Unreviewed, fix cloop some more.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-04-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop some more.

        * runtime/RegExpInlines.h:
        (JSC::RegExp::hasCodeFor):
        (JSC::RegExp::hasMatchOnlyCodeFor):

2016-04-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * jit/CCallHelpers.cpp:

2016-03-18  Filip Pizlo  <fpizlo@apple.com>

        JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
        https://bugs.webkit.org/show_bug.cgi?id=155598

        Reviewed by Saam Barati.
        
        JSC is the first JSVM to have proper tail calls. This means that error.stack and the
        debugger will appear to "delete" strict mode stack frames, if the call that this frame made
        was in tail position. This is exactly what functional programmers expect - they don't want
        the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
        using tail calls. It's also something that non-functional programmers fear. It's not clear
        that tail-deleted frames would actually degrade the debugging experience, but the fear is
        real, so it's worthwhile to do something about it.

        It turns out that there is at least one tail call implementation that doesn't suffer from
        this problem. It implements proper tail calls in the sense that you won't run out of memory
        by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
        long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
        favorite hacks:
        
        http://www.more-magic.net/posts/internals-gc.html

        CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
        one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
        frame only once we proved that there was insufficient memory to keep it around.
        
        CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
        can have arbitrary native code, and that native code does not have relocatable stack frames.
        
        But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
        VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
        information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
        layout. The main stack can then continue to obey ABI rules.

        This patch implements a mechanism for being able to display stack traces that include
        tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
        frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
        This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.
        
        ShadowChicken is always on, but individual CodeBlocks may make their own choices about
        whether to opt into it. They will do that at bytecompile time based on the debugger mode on
        their global object.

        When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
        in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
        minor.

        When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
        this all the time, but it's low enough to justify enabling in the Inspector. It's currently
        enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
        debugger is on.

        Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
        no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
        disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
        hacked to do it yet. Native frames fall into this category, as do the VM entry frames.

        This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
        just makes a ShadowChicken stack walk function available to jsc. It's used from the
        shadow-chicken tests.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::BacktraceFunctor):
        (BacktraceFunctor::operator()):
        (JSContextCreateBacktrace):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
        (JSC::RecursionCheckFunctor::operator()):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
        (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator()):
        (JSC::LineAndColumnFunctor::column):
        (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
        (JSC::FindCallerMidStackFunctor::operator()):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::visitShadowChicken):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::collectImpl):
        * heap/Heap.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStack):
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::GetCatchHandlerFunctor::handler):
        (JSC::GetCatchHandlerFunctor::operator()):
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
        * interpreter/ShadowChicken.cpp: Added.
        (JSC::ShadowChicken::Packet::dump):
        (JSC::ShadowChicken::Frame::dump):
        (JSC::ShadowChicken::ShadowChicken):
        (JSC::ShadowChicken::~ShadowChicken):
        (JSC::ShadowChicken::log):
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::visitChildren):
        (JSC::ShadowChicken::reset):
        (JSC::ShadowChicken::dump):
        (JSC::ShadowChicken::functionsOnStack):
        * interpreter/ShadowChicken.h: Added.
        (JSC::ShadowChicken::Packet::Packet):
        (JSC::ShadowChicken::Packet::tailMarker):
        (JSC::ShadowChicken::Packet::throwMarker):
        (JSC::ShadowChicken::Packet::prologue):
        (JSC::ShadowChicken::Packet::tail):
        (JSC::ShadowChicken::Packet::throwPacket):
        (JSC::ShadowChicken::Packet::operator bool):
        (JSC::ShadowChicken::Packet::isPrologue):
        (JSC::ShadowChicken::Packet::isTail):
        (JSC::ShadowChicken::Packet::isThrow):
        (JSC::ShadowChicken::Frame::Frame):
        (JSC::ShadowChicken::Frame::operator==):
        (JSC::ShadowChicken::Frame::operator!=):
        (JSC::ShadowChicken::log):
        (JSC::ShadowChicken::logSize):
        (JSC::ShadowChicken::addressOfLogCursor):
        (JSC::ShadowChicken::logEnd):
        * interpreter/ShadowChickenInlines.h: Added.
        (JSC::ShadowChicken::iterate):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callee):
        (JSC::StackVisitor::Frame::codeBlock):
        (JSC::StackVisitor::Frame::bytecodeOffset):
        (JSC::StackVisitor::Frame::inlineCallFrame):
        (JSC::StackVisitor::Frame::isJSFrame):
        (JSC::StackVisitor::Frame::isInlinedFrame):
        (JSC::StackVisitor::visit):
        * jit/CCallHelpers.cpp: Added.
        (JSC::CCallHelpers::logShadowChickenProloguePacket):
        (JSC::CCallHelpers::logShadowChickenTailPacket):
        (JSC::CCallHelpers::setupShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resume):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
        (FunctionJSCStackFunctor::operator()):
        (functionClearSamplingFlags):
        (functionShadowChickenFunctionsOnStack):
        (functionReadline):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        * runtime/Error.cpp:
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::result):
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::result):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::result):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        * runtime/NullSetterFunction.cpp:
        (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
        (JSC::GetCallerStrictnessFunctor::operator()):
        (JSC::GetCallerStrictnessFunctor::callerIsStrict):
        (JSC::callerIsStrict):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        * runtime/VM.h:
        (JSC::VM::shouldBuilderPCToCodeOriginMapping):
        (JSC::VM::bytecodeIntrinsicRegistry):
        (JSC::VM::shadowChicken):
        * tests/stress/resources/shadow-chicken-support.js: Added.
        (describeFunction):
        (describeArray):
        (expectStack):
        (initialize):
        * tests/stress/shadow-chicken-disabled.js: Added.
        (test1.foo):
        (test1.bar):
        (test1.baz):
        (test1):
        (test2.foo):
        (test2.bar):
        (test2.baz):
        (test2):
        (test3.foo):
        (test3.bar):
        (test3.baz):
        (test3):
        * tests/stress/shadow-chicken-enabled.js: Added.
        (test1.foo):
        (test1.bar):
        (test1.baz):
        (test1):
        (test2.foo):
        (test2.bar):
        (test2.baz):
        (test2):
        (test3.bob):
        (test3.thingy):
        (test3.foo):
        (test3.bar):
        (test3.baz):
        (test3):
        (test4.bob):
        (test4.thingy):
        (test4.foo):
        (test4.bar):
        (test4.baz):
        (test4):
        (test5.foo):
        (test5):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator()):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator()):
        (JSC::JSDollarVMPrototype::isValidCell):
        (JSC::JSDollarVMPrototype::isValidCodeBlock):
        (JSC::JSDollarVMPrototype::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator()):
        (JSC::printCallFrame):

2016-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
        https://bugs.webkit.org/show_bug.cgi?id=155270

        Reviewed by Saam Barati.

        This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.

        It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
        strings gave the DFG an API for reasoning about JSString constants in terms of
        JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
        based on the results.

        But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
        use the same Structure that the code would have used or else we'll pollute the program's
        inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
        properties in one go - we don't want to lose that optimization. So, this patch enables
        MaterializeNewObject to allocate objects or arrays with any number of indexed or named
        properties. Previously it could only handle objects (but not arrays) and named properties
        (but not indexed ones).

        This also adds a few minor things for setting the RegExpConstructor cached result.

        This is about a 2x speed-up on microbenchmarks when we fold a match success and about a
        8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.cpp:
        (JSC::DFG::InsertionSet::insertSlow):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertCheck):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetString):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::StackAccessData::flushedAt):
        (JSC::DFG::OpInfo::OpInfo): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGObjectMaterializationData.cpp:
        (JSC::DFG::ObjectMaterializationData::dump):
        (JSC::DFG::PhantomPropertyValue::dump): Deleted.
        (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
        (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
        * dfg/DFGObjectMaterializationData.h:
        (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
        (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
        * dfg/DFGOpInfo.h: Added.
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
        (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateCPS):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationNewObjectWithButterfly): Deleted.
        * ftl/FTLOperations.h:
        * inspector/ContentSearchUtilities.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::createRawObject):
        (JSC::JSFinalObject::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::deleteCode):
        * runtime/RegExp.h:
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::offsetOfLastRegExp):
        (JSC::RegExpCachedResult::offsetOfLastInput):
        (JSC::RegExpCachedResult::offsetOfResult):
        (JSC::RegExpCachedResult::offsetOfReified):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::offsetOfCachedResult):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::hasCodeFor):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::matchInline):
        (JSC::RegExp::hasMatchOnlyCodeFor):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferencesInline):
        (JSC::substituteBackreferences):
        (JSC::StringRange::StringRange):
        * runtime/StringPrototype.h:
        * runtime/VM.h:
        * tests/stress/simple-regexp-exec-folding-fail.js: Added.
        (foo):
        * tests/stress/simple-regexp-exec-folding.js: Added.
        (foo):
        * tests/stress/simple-regexp-test-folding-fail.js: Added.
        (foo):
        * tests/stress/simple-regexp-test-folding.js: Added.
        (foo):
        * yarr/RegularExpression.cpp:
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::interpret):
        (JSC::Yarr::ByteCompiler::ByteCompiler):
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::checkInput):
        (JSC::Yarr::byteCompile):
        (JSC::Yarr::interpret):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):

2016-04-05  Keith Miller  <keith_miller@apple.com>

        We should support the ability to do a non-effectful getById
        https://bugs.webkit.org/show_bug.cgi?id=156116

        Reviewed by Benjamin Poulain.

        Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
        useful because it enables us to take different code paths based on values that we would
        otherwise not be able to have knowledge of. This patch adds this new feature called
        try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
        an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
        GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
        undefined if the slot is unset.  If the slot is proxied or any other cases then the result
        is null. In theory, if we ever wanted to check for null we could add a sentinal object to
        the global object that indicates we could not get the result.

        In order to implement this feature we add a new enum GetByIdKind that indicates what to do
        for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
        get_by_id the same way we would for load and return the value at the appropriate offset.
        Additionally, in order to make sure the we can properly compare the GetterSetter object
        with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
        GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
        likely to have little to no impact on memory usage as normal accessors are generally rare.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createExecutableInternal): Deleted.
        * builtins/BuiltinExecutables.h:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::tryGet):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet): Deleted.
        (JSC::AccessCase::isPut): Deleted.
        (JSC::AccessCase::isIn): Deleted.
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitTryGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::resetGetByID):
        * jit/Repatch.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetGetterSetter):
        (functionCreateBuiltin):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSType.h:
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::getPureResult):
        * runtime/PropertySlot.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        * tests/stress/try-get-by-id.js: Added.
        (tryGetByIdText):
        (getCaller.obj.1.throw.new.Error.let.func):
        (getCaller.obj.1.throw.new.Error):
        (throw.new.Error.get let):
        (throw.new.Error.):
        (throw.new.Error.let.get createBuiltin):
        (get let):
        (let.get createBuiltin):
        (let.func):
        (get let.func):
        (get throw):

2016-04-05  Saam barati  <sbarati@apple.com>

        jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
        https://bugs.webkit.org/show_bug.cgi?id=156187

        Reviewed by Filip Pizlo.

        This is a speculative fix. Lets see if the prevents the timeout.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):

2016-04-04  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess should have a MegamorphicLoad case
        https://bugs.webkit.org/show_bug.cgi?id=156182

        Reviewed by Geoffrey Garen and Keith Miller.

        This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
        the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
        calling into C++ to do the same job - particularly since inlining the lookup into an access means
        that we can precompute the hash code.

        When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
        optimal. It used a double-hashing method for reducing collision pathologies. This is great for
        improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
        want to optimize the average-case performance. When optimizing for average-case, we can choose to
        either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
        worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
        probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
        pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
        likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
        the fast case.

        I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
        this preserves the good performance of the fast case. It requires at least one more value to be live
        around the loop, and dramatically increases the register pressure at key points inside the loop. The
        biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
        the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
        then we will pay a steep price anytime we take the second iteration around the loop; but if the
        compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
        some architectures (I performed biological register allocation and found that I needed 9 registers
        for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
        be better off).

        Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
        on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.

        There are some other small changes in this patch, like rationalizing the IC's choice between giving
        up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
        try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
        choose between those options, but we weren't fully taking advantage of it because the
        regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
        sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
        this is all made explicit. I wanted to make sure this change happened in this patch since the
        MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
        this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
        that the rules for giving up were something that made sense to me.
        
        This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
        speed-up for page loading, because many real websites like to have megamorphic property accesses.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationResult::dump):
        (JSC::AccessGenerationState::addWatchpoint):
        (JSC::AccessCase::get):
        (JSC::AccessCase::megamorphicLoad):
        (JSC::AccessCase::replace):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::couldStillSucceed):
        (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
        (JSC::AccessCase::canReplace):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::PolymorphicAccess):
        (JSC::PolymorphicAccess::~PolymorphicAccess):
        (JSC::PolymorphicAccess::regenerateWithCases):
        (JSC::PolymorphicAccess::regenerateWithCase):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet):
        (JSC::AccessCase::isPut):
        (JSC::AccessCase::isIn):
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::operator==):
        (JSC::AccessGenerationResult::operator!=):
        (JSC::AccessGenerationResult::operator bool):
        (JSC::AccessGenerationResult::kind):
        (JSC::AccessGenerationResult::code):
        (JSC::AccessGenerationResult::madeNoChanges):
        (JSC::AccessGenerationResult::gaveUp):
        (JSC::AccessGenerationResult::generatedNewCode):
        (JSC::PolymorphicAccess::isEmpty):
        (JSC::AccessGenerationState::AccessGenerationState):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::addAccessCase):
        * bytecode/StructureStubInfo.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        (JSC::AssemblyHelpers::loadProperty):
        (JSC::emitRandomThunkImpl):
        (JSC::AssemblyHelpers::emitRandomThunk):
        (JSC::AssemblyHelpers::emitLoadStructure):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::moveValueRegs):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
        * jit/GPRInfo.cpp:
        (JSC::JSValueRegs::dump):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::uses):
        * jit/Repatch.cpp:
        (JSC::replaceWithJump):
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        * runtime/Options.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/Structure.h:

2016-04-05  Antoine Quint  <graouts@apple.com>

        [WebGL2] Turn the ENABLE_WEBGL2 flag on
        https://bugs.webkit.org/show_bug.cgi?id=156061
        <rdar://problem/25463193>

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/CommonIdentifiers.h:

        Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject. 

2016-04-04  Zan Dobersek  <zdobersek@igalia.com>

        Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
        https://bugs.webkit.org/show_bug.cgi?id=156161

        Reviewed by Yusuke Suzuki.

        r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
        that handle arguments split into the tag and the payload. The two were split
        between the last argument register and the stack on 32-bit ARM EABI systems,
        causing incorrect behavior.

        Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
        stack, removing the issue.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Avoid copying ModuleLoaderObject.js to resources bundle
        https://bugs.webkit.org/show_bug.cgi?id=156188
        <rdar://problem/25534383>

        Reviewed by Alexey Proskuryakov.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2016-04-04  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r199016.
        https://bugs.webkit.org/show_bug.cgi?id=156140

        "Regressed Octane and Kraken on the perf bots."

        Reverted changeset:

        CopiedBlock should be 16kB
        https://bugs.webkit.org/show_bug.cgi?id=156168
        http://trac.webkit.org/changeset/199016

2016-04-04  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][x86] Fix an assertion in MacroAssembler::branch8()
        https://bugs.webkit.org/show_bug.cgi?id=156181

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branch8):
        The test was wrong because valid negative numbers have ones
        in the top bits.

        I replaced the assertion to be explicit about the valid range.

2016-04-04  Chris Dumez  <cdumez@apple.com>

        Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
        https://bugs.webkit.org/show_bug.cgi?id=156136
        <rdar://problem/25410767>

        Reviewed by Ryosuke Niwa.

        Add a few more identifiers for using in the generated bindings.

        * runtime/CommonIdentifiers.h:

2016-04-04  Geoffrey Garen  <ggaren@apple.com>

        CopiedBlock should be 16kB
        https://bugs.webkit.org/show_bug.cgi?id=156168

        Reviewed by Mark Lam.

        MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
        and the largest page size on Apple devices is 16kB -- so this change
        should improve sharing and recycling and keep us on the fast path more.

        32kB is also super aggro. At 16kB, we support allocations up to 8kB,
        which covers 99.3% of allocations on facebook.com. The 32kB block size
        only covered an additional 0.2% of allocations.

        * heap/CopiedBlock.h:

2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
        https://bugs.webkit.org/show_bug.cgi?id=155745
        <rdar://problem/25289456>

        Reviewed by Brian Burg.

        The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
        enum_constant_values array for every framework that has enum values. So, in case of GTK port we have two
        implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
        using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
        is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
        the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
        can use a specific namespace for the enum conversion methods.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
        CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
        (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
        conversion methods are declared inside the helpers namespace.
        (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
        using getEnumConstantValue().
        (_generate_unchecked_setter_for_member): Ditto.
        (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
        empty list in case of not emitting any code. The caller will use extend() that has no effect when an empty list
        is passed.
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
        mapping and conversion methods inside the helpers namespace.
        (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
        can return an empty list in case of not emitting any code.
        (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
        code when there are enum values, and it's generated inside the helpers namespace.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-04-04  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed ARM buildfix after r198981.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::roundTowardZeroDouble):

2016-04-03  Saam barati  <sbarati@apple.com>

        Implement Annex B.3.3 function hoisting rules for function code
        https://bugs.webkit.org/show_bug.cgi?id=155672

        Reviewed by Geoffrey Garen.

        The spec states that functions declared inside a function
        inside a block scope are subject to the rules of Annex B.3.3:
        https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics

        The rule states that functions declared in such blocks should
        be local bindings of the block. If declaring the function's name
        as a "var" in the function would not lead to a syntax error (i.e,
        if we don't have a let/const/class variable with the same name)
        and if we don't have a parameter with the same name, then we
        implictly also declare the funcion name as a "var". When evaluating
        the block statement we bind the hoisted "var" to be the value
        of the local function binding.

        There is one more thing we do for web compatibility. We allow
        function declarations inside if/else statements that aren't
        blocks. For such statements, we transform the code as if the
        function were declared inside a block statement. For example:
        ``` function foo() { if (cond) function baz() { } }```
        is transformed into:
        ``` function foo() { if (cond) { function baz() { } } }```

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        * bytecompiler/BytecodeGenerator.h:
        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        * parser/Nodes.h:
        (JSC::ScopeNode::hasCapturedVariables):
        (JSC::ScopeNode::captures):
        (JSC::ScopeNode::hasSloppyModeHoistedFunction):
        (JSC::ScopeNode::varDeclarations):
        (JSC::ProgramNode::startColumn):
        (JSC::ProgramNode::endColumn):
        (JSC::EvalNode::startColumn):
        (JSC::EvalNode::endColumn):
        (JSC::ModuleProgramNode::startColumn):
        (JSC::ModuleProgramNode::endColumn):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::declareVariable):
        (JSC::Scope::declareFunction):
        (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
        (JSC::Scope::appendFunction):
        (JSC::Scope::declareParameter):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::ScopeRef::containingScope):
        (JSC::ScopeRef::operator==):
        (JSC::ScopeRef::operator!=):
        (JSC::Parser::declareFunction):
        (JSC::Parser::hasDeclaredVariable):
        (JSC::Parser::isFunctionMetadataNode):
        (JSC::Parser::DepthManager::DepthManager):
        (JSC::Parser<LexerType>::parse):
        * parser/VariableEnvironment.h:
        (JSC::VariableEnvironmentEntry::isImported):
        (JSC::VariableEnvironmentEntry::isImportedNamespace):
        (JSC::VariableEnvironmentEntry::isFunction):
        (JSC::VariableEnvironmentEntry::isParameter):
        (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
        (JSC::VariableEnvironmentEntry::setIsCaptured):
        (JSC::VariableEnvironmentEntry::setIsConst):
        (JSC::VariableEnvironmentEntry::setIsImported):
        (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
        (JSC::VariableEnvironmentEntry::setIsFunction):
        (JSC::VariableEnvironmentEntry::setIsParameter):
        (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
        (JSC::VariableEnvironmentEntry::clearIsVar):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        * runtime/JSScope.cpp:
        * runtime/JSScope.h:
        * tests/es6.yaml:
        * tests/stress/sloppy-mode-function-hoisting.js: Added.
        (assert):
        (test):
        (falsey):
        (truthy):
        (test.):
        (test.a):
        (test.f):
        (test.let.funcs.f):
        (test.catch.f):
        (test.foo):
        (test.bar):
        (test.switch.case.0):
        (test.else.f):
        (test.b):
        (test.c):
        (test.d):
        (test.e):
        (test.g):
        (test.h):
        (test.i):
        (test.j):
        (test.k):
        (test.l):
        (test.m):
        (test.n):
        (test.o):
        (test.p):
        (test.q):
        (test.r):
        (test.s):
        (test.t):
        (test.u):
        (test.v):
        (test.w):
        (test.x):
        (test.y):
        (test.z):
        (foo):
        (bar):
        (falsey.bar):
        (baz):
        (falsey.baz):

2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, turn ES6 for-in loop test success
        https://bugs.webkit.org/show_bug.cgi?id=155451

        * tests/es6.yaml:

2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add truncate operation (rounding to zero)
        https://bugs.webkit.org/show_bug.cgi?id=156072

        Reviewed by Saam Barati.

        Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
        In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
        ArithTrunc rounds the value towards zero.

        And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
        This is completely the same to what we do in JSValue::toInteger.

        Since DFG recognize it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
        This is useful because almost all the argument is Int32 in @toLength -> @toInteger -> @trunc case.
        In such cases, we can eliminate trunc() call.

        As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
        In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
        (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
        (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
        * builtins/GlobalObject.js:
        (toInteger):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::roundShouldSpeculateInt32):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArithRoundingMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::doubleTrunc):
        * ftl/FTLOutput.h:
        * jit/ThunkGenerators.cpp:
        (JSC::truncThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        * tests/stress/math-rounding-infinity.js:
        (testTrunc):
        * tests/stress/math-rounding-nan.js:
        (testTrunc):
        * tests/stress/math-rounding-negative-zero.js:
        (testTrunc):
        * tests/stress/math-trunc-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-trunc-basics.js: Added.
        (mathTruncOnIntegers):
        (mathTruncOnDoubles):
        (mathTruncOnBooleans):
        (uselessMathTrunc):
        (mathTruncWithOverflow):
        (mathTruncConsumedAsDouble):
        (mathTruncDoesNotCareAboutMinusZero):
        (mathTruncNoArguments):
        (mathTruncTooManyArguments):
        (testMathTruncOnConstants):
        (mathTruncStructTransition):
        (Math.trunc):
        * tests/stress/math-trunc-should-be-truncate.js: Added.
        (mathTrunc):

2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=155545

        Reviewed by Saam Barati.
       
        Current patch allow to invoke new.target in eval if this eval is executed within function, 
        otherwise this will lead to Syntax error 
   
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecode/ExecutableInfo.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::ExecutableInfo::evalContextType):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::evalContextType):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::setEvalContextType):
        (JSC::Scope::evalContextType):
        (JSC::parse):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::evalContextType):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/arrowfunction-lexical-bind-newtarget.js:
        * tests/stress/new-target.js:

2016-04-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r198976.
        https://bugs.webkit.org/show_bug.cgi?id=156140

        "Causes js/regress/array-nonarray-polymorhpic-access.html to
        crash." (Requested by ddkilzer on #webkit).

        Reverted changeset:

        "[JSC] Initialize SSA's live values at tail lazily"
        https://bugs.webkit.org/show_bug.cgi?id=156126
        http://trac.webkit.org/changeset/198976

2016-04-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Initialize SSA's live values at tail lazily
        https://bugs.webkit.org/show_bug.cgi?id=156126

        Reviewed by Mark Lam.

        Setting up the clean state early looks harmless but it is
        actually quite expensive.

        The problem is AbstractValue is gigantic, you really want
        to minimize how much you touch that memory.

        By removing the initialization, most blocks only
        get 2 or 3 accesses. Once to setup the value, and a few
        queries for merging the current block with the successors.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::setLiveValues): Deleted.
        (JSC::DFG::InPlaceAbstractState::initialize): Deleted.

2016-04-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
        https://bugs.webkit.org/show_bug.cgi?id=156127

        Reviewed by Mark Lam.

        The profiler run out of memory on big programs if you dump
        the baseline disassembly.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * runtime/Options.h:

2016-04-02  Dan Bernstein  <mitz@apple.com>

        jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
        https://bugs.webkit.org/show_bug.cgi?id=156134
        <rdar://problem/25443824>

        Reviewed by Mark Lam.

        * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
          relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
          to the directory containing JavaScript.framework, and add
          WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.

2016-04-01  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][x86] Add the 3 operands form of floating point substraction
        https://bugs.webkit.org/show_bug.cgi?id=156095

        Reviewed by Geoffrey Garen.

        Same old, same old. Add the AVX form of subsd and subss.

        Unfortunately, we cannot benefit from the 3 register form
        in B3 yet because the Air script does not support CPU flags yet.
        That can be fixed later.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::subDouble):
        (JSC::MacroAssemblerX86Common::subFloat):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::vsubsd_rr):
        (JSC::X86Assembler::subsd_mr):
        (JSC::X86Assembler::vsubsd_mr):
        (JSC::X86Assembler::vsubss_rr):
        (JSC::X86Assembler::subss_mr):
        (JSC::X86Assembler::vsubss_mr):
        (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
        * b3/air/AirOpcode.opcodes:

2016-04-01  Alberto Garcia  <berto@igalia.com>

        [JSC] Missing PATH_MAX definition
        https://bugs.webkit.org/show_bug.cgi?id=156102

        Reviewed by Yusuke Suzuki.

        Not all systems define PATH_MAX, so add a fallback value that is
        long enough.

        * jsc.cpp:

2016-03-31  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] CFA's valuesAtHead should be a list, not a map
        https://bugs.webkit.org/show_bug.cgi?id=156087

        Reviewed by Mark Lam.

        One more step toward moving to the Air-style of liveness analysis:

        Make DFG's valuesAtHead a list of Node*-AbstractValue.
        This patch alone is already a speedup because our many CFAs
        spend an unreasonable amount of time updating at block boundaries.

        * dfg/DFGBasicBlock.h:
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeValuePairComparator):
        (JSC::DFG::nodeValuePairListDump):

2016-03-31  Saam barati  <sbarati@apple.com>

        Revert rewrite const as var workaround
        https://bugs.webkit.org/show_bug.cgi?id=155393

        Reviewed by Mark Lam.

        * parser/Parser.h:
        (JSC::Parser::next):
        (JSC::Parser::nextExpectIdentifier):
        * runtime/VM.h:
        (JSC::VM::setShouldRewriteConstAsVar): Deleted.
        (JSC::VM::shouldRewriteConstAsVar): Deleted.

2016-03-31  Saam barati  <sbarati@apple.com>

        [ES6] Disallow var assignments in for-in loops
        https://bugs.webkit.org/show_bug.cgi?id=155451

        Reviewed by Mark Lam.

        We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
        because last time we made this change it broke some websites. Lets try making
        it again because it's what the ES6 mandates. If it still breaks things we will
        roll it out.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):

2016-03-31  Saam barati  <sbarati@apple.com>

        parsing arrow function expressions slows down the parser by 8% lets recoup some loss
        https://bugs.webkit.org/show_bug.cgi?id=155988

        Reviewed by Benjamin Poulain.

        We used to eagerly check if we're parsing an arrow function.
        We did this inside parseAssignmentExpression(), and it was
        very costly. The reason it was costly is that arrow functions
        might start with an identifier. This means anytime we saw an
        identifier we would have to do a lookahead, and then most likely
        backtrack because more often than not, we wouldn't see "=>"
        as the next token.

        In this patch I implement a new approach. We just parse
        the lhs of an assignment expression eagerly without doing any
        lookahead. Retroactively, if we see that we might have started
        with an arrow function, and we don't have a valid lhs or the
        next token is a "=>", we try to parse as an arrow function.

        Here are a few examples motivating why this is valid:

        `x => x`
        In this example:
        - "x" is a valid arrow function starting point.
        - "x" also happens to be a valid lhs
        - because we see "=>" as the next token, we parse as an arrow function and succeed.

        `(x) => x`
        In this example:
        - "(" is a valid arrow function starting point.
        - "(x)" also happens to be a valid lhs
        - because we see "=>" as the next token, we parse as an arrow function and succeed.

        `({x = 30}) => x;`
        In this example:
        - "(" is a valid arrow function starting point.
        - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.

        There is one interesting implementation detail where we might
        parse something that is both a valid LHS but happens
        to actually be the arrow function parameters. The valid LHS
        parsing might declare such variables as "uses" which would cause 
        weird capture analysis. This patch also introduces a mechanism
        to backtrack on used variable analysis.

        This is a 3.5%-4.5% octane code load speedup.

        * parser/Lexer.h:
        (JSC::Lexer::sawError):
        (JSC::Lexer::setSawError):
        (JSC::Lexer::getErrorMessage):
        (JSC::Lexer::setErrorMessage):
        (JSC::Lexer::sourceURL):
        (JSC::Lexer::sourceMappingURL):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::startSwitch):
        (JSC::Scope::declareParameter):
        (JSC::Scope::usedVariablesContains):
        (JSC::Scope::useVariable):
        (JSC::Scope::pushUsedVariableSet):
        (JSC::Scope::currentUsedVariablesSize):
        (JSC::Scope::revertToPreviousUsedVariables):
        (JSC::Scope::setNeedsFullActivation):
        (JSC::Scope::needsFullActivation):
        (JSC::Scope::isArrowFunctionBoundary):
        (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Scope::setIsModule):

2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Fails to build in Linux / PowerPC due to different ucontext_t definition
        https://bugs.webkit.org/show_bug.cgi?id=156015

        Reviewed by Michael Catanzaro.

        PPC does not have mcontext_t in ucontext_t::uc_mcontext.
        So we take the special way to retrieve mcontext_t in PPC.

        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):

2016-03-31  Benjamin Poulain  <benjamin@webkit.org>

        [JSC][x86] Add the indexed forms of floating point addition and multiplication
        https://bugs.webkit.org/show_bug.cgi?id=156058

        Reviewed by Geoffrey Garen.

        B3 supports lowering [base, index] addresses into
        arbitrary instructions but we were not using that feature.

        This patch adds the missing support for the lowering
        of Add and Mul.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::addDouble):
        (JSC::MacroAssemblerX86Common::addFloat):
        (JSC::MacroAssemblerX86Common::mulDouble):
        (JSC::MacroAssemblerX86Common::mulFloat):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addsd_mr):
        (JSC::X86Assembler::vaddsd_mr):
        (JSC::X86Assembler::addss_mr):
        (JSC::X86Assembler::vaddss_mr):
        (JSC::X86Assembler::mulsd_mr):
        (JSC::X86Assembler::vmulsd_mr):
        (JSC::X86Assembler::mulss_mr):
        (JSC::X86Assembler::vmulss_mr):
        (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::appendBinOp):
        Unlike the Addr form, we never need to transform a Tmp
        into an Index for spilling.

        Instead of duplicating all the code in MacroAssembler, I can
        just have the lowering phase try using addresses for the first
        argument when possible.

        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:
        (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
        (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
        (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
        (JSC::B3::Air::run):

2016-03-31  Saam barati  <sbarati@apple.com>

        DFG JIT bug in typeof constant folding where the input to typeof is an object or function
        https://bugs.webkit.org/show_bug.cgi?id=156034
        <rdar://problem/25446785>

        Reviewed by Ryosuke Niwa.

        AI would constant fold TypeOf to the string "object" if it saw that
        its input type didn't expand past the types contained in the set 
        "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
        And typeof of a function should return "function". This patch fixes
        this bug by making sure we constant fold to object iff the type
        doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * tests/stress/typeof-dfg-function-or-object.js: Added.
        (assert):
        (foo.else.o):
        (foo):

2016-03-31  Mark Lam  <mark.lam@apple.com>

        Gardening: Build and logic fix after r198873.
        https://bugs.webkit.org/show_bug.cgi?id=156043

        Not reviewed.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::addFloat):
        - 2 args were meant to be ordered differently in order to call the other addFloat.
          Instead, there was an infinite recursion bug.  This is now fixed.

2016-03-30  Benjamin Poulain  <benjamin@webkit.org>

        [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
        https://bugs.webkit.org/show_bug.cgi?id=156043

        Reviewed by Geoffrey Garen.

        When they are available, VADD and VMUL are better options to lower
        floating point addition and multiplication.

        In the simple cases when one of the operands is aliased to the destination,
        those forms have the same size or 1 byte shorter depending on the registers.

        In the more advanced cases, we gain nice advantages with the new forms:
        -We can get rid of the MoveDouble in front the instruction when we cannot
         alias.
        -We can disable aliasing entirely in Air. That is useful for latency
         since computing coalescing is not exactly cheap.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        The change in B3LowerToAir exposed a bug in the fake 3 operands
        forms of those instructions. If the address is equal to
        the destination, we were nuking the address.

        For example,
            Add32([%r11], %eax, %r11)
        would generate:
            move %eax, %r11
            add32 [%r11], %r11
        which crashes.

        I updated codegen of those cases to support that case through
            load32 [%r11], %r11
            add32 %eax, %r11

        The weird case were all arguments have the same registers
        is handled too.

        (JSC::MacroAssemblerX86Common::addDouble):
        (JSC::MacroAssemblerX86Common::addFloat):
        (JSC::MacroAssemblerX86Common::mulDouble):
        (JSC::MacroAssemblerX86Common::mulFloat):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
        (JSC::MacroAssemblerX86Common::supportsAVX):
        (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchAdd64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::vaddsd_rr):
        (JSC::X86Assembler::vaddsd_mr):
        (JSC::X86Assembler::vaddss_rr):
        (JSC::X86Assembler::vaddss_mr):
        (JSC::X86Assembler::vmulsd_rr):
        (JSC::X86Assembler::vmulsd_mr):
        (JSC::X86Assembler::vmulss_rr):
        (JSC::X86Assembler::vmulss_mr):
        (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::appendBinOp):
        Add the 3 operand forms so that we lower Add and Mul
        to the best form directly.

        I will change how we lower the fake 3 operands instructions
        but the codegen should end up the same in most cases.
        The new codegen is the load32 + op above.

        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/testair.cpp:
        (JSC::B3::Air::testX86VMULSD):
        (JSC::B3::Air::testX86VMULSDDestRex):
        (JSC::B3::Air::testX86VMULSDOp1DestRex):
        (JSC::B3::Air::testX86VMULSDOp2DestRex):
        (JSC::B3::Air::testX86VMULSDOpsDestRex):
        (JSC::B3::Air::testX86VMULSDAddr):
        (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
        (JSC::B3::Air::testX86VMULSDDestRexAddr):
        (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
        (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
        Make sure we have some coverage for AVX encoding of instructions.

2016-03-30  Saam Barati  <sbarati@apple.com>

        Change some release asserts in CodeBlock linking into debug asserts
        https://bugs.webkit.org/show_bug.cgi?id=155500

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):

2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused ScriptProfiler.Samples.totalTime
        https://bugs.webkit.org/show_bug.cgi?id=156002

        Reviewed by Saam Barati.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        * inspector/protocol/ScriptProfiler.json:
        Remove totalTime.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler): Deleted.
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::totalTime): Deleted.
        Remove now unused m_totalTime.

2016-03-30  Michael Saboff  <msaboff@apple.com>

        [ES6] Quantified unicode regular expressions do not work for counts greater than 1
        https://bugs.webkit.org/show_bug.cgi?id=156044

        Reviewed by Mark Lam.

        Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
        was indexing by character units, a single JS character, instead of code points
        which is 2 JS characters.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDisjunction):

2016-03-30  Mark Lam  <mark.lam@apple.com>

        Make the $vm debugging tools available to builtins as @$vm.
        https://bugs.webkit.org/show_bug.cgi?id=156012

        Reviewed by Saam Barati.

        We also need some debugging tools for builtin development.  The $vm object will
        be made available to builtins as @$vm, which gives us, amongst many goodies,
        @$vm.print() (which prints the toString() values of its args) and
        @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
        available if we run with JSC_useDollarVM=true.

        Also changed @$vm.print() to not automatically insert a space between the
        printing of each of its args.  This makes it clearer as to what will be printed
        i.e. it will only print what is passed to it.

        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::dollarVMPublicName):
        (JSC::BuiltinNames::dollarVMPrivateName):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionPrint):

2016-03-30  Keith Miller  <keith_miller@apple.com>

        Unreviewed, buildfix.

        * bytecode/BytecodeIntrinsicRegistry.h:

2016-03-30  Keith Miller <keith_miller@apple.com>

        Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.

2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement String.prototype.repeat in builtins JS
        https://bugs.webkit.org/show_bug.cgi?id=155974

        Reviewed by Darin Adler.

        This patch converts C++ String.prototype.repeat implementation into JS builtins.
        |this| in strict mode is correctly inferred as String[1]. This fact encourages us
        to write PrimitiveTypes.prototype.XXX methods in builtin JS.

        LayoutTests/js/string-repeat.html already covers the tests for this change.

        Note: String.prototype.repeat functionality is similar to Harmony's
        String.prototype.{padStart, padEnd}. It's nice to port them to builtin JS in
        the other patch.

        The existing C++ code has the fast path for singleCharacterString repeating.
        Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
        we keep this fast path as @repeatCharacter().

        The performance results show that, while the performance of the single character fast path
        is neutral, other string repeating has significant speed up.
        There are two reasons.

        1. Not resolving string rope.

        We added several tests postfixed "not-resolving". In that tests, we do not touch the content
        of the generated string. As a result, the generated rope is not resolved.

        2. O(log N) intermediate JSRopeStrings.

        In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
        the given string to the builder.
        In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
        In JS builtin implementation, we only iterate log N times. As a result, the number of the
        intermediate rope strings becomes O(log N).

        [1]: http://trac.webkit.org/changeset/195938

        * builtins/StringPrototype.js:
        (repeatSlowPath):
        (repeat):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncRepeatCharacter):
        (JSC::StringPrototype::finishCreation): Deleted.
        (JSC::stringProtoFuncRepeat): Deleted.
        * runtime/StringPrototype.h:
        * tests/stress/string-repeat-edge-cases.js: Added.
        (shouldBe):
        (let.object.toString):
        (valueOf):
        (shouldThrow):

2016-03-30  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Update udis86
        https://bugs.webkit.org/show_bug.cgi?id=156005

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/udis86/differences.txt:
        * disassembler/udis86/itab.py: Removed.
        * disassembler/udis86/optable.xml:
        * disassembler/udis86/ud_itab.py: Added.
        * disassembler/udis86/ud_opcode.py:
        * disassembler/udis86/ud_optable.py: Removed.
        * disassembler/udis86/udis86.c:
        * disassembler/udis86/udis86_decode.c:
        * disassembler/udis86/udis86_decode.h:
        * disassembler/udis86/udis86_extern.h:
        * disassembler/udis86/udis86_input.c: Removed.
        * disassembler/udis86/udis86_input.h: Removed.
        * disassembler/udis86/udis86_syn-att.c:
        * disassembler/udis86/udis86_syn.h:
        * disassembler/udis86/udis86_types.h:
        * disassembler/udis86/udis86_udint.h:

2016-03-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get rid of operationInitGlobalConst(), it is useless
        https://bugs.webkit.org/show_bug.cgi?id=156010

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2016-03-29  Saam barati  <sbarati@apple.com>

        Fix typos in our error messages and remove some trailing periods
        https://bugs.webkit.org/show_bug.cgi?id=155985

        Reviewed by Mark Lam.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/ArrayConstructor.h:
        (JSC::isArray):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::ProxyConstructor::finishCreation):
        (JSC::constructProxyObject):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):
        * runtime/Structure.cpp:
        (JSC::Structure::preventExtensionsTransition):
        * tests/stress/proxy-basic.js:
        * tests/stress/proxy-construct.js:
        (throw.new.Error):
        (assert):
        * tests/stress/proxy-define-own-property.js:
        (assert):
        (throw.new.Error):
        (i.catch):
        (assert.set get catch):
        * tests/stress/proxy-delete.js:
        (assert):
        * tests/stress/proxy-get-own-property.js:
        (assert):
        (i.catch):
        (set get let):
        * tests/stress/proxy-get-prototype-of.js:
        (assert):
        (assert.get let):
        (assert.get catch):
        * tests/stress/proxy-has-property.js:
        (assert):
        * tests/stress/proxy-is-array.js:
        (test):
        * tests/stress/proxy-is-extensible.js:
        (assert):
        * tests/stress/proxy-json.js:
        (assert):
        (test):
        * tests/stress/proxy-own-keys.js:
        (assert):
        (i.catch):
        * tests/stress/proxy-prevent-extensions.js:
        (assert):
        * tests/stress/proxy-property-descriptor.js:
        * tests/stress/proxy-revoke.js:
        (assert):
        (throw.new.Error.):
        (throw.new.Error):
        (shouldThrowNullHandler):
        * tests/stress/proxy-set-prototype-of.js:
        (assert.set let):
        (assert.set catch):
        (assert):
        (set catch):
        * tests/stress/proxy-set.js:
        (throw.new.Error.let.handler.set 45):
        (throw.new.Error):
        * tests/stress/proxy-with-private-symbols.js:
        (assert):
        * tests/stress/proxy-with-unbalanced-getter-setter.js:
        (assert):
        * tests/stress/reflect-set-proxy-set.js:
        (throw.new.Error.let.handler.set 45):
        (throw.new.Error):
        * tests/stress/reflect-set-receiver-proxy-set.js:
        (let.handler.set 45):
        (catch):
        * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
        (test):
        (test.get let):

2016-03-29  Keith Miller  <keith_miller@apple.com>

        [ES6] Add support for Symbol.isConcatSpreadable.
        https://bugs.webkit.org/show_bug.cgi?id=155351

        Reviewed by Saam Barati.

        This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
        Array.prototype.concat function to JS. A number of different optimizations were needed to make such the move to
        a builtin performant. First, four new DFG intrinsics were added.

        1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
           the Array.isArray function.
        2) IsJSArray: checks the first child is a JSArray object.
        3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
        4) CallObjectConstructor: an intrinsic of the Object constructor.

        IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
        we are able to prove that the first child is an Array or for ToObject an Object.

        In order to further improve the perfomance we also now cover more indexing types in our fast path memcpy
        code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
        were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
        the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
        into a contiguous array).

        This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
        values onto the result array. This works roughly the same as the two array fast path using the same methodology
        to decide if we can memcpy the other butterfly into the result butterfly.

        Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
        name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
        dataLog function on it.

        Finally, this patch add a new constructor to JSValueRegsTemporary that allows it to reuse the the registers of a
        JSValueOperand if the operand's use count is one.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayPrototype.js:
        (concatSlowPath):
        (concat):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileIsJSArray):
        (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::isArray):
        * jit/JITOperations.h:
        * jsc.cpp:
        (WTF::RuntimeArray::createStructure):
        (GlobalObject::finishCreation):
        (functionDebug):
        (functionDataLogValue):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::isArrayConstructor):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoPrivateFuncIsJSArray):
        (JSC::moveElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::arrayProtoPrivateFuncAppendMemcpy):
        (JSC::arrayProtoFuncConcat): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::fastConcatWith): Deleted.
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::JSArray::fastConcatType): Deleted.
        * runtime/JSArrayInlines.h: Added.
        (JSC::JSArray::memCopyWithIndexingType):
        (JSC::JSArray::canFastCopy):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSType.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructObject):
        * tests/es6.yaml:
        * tests/stress/array-concat-spread-object.js: Added.
        (arrayEq):
        * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
        (arrayEq):
        * tests/stress/array-concat-spread-proxy.js: Added.
        (arrayEq):
        * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
        (arrayEq):
        * tests/stress/array-species-config-array-constructor.js:

2016-03-29  Saam barati  <sbarati@apple.com>

        We don't properly optimize TDZ checks when we declare a let variable without an initializer
        https://bugs.webkit.org/show_bug.cgi?id=150453

        Reviewed by Mark Lam.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::EmptyLetExpression::emitBytecode):

2016-03-29  Saam barati  <sbarati@apple.com>

        Allow builtin JS functions to be intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=155960

        Reviewed by Mark Lam.

        Builtin functions can now be recognized as intrinsics inside
        the DFG. This gives us the flexibility to either lower a builtin
        as an intrinsic in the DFG or as a normal function call.
        Because we may decide to not lower it as an intrinsic, the DFG
        inliner could still inline the function call.

        You can annotate a builtin function like so to make
        it be recognized as an intrinsic.
        ```
        [intrinsic=FooIntrinsic] function foo() { ... }
        ```
        where FooIntrinsic is an enum value of the Intrinsic enum.

        So in the future if we write RegExp.prototype.test as a builtin, we would do:
        ``` RegExpPrototype.js
        [intrinsic=RegExpTestIntrinsic] function test() { ... }
        ```

        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generator.py:
        (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
        * Scripts/builtins/builtins_model.py:
        (BuiltinObject.__init__):
        (BuiltinFunction):
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        (BuiltinFunction.__str__):
        * Scripts/builtins/builtins_templates.py:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::NativeExecutable::destroy):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ExecutableBase::intrinsic): Deleted.
        (JSC::NativeExecutable::intrinsic): Deleted.
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::hasJITCodeFor):
        (JSC::ExecutableBase::intrinsic):
        (JSC::ExecutableBase::intrinsicFor):
        (JSC::ScriptExecutable::finishCreation):
        * runtime/Intrinsic.h:

2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>

        JSC::Debugger cleanup after recent changes
        https://bugs.webkit.org/show_bug.cgi?id=155982

        Reviewed by Mark Lam.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        Initialize with breakpoints disabled. Web Inspector always informs
        the backend if it should enable or disable breakpoints on startup.

        (JSC::Debugger::setProfilingClient):
        When using the Sampling profiler we do not need to recompile.

2016-03-29  Saam barati  <sbarati@apple.com>

        "Can not" => "cannot" in String.prototype error messages
        https://bugs.webkit.org/show_bug.cgi?id=155895

        Reviewed by Mark Lam.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):
        * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
        (test):
        (test.get let):

2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: We should have a way to capture heap snapshots programatically.
        https://bugs.webkit.org/show_bug.cgi?id=154407
        <rdar://problem/24726292>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Console.json:
        Add a new Console.heapSnapshot event for when a heap snapshot is taken.

        * runtime/ConsolePrototype.cpp:
        (JSC::ConsolePrototype::finishCreation):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTakeHeapSnapshot):
        * runtime/ConsoleClient.h:
        Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
        * inspector/JSGlobalObjectConsoleClient.h:
        Have the InspectorConsoleAgent handle this.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        Give the ConsoleAgent a HeapAgent pointer so that it can have the HeapAgent
        perform the snapshot building work like it normally does.

2016-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte
        https://bugs.webkit.org/show_bug.cgi?id=155559

        Reviewed by Saam Barati.

        The fast path of the eval function is the super hot path in date-format-tofte.
        Any performance regression is not allowed here.
        Before this patch, we allocated SourceCode in the fast path.
        This allocation incurs 10% performance regression.

        This patch removes this allocation in the fast path.
        And change the key of the EvalCodeCache to EvalCodeCache::CacheKey.
        It combines RefPtr<StringImpl> and isArrowFunctionContext.
        Since EvalCodeCache does not cache any eval code evaluated under the strict mode,
        it is unnecessary to include several options (ThisTDZMode, and DerivedContextType) in the cache map's key.
        But isArrowFunctionContext is necessary since the sloppy mode arrow function exists.

        To validate this change, we add a new test that evaluates the same code
        under the non-arrow function context and the arrow function context.

        After introducing CacheKey, we observed 1% regression compared to the RefPtr<StringImpl> keyed case.
        This is because HashMap<RefPtr<T>, ...>::get(T*) is specially optimized; this path is inlined while the normal ::get() is not inlined.
        To avoid this performance regression, we introduce HashMap::fastGet, that aggressively encourages inlining.
        The relationship between fastGet() and get() is similar to fastAdd() and add().
        After applying this change, the evaluation shows no performance regression in comparison with the RefPtr<StringImpl> keyed case.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::CacheKey::CacheKey):
        (JSC::EvalCodeCache::CacheKey::hash):
        (JSC::EvalCodeCache::CacheKey::isEmptyValue):
        (JSC::EvalCodeCache::CacheKey::operator==):
        (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue):
        (JSC::EvalCodeCache::CacheKey::Hash::hash):
        (JSC::EvalCodeCache::CacheKey::Hash::equal):
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        (JSC::EvalCodeCache::isCacheable):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * tests/stress/eval-in-arrow-function.js: Added.
        (shouldBe):
        (i):

2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>

        Audit WebCore builtins for user overridable code
        https://bugs.webkit.org/show_bug.cgi?id=155923

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        Expose @Object.@defineProperty to built-ins.

2016-03-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ArithSub should not propagate "UsesAsOther"
        https://bugs.webkit.org/show_bug.cgi?id=155932

        Reviewed by Mark Lam.

        The node ArithSub was backpropagating UsesAsOther.
        This causes any GetByVal on a Double Array to have an extra
        hole check if it flows into an ArithSub.

        The definition of ArithSub (12.8.4.1) has both operands go
        through ToNumber(). ToNumber() on "undefined" always produces
        NaN. It is safe to ignore the NaN marker from hole when
        the DAG flows into ArithSub.

        This patch also adds this change and test coverage to ArithAdd.
        ArithAdd was not a problem in practice because it is only
        generated before Fixup if both operands are known to be numerical.
        The change to ArithAdd is there to protect us of the ArithSub-like
        problems if we ever improve our support of arithmetic operators.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * tests/stress/arith-add-on-double-array-with-holes.js: Added.
        (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
        (let.testCase.of.testCases.observableHoleOnLhs):
        (let.testCase.of.testCases.nonObservableHoleOnRhs):
        (let.testCase.of.testCases.observableHoleOnRhs):
        * tests/stress/arith-sub-on-double-array-with-holes.js: Added.
        (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
        (let.testCase.of.testCases.observableHoleOnLhs):
        (let.testCase.of.testCases.nonObservableHoleOnRhs):
        (let.testCase.of.testCases.observableHoleOnRhs):
        * tests/stress/value-add-on-double-array-with-holes.js: Added.
        (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
        (let.testCase.of.testCases.observableHoleOnLhs):
        (let.testCase.of.testCases.nonObservableHoleOnRhs):
        (let.testCase.of.testCases.observableHoleOnRhs):

2016-03-28  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should generate C++ string-to-enum helper functions
        https://bugs.webkit.org/show_bug.cgi?id=155691
        <rdar://problem/25258078>

        Reviewed by Timothy Hatcher.

        There's a lot of code throughout the Inspector agents and automation code
        that needs to convert a raw string into a typed protocol enum. Generate
        some helpers that do this conversion so clients can move over to using it.

        These helpers are necessary for when we eventually switch to calling backend
        dispatcher handlers with typed arguments instead of untyped JSON objects.

        To correctly generate a conversion function for an anonymous enum, the
        generator needs to be able to get the containing object type's declaration.
        Since the model's Type object each have only one instance, there is a
        one-to-one association between type and its declaration.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
        Clean up this method to use methodcaller to sort types by raw name.

        (_generate_declarations_for_enum_conversion_methods):
        (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
        (_generate_declarations_for_enum_conversion_methods.type_member_is_anonymous_enum_type):
        Added. Generates a new section with an unfilled template and specializations of
        the template for every named and anonymous enum in every domain. Guards for
        domains wrap the forward declarations. This is added to the end of the header
        file so that specializations for both types of enums are in the same place.

        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.generate_output):
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.type_member_is_anonymous_enum_type):
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
        Added. Generate a static array of offsets into the enum constant value array.
        Then, loop over this array of offsets and do string comparisons against the
        provided string and enum constant values at the relevant offsets for this enum.

        * inspector/scripts/codegen/generator_templates.py:
        (GeneratorTemplates): Update copyright year in generated files.

        * inspector/scripts/codegen/models.py:
        (AliasedType.__init__):
        (EnumType.__init__):
        (EnumType.enum_values):
        (EnumType.declaration):
        (ArrayType.__init__):
        (ArrayType.declaration):
        (ObjectType.__init__):
        (ObjectType.declaration):
        (Protocol.resolve_types):
        (Protocol.lookup_type_reference):
        Pass the type declaration to Type constructors if available. If not,
        fill in a placeholder name for the type in the constructor instead of caller.

        Rebaseline all the things, mostly for copyright block changes.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        Misc. JavaScriptCore built-ins cleanups
        https://bugs.webkit.org/show_bug.cgi?id=155920

        Reviewed by Mark Lam.

        * builtins/RegExpPrototype.js:
        (match):
        No need for an else after an if that always returns.

        * builtins/TypedArrayConstructor.js:
        (of):
        Fix error message to use the correct function name.

        (allocateInt8Array):
        (allocateInt16Array):
        (allocateInt32Array):
        (allocateUint32Array):
        (allocateUint16Array):
        (allocateUint8Array):
        (allocateUint8ClampedArray):
        (allocateFloat32Array):
        (allocateFloat64Array):
        Cleanup style to be like all the other code.

        * tests/stress/typedarray-of.js:
        Test the exception message.

2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        Date.prototype.toLocaleDateString uses overridable Object.create
        https://bugs.webkit.org/show_bug.cgi?id=155917

        Reviewed by Mark Lam.

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        Switch from @Object.create to @Object.@create to guarentee we are
        using the built-in create method and not user defined code.

        * runtime/CommonIdentifiers.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        Setup the @create private symbol.

2016-03-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Put the x86 Assembler on a binary diet
        https://bugs.webkit.org/show_bug.cgi?id=155683

        Reviewed by Darin Adler.

        The MacroAssemblers are heavily inlined. This is unfortunately
        important for baseline JIT where many branches can be eliminated
        at compile time.

        This inlining causes a lot of binary bloat. The phases
        lowering to ASM are massively large.

        This patch improves the situation a bit for x86 through
        many small improvements:

        -Every instruction starts with ensureSpace(). The slow
         path realloc the buffer.
         From that slow path, only fastRealloc() was a function
         call. What is around does not need to be fast, I moved
         the whole grow() function out of line for those cases.

        -When testing multiple registers for REX requirements,
         we had something like this:
             byteRegRequiresRex(reg) || byteRegRequiresRex(rm)
             regRequiresRex(index) || regRequiresRex(base)
         Those were producing multiple test-and-branch. Those branches
         are effectively random so we don't have to care about individual
         branches being predictable.

         The new code effectively does:
             byteRegRequiresRex(reg | rm)
             regRequiresRex(index | base)

        -Change "ModRmMode" to have the value we can OR directly
         to the generated ModRm.
         This is important because some ModRM code is so large
         that is goes out of line;

        -Finally, a big change on how we write to the AssemblerBuffer.

         Previously, instructions were written byte by byte into
         the assembler buffer of the MacroAssembler.

         The problem with that is the compiler cannot prove that
         the buffer pointer and the AssemblerBuffer are not pointing
         to the same memory.

         Because of that, before any write, all the local register
         were pushed back to the AssemblerBuffer memory, then everything
         was read back after the write to compute the next write.

         I attempted to use the "restrict" keyword and wrapper types
         to help Clang with that but nothing worked.

         The current solution is to keep a local copy of the index
         and the buffer pointer in the scope of each instruction.
         That is done by AssemblerBuffer::LocalWriter.

         Since LocalWriter only exists locally, it stays in
         register and we don't have all the memory churn between
         each byte writing. This also allows clang to combine
         obvious cases since there are no longer observable side
         effects between bytes.

        This patch reduces the binary size by 66k. It is a small
        speed-up on Sunspider.

        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::ensureSpace):
        (JSC::AssemblerBuffer::LocalWriter::LocalWriter):
        (JSC::AssemblerBuffer::LocalWriter::~LocalWriter):
        (JSC::AssemblerBuffer::LocalWriter::putByteUnchecked):
        (JSC::AssemblerBuffer::LocalWriter::putShortUnchecked):
        (JSC::AssemblerBuffer::LocalWriter::putIntUnchecked):
        (JSC::AssemblerBuffer::LocalWriter::putInt64Unchecked):
        (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::outOfLineGrow):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::X86InstructionFormatter::byteRegRequiresRex):
        (JSC::X86Assembler::X86InstructionFormatter::regRequiresRex):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::LocalBufferWriter):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRex):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexW):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIf):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIfNeeded):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRm):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRmSib):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::registerModRM):
        (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::memoryModRM):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp32): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::twoByteOp): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::threeByteOp): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp32): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::twoByteOp8): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::emitRex): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::emitRexW): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::emitRexIf): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::emitRexIfNeeded): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::putModRm): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::putModRmSib): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::registerModRM): Deleted.
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): Deleted.

2016-03-25  Saam barati  <sbarati@apple.com>

        RegExp.prototype.test should be an intrinsic again
        https://bugs.webkit.org/show_bug.cgi?id=155861

        Reviewed by Yusuke Suzuki.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):

2016-03-25  Mark Lam  <mark.lam@apple.com>

        ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites.
        https://bugs.webkit.org/show_bug.cgi?id=155904

        Reviewed by Geoffrey Garen.

        There exists a JS library XRegExp (see http://xregexp.com) that extends the regexp
        implementation.  XRegExp does feature testing by comparing RegExp.prototype.sticky
        to undefined.  See:

        Example 1. https://github.com/slevithan/xregexp/blob/28a2b033c5951477bed8c7c867ddf7e89c431cd4/tests/perf/index.html
            ...
            } else if (knownVersion[version]) {
                // Hack around ES6 incompatibility in XRegExp versions prior to 3.0.0
                if (parseInt(version, 10) < 3) {
                    delete RegExp.prototype.sticky;
            }
            ...

        Example 2. https://github.com/slevithan/xregexp/blob/d0e665d4068cec4d15919215b098b2373f1f12e9/tests/perf/versions/xregexp-all-v2.0.0.js
            ...
            // Check for flag y support (Firefox 3+)
                hasNativeY = RegExp.prototype.sticky !== undef,
            ...

        The ES6 spec states that we should throw a TypeError here because RegExp.prototype
        is not a RegExp object, and the sticky getter is only allowed to be called on
        RegExp objects.  See https://tc39.github.io/ecma262/2016/#sec-get-regexp.prototype.sticky.
        As a result, websites that uses XRegExp can break (e.g. some Atlassian tools).

        As a workaround, we'll return undefined instead of throwing on access of these
        flag properties that may be used for feature testing.

        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):

2016-03-25  Caitlin Potter  <caitp@igalia.com>

        [JSC] fix divide-by-zero in String.prototype.padStart/padEnd
        https://bugs.webkit.org/show_bug.cgi?id=155903

        Reviewed by Filip Pizlo.

        * runtime/StringPrototype.cpp:
        (JSC::padString):

2016-03-25  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] materialize-past-butterfly-allocation.js time out in debug

        * tests/stress/materialize-past-butterfly-allocation.js:
        The test times out on the debug bots. We suspect there is nothing
        wrong, just overkill loops.

2016-03-25  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should prefix C++ filenames with the protocol group
        https://bugs.webkit.org/show_bug.cgi?id=155859
        <rdar://problem/25349859>

        Reviewed by Alex Christensen and Joseph Pecoraro.

        Like for generated Objective-C files, we should use the 'protocol group' name
        as the prefix for generated C++ files so that headers from different protocol
        groups have unambiguous names.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator):
        (CppGenerator.__init__):
        (CppGenerator.protocol_name):
        Make all C++ code generators extend the CppGenerator python class and use the
        protocol_name() instance method. This matches a recent change to the ObjC generator.

        * inspector/scripts/codegen/cpp_generator_templates.py:
        (CppGeneratorTemplates):
        Drive-by cleanup to use #pragma once instead of header guards.

        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator):
        (CppAlternateBackendDispatcherHeaderGenerator.__init__):
        (CppAlternateBackendDispatcherHeaderGenerator.output_filename):
        (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator):
        (CppBackendDispatcherHeaderGenerator.__init__):
        (CppBackendDispatcherHeaderGenerator.output_filename):
        (CppBackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator):
        (CppBackendDispatcherImplementationGenerator.__init__):
        (CppBackendDispatcherImplementationGenerator.output_filename):
        (CppBackendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator):
        (CppFrontendDispatcherHeaderGenerator.__init__):
        (CppFrontendDispatcherHeaderGenerator.output_filename):
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator):
        (CppFrontendDispatcherImplementationGenerator.__init__):
        (CppFrontendDispatcherImplementationGenerator.output_filename):
        (CppFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator):
        (CppProtocolTypesHeaderGenerator.__init__):
        (CppProtocolTypesHeaderGenerator.output_filename):
        (CppProtocolTypesHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        (CppProtocolTypesImplementationGenerator.__init__):
        (CppProtocolTypesImplementationGenerator.output_filename):
        (CppProtocolTypesImplementationGenerator.generate_output):
        Use the protocol_name() instance method to compute generated protocol file names.

        * inspector/scripts/codegen/models.py:
        Explicitly set the 'protocol_group' for the Inspector protocol.

        Rebaseline generator test results.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-25  Keith Miller  <keith_miller@apple.com>

        putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength
        https://bugs.webkit.org/show_bug.cgi?id=155730

        Reviewed by Saam Barati.

        This patch makes ensureLength return a boolean indicating if it was able to set the length.
        ensureLength also no longer sets the butterfly to null if the allocation of the butterfly
        fails. All of ensureLengths callers including putByIndexBeyondVectorLengthWithoutAttributes
        have been adapted to throw an out of memory error if ensureLength fails.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureLength):

2016-03-25  Caitlin Potter  <caitp@igalia.com>

        [JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal
        https://bugs.webkit.org/show_bug.cgi?id=155795

        Reviewed by Darin Adler.

        Implements ECMAScript proposal http://tc39.github.io/proposal-string-pad-start-end/
        Currently at Stage 3.

        * runtime/JSString.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::repeatCharacter):
        (JSC::repeatStringPattern):
        (JSC::padString):
        (JSC::stringProtoFuncPadEnd):
        (JSC::stringProtoFuncPadStart):
        * tests/es6.yaml:
        * tests/es6/String.prototype_methods_String.prototype.padEnd.js: Added.
        * tests/es6/String.prototype_methods_String.prototype.padStart.js: Added.

2016-03-24  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build.

        * PlatformMac.cmake:
        Link to Security framework.

2016-03-24  Saam barati  <sbarati@apple.com>

        ES6: Implement IsRegExp function and use where needed in String.prototype.* methods
        https://bugs.webkit.org/show_bug.cgi?id=155854

        Reviewed by Mark Lam.

        This patch is a straight forward implementation of IsRegExp
        in the ES6 spec:
        https://tc39.github.io/ecma262/#sec-isregexp
        We now use this IsRegExp function inside String.prototype.(startsWith | endsWith | includes)
        as is dictated by the spec.

        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::recordMatch):
        (JSC::isRegExp):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):
        * tests/es6.yaml:
        * tests/es6/well-known_symbols_Symbol.match_String.prototype.endsWith.js: Added.
        (test):
        * tests/es6/well-known_symbols_Symbol.match_String.prototype.includes.js: Added.
        (test):
        * tests/es6/well-known_symbols_Symbol.match_String.prototype.startsWith.js: Added.
        (test):
        * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js: Added.
        (assert):
        (test):
        (test.get let):
        (get let):

2016-03-24  Saam barati  <sbarati@apple.com>

        Web Inspector: Separate Debugger enable state from the debugger breakpoints enabled state
        https://bugs.webkit.org/show_bug.cgi?id=152193
        <rdar://problem/23867520>

        Reviewed by Joseph Pecoraro.

        When all breakpoints are disabled, we can recompile all JS
        code and remove the necessary debugging code that is emitted.
        This allows for the code that is executing to be almost as fast
        as it is with the debugger completely disabled. This is in preparation for:
        https://bugs.webkit.org/show_bug.cgi?id=155809
        which will introduce a high fidelity profiler. That profiler
        could be built off the principle that breakpoints are disabled
        when we're performing a high fidelity profile. Doing so, for example,
        allows the sampling profiler to better measure the real performance
        of the JS of a particular application.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpointsActivated):
        (JSC::Debugger::setPauseOnExceptionsState):
        * debugger/Debugger.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
        (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::enable):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::queueMicrotask):
        (JSC::JSGlobalObject::hasDebugger):
        (JSC::JSGlobalObject::hasInteractiveDebugger):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        (JSC::JSGlobalObject::hasDebugger): Deleted.

2016-03-24  Michael Saboff  <msaboff@apple.com>

        Create private builtin helper advanceStringIndexUnicode() for use by RegExp builtins
        https://bugs.webkit.org/show_bug.cgi?id=155855

        Reviewed by Mark Lam.

        Moved advanceStringIndexUnicode() as a separate helper.  Added it as a private builtin
        to the GlobalObject like other private builtins.

        * builtins/RegExpPrototype.js:
        (advanceStringIndexUnicode):
        (match):
        (match.advanceStringIndexUnicode): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2016-03-24  Michael Saboff  <msaboff@apple.com>

        [ES6] Add Proxy based tests for RegExp.prototype[@@match]
        https://bugs.webkit.org/show_bug.cgi?id=155807

        Reviewed by Saam Barati.

        Added new test that uses Proxy to verify RegExp.prototype[@@match] processing
        conforms to the ES6 standard

        Modified builtin RegExp.prototype[@@match] to be ES6 spec conformant.

        Updated es6.yaml as Proxy_internal_get_calls_RegExp.prototype[Symbol.match].js now passes.

        * builtins/RegExpPrototype.js:
        (match):
        * tests/es6.yaml: Updated.
        * tests/stress/regexp-match-proxy.js: Added.
        (assert):
        (let.getProxyNullExec.new.Proxy):
        (let.getSetProxyNullExec.new.Proxy):
        (get resetTracking):
        (let.getSetProxyMatches_s.new.Proxy):
        (set get getSetProxyNullExec):
        (let.getSetProxyMatches_tx_Greedy.new.Proxy):
        (set get getSetProxyMatches_s):
        (let.getSetProxyMatchesUnicode_digit_nonGreedy.new.Proxy):
        (set get getSetProxyMatches_tx_Greedy):

2016-03-24  Michael Saboff  <msaboff@apple.com>

        [ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters
        https://bugs.webkit.org/show_bug.cgi?id=155829

        Reviewed by Saam Barati.

        When we backup when matching part of a unicode pattern, we can't just backup one character.
        Instead we need to save our start position before trying to match a character and
        restore the position if the match fails.  This was done in other places, but wasn't
        done for all greedy types.

        Fixed matchGlobal() to properly handle advancing past non BMP characters.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::matchGlobal):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::advanceStringUnicode):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::matchDisjunction):

2016-03-24  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] In some cases, the integer range optimization phase never converges
        https://bugs.webkit.org/show_bug.cgi?id=155828
        rdar://problem/25155460

        Reviewed by Filip Pizlo.

        In certain conditions, the integer range optimization phase continuously
        changes the representation of the same truth, preventing it from
        converging to a stable state.

        The bug starts by having the same ground truth incomming into a block
        in different valid forms. For example, you can have x < 42 coming as:
            1) x < 42
            2) x < 41 + 1
            3) x < 43 - 1

        Having those 3 alone coming from predecessors would be okay, we would
        just accumulate them. The problem is when you have a combination
        of rule that filter out the previously obtained truth, then add a new
        form of the same truth.

        Let's use the test case as an example. We have two incoming blocks:
            Block #1:
              -i < 42
              -i != 41
            Block #2:
              -i < 41
              -i == 42 - 42 (i == 0 refining the rule above).

        Let say that our conditions at head are now [i < 41, i < 42 - 1].

        If we merge block #2:
              -i < 42 and i < 41      -> i < 42
              -i < 42 and i < 42 - 1  -> i < 42
              -i != 41 and i < 41     -> i < 41
              -i != 41 and i < 42 - 1 -> nothing

        The new head is: [i < 41, i < 42]

        If we merge block #1:
              -i < 41 and i < 41       -> i < 41
              -i < 41 and i < 42       -> i < 42
              -i == 42 - 42 and i < 41 -> (i < 41 and i < 42 - 1)
              -i == 42 - 42 and i < 42 -> i < 42

        After filter, we are back to [i < 41, i < 42 - 1].

        There are several variations of this idea where the same truth
        rotate different forms with each merge().

        One possible solution is to make filter() more aggressive
        to avoid the better form occuring at merge(). I'll probably
        do that at some point but that seems fragile since the same
        problem could reappear if merge() is later improved.

        For this patch, I went with a more generic solution after
        merge(): if the generated form is equivalent to one that
        previously existed at head, pick the existing form.

        In the previous example, what happens is we only have
        either [i < 41] or [i < 42 - 1] but never both simultaneously.

        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * tests/stress/integer-range-optimization-constant-representation-1.js: Added.
        * tests/stress/integer-range-optimization-constant-representation-2.js: Added.
        Two variation. One timeout in release because of the additional flags.
        The other is gets more type of run but only assert in debug.

2016-03-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r198582.
        https://bugs.webkit.org/show_bug.cgi?id=155812

        "It broke debugging in the web inspector" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "We should not disable inlining when the debugger is enabled"
        https://bugs.webkit.org/show_bug.cgi?id=155741
        http://trac.webkit.org/changeset/198582

2016-03-23  Michael Saboff  <msaboff@apple.com>

        JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls
        https://bugs.webkit.org/show_bug.cgi?id=155776

        Reviewed by Saam Barati.

        Array.join ends up calling toString, possibly on some object.  Since these calls
        could be effectful and could change the array itself, we can't hold the butterfly
        pointer while making effectful calls.  Changed the code to fall back to the general
        case when an effectful toString() call might be made.

        * runtime/ArrayPrototype.cpp:
        (JSC::join):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::appendWithoutSideEffects): New helper that doesn't make effectful
        toString() calls.
        (JSC::JSStringJoiner::append): Built upon appendWithoutSideEffects.

2016-03-23  Keith Miller  <keith_miller@apple.com>

        Array.prototype native functions' species constructors should work with proxies
        https://bugs.webkit.org/show_bug.cgi?id=155798

        Reviewed by Mark Lam.

        Before native the species constructors were checking if the this value was a JSArray.
        Instead they should look check that the this value returns true on Array.isArray.

        * runtime/ArrayPrototype.cpp:
        (JSC::speciesConstructArray):
        * tests/es6.yaml:
        * tests/stress/proxy-array-prototype-methods.js:

2016-03-23  Saam barati  <sbarati@apple.com>

        We should not disable inlining when the debugger is enabled
        https://bugs.webkit.org/show_bug.cgi?id=155741

        Reviewed by Oliver Hunt.

        We can enable inlining when the debugger is enabled as long
        as we make sure we still jettison the proper CodeBlocks when
        a breakpoint is set. This means that for any optimized CodeBlock,
        we must ask if any of its inlinees contain the breakpoint that
        is being set. If any inlinees do contain the breakpoint, we must
        jettison the machine code block that they are a part of.

        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::applyBreakpoints):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::inliningCost):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled): Deleted.
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2016-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Allow undefined/null for Symbol.search and Symbol.match
        https://bugs.webkit.org/show_bug.cgi?id=155785

        Reviewed by Saam Barati.

        Undefined and null for Symbol.search and Symbol.match properties of the given RegExp (like) object are allowed.
        When they are specified, we go to the fallback path; creating the RegExp with the given object and matching.

        * builtins/StringPrototype.js:
        (match):
        (search):
        * tests/stress/string-symbol-customization.js: Added.
        (shouldBe):
        (shouldThrow):

2016-03-22  Caitlin Potter  <caitp@igalia.com>

        [JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors
        https://bugs.webkit.org/show_bug.cgi?id=155563

        Reviewed by Saam Barati.

        * runtime/JSObject.h:
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):

2016-03-22  Saam Barati  <sbarati@apple.com>

        We should FTL compile code when the debugger is enabled
        https://bugs.webkit.org/show_bug.cgi?id=155740

        Reviewed by Oliver Hunt.

        There was no fundamental reason why we didn't support debugging
        with the FTL. It looks like this was just an oversight. We had
        a Breakpoint node in the DFG that amounted to a nop. By removing
        this node, we now support debugging in the FTL. Anytime a breakpoint
        is set, we will jettison any DFG/FTL CodeBlocks that contain the breakpoint
        that was set.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-03-22  Keith Miller  <keith_miller@apple.com>

        REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html
        https://bugs.webkit.org/show_bug.cgi?id=155067

        Reviewed by Filip Pizlo.

        GCIncommingRefCountedSets need to be finalized before we start
        destructing members of the Heap object. Previously, we would
        clear all our ArrayBuffer objects when the GCIncommingRefCountedSet
        holding them was destroyed. However, ArrayBuffers have a weak
        reference to their wrappers. When we would attempt to destroy the
        ArrayBuffer object we would end up accessing the WeakImpl for
        the weak reference, which had already been freed as we destroyed
        our weak block. The solution to this is to move the old
        GCIncommingRefCountedSet destructor functionality to a new
        function lastChanceToFinalize. This function is called when
        we finalize our other objects on Heap destruction.

        * heap/GCIncomingRefCountedSet.h:
        * heap/GCIncomingRefCountedSetInlines.h:
        (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
        (JSC::GCIncomingRefCountedSet<T>::~GCIncomingRefCountedSet): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):

2016-03-22  Per Arne Vollan  <peavo@outlook.com>

        [Win] [64-bit] Remove MSVC 2013 FMA3 Bug Workaround
        https://bugs.webkit.org/show_bug.cgi?id=141499

        Reviewed by Brent Fulgham.

        As we have moved on to VS2015, this workaround is no longer needed.

        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
        (wWinMain):
        * jsc.cpp:
        (main):
        * testRegExp.cpp:
        (main):

2016-03-22  Michael Saboff  <msaboff@apple.com>

        [ES6] Implement RegExp.prototype[@@match]
        https://bugs.webkit.org/show_bug.cgi?id=155711

        Reviewed by Filip Pizlo.

        Implemented ES6 spec for String.prototype.match and RegExp.prototype[@@match].
        Implemented both as builtins, with String.prototype.match calling 
        RegExp.prototype[@@match].

        For performance reasons, RegExp.prototype[@@match] has a C++ fast path when
        RegExp.prototype.exec has not been overridden.  This fast path,
        RegExpObject::matchGlobal, was taken from the prior StringPrototype::match.
        It only handles global matches.

        Added new test, stress/regexp-match.js.

        Updated various tests for changes exception string and now passing ES6 behavior.

        * CMakeLists.txt: 
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added builtins/RegExpPrototype.js and eliminated RegExpPrototype.lut.h.

        * builtins/RegExpPrototype.js: Added.
        (match.advanceStringIndexUnicode): Helper.
        (match): Implements RegExp.prototype[@@match].
        * builtins/StringPrototype.js:
        (match): Implements String.prototype.match.

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        Added Symbol.match and builtins @match and @exec.

        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::matchGlobal): Added.
        (JSC::RegExpObject::advanceStringUnicode): Added helper.

        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::RegExpPrototype::finishCreation):
        (JSC::RegExpPrototype::visitChildren):
        (JSC::regExpProtoFuncMatchPrivate):
        (JSC::RegExpPrototype::getOwnPropertySlot): Deleted.
        (JSC::RegExpPrototype::create):
        Restructured to create properties explicitly due to having two names for native regExpProtoFuncExec.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        Made match a builtin.
        Removed unused declaration of stringProtoFuncSearch() since it was made a builtin.

        * tests/es6.yaml:
        * tests/stress/regexp-match.js: Added.
        (shouldBe):
        (shouldThrow):
        (errorKey.toString):
        (primitive.of.primitives.shouldThrow):
        (testRegExpMatch):
        (testMatch):
        (testBoth):
        (alwaysUnmatch):

2016-03-22  Caitlin Potter  <caitp@igalia.com>

        [JSC] allow duplicate property names returned from Proxy ownKeys() trap
        https://bugs.webkit.org/show_bug.cgi?id=155560

        Reviewed by Darin Adler.

        Specification allows duplicate property names to be reported by the
        Proxy ownKeys() trap --- and this is observable in any API which
        operates on the returned list, such as Object.keys(),
        Object.getOwnPropertyNames(), Object.getOwnPropertySymbols(), or
        Object.getOwnPropertyDescriptors().

        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::addKnownUnique): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2016-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up Math.floor thunk and use SSE round instruction
        https://bugs.webkit.org/show_bug.cgi?id=155705

        Reviewed by Geoffrey Garen.

        SSE now allow us to use round instruction to implement Math.floor.
        MacroAssembler's floorDouble is now only used in ARM64, but it can be allowed in x86 SSE.

        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):

2016-03-21  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation with GCC 4.8.
        https://bugs.webkit.org/show_bug.cgi?id=155698

        Reviewed by Alexey Proskuryakov.

        GCC 4.8 does not allow aggregate initialization for type with deleted
        constructor, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52707.

        * dfg/DFGCSEPhase.cpp: Added ctor for ImpureDataSlot.

2016-03-21  Joonghun Park  <jh718.park@samsung.com>

        [JSC] Add ArrayBuffer::tryCreate and change the callsites where it is needed
        https://bugs.webkit.org/show_bug.cgi?id=155328

        Reviewed by Darin Adler.

        * API/JSTypedArray.cpp:
        (JSObjectMakeTypedArray):
        (JSObjectMakeArrayBufferWithBytesNoCopy):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::create):
        (JSC::ArrayBuffer::tryCreate):
        (JSC::ArrayBuffer::createUninitialized):
        (JSC::ArrayBuffer::tryCreateUninitialized):
        (JSC::ArrayBuffer::createInternal):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):

2016-03-20  Dan Bernstein  <mitz@apple.com>

        [Mac] Determine TARGET_MAC_OS_X_VERSION_MAJOR from MACOSX_DEPLOYMENT_TARGET rather than from MAC_OS_X_VERSION_MAJOR
        https://bugs.webkit.org/show_bug.cgi?id=155707
        <rdar://problem/24980691>

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig: Set TARGET_MAC_OS_X_VERSION_MAJOR based on the last
          component of MACOSX_DEPLOYMENT_TARGET.
        * Configurations/DebugRelease.xcconfig: For engineering builds, preserve the behavior of
          TARGET_MAC_OS_X_VERSION_MAJOR being the host’s OS version.

2016-03-20  Michael Saboff  <msaboff@apple.com>

        Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
        https://bugs.webkit.org/show_bug.cgi?id=155679

        Reviewed by Saam Barati.

        Allocate out of line storage based on what the structure says it needs
        in JSArray::tryCreateUninitialized.

        * runtime/JSArray.h:
        (JSC::JSArray::tryCreateUninitialized):

2016-03-20  Joseph Pecoraro  <pecoraro@apple.com>

        Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
        https://bugs.webkit.org/show_bug.cgi?id=155678
        <rdar://problem/25251439>

        Reviewed by Filip Pizlo.

        This fixes a crash that we saw with GuardMalloc. If the Plan was
        Cancelled it may not be safe to access the VM. If the Plan was
        cancelled we are just going to bail anyways, so keep the ASSERT but
        short-circuit if the plan was Cancelled.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::runThread):

2016-03-20  Dan Bernstein  <mitz@apple.com>

        Update build settings

        Rubber-stamped by Andy Estes.

        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2016-03-19  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable
        https://bugs.webkit.org/show_bug.cgi?id=155491

        Reviewed by Saam Barati.

        Current message 'super is only valid inside of funcitons' is not correct 
        after patch for https://bugs.webkit.org/show_bug.cgi?id=153864 because 
        it is allow to use 'super' in eval. Current patch replace old message by
        'Super is only valid inside functions or 'eval' inside a function' and 
        fix tests that rely on this message.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * tests/stress/generator-with-super.js:
        (shouldThrow):
        * tests/stress/modules-syntax-error.js:
        * tests/stress/super-in-lexical-scope.js:
        * tests/stress/tagged-templates-syntax.js:

2016-03-19  Mark Lam  <mark.lam@apple.com>

        ES6 spec requires that ErrorPrototype not be an Error object.
        https://bugs.webkit.org/show_bug.cgi?id=155680

        Reviewed by Michael Saboff.

        The ES6 spec states that Error.prototype should not be an instance of Error:
        https://tc39.github.io/ecma262/#sec-properties-of-the-error-prototype-object

        "The Error prototype object is an ordinary object. It is not an Error instance
        and does not have an [[ErrorData]] internal slot."

        This patch changes ErrorPrototype to conform to the above specification.

        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::finishCreation):
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):

        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        - updated to no longer need a JSGlobalObject argument.

        * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
        - updated to match the kangax version of this test.