Add WASM support for i64 simple opcodes.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-08-17  Keith Miller  <keith_miller@apple.com>
2
3         Add WASM support for i64 simple opcodes.
4         https://bugs.webkit.org/show_bug.cgi?id=160928
5
6         Reviewed by Michael Saboff.
7
8         This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.
9
10         * wasm/WASMB3IRGenerator.cpp:
11         (JSC::WASM::toB3Op):
12         (JSC::WASM::B3IRGenerator::unaryOp):
13         * wasm/WASMFunctionParser.h:
14         (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
15         * wasm/WASMOps.h:
16
17 2016-08-17  JF Bastien  <jfbastien@apple.com>
18
19         We allow assignments to const variables when in a for-in/for-of loop
20         https://bugs.webkit.org/show_bug.cgi?id=156673
21
22         Reviewed by Filip Pizlo.
23
24         for-in and for-of weren't checking whether iteration variables from
25         parent scopes were const. Assigning to such variables should
26         throw, but used not to.
27
28         * bytecompiler/NodesCodegen.cpp:
29         (JSC::ForInNode::emitLoopHeader):
30         (JSC::ForOfNode::emitBytecode):
31
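The semantics this entry restores, as an added example (not code from the WebKit ChangeLog or from JavaScriptCore): a for-in/for-of loop assigns to its loop target on every iteration, so a const binding from an enclosing scope must make the first iteration throw a TypeError before the body runs. The helper `probe` and the fixture functions are this example's own.

```javascript
// Runs `body`, handing it a tick() callback, and reports whether a TypeError
// was thrown and how many iterations of the loop body ran before that.
function probe(body) {
  let iterations = 0;
  try {
    body(() => { iterations++; });
  } catch (e) {
    return { threw: e instanceof TypeError, iterations };
  }
  return { threw: false, iterations };
}

// for-of whose loop target is a const declared in the parent (function) scope.
// The implicit assignment happens before the body, so no iteration completes.
function forOfAssignsOuterConst() {
  const target = "initial";
  return probe((tick) => {
    function inner() {
      for (target of [1, 2, 3]) tick();   // assignment to a const: must throw
    }
    inner();
  });
}

// for-in with the same shape: the key is a const from the parent scope.
function forInAssignsOuterConst() {
  const key = "initial";
  return probe((tick) => {
    function inner() {
      for (key in { a: 1, b: 2 }) tick();   // assignment to a const: must throw
    }
    inner();
  });
}

// Control case: a let binding from the parent scope is legitimately assignable,
// so all three iterations run and nothing is thrown.
function forOfAssignsOuterLet() {
  let target = "initial";
  return probe((tick) => {
    for (target of [1, 2, 3]) tick();
  });
}
```
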
32 2016-08-17  Geoffrey Garen  <ggaren@apple.com>
33
34         Fixed a potential bug in MarkedArgumentBuffer.
35         https://bugs.webkit.org/show_bug.cgi?id=160948
36         <rdar://problem/27889416>
37
38         Reviewed by Oliver Hunt.
39
40         I haven't been able to produce an observable test case after some trying.
41
42         * runtime/ArgList.cpp:
43         (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
44         this out from existing code for clarity, but the behavior is the same.
45
46         (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.
47
48         (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
49         path. This is faster than the old linear scan, and I think it might
50         avoid cases the old scan could miss.
51
52         * runtime/ArgList.h:
53         (JSC::MarkedArgumentBuffer::append): Account for the case where someone
54         has called clear() or removeLast().
55
56         (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
57         clearer to test the buffers directly instead of inferring what they
58         might be based on capacity.
59
60 2016-08-17  Mark Lam  <mark.lam@apple.com>
61
62         Remove an invalid assertion in the DFG backend's GetById emitter.
63         https://bugs.webkit.org/show_bug.cgi?id=160925
64         <rdar://problem/27248961>
65
66         Reviewed by Filip Pizlo.
67
68         The DFG backend's GetById assertion that the node's prediction not be SpecNone
69         is just plain wrong.  It assumes that we can never have a GetById node without a
70         type prediction, but this is not true.  The following test case proves otherwise:
71
72             function foo() {
73                 "use strict";
74                 return --arguments["callee"];
75             }
76
77         Will remove the assertion.  Nothing else needs to change as the DFG is working
78         correctly without the assertion.
79
80         * dfg/DFGSpeculativeJIT32_64.cpp:
81         (JSC::DFG::SpeculativeJIT::compile):
82         * dfg/DFGSpeculativeJIT64.cpp:
83         (JSC::DFG::SpeculativeJIT::compile):
84
85 2016-08-16  Mark Lam  <mark.lam@apple.com>
86
87         Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
88         https://bugs.webkit.org/show_bug.cgi?id=160917
89
90         Reviewed by Filip Pizlo.
91
92         If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
93         RELEASE_ASSERT failure:
94
95             $ JSC_useImmortalObjects=true jsc
96             >>> gc()
97             Trace/BPT trap: 5
98
99         This is because Heap::collectAllGarbage() is doing an explicit sweep of the
100         MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
101         make objects immortal by retiring their blocks.  As a result, there is a mismatch
102         in expectancy.
103
104         The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.
105
106         * heap/Heap.cpp:
107         (JSC::Heap::collectAllGarbage):
108
109 2016-08-16  Keith Miller  <keith_miller@apple.com>
110
111         Add WASM I32 simple operators.
112         https://bugs.webkit.org/show_bug.cgi?id=160914
113
114         Reviewed by Benjamin Poulain.
115
116         This patch adds support for the i32 simple binary operators.
117
118         * wasm/WASMB3IRGenerator.cpp:
119         (JSC::WASM::toB3Op):
120         (JSC::WASM::B3IRGenerator::binaryOp):
121         * wasm/WASMFunctionParser.h:
122         (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
123         * wasm/WASMOps.h:
124
125 2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>
126
127         Conversion to sequence<T> is broken for iterable objects
128         https://bugs.webkit.org/show_bug.cgi?id=160801
129
130         Reviewed by Darin Adler.
131
132         Export functions used to iterate over iterable objects.
133
134         * runtime/IteratorOperations.h:
135         (JSC::forEachInIterable):
136
137 2016-08-15  Benjamin Poulain  <bpoulain@apple.com>
138
139         [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
140         https://bugs.webkit.org/show_bug.cgi?id=160881
141
142         Reviewed by Mark Lam.
143
144         * dfg/DFGSpeculativeJIT32_64.cpp:
145         (JSC::DFG::SpeculativeJIT::compile):
146         We were trying to set the result of the Identity node to the same
147         value as the source of the Identity.
148         That is pretty messed up.
149
150 2016-08-15  Saam Barati  <sbarati@apple.com>
151
152         Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
153         https://bugs.webkit.org/show_bug.cgi?id=160750
154         <rdar://problem/27793469>
155
156         Reviewed by Joseph Pecoraro.
157
158         * inspector/agents/InspectorRuntimeAgent.cpp:
159         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
160         (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
161         (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
162         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
163         (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
164         * inspector/agents/InspectorRuntimeAgent.h:
165         * inspector/protocol/Runtime.json:
166
167 2016-08-15  Saam Barati  <sbarati@apple.com>
168
169         Array.prototype.map builtin should go on the fast path when constructor===@Array
170         https://bugs.webkit.org/show_bug.cgi?id=160836
171
172         Reviewed by Keith Miller.
173
174         In the FTL, we were not compiling the result array in Array.prototype.map
175         efficiently when the result array should use the Array constructor
176         (which is the common case). We used to compile it as:
177         x: JSConstant(Array)
178         y: Construct(@x, ...)
179         instead of
180         y: NewArrayWithSize(...)
181
182         This patch changes the builtin to go down the fast path when certain
183         conditions are met. Often, the check to go down the fast path will
184         be constant folded because we always create a normal array from the
185         Array constructor.
186
187         This is around a 5% speedup on ES6 Sample Bench.
188
189         I also made similar changes for Array.prototype.filter
190         and Array.prototype.concat on its slow path.
191
192         * builtins/ArrayPrototype.js:
193
194 2016-08-15  Mark Lam  <mark.lam@apple.com>
195
196         Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
197         https://bugs.webkit.org/show_bug.cgi?id=160832
198         <rdar://problem/27577556>
199
200         Reviewed by Geoffrey Garen.
201
202         Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
203         access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
204         result, we'll crash with null pointer dereferences.
205
206         We can fix this by introducing a JSString::equal() method that will do the
207         equality comparison, but is aware of the potential failures to resolve ropes.
208         JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
209         instead of accessing the underlying StringImpl directly.
210
211         Also added some exception checks.
212
213         * JavaScriptCore.xcodeproj/project.pbxproj:
214         * jit/JITOperations.cpp:
215         * runtime/ArrayPrototype.cpp:
216         (JSC::arrayProtoFuncIndexOf):
217         (JSC::arrayProtoFuncLastIndexOf):
218         * runtime/JSCJSValueInlines.h:
219         (JSC::JSValue::equalSlowCaseInline):
220         (JSC::JSValue::strictEqualSlowCaseInline):
221         * runtime/JSString.cpp:
222         (JSC::JSString::equalSlowCase):
223         * runtime/JSString.h:
224         * runtime/JSStringInlines.h: Added.
225         (JSC::JSString::equal):
226
227 2016-08-15  Keith Miller  <keith_miller@apple.com>
228
229         Implement WASM Parser and B3 IR generator
230         https://bugs.webkit.org/show_bug.cgi?id=160681
231
232         Reviewed by Benjamin Poulain.
233
234         This patch adds the skeleton for a WebAssembly pipeline. The
235         pipeline is designed in order to make it easy to have as much of
236         the compilation process threaded as possible. The flow of the
237         pipeline roughly goes as follows:
238
239         1) Create a WASMPlan with the VM and a Vector of the
240         assembly. Currently the plan will process all the work
241         synchronously, however, in the future this can be offloaded to
242         other threads.
243
244         2) The plan will run the WASMModuleParser, which collates all the
245         information needed to compile each module function
246         independently. Since we are still in the early phases, the only
247         information is the starting and ending byte of the function's
248         body. The module parser, however, still scans both and
249         semi-validates the type and the function sections.
250
251         3) Each function is decoded and compiled. In the future this
252         should also include an opcode validation phase. The
253         WASMFunctionParser is templatized so that a validator should be
254         able to use most of the same code the B3 IR generator does.
255
256         4) When the plan has finished it will fill a Vector of
257         B3::Compilation objects that correspond to the respective function
258         in the WASM module.
259
260
261         The current testing plan for the modules is to inline the
262         binary generated by the spec's OCaml prototype. The inlined binary
263         is passed to a WASMPlan then invoked to check the result of the
264         function. In the future we should add a more robust testing
265         infrastructure.
266
267         * JavaScriptCore.xcodeproj/project.pbxproj:
268         * testWASM.cpp:
269         (printUsageStatement):
270         (CommandLine::parseArguments):
271         (invoke):
272         (runWASMTests):
273         (main):
274         * wasm/JSWASMModule.h:
275         (JSC::JSWASMModule::globalVariableTypes):
276         * wasm/WASMB3IRGenerator.cpp: Added.
277         (JSC::WASM::B3IRGenerator::B3IRGenerator):
278         (JSC::WASM::B3IRGenerator::addLocal):
279         (JSC::WASM::B3IRGenerator::binaryOp):
280         (JSC::WASM::B3IRGenerator::addConstant):
281         (JSC::WASM::B3IRGenerator::addBlock):
282         (JSC::WASM::B3IRGenerator::endBlock):
283         (JSC::WASM::B3IRGenerator::addReturn):
284         (JSC::WASM::B3IRGenerator::unify):
285         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
286         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
287         (JSC::WASM::B3IRGenerator::stackForControlLevel):
288         (JSC::WASM::B3IRGenerator::blockForControlLevel):
289         (JSC::WASM::parseAndCompile):
290         * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
291         * wasm/WASMFormat.h:
292         * wasm/WASMFunctionParser.h: Added.
293         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
294         (JSC::WASM::WASMFunctionParser<Context>::parse):
295         (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
296         (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
297         * wasm/WASMModuleParser.cpp: Added.
298         (JSC::WASM::WASMModuleParser::parse):
299         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
300         (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
301         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
302         * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
303         (JSC::WASM::WASMModuleParser::WASMModuleParser):
304         (JSC::WASM::WASMModuleParser::functionInformation):
305         * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
306         * wasm/WASMParser.h: Added.
307         (JSC::WASM::WASMParser::parseVarUInt32):
308         (JSC::WASM::WASMParser::WASMParser):
309         (JSC::WASM::WASMParser::consumeCharacter):
310         (JSC::WASM::WASMParser::consumeString):
311         (JSC::WASM::WASMParser::parseUInt32):
312         (JSC::WASM::WASMParser::parseUInt7):
313         (JSC::WASM::WASMParser::parseVarUInt1):
314         (JSC::WASM::WASMParser::parseValueType):
315         * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
316         (JSC::WASM::Plan::Plan):
317         * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
318         * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
319         (JSC::WASM::WASMSections::lookup):
320         * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
321         (JSC::WASM::WASMSections::validateOrder):
322
323 2016-08-15  Benjamin Poulain  <bpoulain@apple.com>
324
325         [JSC] B3 Neg opcode should support float
326         https://bugs.webkit.org/show_bug.cgi?id=160795
327
328         Reviewed by Geoffrey Garen.
329
330         This is required to implement WASM f32.neg opcode.
331
332         * assembler/MacroAssemblerARM64.h:
333         (JSC::MacroAssemblerARM64::negateFloat):
334         * b3/B3LowerToAir.cpp:
335         (JSC::B3::Air::LowerToAir::lower):
336         * b3/B3ReduceDoubleToFloat.cpp:
337         * b3/air/AirOpcode.opcodes:
338         * b3/testb3.cpp:
339         (JSC::B3::testNegDouble):
340         (JSC::B3::testNegFloat):
341         (JSC::B3::testNegFloatWithUselessDoubleConversion):
342         (JSC::B3::run):
343
344 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
345
346         Use #pragma once in inspector headers
347         https://bugs.webkit.org/show_bug.cgi?id=160861
348
349         Reviewed by Mark Lam.
350
351         * inspector/*.h:
352
353 2016-08-15  Daniel Bates  <dabates@apple.com>
354
355         Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
356         private frameworks and libraries
357         https://bugs.webkit.org/show_bug.cgi?id=155931
358         <rdar://problem/25807989>
359
360         Reviewed by Dan Bernstein.
361
362         Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
363         where X is the major version of the active iOS SDK.
364
365         * Configurations/Base.xcconfig:
366
367 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
368
369         Reduce includes of Debugger.h
370         https://bugs.webkit.org/show_bug.cgi?id=160827
371
372         Reviewed by Mark Lam.
373
374         * API/JSTypedArray.cpp:
375         * bytecode/UnlinkedCodeBlock.h:
376         * bytecode/UnlinkedFunctionExecutable.cpp:
377         * bytecode/UnlinkedFunctionExecutable.h:
378         * bytecompiler/BytecodeGenerator.h:
379         * bytecompiler/NodesCodegen.cpp:
380         * dfg/DFGPlan.cpp:
381         * dfg/DFGSpeculativeJIT32_64.cpp:
382         * dfg/DFGSpeculativeJIT64.cpp:
383         * ftl/FTLJITCode.h:
384         * inspector/ScriptCallStackFactory.cpp:
385         * inspector/agents/InspectorDebuggerAgent.h:
386         * jit/JITOpcodes.cpp:
387         * jit/JITOpcodes32_64.cpp:
388         * jit/JITOperations.cpp:
389         * llint/LLIntOffsetsExtractor.cpp:
390         * parser/Nodes.cpp:
391         * parser/Parser.cpp:
392         * parser/Parser.h:
393         * runtime/Completion.cpp:
394         * runtime/Executable.cpp:
395         * runtime/Executable.h:
396         * runtime/FunctionConstructor.cpp:
397         * runtime/SamplingProfiler.cpp:
398         * runtime/SamplingProfiler.h:
399         * runtime/VMEntryScope.cpp:
400
401 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
402
403         Remove unused includes of wtf headers
404         https://bugs.webkit.org/show_bug.cgi?id=160839
405
406         Reviewed by Alex Christensen.
407
408         * Lots of files.
409
410 2016-08-13  Per Arne Vollan  <pvollan@apple.com>
411
412         [Win] Warning fixes.
413         https://bugs.webkit.org/show_bug.cgi?id=160803
414
415         Reviewed by Brent Fulgham.
416
417         Initialize local variables.
418
419         * jit/JIT.cpp:
420         (JSC::JIT::compileWithoutLinking):
421         * runtime/Error.cpp:
422         (JSC::addErrorInfoAndGetBytecodeOffset):
423
424 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
425
426         Remove always true JSC::Debugger::needPauseHandling virtual method
427         https://bugs.webkit.org/show_bug.cgi?id=160822
428
429         Reviewed by Mark Lam.
430
431         All subclasses return true for this method. Just remove the method.
432
433         * debugger/Debugger.cpp:
434         (JSC::Debugger::pauseIfNeeded):
435         * inspector/ScriptDebugServer.h:
436
437 2016-08-12  Saam Barati  <sbarati@apple.com>
438
439         Inline store loop for CopyRest in DFG and FTL for certain array modes
440         https://bugs.webkit.org/show_bug.cgi?id=159612
441
442         Reviewed by Filip Pizlo.
443
444         This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
445         The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
446         This allows the bytecode to be in control of what type of indexingType the array is allocated
447         with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
448         This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
449         JIT will fast allocate the array and its storage, and we will do a memmove from the rest
450         region of arguments into the array's storage.
451
452         I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
453         on micro benchmarks that just test rest creation speed.
454
455         * bytecode/BytecodeList.json:
456         * bytecode/BytecodeUseDef.h:
457         (JSC::computeUsesForBytecodeOffset):
458         (JSC::computeDefsForBytecodeOffset):
459         * bytecode/CodeBlock.cpp:
460         (JSC::CodeBlock::dumpBytecode):
461         * bytecompiler/BytecodeGenerator.cpp:
462         (JSC::BytecodeGenerator::emitRestParameter):
463         * dfg/DFGAbstractInterpreterInlines.h:
464         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
465         * dfg/DFGByteCodeParser.cpp:
466         (JSC::DFG::ByteCodeParser::parseBlock):
467         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
468         (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
469         * dfg/DFGCapabilities.cpp:
470         (JSC::DFG::capabilityLevel):
471         * dfg/DFGClobberize.h:
472         (JSC::DFG::clobberize):
473         * dfg/DFGDoesGC.cpp:
474         (JSC::DFG::doesGC):
475         * dfg/DFGFixupPhase.cpp:
476         (JSC::DFG::FixupPhase::fixupNode):
477         * dfg/DFGGraph.h:
478         (JSC::DFG::Graph::uses):
479         (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
480         (JSC::DFG::Graph::compilation):
481         * dfg/DFGNode.h:
482         (JSC::DFG::Node::numberOfArgumentsToSkip):
483         * dfg/DFGNodeType.h:
484         * dfg/DFGOperations.cpp:
485         * dfg/DFGOperations.h:
486         * dfg/DFGPredictionPropagationPhase.cpp:
487         * dfg/DFGSafeToExecute.h:
488         (JSC::DFG::safeToExecute):
489         * dfg/DFGSpeculativeJIT.cpp:
490         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
491         (JSC::DFG::SpeculativeJIT::compileCreateRest):
492         (JSC::DFG::SpeculativeJIT::compileGetRestLength):
493         (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
494         * dfg/DFGSpeculativeJIT.h:
495         (JSC::DFG::SpeculativeJIT::callOperation):
496         * dfg/DFGSpeculativeJIT32_64.cpp:
497         (JSC::DFG::SpeculativeJIT::compile):
498         (JSC::DFG::SpeculativeJIT::compileArithRandom):
499         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
500         * dfg/DFGSpeculativeJIT64.cpp:
501         (JSC::DFG::SpeculativeJIT::compile):
502         (JSC::DFG::SpeculativeJIT::compileArithRandom):
503         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
504         * ftl/FTLCapabilities.cpp:
505         (JSC::FTL::canCompile):
506         * ftl/FTLLowerDFGToB3.cpp:
507         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
508         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
509         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
510         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
511         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
512         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
513         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
514         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
515         * interpreter/CallFrame.h:
516         (JSC::ExecState::addressOfArgumentsStart):
517         (JSC::ExecState::argument):
518         * jit/JIT.cpp:
519         (JSC::JIT::privateCompileMainPass):
520         * jit/JIT.h:
521         * jit/JITOpcodes.cpp:
522         (JSC::JIT::emit_op_argument_count):
523         (JSC::JIT::emit_op_create_rest):
524         (JSC::JIT::emit_op_copy_rest): Deleted.
525         * jit/JITOperations.h:
526         * llint/LowLevelInterpreter.asm:
527         * runtime/CommonSlowPaths.cpp:
528         (JSC::SLOW_PATH_DECL):
529         * runtime/CommonSlowPaths.h:
530
531 2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>
532
533         Add a helper class for enumerating elements in an iterable object
534         https://bugs.webkit.org/show_bug.cgi?id=160800
535
536         Reviewed by Benjamin Poulain.
537
538         Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
539         and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.
540
541         Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.
542
543         * runtime/IteratorOperations.cpp:
544         (JSC::iteratorForIterable): Added.
545         * runtime/IteratorOperations.h:
546         (JSC::forEachInIterable): Added.
547         * runtime/MapConstructor.cpp:
548         (JSC::constructMap):
549         * runtime/SetConstructor.cpp:
550         (JSC::constructSet):
551         * runtime/WeakMapConstructor.cpp:
552         (JSC::constructWeakMap):
553         * runtime/WeakSetConstructor.cpp:
554         (JSC::constructWeakSet):
555
556 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
557
558         Remove unused includes of RefCountedLeakCounter.h
559         https://bugs.webkit.org/show_bug.cgi?id=160817
560
561         Reviewed by Mark Lam.
562
563         * parser/Nodes.cpp:
564         * runtime/Structure.cpp:
565
566 2016-08-12  Pranjal Jumde  <pjumde@apple.com>
567
568         ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
569         https://bugs.webkit.org/show_bug.cgi?id=160535
570         <rdar://problem/27328151>
571         
572         Reviewed by Saam Barati.
573
574         lineNumber from the savePoint was not being restored before calling next(), causing a discrepancy in the offset and line for the token.
575
576         * parser/Parser.h:
577         (JSC::Parser::restoreLexerState):
578
579 2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>
580
581         [ES2016] Implement Object.entries
582         https://bugs.webkit.org/show_bug.cgi?id=160412
583
584         Reviewed by Saam Barati.
585
586         This patch adds an entries function to Object that returns a list of
587         key+value pairs. The patch was done according to the
588         spec: https://tc39.github.io/ecma262/#sec-object.entries
589
590         * builtins/ObjectConstructor.js:
591         (globalPrivate.enumerableOwnProperties):
592         (entries):
593         * runtime/ObjectConstructor.cpp:
594
595 2016-08-11  Mark Lam  <mark.lam@apple.com>
596
597         OverridesHasInstance should not branch across register allocations.
598         https://bugs.webkit.org/show_bug.cgi?id=160792
599         <rdar://problem/27361778>
600
601         Reviewed by Benjamin Poulain.
602
603         The OverrideHasInstance node has a branch test that is emitted conditionally.
604         It also has a bug where it allocated a register after this branch, which is not
605         allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
606         From the ChangeLog for r145931:
607
608         "This [assertion that register allocations are not branched around] protects
609         against the case where an allocation could have spilled register contents to free
610         up a register and that spill only occurs on one path of many through the code.
611         A subsequent fill of the spilled register may load garbage."
612
613         Because the branch isn't always emitted, this bug has gone unnoticed until now.
614         This patch fixes this issue by pre-allocating the registers before emitting the
615         branch in OverrideHasInstance.
616
617         Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
618         is doing it right.
619
620         * dfg/DFGSpeculativeJIT64.cpp:
621         (JSC::DFG::SpeculativeJIT::compile):
622
623 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
624
625         [JSC] Make B3 Return opcode work without arguments
626         https://bugs.webkit.org/show_bug.cgi?id=160787
627
628         Reviewed by Keith Miller.
629
630         We need a way to create functions that do not return values.
631
632         * assembler/MacroAssembler.h:
633         (JSC::MacroAssembler::retVoid):
634         * b3/B3BasicBlock.cpp:
635         (JSC::B3::BasicBlock::appendNewControlValue):
636         * b3/B3LowerToAir.cpp:
637         (JSC::B3::Air::LowerToAir::lower):
638         * b3/B3Validate.cpp:
639         * b3/B3Value.h:
640         * b3/air/AirOpcode.opcodes:
641         * b3/testb3.cpp:
642         (JSC::B3::testReturnVoid):
643         (JSC::B3::run):
644
645 2016-08-11  Mark Lam  <mark.lam@apple.com>
646
647         Gardening: fix gcc builds after r204387.
648
649         Not reviewed.
650
651         Apparently, gcc is not sophisticated enough to realize that the end of the
652         function is unreachable, and is wrongly complaining about "control reaches end of
653         non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
654         statement at the end of MarkedBlock::sweepHelper() to appease gcc.
655
656         * heap/MarkedBlock.cpp:
657         (JSC::MarkedBlock::sweepHelper):
658
659 2016-08-11  Alex Christensen  <achristensen@webkit.org>
660
661         Use StringBuilder::appendLiteral when possible don't append result of makeString
662         https://bugs.webkit.org/show_bug.cgi?id=160772
663
664         Reviewed by Sam Weinig.
665
666         * API/tests/ExecutionTimeLimitTest.cpp:
667         (testExecutionTimeLimit):
668         * API/tests/PingPongStackOverflowTest.cpp:
669         (PingPongStackOverflowObject_hasInstance):
670         * bytecompiler/NodesCodegen.cpp:
671         (JSC::ArrayPatternNode::toString):
672         (JSC::RestParameterNode::toString):
673         * runtime/ErrorInstance.cpp:
674         (JSC::ErrorInstance::sanitizedToString):
675         * runtime/Options.cpp:
676         (JSC::Options::dumpOption):
677
678 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
679
680         [JSC] Revert most of r203808
681         https://bugs.webkit.org/show_bug.cgi?id=160784
682
683         Reviewed by Geoffrey Garen.
684
685         Switching to fastMalloc() caused regressions on Jetstream and Octane
686         on MacBook Air. I was able to get back some of it in the following
687         patches but the tests that never go to FTL are still regressed.
688
689         This patch reverts r203808 except for the node index.
690         Nodes are allocated with the custom allocator like before but they are
691         now also kept in a table, addressed by the node index.
692
693         * CMakeLists.txt:
694         * JavaScriptCore.xcodeproj/project.pbxproj:
695         * b3/B3SparseCollection.h:
696         (JSC::B3::SparseCollection::packIndices): Deleted.
697         * dfg/DFGAllocator.h: Added.
698         (JSC::DFG::Allocator::Region::size):
699         (JSC::DFG::Allocator::Region::headerSize):
700         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
701         (JSC::DFG::Allocator::Region::data):
702         (JSC::DFG::Allocator::Region::isInThisRegion):
703         (JSC::DFG::Allocator::Region::regionFor):
704         (JSC::DFG::Allocator<T>::Allocator):
705         (JSC::DFG::Allocator<T>::~Allocator):
706         (JSC::DFG::Allocator<T>::allocate):
707         (JSC::DFG::Allocator<T>::free):
708         (JSC::DFG::Allocator<T>::freeAll):
709         (JSC::DFG::Allocator<T>::reset):
710         (JSC::DFG::Allocator<T>::indexOf):
711         (JSC::DFG::Allocator<T>::allocatorOf):
712         (JSC::DFG::Allocator<T>::bumpAllocate):
713         (JSC::DFG::Allocator<T>::freeListAllocate):
714         (JSC::DFG::Allocator<T>::allocateSlow):
715         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
716         (JSC::DFG::Allocator<T>::startBumpingIn):
717         * dfg/DFGDriver.cpp:
718         (JSC::DFG::compileImpl):
719         * dfg/DFGGraph.cpp:
720         (JSC::DFG::Graph::Graph):
721         (JSC::DFG::Graph::~Graph):
722         (JSC::DFG::Graph::addNodeToMapByIndex):
723         (JSC::DFG::Graph::deleteNode):
724         (JSC::DFG::Graph::packNodeIndices):
725         * dfg/DFGGraph.h:
726         (JSC::DFG::Graph::addNode):
727         (JSC::DFG::Graph::maxNodeCount):
728         (JSC::DFG::Graph::nodeAt):
729         * dfg/DFGLongLivedState.cpp: Added.
730         (JSC::DFG::LongLivedState::LongLivedState):
731         (JSC::DFG::LongLivedState::~LongLivedState):
732         (JSC::DFG::LongLivedState::shrinkToFit):
733         * dfg/DFGLongLivedState.h: Added.
734         * dfg/DFGNode.h:
735         * dfg/DFGNodeAllocator.h: Added.
736         (operator new ):
737         * dfg/DFGPlan.cpp:
738         (JSC::DFG::Plan::compileInThread):
739         (JSC::DFG::Plan::compileInThreadImpl):
740         * dfg/DFGPlan.h:
741         * dfg/DFGWorklist.cpp:
742         (JSC::DFG::Worklist::runThread):
743         * runtime/VM.cpp:
744         (JSC::VM::VM):
745         * runtime/VM.h:
746
747 2016-08-11  Mark Lam  <mark.lam@apple.com>
748
749         The jsc shell's Element host constructor should throw if it fails to construct an object.
750         https://bugs.webkit.org/show_bug.cgi?id=160773
751         <rdar://problem/27328608>
752
753         Reviewed by Saam Barati.
754
755         The Element object is a test object provided in the jsc shell for testing use only.
756         JavaScriptCore expects host constructors to either throw an error or return a
757         constructed object.  Element has a host constructor that did not obey this contract.
758         As a result, the following statement will fail a RELEASE_ASSERT:
759
760             new (Element.bind())
761
762         This is now fixed.
763
764         * jsc.cpp:
765         (functionCreateElement):
766
767 2016-08-11  Mark Lam  <mark.lam@apple.com>
768
769         Disallow synchronous sweeping for eden GCs.
770         https://bugs.webkit.org/show_bug.cgi?id=160716
771
772         Reviewed by Geoffrey Garen.
773
774         * heap/Heap.cpp:
775         (JSC::Heap::collectAllGarbage):
776         (JSC::Heap::collectAndSweep): Deleted.
777         * heap/Heap.h:
778         (JSC::Heap::collectAllGarbage): Deleted.
779         - No need for a separate collectAndSweep() anymore since we only call it for
780           FullCollections.
781         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
782           IncrementalSweeper can bail earlier when it runs later.
783
784         * heap/MarkedBlock.cpp:
785         (JSC::MarkedBlock::sweepHelper):
786         - Removed the unreachable return statement.
787
788         * heap/MarkedBlock.h:
789         - Document what "Retired" means.
790
791         * tools/JSDollarVMPrototype.cpp:
792         (JSC::JSDollarVMPrototype::edenGC):
793
794 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
795
796         [Win] Warning fix.
797         https://bugs.webkit.org/show_bug.cgi?id=160734
798
799         Reviewed by Sam Weinig.
800
801         Add static cast from int to uint32_t.
802
803         * bytecode/ArithProfile.h:
804
805 2016-08-10  Michael Saboff  <msaboff@apple.com>
806
807         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
808         https://bugs.webkit.org/show_bug.cgi?id=160749
809
810         Reviewed by Filip Pizlo.
811
812         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
813         emitPutByValWithCachedId() without linking the exception checks created by the
814         code emitted.  This manifested itself in various ways depending on the processor.
815         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
816         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
817         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
818         an absolute address of 0.
819
820         Now we save the exception handler address for the original generated function and
821         link the exception cases for these by-val stubs to this handler.
822
823         * bytecode/ByValInfo.h:
824         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
825         link to.
826
827         * jit/JIT.cpp:
828         (JSC::JIT::link): Compute the linked exception handler address and pass it to
829         the ByValInfo constructor.
830         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
831         exception handler if we have any by-val handlers.
832
833         * jit/JIT.h:
834         Added a label for the exception handler.  We'll link this later for the
835         by value handlers.
836
837         * jit/JITPropertyAccess.cpp:
838         (JSC::JIT::privateCompileGetByValWithCachedId):
839         (JSC::JIT::privateCompilePutByValWithCachedId):
840         Link exception branches to the exception handler for the main function.
841
842 2016-08-10  Mark Lam  <mark.lam@apple.com>
843
844         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
845         https://bugs.webkit.org/show_bug.cgi?id=160755
846         <rdar://problem/27488507>
847
848         Reviewed by Filip Pizlo.
849
850         If the DFG sees that an inlined function will result in an OSR exit every time,
851         it will treat all downstream blocks as dead.  However, it still needs to keep
852         locals that are alive in the bytecode alive for the compiled function so that
853         those locals are properly written to the stack by the OSR exit ramp.
854
855         The existing code neglected to do this.  This patch remedies this issue.
856
857         * dfg/DFGByteCodeParser.cpp:
858         (JSC::DFG::ByteCodeParser::flushDirect):
859         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
860         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
861         (JSC::DFG::ByteCodeParser::flushForTerminal):
862
863 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
864
865         [ES2016] Implement Object.values
866         https://bugs.webkit.org/show_bug.cgi?id=160410
867
868         Reviewed by Saam Barati, Yusuke Suzuki.
869
870         This patch adds a values function to Object that returns a list of the
871         object's own values. The patch was done according to the spec:
872         http://tc39.github.io/ecma262/#sec-object.values
873
874         The patch also adds generic builtin intrinsic constants
875         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue that are
876         used in EnumerableOwnProperties to set the kind of operation, and
877         replaces the IterationKind enums previously owned by the following iterators:
878         ArrayIterator, MapIterator, and SetIterator.
879
880         * JavaScriptCore.xcodeproj/project.pbxproj:
881         * builtins/ObjectConstructor.js:
882         (globalPrivate.enumerableOwnProperties):
883         (values):
884         * bytecode/BytecodeIntrinsicRegistry.cpp:
885         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
886         * bytecode/BytecodeIntrinsicRegistry.h:
887         * inspector/JSInjectedScriptHost.cpp:
888         (Inspector::JSInjectedScriptHost::getInternalProperties):
889         * runtime/ArrayIteratorPrototype.h:
890         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
891         * runtime/JSMapIterator.h:
892         (JSC::JSMapIterator::create):
893         (JSC::JSMapIterator::next):
894         (JSC::JSMapIterator::kind):
895         (JSC::JSMapIterator::JSMapIterator):
896         * runtime/JSSetIterator.h:
897         (JSC::JSSetIterator::create):
898         (JSC::JSSetIterator::next):
899         (JSC::JSSetIterator::kind):
900         (JSC::JSSetIterator::JSSetIterator):
901         * runtime/MapPrototype.cpp:
902         (JSC::mapProtoFuncValues):
903         (JSC::mapProtoFuncEntries):
904         (JSC::mapProtoFuncKeys):
905         (JSC::privateFuncMapIterator):
906         * runtime/ObjectConstructor.cpp:
907         * runtime/SetPrototype.cpp:
908         (JSC::setProtoFuncValues):
909         (JSC::setProtoFuncEntries):
910         (JSC::privateFuncSetIterator):
911
912 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
913
914         [JSC] Speed up SparseCollection & related maps
915         https://bugs.webkit.org/show_bug.cgi?id=160733
916
917         Reviewed by Saam Barati.
918
919         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
920         This is unfortunate.
921
922         The first improvement is to build the new unique_ptr in the empty slot
923         instead of moving a new value into it.
924
925         Previously, the code would load the previous value, test if it is null
926         then invoke the destructor and finally fastFree(). The initial test
927         obviously fails so that's a whole bunch of code that is never executed.
928
929         With the new code, we just have a store.
930
931         I also removed the bounds checking on our maps based on node index.
932         Those bounds checks are never eliminated by clang because the index
933         is always loaded from memory instead of being computed.
934         There are unfortunately too many nodes processed and the bounds checks
935         get costly.
936
937         * b3/B3SparseCollection.h:
938         (JSC::B3::SparseCollection::add):
939         * dfg/DFGGraph.h:
940         (JSC::DFG::Graph::abstractValuesCache):
941         * dfg/DFGInPlaceAbstractState.h:
942
943 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
944
945         [JSC] Remove some useless code I left when rewriting CSE's large maps
946         https://bugs.webkit.org/show_bug.cgi?id=160720
947
948         Reviewed by Michael Saboff.
949
950         * dfg/DFGCSEPhase.cpp:
951         The maps m_worldMap && m_sideStateMap are useless. They come from the previous
952         iteration that had weaker constraints.
953
954         Also move m_heapMap after m_fallbackStackMap since that is the order
955         in which they are used in the algorithm.
956
957 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
958
959         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
960         https://bugs.webkit.org/show_bug.cgi?id=160708
961
962         Reviewed by Mark Lam.
963
964         * dfg/DFGAbstractInterpreter.h:
965         * dfg/DFGAbstractInterpreterInlines.h:
966         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
967
968 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
969
970         Sort the feature flags in the FEATURE_DEFINES lines
971         https://bugs.webkit.org/show_bug.cgi?id=160742
972
973         Reviewed by Anders Carlsson.
974
975         * Configurations/FeatureDefines.xcconfig:
976
977 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         [ES6] Add ModuleLoaderPrototype and move methods to it
980         https://bugs.webkit.org/show_bug.cgi?id=160633
981
982         Reviewed by Saam Barati.
983
984         In the future, we need to add the ability to create a new Loader object (by users).
985         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
986         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
987
988         No behavior change.
989
990         * CMakeLists.txt:
991         * DerivedSources.make:
992         * JavaScriptCore.xcodeproj/project.pbxproj:
993         * builtins/ModuleLoaderObject.js:
994         (setStateToMax): Deleted.
995         (newRegistryEntry): Deleted.
996         (ensureRegistered): Deleted.
997         (forceFulfillPromise): Deleted.
998         (fulfillFetch): Deleted.
999         (fulfillTranslate): Deleted.
1000         (fulfillInstantiate): Deleted.
1001         (commitInstantiated): Deleted.
1002         (instantiation): Deleted.
1003         (requestFetch): Deleted.
1004         (requestTranslate): Deleted.
1005         (requestInstantiate): Deleted.
1006         (requestResolveDependencies.): Deleted.
1007         (requestResolveDependencies): Deleted.
1008         (requestInstantiateAll): Deleted.
1009         (requestLink): Deleted.
1010         (requestReady): Deleted.
1011         (link): Deleted.
1012         (moduleEvaluation): Deleted.
1013         (provide): Deleted.
1014         (loadAndEvaluateModule): Deleted.
1015         (loadModule): Deleted.
1016         (linkAndEvaluateModule): Deleted.
1017         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1018         (setStateToMax):
1019         (newRegistryEntry):
1020         (ensureRegistered):
1021         (forceFulfillPromise):
1022         (fulfillFetch):
1023         (fulfillTranslate):
1024         (fulfillInstantiate):
1025         (commitInstantiated):
1026         (instantiation):
1027         (requestFetch):
1028         (requestTranslate):
1029         (requestInstantiate):
1030         (requestResolveDependencies.):
1031         (requestResolveDependencies):
1032         (requestInstantiateAll):
1033         (requestLink):
1034         (requestReady):
1035         (link):
1036         (moduleEvaluation):
1037         (provide):
1038         (loadAndEvaluateModule):
1039         (loadModule):
1040         (linkAndEvaluateModule):
1041         * bytecode/BytecodeIntrinsicRegistry.cpp:
1042         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1043         * jsc.cpp:
1044         (GlobalObject::moduleLoaderResolve):
1045         (GlobalObject::moduleLoaderFetch):
1046         * runtime/Completion.cpp:
1047         (JSC::loadAndEvaluateModule):
1048         (JSC::loadModule):
1049         * runtime/JSGlobalObject.cpp:
1050         (JSC::JSGlobalObject::init):
1051         (JSC::JSGlobalObject::visitChildren):
1052         * runtime/JSGlobalObject.h:
1053         (JSC::JSGlobalObject::moduleLoader):
1054         (JSC::JSGlobalObject::moduleLoaderStructure):
1055         * runtime/JSModuleLoader.cpp: Added.
1056         (JSC::JSModuleLoader::JSModuleLoader):
1057         (JSC::JSModuleLoader::finishCreation):
1058         (JSC::printableModuleKey):
1059         (JSC::JSModuleLoader::provide):
1060         (JSC::JSModuleLoader::loadAndEvaluateModule):
1061         (JSC::JSModuleLoader::loadModule):
1062         (JSC::JSModuleLoader::linkAndEvaluateModule):
1063         (JSC::JSModuleLoader::resolve):
1064         (JSC::JSModuleLoader::fetch):
1065         (JSC::JSModuleLoader::translate):
1066         (JSC::JSModuleLoader::instantiate):
1067         (JSC::JSModuleLoader::evaluate):
1068         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1069         (JSC::JSModuleLoader::create):
1070         (JSC::JSModuleLoader::createStructure):
1071         * runtime/JSModuleRecord.h:
1072         * runtime/ModuleLoaderObject.cpp: Removed.
1073         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1074         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1075         (JSC::printableModuleKey): Deleted.
1076         (JSC::ModuleLoaderObject::provide): Deleted.
1077         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1078         (JSC::ModuleLoaderObject::loadModule): Deleted.
1079         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1080         (JSC::ModuleLoaderObject::resolve): Deleted.
1081         (JSC::ModuleLoaderObject::fetch): Deleted.
1082         (JSC::ModuleLoaderObject::translate): Deleted.
1083         (JSC::ModuleLoaderObject::instantiate): Deleted.
1084         (JSC::ModuleLoaderObject::evaluate): Deleted.
1085         (JSC::moduleLoaderObjectParseModule): Deleted.
1086         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1087         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1088         (JSC::moduleLoaderObjectResolve): Deleted.
1089         (JSC::moduleLoaderObjectFetch): Deleted.
1090         (JSC::moduleLoaderObjectTranslate): Deleted.
1091         (JSC::moduleLoaderObjectInstantiate): Deleted.
1092         (JSC::moduleLoaderObjectEvaluate): Deleted.
1093         * runtime/ModuleLoaderObject.h:
1094         (JSC::ModuleLoaderObject::create): Deleted.
1095         (JSC::ModuleLoaderObject::createStructure): Deleted.
1096         * runtime/ModuleLoaderPrototype.cpp: Added.
1097         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1098         (JSC::moduleLoaderPrototypeParseModule):
1099         (JSC::moduleLoaderPrototypeRequestedModules):
1100         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1101         (JSC::moduleLoaderPrototypeResolve):
1102         (JSC::moduleLoaderPrototypeFetch):
1103         (JSC::moduleLoaderPrototypeTranslate):
1104         (JSC::moduleLoaderPrototypeInstantiate):
1105         (JSC::moduleLoaderPrototypeEvaluate):
1106         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1107         (JSC::ModuleLoaderPrototype::create):
1108         (JSC::ModuleLoaderPrototype::createStructure):
1109
1110 2016-08-09  Saam Barati  <sbarati@apple.com>
1111
1112         JSBoundFunction should lazily generate its name string
1113         https://bugs.webkit.org/show_bug.cgi?id=160678
1114         <rdar://problem/27043194>
1115
1116         Reviewed by Mark Lam.
1117
1118         We were eagerly allocating the BoundFunction's 'name' string
1119         by prepending the "bound " prefix. This patch makes the 'name'
1120         string creation lazy like we do with ordinary JSFunctions.
1121
1122         This is a 25% speedup on the microbenchmark I added that measures
1123         bound function creation speed. Hopefully this also helps us recover
1124         from a 1% Speedometer regression that was introduced in the original
1125         bound function "bound " prefixing patch.
1126
1127         * runtime/JSBoundFunction.cpp:
1128         (JSC::JSBoundFunction::create):
1129         (JSC::JSBoundFunction::JSBoundFunction):
1130         (JSC::JSBoundFunction::finishCreation):
1131         * runtime/JSBoundFunction.h:
1132         * runtime/JSFunction.cpp:
1133         (JSC::JSFunction::finishCreation):
1134         (JSC::JSFunction::getOwnPropertySlot):
1135         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1136         (JSC::JSFunction::put):
1137         (JSC::JSFunction::deleteProperty):
1138         (JSC::JSFunction::defineOwnProperty):
1139         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1140         (JSC::JSFunction::reifyBoundNameIfNeeded):
1141         * runtime/JSFunction.h:
1142
1143 2016-08-09  George Ruan  <gruan@apple.com>
1144
1145         Implement functionality of media capture on iOS
1146         https://bugs.webkit.org/show_bug.cgi?id=158945
1147         <rdar://problem/26893343>
1148
1149         Reviewed by Tim Horton.
1150
1151         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1152         for iOS.
1153
1154 2016-08-09  Saam Barati  <sbarati@apple.com>
1155
1156         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1157         https://bugs.webkit.org/show_bug.cgi?id=160671
1158         <rdar://problem/27756112>
1159
1160         Reviewed by Mark Lam.
1161
1162         There was a bug in our captured variable analysis when a function has a default
1163         parameter expression that is a function that captures something from the parent scope.
1164         The bug was that we were relying on the SourceProviderCache to succeed for the
1165         analysis to work. This is obviously wrong. I've fixed this to work regardless
1166         of getting a cache hit. To prevent future bugs that rely on the success of the
1167         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1168
1169         * parser/Parser.cpp:
1170         (JSC::Parser<LexerType>::parseFunctionInfo):
1171         * parser/Parser.h:
1172         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1173         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1174         (JSC::Scope::collectFreeVariables):
1175         * runtime/Options.h:
1176
1177 2016-08-08  Mark Lam  <mark.lam@apple.com>
1178
1179         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1180         https://bugs.webkit.org/show_bug.cgi?id=160666
1181
1182         Reviewed by Keith Miller.
1183
1184         This assertion is benign.  JSFinalObject::visitChildren() calls
1185         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1186         later passes it to visitor.appendValuesHidden() with a previously computed
1187         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1188         However, before we get there, JSObject::inlineStorage() will be asserting
1189         hasInlineStorage() and this assertion will fail when storageSize is 0.
1190
1191         We can fix this assertion failure by simply adding a storageSize check before
1192         calling hasInlineStorage() and visitor.appendValuesHidden().
1193
1194         * runtime/JSObject.cpp:
1195         (JSC::JSFinalObject::visitChildren):
1196
1197 2016-08-08  Brian Burg  <bburg@apple.com>
1198
1199         Web Inspector: clean up prefixing of Automation protocol generated files
1200         https://bugs.webkit.org/show_bug.cgi?id=160635
1201         <rdar://problem/27735327>
1202
1203         Reviewed by Timothy Hatcher.
1204
1205         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1206
1207         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1208         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1209
1210         * inspector/scripts/codegen/cpp_generator.py:
1211         (CppGenerator.protocol_name):
1212         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1213         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1214         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1215         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1216         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1217
1218         * inspector/scripts/codegen/models.py:
1219         * inspector/scripts/codegen/objc_generator.py:
1220         (ObjCGenerator.protocol_name):
1221
1222         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1223         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1224         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1225         * inspector/scripts/tests/expected/enum-values.json-result:
1226         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1227         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1228         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1229         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1230         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1231         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1232         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1233         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1234         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1235         Rebaseline test results.
1236
1237 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1238
1239         [ES6] Module namespace object should not allow unset IC
1240         https://bugs.webkit.org/show_bug.cgi?id=160553
1241
1242         Reviewed by Saam Barati.
1243
1244         Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
1245         the structure. We should disable inline caching onto the namespace object. Once it is needed, we should
1246         create special caching for the namespace object like the following: it should be similar to a monomorphic IC,
1247         but it caches the object itself instead of the structure. It checks the object itself (and in the DFG, it should be
1248         CheckCell) and loads the value from the target module environment directly[1].
1249
1250         This patch also calls setIsTaintedByProxy for the module namespace object to notify the caller that
1251         this object has an impure ::getOwnPropertySlot. This function is now renamed to setIsTaintedByOpaqueObject.
1252
1253         We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
1254         for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So, in order not to throw any
1255         errors for the ::HasProperty case, we used slot.setCustom to delay the observable operation.
1256         But this hack lacks support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
1257         However, the previous implementation does not throw an error since the delayed observable part (the custom function part) is
1258         skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
1259         in test262.
1260
1261         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1262
1263         * jit/JITOperations.cpp:
1264         * runtime/ArrayPrototype.cpp:
1265         (JSC::getProperty):
1266         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1267         (JSC::constructGenericTypedArrayViewWithArguments):
1268         * runtime/JSModuleNamespaceObject.cpp:
1269         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1270         (JSC::callbackGetter): Deleted.
1271         * runtime/JSModuleNamespaceObject.h:
1272         * runtime/PropertySlot.cpp:
1273         (JSC::PropertySlot::getPureResult):
1274         * runtime/PropertySlot.h:
1275         (JSC::PropertySlot::PropertySlot):
1276         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1277         (JSC::PropertySlot::isTaintedByOpaqueObject):
1278         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1279         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1280         * runtime/ProxyObject.cpp:
1281         (JSC::ProxyObject::getOwnPropertySlotCommon):
1282
1283 2016-08-05  Keith Miller  <keith_miller@apple.com>
1284
1285         Add LEBDecoder and tests
1286         https://bugs.webkit.org/show_bug.cgi?id=160625
1287
1288         Reviewed by Benjamin Poulain.
1289
1290         Adds a new target testWASM that is currently used to test the LEB decoder.
1291         In the future, if we add more support for WASM we will put more tests
1292         here.
1293
1294         * JavaScriptCore.xcodeproj/project.pbxproj:
1295         * testWASM.cpp: Added.
1296         (CommandLine::CommandLine):
1297         (printUsageStatement):
1298         (CommandLine::parseArguments):
1299         (runLEBTests):
1300         (main):
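
        As an added example, not WebKit's LEBDecoder or the tests in testWASM.cpp, here is a
        LEB128 decoder in JavaScript for the 32-bit integers a WASM binary parser reads. The
        names decodeUnsignedLEB32, decodeSignedLEB32, decodeAll and the SAMPLE bytes are
        constructed for this illustration. It shows the three malformed inputs such a decoder
        has to refuse: truncated input, encodings longer than 5 bytes, and high bits in the
        final byte that would overflow 32 bits.

```javascript
// Added example (not WebKit's LEBDecoder or testWASM.cpp): a defensive LEB128
// decoder for the 32-bit integers a WASM binary parser reads, with the checks
// a fuzzer would exercise: truncated input, encodings longer than 5 bytes, and
// unused high bits in the final byte that would overflow 32 bits.

const MAX_LEB32_BYTES = 5; // ceil(32 / 7)

// Decodes an unsigned 32-bit LEB128 value at `offset` in `bytes` (Uint8Array).
// Returns { value, length }; throws RangeError on malformed input.
function decodeUnsignedLEB32(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  let pos = offset;
  for (;;) {
    if (pos >= bytes.length) throw new RangeError("truncated LEB128");
    if (pos - offset >= MAX_LEB32_BYTES) throw new RangeError("LEB128 too long for u32");
    const byte = bytes[pos++];
    // The 5th byte may carry only the top 4 bits of a u32 (its bits 0..3).
    if (pos - offset === MAX_LEB32_BYTES && (byte & 0x70) !== 0) {
      throw new RangeError("LEB128 value exceeds 32 bits");
    }
    result |= (byte & 0x7f) << shift;
    shift += 7;
    if ((byte & 0x80) === 0) return { value: result >>> 0, length: pos - offset };
  }
}

// Decodes a signed 32-bit LEB128 value. In a 5-byte encoding the unused bits
// must replicate the sign bit, so a value outside the i32 range is rejected
// instead of being silently truncated.
function decodeSignedLEB32(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  let pos = offset;
  let byte;
  do {
    if (pos >= bytes.length) throw new RangeError("truncated LEB128");
    if (pos - offset >= MAX_LEB32_BYTES) throw new RangeError("LEB128 too long for i32");
    byte = bytes[pos++];
    result |= (byte & 0x7f) << shift;
    shift += 7;
  } while (byte & 0x80);
  if (pos - offset === MAX_LEB32_BYTES) {
    // Bit 3 of the 5th byte is bit 31 of the value; bits 4..6 must match it.
    const expected = (byte & 0x08) ? 0x70 : 0x00;
    if ((byte & 0x70) !== expected) throw new RangeError("LEB128 value exceeds 32 bits");
  } else if (byte & 0x40) {
    result |= -1 << shift; // sign-extend from the last byte's bit 6 (shift < 32 here)
  }
  return { value: result | 0, length: pos - offset };
}

// Walks a byte stream of back-to-back unsigned values the way a section
// parser would, failing closed on the first malformed entry.
function decodeAll(bytes) {
  const values = [];
  let offset = 0;
  while (offset < bytes.length) {
    const { value, length } = decodeUnsignedLEB32(bytes, offset);
    values.push(value);
    offset += length;
  }
  return values;
}

// Constructed sample input: 624485, 1 and 4294967295 encoded back to back.
const SAMPLE = Uint8Array.of(0xe5, 0x8e, 0x26, 0x01, 0xff, 0xff, 0xff, 0xff, 0x0f);
console.log(decodeAll(SAMPLE));
```

        Throwing a RangeError lets the module parser reject the whole binary; letting the
        value wrap instead would hand an attacker-chosen count or offset to every later
        bounds check that trusts it.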
1301
1302 2016-08-05  Keith Miller  <keith_miller@apple.com>
1303
1304         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1305         https://bugs.webkit.org/show_bug.cgi?id=160620
1306
1307         Reviewed by Filip Pizlo.
1308
1309         * dfg/DFGSpeculativeJIT32_64.cpp:
1310         (JSC::DFG::SpeculativeJIT::compile):
1311
1312 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1313
1314         [JSC] Remove the first LocalCSE
1315         https://bugs.webkit.org/show_bug.cgi?id=160615
1316
1317         Reviewed by Saam Barati.
1318
1319         LocalCSE is the most expensive phase in DFG (excluding FTL).
1320
1321         The combination of two LocalCSEs does not seem to pay for its cost.
1322         Doing a single LocalCSE after ConstantFolding and StrengthReduction
1323         is always a win on my machine.
1324
1325         * dfg/DFGCleanUpPhase.cpp:
1326         (JSC::DFG::CleanUpPhase::run):
1327         * dfg/DFGPlan.cpp:
1328         (JSC::DFG::Plan::compileInThreadImpl):
1329
1330 2016-08-05  Saam Barati  <sbarati@apple.com>
1331
1332         various math operations don't properly check for an exception after calling toNumber() on the lhs
1333         https://bugs.webkit.org/show_bug.cgi?id=160154
1334
1335         Reviewed by Mark Lam.
1336
1337         We must check for an exception after calling toNumber() on the lhs
1338         because this can throw an exception. If we called toNumber() on
1339         the rhs without first checking for an exception after the toNumber()
1340         on the lhs, this can lead us to execute effectful code or deviate
1341         from the standard in subtle ways. I fixed this bug in various places
1342         by always checking for an exception after calling toNumber() on the
1343         lhs for the various bit and arithmetic operations.
1344
1345         This patch also found a commutativity bug inside DFGStrengthReduction.
1346         We could end up commuting the lhs and rhs of say an "|" expression
1347         even when the lhs/rhs may not be numbers. This is wrong because
1348         executing toNumber() on the lhs/rhs has strict ordering guarantees
1349         by the specification and is observable by user programs.
1350
1351         * dfg/DFGOperations.cpp:
1352         * dfg/DFGStrengthReductionPhase.cpp:
1353         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1354         * jit/JITOperations.cpp:
1355         * runtime/CommonSlowPaths.cpp:
1356         (JSC::SLOW_PATH_DECL):
1357         * runtime/Operations.cpp:
1358         (JSC::jsAddSlowCase):
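
        The ordering described in the entry above, as an added JavaScript example that is not
        part of the WebKit patch: ToNumber() on an object calls its valueOf(), so user code
        runs while an operator converts its operands, the lhs must be converted before the rhs,
        and an exception from the lhs must stop the rhs from ever being touched. The helper
        names makeTrace, observe, ops, orderingReport and commutedEvents, and the operand
        values 6 and 3, are constructed here.

```javascript
// Added example (not WebKit code): makes the conversion order of binary
// operators observable. ToNumber() on an object calls its valueOf(), so the
// spec-mandated lhs-then-rhs order, and the requirement that an exception
// from the lhs prevent the rhs conversion, are both visible to user code.

// Builds operands whose valueOf() logs its call and can optionally throw.
function makeTrace() {
  const events = [];
  const operand = (name, value, shouldThrow = false) => ({
    valueOf() {
      events.push(name);
      if (shouldThrow) throw new Error(`${name} conversion failed`);
      return value;
    },
  });
  return { events, operand };
}

// Evaluates op(lhs, rhs) with lhs = 6 and rhs = 3 (constructed values) and
// reports which conversions ran, the result, and any exception message.
function observe(op, lhsThrows) {
  const { events, operand } = makeTrace();
  const lhs = operand("lhs", 6, lhsThrows);
  const rhs = operand("rhs", 3);
  let result = null;
  let error = null;
  try {
    result = op(lhs, rhs);
  } catch (e) {
    error = e.message;
  }
  return { events, result, error };
}

// The bit and arithmetic operators the entry mentions, as plain functions.
const ops = {
  or: (a, b) => a | b,
  and: (a, b) => a & b,
  shl: (a, b) => a << b,
  sub: (a, b) => a - b,
  add: (a, b) => a + b,
};

// Runs every operator twice: once normally, once with a throwing lhs. In the
// throwing case the rhs valueOf() must never appear in the event list.
function orderingReport() {
  const report = {};
  for (const [name, op] of Object.entries(ops)) {
    report[name] = { normal: observe(op, false), lhsThrows: observe(op, true) };
  }
  return report;
}

// Commuting the operands (what the StrengthReduction bug did) is only safe
// when neither side can run user code; with objects the event order flips.
function commutedEvents() {
  return observe((a, b) => b | a, false).events;
}

console.log(JSON.stringify(orderingReport(), null, 2));
```

        The same trace technique works for any operator whose operands go through
        ToPrimitive; a JIT that reorders or skips one of these conversions changes
        what the program can observe, which is what the exception check restores.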
1359
1360 2016-08-05  Michael Saboff  <msaboff@apple.com>
1361
1362         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1363         https://bugs.webkit.org/show_bug.cgi?id=160614
1364
1365         Reviewed by Keith Miller.
1366
1367         In compilePutByValForIntTypedArray() we were calling out to the slow path
1368         operationToInt32() and then returning back to the middle of code to finish
1369         the processing of writing the value to the array.  When we make the slow
1370         path call, we trash any temporary registers that have been allocated.
1371         In general slow path calls should finish the operation in progress and
1372         continue processing at the beginning of the next node.
1373
1374         This was discovered while working on the register argument changes, when
1375         we SpeculateStrictInt32Operand on the value child node.  That child node's
1376         value was live in register with a spill format of DataFormatJSInt32.  In that
1377         case we allocate a new temporary register and copy just the lower 32 bits from
1378         the child register to the new temp register.  That temp register gets trashed
1379         when we make the operationToInt32() slow path call.
1380
1381         I spent some time trying to devise a test with the current code base and wasn't
1382         successful.  This case is tested with the register argument changes in progress.
1383
1384         * dfg/DFGSpeculativeJIT.cpp:
1385         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1386
1387 2016-08-05  Saam Barati  <sbarati@apple.com>
1388
1389         Assertion failure when accessing TDZ variable in catch through eval
1390         https://bugs.webkit.org/show_bug.cgi?id=160554
1391
1392         Reviewed by Mark Lam and Keith Miller.
1393
1394         When we were calculating the variables under TDZ from a JSScope,
1395         the algorithm was not taking into account that a catch scope
1396         has variables under TDZ.
1397
1398         * runtime/JSScope.cpp:
1399         (JSC::JSScope::collectVariablesUnderTDZ):
1400
1401 2016-08-05  Keith Miller  <keith_miller@apple.com>
1402
1403         Delete out of date WASM code.
1404         https://bugs.webkit.org/show_bug.cgi?id=160603
1405
1406         Reviewed by Saam Barati.
1407
1408         This patch removes a bunch of the wasm files that we are unlikely to use
1409         with the newer wasm spec. If we end up needing any of the deleted code
1410         later we can restore it at that time.
1411
1412         * CMakeLists.txt:
1413         * JavaScriptCore.xcodeproj/project.pbxproj:
1414         * jit/JITOperations.cpp:
1415         * jsc.cpp:
1416         (GlobalObject::finishCreation): Deleted.
1417         (functionLoadWebAssembly): Deleted.
1418         * llint/LLIntSlowPaths.cpp:
1419         (JSC::LLInt::setUpCall): Deleted.
1420         * runtime/Executable.cpp:
1421         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1422         * runtime/JSGlobalObject.cpp:
1423         (JSC::JSGlobalObject::init): Deleted.
1424         (JSC::JSGlobalObject::visitChildren): Deleted.
1425         * runtime/JSGlobalObject.h:
1426         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1427         * wasm/WASMConstants.h: Removed.
1428         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1429         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1430         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1431         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1432         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1433         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1434         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1435         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1436         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1437         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1438         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1439         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1440         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1441         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1442         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1443         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1444         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1445         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1446         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1447         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1448         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1449         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1450         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1451         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1452         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1453         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1454         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1455         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1456         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1457         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1458         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1459         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1460         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1461         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1462         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1463         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1464         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1465         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1466         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1467         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1468         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1469         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1470         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1471         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1472         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1473         * wasm/WASMFunctionCompiler.h: Removed.
1474         (JSC::operationConvertJSValueToInt32): Deleted.
1475         (JSC::operationConvertJSValueToDouble): Deleted.
1476         (JSC::operationDiv): Deleted.
1477         (JSC::operationMod): Deleted.
1478         (JSC::operationUnsignedDiv): Deleted.
1479         (JSC::operationUnsignedMod): Deleted.
1480         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1481         (JSC::sizeOfMemoryType): Deleted.
1482         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1483         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1484         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1485         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1486         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1487         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1488         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1489         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1490         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1491         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1492         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1493         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1494         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1495         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1496         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1497         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1498         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1499         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1500         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1501         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1502         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1503         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1504         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1505         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1506         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1507         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1508         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1509         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1510         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1511         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1512         (JSC::WASMFunctionCompiler::discard): Deleted.
1513         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1514         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1515         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1516         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1517         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1518         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1519         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1520         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1521         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1522         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1523         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1524         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1525         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1526         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1527         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1528         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1529         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1530         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1531         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1532         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1533         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1534         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1535         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1536         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1537         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1538         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1539         * wasm/WASMFunctionParser.cpp: Removed.
1540         (JSC::nameOfType): Deleted.
1541         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1542         (JSC::WASMFunctionParser::compile): Deleted.
1543         (JSC::WASMFunctionParser::parseFunction): Deleted.
1544         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1545         (JSC::WASMFunctionParser::parseStatement): Deleted.
1546         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1547         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1548         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1549         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1550         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1551         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1552         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1553         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1554         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1555         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1556         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1557         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1558         (JSC::WASMFunctionParser::parseExpression): Deleted.
1559         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1560         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1561         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1562         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1563         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1564         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1565         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1566         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1567         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1568         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1569         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1570         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1571         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1572         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1573         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1574         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1575         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1576         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1577         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1578         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1579         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1580         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1581         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1582         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1583         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1584         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1585         (JSC::WASMFunctionParser::parseLoad): Deleted.
1586         (JSC::WASMFunctionParser::parseStore): Deleted.
1587         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1588         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1589         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1590         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1591         (JSC::WASMFunctionParser::parseConditional): Deleted.
1592         (JSC::WASMFunctionParser::parseComma): Deleted.
1593         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1594         * wasm/WASMFunctionParser.h: Removed.
1595         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1596         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1597         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1598         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1599         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1600         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1601         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1602         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1603         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1604         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1605         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1606         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1607         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1608         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1609         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1610         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1611         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1612         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1613         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1614         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1615         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1616         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1617         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1618         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1619         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1620         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1621         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1622         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1623         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1624         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1625         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1626         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1627         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1628         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1629         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1630         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1631         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1632         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1633         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1634         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1635         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1636         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1637         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1638         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1639         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1640         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1641         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1642         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1643         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1644         * wasm/WASMModuleParser.cpp: Removed.
1645         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1646         (JSC::WASMModuleParser::parse): Deleted.
1647         (JSC::WASMModuleParser::parseModule): Deleted.
1648         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1649         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1650         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1651         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1652         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1653         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1654         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1655         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1656         (JSC::WASMModuleParser::parseExportSection): Deleted.
1657         (JSC::WASMModuleParser::getImportedValue): Deleted.
1658         (JSC::parseWebAssembly): Deleted.
1659         * wasm/WASMModuleParser.h: Removed.
1660         * wasm/WASMReader.cpp: Removed.
1661         (JSC::WASMReader::readUInt32): Deleted.
1662         (JSC::WASMReader::readFloat): Deleted.
1663         (JSC::WASMReader::readDouble): Deleted.
1664         (JSC::WASMReader::readCompactInt32): Deleted.
1665         (JSC::WASMReader::readCompactUInt32): Deleted.
1666         (JSC::WASMReader::readString): Deleted.
1667         (JSC::WASMReader::readType): Deleted.
1668         (JSC::WASMReader::readExpressionType): Deleted.
1669         (JSC::WASMReader::readExportFormat): Deleted.
1670         (JSC::WASMReader::readByte): Deleted.
1671         (JSC::WASMReader::readOpStatement): Deleted.
1672         (JSC::WASMReader::readOpExpressionI32): Deleted.
1673         (JSC::WASMReader::readOpExpressionF32): Deleted.
1674         (JSC::WASMReader::readOpExpressionF64): Deleted.
1675         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1676         (JSC::WASMReader::readVariableTypes): Deleted.
1677         (JSC::WASMReader::readOp): Deleted.
1678         (JSC::WASMReader::readSwitchCase): Deleted.
1679         * wasm/WASMReader.h: Removed.
1680         (JSC::WASMReader::WASMReader): Deleted.
1681         (JSC::WASMReader::offset): Deleted.
1682         (JSC::WASMReader::setOffset): Deleted.
1683
1684 2016-08-05  Keith Miller  <keith_miller@apple.com>
1685
1686         Fix 32-bit OverridesHasInstance in the DFG.
1687         https://bugs.webkit.org/show_bug.cgi?id=160600
1688
1689         Reviewed by Mark Lam.
1690
1691         In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
1692         do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
1693         was a constant late in compilation. That fix was omitted from the 32-bit version,
1694         causing the new test to fail.
1695
1696         * dfg/DFGSpeculativeJIT32_64.cpp:
1697         (JSC::DFG::SpeculativeJIT::compile):
1698
1699 2016-08-04  Saam Barati  <sbarati@apple.com>
1700
1701         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1702         https://bugs.webkit.org/show_bug.cgi?id=151241
1703
1704         Reviewed by Benjamin Poulain.
1705
1706         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
1707         We can now jettison a CodeBlock when it has been alive for a long time
1708         and is only pointed to by its owner executable. I haven't been able to get this
1709         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
1710         were causing this before. I've also added some stress options for this feature that
1711         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
1712         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
1713         and then the Executable would do some other allocations, causing a GC, immediately causing
1714         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before,
1715         however, it's unlikely given that the previous timing metrics require at least 5 seconds between
1716         compiling to jettisoning.
1717
1718         This patch also enables the stress options for various modes
1719         of JSC stress tests.
1720
1721         * bytecode/CodeBlock.cpp:
1722         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1723         (JSC::timeToLive):
1724         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1725         * interpreter/CallFrame.h:
1726         (JSC::ExecState::callee):
1727         (JSC::ExecState::unsafeCallee):
1728         (JSC::ExecState::codeBlock):
1729         (JSC::ExecState::addressOfCodeBlock):
1730         (JSC::ExecState::unsafeCodeBlock):
1731         (JSC::ExecState::scope):
1732         * interpreter/Interpreter.cpp:
1733         (JSC::Interpreter::execute):
1734         (JSC::Interpreter::executeCall):
1735         (JSC::Interpreter::executeConstruct):
1736         (JSC::Interpreter::prepareForRepeatCall):
1737         * jit/JITOperations.cpp:
1738         * llint/LLIntSlowPaths.cpp:
1739         (JSC::LLInt::setUpCall):
1740         * runtime/Executable.cpp:
1741         (JSC::ScriptExecutable::installCode):
1742         (JSC::setupJIT):
1743         (JSC::ScriptExecutable::prepareForExecutionImpl):
1744         * runtime/Executable.h:
1745         (JSC::ScriptExecutable::prepareForExecution):
1746         * runtime/Options.h:
1747
1748 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1749
1750         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1751         https://bugs.webkit.org/show_bug.cgi?id=160549
1752
1753         Reviewed by Saam Barati.
1754
1755         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1756
1757         * runtime/JSModuleNamespaceObject.cpp:
1758         (JSC::JSModuleNamespaceObject::finishCreation):
1759
1760 2016-08-04  Keith Miller  <keith_miller@apple.com>
1761
1762         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1763         https://bugs.webkit.org/show_bug.cgi?id=160562
1764         <rdar://problem/27704825>
1765
1766         Reviewed by Mark Lam.
1767
1768         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1769         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1770         associated with the assumption that this could not happen.
1771
1772         * dfg/DFGSpeculativeJIT64.cpp:
1773         (JSC::DFG::SpeculativeJIT::compile):
1774         * ftl/FTLLowerDFGToB3.cpp:
1775         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1776
1777 2016-08-04  Keith Miller  <keith_miller@apple.com>
1778
1779         Remove unused intrinsic member of NativeExecutable
1780         https://bugs.webkit.org/show_bug.cgi?id=160560
1781
1782         Reviewed by Saam Barati.
1783
1784         NativeExecutable has an Intrinsic member. It appears that this member is never
1785         used. Instead we use the Intrinsic member of NativeExecutable's superclass,
1786         ExecutableBase.
1787
1788         * runtime/Executable.h:
1789
1790 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
1791
1792         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
1793         https://bugs.webkit.org/show_bug.cgi?id=160539
1794
1795         Reviewed by Mark Lam.
1796
1797         This patch does small improvements to our handling
1798         of value propagation to the successors.
1799
1800         One key insight is that using HashMap to map Nodes
1801         to Value in valuesAtTail is too inefficient at the scale
1802         we use it. Instead, I reuse our existing mapping
1803         from every Node to its value, abstracted by forNode().
1804
1805         Since we are not going to use the mapping after endBasicBlock()
1806         I can replace whatever we had there. The next beginBasicBlock()
1807         will set up the new value as needed.
1808
1809         In endBasicBlock(), valuesAtTail is now a vector of all values live
1810         at tail. For each node, I merge the previous live at tail with
1811         the new value, then replace the value in the mapping.
1812         Liveness Analysis guarantees we won't have duplicates there which
1813         makes the replacement sound.
1814
1815         Next, when propagating, I take the vector of values live at head
1816         and use the global node->value mapping to find its new abstract value.
1817         Again, Liveness Analysis guarantees I won't find a value live at head
1818         that was not replaced by the merging at tail of the predecessor.
1819
1820         All our live lists have become vectors instead of HashTables.
1821         The mapping from Node to Value is always done by array indexing.
1822         Same big-O, much smaller constant.
1823
1824         * dfg/DFGAtTailAbstractState.cpp:
1825         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
1826         (JSC::DFG::AtTailAbstractState::createValueForNode):
1827         (JSC::DFG::AtTailAbstractState::forNode):
1828         * dfg/DFGAtTailAbstractState.h:
1829         I did not look much into this state, I just made it equivalent
1830         to the previous mapping.
1831
1832         * dfg/DFGBasicBlock.h:
1833         * dfg/DFGCFAPhase.cpp:
1834         (JSC::DFG::CFAPhase::performBlockCFA):
1835         * dfg/DFGGraph.cpp:
1836         (JSC::DFG::Graph::dump):
1837         * dfg/DFGInPlaceAbstractState.cpp:
1838         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1839
1840         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1841         AbstractValue is big enough that we really don't want to copy it twice.
1842
1843         (JSC::DFG::InPlaceAbstractState::merge):
1844         (JSC::DFG::setLiveValues): Deleted.
1845         * dfg/DFGInPlaceAbstractState.h:
1846
1847         * dfg/DFGPhiChildren.h:
1848         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
1849
1850 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1851
1852         [ES7] Update features.json for exponentiation expression
1853         https://bugs.webkit.org/show_bug.cgi?id=160541
1854
1855         Reviewed by Mark Lam.
1856
1857         * features.json:
1858
1859 2016-08-03  Chris Dumez  <cdumez@apple.com>
1860
1861         Drop DocumentType.internalSubset attribute
1862         https://bugs.webkit.org/show_bug.cgi?id=160530
1863
1864         Reviewed by Alex Christensen.
1865
1866         Drop DocumentType.internalSubset attribute.
1867
1868         * inspector/protocol/DOM.json:
1869
1870 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
1871
1872         [JSC] Improve the memory locality of DFG Node's AbstractValues
1873         https://bugs.webkit.org/show_bug.cgi?id=160443
1874
1875         Reviewed by Mark Lam.
1876
1877         The AbstractInterpreter spends a lot of time on memory operations
1878         for AbstractValues. This patch attempts to improve the situation
1879         by putting the values closer together in memory.
1880
1881         First, AbstractValue is moved out of DFG::Node and it kept in
1882         a vector addressed by node indices.
1883
1884         I initially moved them to InPlaceAbstractState but I quickly discovered
1885         initializing the values in the vector was costly.
1886         I moved the vector to Graph as a cache shared by every instantiation of
1887         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
1888         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
1889         should also help eventually.
1890
1891         I instrumented CFA to find how packed SparseCollection is.
1892         The answer is it can be very sparse, which is bad for CFA.
1893         I added packIndices() to repack the collection before running
1894         liveness since that's where we start using the memory intensively.
1895         This is a measurable improvement but it implies we can no longer
1896         keep indices on a side channel between phases since they may change.
1897
1898         * b3/B3SparseCollection.h:
1899         (JSC::B3::SparseCollection::packIndices):
1900         * dfg/DFGGraph.cpp:
1901         (JSC::DFG::Graph::packNodeIndices):
1902         * dfg/DFGGraph.h:
1903         (JSC::DFG::Graph::abstractValuesCache):
1904         * dfg/DFGInPlaceAbstractState.cpp:
1905         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
1906         * dfg/DFGInPlaceAbstractState.h:
1907         (JSC::DFG::InPlaceAbstractState::forNode):
1908         * dfg/DFGLivenessAnalysisPhase.cpp:
1909         (JSC::DFG::performLivenessAnalysis):
1910         * dfg/DFGNode.h:
1911
1912 2016-08-03  Caitlin Potter  <caitp@igalia.com>
1913
1914         Clarify SyntaxErrors around yield and unskip tests
1915         https://bugs.webkit.org/show_bug.cgi?id=158460
1916
1917         Reviewed by Saam Barati.
1918
1919         Fix and unskip tests which erroneously asserted that `yield` is not a
1920         valid BindingIdentifier, and improve error message for YieldExpressions
1921         occurring in Arrow formal parameters.
1922
1923         * parser/Parser.cpp:
1924         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
1925         (JSC::Parser<LexerType>::parseFunctionInfo):
1926         (JSC::Parser<LexerType>::parseYieldExpression):
1927         * parser/Parser.h:
1928
1929 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
1930
1931         REGRESSION(r203368): broke some test262 tests
1932         https://bugs.webkit.org/show_bug.cgi?id=160479
1933
1934         Reviewed by Mark Lam.
1935         
1936         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
1937         Accessor properties.
1938
1939         * runtime/Structure.cpp:
1940         (JSC::Structure::nonPropertyTransition):
1941         * runtime/StructureTransitionTable.h:
1942         (JSC::setsDontDeleteOnAllProperties):
1943         (JSC::setsReadOnlyOnNonAccessorProperties):
1944         (JSC::setsReadOnlyOnAllProperties): Deleted.
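
        The detail behind this fix, shown from the JavaScript side as an added example
        (not JSC source and not part of this ChangeLog): Object.freeze() clears [[Writable]]
        on data properties and [[Configurable]] on every property, but an accessor property
        has no [[Writable]] attribute, so its setter must keep running after the freeze.
        The sample object and its backing store are constructed for this demonstration.

```javascript
// Added example (not from the WebKit ChangeLog or JSC): what Object.freeze
// must and must not do to accessor properties, the case bug 160479 fixed.
// The object below is constructed for this demonstration.

// Build an object with one data property and one accessor property whose
// setter records writes into a backing field.
function makeSample() {
  const backing = { stored: 0 };
  const obj = {
    data: 1,
    get acc() { return backing.stored; },
    set acc(v) { backing.stored = v; },
  };
  return { obj, backing };
}

// Freeze the object and report the resulting descriptors plus the
// observable behaviour of assignments made afterwards.
function freezeAndProbe() {
  const { obj, backing } = makeSample();
  Object.freeze(obj);

  const dataDesc = Object.getOwnPropertyDescriptor(obj, 'data');
  const accDesc = Object.getOwnPropertyDescriptor(obj, 'acc');

  // Assignment to a frozen data property is silently ignored in sloppy
  // mode and throws a TypeError in strict mode; probe it in strict mode.
  let dataWriteThrew = false;
  try {
    (function () { 'use strict'; obj.data = 2; })();
  } catch (e) {
    dataWriteThrew = e instanceof TypeError;
  }

  // Assignment to the accessor still invokes the setter: freezing made it
  // non-configurable, but there is no [[Writable]] on an accessor to clear.
  (function () { 'use strict'; obj.acc = 42; })();

  return {
    frozen: Object.isFrozen(obj),
    dataWritable: dataDesc.writable,        // false after freeze
    dataConfigurable: dataDesc.configurable, // false after freeze
    accHasWritable: 'writable' in accDesc,   // accessors never carry it
    accConfigurable: accDesc.configurable,   // false after freeze
    setterStillPresent: typeof accDesc.set === 'function',
    dataWriteThrew,
    accValueAfterWrite: obj.acc,
    backingAfterWrite: backing.stored,
  };
}
```

        An engine that marked the accessor ReadOnly would either drop the setter
        or make the strict-mode assignment to `acc` throw; the probe above
        distinguishes the two cases by checking both the descriptor and the
        backing store after the write.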
1945
1946 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
1947
1948         Lacking support on an arm-traditional disassembler.
1949         https://bugs.webkit.org/show_bug.cgi?id=123717
1950
1951         Reviewed by Mark Lam.
1952
1953         * CMakeLists.txt:
1954         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
1955         (JSC::tryToDisassemble):
1956
1957 2016-08-03  Saam Barati  <sbarati@apple.com>
1958
1959         Implement nested rest destructuring w.r.t the ES7 spec
1960         https://bugs.webkit.org/show_bug.cgi?id=160423
1961
1962         Reviewed by Filip Pizlo.
1963
1964         The spec has updated the BindingRestElement grammar production to be:
1965         BindingRestElement:
1966            BindingIdentifier
1967            BindingPattern.
1968
1969         It used to only allow BindingIdentifier in the grammar production.
1970         I've updated our engine to account for this. The semantics are exactly
1971         what you'd expect.  For example:
1972         `let [a, ...[b, ...c]] = expr();`
1973         means that we create an array for the first rest element `...[b, ...c]`
1974         and then perform the binding of `[b, ...c]` to that array. And so on, 
1975         applied recursively through the pattern.
1976
1977         * bytecompiler/NodesCodegen.cpp:
1978         (JSC::RestParameterNode::collectBoundIdentifiers):
1979         (JSC::RestParameterNode::toString):
1980         (JSC::RestParameterNode::bindValue):
1981         (JSC::RestParameterNode::emit):
1982         * parser/ASTBuilder.h:
1983         (JSC::ASTBuilder::createBindingLocation):
1984         (JSC::ASTBuilder::createRestParameter):
1985         (JSC::ASTBuilder::createAssignmentElement):
1986         * parser/NodeConstructors.h:
1987         (JSC::AssignmentElementNode::AssignmentElementNode):
1988         (JSC::RestParameterNode::RestParameterNode):
1989         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
1990         * parser/Nodes.h:
1991         (JSC::RestParameterNode::name): Deleted.
1992         * parser/Parser.cpp:
1993         (JSC::Parser<LexerType>::parseDestructuringPattern):
1994         (JSC::Parser<LexerType>::parseFormalParameters):
1995         * parser/SyntaxChecker.h:
1996         (JSC::SyntaxChecker::operatorStackPop):
1997
1998 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
1999
2000         [JSC] Fix Windows build after r204065
2001
2002         * dfg/DFGAbstractValue.cpp:
2003         (JSC::DFG::AbstractValue::observeTransitions):
2004         AbstractValue is bigger on Windows for an unknown reason.
2005
2006 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2007
2008         [JSC] Fix 32bits jsc after r204065
2009
2010         Default constructed JSValue() are not equal to zero in 32bits.
2011
2012         * dfg/DFGAbstractValue.h:
2013         (JSC::DFG::AbstractValue::AbstractValue):
2014
2015 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2016
2017         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2018         https://bugs.webkit.org/show_bug.cgi?id=160370
2019
2020         Reviewed by Saam Barati.
2021
2022         We use a ton of AbstractValue to run the Abstract Interpreter.
2023
2024         When we set up the initial values, the compiler sets
2025         a zero on a first word, a one on a second word, and a zero
2026         again on a third word.
2027         Since no vector or double-store can deal with 3 words, unrolling
2028         is done by repeating those instructions.
2029
2030         The reason for the one was TinyPtrSet. It needed a flag for
2031         empty value to identify the set as thin. I flipped the flag to "fat"
2032         to make sure TinyPtrSet is initialized to zero.
2033
2034         With that done, I just had to clean some places to make
2035         the initialization shorter.
2036         It makes the binary easier to follow but this does not help with
2037         the bigger problem: the time spent per block on Abstract Interpreter.
2038
2039         * bytecode/Operands.h:
2040         The traits were useless; no client code defines them.
2041
2042         (JSC::Operands::Operands):
2043         (JSC::Operands::ensureLocals):
2044         Because of the size of the function, llvm is not inlining it.
2045         We were literally loading 3 registers from memory and storing
2046         them in the vector.
2047         Now that AbstractValue has a VectorTraits, we should just rely
2048         on the memset of Vector when possible.
2049
2050         (JSC::Operands::getLocal):
2051         (JSC::Operands::setArgumentFirstTime):
2052         (JSC::Operands::setLocalFirstTime):
2053         (JSC::Operands::clear):
2054         (JSC::OperandValueTraits::defaultValue): Deleted.
2055         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2056         * bytecode/OperandsInlines.h:
2057         (JSC::Operands<T>::dumpInContext):
2058         (JSC::Operands<T>::dump):
2059         (JSC::Traits>::dumpInContext): Deleted.
2060         (JSC::Traits>::dump): Deleted.
2061         * dfg/DFGAbstractValue.cpp:
2062         * dfg/DFGAbstractValue.h:
2063         (JSC::DFG::AbstractValue::AbstractValue):
2064
2065 2016-08-02  Saam Barati  <sbarati@apple.com>
2066
2067         update a class extending null w.r.t the ES7 spec
2068         https://bugs.webkit.org/show_bug.cgi?id=160417
2069
2070         Reviewed by Keith Miller.
2071
2072         When a class extends null, it should not be marked as a derived class.
2073         This was changed in the ES2016 spec, and this patch makes the needed
2074         changes in JSC to follow the spec. This allows classes to extend
2075         null and have their default constructor invoked without throwing an exception.
2076         This also prevents |this| from being under TDZ at the start of the constructor.
2077         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2078         syntax, we don't know statically if a constructor is extending null or not.
2079         Therefore, we don't always know statically if it's a base or derived constructor.
2080         I solved this by putting a boolean on the constructor function under a private
2081         symbol named isDerivedConstructor when doing class construction. We only need
2082         to put this boolean on constructors that may extend null. Constructors that are
2083         declared in a class with no extends syntax can tell statically that they are a base constructor.
2084
2085         I've also renamed the ConstructorKind::Derived enum value to be
2086         ConstructorKind::Extends to better indicate that we can't answer
2087         the "am I a derived constructor?" question statically.
2088
2089         * builtins/BuiltinExecutables.cpp:
2090         (JSC::BuiltinExecutables::createDefaultConstructor):
2091         * builtins/BuiltinNames.h:
2092         * bytecompiler/BytecodeGenerator.cpp:
2093         (JSC::BytecodeGenerator::BytecodeGenerator):
2094         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2095         (JSC::BytecodeGenerator::emitReturn):
2096         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2097         (JSC::BytecodeGenerator::ensureThis):
2098         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2099         * bytecompiler/BytecodeGenerator.h:
2100         (JSC::BytecodeGenerator::makeFunction):
2101         * bytecompiler/NodesCodegen.cpp:
2102         (JSC::EvalFunctionCallNode::emitBytecode):
2103         (JSC::FunctionCallValueNode::emitBytecode):
2104         (JSC::FunctionNode::emitBytecode):
2105         (JSC::ClassExprNode::emitBytecode):
2106         * parser/Parser.cpp:
2107         (JSC::Parser<LexerType>::Parser):
2108         (JSC::Parser<LexerType>::parseFunctionInfo):
2109         (JSC::Parser<LexerType>::parseClass):
2110         (JSC::Parser<LexerType>::parseMemberExpression):
2111         * parser/ParserModes.h:
2112
2113 2016-08-02  Enrica Casucci  <enrica@apple.com>
2114
2115         Allow building with content filtering disabled.
2116         https://bugs.webkit.org/show_bug.cgi?id=160454
2117
2118         Reviewed by Simon Fraser.
2119
2120         * Configurations/FeatureDefines.xcconfig:
2121
2122 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2123
2124         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2125         https://bugs.webkit.org/show_bug.cgi?id=159759
2126
2127         Reviewed by Saam Barati.
2128
2129         * jit/JITMathIC.h:
2130         (JSC::JITMathIC::generateInline):
2131
2132 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2133
2134         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2135         https://bugs.webkit.org/show_bug.cgi?id=160438
2136
2137         Reviewed by Mark Lam.
2138         
2139         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2140         catching stack overflow due to large parameter count. It would only catch regular old stack
2141         overflow, like if the frame pointer was already past the limit.
2142         
2143         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2144         the stack due to large parameter count were not going down that path at all, so we haven't had
2145         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2146         case.
2147
2148         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2149         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2150         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2151         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2152         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2153         a stack frame roll back normally does, since exception unwinding needs to see the current value
2154         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2155         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2156         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2157         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2158         To signal this, I could have either made topCallFrame point to the real top JS call frame
2159         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2160         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2161         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2162         engine against this case.
2163         
2164         * interpreter/StackVisitor.cpp:
2165         (JSC::StackVisitor::StackVisitor):
2166         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2167         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2168         StackVisitor is the only place that needs to be taught about this at this time, because it's
2169         one of the few things that access topCallFrame along this special path.
2170         
2171         * jit/JITOperations.cpp: Roll back the top call frame.
2172         * runtime/CommonSlowPaths.cpp:
2173         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2174
2175 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2176
2177         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2178         https://bugs.webkit.org/show_bug.cgi?id=160439
2179
2180         Reviewed by Filip Pizlo.
2181
2182         * assembler/MacroAssemblerARM64.h:
2183         (JSC::MacroAssemblerARM64::branchTest64):
2184         * b3/air/AirOpcode.opcodes:
2185         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2186
2187 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2188
2189         [B3] Fusing immediates into test instructions should work again
2190         https://bugs.webkit.org/show_bug.cgi?id=160073
2191
2192         Reviewed by Sam Weinig.
2193
2194         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2195         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2196         was still using Imm!  This meant that isValidForm() always returned false.
2197         
2198         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2199         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2200         with the scratch register).
2201         
2202         This is not an obvious progression on anything, so I added comprehensive tests to
2203         testb3, which check that we selected the optimal instruction in a variety of situations.
2204         We should add more tests like this!
2205
2206         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2207         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2208         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2209
2210         * b3/B3BasicBlock.h:
2211         (JSC::B3::BasicBlock::successorBlock):
2212         * b3/B3LowerToAir.cpp:
2213         (JSC::B3::Air::LowerToAir::createGenericCompare):
2214         * b3/B3LowerToAir.h:
2215         * b3/air/AirArg.cpp:
2216         (JSC::B3::Air::Arg::isRepresentableAs):
2217         (JSC::B3::Air::Arg::usesTmp):
2218         * b3/air/AirArg.h:
2219         (JSC::B3::Air::Arg::isRepresentableAs):
2220         (JSC::B3::Air::Arg::castToType):
2221         (JSC::B3::Air::Arg::asNumber):
2222         * b3/air/AirCode.h:
2223         (JSC::B3::Air::Code::size):
2224         (JSC::B3::Air::Code::at):
2225         * b3/air/AirOpcode.opcodes:
2226         * b3/air/AirValidate.h:
2227         * b3/air/opcode_generator.rb:
2228         * b3/testb3.cpp:
2229         (JSC::B3::compile):
2230         (JSC::B3::compileAndRun):
2231         (JSC::B3::lowerToAirForTesting):
2232         (JSC::B3::testSomeEarlyRegister):
2233         (JSC::B3::testBranchBitAndImmFusion):
2234         (JSC::B3::zero):
2235         (JSC::B3::run):
2236
2237 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2238
2239         Rationalize varargs stack overflow checks
2240         https://bugs.webkit.org/show_bug.cgi?id=160425
2241
2242         Reviewed by Michael Saboff.
2243
2244         * ftl/FTLLink.cpp:
2245         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2246         * runtime/CommonSlowPaths.h:
2247         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2248
2249 2016-08-01  Saam Barati  <sbarati@apple.com>
2250
2251         Sub should be a Math IC
2252         https://bugs.webkit.org/show_bug.cgi?id=160270
2253
2254         Reviewed by Mark Lam.
2255
2256         This makes Sub an IC like Mul and Add. I'm seeing the following
2257         improvements of average Sub size on Unity and JetStream:
2258
2259                    |  JetStream  |  Unity 3D  |
2260              ------|-------------|------------|
2261               Old  |  202 bytes  |  205 bytes |
2262              ------|-------------|------------|
2263               New  |  134 bytes  |  134 bytes |
2264              -------------------------------------
2265
2266         * bytecode/CodeBlock.cpp:
2267         (JSC::CodeBlock::addJITMulIC):
2268         (JSC::CodeBlock::addJITSubIC):
2269         (JSC::CodeBlock::findStubInfo):
2270         (JSC::CodeBlock::dumpMathICStats):
2271         * bytecode/CodeBlock.h:
2272         (JSC::CodeBlock::stubInfoBegin):
2273         (JSC::CodeBlock::stubInfoEnd):
2274         * dfg/DFGSpeculativeJIT.cpp:
2275         (JSC::DFG::SpeculativeJIT::compileArithSub):
2276         * ftl/FTLLowerDFGToB3.cpp:
2277         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2278         * jit/JITArithmetic.cpp:
2279         (JSC::JIT::emit_op_sub):
2280         (JSC::JIT::emitSlow_op_sub):
2281         (JSC::JIT::emit_op_pow):
2282         * jit/JITMathIC.h:
2283         * jit/JITMathICForwards.h:
2284         * jit/JITOperations.cpp:
2285         * jit/JITOperations.h:
2286         * jit/JITSubGenerator.cpp:
2287         (JSC::JITSubGenerator::generateInline):
2288         (JSC::JITSubGenerator::generateFastPath):
2289         * jit/JITSubGenerator.h:
2290         (JSC::JITSubGenerator::JITSubGenerator):
2291         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2292         (JSC::JITSubGenerator::isRightOperandValidConstant):
2293         (JSC::JITSubGenerator::arithProfile):
2294         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2295         (JSC::JITSubGenerator::endJumpList): Deleted.
2296         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2297
2298 2016-08-01  Keith Miller  <keith_miller@apple.com>
2299
2300         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2301         https://bugs.webkit.org/show_bug.cgi?id=160372
2302
2303         Rubber stamped by Geoffrey Garen.
2304
2305         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2306         a new top level directory, JSTests. Having the tests in the Source directory
2307         was both confusing and inconvenient for people who just want to check out the
2308         source code of WebKit. Since there is no other obvious place to put all the
2309         JavaScript tests, a new top-level directory seemed the most sensible.
2310
2311         * tests/: Deleted.
2312
2313 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2314
2315         [JSC] Should check Test262Error correctly
2316         https://bugs.webkit.org/show_bug.cgi?id=159862
2317
2318         Reviewed by Saam Barati.
2319
2320         Test262Error in the harness does not have "name" property.
2321         Rather than checking the "name" property, performing `instanceof` is better to check the class of the exception.
2322
2323         * jsc.cpp:
2324         (checkUncaughtException):
2325         * runtime/JSObject.h:
2326         * tests/test262.yaml:
2327
2328 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2329
2330         [ES6] Module binding can be exported by multiple names
2331         https://bugs.webkit.org/show_bug.cgi?id=160343
2332
2333         Reviewed by Saam Barati.
2334
2335         ES6 Module can export the same local binding by using multiple names.
2336         For example,
2337
2338             ```
2339             var value = 42;
2340
2341             export { value };
2342             export { value as value2 };
2343             ```
2344
2345         Currently, we only allow one local binding to be exported with one name. So, in the above case,
2346         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
2347
2348         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2349         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
2350         this information when creating the export entries in ModuleAnalyzer.
2351
2352         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2353         names should be managed per-module, not per-scope.
2354
2355         This change fixes several test262 failures.
2356
2357         * JavaScriptCore.xcodeproj/project.pbxproj:
2358         * parser/ModuleAnalyzer.cpp:
2359         (JSC::ModuleAnalyzer::exportVariable):
2360         (JSC::ModuleAnalyzer::analyze):
2361         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2362         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2363         * parser/ModuleAnalyzer.h:
2364         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2365         (JSC::ModuleScopeData::create):
2366         (JSC::ModuleScopeData::exportedBindings):
2367         (JSC::ModuleScopeData::exportName):
2368         (JSC::ModuleScopeData::exportBinding):
2369         * parser/Nodes.cpp:
2370         (JSC::ProgramNode::ProgramNode):
2371         (JSC::ModuleProgramNode::ModuleProgramNode):
2372         (JSC::EvalNode::EvalNode):
2373         (JSC::FunctionNode::FunctionNode):
2374         * parser/Nodes.h:
2375         (JSC::ModuleProgramNode::moduleScopeData):
2376         * parser/NodesAnalyzeModule.cpp:
2377         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2378         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2379         * parser/Parser.cpp:
2380         (JSC::Parser<LexerType>::Parser):
2381         (JSC::Parser<LexerType>::parseModuleSourceElements):
2382         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2383         (JSC::Parser<LexerType>::createBindingPattern):
2384         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2385         (JSC::Parser<LexerType>::parseClassDeclaration):
2386         (JSC::Parser<LexerType>::parseExportSpecifier):
2387         (JSC::Parser<LexerType>::parseExportDeclaration):
2388         * parser/Parser.h:
2389         (JSC::Parser::exportName):
2390         (JSC::Parser<LexerType>::parse):
2391         (JSC::ModuleScopeData::create): Deleted.
2392         (JSC::ModuleScopeData::exportedBindings): Deleted.
2393         (JSC::ModuleScopeData::exportName): Deleted.
2394         (JSC::ModuleScopeData::exportBinding): Deleted.
2395         (JSC::Scope::Scope): Deleted.
2396         (JSC::Scope::setSourceParseMode): Deleted.
2397         (JSC::Scope::moduleScopeData): Deleted.
2398         (JSC::Scope::setIsModule): Deleted.
2399         * tests/modules/aliased-names.js: Added.
2400         * tests/modules/aliased-names/main.js: Added.
2401         (change):
2402         * tests/stress/modules-syntax-error-with-names.js:
2403         (export.Cocoa):
2404         (SyntaxError.Cannot.export.a.duplicate.name):
2405         * tests/test262.yaml:
2406
2407 2016-07-30  Mark Lam  <mark.lam@apple.com>
2408
2409         Assertion failure while setting the length of an ArrayClass array.
2410         https://bugs.webkit.org/show_bug.cgi?id=160381
2411         <rdar://problem/27328703>
2412
2413         Reviewed by Filip Pizlo.
2414
2415         When setting large length values, we're currently treating ArrayClass as a
2416         ContiguousIndexingType array.  This results in an assertion failure.  This is
2417         now fixed.
2418
2419         There are currently only 2 places where we create arrays with indexing type
2420         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2421         takes care of ArrayPrototype.
2422
2423         RuntimeArray already checks for the setting of its length property, and will
2424         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
2425         Instead, I added some test cases to ensure that the check and throw behavior does
2426         not change without notice.
2427
2428         * runtime/JSArray.cpp:
2429         (JSC::JSArray::setLength):
2430         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2431         (toString):
2432         (assertEqual):
2433         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2434         (toString):
2435         (assertEqual):
2436
2437 2016-07-29  Keith Miller  <keith_miller@apple.com>
2438
2439         TypedArray super constructor has some incompatibilities
2440         https://bugs.webkit.org/show_bug.cgi?id=160369
2441
2442         Reviewed by Filip Pizlo.
2443
2444         This patch fixes the length property of the TypedArray super constructor.
2445         Additionally, the TypedArray super constructor should no longer be callable.
2446
2447         Also, this patch fixes the expected result of some test262 tests.
2448
2449         * runtime/JSTypedArrayViewConstructor.cpp:
2450         (JSC::JSTypedArrayViewConstructor::finishCreation):
2451         (JSC::constructTypedArrayView):
2452         (JSC::JSTypedArrayViewConstructor::getCallData):
2453         * tests/test262.yaml:
2454
2455 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2456
2457         Undefined Behavior in JSValue cast from NaN
2458         https://bugs.webkit.org/show_bug.cgi?id=160322
2459
2460         Reviewed by Mark Lam.
2461
2462         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2463
2464         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2465         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2466         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2467         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
2468         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
2469
2470         * runtime/JSCJSValueInlines.h:
2471         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
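
         The NaN-to-int32 hazard the entry above describes, as an added example that is not JSC's own code: a constructed tagged-value type whose `makeValueUnsafe` mirrors the convert-then-compare ordering (undefined behaviour for NaN and out-of-range doubles), beside `fitsInt32`/`makeValue`, which reject such inputs before casting, and `makeNaN`, which builds the NaN value directly as a double the way the fixed `jsNaN()` does. All names are assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed example (not JSC's own code): a minimal tagged value that holds
// either an int32 payload or a double payload, standing in for JSValue.
struct TaggedValue {
    bool isInt32;
    int32_t int32Payload;   // valid only when isInt32 is true
    double doublePayload;   // valid only when isInt32 is false
};

// The ordering the entry above describes: convert first, compare afterwards.
// static_cast<int32_t>(d) is undefined behaviour in C++ when d is NaN,
// infinite, or outside the int32 range, so the comparison that follows cannot
// be relied upon to "fail safely" for those inputs. Kept here only to show the
// shape of the problem; it is not called with such values.
TaggedValue makeValueUnsafe(double d)
{
    const int32_t asInt32 = static_cast<int32_t>(d); // UB for NaN / out of range
    if (asInt32 != d || (!asInt32 && std::signbit(d)))
        return { false, 0, d };         // not an int32 (or is -0.0): keep as double
    return { true, asInt32, 0.0 };
}

// Hardened check: decide representability on the double itself, and only cast
// once every precondition of the conversion holds.
bool fitsInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return false;                   // NaN compares unequal to everything; inf has no int32
    const double lo = static_cast<double>(std::numeric_limits<int32_t>::min());
    const double hi = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (d < lo || d > hi)
        return false;                   // out of range: the conversion would be UB
    if (d != std::trunc(d))
        return false;                   // a fractional part would be lost
    if (d == 0.0 && std::signbit(d))
        return false;                   // -0.0 is observable in JS; it must stay a double
    return true;
}

TaggedValue makeValue(double d)
{
    if (fitsInt32(d))
        return { true, static_cast<int32_t>(d), 0.0 }; // the cast is now well-defined
    return { false, 0, d };
}

// Counterpart of the fixed jsNaN(): construct the NaN value as a double
// directly, never routing it through the int32 probe at all.
TaggedValue makeNaN()
{
    return { false, 0, std::numeric_limits<double>::quiet_NaN() };
}
```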
2472
2473 2016-07-29  Michael Saboff  <msaboff@apple.com>
2474
2475         Refactor DFG::Node::hasLocal() to accessesStack()
2476         https://bugs.webkit.org/show_bug.cgi?id=160357
2477
2478         Reviewed by Filip Pizlo.
2479
2480         Refactoring in preparation for using register arguments for JavaScript calls.
2481
2482         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2483         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2484         use guards stack operation logic associated with the Node's VariableAccessData.
2485
2486         The hasVariableAccessData() check now implies no more than the node has a
2487         VariableAccessData and nothing about its use of that data to coordinate stack
2488         accesses.
2489
2490         * dfg/DFGGraph.cpp:
2491         (JSC::DFG::Graph::dump):
2492         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2493         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2494         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2495         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2496         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2497         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2498         * dfg/DFGNode.h:
2499         (JSC::DFG::Node::containsMovHint):
2500         (JSC::DFG::Node::accessesStack):
2501         (JSC::DFG::Node::hasLocal): Deleted.
2502         * dfg/DFGPredictionInjectionPhase.cpp:
2503         (JSC::DFG::PredictionInjectionPhase::run):
2504         * dfg/DFGValidate.cpp:
2505
2506 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2507
2508         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2509         https://bugs.webkit.org/show_bug.cgi?id=160346
2510
2511         Reviewed by Geoffrey Garen.
2512
2513         In Air, we minimized memory accesses during liveness analysis
2514         with a couple of tricks:
2515         -Use a single Sparse Set ADT for the live value of each block.
2516         -Manipulate compact positive indices instead of hashing values.
2517
2518         This patch brings the same ideas to DFG.
2519
2520         This patch still uses the same fixpoint algorithms.
2521         The reason is Edge's KillStatus used by other phases. We cannot
2522         use a block-boundary liveness algorithm and update KillStatus
2523         simultaneously. It's something I'll probably revisit at some point.
2524
2525         * dfg/DFGAbstractInterpreterInlines.h:
2526         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2527         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2528         * dfg/DFGBasicBlock.h:
2529         * dfg/DFGGraph.h:
2530         (JSC::DFG::Graph::maxNodeCount):
2531         (JSC::DFG::Graph::nodeAt):
2532         * dfg/DFGInPlaceAbstractState.cpp:
2533         (JSC::DFG::setLiveValues):
2534         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2535         * dfg/DFGLivenessAnalysisPhase.cpp:
2536         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2537         (JSC::DFG::LivenessAnalysisPhase::run):
2538         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2539         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2540         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2541
2542 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2543
2544         Unreviewed, ByValInfo is only used in JIT enabled environments
2545         https://bugs.webkit.org/show_bug.cgi?id=158908
2546
2547         * bytecode/CodeBlock.cpp:
2548         (JSC::CodeBlock::stronglyVisitStrongReferences):
2549
2550 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2551
2552         JSC::Symbol should be hash-consed
2553         https://bugs.webkit.org/show_bug.cgi?id=158908
2554
2555         Reviewed by Filip Pizlo.
2556
2557         Previously, the SymbolImpls held by symbols represented the identity of the symbols.
2558         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
2559
2560         This patch performs hash-consing onto the symbols. We cache symbols in per-VM's SymbolImpl-keyed WeakGCMap.
2561         When creating a new symbol from SymbolImpl, we first query to this map and reuse the previously created symbol
2562         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2563         pointer-comparison to query the equality of symbols.
2564
2565         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
2566         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2567         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2568         case is handled by CheckCell.
2569
2570         Additionally, this patch also cleans up Map / Set implementation since we can use the logic for JSCell to symbols.
2571
2572         The performance effects on the related benchmarks are the following.
2573
2574                                                                baseline                   patch
2575
2576             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2577             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2578             fold-put-by-val-with-symbol-to-multi-put-by-offset
2579                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2580             inlined-put-by-val-with-symbol-transition
2581                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2582             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2583             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2584                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2585             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2586             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2587             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2588             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2589             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2590                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2591             get-by-val-with-symbol-chain-from-try-block
2592                                                             2.2316+-0.0179            2.2137+-0.0210
2593             get-by-val-with-symbol-bimorphic-check-structure-elimination
2594                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2595             get-by-val-with-symbol-check-structure-elimination
2596                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2597             put-by-val-with-symbol-slightly-polymorphic
2598                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2599             put-by-val-with-symbol-replace-and-transition
2600                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2601
2602             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2603
2604         * bytecode/ByValInfo.h:
2605         * bytecode/CodeBlock.cpp:
2606         (JSC::CodeBlock::stronglyVisitStrongReferences):
2607         * dfg/DFGAbstractInterpreterInlines.h:
2608         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2609         * dfg/DFGByteCodeParser.cpp:
2610         (JSC::DFG::ByteCodeParser::parseBlock):
2611         * dfg/DFGClobberize.h:
2612         (JSC::DFG::clobberize):
2613         * dfg/DFGConstantFoldingPhase.cpp:
2614         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2615         * dfg/DFGDoesGC.cpp:
2616         (JSC::DFG::doesGC):
2617         * dfg/DFGFixupPhase.cpp:
2618         (JSC::DFG::FixupPhase::fixupNode):
2619         * dfg/DFGNode.h:
2620         (JSC::DFG::Node::hasUidOperand):
2621         * dfg/DFGNodeType.h:
2622         * dfg/DFGPredictionPropagationPhase.cpp:
2623         * dfg/DFGSafeToExecute.h:
2624         (JSC::DFG::safeToExecute):
2625         * dfg/DFGSpeculativeJIT.cpp:
2626         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2627         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2628         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2629         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2630         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2631         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2632         * dfg/DFGSpeculativeJIT.h:
2633         * dfg/DFGSpeculativeJIT32_64.cpp:
2634         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2635         (JSC::DFG::SpeculativeJIT::compile):
2636         * dfg/DFGSpeculativeJIT64.cpp:
2637         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2638         (JSC::DFG::SpeculativeJIT::compile):
2639         * ftl/FTLAbstractHeapRepository.h:
2640         * ftl/FTLCapabilities.cpp:
2641         (JSC::FTL::canCompile):
2642         * ftl/FTLLowerDFGToB3.cpp:
2643         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2644         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2645         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2646         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2647         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2648         * jit/JIT.h:
2649         * jit/JITOperations.cpp:
2650         (JSC::tryGetByValOptimize):
2651         * jit/JITPropertyAccess.cpp:
2652         (JSC::JIT::emitGetByValWithCachedId):
2653         (JSC::JIT::emitPutByValWithCachedId):
2654         (JSC::JIT::emitByValIdentifierCheck):
2655         (JSC::JIT::privateCompileGetByValWithCachedId):
2656         (JSC::JIT::privateCompilePutByValWithCachedId):
2657         (JSC::JIT::emitIdentifierCheck): Deleted.
2658         * jit/JITPropertyAccess32_64.cpp:
2659         (JSC::JIT::emitGetByValWithCachedId):
2660         (JSC::JIT::emitPutByValWithCachedId):
2661         * runtime/JSCJSValue.cpp:
2662         (JSC::JSValue::dumpInContextAssumingStructure):
2663         * runtime/JSCJSValueInlines.h:
2664         (JSC::JSValue::equalSlowCaseInline):
2665         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2666         * runtime/JSFunction.cpp:
2667         (JSC::JSFunction::setFunctionName):
2668         * runtime/MapData.h:
2669         * runtime/MapDataInlines.h:
2670         (JSC::JSIterator>::clear): Deleted.
2671         (JSC::JSIterator>::find): Deleted.
2672         (JSC::JSIterator>::add): Deleted.
2673         (JSC::JSIterator>::remove): Deleted.
2674         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2675         * runtime/Symbol.cpp:
2676         (JSC::Symbol::finishCreation):
2677         (JSC::Symbol::create):
2678         * runtime/Symbol.h:
2679         * runtime/VM.cpp:
2680         (JSC::VM::VM):
2681         * runtime/VM.h:
2682         * tests/stress/symbol-equality-over-gc.js: Added.
2683         (shouldBe):
2684         (test):
2685
2686 2016-07-28  Mark Lam  <mark.lam@apple.com>
2687
2688         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2689         https://bugs.webkit.org/show_bug.cgi?id=160324
2690         <rdar://problem/27389572>
2691
2692         Reviewed by Keith Miller.
2693
2694         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2695         generate the error string even when the name string can be a single character
2696         string.  This is incorrect.  We should be using jsString() instead.
2697
2698         * runtime/ErrorPrototype.cpp:
2699         (JSC::errorProtoFuncToString):
2700         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
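
Added example (not part of the WebKit change above): a reference implementation of Error.prototype.toString following the ECMAScript algorithm, run side by side with the engine's native version on the short inputs this entry is about. The cases, including the single-character names and messages, are constructed here; plain objects are used so that the own "name"/"message" values are exactly the constructed ones.

```javascript
// Added example, not part of the WebKit change: a reference implementation of
// Error.prototype.toString following the ECMAScript algorithm, compared with
// the engine's native version on the short inputs the bug report is about.
// Plain objects are used so that the own "name"/"message" values are exactly
// the constructed ones.

// ECMAScript Error.prototype.toString: name defaults to "Error", message to
// "", and an empty side yields the other side alone.
function referenceErrorToString(obj) {
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) {
    throw new TypeError("Error.prototype.toString called on non-object");
  }
  const name = obj.name === undefined ? "Error" : String(obj.name);
  const msg = obj.message === undefined ? "" : String(obj.message);
  if (name === "") return msg;
  if (msg === "") return name;
  return name + ": " + msg;
}

// Constructed inputs, including single-character name and message strings.
const TO_STRING_CASES = [
  { name: "E", message: "m" },
  { name: "E", message: "" },
  { name: "", message: "m" },
  { name: "E", message: undefined },
  { name: undefined, message: "x" },
  { name: "TypeError", message: "longer message" },
];

// Run the native Error.prototype.toString and the reference over every case
// and report whether they agree.
function checkErrorToString(cases = TO_STRING_CASES) {
  const rows = cases.map((c) => {
    const native = Error.prototype.toString.call(c);
    const expected = referenceErrorToString(c);
    return { input: c, native, expected, matches: native === expected };
  });
  return { rows, allMatch: rows.every((r) => r.matches) };
}
```

`checkErrorToString().allMatch` is true on a spec-conforming engine; each row also records the native and expected strings so a divergence is visible per input.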
2701
2702 2016-07-28  Michael Saboff  <msaboff@apple.com>
2703
2704         ARM64: Fused left shift with a right shift can create NaNs from integers
2705         https://bugs.webkit.org/show_bug.cgi?id=160329
2706
2707         Reviewed by Geoffrey Garen.
2708
2709         When we fuse a left shift and a right shift of integers where the shift amounts
2710         are the same and the size of the quantity being shifted is 8 bits, we rightly
2711         generate a sign extend byte instruction.  On ARM64, we were sign extending
2712         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2713
2714         Checking the ARM64 macro assembler, we were extending to 64 bits for all
2715         four combinations of zero / sign and 8 / 16 bits.
2716         
2717         * assembler/MacroAssemblerARM64.h:
2718         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2719         (JSC::MacroAssemblerARM64::signExtend16To32):
2720         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2721         (JSC::MacroAssemblerARM64::signExtend8To32):
2722         * tests/stress/regress-160329.js: New test added.
2723         (narrow):
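
Added example (not the WebKit regression test referenced above): the JavaScript-level contract that the fused shift pair has to keep. Shifts in JavaScript operate on int32, so `(x << 24) >> 24` is an 8-bit sign extension into 32 bits, never into 64. All four narrowing forms the entry mentions are swept against an independent DataView-based narrowing on a constructed input set, and any NaN or mismatch is reported.

```javascript
// Added example, not the WebKit regression test: the JavaScript-level contract
// the fused shift pair must keep. Shifts in JavaScript operate on int32, so
// (x << 24) >> 24 is an 8-bit sign extension into 32 bits, never into 64.
// The report's symptom was a NaN appearing where an integer was expected; a
// sweep like this one makes any such corruption visible as a NaN or as a
// mismatch against an independent narrowing.

// The four narrowing idioms (zero/sign, 8/16 bits) that get fused.
function signExtend8(x)  { return (x << 24) >> 24; }
function signExtend16(x) { return (x << 16) >> 16; }
function zeroExtend8(x)  { return (x << 24) >>> 24; }
function zeroExtend16(x) { return (x << 16) >>> 16; }

// Independent reference: write the int32 into a buffer and read back the low
// 8 or 16 bits, which a DataView can only return as a 32-bit-range Number.
function referenceNarrow(x, bits, signed) {
  const view = new DataView(new ArrayBuffer(4));
  view.setInt32(0, x | 0); // big-endian by default: low byte at offset 3
  if (bits === 8) return signed ? view.getInt8(3) : view.getUint8(3);
  return signed ? view.getInt16(2) : view.getUint16(2);
}

// Constructed inputs: boundaries of each width, negatives, out-of-int32
// values (ToInt32 wraps them) and a non-integer (ToInt32 truncates it).
const NARROW_INPUTS = [0, 1, 127, 128, 255, 256, -1, -128, -129, 32767, 32768,
  65535, 65536, 2 ** 31 - 1, -(2 ** 31), 2 ** 32 + 5, 3.7, NaN];

// Sweep every form over every input; report mismatches and any NaN result.
function checkNarrowing(inputs = NARROW_INPUTS) {
  const forms = [
    ["signExtend8", signExtend8, 8, true],
    ["signExtend16", signExtend16, 16, true],
    ["zeroExtend8", zeroExtend8, 8, false],
    ["zeroExtend16", zeroExtend16, 16, false],
  ];
  const mismatches = [];
  let sawNaN = false;
  for (const [label, fn, bits, signed] of forms) {
    for (const x of inputs) {
      const got = fn(x);
      if (Number.isNaN(got)) sawNaN = true;
      const want = referenceNarrow(x, bits, signed);
      if (got !== want) mismatches.push({ form: label, input: x, got, want });
    }
  }
  return {
    checked: forms.length * inputs.length,
    mismatches,
    allMatch: mismatches.length === 0,
    sawNaN,
  };
}
```

Running `checkNarrowing()` in a loop long enough to reach the optimizing tiers is what a regression test for this class of bug does; the reference keeps the check independent of the shift lowering under test.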
2724
2725 2016-07-28  Mark Lam  <mark.lam@apple.com>
2726
2727         StringView should have an explicit m_is8Bit field.
2728         https://bugs.webkit.org/show_bug.cgi?id=160282
2729         <rdar://problem/27327943>
2730
2731         Reviewed by Benjamin Poulain.
2732
2733         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2734         (catch):
2735
2736 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2737
2738         [ARM] Typo fix after r121885
2739         https://bugs.webkit.org/show_bug.cgi?id=160288
2740
2741         Reviewed by Zoltan Herczeg.
2742
2743         * assembler/MacroAssemblerARM.h:
2744         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2745
2746 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2747
2748         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2749         https://bugs.webkit.org/show_bug.cgi?id=159711
2750
2751         Reviewed by Mark Lam.
2752
2753         * assembler/ARMAssembler.cpp:
2754         (JSC::ARMAssembler::prepareExecutableCopy):
2755
2756 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2757
2758         [JSC] Remove some unused code from FTL
2759         https://bugs.webkit.org/show_bug.cgi?id=160285
2760
2761         Reviewed by Mark Lam.
2762
2763         All the liveness and swapping is done inside B3,
2764         this code is no longer needed.
2765
2766         * dfg/DFGEdge.h:
2767         (JSC::DFG::Edge::doesNotKill): Deleted.
2768         * ftl/FTLLowerDFGToB3.cpp:
2769         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2770
2771 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2772
2773         [JSC] DFG::Node should not have its own allocator
2774         https://bugs.webkit.org/show_bug.cgi?id=160098
2775
2776         Reviewed by Geoffrey Garen.
2777
2778         We need some design changes for DFG::Node:
2779         -Accessing the index must be fast. B3 uses indices for sets
2780          and maps; it is a lot faster than hashing pointers.
2781         -We should be able to subclass DFG::Node to specialize it.
2782
2783         * CMakeLists.txt:
2784         * JavaScriptCore.xcodeproj/project.pbxproj:
2785         * dfg/DFGAllocator.h: Removed.
2786         (JSC::DFG::Allocator::Region::size): Deleted.
2787         (JSC::DFG::Allocator::Region::headerSize): Deleted.
2788         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
2789         (JSC::DFG::Allocator::Region::data): Deleted.
2790         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
2791         (JSC::DFG::Allocator::Region::regionFor): Deleted.
2792         (JSC::DFG::Allocator<T>::Allocator): Deleted.
2793         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
2794         (JSC::DFG::Allocator<T>::allocate): Deleted.
2795         (JSC::DFG::Allocator<T>::free): Deleted.
2796         (JSC::DFG::Allocator<T>::freeAll): Deleted.
2797         (JSC::DFG::Allocator<T>::reset): Deleted.
2798         (JSC::DFG::Allocator<T>::indexOf): Deleted.
2799         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
2800         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
2801         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
2802         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
2803         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
2804         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
2805         * dfg/DFGByteCodeParser.cpp:
2806         (JSC::DFG::ByteCodeParser::addToGraph):
2807         * dfg/DFGCPSRethreadingPhase.cpp:
2808         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2809         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
2810         * dfg/DFGCleanUpPhase.cpp:
2811         (JSC::DFG::CleanUpPhase::run):
2812         * dfg/DFGConstantFoldingPhase.cpp:
2813         (JSC::DFG::ConstantFoldingPhase::run):
2814         * dfg/DFGConstantHoistingPhase.cpp:
2815         * dfg/DFGDCEPhase.cpp:
2816         (JSC::DFG::DCEPhase::fixupBlock):
2817         * dfg/DFGDriver.cpp:
2818         (JSC::DFG::compileImpl):
2819         * dfg/DFGGraph.cpp:
2820         (JSC::DFG::Graph::Graph):
2821         (JSC::DFG::Graph::deleteNode):
2822         (JSC::DFG::Graph::killBlockAndItsContents):
2823         (JSC::DFG::Graph::~Graph): Deleted.
2824         * dfg/DFGGraph.h:
2825         (JSC::DFG::Graph::addNode):
2826         * dfg/DFGLICMPhase.cpp:
2827         (JSC::DFG::LICMPhase::attemptHoist):
2828         * dfg/DFGLongLivedState.cpp: Removed.
2829         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
2830         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
2831         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
2832         * dfg/DFGLongLivedState.h: Removed.
2833         * dfg/DFGNode.cpp:
2834         (JSC::DFG::Node::index): Deleted.
2835         * dfg/DFGNode.h:
2836         (JSC::DFG::Node::index):
2837         * dfg/DFGNodeAllocator.h: Removed.
2838         (operator new ): Deleted.
2839         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2840         * dfg/DFGPlan.cpp:
2841         (JSC::DFG::Plan::compileInThread):
2842         (JSC::DFG::Plan::compileInThreadImpl):
2843         * dfg/DFGPlan.h:
2844         * dfg/DFGSSAConversionPhase.cpp:
2845         (JSC::DFG::SSAConversionPhase::run):
2846         * dfg/DFGWorklist.cpp:
2847         (JSC::DFG::Worklist::runThread):
2848         * runtime/VM.cpp:
2849         (JSC::VM::VM): Deleted.
2850         * runtime/VM.h:
2851
2852 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2853
2854         [JSC] Fix a bunch of use-after-free of DFG::Node
2855         https://bugs.webkit.org/show_bug.cgi?id=160228
2856
2857         Reviewed by Mark Lam.
2858
2859         FTL had a few places where we use a node after it has been
2860         deleted. The dangling pointers come from the SSA liveness information
2861         kept on the basic blocks.
2862
2863         This patch fixes the issues I could find and adds liveness invalidation
2864         to help find dependencies like these.
2865
2866         * dfg/DFGBasicBlock.h:
2867         (JSC::DFG::BasicBlock::SSAData::invalidate):
2868
2869         * dfg/DFGConstantFoldingPhase.cpp:
2870         (JSC::DFG::ConstantFoldingPhase::run):
2871         Constant folding phase was deleting nodes in the loop over basic blocks.
2872         The problem is the deleted nodes can be referenced by other blocks.
2873         When the abstract interpreter was manipulating the abstract values of those
2874         it was doing so on the dead nodes.
2875
2876         * dfg/DFGConstantHoistingPhase.cpp:
2877         Just invalidation. Nothing wrong here since the useless nodes were
2878         kept live while iterating the blocks.
2879
2880         * dfg/DFGGraph.cpp:
2881         (JSC::DFG::Graph::killBlockAndItsContents):
2882         (JSC::DFG::Graph::killUnreachableBlocks):
2883         (JSC::DFG::Graph::invalidateNodeLiveness):
2884
2885         * dfg/DFGGraph.h:
2886         * dfg/DFGPlan.cpp:
2887         (JSC::DFG::Plan::compileInThreadImpl):
2888         We had a lot of use-after-free in LICM because we were using the stale
2889         live nodes deleted by previous phases.
2890
2891 2016-07-27  Keith Miller  <keith_miller@apple.com>
2892
2893         concatAppendOne should allocate using the indexing type of the array if it cannot merge
2894         https://bugs.webkit.org/show_bug.cgi?id=160261
2895         <rdar://problem/27530122>
2896
2897         Reviewed by Mark Lam.
2898
2899         Before, if we could not merge the indexing types for copying, we would allocate the
2900         array as ArrayWithUndecided. Instead, we should allocate an array with the original
2901         array's indexing type.
2902
2903         * runtime/ArrayPrototype.cpp:
2904         (JSC::concatAppendOne):
2905         * tests/stress/concat-append-one-with-sparse-array.js: Added.
2906
2907 2016-07-27  Saam Barati  <sbarati@apple.com>
2908
2909         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
2910         https://bugs.webkit.org/show_bug.cgi?id=160211
2911         <rdar://problem/27572612>
2912
2913         Reviewed by Geoffrey Garen.
2914
2915         The fast for-in iteration mode assumes all inline/out-of-line properties
2916         can be iterated in linear order. This is not true if we have Symbols
2917         because Symbols should not be iterated by for-in.
2918
2919         * runtime/Structure.cpp:
2920         (JSC::Structure::add):
2921         * tests/stress/symbol-should-not-break-for-in.js: Added.
2922         (assert):
2923         (foo):
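
Added example (not the WebKit regression test referenced above): which own and inherited keys for-in visits. Symbol-keyed properties are never enumerated by for-in, even when they sit between string keys in insertion order, which is why a fast path that walks property storage linearly has to skip them. The object layouts and the symbol names are constructed for the demonstration.

```javascript
// Added example, not the WebKit regression test: which own and inherited
// keys for-in visits. Symbol-keyed properties are never enumerated by for-in,
// even when they sit between string keys in insertion order, so a fast path
// that walks property storage in linear order has to skip them. The object
// layout below is constructed for the demonstration.

const hidden = Symbol("hidden");

// String keys with symbol keys interleaved in insertion order.
function makeMixedObject() {
  const o = {};
  o.a = 1;
  o[hidden] = "not for for-in";
  o.b = 2;
  o[Symbol.for("shared")] = "also skipped";
  o.c = 3;
  return o;
}

// Same idea, but with the mixed keys inherited through a prototype.
function makeWithPrototype() {
  const proto = { p: "inherited" };
  proto[Symbol("protoSymbol")] = "skipped too";
  const o = Object.create(proto);
  o.own = 0;
  return o;
}

function forInKeys(o) {
  const keys = [];
  for (const k in o) keys.push(k);
  return keys;
}

// Summarise what each reflection API reports for the same object.
function keyReport(o) {
  return {
    forIn: forInKeys(o),                         // enumerable string keys, own then inherited
    ownStrings: Object.keys(o),                  // own enumerable string keys only
    ownSymbols: Object.getOwnPropertySymbols(o).length,
    ownTotal: Reflect.ownKeys(o).length,         // strings first, then symbols
  };
}
```

For `makeMixedObject()` the report lists `["a", "b", "c"]` for both for-in and `Object.keys`, two own symbols, and five own keys in total; for `makeWithPrototype()` for-in yields `["own", "p"]` and no symbol from either level.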
2924
2925 2016-07-27  Mark Lam  <mark.lam@apple.com>
2926
2927         The second argument for Function.prototype.apply should be array-like or null/undefined.
2928         https://bugs.webkit.org/show_bug.cgi?id=160212
2929         <rdar://problem/27328525>
2930
2931         Reviewed by Filip Pizlo.
2932
2933         The spec for Function.prototype.apply says its second argument can only be null,
2934         undefined, or must be array-like.  See
2935         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
2936         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
2937
2938         Our previous implementation was not handling this correctly for SymbolType.
2939         This is now fixed.
2940
2941         * interpreter/Interpreter.cpp:
2942         (JSC::sizeOfVarargs):
2943         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
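
Added example (not the WebKit regression test referenced above): the outcomes the spec sections linked in this entry require for the second argument of Function.prototype.apply. null and undefined mean "no arguments"; any object is read as array-like through ToLength(length); every other primitive, Symbols included, must throw a TypeError. The argument lists are constructed for the demonstration.

```javascript
// Added example, not the WebKit regression test: the outcomes the spec
// requires for the second argument of Function.prototype.apply. null and
// undefined mean "no arguments"; any object is read as array-like through
// ToLength(length); every other primitive, Symbols included, must throw a
// TypeError. The inputs are constructed for the demonstration.

function collect() { return Array.from(arguments); }

// Apply `collect` with the given argument list and classify the outcome.
function tryApply(argList) {
  try {
    return { ok: true, args: collect.apply(null, argList) };
  } catch (e) {
    return { ok: false, error: e instanceof TypeError ? "TypeError" : String(e) };
  }
}

// One row per input kind; the comments give the spec-mandated result.
function applyMatrix() {
  return {
    nullArgs: tryApply(null),                                            // []
    undefinedArgs: tryApply(undefined),                                  // []
    array: tryApply([1, 2]),                                             // [1, 2]
    arrayLike: tryApply({ length: 2, 0: "x", 1: "y" }),                  // ["x", "y"]
    fractionalLength: tryApply({ length: 2.9, 0: "a", 1: "b", 2: "c" }), // ToLength -> 2
    negativeLength: tryApply({ length: -5, 0: "ignored" }),              // ToLength -> 0
    sparse: tryApply({ length: 2 }),                                     // [undefined, undefined]
    symbol: tryApply(Symbol("args")),                                    // TypeError
    number: tryApply(3),                                                 // TypeError
    string: tryApply("ab"),                                              // TypeError
    boolean: tryApply(true),                                             // TypeError
  };
}
```

The Symbol row is the case this entry fixes; the string row is worth keeping next to it, since a string is indexable and has a length yet is still a primitive and therefore rejected by CreateListFromArrayLike.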
2944
2945 2016-07-27  Saam Barati  <sbarati@apple.com>
2946
2947         MathICs should be able to emit only a jump along the inline path when they don't have any type data
2948         https://bugs.webkit.org/show_bug.cgi?id=160110
2949
2950         Reviewed by Mark Lam.
2951
2952         This patch allows for MathIC fast-path generation to be delayed.
2953         We delay when we don't see any observed type information for
2954         the lhs/rhs operand, which implies that the MathIC has never
2955         executed. This is profitable for two main reasons:
2956         1. If the math operation never executes, we emit much less code.
2957         2. Once we get type information for the lhs/rhs, we can emit better code.
2958
2959         To implement this, we just emit a jump to the slow path call
2960         that will repatch on first execution.
2961
2962         New data for add:
2963                    |   JetStream  |  Unity 3D  |
2964              ------| -------------|--------------
2965               Old  |   148 bytes  |  143 bytes |
2966              ------| -------------|--------------
2967               New  |   116  bytes |  113 bytes |
2968              ------------------------------------
2969
2970         New data for mul:
2971                    |   JetStream  |  Unity 3D  |
2972              ------| -------------|--------------
2973               Old  |   210 bytes  |  185 bytes |
2974              ------| -------------|--------------
2975               New  |   170  bytes |  137 bytes |
2976              ------------------------------------
2977
2978         * jit/JITAddGenerator.cpp:
2979         (JSC::JITAddGenerator::generateInline):
2980         * jit/JITAddGenerator.h:
2981         (JSC::JITAddGenerator::isLeftOperandValidConstant):
2982         (JSC::JITAddGenerator::isRightOperandValidConstant):
2983         (JSC::JITAddGenerator::arithProfile):
2984         * jit/JITMathIC.h:
2985         (JSC::JITMathIC::generateInline):
2986         (JSC::JITMathIC::generateOutOfLine):
2987         (JSC::JITMathIC::finalizeInlineCode):
2988         * jit/JITMathICInlineResult.h:
2989         * jit/JITMulGenerator.cpp:
2990         (JSC::JITMulGenerator::generateInline):
2991         * jit/JITMulGenerator.h:
2992         (JSC::JITMulGenerator::isLeftOperandValidConstant):
2993         (JSC::JITMulGenerator::isRightOperandValidConstant):
2994         (JSC::JITMulGenerator::arithProfile):
2995         * jit/JITOperations.cpp:
2996
2997 2016-07-26  Saam Barati  <sbarati@apple.com>
2998
2999         rollout r203666
3000         https://bugs.webkit.org/show_bug.cgi?id=160226
3001
3002         Unreviewed rollout.
3003
3004         * b3/B3BasicBlock.h:
3005         (JSC::B3::BasicBlock::successorBlock):
3006         * b3/B3LowerToAir.cpp:
3007         (JSC::B3::Air::LowerToAir::createGenericCompare):
3008         * b3/B3LowerToAir.h:
3009         * b3/air/AirArg.cpp:
3010         (JSC::B3::Air::Arg::isRepresentableAs):
3011         (JSC::B3::Air::Arg::usesTmp):
3012         * b3/air/AirArg.h:
3013         (JSC::B3::Air::Arg::isRepresentableAs):
3014         (JSC::B3::Air::Arg::asNumber):
3015         (JSC::B3::Air::Arg::castToType): Deleted.
3016         * b3/air/AirCode.h:
3017         (JSC::B3::Air::Code::size):
3018         (JSC::B3::Air::Code::at):
3019         * b3/air/AirOpcode.opcodes:
3020         * b3/air/AirValidate.h:
3021         * b3/air/opcode_generator.rb:
3022         * b3/testb3.cpp:
3023         (JSC::B3::compileAndRun):
3024         (JSC::B3::testSomeEarlyRegister):
3025         (JSC::B3::zero):
3026         (JSC::B3::run):
3027         (JSC::B3::lowerToAirForTesting): Deleted.
3028         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3029
3030 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3031
3032         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3033         https://bugs.webkit.org/show_bug.cgi?id=159409
3034
3035         Reviewed by Geoffrey Garen.
3036
3037         * runtime/ObjectConstructor.cpp:
3038         (JSC::objectConstructorGetOwnPropertyDescriptors):
3039         * tests/es6.yaml:
3040         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3041         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3042         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3043         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3044         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
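
Added example (not the WebKit test files listed above): Object.getOwnPropertyDescriptors asks for each own key's descriptor and records only the defined ones. A Proxy, constructed here, can list a key from its ownKeys trap yet answer undefined from getOwnPropertyDescriptor; that key must be absent from the result rather than present with an undefined value. A spec-shaped and a naive reimplementation are placed beside the native call for contrast.

```javascript
// Added example, not the WebKit test: Object.getOwnPropertyDescriptors asks
// for each key's own descriptor and records only the defined ones. A Proxy
// (constructed here) can list a key from its ownKeys trap yet answer
// undefined from getOwnPropertyDescriptor; that key must be absent from the
// result rather than present with an undefined value.

function makePhantomKeyProxy() {
  // Extensible target with only configurable keys, so the traps below stay
  // within the Proxy invariants.
  const target = { a: 1 };
  return new Proxy(target, {
    ownKeys() { return ["a", "phantom"]; }, // "phantom" has no descriptor
    getOwnPropertyDescriptor(t, key) {
      return key === "a" ? Reflect.getOwnPropertyDescriptor(t, key) : undefined;
    },
  });
}

// Naive version: copies whatever the per-key lookup returns, undefined included.
function naiveGetOwnPropertyDescriptors(obj) {
  const result = {};
  for (const key of Reflect.ownKeys(obj)) {
    result[key] = Object.getOwnPropertyDescriptor(obj, key);
  }
  return result;
}

// Spec-shaped version: skip keys whose descriptor is undefined.
function specGetOwnPropertyDescriptors(obj) {
  const result = {};
  for (const key of Reflect.ownKeys(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc !== undefined) result[key] = desc;
  }
  return result;
}

// Compare the three on the proxy: which keys each reports, and whether the
// phantom key leaked into the result.
function compareDescriptorSources(obj = makePhantomKeyProxy()) {
  const report = (descs) => ({
    keys: Reflect.ownKeys(descs),
    hasPhantom: Object.prototype.hasOwnProperty.call(descs, "phantom"),
  });
  return {
    native: report(Object.getOwnPropertyDescriptors(obj)),
    naive: report(naiveGetOwnPropertyDescriptors(obj)),
    spec: report(specGetOwnPropertyDescriptors(obj)),
  };
}
```

On a conforming engine `compareDescriptorSources()` reports `hasPhantom: false` for the native and spec-shaped variants and `true` only for the naive one; the difference matters to any caller that later feeds the result to `Object.defineProperties`, which rejects an undefined descriptor.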
3045
3046 2016-07-26  Mark Lam  <mark.lam@apple.com>
3047
3048         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3049         https://bugs.webkit.org/show_bug.cgi?id=160203
3050
3051         Reviewed by Keith Miller.
3052
3053         * bytecompiler/BytecodeGenerator.cpp:
3054         (JSC::BytecodeGenerator::emitDebugHook):
3055
3056 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3057
3058         Unreviewed, rolling out r203703.
3059
3060         It breaks some internal tests
3061
3062         Reverted changeset:
3063
3064         "[JSC] DFG::Node should not have its own allocator"
3065         https://bugs.webkit.org/show_bug.cgi?id=160098
3066         http://trac.webkit.org/changeset/203703
3067
3068 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3069
3070         [JSC] DFG::Node should not have its own allocator
3071         https://bugs.webkit.org/show_bug.cgi?id=160098
3072
3073         Reviewed by Geoffrey Garen.
3074
3075         We need some design changes for DFG::Node:
3076         -Accessing the index must be fast. B3 uses indices for sets
3077          and maps; it is a lot faster than hashing pointers.
3078         -We should be able to subclass DFG::Node to specialize it.
3079
3080         * CMakeLists.txt:
3081         * JavaScriptCore.xcodeproj/project.pbxproj:
3082         * dfg/DFGAllocator.h: Removed.
3083         (JSC::DFG::Allocator::Region::size): Deleted.
3084         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3085         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3086         (JSC::DFG::Allocator::Region::data): Deleted.
3087         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3088         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3089         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3090         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3091         (JSC::DFG::Allocator<T>::allocate): Deleted.
3092         (JSC::DFG::Allocator<T>::free): Deleted.
3093         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3094         (JSC::DFG::Allocator<T>::reset): Deleted.
3095         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3096         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3097         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3098         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3099         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3100         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3101         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3102         * dfg/DFGByteCodeParser.cpp:
3103         (JSC::DFG::ByteCodeParser::addToGraph):
3104         * dfg/DFGCPSRethreadingPhase.cpp:
3105         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3106         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3107         * dfg/DFGCleanUpPhase.cpp:
3108         (JSC::DFG::CleanUpPhase::run):
3109         * dfg/DFGConstantFoldingPhase.cpp:
3110         (JSC::DFG::ConstantFoldingPhase::run):
3111         * dfg/DFGConstantHoistingPhase.cpp:
3112         * dfg/DFGDCEPhase.cpp:
3113         (JSC::DFG::DCEPhase::fixupBlock):
3114         * dfg/DFGDriver.cpp:
3115         (JSC::DFG::compileImpl):
3116         * dfg/DFGGraph.cpp:
3117         (JSC::DFG::Graph::Graph):
3118         (JSC::DFG::Graph::deleteNode):
3119         (JSC::DFG::Graph::killBlockAndItsContents):
3120         (JSC::DFG::Graph::~Graph): Deleted.
3121         * dfg/DFGGraph.h:
3122         (JSC::DFG::Graph::addNode):
3123         * dfg/DFGLICMPhase.cpp:
3124         (JSC::DFG::LICMPhase::attemptHoist):
3125         * dfg/DFGLongLivedState.cpp: Removed.
3126         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3127         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3128         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3129         * dfg/DFGLongLivedState.h: Removed.
3130         * dfg/DFGNode.cpp:
3131         (JSC::DFG::Node::index): Deleted.
3132         * dfg/DFGNode.h:
3133         (JSC::DFG::Node::index):
3134         * dfg/DFGNodeAllocator.h: Removed.
3135         (operator new ): Deleted.
3136         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3137         * dfg/DFGPlan.cpp:
3138         (JSC::DFG::Plan::compileInThread):
3139         (JSC::DFG::Plan::compileInThreadImpl):
3140         * dfg/DFGPlan.h:
3141         * dfg/DFGSSAConversionPhase.cpp:
3142         (JSC::DFG::SSAConversionPhase::run):
3143         * dfg/DFGWorklist.cpp:
3144         (JSC::DFG::Worklist::runThread):
3145         * runtime/VM.cpp:
3146         (JSC::VM::VM): Deleted.
3147         * runtime/VM.h:
3148
3149 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
3150
3151         AssemblyHelpers should own all of the cell allocation methods
3152         https://bugs.webkit.org/show_bug.cgi?id=160171
3153
3154         Reviewed by Saam Barati.
3155         
3156         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
3157         did cell allocation.
3158         
3159         This change moves all of that code into AssemblyHelpers.h.
3160
3161         * dfg/DFGSpeculativeJIT.h:
3162         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3163         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3164         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3165         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3166         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3167         * jit/AssemblyHelpers.h:
3168         (JSC::AssemblyHelpers::emitAllocate):
3169         (JSC::AssemblyHelpers::emitAllocateJSCell):
3170         (JSC::AssemblyHelpers::emitAllocateJSObject):
3171         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3172         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3173         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3174         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3175         * jit/JIT.h:
3176         * jit/JITInlines.h:
3177         (JSC::JIT::isOperandConstantChar):
3178         (JSC::JIT::emitValueProfilingSite):
3179         (JSC::JIT::emitAllocateJSObject): Deleted.
3180         * jit/JITOpcodes.cpp:
3181         (JSC::JIT::emit_op_new_object):
3182         (JSC::JIT::emit_op_create_this):
3183         * jit/JITOpcodes32_64.cpp:
3184         (JSC::JIT::emit_op_new_object):
3185         (JSC::JIT::emit_op_create_this):
3186
3187 2016-07-25  Saam Barati  <sbarati@apple.com>
3188
3189         MathICs should be able to take and dump stats about code size
3190         https://bugs.webkit.org/show_bug.cgi?id=160148
3191
3192         Reviewed by Filip Pizlo.
3193
3194         This will make testing changes on MathIC going forward much easier.
3195         We will be able to easily see if modifications to MathIC will lead
3196         to us generating smaller code. We now only dump average size when we
3197         regenerate any MathIC. This works out for large tests/pages, but is not
3198         great for testing small programs. We can add more dump points later if
3199         we find that we want to dump stats while running small programs.
3200
3201         * bytecode/CodeBlock.cpp:
3202         (JSC::CodeBlock::jitSoon):
3203         (JSC::CodeBlock::dumpMathICStats):
3204         * bytecode/CodeBlock.h:
3205         (JSC::CodeBlock::isStrictMode):
3206         (JSC::CodeBlock::ecmaMode):
3207         * dfg/DFGSpeculativeJIT.cpp:
3208         (JSC::DFG::SpeculativeJIT::compileMathIC):
3209         * ftl/FTLLowerDFGToB3.cpp:
3210         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3211         * jit/JITArithmetic.cpp:
3212         (JSC::JIT::emitMathICFast):
3213         (JSC::JIT::emitMathICSlow):
3214         * jit/JITMathIC.h:
3215         (JSC::JITMathIC::finalizeInlineCode):
3216         (JSC::JITMathIC::codeSize):
3217         * jit/JITOperations.cpp:
3218
3219 2016-07-25  Saam Barati  <sbarati@apple.com>
3220
3221         op_mul/ArithMul(Untyped,Untyped) should be an IC
3222         https://bugs.webkit.org/show_bug.cgi?id=160108
3223
3224         Reviewed by Mark Lam.
3225
3226         This patch makes Mul a type based IC in much the same way that we made
3227         Add a type-based IC. I implemented Mul in the same way. I abstracted the
3228         implementation of the Add IC in the various JITs to allow for it to
3229         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
3230         future easy. This patch also adds a new boolean argument to the various
3231         snippet generateFastPath() methods to indicate if we should emit result profiling.
3232         I added this because we want this profiling to be emitted for Mul in
3233         the baseline, but not in the DFG. We used to indicate this through passing
3234         in a nullptr for the ArithProfile, but we no longer do that in the upper
3235         JIT tiers. So we are passing an explicit request from the JIT tier about
3236         whether or not it's worth it for the IC to emit profiling.
3237
3238         We now emit much less code for Mul. Here is some data on the average
3239         Mul snippet/IC size:
3240
3241                    |   JetStream  |  Unity 3D  |
3242              ------| -------------|--------------
3243               Old  |  ~280 bytes  | ~280 bytes |
3244              ------| -------------|--------------
3245               New  |   210  bytes |  185 bytes |
3246              ------------------------------------
3247
3248         * bytecode/CodeBlock.cpp:
3249         (JSC::CodeBlock::addJITAddIC):
3250         (JSC::CodeBlock::addJITMulIC):
3251         (JSC::CodeBlock::findStubInfo):
3252         * bytecode/CodeBlock.h:
3253         (JSC::CodeBlock::stubInfoBegin):
3254         (JSC::CodeBlock::stubInfoEnd):
3255         * dfg/DFGSpeculativeJIT.cpp:
3256         (JSC::DFG::GPRTemporary::adopt):
3257         (JSC::DFG::FPRTemporary::FPRTemporary):
3258         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3259         (JSC::DFG::SpeculativeJIT::compileMathIC):
3260         (JSC::DFG::SpeculativeJIT::compileArithMul):
3261         * dfg/DFGSpeculativeJIT.h:
3262         (JSC::DFG::SpeculativeJIT::callOperation):
3263         (JSC::DFG::GPRTemporary::GPRTemporary):
3264         (JSC::DFG::GPRTemporary::operator=):
3265         (JSC::DFG::FPRTemporary::~FPRTemporary):
3266         (JSC::DFG::FPRTemporary::fpr):
3267         * ftl/FTLLowerDFGToB3.cpp:
3268         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
3269         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3270         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3271         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3272         * jit/JIT.h:
3273         (JSC::JIT::getSlowCase):
3274         * jit/JITAddGenerator.cpp:
3275         (JSC::JITAddGenerator::generateInline):
3276         (JSC::JITAddGenerator::generateFastPath):
3277         * jit/JITAddGenerator.h:
3278         (JSC::JITAddGenerator::JITAddGenerator):
3279         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3280         (JSC::JITAddGenerator::isRightOperandValidConstant):
3281         * jit/JITArithmetic.cpp:
3282         (JSC::JIT::emit_op_add):
3283         (JSC::JIT::emitSlow_op_add):
3284         (JSC::JIT::emitMathICFast):
3285         (JSC::JIT::emitMathICSlow):
3286         (JSC::JIT::emit_op_mul):
3287         (JSC::JIT::emitSlow_op_mul):
3288         (JSC::JIT::emit_op_sub):
3289         * jit/JITInlines.h:
3290         (JSC::JIT::callOperation):
3291         * jit/JITMathIC.h:
3292         (JSC::JITMathIC::slowPathStartLocation):
3293         (JSC::JITMathIC::slowPathCallLocation):
3294         (JSC::JITMathIC::isLeftOperandValidConstant):
3295         (JSC::JITMathIC::isRightOperandValidConstant):
3296         (JSC::JITMathIC::generateInline):
3297         (JSC::JITMathIC::generateOutOfLine):
3298         * jit/JITMathICForwards.h:
3299         * jit/JITMulGenerator.cpp:
3300         (JSC::JITMulGenerator::generateInline):
3301         (JSC::JITMulGenerator::generateFastPath):
3302         * jit/JITMulGenerator.h:
3303         (JSC::JITMulGenerator::JITMulGenerator):
3304         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3305         (JSC::JITMulGenerator::isRightOperandValidConstant):
3306         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
3307         (JSC::JITMulGenerator::endJumpList): Deleted.
3308         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
3309         * jit/JITOperations.cpp:
3310         * jit/JITOperations.h:
3311
3312 2016-07-25  Darin Adler  <darin@apple.com>
3313
3314         Speed up make process slightly by improving "list of files" idiom
3315         https://bugs.webkit.org/show_bug.cgi?id=160164
3316
3317         Reviewed by Mark Lam.
3318
3319         * DerivedSources.make: Change rules that build lists of files to only run when
3320         DerivedSources.make has been modified since the last time they were run. Since the
3321         lists of files are inside this file, this is safe, and this is faster than always
3322         comparing and regenerating the file containing the list of files each time.
3323
3324 2016-07-24  Youenn Fablet  <youenn@apple.com>
3325
3326         [Fetch API] Request should be created with any HeadersInit data
3327         https://bugs.webkit.org/show_bug.cgi?id=159672
3328
3329         Reviewed by Sam Weinig.
3330
3331         * Scripts/builtins/builtins_generator.py:
3332         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
3333
3334 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
3335
3336         B3 should support multiple entrypoints
3337         https://bugs.webkit.org/show_bug.cgi?id=159391
3338