Unreviewed, fix cloop some more.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop some more.

        * runtime/RegExpInlines.h:
        (JSC::RegExp::hasCodeFor):
        (JSC::RegExp::hasMatchOnlyCodeFor):

2016-04-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * jit/CCallHelpers.cpp:

2016-03-18  Filip Pizlo  <fpizlo@apple.com>

        JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
        https://bugs.webkit.org/show_bug.cgi?id=155598

        Reviewed by Saam Barati.

        JSC is the first JSVM to have proper tail calls. This means that error.stack and the
        debugger will appear to "delete" strict mode stack frames, if the call that this frame made
        was in tail position. This is exactly what functional programmers expect - they don't want
        the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
        using tail calls. It's also something that non-functional programmers fear. It's not clear
        that tail-deleted frames would actually degrade the debugging experience, but the fear is
        real, so it's worthwhile to do something about it.

        It turns out that there is at least one tail call implementation that doesn't suffer from
        this problem. It implements proper tail calls in the sense that you won't run out of memory
        by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
        long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
        favorite hacks:

        http://www.more-magic.net/posts/internals-gc.html

        CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
        one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
        frame only once we proved that there was insufficient memory to keep it around.

        CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
        can have arbitrary native code, and that native code does not have relocatable stack frames.

        But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
        VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
        information. The shadow stack can be reshaped, moved, etc., since the VM tightly controls its
        layout. The main stack can then continue to obey ABI rules.

        This patch implements a mechanism for being able to display stack traces that include
        tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
        frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
        This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.

        ShadowChicken is always on, but individual CodeBlocks may make their own choices about
        whether to opt into it. They will do that at bytecompile time based on the debugger mode on
        their global object.

        When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
        in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
        minor.

        When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
        this all the time, but it's low enough to justify enabling in the Inspector. It's currently
        enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
        debugger is on.

        Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
        no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
        disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
        hacked to do it yet. Native frames fall into this category, as do the VM entry frames.

        This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
        just makes a ShadowChicken stack walk function available to jsc. It's used from the
        shadow-chicken tests.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::BacktraceFunctor):
        (BacktraceFunctor::operator()):
        (JSContextCreateBacktrace):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
        (JSC::RecursionCheckFunctor::operator()):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
        (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator()):
        (JSC::LineAndColumnFunctor::column):
        (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
        (JSC::FindCallerMidStackFunctor::operator()):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::visitShadowChicken):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::collectImpl):
        * heap/Heap.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStack):
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::GetCatchHandlerFunctor::handler):
        (JSC::GetCatchHandlerFunctor::operator()):
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
        * interpreter/ShadowChicken.cpp: Added.
        (JSC::ShadowChicken::Packet::dump):
        (JSC::ShadowChicken::Frame::dump):
        (JSC::ShadowChicken::ShadowChicken):
        (JSC::ShadowChicken::~ShadowChicken):
        (JSC::ShadowChicken::log):
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::visitChildren):
        (JSC::ShadowChicken::reset):
        (JSC::ShadowChicken::dump):
        (JSC::ShadowChicken::functionsOnStack):
        * interpreter/ShadowChicken.h: Added.
        (JSC::ShadowChicken::Packet::Packet):
        (JSC::ShadowChicken::Packet::tailMarker):
        (JSC::ShadowChicken::Packet::throwMarker):
        (JSC::ShadowChicken::Packet::prologue):
        (JSC::ShadowChicken::Packet::tail):
        (JSC::ShadowChicken::Packet::throwPacket):
        (JSC::ShadowChicken::Packet::operator bool):
        (JSC::ShadowChicken::Packet::isPrologue):
        (JSC::ShadowChicken::Packet::isTail):
        (JSC::ShadowChicken::Packet::isThrow):
        (JSC::ShadowChicken::Frame::Frame):
        (JSC::ShadowChicken::Frame::operator==):
        (JSC::ShadowChicken::Frame::operator!=):
        (JSC::ShadowChicken::log):
        (JSC::ShadowChicken::logSize):
        (JSC::ShadowChicken::addressOfLogCursor):
        (JSC::ShadowChicken::logEnd):
        * interpreter/ShadowChickenInlines.h: Added.
        (JSC::ShadowChicken::iterate):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callee):
        (JSC::StackVisitor::Frame::codeBlock):
        (JSC::StackVisitor::Frame::bytecodeOffset):
        (JSC::StackVisitor::Frame::inlineCallFrame):
        (JSC::StackVisitor::Frame::isJSFrame):
        (JSC::StackVisitor::Frame::isInlinedFrame):
        (JSC::StackVisitor::visit):
        * jit/CCallHelpers.cpp: Added.
        (JSC::CCallHelpers::logShadowChickenProloguePacket):
        (JSC::CCallHelpers::logShadowChickenTailPacket):
        (JSC::CCallHelpers::setupShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resume):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
        (FunctionJSCStackFunctor::operator()):
        (functionClearSamplingFlags):
        (functionShadowChickenFunctionsOnStack):
        (functionReadline):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        * runtime/Error.cpp:
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::result):
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::result):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::result):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        * runtime/NullSetterFunction.cpp:
        (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
        (JSC::GetCallerStrictnessFunctor::operator()):
        (JSC::GetCallerStrictnessFunctor::callerIsStrict):
        (JSC::callerIsStrict):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        * runtime/VM.h:
        (JSC::VM::shouldBuilderPCToCodeOriginMapping):
        (JSC::VM::bytecodeIntrinsicRegistry):
        (JSC::VM::shadowChicken):
        * tests/stress/resources/shadow-chicken-support.js: Added.
        (describeFunction):
        (describeArray):
        (expectStack):
        (initialize):
        * tests/stress/shadow-chicken-disabled.js: Added.
        (test1.foo):
        (test1.bar):
        (test1.baz):
        (test1):
        (test2.foo):
        (test2.bar):
        (test2.baz):
        (test2):
        (test3.foo):
        (test3.bar):
        (test3.baz):
        (test3):
        * tests/stress/shadow-chicken-enabled.js: Added.
        (test1.foo):
        (test1.bar):
        (test1.baz):
        (test1):
        (test2.foo):
        (test2.bar):
        (test2.baz):
        (test2):
        (test3.bob):
        (test3.thingy):
        (test3.foo):
        (test3.bar):
        (test3.baz):
        (test3):
        (test4.bob):
        (test4.thingy):
        (test4.foo):
        (test4.bar):
        (test4.baz):
        (test4):
        (test5.foo):
        (test5):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator()):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator()):
        (JSC::JSDollarVMPrototype::isValidCell):
        (JSC::JSDollarVMPrototype::isValidCodeBlock):
        (JSC::JSDollarVMPrototype::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator()):
        (JSC::printCallFrame):
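
        A toy model of the shadow-stack scheme the entry above describes, added here as an
        illustration and not JSC's own ShadowChicken code: logged packets are replayed onto a
        shadow stack, a tail call marks the caller's shadow frame as tail-deleted instead of
        popping it, and once the shadow stack grows past a cap only tail-deleted frames are
        collected, oldest first. The Packet, Frame, ShadowStack and runScenario names, the
        frame cap standing in for "insufficient memory", and the main/foo/bar/baz scenario
        are all constructed for this example.

```cpp
// Toy model of a CHICKEN-style shadow stack (constructed illustration,
// not JSC's ShadowChicken). Every name below is invented for this example.
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// What instrumented code would log: a prologue when a frame is entered, a tail
// marker when the current frame calls in tail position, a return when it exits.
struct Packet {
    enum class Kind { Prologue, Tail, Return };
    Kind kind;
    std::string callee; // only meaningful for Prologue

    static Packet prologue(std::string callee) { return {Kind::Prologue, std::move(callee)}; }
    static Packet tail() { return {Kind::Tail, {}}; }
    static Packet ret() { return {Kind::Return, {}}; }
};

struct Frame {
    std::string callee;
    bool tailDeleted; // machine frame is gone; shadow frame kept for backtraces
};

class ShadowStack {
public:
    // maxFrames plays the role of "insufficient memory": above it, tail-deleted
    // frames are collected, oldest first. Live frames are never dropped.
    explicit ShadowStack(std::size_t maxFrames) : m_maxFrames(maxFrames) {}

    void log(Packet packet) { m_log.push_back(std::move(packet)); }

    // Replay the log onto the shadow stack, then discard the log.
    void update() {
        for (const Packet& packet : m_log) {
            switch (packet.kind) {
            case Packet::Kind::Prologue:
                m_stack.push_back(Frame{packet.callee, false});
                break;
            case Packet::Kind::Tail:
                // The caller's machine frame is about to be reused by the callee,
                // but its shadow frame stays, flagged so a backtrace can show it.
                if (!m_stack.empty())
                    m_stack.back().tailDeleted = true;
                break;
            case Packet::Kind::Return:
                // Returning from the live frame also retires every tail-deleted
                // frame directly beneath it: they all shared one machine frame.
                if (!m_stack.empty())
                    m_stack.pop_back();
                while (!m_stack.empty() && m_stack.back().tailDeleted)
                    m_stack.pop_back();
                break;
            }
            collectIfTooBig();
        }
        m_log.clear();
    }

    // Top-first listing, the shape a backtrace would print.
    std::vector<std::string> functionsOnStack() const {
        std::vector<std::string> result;
        for (auto it = m_stack.rbegin(); it != m_stack.rend(); ++it)
            result.push_back(it->tailDeleted ? it->callee + " [tail-deleted]" : it->callee);
        return result;
    }

private:
    void collectIfTooBig() {
        while (m_stack.size() > m_maxFrames) {
            auto victim = std::find_if(m_stack.begin(), m_stack.end(),
                                       [](const Frame& f) { return f.tailDeleted; });
            if (victim == m_stack.end())
                return; // only live frames left; nothing is collectable
            m_stack.erase(victim);
        }
    }

    std::size_t m_maxFrames;
    std::vector<Packet> m_log;
    std::vector<Frame> m_stack;
};

// Constructed scenario: main calls foo, foo tail-calls bar, bar tail-calls baz.
// Returns the backtrace seen inside baz, or after baz has returned to main.
// With a cap of 10 and no return: baz, bar [tail-deleted], foo [tail-deleted], main.
// With a cap of 3: foo is collected, leaving baz, bar [tail-deleted], main.
std::vector<std::string> runScenario(std::size_t maxFrames, bool returnFromBaz) {
    ShadowStack stack(maxFrames);
    stack.log(Packet::prologue("main"));
    stack.log(Packet::prologue("foo"));
    stack.log(Packet::tail());            // foo's machine frame becomes bar's
    stack.log(Packet::prologue("bar"));
    stack.log(Packet::tail());            // bar's machine frame becomes baz's
    stack.log(Packet::prologue("baz"));
    if (returnFromBaz)
        stack.log(Packet::ret());         // drops baz plus both tail-deleted frames
    stack.update();
    return stack.functionsOnStack();
}
```

        Frames that log nothing (the native and VM-entry frames the entry mentions) are outside
        this model; the real implementation reconciles the shadow stack against the machine stack to
        tolerate them.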

2016-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
        https://bugs.webkit.org/show_bug.cgi?id=155270

        Reviewed by Saam Barati.

        This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.

        It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
        strings gave the DFG an API for reasoning about JSString constants in terms of
        JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
        based on the results.

        But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
        use the same Structure that the code would have used or else we'll pollute the program's
        inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
        properties in one go - we don't want to lose that optimization. So, this patch enables
        MaterializeNewObject to allocate objects or arrays with any number of indexed or named
        properties. Previously it could only handle objects (but not arrays) and named properties
        (but not indexed ones).

        This also adds a few minor things for setting the RegExpConstructor cached result.

        This is about a 2x speed-up on microbenchmarks when we fold a match success and about an
        8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.cpp:
        (JSC::DFG::InsertionSet::insertSlow):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertCheck):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetString):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::StackAccessData::flushedAt):
        (JSC::DFG::OpInfo::OpInfo): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGObjectMaterializationData.cpp:
        (JSC::DFG::ObjectMaterializationData::dump):
        (JSC::DFG::PhantomPropertyValue::dump): Deleted.
        (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
        (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
        * dfg/DFGObjectMaterializationData.h:
        (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
        (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
        * dfg/DFGOpInfo.h: Added.
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
        (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateCPS):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationNewObjectWithButterfly): Deleted.
        * ftl/FTLOperations.h:
        * inspector/ContentSearchUtilities.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::createRawObject):
        (JSC::JSFinalObject::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::deleteCode):
        * runtime/RegExp.h:
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::offsetOfLastRegExp):
        (JSC::RegExpCachedResult::offsetOfLastInput):
        (JSC::RegExpCachedResult::offsetOfResult):
        (JSC::RegExpCachedResult::offsetOfReified):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::offsetOfCachedResult):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::hasCodeFor):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::matchInline):
        (JSC::RegExp::hasMatchOnlyCodeFor):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferencesInline):
        (JSC::substituteBackreferences):
        (JSC::StringRange::StringRange):
        * runtime/StringPrototype.h:
        * runtime/VM.h:
        * tests/stress/simple-regexp-exec-folding-fail.js: Added.
        (foo):
        * tests/stress/simple-regexp-exec-folding.js: Added.
        (foo):
        * tests/stress/simple-regexp-test-folding-fail.js: Added.
        (foo):
        * tests/stress/simple-regexp-test-folding.js: Added.
        (foo):
        * yarr/RegularExpression.cpp:
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::interpret):
        (JSC::Yarr::ByteCompiler::ByteCompiler):
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::checkInput):
        (JSC::Yarr::byteCompile):
        (JSC::Yarr::interpret):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):

2016-04-05  Keith Miller  <keith_miller@apple.com>

        We should support the ability to do a non-effectful getById
        https://bugs.webkit.org/show_bug.cgi?id=156116

        Reviewed by Benjamin Poulain.

        Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
        useful because it enables us to take different code paths based on values that we would
        otherwise not be able to have knowledge of. This patch adds this new feature called
        try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
        an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
        GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
        undefined if the slot is unset. If the slot is proxied, or in any other case, then the result
        is null. In theory, if we ever wanted to check for null we could add a sentinel object to
        the global object that indicates we could not get the result.

        In order to implement this feature we add a new enum GetByIdKind that indicates what to do
        for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
        get_by_id the same way we would for load and return the value at the appropriate offset.
        Additionally, in order to make sure that we can properly compare the GetterSetter object
        with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
        GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
        likely to have little to no impact on memory usage as normal accessors are generally rare.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createExecutableInternal): Deleted.
        * builtins/BuiltinExecutables.h:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::tryGet):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet): Deleted.
        (JSC::AccessCase::isPut): Deleted.
        (JSC::AccessCase::isIn): Deleted.
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitTryGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::resetGetByID):
        * jit/Repatch.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetGetterSetter):
        (functionCreateBuiltin):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSType.h:
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::getPureResult):
        * runtime/PropertySlot.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        * tests/stress/try-get-by-id.js: Added.
        (tryGetByIdText):
        (getCaller.obj.1.throw.new.Error.let.func):
        (getCaller.obj.1.throw.new.Error):
        (throw.new.Error.get let):
        (throw.new.Error.):
        (throw.new.Error.let.get createBuiltin):
        (get let):
        (let.get createBuiltin):
        (let.func):
        (get let.func):
        (get throw):

2016-04-05  Saam Barati  <sbarati@apple.com>

        jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
        https://bugs.webkit.org/show_bug.cgi?id=156187

        Reviewed by Filip Pizlo.

        This is a speculative fix. Let's see if this prevents the timeout.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):

2016-04-04  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess should have a MegamorphicLoad case
        https://bugs.webkit.org/show_bug.cgi?id=156182

        Reviewed by Geoffrey Garen and Keith Miller.

        This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
        the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
        calling into C++ to do the same job - particularly since inlining the lookup into an access means
        that we can precompute the hash code.

        When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
        optimal. It used a double-hashing method for reducing collision pathologies. This is great for
        improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
        want to optimize the average-case performance. When optimizing for average-case, we can choose to
        either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
        worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
        probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
        pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
        likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
        the fast case.

        I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
        this preserves the good performance of the fast case. It requires at least one more value to be live
        around the loop, and dramatically increases the register pressure at key points inside the loop. The
        biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
        the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
        then we will pay a steep price anytime we take the second iteration around the loop; but if the
        compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
        some architectures (I performed biological register allocation and found that I needed 9 registers
        for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
        be better off).

        Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
        on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.

        There are some other small changes in this patch, like rationalizing the IC's choice between giving
665         up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
666         try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
667         choose between those options, but we weren't fully taking advantage of it because the
668         regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
669         sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
670         this is all made explicit. I wanted to make sure this change happened in this patch since the
671         MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
672         this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
673         that the rules for giving up were something that made sense to me.
674         
675         This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
676         speed-up for page loading, because many real websites like to have megamorphic property accesses.
677
678         * bytecode/PolymorphicAccess.cpp:
679         (JSC::AccessGenerationResult::dump):
680         (JSC::AccessGenerationState::addWatchpoint):
681         (JSC::AccessCase::get):
682         (JSC::AccessCase::megamorphicLoad):
683         (JSC::AccessCase::replace):
684         (JSC::AccessCase::guardedByStructureCheck):
685         (JSC::AccessCase::couldStillSucceed):
686         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
687         (JSC::AccessCase::canReplace):
688         (JSC::AccessCase::generateWithGuard):
689         (JSC::AccessCase::generate):
690         (JSC::PolymorphicAccess::PolymorphicAccess):
691         (JSC::PolymorphicAccess::~PolymorphicAccess):
692         (JSC::PolymorphicAccess::regenerateWithCases):
693         (JSC::PolymorphicAccess::regenerateWithCase):
694         (WTF::printInternal):
695         * bytecode/PolymorphicAccess.h:
696         (JSC::AccessCase::isGet):
697         (JSC::AccessCase::isPut):
698         (JSC::AccessCase::isIn):
699         (JSC::AccessGenerationResult::AccessGenerationResult):
700         (JSC::AccessGenerationResult::operator==):
701         (JSC::AccessGenerationResult::operator!=):
702         (JSC::AccessGenerationResult::operator bool):
703         (JSC::AccessGenerationResult::kind):
704         (JSC::AccessGenerationResult::code):
705         (JSC::AccessGenerationResult::madeNoChanges):
706         (JSC::AccessGenerationResult::gaveUp):
707         (JSC::AccessGenerationResult::generatedNewCode):
708         (JSC::PolymorphicAccess::isEmpty):
709         (JSC::AccessGenerationState::AccessGenerationState):
710         * bytecode/StructureStubInfo.cpp:
711         (JSC::StructureStubInfo::aboutToDie):
712         (JSC::StructureStubInfo::addAccessCase):
713         * bytecode/StructureStubInfo.h:
714         * jit/AssemblyHelpers.cpp:
715         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
716         (JSC::AssemblyHelpers::loadProperty):
717         (JSC::emitRandomThunkImpl):
718         (JSC::AssemblyHelpers::emitRandomThunk):
719         (JSC::AssemblyHelpers::emitLoadStructure):
720         * jit/AssemblyHelpers.h:
721         (JSC::AssemblyHelpers::loadValue):
722         (JSC::AssemblyHelpers::moveValueRegs):
723         (JSC::AssemblyHelpers::argumentsStart):
724         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
725         (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
726         * jit/GPRInfo.cpp:
727         (JSC::JSValueRegs::dump):
728         * jit/GPRInfo.h:
729         (JSC::JSValueRegs::uses):
730         * jit/Repatch.cpp:
731         (JSC::replaceWithJump):
732         (JSC::tryCacheGetByID):
733         (JSC::tryCachePutByID):
734         (JSC::tryRepatchIn):
735         * jit/ThunkGenerators.cpp:
736         (JSC::virtualThunkFor):
737         * runtime/Options.h:
738         * runtime/PropertyMapHashTable.h:
739         (JSC::PropertyTable::begin):
740         (JSC::PropertyTable::find):
741         (JSC::PropertyTable::get):
742         * runtime/Structure.h:
743
744 2016-04-05  Antoine Quint  <graouts@apple.com>
745
746         [WebGL2] Turn the ENABLE_WEBGL2 flag on
747         https://bugs.webkit.org/show_bug.cgi?id=156061
748         <rdar://problem/25463193>
749
750         Reviewed by Alex Christensen.
751
752         * Configurations/FeatureDefines.xcconfig:
753         * runtime/CommonIdentifiers.h:
754
755         Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject. 
756
757 2016-04-04  Zan Dobersek  <zdobersek@igalia.com>
758
759         Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
760         https://bugs.webkit.org/show_bug.cgi?id=156161
761
762         Reviewed by Yusuke Suzuki.
763
764         r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
765         that handle arguments split into the tag and the payload. The two were split
766         between the last argument register and the stack on 32-bit ARM EABI systems,
767         causing incorrect behavior.
768
769         Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
770         stack, removing the issue.
771
772         * dfg/DFGSpeculativeJIT.h:
773         (JSC::DFG::SpeculativeJIT::callOperation):
774
775 2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>
776
777         Avoid copying ModuleLoaderObject.js to resources bundle
778         https://bugs.webkit.org/show_bug.cgi?id=156188
779         <rdar://problem/25534383>
780
781         Reviewed by Alexey Proskuryakov.
782
783         * JavaScriptCore.xcodeproj/project.pbxproj:
784
785 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
786
787         Unreviewed, rolling out r199016.
788         https://bugs.webkit.org/show_bug.cgi?id=156140
789
790         "Regressed Octane and Kraken on the perf bots."
791
792         Reverted changeset:
793
794         CopiedBlock should be 16kB
795         https://bugs.webkit.org/show_bug.cgi?id=156168
796         http://trac.webkit.org/changeset/199016
797
798 2016-04-04  Benjamin Poulain  <bpoulain@apple.com>
799
800         [JSC][x86] Fix an assertion in MacroAssembler::branch8()
801         https://bugs.webkit.org/show_bug.cgi?id=156181
802
803         Reviewed by Geoffrey Garen.
804
805         * assembler/MacroAssemblerX86Common.h:
806         (JSC::MacroAssemblerX86Common::branch8):
807         The test was wrong because valid negative numbers have ones
808         in the top bits.
809
810         I replaced the assertion to be explicit about the valid range.
811
812 2016-04-04  Chris Dumez  <cdumez@apple.com>
813
814         Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
815         https://bugs.webkit.org/show_bug.cgi?id=156136
816         <rdar://problem/25410767>
817
818         Reviewed by Ryosuke Niwa.
819
820         Add a few more identifiers for using in the generated bindings.
821
822         * runtime/CommonIdentifiers.h:
823
824 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
825
826         CopiedBlock should be 16kB
827         https://bugs.webkit.org/show_bug.cgi?id=156168
828
829         Reviewed by Mark Lam.
830
831         MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
832         and the largest page size on Apple devices is 16kB -- so this change
833         should improve sharing and recycling and keep us on the fast path more.
834
835         32kB is also super aggro. At 16kB, we support allocations up to 8kB,
836         which covers 99.3% of allocations on facebook.com. The 32kB block size
837         only covered an additional 0.2% of allocations.
838
839         * heap/CopiedBlock.h:
840
841 2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>
842
843         REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
844         https://bugs.webkit.org/show_bug.cgi?id=155745
845         <rdar://problem/25289456>
846
847         Reviewed by Brian Burg.
848
849         The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
850         enum_constant_values array for every framework that has enum values. So, in the case of the GTK port we have two
851         implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
852         using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
853         is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
854         the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
855         can use a specific namespace for the enum conversion methods.
856
857         * inspector/agents/InspectorDebuggerAgent.cpp:
858         (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
859         * inspector/scripts/codegen/cpp_generator.py:
860         (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
861         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
862         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
863         CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
864         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
865         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
866         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
867         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
868         (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
869         (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
870         conversion methods are declared inside the helpers namespace.
871         (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
872         using getEnumConstantValue().
873         (_generate_unchecked_setter_for_member): Ditto.
874         (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
875         empty list in case of not emitting any code. The caller will use extend(), which has no effect when an empty list
876         is passed.
877         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
878         (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
879         mapping and conversion methods inside the helpers namespace.
880         (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
881         can return an empty list in case of not emitting any code.
882         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
883         code when there are enum values, and it's generated inside the helpers namespace.
884         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
885         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
886         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
887         * inspector/scripts/tests/expected/enum-values.json-result:
888         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
889         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
890         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
891         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
892         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
893         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
894         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
895         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
896         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
897
898 2016-04-04  Csaba Osztrogonác  <ossy@webkit.org>
899
900         Unreviewed ARM buildfix after r198981.
901
902         * assembler/MacroAssemblerARM.h:
903         (JSC::MacroAssemblerARM::roundTowardZeroDouble):
904
905 2016-04-03  Saam barati  <sbarati@apple.com>
906
907         Implement Annex B.3.3 function hoisting rules for function code
908         https://bugs.webkit.org/show_bug.cgi?id=155672
909
910         Reviewed by Geoffrey Garen.
911
912         The spec states that functions declared inside a function
913         inside a block scope are subject to the rules of Annex B.3.3:
914         https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics
915
916         The rule states that functions declared in such blocks should
917         be local bindings of the block. If declaring the function's name
918         as a "var" in the function would not lead to a syntax error (i.e.,
919         if we don't have a let/const/class variable with the same name)
920         and if we don't have a parameter with the same name, then we
921         implicitly also declare the function name as a "var". When evaluating
922         the block statement we bind the hoisted "var" to be the value
923         of the local function binding.
924
925         There is one more thing we do for web compatibility. We allow
926         function declarations inside if/else statements that aren't
927         blocks. For such statements, we transform the code as if the
928         function were declared inside a block statement. For example:
929         ``` function foo() { if (cond) function baz() { } }```
930         is transformed into:
931         ``` function foo() { if (cond) { function baz() { } } }```
932
933         * bytecompiler/BytecodeGenerator.cpp:
934         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
935         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
936         * bytecompiler/BytecodeGenerator.h:
937         * parser/Nodes.cpp:
938         (JSC::ScopeNode::ScopeNode):
939         (JSC::ProgramNode::ProgramNode):
940         (JSC::ModuleProgramNode::ModuleProgramNode):
941         (JSC::EvalNode::EvalNode):
942         (JSC::FunctionNode::FunctionNode):
943         * parser/Nodes.h:
944         (JSC::ScopeNode::hasCapturedVariables):
945         (JSC::ScopeNode::captures):
946         (JSC::ScopeNode::hasSloppyModeHoistedFunction):
947         (JSC::ScopeNode::varDeclarations):
948         (JSC::ProgramNode::startColumn):
949         (JSC::ProgramNode::endColumn):
950         (JSC::EvalNode::startColumn):
951         (JSC::EvalNode::endColumn):
952         (JSC::ModuleProgramNode::startColumn):
953         (JSC::ModuleProgramNode::endColumn):
954         * parser/Parser.cpp:
955         (JSC::Parser<LexerType>::Parser):
956         (JSC::Parser<LexerType>::parseInner):
957         (JSC::Parser<LexerType>::didFinishParsing):
958         (JSC::Parser<LexerType>::parseStatement):
959         (JSC::Parser<LexerType>::parseIfStatement):
960         * parser/Parser.h:
961         (JSC::Scope::declareVariable):
962         (JSC::Scope::declareFunction):
963         (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
964         (JSC::Scope::appendFunction):
965         (JSC::Scope::declareParameter):
966         (JSC::Scope::mergeInnerArrowFunctionFeatures):
967         (JSC::Scope::getSloppyModeHoistedFunctions):
968         (JSC::Scope::getCapturedVars):
969         (JSC::ScopeRef::containingScope):
970         (JSC::ScopeRef::operator==):
971         (JSC::ScopeRef::operator!=):
972         (JSC::Parser::declareFunction):
973         (JSC::Parser::hasDeclaredVariable):
974         (JSC::Parser::isFunctionMetadataNode):
975         (JSC::Parser::DepthManager::DepthManager):
976         (JSC::Parser<LexerType>::parse):
977         * parser/VariableEnvironment.h:
978         (JSC::VariableEnvironmentEntry::isImported):
979         (JSC::VariableEnvironmentEntry::isImportedNamespace):
980         (JSC::VariableEnvironmentEntry::isFunction):
981         (JSC::VariableEnvironmentEntry::isParameter):
982         (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
983         (JSC::VariableEnvironmentEntry::setIsCaptured):
984         (JSC::VariableEnvironmentEntry::setIsConst):
985         (JSC::VariableEnvironmentEntry::setIsImported):
986         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
987         (JSC::VariableEnvironmentEntry::setIsFunction):
988         (JSC::VariableEnvironmentEntry::setIsParameter):
989         (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
990         (JSC::VariableEnvironmentEntry::clearIsVar):
991         * runtime/CodeCache.h:
992         (JSC::SourceCodeValue::SourceCodeValue):
993         * runtime/JSScope.cpp:
994         * runtime/JSScope.h:
995         * tests/es6.yaml:
996         * tests/stress/sloppy-mode-function-hoisting.js: Added.
997         (assert):
998         (test):
999         (falsey):
1000         (truthy):
1001         (test.):
1002         (test.a):
1003         (test.f):
1004         (test.let.funcs.f):
1005         (test.catch.f):
1006         (test.foo):
1007         (test.bar):
1008         (test.switch.case.0):
1009         (test.else.f):
1010         (test.b):
1011         (test.c):
1012         (test.d):
1013         (test.e):
1014         (test.g):
1015         (test.h):
1016         (test.i):
1017         (test.j):
1018         (test.k):
1019         (test.l):
1020         (test.m):
1021         (test.n):
1022         (test.o):
1023         (test.p):
1024         (test.q):
1025         (test.r):
1026         (test.s):
1027         (test.t):
1028         (test.u):
1029         (test.v):
1030         (test.w):
1031         (test.x):
1032         (test.y):
1033         (test.z):
1034         (foo):
1035         (bar):
1036         (falsey.bar):
1037         (baz):
1038         (falsey.baz):
1039
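The hoisting rules described in the entry above, observed from JavaScript as an added example (not code from the WebKit patch or its test file). Each case is compiled with `new Function` so its body always runs as sloppy-mode code, since Annex B.3.3 does not apply in strict mode; the helper and case names are this example's own.

```javascript
// Added example, not code from the WebKit patch: observing the Annex B.3.3
// rules from JavaScript. `new Function` bodies are sloppy mode regardless of
// the mode of the enclosing file, which is what these rules require.
function sloppy(params, body) {
    return new Function(...params, body);
}

// Case 1: no let/const/class or parameter named `baz`, so `var baz` would be
// legal and the function is hoisted to a var as well. Before the block runs
// the var exists but is undefined; evaluating the block copies the block-local
// function into it.
const hoistedFromBlock = sloppy([], `
    var before = typeof baz;
    { function baz() { return "block"; } }
    var after = typeof baz;
    return [before, after, baz()];
`);

// Case 2: a `let` with the same name would make `var baz` a SyntaxError, so
// `baz` stays local to the block and the outer binding is untouched.
const blockedByLet = sloppy([], `
    let baz = "let";
    { function baz() { return "block"; } }
    return baz;
`);

// Case 3: a parameter with the same name also suppresses the var hoisting.
const blockedByParameter = sloppy(["baz"], `
    { function baz() { return "block"; } }
    return baz;
`);

// Case 4: a function declaration as the direct body of an `if` is treated as
// if it were wrapped in a block: the var is hoisted, but it is only assigned
// when the branch actually executes.
const hoistedFromIf = sloppy(["cond"], `
    var before = typeof baz;
    if (cond) function baz() { return "if"; }
    return [before, typeof baz];
`);

// Runs all four cases and returns their observable results.
function annexBResults() {
    return {
        hoistedFromBlock: hoistedFromBlock(),          // ["undefined", "function", "block"]
        blockedByLet: blockedByLet(),                  // "let"
        blockedByParameter: blockedByParameter("arg"), // "arg"
        ifTaken: hoistedFromIf(true),                  // ["undefined", "function"]
        ifNotTaken: hoistedFromIf(false),              // ["undefined", "undefined"]
    };
}
```
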
1040 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1041
1042         Unreviewed, turn ES6 for-in loop test success
1043         https://bugs.webkit.org/show_bug.cgi?id=155451
1044
1045         * tests/es6.yaml:
1046
1047 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1048
1049         [JSC] Add truncate operation (rounding to zero)
1050         https://bugs.webkit.org/show_bug.cgi?id=156072
1051
1052         Reviewed by Saam Barati.
1053
1054         Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
1055         In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
1056         ArithTrunc rounds the value towards zero.
1057
1058         And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
1059         This is completely the same as what we do in JSValue::toInteger.
1060
1061         Since DFG recognizes it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
1062         This is useful because almost all the arguments are Int32 in the @toLength -> @toInteger -> @trunc case.
1063         In such cases, we can eliminate the trunc() call.
1064
1065         As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
1066         In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.
1067
1068         * assembler/MacroAssemblerARM64.h:
1069         (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
1070         (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
1071         * assembler/MacroAssemblerARMv7.h:
1072         (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
1073         * assembler/MacroAssemblerMIPS.h:
1074         (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
1075         * assembler/MacroAssemblerSH4.h:
1076         (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
1077         * assembler/MacroAssemblerX86Common.h:
1078         (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
1079         (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
1080         * builtins/GlobalObject.js:
1081         (toInteger):
1082         * dfg/DFGAbstractInterpreterInlines.h:
1083         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1084         * dfg/DFGByteCodeParser.cpp:
1085         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1086         * dfg/DFGClobberize.h:
1087         (JSC::DFG::clobberize):
1088         * dfg/DFGDoesGC.cpp:
1089         (JSC::DFG::doesGC):
1090         * dfg/DFGFixupPhase.cpp:
1091         (JSC::DFG::FixupPhase::fixupNode):
1092         * dfg/DFGGraph.h:
1093         (JSC::DFG::Graph::roundShouldSpeculateInt32):
1094         * dfg/DFGNode.h:
1095         (JSC::DFG::Node::arithNodeFlags):
1096         (JSC::DFG::Node::hasHeapPrediction):
1097         (JSC::DFG::Node::hasArithRoundingMode):
1098         * dfg/DFGNodeType.h:
1099         * dfg/DFGPredictionPropagationPhase.cpp:
1100         (JSC::DFG::PredictionPropagationPhase::propagate):
1101         * dfg/DFGSafeToExecute.h:
1102         (JSC::DFG::safeToExecute):
1103         * dfg/DFGSpeculativeJIT.cpp:
1104         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1105         * dfg/DFGSpeculativeJIT.h:
1106         * dfg/DFGSpeculativeJIT32_64.cpp:
1107         (JSC::DFG::SpeculativeJIT::compile):
1108         * dfg/DFGSpeculativeJIT64.cpp:
1109         (JSC::DFG::SpeculativeJIT::compile):
1110         * ftl/FTLCapabilities.cpp:
1111         (JSC::FTL::canCompile):
1112         * ftl/FTLLowerDFGToB3.cpp:
1113         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1114         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
1115         * ftl/FTLOutput.cpp:
1116         (JSC::FTL::Output::doubleTrunc):
1117         * ftl/FTLOutput.h:
1118         * jit/ThunkGenerators.cpp:
1119         (JSC::truncThunkGenerator):
1120         * jit/ThunkGenerators.h:
1121         * runtime/CommonIdentifiers.h:
1122         * runtime/Intrinsic.h:
1123         * runtime/JSGlobalObject.cpp:
1124         (JSC::JSGlobalObject::init):
1125         * runtime/MathObject.cpp:
1126         (JSC::MathObject::finishCreation):
1127         * runtime/MathObject.h:
1128         * runtime/VM.cpp:
1129         (JSC::thunkGeneratorForIntrinsic):
1130         * tests/stress/math-rounding-infinity.js:
1131         (testTrunc):
1132         * tests/stress/math-rounding-nan.js:
1133         (testTrunc):
1134         * tests/stress/math-rounding-negative-zero.js:
1135         (testTrunc):
1136         * tests/stress/math-trunc-arith-rounding-mode.js: Added.
1137         (firstCareAboutZeroSecondDoesNot):
1138         (firstDoNotCareAboutZeroSecondDoes):
1139         (warmup):
1140         (verifyNegativeZeroIsPreserved):
1141         * tests/stress/math-trunc-basics.js: Added.
1142         (mathTruncOnIntegers):
1143         (mathTruncOnDoubles):
1144         (mathTruncOnBooleans):
1145         (uselessMathTrunc):
1146         (mathTruncWithOverflow):
1147         (mathTruncConsumedAsDouble):
1148         (mathTruncDoesNotCareAboutMinusZero):
1149         (mathTruncNoArguments):
1150         (mathTruncTooManyArguments):
1151         (testMathTruncOnConstants):
1152         (mathTruncStructTransition):
1153         (Math.trunc):
1154         * tests/stress/math-trunc-should-be-truncate.js: Added.
1155         (mathTrunc):
1156
1157 2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>
1158
1159         [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
1160         https://bugs.webkit.org/show_bug.cgi?id=155545
1161
1162         Reviewed by Saam Barati.
1163
1164         The current patch allows invoking new.target in eval if the eval is executed within a function;
1165         otherwise this will lead to a SyntaxError.
1166
1167         * bytecode/EvalCodeCache.h:
1168         (JSC::EvalCodeCache::getSlow):
1169         * bytecode/ExecutableInfo.h:
1170         (JSC::ExecutableInfo::ExecutableInfo):
1171         (JSC::ExecutableInfo::evalContextType):
1172         * bytecode/UnlinkedCodeBlock.cpp:
1173         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1174         * bytecode/UnlinkedCodeBlock.h:
1175         (JSC::UnlinkedCodeBlock::evalContextType):
1176         * bytecode/UnlinkedFunctionExecutable.cpp:
1177         (JSC::generateUnlinkedFunctionCodeBlock):
1178         * debugger/DebuggerCallFrame.cpp:
1179         (JSC::DebuggerCallFrame::evaluate):
1180         * interpreter/Interpreter.cpp:
1181         (JSC::eval):
1182         * parser/Parser.cpp:
1183         (JSC::Parser<LexerType>::Parser):
1184         (JSC::Parser<LexerType>::parseMemberExpression):
1185         * parser/Parser.h:
1186         (JSC::Scope::Scope):
1187         (JSC::Scope::setEvalContextType):
1188         (JSC::Scope::evalContextType):
1189         (JSC::parse):
1190         * runtime/CodeCache.cpp:
1191         (JSC::CodeCache::getGlobalCodeBlock):
1192         (JSC::CodeCache::getProgramCodeBlock):
1193         (JSC::CodeCache::getEvalCodeBlock):
1194         (JSC::CodeCache::getModuleProgramCodeBlock):
1195         * runtime/CodeCache.h:
1196         * runtime/Executable.cpp:
1197         (JSC::ScriptExecutable::ScriptExecutable):
1198         (JSC::EvalExecutable::create):
1199         (JSC::EvalExecutable::EvalExecutable):
1200         (JSC::ProgramExecutable::ProgramExecutable):
1201         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1202         (JSC::FunctionExecutable::FunctionExecutable):
1203         * runtime/Executable.h:
1204         (JSC::ScriptExecutable::evalContextType):
1205         * runtime/JSGlobalObject.cpp:
1206         (JSC::JSGlobalObject::createEvalCodeBlock):
1207         * runtime/JSGlobalObjectFunctions.cpp:
1208         (JSC::globalFuncEval):
1209         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1210         * tests/stress/new-target.js:
1211
1212 2016-04-02  Commit Queue  <commit-queue@webkit.org>
1213
1214         Unreviewed, rolling out r198976.
1215         https://bugs.webkit.org/show_bug.cgi?id=156140
1216
1217         "Causes js/regress/array-nonarray-polymorhpic-access.html to
1218         crash." (Requested by ddkilzer on #webkit).
1219
1220         Reverted changeset:
1221
1222         "[JSC] Initialize SSA's live values at tail lazily"
1223         https://bugs.webkit.org/show_bug.cgi?id=156126
1224         http://trac.webkit.org/changeset/198976
1225
1226 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
1227
1228         [JSC] Initialize SSA's live values at tail lazily
1229         https://bugs.webkit.org/show_bug.cgi?id=156126
1230
1231         Reviewed by Mark Lam.
1232
1233         Setting up the clean state early looks harmless but it is
1234         actually quite expensive.
1235
1236         The problem is that AbstractValue is gigantic; you really want
1237         to minimize how much you touch that memory.
1238
1239         By removing the initialization, most blocks only
1240         get 2 or 3 accesses: once to set up the value, and a few
1241         queries for merging the current block with the successors.
1242
1243         * dfg/DFGInPlaceAbstractState.cpp:
1244         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1245         (JSC::DFG::setLiveValues): Deleted.
1246         (JSC::DFG::InPlaceAbstractState::initialize): Deleted.
1247
1248 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
1249
1250         [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
1251         https://bugs.webkit.org/show_bug.cgi?id=156127
1252
1253         Reviewed by Mark Lam.
1254
1255         The profiler runs out of memory on big programs if you dump
1256         the baseline disassembly.
1257
1258         * jit/JIT.cpp:
1259         (JSC::JIT::privateCompile):
1260         * runtime/Options.h:
1261
1262 2016-04-02  Dan Bernstein  <mitz@apple.com>
1263
1264         jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
1265         https://bugs.webkit.org/show_bug.cgi?id=156134
1266         <rdar://problem/25443824>
1267
1268         Reviewed by Mark Lam.
1269
1270         * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
1271           relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
1272           to the directory containing JavaScript.framework, and add
1273           WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.
1274
1275 2016-04-01  Benjamin Poulain  <bpoulain@apple.com>
1276
1277         [JSC][x86] Add the 3 operands form of floating point subtraction
1278         https://bugs.webkit.org/show_bug.cgi?id=156095
1279
1280         Reviewed by Geoffrey Garen.
1281
1282         Same old, same old. Add the AVX form of subsd and subss.
1283
1284         Unfortunately, we cannot benefit from the 3 register form
1285         in B3 yet because the Air script does not support CPU flags yet.
1286         That can be fixed later.
1287
1288         * assembler/MacroAssemblerX86Common.h:
1289         (JSC::MacroAssemblerX86Common::subDouble):
1290         (JSC::MacroAssemblerX86Common::subFloat):
1291         * assembler/X86Assembler.h:
1292         (JSC::X86Assembler::vsubsd_rr):
1293         (JSC::X86Assembler::subsd_mr):
1294         (JSC::X86Assembler::vsubsd_mr):
1295         (JSC::X86Assembler::vsubss_rr):
1296         (JSC::X86Assembler::subss_mr):
1297         (JSC::X86Assembler::vsubss_mr):
1298         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1299         * b3/air/AirOpcode.opcodes:
1300
1301 2016-04-01  Alberto Garcia  <berto@igalia.com>
1302
1303         [JSC] Missing PATH_MAX definition
1304         https://bugs.webkit.org/show_bug.cgi?id=156102
1305
1306         Reviewed by Yusuke Suzuki.
1307
1308         Not all systems define PATH_MAX, so add a fallback value that is
1309         long enough.
1310
1311         * jsc.cpp:
1312
1313 2016-03-31  Benjamin Poulain  <bpoulain@apple.com>
1314
1315         [JSC] CFA's valuesAtHead should be a list, not a map
1316         https://bugs.webkit.org/show_bug.cgi?id=156087
1317
1318         Reviewed by Mark Lam.
1319
1320         One more step toward moving to the Air-style of liveness analysis:
1321
1322         Make DFG's valuesAtHead a list of Node*-AbstractValue.
1323         This patch alone is already a speedup because our many CFAs
1324         spend an unreasonable amount of time updating at block boundaries.
1325
1326         * dfg/DFGBasicBlock.h:
1327         * dfg/DFGCFAPhase.cpp:
1328         (JSC::DFG::CFAPhase::performBlockCFA):
1329         * dfg/DFGGraph.cpp:
1330         (JSC::DFG::Graph::dump):
1331         * dfg/DFGInPlaceAbstractState.cpp:
1332         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1333         (JSC::DFG::setLiveValues):
1334         (JSC::DFG::InPlaceAbstractState::merge):
1335         * dfg/DFGNode.h:
1336         (JSC::DFG::nodeValuePairComparator):
1337         (JSC::DFG::nodeValuePairListDump):
1338
1339 2016-03-31  Saam barati  <sbarati@apple.com>
1340
1341         Revert rewrite const as var workaround
1342         https://bugs.webkit.org/show_bug.cgi?id=155393
1343
1344         Reviewed by Mark Lam.
1345
1346         * parser/Parser.h:
1347         (JSC::Parser::next):
1348         (JSC::Parser::nextExpectIdentifier):
1349         * runtime/VM.h:
1350         (JSC::VM::setShouldRewriteConstAsVar): Deleted.
1351         (JSC::VM::shouldRewriteConstAsVar): Deleted.
1352
1353 2016-03-31  Saam barati  <sbarati@apple.com>
1354
1355         [ES6] Disallow var assignments in for-in loops
1356         https://bugs.webkit.org/show_bug.cgi?id=155451
1357
1358         Reviewed by Mark Lam.
1359
1360         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
1361         because last time we made this change it broke some websites. Let's try making
1362         it again because it's what ES6 mandates. If it still breaks things we will
1363         roll it out.
1364
1365         * parser/Parser.cpp:
1366         (JSC::Parser<LexerType>::parseForStatement):
1367
1368 2016-03-31  Saam barati  <sbarati@apple.com>
1369
1370         parsing arrow function expressions slows down the parser by 8% let's recoup some loss
1371         https://bugs.webkit.org/show_bug.cgi?id=155988
1372
1373         Reviewed by Benjamin Poulain.
1374
1375         We used to eagerly check if we're parsing an arrow function.
1376         We did this inside parseAssignmentExpression(), and it was
1377         very costly. The reason it was costly is that arrow functions
1378         might start with an identifier. This means anytime we saw an
1379         identifier we would have to do a lookahead, and then most likely
1380         backtrack because more often than not, we wouldn't see "=>"
1381         as the next token.
1382
1383         In this patch I implement a new approach. We just parse
1384         the lhs of an assignment expression eagerly without doing any
1385         lookahead. Retroactively, if we see that we might have started
1386         with an arrow function, and we don't have a valid lhs or the
1387         next token is a "=>", we try to parse as an arrow function.
1388
1389         Here are a few examples motivating why this is valid:
1390
1391         `x => x`
1392         In this example:
1393         - "x" is a valid arrow function starting point.
1394         - "x" also happens to be a valid lhs
1395         - because we see "=>" as the next token, we parse as an arrow function and succeed.
1396
1397         `(x) => x`
1398         In this example:
1399         - "(" is a valid arrow function starting point.
1400         - "(x)" also happens to be a valid lhs
1401         - because we see "=>" as the next token, we parse as an arrow function and succeed.
1402
1403         `({x = 30}) => x;`
1404         In this example:
1405         - "(" is a valid arrow function starting point.
1406         - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.
1407
1408         There is one interesting implementation detail where we might
1409         parse something that is both a valid LHS but happens
1410         to actually be the arrow function parameters. The valid LHS
1411         parsing might declare such variables as "uses" which would cause
1412         weird capture analysis. This patch also introduces a mechanism
1413         to backtrack on used variable analysis.
1414
1415         This is a 3.5%-4.5% octane code load speedup.
1416
1417         * parser/Lexer.h:
1418         (JSC::Lexer::sawError):
1419         (JSC::Lexer::setSawError):
1420         (JSC::Lexer::getErrorMessage):
1421         (JSC::Lexer::setErrorMessage):
1422         (JSC::Lexer::sourceURL):
1423         (JSC::Lexer::sourceMappingURL):
1424         * parser/Parser.cpp:
1425         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1426         (JSC::Parser<LexerType>::parseAssignmentExpression):
1427         (JSC::Parser<LexerType>::parsePrimaryExpression):
1428         * parser/Parser.h:
1429         (JSC::Scope::Scope):
1430         (JSC::Scope::startSwitch):
1431         (JSC::Scope::declareParameter):
1432         (JSC::Scope::usedVariablesContains):
1433         (JSC::Scope::useVariable):
1434         (JSC::Scope::pushUsedVariableSet):
1435         (JSC::Scope::currentUsedVariablesSize):
1436         (JSC::Scope::revertToPreviousUsedVariables):
1437         (JSC::Scope::setNeedsFullActivation):
1438         (JSC::Scope::needsFullActivation):
1439         (JSC::Scope::isArrowFunctionBoundary):
1440         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1441         (JSC::Scope::collectFreeVariables):
1442         (JSC::Scope::fillParametersForSourceProviderCache):
1443         (JSC::Scope::restoreFromSourceProviderCache):
1444         (JSC::Scope::setIsModule):
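
The lhs-first strategy described in the entry above, as an added example written for this page (a toy grammar, not JSC's Parser.cpp): the parser consumes what could be the left-hand side of an assignment without any lookahead, and only backs up to reparse it as arrow-function parameters when that lhs turned out to be invalid or the next token is "=>". The `rewinds` counter shows that plain assignments starting with an identifier never back up.

```javascript
// Added example, not JSC's Parser.cpp: a toy assignment-expression parser that
// parses the left-hand side first and only reparses it as arrow-function
// parameters when the lhs turned out invalid or "=>" follows it.
function tokenize(src) {
  // "=>" must come before "=" so it is matched as one token.
  return src.match(/=>|[A-Za-z_]\w*|\d+|[(){}=,;]/g) || [];
}

function isIdentifier(tok) {
  return typeof tok === "string" && /^[A-Za-z_]\w*$/.test(tok);
}

// Returns { ast, rewinds }: rewinds counts how often the parser backed up and
// reparsed. With this strategy that happens only when an arrow really follows.
function parse(src) {
  const tokens = tokenize(src);
  let pos = 0;
  let rewinds = 0;

  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const expect = (tok) => {
    if (next() !== tok) throw new SyntaxError("expected " + tok);
  };

  // Copies a bracketed group token-for-token. A "=" nested inside it (as in
  // "({x = 30})") is a default initializer, legal only in a parameter
  // pattern, so the group is then not a valid lhs.
  function parseGroup(open, close) {
    const parts = [];
    let validLhs = true;
    let depth = 0;
    expect(open);
    for (;;) {
      const tok = next();
      if (tok === undefined) throw new SyntaxError("unterminated " + open);
      if (tok === close && depth === 0) break;
      if (tok === "(" || tok === "{") depth++;
      else if (tok === ")" || tok === "}") depth--;
      else if (tok === "=" && depth > 0) validLhs = false;
      parts.push(tok);
    }
    return { text: open + parts.join("") + close, validLhs };
  }

  function parseLhsCandidate() {
    const tok = peek();
    if (isIdentifier(tok)) return { type: "Identifier", name: next(), validLhs: true };
    if (tok === "(") return { type: "Parenthesized", ...parseGroup("(", ")") };
    if (/^\d+$/.test(tok)) return { type: "Literal", value: Number(next()), validLhs: false };
    throw new SyntaxError("unexpected token " + tok);
  }

  function parseArrowFunction() {
    const params = isIdentifier(peek())
      ? [next()]
      : parseGroup("(", ")").text.slice(1, -1).split(",").filter(Boolean);
    expect("=>");
    return { type: "ArrowFunction", params, body: parseAssignmentExpression() };
  }

  function parseAssignmentExpression() {
    const start = pos;
    // Only an identifier or "(" can begin arrow parameters.
    const couldBeArrow = isIdentifier(peek()) || peek() === "(";
    const lhs = parseLhsCandidate();
    if (couldBeArrow && (!lhs.validLhs || peek() === "=>")) {
      pos = start; // the one place we back up: an arrow function really starts here
      rewinds++;
      return parseArrowFunction();
    }
    if (peek() === "=") {
      if (!lhs.validLhs) throw new SyntaxError("invalid assignment target");
      next();
      return { type: "Assignment", target: lhs, value: parseAssignmentExpression() };
    }
    return lhs;
  }

  const ast = parseAssignmentExpression();
  if (peek() === ";") next();
  if (pos !== tokens.length) throw new SyntaxError("unexpected " + peek());
  return { ast, rewinds };
}
```

The three inputs from the entry (`x => x`, `(x) => x`, `({x = 30}) => x;`) each cost exactly one rewind, while `x = 5` costs none; the eager approach the entry replaced would have done a lookahead on every leading identifier.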
1445
1446 2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1447
1448         Fails to build in Linux / PowerPC due to different ucontext_t definition
1449         https://bugs.webkit.org/show_bug.cgi?id=156015
1450
1451         Reviewed by Michael Catanzaro.
1452
1453         PPC does not have mcontext_t in ucontext_t::uc_mcontext.
1454         So we take the special way to retrieve mcontext_t in PPC.
1455
1456         * heap/MachineStackMarker.cpp:
1457         (pthreadSignalHandlerSuspendResume):
1458
1459 2016-03-31  Benjamin Poulain  <benjamin@webkit.org>
1460
1461         [JSC][x86] Add the indexed forms of floating point addition and multiplication
1462         https://bugs.webkit.org/show_bug.cgi?id=156058
1463
1464         Reviewed by Geoffrey Garen.
1465
1466         B3 supports lowering [base, index] addresses into
1467         arbitrary instructions but we were not using that feature.
1468
1469         This patch adds the missing support for the lowering
1470         of Add and Mul.
1471
1472         * assembler/MacroAssemblerX86Common.h:
1473         (JSC::MacroAssemblerX86Common::addDouble):
1474         (JSC::MacroAssemblerX86Common::addFloat):
1475         (JSC::MacroAssemblerX86Common::mulDouble):
1476         (JSC::MacroAssemblerX86Common::mulFloat):
1477         * assembler/X86Assembler.h:
1478         (JSC::X86Assembler::addsd_mr):
1479         (JSC::X86Assembler::vaddsd_mr):
1480         (JSC::X86Assembler::addss_mr):
1481         (JSC::X86Assembler::vaddss_mr):
1482         (JSC::X86Assembler::mulsd_mr):
1483         (JSC::X86Assembler::vmulsd_mr):
1484         (JSC::X86Assembler::mulss_mr):
1485         (JSC::X86Assembler::vmulss_mr):
1486         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1487         * b3/B3LowerToAir.cpp:
1488         (JSC::B3::Air::LowerToAir::appendBinOp):
1489         Unlike the Addr form, we never need to transform a Tmp
1490         into an Index for spilling.
1491
1492         Instead of duplicating all the code in MacroAssembler, I can
1493         just have the lowering phase try using addresses for the first
1494         argument when possible.
1495
1496         * b3/air/AirOpcode.opcodes:
1497         * b3/air/testair.cpp:
1498         (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
1499         (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
1500         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
1501         (JSC::B3::Air::run):
1502
1503 2016-03-31  Saam barati  <sbarati@apple.com>
1504
1505         DFG JIT bug in typeof constant folding where the input to typeof is an object or function
1506         https://bugs.webkit.org/show_bug.cgi?id=156034
1507         <rdar://problem/25446785>
1508
1509         Reviewed by Ryosuke Niwa.
1510
1511         AI would constant fold TypeOf to the string "object" if it saw that
1512         its input type didn't expand past the types contained in the set
1513         "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
1514         And typeof of a function should return "function". This patch fixes
1515         this bug by making sure we constant fold to object iff the type
1516         doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
1517
1518         * dfg/DFGAbstractInterpreterInlines.h:
1519         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1520         * tests/stress/typeof-dfg-function-or-object.js: Added.
1521         (assert):
1522         (foo.else.o):
1523         (foo):
1524
1525 2016-03-31  Mark Lam  <mark.lam@apple.com>
1526
1527         Gardening: Build and logic fix after r198873.
1528         https://bugs.webkit.org/show_bug.cgi?id=156043
1529
1530         Not reviewed.
1531
1532         * assembler/MacroAssemblerX86Common.h:
1533         (JSC::MacroAssemblerX86Common::addFloat):
1534         - 2 args were meant to be ordered differently in order to call the other addFloat.
1535           Instead, there was an infinite recursion bug.  This is now fixed.
1536
1537 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
1538
1539         [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
1540         https://bugs.webkit.org/show_bug.cgi?id=156043
1541
1542         Reviewed by Geoffrey Garen.
1543
1544         When they are available, VADD and VMUL are better options to lower
1545         floating point addition and multiplication.
1546
1547         In the simple cases when one of the operands is aliased to the destination,
1548         those forms have the same size or 1 byte shorter depending on the registers.
1549
1550         In the more advanced cases, we gain nice advantages with the new forms:
1551         -We can get rid of the MoveDouble in front of the instruction when we cannot
1552          alias.
1553         -We can disable aliasing entirely in Air. That is useful for latency
1554          since computing coalescing is not exactly cheap.
1555
1556         * assembler/MacroAssemblerX86Common.cpp:
1557         * assembler/MacroAssemblerX86Common.h:
1558         (JSC::MacroAssemblerX86Common::and32):
1559         (JSC::MacroAssemblerX86Common::mul32):
1560         (JSC::MacroAssemblerX86Common::or32):
1561         (JSC::MacroAssemblerX86Common::xor32):
1562         (JSC::MacroAssemblerX86Common::branchAdd32):
1563         The change in B3LowerToAir exposed a bug in the fake 3 operands
1564         forms of those instructions. If the address is equal to
1565         the destination, we were nuking the address.
1566
1567         For example,
1568             Add32([%r11], %eax, %r11)
1569         would generate:
1570             move %eax, %r11
1571             add32 [%r11], %r11
1572         which crashes.
1573
1574         I updated codegen of those cases to support that case through
1575             load32 [%r11], %r11
1576             add32 %eax, %r11
1577
1578         The weird case where all arguments have the same registers
1579         is handled too.
1580
1581         (JSC::MacroAssemblerX86Common::addDouble):
1582         (JSC::MacroAssemblerX86Common::addFloat):
1583         (JSC::MacroAssemblerX86Common::mulDouble):
1584         (JSC::MacroAssemblerX86Common::mulFloat):
1585         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1586         (JSC::MacroAssemblerX86Common::supportsAVX):
1587         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1588         * assembler/MacroAssemblerX86_64.h:
1589         (JSC::MacroAssemblerX86_64::branchAdd64):
1590         * assembler/X86Assembler.h:
1591         (JSC::X86Assembler::vaddsd_rr):
1592         (JSC::X86Assembler::vaddsd_mr):
1593         (JSC::X86Assembler::vaddss_rr):
1594         (JSC::X86Assembler::vaddss_mr):
1595         (JSC::X86Assembler::vmulsd_rr):
1596         (JSC::X86Assembler::vmulsd_mr):
1597         (JSC::X86Assembler::vmulss_rr):
1598         (JSC::X86Assembler::vmulss_mr):
1599         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1600         * b3/B3LowerToAir.cpp:
1601         (JSC::B3::Air::LowerToAir::appendBinOp):
1602         Add the 3 operand forms so that we lower Add and Mul
1603         to the best form directly.
1604
1605         I will change how we lower the fake 3 operands instructions
1606         but the codegen should end up the same in most cases.
1607         The new codegen is the load32 + op above.
1608
1609         * b3/air/AirInstInlines.h:
1610         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1611         * b3/air/testair.cpp:
1612         (JSC::B3::Air::testX86VMULSD):
1613         (JSC::B3::Air::testX86VMULSDDestRex):
1614         (JSC::B3::Air::testX86VMULSDOp1DestRex):
1615         (JSC::B3::Air::testX86VMULSDOp2DestRex):
1616         (JSC::B3::Air::testX86VMULSDOpsDestRex):
1617         (JSC::B3::Air::testX86VMULSDAddr):
1618         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
1619         (JSC::B3::Air::testX86VMULSDDestRexAddr):
1620         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
1621         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
1622         Make sure we have some coverage for AVX encoding of instructions.
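
The aliasing bug in the fake 3-operand forms described above, as an added example written for this page (not JSC's MacroAssembler): `lowerAdd32` emits the old `move` + `add32 [base]` sequence when `fixed` is false and the corrected `load32` + `add32 reg` sequence when the address register is also the destination. The register names, the tiny instruction set and the memory image are constructed for the example; `simulate` is a toy interpreter that faults on an unmapped address, which is what the entry means by "crashes".

```javascript
// Added example, not JSC code: lowering add32([base], src, dest) into
// 2-operand x86-style pseudo-instructions with the aliasing check the
// ChangeLog entry describes. Registers are plain strings.
function lowerAdd32(base, src, dest, { fixed = true } = {}) {
  const out = [];
  if (!fixed) {
    // The old sequence: copy src into dest, then add the memory operand.
    // If base === dest, the copy overwrites the address before it is read.
    out.push(`move ${src}, ${dest}`);
    out.push(`add32 [${base}], ${dest}`);
    return out;
  }
  if (src === dest) {
    // dest += [base]; base is only read, so this covers base === src === dest too.
    out.push(`add32 [${base}], ${dest}`);
  } else if (base === dest) {
    // Consume the address first, then add the register operand.
    out.push(`load32 [${base}], ${dest}`);
    out.push(`add32 ${src}, ${dest}`);
  } else {
    out.push(`move ${src}, ${dest}`);
    out.push(`add32 [${base}], ${dest}`);
  }
  return out;
}

// Toy interpreter for the four pseudo-instructions above. `regs` maps
// register name -> value, `mem` maps address -> 32-bit value; reading an
// address that is not in `mem` throws, standing in for a segfault.
function simulate(instrs, regs, mem) {
  const r = { ...regs };
  const load = (base) => {
    if (!(r[base] in mem)) throw new Error(`fault: no memory at ${r[base]}`);
    return mem[r[base]];
  };
  for (const ins of instrs) {
    let m;
    if ((m = /^move (\w+), (\w+)$/.exec(ins))) r[m[2]] = r[m[1]];
    else if ((m = /^load32 \[(\w+)\], (\w+)$/.exec(ins))) r[m[2]] = load(m[1]);
    else if ((m = /^add32 \[(\w+)\], (\w+)$/.exec(ins))) r[m[2]] = (r[m[2]] + load(m[1])) | 0;
    else if ((m = /^add32 (\w+), (\w+)$/.exec(ins))) r[m[2]] = (r[m[2]] + r[m[1]]) | 0;
    else throw new Error("unknown instruction " + ins);
  }
  return r;
}
```

With the constructed state `{ eax: 5, r11: 256 }` and memory `{ 256: 7 }`, the entry's `Add32([%r11], %eax, %r11)` lowers to `load32 [r11], r11; add32 eax, r11` and yields 12, whereas the old sequence moves 5 into `r11` and then dereferences address 5.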
1623
1624 2016-03-30  Saam Barati  <sbarati@apple.com>
1625
1626         Change some release asserts in CodeBlock linking into debug asserts
1627         https://bugs.webkit.org/show_bug.cgi?id=155500
1628
1629         Reviewed by Filip Pizlo.
1630
1631         * bytecode/CodeBlock.cpp:
1632         (JSC::CodeBlock::finishCreation):
1633
1634 2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1635
1636         Remove unused ScriptProfiler.Samples.totalTime
1637         https://bugs.webkit.org/show_bug.cgi?id=156002
1638
1639         Reviewed by Saam Barati.
1640
1641         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1642         (Inspector::buildSamples):
1643         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1644         * inspector/protocol/ScriptProfiler.json:
1645         Remove totalTime.
1646
1647         * runtime/SamplingProfiler.cpp:
1648         (JSC::SamplingProfiler::SamplingProfiler): Deleted.
1649         * runtime/SamplingProfiler.h:
1650         (JSC::SamplingProfiler::totalTime): Deleted.
1651         Remove now unused m_totalTime.
1652
1653 2016-03-30  Michael Saboff  <msaboff@apple.com>
1654
1655         [ES6] Quantified unicode regular expressions do not work for counts greater than 1
1656         https://bugs.webkit.org/show_bug.cgi?id=156044
1657
1658         Reviewed by Mark Lam.
1659
1660         Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
1661         was indexing by character units, a single JS character, instead of code points
1662         which is 2 JS characters.
1663
1664         * yarr/YarrInterpreter.cpp:
1665         (JSC::Yarr::Interpreter::matchDisjunction):
1666
1667 2016-03-30  Mark Lam  <mark.lam@apple.com>
1668
1669         Make the $vm debugging tools available to builtins as @$vm.
1670         https://bugs.webkit.org/show_bug.cgi?id=156012
1671
1672         Reviewed by Saam Barati.
1673
1674         We also need some debugging tools for builtin development.  The $vm object will
1675         be made available to builtins as @$vm, which gives us, amongst many goodies,
1676         @$vm.print() (which prints the toString() values of its args) and
1677         @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
1678         available if we run with JSC_useDollarVM=true.
1679
1680         Also changed @$vm.print() to not automatically insert a space between the
1681         printing of each of its args.  This makes it clearer as to what will be printed
1682         i.e. it will only print what is passed to it.
1683
1684         * builtins/BuiltinNames.h:
1685         (JSC::BuiltinNames::BuiltinNames):
1686         (JSC::BuiltinNames::dollarVMPublicName):
1687         (JSC::BuiltinNames::dollarVMPrivateName):
1688         * runtime/JSGlobalObject.cpp:
1689         (JSC::JSGlobalObject::init):
1690         * tools/JSDollarVMPrototype.cpp:
1691         (JSC::functionPrint):
1692
1693 2016-03-30  Keith Miller  <keith_miller@apple.com>
1694
1695         Unreviewed, buildfix.
1696
1697         * bytecode/BytecodeIntrinsicRegistry.h:
1698
1699 2016-03-30  Keith Miller <keith_miller@apple.com>
1700
1701         Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.
1702
1703 2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1704
1705         [JSC] Implement String.prototype.repeat in builtins JS
1706         https://bugs.webkit.org/show_bug.cgi?id=155974
1707
1708         Reviewed by Darin Adler.
1709
1710         This patch converts C++ String.prototype.repeat implementation into JS builtins.
1711         |this| in strict mode is correctly inferred as String[1]. This fact encourages us
1712         to write PrimitiveTypes.prototype.XXX methods in builtin JS.
1713
1714         LayoutTests/js/string-repeat.html already covers the tests for this change.
1715
1716         Note: String.prototype.repeat functionality is similar to Harmony's
1717         String.prototype.{padStart, padEnd}. It's nice to port them to builtin JS in
1718         the other patch.
1719
1720         The existing C++ code has the fast path for singleCharacterString repeating.
1721         Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
1722         we keep this fast path as @repeatCharacter().
1723
1724         The performance results show that, while the performance of the single character fast path
1725         is neutral, other string repeating has significant speed up.
1726         There are two reasons.
1727
1728         1. Not resolving string rope.
1729
1730         We added several tests postfixed "not-resolving". In those tests, we do not touch the content
1731         of the generated string. As a result, the generated rope is not resolved.
1732
1733         2. O(log N) intermediate JSRopeStrings.
1734
1735         In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
1736         the given string to the builder.
1737         In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
1738         In JS builtin implementation, we only iterate log N times. As a result, the number of the
1739         intermediate rope strings becomes O(log N).
1740
1741         [1]: http://trac.webkit.org/changeset/195938
1742
1743         * builtins/StringPrototype.js:
1744         (repeatSlowPath):
1745         (repeat):
1746         * bytecode/BytecodeIntrinsicRegistry.cpp:
1747         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1748         * bytecode/BytecodeIntrinsicRegistry.h:
1749         * runtime/CommonIdentifiers.h:
1750         * runtime/JSGlobalObject.cpp:
1751         (JSC::JSGlobalObject::init):
1752         * runtime/StringPrototype.cpp:
1753         (JSC::stringProtoFuncRepeatCharacter):
1754         (JSC::StringPrototype::finishCreation): Deleted.
1755         (JSC::stringProtoFuncRepeat): Deleted.
1756         * runtime/StringPrototype.h:
1757         * tests/stress/string-repeat-edge-cases.js: Added.
1758         (shouldBe):
1759         (let.object.toString):
1760         (valueOf):
1761         (shouldThrow):
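
The O(log N) construction the entry describes, as an added example written for this page (not the builtin in builtins/StringPrototype.js): `repeatByDoubling` follows the ES6 String.prototype.repeat steps and builds the result by repeated doubling, while `repeatNaive` is the N-append loop for comparison. The `stats` parameter and `countConcatenations` are constructed for the example so the number of concatenations (and therefore intermediate strings) can be measured.

```javascript
// Added example, not JSC's builtins/StringPrototype.js: String.prototype.repeat
// following the ES6 steps, building the result by doubling so that a count of
// N costs O(log N) concatenations (and, in an engine with rope strings, O(log N)
// intermediate ropes) instead of N appends.
function repeatByDoubling(str, count, stats = { concatenations: 0 }) {
  str = String(str);
  // ToInteger(count): NaN becomes 0, fractions are truncated.
  let n = Number(count);
  n = Number.isNaN(n) ? 0 : Math.trunc(n);
  if (n < 0 || n === Infinity)
    throw new RangeError("String.prototype.repeat argument must be a non-negative finite number");
  if (n === 0 || str.length === 0)
    return "";
  // Binary exponentiation on strings: `piece` holds str repeated 2^i times
  // and is appended whenever bit i of n is set.
  let result = "";
  let piece = str;
  while (n > 0) {
    if (n % 2 === 1) {
      result += piece;
      stats.concatenations++;
    }
    n = Math.floor(n / 2);
    if (n > 0) {
      piece += piece;
      stats.concatenations++;
    }
  }
  return result;
}

// The straightforward loop for comparison: N appends, N intermediate strings.
function repeatNaive(str, count, stats = { concatenations: 0 }) {
  let result = "";
  for (let i = 0; i < count; i++) {
    result += str;
    stats.concatenations++;
  }
  return result;
}

// How many concatenations a given strategy performs for `count` repeats.
function countConcatenations(repeatFn, str, count) {
  const stats = { concatenations: 0 };
  repeatFn(str, count, stats);
  return stats.concatenations;
}
```

For a count of 1000 the doubling version performs 15 concatenations (9 doublings plus one append per set bit of 1000) against 1000 for the naive loop; both produce the same string as the native `"abc".repeat(1000)`.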
1762
1763 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
1764
1765         [JSC] Update udis86
1766         https://bugs.webkit.org/show_bug.cgi?id=156005
1767
1768         Reviewed by Geoffrey Garen.
1769
1770         * CMakeLists.txt:
1771         * DerivedSources.make:
1772         * JavaScriptCore.xcodeproj/project.pbxproj:
1773         * disassembler/udis86/differences.txt:
1774         * disassembler/udis86/itab.py: Removed.
1775         * disassembler/udis86/optable.xml:
1776         * disassembler/udis86/ud_itab.py: Added.
1777         * disassembler/udis86/ud_opcode.py:
1778         * disassembler/udis86/ud_optable.py: Removed.
1779         * disassembler/udis86/udis86.c:
1780         * disassembler/udis86/udis86_decode.c:
1781         * disassembler/udis86/udis86_decode.h:
1782         * disassembler/udis86/udis86_extern.h:
1783         * disassembler/udis86/udis86_input.c: Removed.
1784         * disassembler/udis86/udis86_input.h: Removed.
1785         * disassembler/udis86/udis86_syn-att.c:
1786         * disassembler/udis86/udis86_syn.h:
1787         * disassembler/udis86/udis86_types.h:
1788         * disassembler/udis86/udis86_udint.h:
1789
1790 2016-03-30  Benjamin Poulain  <bpoulain@apple.com>
1791
1792         [JSC] Get rid of operationInitGlobalConst(), it is useless
1793         https://bugs.webkit.org/show_bug.cgi?id=156010
1794
1795         Reviewed by Geoffrey Garen.
1796
1797         * jit/JITOperations.cpp:
1798         * jit/JITOperations.h:
1799
1800 2016-03-29  Saam barati  <sbarati@apple.com>
1801
1802         Fix typos in our error messages and remove some trailing periods
1803         https://bugs.webkit.org/show_bug.cgi?id=155985
1804
1805         Reviewed by Mark Lam.
1806
1807         * bytecompiler/BytecodeGenerator.cpp:
1808         (JSC::BytecodeGenerator::BytecodeGenerator):
1809         * runtime/ArrayConstructor.h:
1810         (JSC::isArray):
1811         * runtime/ProxyConstructor.cpp:
1812         (JSC::makeRevocableProxy):
1813         (JSC::proxyRevocableConstructorThrowError):
1814         (JSC::ProxyConstructor::finishCreation):
1815         (JSC::constructProxyObject):
1816         * runtime/ProxyObject.cpp:
1817         (JSC::ProxyObject::finishCreation):
1818         (JSC::performProxyGet):
1819         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1820         (JSC::ProxyObject::performHasProperty):
1821         (JSC::ProxyObject::performPut):
1822         (JSC::performProxyCall):
1823         (JSC::performProxyConstruct):
1824         (JSC::ProxyObject::performDelete):
1825         (JSC::ProxyObject::performPreventExtensions):
1826         (JSC::ProxyObject::performIsExtensible):
1827         (JSC::ProxyObject::performDefineOwnProperty):
1828         (JSC::ProxyObject::performGetOwnPropertyNames):
1829         (JSC::ProxyObject::performSetPrototype):
1830         (JSC::ProxyObject::performGetPrototype):
1831         * runtime/StringPrototype.cpp:
1832         (JSC::stringProtoFuncStartsWith):
1833         (JSC::stringProtoFuncEndsWith):
1834         (JSC::stringProtoFuncIncludes):
1835         * runtime/Structure.cpp:
1836         (JSC::Structure::preventExtensionsTransition):
1837         * tests/stress/proxy-basic.js:
1838         * tests/stress/proxy-construct.js:
1839         (throw.new.Error):
1840         (assert):
1841         * tests/stress/proxy-define-own-property.js:
1842         (assert):
1843         (throw.new.Error):
1844         (i.catch):
1845         (assert.set get catch):
1846         * tests/stress/proxy-delete.js:
1847         (assert):
1848         * tests/stress/proxy-get-own-property.js:
1849         (assert):
1850         (i.catch):
1851         (set get let):
1852         * tests/stress/proxy-get-prototype-of.js:
1853         (assert):
1854         (assert.get let):
1855         (assert.get catch):
1856         * tests/stress/proxy-has-property.js:
1857         (assert):
1858         * tests/stress/proxy-is-array.js:
1859         (test):
1860         * tests/stress/proxy-is-extensible.js:
1861         (assert):
1862         * tests/stress/proxy-json.js:
1863         (assert):
1864         (test):
1865         * tests/stress/proxy-own-keys.js:
1866         (assert):
1867         (i.catch):
1868         * tests/stress/proxy-prevent-extensions.js:
1869         (assert):
1870         * tests/stress/proxy-property-descriptor.js:
1871         * tests/stress/proxy-revoke.js:
1872         (assert):
1873         (throw.new.Error.):
1874         (throw.new.Error):
1875         (shouldThrowNullHandler):
1876         * tests/stress/proxy-set-prototype-of.js:
1877         (assert.set let):
1878         (assert.set catch):
1879         (assert):
1880         (set catch):
1881         * tests/stress/proxy-set.js:
1882         (throw.new.Error.let.handler.set 45):
1883         (throw.new.Error):
1884         * tests/stress/proxy-with-private-symbols.js:
1885         (assert):
1886         * tests/stress/proxy-with-unbalanced-getter-setter.js:
1887         (assert):
1888         * tests/stress/reflect-set-proxy-set.js:
1889         (throw.new.Error.let.handler.set 45):
1890         (throw.new.Error):
1891         * tests/stress/reflect-set-receiver-proxy-set.js:
1892         (let.handler.set 45):
1893         (catch):
1894         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
1895         (test):
1896         (test.get let):
1897
1898 2016-03-29  Keith Miller  <keith_miller@apple.com>
1899
1900         [ES6] Add support for Symbol.isConcatSpreadable.
1901         https://bugs.webkit.org/show_bug.cgi?id=155351
1902
1903         Reviewed by Saam Barati.
1904
1905         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
1906         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
1907         a builtin performant. First, four new DFG intrinsics were added.
1908
1909         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
1910            the Array.isArray function.
1911         2) IsJSArray: checks the first child is a JSArray object.
1912         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
1913         4) CallObjectConstructor: an intrinsic of the Object constructor.
1914
1915         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
1916         we are able to prove that the first child is an Array or for ToObject an Object.
1917
1918         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
1919         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
1920         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
1921         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
1922         into a contiguous array).
1923
1924         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
1925         values onto the result array. This works roughly the same as the two array fast path using the same methodology
1926         to decide if we can memcpy the other butterfly into the result butterfly.
1927
1928         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
1929         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
1930         dataLog function on it.
1931
1932         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
1933         JSValueOperand if the operand's use count is one.
1934
1935         * JavaScriptCore.xcodeproj/project.pbxproj:
1936         * builtins/ArrayPrototype.js:
1937         (concatSlowPath):
1938         (concat):
1939         * bytecode/BytecodeIntrinsicRegistry.cpp:
1940         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1941         * bytecode/BytecodeIntrinsicRegistry.h:
1942         * dfg/DFGAbstractInterpreterInlines.h:
1943         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1944         * dfg/DFGByteCodeParser.cpp:
1945         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1946         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1947         * dfg/DFGClobberize.h:
1948         (JSC::DFG::clobberize):
1949         * dfg/DFGDoesGC.cpp:
1950         (JSC::DFG::doesGC):
1951         * dfg/DFGFixupPhase.cpp:
1952         (JSC::DFG::FixupPhase::fixupNode):
1953         * dfg/DFGNodeType.h:
1954         * dfg/DFGOperations.cpp:
1955         * dfg/DFGOperations.h:
1956         * dfg/DFGPredictionPropagationPhase.cpp:
1957         (JSC::DFG::PredictionPropagationPhase::propagate):
1958         * dfg/DFGSafeToExecute.h:
1959         (JSC::DFG::safeToExecute):
1960         * dfg/DFGSpeculativeJIT.cpp:
1961         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1962         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
1963         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
1964         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1965         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1966         * dfg/DFGSpeculativeJIT.h:
1967         (JSC::DFG::SpeculativeJIT::callOperation):
1968         * dfg/DFGSpeculativeJIT32_64.cpp:
1969         (JSC::DFG::SpeculativeJIT::compile):
1970         * dfg/DFGSpeculativeJIT64.cpp:
1971         (JSC::DFG::SpeculativeJIT::compile):
1972         * ftl/FTLCapabilities.cpp:
1973         (JSC::FTL::canCompile):
1974         * ftl/FTLLowerDFGToB3.cpp:
1975         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1976         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1977         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
1978         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1979         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
1980         (JSC::FTL::DFG::LowerDFGToB3::isArray):
1981         * jit/JITOperations.h:
1982         * jsc.cpp:
1983         (WTF::RuntimeArray::createStructure):
1984         (GlobalObject::finishCreation):
1985         (functionDebug):
1986         (functionDataLogValue):
1987         * runtime/ArrayConstructor.cpp:
1988         (JSC::ArrayConstructor::finishCreation):
1989         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1990         * runtime/ArrayConstructor.h:
1991         (JSC::isArrayConstructor):
1992         * runtime/ArrayPrototype.cpp:
1993         (JSC::ArrayPrototype::finishCreation):
1994         (JSC::arrayProtoPrivateFuncIsJSArray):
1995         (JSC::moveElements):
1996         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1997         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1998         (JSC::arrayProtoFuncConcat): Deleted.
1999         * runtime/ArrayPrototype.h:
2000         (JSC::ArrayPrototype::createStructure):
2001         * runtime/CommonIdentifiers.h:
2002         * runtime/Intrinsic.h:
2003         * runtime/JSArray.cpp:
2004         (JSC::JSArray::appendMemcpy):
2005         (JSC::JSArray::fastConcatWith): Deleted.
2006         * runtime/JSArray.h:
2007         (JSC::JSArray::createStructure):
2008         (JSC::JSArray::fastConcatType): Deleted.
2009         * runtime/JSArrayInlines.h: Added.
2010         (JSC::JSArray::memCopyWithIndexingType):
2011         (JSC::JSArray::canFastCopy):
2012         * runtime/JSGlobalObject.cpp:
2013         (JSC::JSGlobalObject::init):
2014         * runtime/JSType.h:
2015         * runtime/ObjectConstructor.h:
2016         (JSC::constructObject):
2017         * tests/es6.yaml:
2018         * tests/stress/array-concat-spread-object.js: Added.
2019         (arrayEq):
2020         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
2021         (arrayEq):
2022         * tests/stress/array-concat-spread-proxy.js: Added.
2023         (arrayEq):
2024         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
2025         (arrayEq):
2026         * tests/stress/array-species-config-array-constructor.js:
2027
2028 2016-03-29  Saam barati  <sbarati@apple.com>
2029
2030         We don't properly optimize TDZ checks when we declare a let variable without an initializer
2031         https://bugs.webkit.org/show_bug.cgi?id=150453
2032
2033         Reviewed by Mark Lam.
2034
2035         * bytecompiler/NodesCodegen.cpp:
2036         (JSC::EmptyLetExpression::emitBytecode):
2037
2038 2016-03-29  Saam barati  <sbarati@apple.com>
2039
2040         Allow builtin JS functions to be intrinsics
2041         https://bugs.webkit.org/show_bug.cgi?id=155960
2042
2043         Reviewed by Mark Lam.
2044
2045         Builtin functions can now be recognized as intrinsics inside
2046         the DFG. This gives us the flexibility to either lower a builtin
2047         as an intrinsic in the DFG or as a normal function call.
2048         Because we may decide to not lower it as an intrinsic, the DFG
2049         inliner could still inline the function call.
2050
2051         You can annotate a builtin function like so to make
2052         it be recognized as an intrinsic.
2053         ```
2054         [intrinsic=FooIntrinsic] function foo() { ... }
2055         ```
2056         where FooIntrinsic is an enum value of the Intrinsic enum.
2057
2058         So in the future if we write RegExp.prototype.test as a builtin, we would do:
2059         ``` RegExpPrototype.js
2060         [intrinsic=RegExpTestIntrinsic] function test() { ... }
2061         ```
2062
2063         * Scripts/builtins/builtins_generate_combined_implementation.py:
2064         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2065         * Scripts/builtins/builtins_generate_separate_implementation.py:
2066         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2067         * Scripts/builtins/builtins_generator.py:
2068         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
2069         * Scripts/builtins/builtins_model.py:
2070         (BuiltinObject.__init__):
2071         (BuiltinFunction):
2072         (BuiltinFunction.__init__):
2073         (BuiltinFunction.fromString):
2074         (BuiltinFunction.__str__):
2075         * Scripts/builtins/builtins_templates.py:
2076         * bytecode/UnlinkedFunctionExecutable.cpp:
2077         (JSC::UnlinkedFunctionExecutable::visitChildren):
2078         (JSC::UnlinkedFunctionExecutable::link):
2079         * bytecode/UnlinkedFunctionExecutable.h:
2080         * dfg/DFGByteCodeParser.cpp:
2081         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2082         * runtime/Executable.cpp:
2083         (JSC::ExecutableBase::clearCode):
2084         (JSC::NativeExecutable::destroy):
2085         (JSC::ScriptExecutable::ScriptExecutable):
2086         (JSC::EvalExecutable::create):
2087         (JSC::EvalExecutable::EvalExecutable):
2088         (JSC::ProgramExecutable::ProgramExecutable):
2089         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2090         (JSC::FunctionExecutable::FunctionExecutable):
2091         (JSC::ExecutableBase::intrinsic): Deleted.
2092         (JSC::NativeExecutable::intrinsic): Deleted.
2093         * runtime/Executable.h:
2094         (JSC::ExecutableBase::ExecutableBase):
2095         (JSC::ExecutableBase::hasJITCodeFor):
2096         (JSC::ExecutableBase::intrinsic):
2097         (JSC::ExecutableBase::intrinsicFor):
2098         (JSC::ScriptExecutable::finishCreation):
2099         * runtime/Intrinsic.h:
2100
2101 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2102
2103         JSC::Debugger cleanup after recent changes
2104         https://bugs.webkit.org/show_bug.cgi?id=155982
2105
2106         Reviewed by Mark Lam.
2107
2108         * debugger/Debugger.cpp:
2109         (JSC::Debugger::Debugger):
2110         Initialize with breakpoints disabled. Web Inspector always informs
2111         the backend if it should enable or disable breakpoints on startup.
2112
2113         (JSC::Debugger::setProfilingClient):
2114         When using the Sampling profiler we do not need to recompile.
2115
2116 2016-03-29  Saam barati  <sbarati@apple.com>
2117
2118         "Can not" => "cannot" in String.prototype error messages
2119         https://bugs.webkit.org/show_bug.cgi?id=155895
2120
2121         Reviewed by Mark Lam.
2122
2123         * runtime/StringPrototype.cpp:
2124         (JSC::stringProtoFuncStartsWith):
2125         (JSC::stringProtoFuncEndsWith):
2126         (JSC::stringProtoFuncIncludes):
2127         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
2128         (test):
2129         (test.get let):
2130
2131 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2132
2133         Web Inspector: We should have a way to capture heap snapshots programmatically.
2134         https://bugs.webkit.org/show_bug.cgi?id=154407
2135         <rdar://problem/24726292>
2136
2137         Reviewed by Timothy Hatcher.
2138
2139         * inspector/protocol/Console.json:
2140         Add a new Console.heapSnapshot event for when a heap snapshot is taken.
2141
2142         * runtime/ConsolePrototype.cpp:
2143         (JSC::ConsolePrototype::finishCreation):
2144         (JSC::consoleProtoFuncProfile):
2145         (JSC::consoleProtoFuncProfileEnd):
2146         (JSC::consoleProtoFuncTakeHeapSnapshot):
2147         * runtime/ConsoleClient.h:
2148         Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.
2149
2150         * inspector/JSGlobalObjectConsoleClient.cpp:
2151         (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
2152         * inspector/JSGlobalObjectConsoleClient.h:
2153         Have the InspectorConsoleAgent handle this.
2154
2155         * inspector/JSGlobalObjectInspectorController.cpp:
2156         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2157         * inspector/agents/InspectorConsoleAgent.cpp:
2158         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
2159         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
2160         * inspector/agents/InspectorConsoleAgent.h:
2161         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2162         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
2163         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2164         Give the ConsoleAgent a HeapAgent pointer so that it can have the HeapAgent
2165         perform the snapshot building work like it normally does.
2166
2167 2016-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2168
2169         REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte
2170         https://bugs.webkit.org/show_bug.cgi?id=155559
2171
2172         Reviewed by Saam Barati.
2173
2174         The fast path of the eval function is the super hot path in date-format-tofte.
2175         Any performance regression is not allowed here.
2176         Before this patch, we allocated SourceCode in the fast path.
2177         This allocation incurs 10% performance regression.
2178
2179         This patch removes this allocation in the fast path,
2180         and changes the key of the EvalCodeCache to EvalCodeCache::CacheKey.
2181         It combines RefPtr<StringImpl> and isArrowFunctionContext.
2182         Since EvalCodeCache does not cache any eval code evaluated under the strict mode,
2183         it is unnecessary to include several options (ThisTDZMode, and DerivedContextType) in the cache map's key.
2184         But isArrowFunctionContext is necessary since the sloppy mode arrow function exists.
2185
2186         To validate this change, we add a new test that evaluates the same code
2187         under the non-arrow function context and the arrow function context.
2188
2189         After introducing CacheKey, we observed 1% regression compared to the RefPtr<StringImpl> keyed case.
2190         This is because HashMap<RefPtr<T>, ...>::get(T*) is specially optimized; this path is inlined while the normal ::get() is not inlined.
2191         To avoid this performance regression, we introduce HashMap::fastGet, which aggressively encourages inlining.
2192         The relationship between fastGet() and get() is similar to fastAdd() and add().
2193         After applying this change, the evaluation shows no performance regression in comparison with the RefPtr<StringImpl> keyed case.
2194
2195         * bytecode/EvalCodeCache.h:
2196         (JSC::EvalCodeCache::CacheKey::CacheKey):
2197         (JSC::EvalCodeCache::CacheKey::hash):
2198         (JSC::EvalCodeCache::CacheKey::isEmptyValue):
2199         (JSC::EvalCodeCache::CacheKey::operator==):
2200         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue):
2201         (JSC::EvalCodeCache::CacheKey::Hash::hash):
2202         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2203         (JSC::EvalCodeCache::tryGet):
2204         (JSC::EvalCodeCache::getSlow):
2205         (JSC::EvalCodeCache::isCacheable):
2206         * interpreter/Interpreter.cpp:
2207         (JSC::eval):
2208         * tests/stress/eval-in-arrow-function.js: Added.
2209         (shouldBe):
2210         (i):
2211
2212 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2213
2214         Audit WebCore builtins for user overridable code
2215         https://bugs.webkit.org/show_bug.cgi?id=155923
2216
2217         Reviewed by Youenn Fablet.
2218
2219         * runtime/CommonIdentifiers.h:
2220         * runtime/ObjectConstructor.cpp:
2221         (JSC::ObjectConstructor::finishCreation):
2222         Expose @Object.@defineProperty to built-ins.
2223
2224 2016-03-28  Benjamin Poulain  <bpoulain@apple.com>
2225
2226         [JSC] ArithSub should not propagate "UsesAsOther"
2227         https://bugs.webkit.org/show_bug.cgi?id=155932
2228
2229         Reviewed by Mark Lam.
2230
2231         The node ArithSub was backpropagating UsesAsOther.
2232         This causes any GetByVal on a Double Array to have an extra
2233         hole check if it flows into an ArithSub.
2234
2235         The definition of ArithSub (12.8.4.1) has both operands go
2236         through ToNumber(). ToNumber() on "undefined" always produces
2237         NaN. It is safe to ignore the NaN marker from hole when
2238         the DAG flows into ArithSub.
2239
2240         This patch also adds this change and test coverage to ArithAdd.
2241         ArithAdd was not a problem in practice because it is only
2242         generated before Fixup if both operands are known to be numerical.
2243         The change to ArithAdd is there to protect us from ArithSub-like
2244         problems if we ever improve our support of arithmetic operators.
2245
2246         * dfg/DFGBackwardsPropagationPhase.cpp:
2247         (JSC::DFG::BackwardsPropagationPhase::propagate):
2248         * tests/stress/arith-add-on-double-array-with-holes.js: Added.
2249         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
2250         (let.testCase.of.testCases.observableHoleOnLhs):
2251         (let.testCase.of.testCases.nonObservableHoleOnRhs):
2252         (let.testCase.of.testCases.observableHoleOnRhs):
2253         * tests/stress/arith-sub-on-double-array-with-holes.js: Added.
2254         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
2255         (let.testCase.of.testCases.observableHoleOnLhs):
2256         (let.testCase.of.testCases.nonObservableHoleOnRhs):
2257         (let.testCase.of.testCases.observableHoleOnRhs):
2258         * tests/stress/value-add-on-double-array-with-holes.js: Added.
2259         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
2260         (let.testCase.of.testCases.observableHoleOnLhs):
2261         (let.testCase.of.testCases.nonObservableHoleOnRhs):
2262         (let.testCase.of.testCases.observableHoleOnRhs):
2263
2264 2016-03-28  Brian Burg  <bburg@apple.com>
2265
2266         Web Inspector: protocol generator should generate C++ string-to-enum helper functions
2267         https://bugs.webkit.org/show_bug.cgi?id=155691
2268         <rdar://problem/25258078>
2269
2270         Reviewed by Timothy Hatcher.
2271
2272         There's a lot of code throughout the Inspector agents and automation code
2273         that needs to convert a raw string into a typed protocol enum. Generate
2274         some helpers that do this conversion so clients can move over to using it.
2275
2276         These helpers are necessary for when we eventually switch to calling backend
2277         dispatcher handlers with typed arguments instead of untyped JSON objects.
2278
2279         To correctly generate a conversion function for an anonymous enum, the
2280         generator needs to be able to get the containing object type's declaration.
2281         Since the model's Type objects each have only one instance, there is a
2282         one-to-one association between type and its declaration.
2283
2284         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2285         (CppProtocolTypesHeaderGenerator.generate_output):
2286         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2287         Clean up this method to use methodcaller to sort types by raw name.
2288
2289         (_generate_declarations_for_enum_conversion_methods):
2290         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
2291         (_generate_declarations_for_enum_conversion_methods.type_member_is_anonymous_enum_type):
2292         Added. Generates a new section with an unfilled template and specializations of
2293         the template for every named and anonymous enum in every domain. Guards for
2294         domains wrap the forward declarations. This is added to the end of the header
2295         file so that specializations for both types of enums are in the same place.
2296
2297         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2298         (CppProtocolTypesImplementationGenerator.generate_output):
2299         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2300         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.type_member_is_anonymous_enum_type):
2301         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
2302         Added. Generate a static array of offsets into the enum constant value array.
2303         Then, loop over this array of offsets and do string comparisons against the
2304         provided string and enum constant values at the relevant offsets for this enum.
2305
2306         * inspector/scripts/codegen/generator_templates.py:
2307         (GeneratorTemplates): Update copyright year in generated files.
2308
2309         * inspector/scripts/codegen/models.py:
2310         (AliasedType.__init__):
2311         (EnumType.__init__):
2312         (EnumType.enum_values):
2313         (EnumType.declaration):
2314         (ArrayType.__init__):
2315         (ArrayType.declaration):
2316         (ObjectType.__init__):
2317         (ObjectType.declaration):
2318         (Protocol.resolve_types):
2319         (Protocol.lookup_type_reference):
2320         Pass the type declaration to Type constructors if available. If not,
2321         fill in a placeholder name for the type in the constructor instead of in the caller.
2322
2323         Rebaseline all the things, mostly for copyright block changes.
2324
2325         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2326         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2327         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2328         * inspector/scripts/tests/expected/enum-values.json-result:
2329         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2330         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2331         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2332         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2333         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2334         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2335         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2336         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2337         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
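
The generated helper shape this entry describes, as an added C++ example that is not the generator's real output: a constructed Console domain with two enums, one domain-wide constant string table, and a per-enum array of offsets into it. The domain, enum names, strings and the parseEnumValueFromString signature are assumptions made here.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed example of the generated helper shape; not the generator's output.
// The domain, enums and strings below are made up for illustration.
namespace Console {
enum class ChannelLevel { Off, Basic, Verbose };
enum class MessageSource { Xml, Javascript, Network };
}

// One table with every enum constant string in the domain, in declaration order.
static const char* const enum_constant_values[] = {
    "off", "basic", "verbose",      // Console::ChannelLevel
    "xml", "javascript", "network", // Console::MessageSource
};

// Shared loop: walks one enum's offsets into the table and returns the position
// of the matching string, which is that enumerator's value, or -1 if none match.
static int matchEnumConstant(const std::string& protocolString, const size_t* offsets, size_t count)
{
    for (size_t i = 0; i < count; ++i) {
        if (std::strcmp(protocolString.c_str(), enum_constant_values[offsets[i]]) == 0)
            return static_cast<int>(i);
    }
    return -1;
}

// Unfilled primary template; one specialization is emitted per enum. Returns
// false and leaves `result` untouched for any string that is not one of this
// enum's constants, even if it is a valid constant of another enum in the domain.
template<typename ProtocolEnumType>
bool parseEnumValueFromString(const std::string& protocolString, ProtocolEnumType& result);

template<>
bool parseEnumValueFromString<Console::ChannelLevel>(const std::string& protocolString, Console::ChannelLevel& result)
{
    static const size_t constantValues[] = { 0, 1, 2 }; // offsets of off/basic/verbose
    int index = matchEnumConstant(protocolString, constantValues, 3);
    if (index < 0)
        return false;
    result = static_cast<Console::ChannelLevel>(index);
    return true;
}

template<>
bool parseEnumValueFromString<Console::MessageSource>(const std::string& protocolString, Console::MessageSource& result)
{
    static const size_t constantValues[] = { 3, 4, 5 }; // offsets of xml/javascript/network
    int index = matchEnumConstant(protocolString, constantValues, 3);
    if (index < 0)
        return false;
    result = static_cast<Console::MessageSource>(index);
    return true;
}
```

Because each specialization only consults its own offsets, a string that is a constant of a different enum in the same domain is rejected rather than cast to an out-of-range enumerator.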
2338
2339 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2340
2341         Misc. JavaScriptCore built-ins cleanups
2342         https://bugs.webkit.org/show_bug.cgi?id=155920
2343
2344         Reviewed by Mark Lam.
2345
2346         * builtins/RegExpPrototype.js:
2347         (match):
2348         No need for an else after an if that always returns.
2349
2350         * builtins/TypedArrayConstructor.js:
2351         (of):
2352         Fix error message to use the correct function name.
2353
2354         (allocateInt8Array):
2355         (allocateInt16Array):
2356         (allocateInt32Array):
2357         (allocateUint32Array):
2358         (allocateUint16Array):
2359         (allocateUint8Array):
2360         (allocateUint8ClampedArray):
2361         (allocateFloat32Array):
2362         (allocateFloat64Array):
2363         Cleanup style to be like all the other code.
2364
2365         * tests/stress/typedarray-of.js:
2366         Test the exception message.
2367
2368 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2369
2370         Date.prototype.toLocaleDateString uses overridable Object.create
2371         https://bugs.webkit.org/show_bug.cgi?id=155917
2372
2373         Reviewed by Mark Lam.
2374
2375         * builtins/DatePrototype.js:
2376         (toLocaleString.toDateTimeOptionsAnyAll):
2377         (toLocaleDateString.toDateTimeOptionsDateDate):
2378         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2379         Switch from @Object.create to @Object.@create to guarantee we are
2380         using the built-in create method and not user defined code.
2381
2382         * runtime/CommonIdentifiers.h:
2383         * runtime/ObjectConstructor.cpp:
2384         (JSC::ObjectConstructor::finishCreation):
2385         Setup the @create private symbol.
2386
2387 2016-03-25  Benjamin Poulain  <bpoulain@apple.com>
2388
2389         [JSC] Put the x86 Assembler on a binary diet
2390         https://bugs.webkit.org/show_bug.cgi?id=155683
2391
2392         Reviewed by Darin Adler.
2393
2394         The MacroAssemblers are heavily inlined. This is unfortunately
2395         important for baseline JIT where many branches can be eliminated
2396         at compile time.
2397
2398         This inlining causes a lot of binary bloat. The phases
2399         lowering to ASM are massively large.
2400
2401         This patch improves the situation a bit for x86 through
2402         many small improvements:
2403
2404         -Every instruction starts with ensureSpace(). The slow
2405          path reallocs the buffer.
2406          From that slow path, only fastRealloc() was a function
2407          call. What is around does not need to be fast, I moved
2408          the whole grow() function out of line for those cases.
2409
2410         -When testing multiple registers for REX requirements,
2411          we had something like this:
2412              byteRegRequiresRex(reg) || byteRegRequiresRex(rm)
2413              regRequiresRex(index) || regRequiresRex(base)
2414          Those were producing multiple test-and-branch. Those branches
2415          are effectively random so we don't have to care about individual
2416          branches being predictable.
2417
2418          The new code effectively does:
2419              byteRegRequiresRex(reg | rm)
2420              regRequiresRex(index | base)
2421
2422         -Change "ModRmMode" to have the value we can OR directly
2423          to the generated ModRm.
2424          This is important because some ModRM code is so large
2425          that it goes out of line.
2426
2427         -Finally, a big change on how we write to the AssemblerBuffer.
2428
2429          Previously, instructions were written byte by byte into
2430          the assembler buffer of the MacroAssembler.
2431
2432          The problem with that is the compiler cannot prove that
2433          the buffer pointer and the AssemblerBuffer are not pointing
2434          to the same memory.
2435
2436          Because of that, before any write, all the local registers
2437          were pushed back to the AssemblerBuffer memory, then everything
2438          was read back after the write to compute the next write.
2439
2440          I attempted to use the "restrict" keyword and wrapper types
2441          to help Clang with that but nothing worked.
2442
2443          The current solution is to keep a local copy of the index
2444          and the buffer pointer in the scope of each instruction.
2445          That is done by AssemblerBuffer::LocalWriter.
2446
2447          Since LocalWriter only exists locally, it stays in
2448          register and we don't have all the memory churn between
2449          each byte writing. This also allows clang to combine
2450          obvious cases since there are no longer observable side
2451          effects between bytes.
2452
2453         This patch reduces the binary size by 66k. It is a small
2454         speed-up on Sunspider.
2455
2456         * assembler/AssemblerBuffer.h:
2457         (JSC::AssemblerBuffer::ensureSpace):
2458         (JSC::AssemblerBuffer::LocalWriter::LocalWriter):
2459         (JSC::AssemblerBuffer::LocalWriter::~LocalWriter):
2460         (JSC::AssemblerBuffer::LocalWriter::putByteUnchecked):
2461         (JSC::AssemblerBuffer::LocalWriter::putShortUnchecked):
2462         (JSC::AssemblerBuffer::LocalWriter::putIntUnchecked):
2463         (JSC::AssemblerBuffer::LocalWriter::putInt64Unchecked):
2464         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
2465         (JSC::AssemblerBuffer::putIntegral):
2466         (JSC::AssemblerBuffer::outOfLineGrow):
2467         * assembler/MacroAssemblerX86Common.h:
2468         * assembler/X86Assembler.h:
2469         (JSC::X86Assembler::X86InstructionFormatter::byteRegRequiresRex):
2470         (JSC::X86Assembler::X86InstructionFormatter::regRequiresRex):
2471         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::LocalBufferWriter):
2472         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRex):
2473         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexW):
2474         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIf):
2475         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIfNeeded):
2476         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRm):
2477         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRmSib):
2478         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::registerModRM):
2479         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::memoryModRM):
2480         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp): Deleted.
2481         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp32): Deleted.
2482         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8): Deleted.
2483         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp): Deleted.
2484         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp): Deleted.
2485         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64): Deleted.
2486         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp32): Deleted.
2487         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8): Deleted.
2488         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64): Deleted.
2489         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8): Deleted.
2490         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp8): Deleted.
2491         (JSC::X86Assembler::X86InstructionFormatter::emitRex): Deleted.
2492         (JSC::X86Assembler::X86InstructionFormatter::emitRexW): Deleted.
2493         (JSC::X86Assembler::X86InstructionFormatter::emitRexIf): Deleted.
2494         (JSC::X86Assembler::X86InstructionFormatter::emitRexIfNeeded): Deleted.
2495         (JSC::X86Assembler::X86InstructionFormatter::putModRm): Deleted.
2496         (JSC::X86Assembler::X86InstructionFormatter::putModRmSib): Deleted.
2497         (JSC::X86Assembler::X86InstructionFormatter::registerModRM): Deleted.
2498         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): Deleted.
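
An added C++ example, not JSC's own X86Assembler code, modelling the three tricks this entry describes: REX tests on OR-ed register numbers, ModRmMode values that OR straight into the ModRM byte, and a LocalWriter that keeps the buffer pointer and index in locals until the instruction is done. The AssemblerBuffer and LocalWriter here are reduced stand-ins; register numbering follows x86-64 (rax..rdi = 0..7, r8..r15 = 8..15).

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for the tricks in this entry; not JSC's X86Assembler.
// x86-64 register numbers: rax..rdi = 0..7, r8..r15 = 8..15.
// r8..r15 need a REX prefix (bit 3 set). Used as byte registers, spl/bpl/sil/dil
// (4..7) also need REX, otherwise the same encoding means ah/ch/dh/bh.
static inline bool regRequiresRex(int reg) { return reg >= 8; }
static inline bool byteRegRequiresRex(int reg) { return reg >= 4; }

// Both predicates only ask whether a bit at or above a threshold is set, so the
// test on (a | b) equals the OR of the two tests: one test-and-branch, not two.
bool orTrickHoldsForAllRegisterPairs()
{
    for (int a = 0; a < 16; ++a) {
        for (int b = 0; b < 16; ++b) {
            if (regRequiresRex(a | b) != (regRequiresRex(a) || regRequiresRex(b)))
                return false;
            if (byteRegRequiresRex(a | b) != (byteRegRequiresRex(a) || byteRegRequiresRex(b)))
                return false;
        }
    }
    return true;
}

// ModRmMode holds the already-shifted "mod" field, so it ORs straight into the byte.
enum ModRmMode : uint8_t {
    ModRmMemoryNoDisp = 0x00,
    ModRmMemoryDisp8 = 0x40,
    ModRmMemoryDisp32 = 0x80,
    ModRmRegister = 0xC0,
};

static inline uint8_t modRm(ModRmMode mode, int reg, int rm)
{
    return static_cast<uint8_t>(mode | ((reg & 7) << 3) | (rm & 7));
}

class AssemblerBuffer {
public:
    // The per-instruction fast path is one compare; growing stays out of line.
    void ensureSpace(size_t bytes) { if (m_index + bytes > m_storage.size()) outOfLineGrow(m_index + bytes); }
    size_t codeSize() const { return m_index; }
    const uint8_t* data() const { return m_storage.data(); }

    // Keeps the storage pointer and write index in locals for one instruction so
    // the compiler need not spill and reload them around every byte written; the
    // destructor publishes the final index back to the buffer.
    class LocalWriter {
    public:
        LocalWriter(AssemblerBuffer& buffer, size_t requiredSpace)
            : m_buffer(buffer)
        {
            buffer.ensureSpace(requiredSpace);
            m_storage = buffer.m_storage.data();
            m_index = buffer.m_index;
        }
        ~LocalWriter() { m_buffer.m_index = m_index; }
        void putByteUnchecked(uint8_t byte) { m_storage[m_index++] = byte; }
    private:
        AssemblerBuffer& m_buffer;
        uint8_t* m_storage;
        size_t m_index;
    };

private:
    void outOfLineGrow(size_t needed) { m_storage.resize(std::max(needed, m_storage.size() * 2 + 64)); }
    std::vector<uint8_t> m_storage;
    size_t m_index = 0;
};

// MOV r/m64, r64 (REX.W + 89 /r) in register-direct form: mov <rm>, <reg>.
void emitMovRegToReg64(AssemblerBuffer& buffer, int reg, int rm)
{
    AssemblerBuffer::LocalWriter writer(buffer, 3); // REX + opcode + ModRM
    uint8_t rex = 0x48;                             // REX.W: 64-bit operand size
    if (regRequiresRex(reg))
        rex |= 0x04;                                // REX.R extends the reg field
    if (regRequiresRex(rm))
        rex |= 0x01;                                // REX.B extends the rm field
    writer.putByteUnchecked(rex);
    writer.putByteUnchecked(0x89);
    writer.putByteUnchecked(modRm(ModRmRegister, reg, rm));
}

// Encodes one instruction into a fresh buffer and returns its bytes, e.g.
// encodeMovRegToReg64(9, 0) is "mov rax, r9" = 4C 89 C8.
std::vector<uint8_t> encodeMovRegToReg64(int reg, int rm)
{
    AssemblerBuffer buffer;
    emitMovRegToReg64(buffer, reg, rm);
    return std::vector<uint8_t>(buffer.data(), buffer.data() + buffer.codeSize());
}
```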
2499
2500 2016-03-25  Saam barati  <sbarati@apple.com>
2501
2502         RegExp.prototype.test should be an intrinsic again
2503         https://bugs.webkit.org/show_bug.cgi?id=155861
2504
2505         Reviewed by Yusuke Suzuki.
2506
2507         * runtime/RegExpPrototype.cpp:
2508         (JSC::RegExpPrototype::finishCreation):
2509
2510 2016-03-25  Mark Lam  <mark.lam@apple.com>
2511
2512         ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites.
2513         https://bugs.webkit.org/show_bug.cgi?id=155904
2514
2515         Reviewed by Geoffrey Garen.
2516
2517         There exists a JS library XRegExp (see http://xregexp.com) that extends the regexp
2518         implementation.  XRegExp does feature testing by comparing RegExp.prototype.sticky
2519         to undefined.  See:
2520
2521         Example 1. https://github.com/slevithan/xregexp/blob/28a2b033c5951477bed8c7c867ddf7e89c431cd4/tests/perf/index.html
2522             ...
2523             } else if (knownVersion[version]) {
2524                 // Hack around ES6 incompatibility in XRegExp versions prior to 3.0.0
2525                 if (parseInt(version, 10) < 3) {
2526                     delete RegExp.prototype.sticky;
2527                 }
2528             ...
2529
2530         Example 2. https://github.com/slevithan/xregexp/blob/d0e665d4068cec4d15919215b098b2373f1f12e9/tests/perf/versions/xregexp-all-v2.0.0.js
2531             ...
2532             // Check for flag y support (Firefox 3+)
2533                 hasNativeY = RegExp.prototype.sticky !== undef,
2534             ...
2535
2536         The ES6 spec states that we should throw a TypeError here because RegExp.prototype
2537         is not a RegExp object, and the sticky getter is only allowed to be called on
2538         RegExp objects.  See https://tc39.github.io/ecma262/2016/#sec-get-regexp.prototype.sticky.
2539         As a result, websites that use XRegExp can break (e.g. some Atlassian tools).
2540
2541         As a workaround, we'll return undefined instead of throwing on access of these
2542         flag properties that may be used for feature testing.
2543
2544         * runtime/RegExpPrototype.cpp:
2545         (JSC::regExpProtoGetterGlobal):
2546         (JSC::regExpProtoGetterIgnoreCase):
2547         (JSC::regExpProtoGetterMultiline):
2548         (JSC::regExpProtoGetterSticky):
2549         (JSC::regExpProtoGetterUnicode):
2550
2551 2016-03-25  Caitlin Potter  <caitp@igalia.com>
2552
2553         [JSC] fix divide-by-zero in String.prototype.padStart/padEnd
2554         https://bugs.webkit.org/show_bug.cgi?id=155903
2555
2556         Reviewed by Filip Pizlo.
2557
2558         * runtime/StringPrototype.cpp:
2559         (JSC::padString):
2560
2561 2016-03-25  Benjamin Poulain  <benjamin@webkit.org>
2562
2563         [JSC] materialize-past-butterfly-allocation.js time out in debug
2564
2565         * tests/stress/materialize-past-butterfly-allocation.js:
2566         The test times out on the debug bots. We suspect there is nothing
2567         wrong, just overkill loops.
2568
2569 2016-03-25  Brian Burg  <bburg@apple.com>
2570
2571         Web Inspector: protocol generator should prefix C++ filenames with the protocol group
2572         https://bugs.webkit.org/show_bug.cgi?id=155859
2573         <rdar://problem/25349859>
2574
2575         Reviewed by Alex Christensen and Joseph Pecoraro.
2576
2577         Like for generated Objective-C files, we should use the 'protocol group' name
2578         as the prefix for generated C++ files so that headers from different protocol
2579         groups have unambiguous names.
2580
2581         * inspector/scripts/codegen/cpp_generator.py:
2582         (CppGenerator):
2583         (CppGenerator.__init__):
2584         (CppGenerator.protocol_name):
2585         Make all C++ code generators extend the CppGenerator python class and use the
2586         protocol_name() instance method. This matches a recent change to the ObjC generator.
2587
2588         * inspector/scripts/codegen/cpp_generator_templates.py:
2589         (CppGeneratorTemplates):
2590         Drive-by cleanup to use #pragma once instead of header guards.
2591
2592         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2593         (CppAlternateBackendDispatcherHeaderGenerator):
2594         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
2595         (CppAlternateBackendDispatcherHeaderGenerator.output_filename):
2596         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2597         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2598         (CppBackendDispatcherHeaderGenerator):
2599         (CppBackendDispatcherHeaderGenerator.__init__):
2600         (CppBackendDispatcherHeaderGenerator.output_filename):
2601         (CppBackendDispatcherHeaderGenerator.generate_output):
2602         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2603         (CppBackendDispatcherImplementationGenerator):
2604         (CppBackendDispatcherImplementationGenerator.__init__):
2605         (CppBackendDispatcherImplementationGenerator.output_filename):
2606         (CppBackendDispatcherImplementationGenerator.generate_output):
2607         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2608         (CppFrontendDispatcherHeaderGenerator):
2609         (CppFrontendDispatcherHeaderGenerator.__init__):
2610         (CppFrontendDispatcherHeaderGenerator.output_filename):
2611         (CppFrontendDispatcherHeaderGenerator.generate_output):
2612         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2613         (CppFrontendDispatcherImplementationGenerator):
2614         (CppFrontendDispatcherImplementationGenerator.__init__):
2615         (CppFrontendDispatcherImplementationGenerator.output_filename):
2616         (CppFrontendDispatcherImplementationGenerator.generate_output):
2617         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2618         (CppProtocolTypesHeaderGenerator):
2619         (CppProtocolTypesHeaderGenerator.__init__):
2620         (CppProtocolTypesHeaderGenerator.output_filename):
2621         (CppProtocolTypesHeaderGenerator.generate_output):
2622         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2623         (CppProtocolTypesImplementationGenerator):
2624         (CppProtocolTypesImplementationGenerator.__init__):
2625         (CppProtocolTypesImplementationGenerator.output_filename):
2626         (CppProtocolTypesImplementationGenerator.generate_output):
2627         Use the protocol_name() instance method to compute generated protocol file names.
2628
2629         * inspector/scripts/codegen/models.py:
2630         Explicitly set the 'protocol_group' for the Inspector protocol.
2631
2632         Rebaseline generator test results.
2633
2634         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2635         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2636         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2637         * inspector/scripts/tests/expected/enum-values.json-result:
2638         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2639         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2640         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2641         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2642         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2643         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2644         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2645         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2646         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2647
2648 2016-03-25  Keith Miller  <keith_miller@apple.com>
2649
2650         putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength
2651         https://bugs.webkit.org/show_bug.cgi?id=155730
2652
2653         Reviewed by Saam Barati.
2654
2655         This patch makes ensureLength return a boolean indicating if it was able to set the length.
2656         ensureLength also no longer sets the butterfly to null if the allocation of the butterfly
2657         fails. All of ensureLength's callers, including putByIndexBeyondVectorLengthWithoutAttributes,
2658         have been adapted to throw an out of memory error if ensureLength fails.
2659
2660         * runtime/JSArray.cpp:
2661         (JSC::JSArray::setLength):
2662         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2663         * runtime/JSObject.cpp:
2664         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2665         (JSC::JSObject::ensureLengthSlow):
2666         * runtime/JSObject.h:
2667         (JSC::JSObject::ensureLength):
2668
2669 2016-03-25  Caitlin Potter  <caitp@igalia.com>
2670
2671         [JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal
2672         https://bugs.webkit.org/show_bug.cgi?id=155795
2673
2674         Reviewed by Darin Adler.
2675
2676         Implements ECMAScript proposal http://tc39.github.io/proposal-string-pad-start-end/
2677         Currently at Stage 3.
2678
2679         * runtime/JSString.h:
2680         * runtime/StringPrototype.cpp:
2681         (JSC::StringPrototype::finishCreation):
2682         (JSC::repeatCharacter):
2683         (JSC::repeatStringPattern):
2684         (JSC::padString):
2685         (JSC::stringProtoFuncPadEnd):
2686         (JSC::stringProtoFuncPadStart):
2687         * tests/es6.yaml:
2688         * tests/es6/String.prototype_methods_String.prototype.padEnd.js: Added.
2689         * tests/es6/String.prototype_methods_String.prototype.padStart.js: Added.
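
As an added example (not the patch's code), the padStart/padEnd algorithm from the proposal written out in plain JavaScript; the helper names repeatStringPattern and padString echo the ones listed above but are my own, and toLength is a stand-in for the spec's ToLength.

```javascript
"use strict";

// Stand-in for the spec's ToLength: NaN and negatives become 0, the result is
// truncated and clamped to 2^53 - 1.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.trunc(n), Number.MAX_SAFE_INTEGER);
}

// Builds a filler of exactly fillLength code units by repeating the pattern
// and truncating the last partial repetition (the proposal's step 8).
function repeatStringPattern(pattern, fillLength) {
  const full = Math.floor(fillLength / pattern.length);
  const rest = fillLength - full * pattern.length;
  return pattern.repeat(full) + pattern.slice(0, rest);
}

// Shared body of padStart/padEnd; atStart selects which side gets the filler.
function padString(subject, maxLength, fillString, atStart) {
  if (subject === undefined || subject === null)
    throw new TypeError("String.prototype.pad* called on null or undefined");
  const S = String(subject);
  const intMaxLength = toLength(maxLength);
  if (intMaxLength <= S.length) return S;          // nothing to pad
  const filler = fillString === undefined ? " " : String(fillString);
  if (filler === "") return S;                      // empty filler: unchanged
  const pad = repeatStringPattern(filler, intMaxLength - S.length);
  return atStart ? pad + S : S + pad;
}

function padStart(subject, maxLength, fillString) {
  return padString(subject, maxLength, fillString, true);
}

function padEnd(subject, maxLength, fillString) {
  return padString(subject, maxLength, fillString, false);
}
```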
2690
2691 2016-03-24  Alex Christensen  <achristensen@webkit.org>
2692
2693         Fix Mac CMake build.
2694
2695         * PlatformMac.cmake:
2696         Link to Security framework.
2697
2698 2016-03-24  Saam barati  <sbarati@apple.com>
2699
2700         ES6: Implement IsRegExp function and use where needed in String.prototype.* methods
2701         https://bugs.webkit.org/show_bug.cgi?id=155854
2702
2703         Reviewed by Mark Lam.
2704
2705         This patch is a straight forward implementation of IsRegExp
2706         in the ES6 spec:
2707         https://tc39.github.io/ecma262/#sec-isregexp
2708         We now use this IsRegExp function inside String.prototype.(startsWith | endsWith | includes)
2709         as is dictated by the spec.
2710
2711         * runtime/RegExpConstructor.h:
2712         (JSC::RegExpConstructor::recordMatch):
2713         (JSC::isRegExp):
2714         * runtime/StringPrototype.cpp:
2715         (JSC::stringProtoFuncStartsWith):
2716         (JSC::stringProtoFuncEndsWith):
2717         (JSC::stringProtoFuncIncludes):
2718         * tests/es6.yaml:
2719         * tests/es6/well-known_symbols_Symbol.match_String.prototype.endsWith.js: Added.
2720         (test):
2721         * tests/es6/well-known_symbols_Symbol.match_String.prototype.includes.js: Added.
2722         (test):
2723         * tests/es6/well-known_symbols_Symbol.match_String.prototype.startsWith.js: Added.
2724         (test):
2725         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js: Added.
2726         (assert):
2727         (test):
2728         (test.get let):
2729         (get let):
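
Added example, not the patch's code: the IsRegExp abstract operation from the spec and the prologue of startsWith/endsWith/includes that uses it, in JavaScript. isRegExp, hasRegExpMatcherSlot and prepareSearch are names chosen here, and the brand check through the RegExp.prototype.global getter is this example's own device.

```javascript
"use strict";

// Brand check for the [[RegExpMatcher]] internal slot: the RegExp.prototype
// accessors throw on objects that are not RegExp instances. RegExp.prototype
// itself is exempt from that check and is not an instance, so exclude it.
const regExpGlobalGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, "global").get;
function hasRegExpMatcherSlot(value) {
  if (value === RegExp.prototype) return false;
  try { regExpGlobalGetter.call(value); return true; } catch (_) { return false; }
}

// IsRegExp(argument), ES2015 7.2.8: an explicit Symbol.match property wins over
// the internal slot, so plain objects can opt in and real RegExps can opt out.
function isRegExp(argument) {
  if (argument === null || (typeof argument !== "object" && typeof argument !== "function"))
    return false;
  const matcher = argument[Symbol.match];
  if (matcher !== undefined) return Boolean(matcher);
  return hasRegExpMatcherSlot(argument);
}

// Stand-in for ToInteger (NaN -> 0, otherwise truncate; infinities pass through).
function toInteger(value) {
  const n = Number(value);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Common prologue: coerce the receiver, then reject RegExp-like search strings
// before coercing them to a string, exactly in the spec's order.
function prepareSearch(thisValue, searchString, methodName) {
  if (thisValue === undefined || thisValue === null)
    throw new TypeError(`String.prototype.${methodName} called on null or undefined`);
  const S = String(thisValue);
  if (isRegExp(searchString))
    throw new TypeError(`First argument to String.prototype.${methodName} must not be a regular expression`);
  return { S, searchStr: String(searchString) };
}

function stringStartsWith(thisValue, searchString, position) {
  const { S, searchStr } = prepareSearch(thisValue, searchString, "startsWith");
  const start = Math.min(Math.max(toInteger(position), 0), S.length);
  if (start + searchStr.length > S.length) return false;
  return S.substring(start, start + searchStr.length) === searchStr;
}

function stringEndsWith(thisValue, searchString, endPosition) {
  const { S, searchStr } = prepareSearch(thisValue, searchString, "endsWith");
  const pos = endPosition === undefined ? S.length : toInteger(endPosition);
  const end = Math.min(Math.max(pos, 0), S.length);
  const start = end - searchStr.length;
  if (start < 0) return false;
  return S.substring(start, end) === searchStr;
}

function stringIncludes(thisValue, searchString, position) {
  const { S, searchStr } = prepareSearch(thisValue, searchString, "includes");
  const start = Math.min(Math.max(toInteger(position), 0), S.length);
  return S.indexOf(searchStr, start) !== -1;
}
```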
2730
2731 2016-03-24  Saam barati  <sbarati@apple.com>
2732
2733         Web Inspector: Separate Debugger enable state from the debugger breakpoints enabled state
2734         https://bugs.webkit.org/show_bug.cgi?id=152193
2735         <rdar://problem/23867520>
2736
2737         Reviewed by Joseph Pecoraro.
2738
2739         When all breakpoints are disabled, we can recompile all JS
2740         code and remove the necessary debugging code that is emitted.
2741         This allows for the code that is executing to be almost as fast
2742         as it is with the debugger completely disabled. This is in preparation for:
2743         https://bugs.webkit.org/show_bug.cgi?id=155809
2744         which will introduce a high fidelity profiler. That profiler
2745         could be built off the principle that breakpoints are disabled
2746         when we're performing a high fidelity profile. Doing so, for example,
2747         allows the sampling profiler to better measure the real performance
2748         of the JS of a particular application.
2749
2750         * debugger/Debugger.cpp:
2751         (JSC::Debugger::setBreakpointsActivated):
2752         (JSC::Debugger::setPauseOnExceptionsState):
2753         * debugger/Debugger.h:
2754         * dfg/DFGGraph.cpp:
2755         (JSC::DFG::Graph::Graph):
2756         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2757         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
2758         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
2759         * inspector/agents/InspectorDebuggerAgent.cpp:
2760         (Inspector::InspectorDebuggerAgent::enable):
2761         * runtime/Executable.cpp:
2762         (JSC::ScriptExecutable::newCodeBlockFor):
2763         * runtime/JSGlobalObject.cpp:
2764         (JSC::JSGlobalObject::createProgramCodeBlock):
2765         (JSC::JSGlobalObject::createEvalCodeBlock):
2766         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2767         (JSC::JSGlobalObject::queueMicrotask):
2768         (JSC::JSGlobalObject::hasDebugger):
2769         (JSC::JSGlobalObject::hasInteractiveDebugger):
2770         * runtime/JSGlobalObject.h:
2771         (JSC::JSGlobalObject::runtimeFlags):
2772         (JSC::JSGlobalObject::hasDebugger): Deleted.
2773
2774 2016-03-24  Michael Saboff  <msaboff@apple.com>
2775
2776         Create private builtin helper advanceStringIndexUnicode() for use by RegExp builtins
2777         https://bugs.webkit.org/show_bug.cgi?id=155855
2778
2779         Reviewed by Mark Lam.
2780
2781         Moved advanceStringIndexUnicode() as a separate helper.  Added it as a private builtin
2782         to the GlobalObject like other private builtins.
2783
2784         * builtins/RegExpPrototype.js:
2785         (advanceStringIndexUnicode):
2786         (match):
2787         (match.advanceStringIndexUnicode): Deleted.
2788         * runtime/JSGlobalObject.cpp:
2789         (JSC::JSGlobalObject::init):
2790
2791 2016-03-24  Michael Saboff  <msaboff@apple.com>
2792
2793         [ES6] Add Proxy based tests for RegExp.prototype[@@match]
2794         https://bugs.webkit.org/show_bug.cgi?id=155807
2795
2796         Reviewed by Saam Barati.
2797
2798         Added new test that uses Proxy to verify RegExp.prototype[@@match] processing
2799         conforms to the ES6 standard.
2800
2801         Modified builtin RegExp.prototype[@@match] to be ES6 spec conformant.
2802
2803         Updated es6.yaml as Proxy_internal_get_calls_RegExp.prototype[Symbol.match].js now passes.
2804
2805         * builtins/RegExpPrototype.js:
2806         (match):
2807         * tests/es6.yaml: Updated.
2808         * tests/stress/regexp-match-proxy.js: Added.
2809         (assert):
2810         (let.getProxyNullExec.new.Proxy):
2811         (let.getSetProxyNullExec.new.Proxy):
2812         (get resetTracking):
2813         (let.getSetProxyMatches_s.new.Proxy):
2814         (set get getSetProxyNullExec):
2815         (let.getSetProxyMatches_tx_Greedy.new.Proxy):
2816         (set get getSetProxyMatches_s):
2817         (let.getSetProxyMatchesUnicode_digit_nonGreedy.new.Proxy):
2818         (set get getSetProxyMatches_tx_Greedy):
2819
2820 2016-03-24  Michael Saboff  <msaboff@apple.com>
2821
2822         [ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters
2823         https://bugs.webkit.org/show_bug.cgi?id=155829
2824
2825         Reviewed by Saam Barati.
2826
2827         When we back up while matching part of a unicode pattern, we can't just back up one character.
2828         Instead we need to save our start position before trying to match a character and
2829         restore the position if the match fails.  This was done in other places, but wasn't
2830         done for all greedy types.
2831
2832         Fixed matchGlobal() to properly handle advancing past non BMP characters.
2833
2834         * runtime/RegExpObject.cpp:
2835         (JSC::RegExpObject::matchGlobal):
2836         * runtime/RegExpObjectInlines.h:
2837         (JSC::RegExpObject::advanceStringUnicode):
2838         * yarr/YarrInterpreter.cpp:
2839         (JSC::Yarr::Interpreter::matchCharacterClass):
2840         (JSC::Yarr::Interpreter::matchDisjunction):
2841
2842 2016-03-24  Benjamin Poulain  <bpoulain@apple.com>
2843
2844         [JSC] In some cases, the integer range optimization phase never converges
2845         https://bugs.webkit.org/show_bug.cgi?id=155828
2846         rdar://problem/25155460
2847
2848         Reviewed by Filip Pizlo.
2849
2850         In certain conditions, the integer range optimization phase continuously
2851         changes the representation of the same truth, preventing it from
2852         converging to a stable state.
2853
2854         The bug starts by having the same ground truth incoming into a block
2855         in different valid forms. For example, you can have x < 42 coming as:
2856             1) x < 42
2857             2) x < 41 + 1
2858             3) x < 43 - 1
2859
2860         Having those 3 alone coming from predecessors would be okay; we would
2861         just accumulate them. The problem is when you have a combination
2862         of rules that filter out the previously obtained truth, then add a new
2863         form of the same truth.
2864
2865         Let's use the test case as an example. We have two incoming blocks:
2866             Block #1:
2867               -i < 42
2868               -i != 41
2869             Block #2:
2870               -i < 41
2871               -i == 42 - 42 (i == 0 refining the rule above).
2872
2873         Let's say that our conditions at head are now [i < 41, i < 42 - 1].
2874
2875         If we merge block #2:
2876               -i < 42 and i < 41      -> i < 42
2877               -i < 42 and i < 42 - 1  -> i < 42
2878               -i != 41 and i < 41     -> i < 41
2879               -i != 41 and i < 42 - 1 -> nothing
2880
2881         The new head is: [i < 41, i < 42]
2882
2883         If we merge block #1:
2884               -i < 41 and i < 41       -> i < 41
2885               -i < 41 and i < 42       -> i < 42
2886               -i == 42 - 42 and i < 41 -> (i < 41 and i < 42 - 1)
2887               -i == 42 - 42 and i < 42 -> i < 42
2888
2889         After filter, we are back to [i < 41, i < 42 - 1].
2890
2891         There are several variations of this idea where the same truth
2892         rotates through different forms with each merge().
2893
2894         One possible solution is to make filter() more aggressive
2895         to avoid the better form occurring at merge(). I'll probably
2896         do that at some point but that seems fragile since the same
2897         problem could reappear if merge() is later improved.
2898
2899         For this patch, I went with a more generic solution after
2900         merge(): if the generated form is equivalent to one that
2901         previously existed at head, pick the existing form.
2902
2903         In the previous example, what happens is we only have
2904         either [i < 41] or [i < 42 - 1] but never both simultaneously.
2905
2906         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2907         * tests/stress/integer-range-optimization-constant-representation-1.js: Added.
2908         * tests/stress/integer-range-optimization-constant-representation-2.js: Added.
2909         Two variations. One times out in release because of the additional flags.
2910         The other gets more types of runs but only asserts in debug.
2911
2912 2016-03-23  Commit Queue  <commit-queue@webkit.org>
2913
2914         Unreviewed, rolling out r198582.
2915         https://bugs.webkit.org/show_bug.cgi?id=155812
2916
2917         "It broke debugging in the web inspector" (Requested by
2918         saamyjoon on #webkit).
2919
2920         Reverted changeset:
2921
2922         "We should not disable inlining when the debugger is enabled"
2923         https://bugs.webkit.org/show_bug.cgi?id=155741
2924         http://trac.webkit.org/changeset/198582
2925
2926 2016-03-23  Michael Saboff  <msaboff@apple.com>
2927
2928         JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls
2929         https://bugs.webkit.org/show_bug.cgi?id=155776
2930
2931         Reviewed by Saam Barati.
2932
2933         Array.join ends up calling toString, possibly on some object.  Since these calls
2934         could be effectful and could change the array itself, we can't hold the butterfly
2935         pointer while making effectful calls.  Changed the code to fall back to the general
2936         case when an effectful toString() call might be made.
2937
2938         * runtime/ArrayPrototype.cpp:
2939         (JSC::join):
2940         * runtime/JSStringJoiner.h:
2941         (JSC::JSStringJoiner::appendWithoutSideEffects): New helper that doesn't make effectful
2942         toString() calls.
2943         (JSC::JSStringJoiner::append): Built upon appendWithoutSideEffects.
2944
2945 2016-03-23  Keith Miller  <keith_miller@apple.com>
2946
2947         Array.prototype native functions' species constructors should work with proxies
2948         https://bugs.webkit.org/show_bug.cgi?id=155798
2949
2950         Reviewed by Mark Lam.
2951
2952         Before, the native species constructors were checking whether the this value was a JSArray.
2953         Instead they should check that the this value returns true from Array.isArray.
2954
2955         * runtime/ArrayPrototype.cpp:
2956         (JSC::speciesConstructArray):
2957         * tests/es6.yaml:
2958         * tests/stress/proxy-array-prototype-methods.js:
2959
2960 2016-03-23  Saam barati  <sbarati@apple.com>
2961
2962         We should not disable inlining when the debugger is enabled
2963         https://bugs.webkit.org/show_bug.cgi?id=155741
2964
2965         Reviewed by Oliver Hunt.
2966
2967         We can enable inlining when the debugger is enabled as long
2968         as we make sure we still jettison the proper CodeBlocks when
2969         a breakpoint is set. This means that for any optimized CodeBlock,
2970         we must ask if any of its inlinees contain the breakpoint that
2971         is being set. If any inlinees do contain the breakpoint, we must
2972         jettison the machine code block that they are a part of.
2973
2974         * debugger/Debugger.cpp:
2975         (JSC::Debugger::toggleBreakpoint):
2976         (JSC::Debugger::applyBreakpoints):
2977         * dfg/DFGByteCodeParser.cpp:
2978         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2979         (JSC::DFG::ByteCodeParser::setLocal):
2980         (JSC::DFG::ByteCodeParser::flush):
2981         (JSC::DFG::ByteCodeParser::flushForTerminal):
2982         (JSC::DFG::ByteCodeParser::inliningCost):
2983         * dfg/DFGGraph.cpp:
2984         (JSC::DFG::Graph::Graph):
2985         (JSC::DFG::Graph::~Graph):
2986         * dfg/DFGGraph.h:
2987         (JSC::DFG::Graph::hasDebuggerEnabled): Deleted.
2988         * dfg/DFGStackLayoutPhase.cpp:
2989         (JSC::DFG::StackLayoutPhase::run):
2990         * ftl/FTLCompile.cpp:
2991         (JSC::FTL::compile):
2992
2993 2016-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2994
2995         [ES6] Allow undefined/null for Symbol.search and Symbol.match
2996         https://bugs.webkit.org/show_bug.cgi?id=155785
2997
2998         Reviewed by Saam Barati.
2999
3000         Undefined and null for Symbol.search and Symbol.match properties of the given RegExp (like) object are allowed.
3001         When they are specified, we go to the fallback path; creating the RegExp with the given object and matching.
3002
3003         * builtins/StringPrototype.js:
3004         (match):
3005         (search):
3006         * tests/stress/string-symbol-customization.js: Added.
3007         (shouldBe):
3008         (shouldThrow):
3009
3010 2016-03-22  Caitlin Potter  <caitp@igalia.com>
3011
3012         [JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors
3013         https://bugs.webkit.org/show_bug.cgi?id=155563
3014
3015         Reviewed by Saam Barati.
3016
3017         * runtime/JSObject.h:
3018         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
3019         * runtime/ObjectConstructor.cpp:
3020         (JSC::objectConstructorGetOwnPropertyDescriptors):
3021
3022 2016-03-22  Saam Barati  <sbarati@apple.com>
3023
3024         We should FTL compile code when the debugger is enabled
3025         https://bugs.webkit.org/show_bug.cgi?id=155740
3026
3027         Reviewed by Oliver Hunt.
3028
3029         There was no fundamental reason why we didn't support debugging
3030         with the FTL. It looks like this was just an oversight. We had
3031         a Breakpoint node in the DFG that amounted to a nop. By removing
3032         this node, we now support debugging in the FTL. Anytime a breakpoint
3033         is set, we will jettison any DFG/FTL CodeBlocks that contain the breakpoint
3034         that was set.
3035
3036         * dfg/DFGAbstractInterpreterInlines.h:
3037         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3038         * dfg/DFGByteCodeParser.cpp:
3039         (JSC::DFG::ByteCodeParser::parseBlock):
3040         * dfg/DFGClobberize.h:
3041         (JSC::DFG::clobberize):
3042         * dfg/DFGDoesGC.cpp:
3043         (JSC::DFG::doesGC):
3044         * dfg/DFGFixupPhase.cpp:
3045         (JSC::DFG::FixupPhase::fixupNode):
3046         * dfg/DFGNodeType.h:
3047         * dfg/DFGPredictionPropagationPhase.cpp:
3048         (JSC::DFG::PredictionPropagationPhase::propagate):
3049         * dfg/DFGSafeToExecute.h:
3050         (JSC::DFG::safeToExecute):
3051         * dfg/DFGSpeculativeJIT32_64.cpp:
3052         (JSC::DFG::SpeculativeJIT::compile):
3053         * dfg/DFGSpeculativeJIT64.cpp:
3054         (JSC::DFG::SpeculativeJIT::compile):
3055
3056 2016-03-22  Keith Miller  <keith_miller@apple.com>
3057
3058         REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html
3059         https://bugs.webkit.org/show_bug.cgi?id=155067
3060
3061         Reviewed by Filip Pizlo.
3062
3063         GCIncomingRefCountedSets need to be finalized before we start
3064         destructing members of the Heap object. Previously, we would
3065         clear all our ArrayBuffer objects when the GCIncomingRefCountedSet
3066         holding them was destroyed. However, ArrayBuffers have a weak
3067         reference to their wrappers. When we would attempt to destroy the
3068         ArrayBuffer object we would end up accessing the WeakImpl for
3069         the weak reference, which had already been freed as we destroyed
3070         our weak block. The solution to this is to move the old
3071         GCIncomingRefCountedSet destructor functionality to a new
3072         function lastChanceToFinalize. This function is called when
3073         we finalize our other objects on Heap destruction.
3074
3075         * heap/GCIncomingRefCountedSet.h:
3076         * heap/GCIncomingRefCountedSetInlines.h:
3077         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
3078         (JSC::GCIncomingRefCountedSet<T>::~GCIncomingRefCountedSet): Deleted.
3079         * heap/Heap.cpp:
3080         (JSC::Heap::lastChanceToFinalize):
3081
3082 2016-03-22  Per Arne Vollan  <peavo@outlook.com>
3083
3084         [Win] [64-bit] Remove MSVC 2013 FMA3 Bug Workaround
3085         https://bugs.webkit.org/show_bug.cgi?id=141499
3086
3087         Reviewed by Brent Fulgham.
3088
3089         As we have moved on to VS2015, this workaround is no longer needed.
3090
3091         * API/tests/testapi.c:
3092         (main):
3093         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
3094         (wWinMain):
3095         * jsc.cpp:
3096         (main):
3097         * testRegExp.cpp:
3098         (main):
3099
3100 2016-03-22  Michael Saboff  <msaboff@apple.com>
3101
3102         [ES6] Implement RegExp.prototype[@@match]
3103         https://bugs.webkit.org/show_bug.cgi?id=155711
3104
3105         Reviewed by Filip Pizlo.
3106
3107         Implemented ES6 spec for String.prototype.match and RegExp.prototype[@@match].
3108         Implemented both as builtins, with String.prototype.match calling 
3109         RegExp.prototype[@@match].
3110
3111         For performance reasons, RegExp.prototype[@@match] has a C++ fast path when
3112         RegExp.prototype.exec has not been overridden.  This fast path,
3113         RegExpObject::matchGlobal, was taken from the prior StringPrototype::match.
3114         It only handles global matches.
3115
3116         Added new test, stress/regexp-match.js.
3117
3118         Updated various tests for changed exception strings and now-passing ES6 behavior.
3119
3120         * CMakeLists.txt: 
3121         * DerivedSources.make:
3122         * JavaScriptCore.xcodeproj/project.pbxproj:
3123         Added builtins/RegExpPrototype.js and eliminated RegExpPrototype.lut.h.
3124
3125         * builtins/RegExpPrototype.js: Added.
3126         (match.advanceStringIndexUnicode): Helper.
3127         (match): Implements RegExp.prototype[@@match].
3128         * builtins/StringPrototype.js:
3129         (match): Implements String.prototype.match.
3130
3131         * bytecode/BytecodeIntrinsicRegistry.cpp:
3132         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3133         (JSC::BytecodeIntrinsicRegistry::lookup):
3134         * bytecode/BytecodeIntrinsicRegistry.h:
3135         * runtime/CommonIdentifiers.h:
3136         Added Symbol.match and builtins @match and @exec.
3137
3138         * runtime/RegExpObject.cpp:
3139         * runtime/RegExpObject.h:
3140         * runtime/RegExpObjectInlines.h:
3141         (JSC::RegExpObject::matchGlobal): Added.
3142         (JSC::RegExpObject::advanceStringUnicode): Added helper.
3143
3144         * runtime/RegExpPrototype.cpp:
3145         * runtime/RegExpPrototype.h:
3146         (JSC::RegExpPrototype::RegExpPrototype):
3147         (JSC::RegExpPrototype::finishCreation):
3148         (JSC::RegExpPrototype::visitChildren):
3149         (JSC::regExpProtoFuncMatchPrivate):
3150         (JSC::RegExpPrototype::getOwnPropertySlot): Deleted.
3151         (JSC::RegExpPrototype::create):
3152         Restructured to create properties explicitly due to having two names for native regExpProtoFuncExec.
3153
3154         * runtime/StringPrototype.cpp:
3155         (JSC::StringPrototype::finishCreation):
3156         Made match a builtin.
3157         Removed unused declaration of stringProtoFuncSearch() since it was made a builtin.
3158
3159         * tests/es6.yaml:
3160         * tests/stress/regexp-match.js: Added.
3161         (shouldBe):
3162         (shouldThrow):
3163         (errorKey.toString):
3164         (primitive.of.primitives.shouldThrow):
3165         (testRegExpMatch):
3166         (testMatch):
3167         (testBoth):
3168         (alwaysUnmatch):
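
Added example serving this entry and the 2016-03-24 entries on advanceStringIndexUnicode and the Proxy-based @@match tests (not the project's builtin): RegExp.prototype[@@match] and AdvanceStringIndex written out in JavaScript from the ES2015 algorithm, plus a Proxy probe modelled on the stress test's approach that logs the observable get/set sequence. regExpMatch, regExpExec, setLastIndex and traceMatch are names chosen here.

```javascript
"use strict";

// AdvanceStringIndex(S, index, unicode), ES2015 21.2.5.2.3: in unicode mode an
// empty match must step over a whole surrogate pair, never land inside one.
function advanceStringIndex(S, index, unicode) {
  if (!unicode) return index + 1;
  if (index + 1 >= S.length) return index + 1;
  const first = S.charCodeAt(index);
  if (first < 0xD800 || first > 0xDBFF) return index + 1;
  const second = S.charCodeAt(index + 1);
  if (second < 0xDC00 || second > 0xDFFF) return index + 1;
  return index + 2;
}

// RegExpExec(R, S), 21.2.5.2.1: a user-supplied "exec" takes precedence over
// the builtin, and must return an object or null.
function regExpExec(R, S) {
  const exec = R.exec;
  if (typeof exec === "function") {
    const result = exec.call(R, S);
    if (result !== null && typeof result !== "object" && typeof result !== "function")
      throw new TypeError("exec result must be an object or null");
    return result;
  }
  return RegExp.prototype.exec.call(R, S);  // throws if R has no [[RegExpMatcher]]
}

// Set(O, "lastIndex", v, true): a refused assignment is a TypeError.
function setLastIndex(rx, value) {
  if (!Reflect.set(rx, "lastIndex", value)) throw new TypeError("cannot set lastIndex");
}

// Stand-in for ToLength.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.trunc(n), Number.MAX_SAFE_INTEGER);
}

// RegExp.prototype[@@match](string), 21.2.5.6, with the receiver passed as rx.
function regExpMatch(rx, string) {
  if (rx === null || (typeof rx !== "object" && typeof rx !== "function"))
    throw new TypeError("RegExp.prototype[Symbol.match] requires an object");
  const S = String(string);
  if (!Boolean(rx.global)) return regExpExec(rx, S);
  const fullUnicode = Boolean(rx.unicode);
  setLastIndex(rx, 0);
  const A = [];
  for (;;) {
    const result = regExpExec(rx, S);
    if (result === null) return A.length === 0 ? null : A;
    const matchStr = String(result[0]);
    A.push(matchStr);
    if (matchStr === "") {
      // Empty match: advance by hand or the loop would never terminate.
      const thisIndex = toLength(rx.lastIndex);
      setLastIndex(rx, advanceStringIndex(S, thisIndex, fullUnicode));
    }
  }
}

// Probe: wrap a real RegExp in a Proxy that records every get/set and routes
// "exec" to the builtin on the underlying target, so the order of observable
// operations can be compared with what the spec prescribes.
function traceMatch(re, string) {
  const log = [];
  const proxy = new Proxy(re, {
    get(target, key) {
      log.push(`get ${String(key)}`);
      if (key === "exec") return (s) => RegExp.prototype.exec.call(target, s);
      return Reflect.get(target, key);
    },
    set(target, key, value) {
      log.push(`set ${String(key)}`);
      return Reflect.set(target, key, value);
    },
  });
  return { result: regExpMatch(proxy, string), log };
}
```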
3169
3170 2016-03-22  Caitlin Potter  <caitp@igalia.com>
3171
3172         [JSC] allow duplicate property names returned from Proxy ownKeys() trap
3173         https://bugs.webkit.org/show_bug.cgi?id=155560
3174
3175         Reviewed by Darin Adler.
3176
3177         Specification allows duplicate property names to be reported by the
3178         Proxy ownKeys() trap --- and this is observable in any API which
3179         operates on the returned list, such as Object.keys(),
3180         Object.getOwnPropertyNames(), Object.getOwnPropertySymbols(), or
3181         Object.getOwnPropertyDescriptors().
3182
3183         * runtime/PropertyNameArray.h:
3184         (JSC::PropertyNameArray::addUnchecked):
3185         (JSC::PropertyNameArray::add):
3186         (JSC::PropertyNameArray::addKnownUnique): Deleted.
3187         * runtime/ProxyObject.cpp:
3188         (JSC::ProxyObject::performGetOwnPropertyNames):
3189         * runtime/Structure.cpp:
3190         (JSC::Structure::getPropertyNamesFromStructure):
3191
3192 2016-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3193
3194         [JSC] Clean up Math.floor thunk and use SSE round instruction
3195         https://bugs.webkit.org/show_bug.cgi?id=155705
3196
3197         Reviewed by Geoffrey Garen.
3198
3199         SSE now allows us to use the round instruction to implement Math.floor.
3200         MacroAssembler's floorDouble is now only used on ARM64, but it can be allowed on x86 SSE.
3201
3202         * jit/ThunkGenerators.cpp:
3203         (JSC::floorThunkGenerator):
3204
3205 2016-03-21  Konstantin Tokarev  <annulen@yandex.ru>
3206
3207         Fixed compilation with GCC 4.8.
3208         https://bugs.webkit.org/show_bug.cgi?id=155698
3209
3210         Reviewed by Alexey Proskuryakov.
3211
3212         GCC 4.8 does not allow aggregate initialization for a type with a deleted
3213         constructor, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52707.
3214
3215         * dfg/DFGCSEPhase.cpp: Added ctor for ImpureDataSlot.
3216
3217 2016-03-21  Joonghun Park  <jh718.park@samsung.com>
3218
3219         [JSC] Add ArrayBuffer::tryCreate and change the callsites where it is needed
3220         https://bugs.webkit.org/show_bug.cgi?id=155328
3221
3222         Reviewed by Darin Adler.
3223
3224         * API/JSTypedArray.cpp:
3225         (JSObjectMakeTypedArray):
3226         (JSObjectMakeArrayBufferWithBytesNoCopy):
3227         * runtime/ArrayBuffer.h:
3228         (JSC::ArrayBuffer::create):
3229         (JSC::ArrayBuffer::tryCreate):
3230         (JSC::ArrayBuffer::createUninitialized):
3231         (JSC::ArrayBuffer::tryCreateUninitialized):
3232         (JSC::ArrayBuffer::createInternal):
3233         * runtime/GenericTypedArrayViewInlines.h:
3234         (JSC::GenericTypedArrayView<Adaptor>::create):
3235         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
3236         * runtime/JSArrayBufferConstructor.cpp:
3237         (JSC::constructArrayBuffer):
3238
3239 2016-03-20  Dan Bernstein  <mitz@apple.com>
3240
3241         [Mac] Determine TARGET_MAC_OS_X_VERSION_MAJOR from MACOSX_DEPLOYMENT_TARGET rather than from MAC_OS_X_VERSION_MAJOR
3242         https://bugs.webkit.org/show_bug.cgi?id=155707
3243         <rdar://problem/24980691>
3244
3245         Reviewed by Darin Adler.
3246
3247         * Configurations/Base.xcconfig: Set TARGET_MAC_OS_X_VERSION_MAJOR based on the last
3248           component of MACOSX_DEPLOYMENT_TARGET.
3249         * Configurations/DebugRelease.xcconfig: For engineering builds, preserve the behavior of
3250           TARGET_MAC_OS_X_VERSION_MAJOR being the host’s OS version.
3251
3252 2016-03-20  Michael Saboff  <msaboff@apple.com>
3253
3254         Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
3255         https://bugs.webkit.org/show_bug.cgi?id=155679
3256
3257         Reviewed by Saam Barati.
3258
3259         Allocate out of line storage based on what the structure says it needs
3260         in JSArray::tryCreateUninitialized.
3261
3262         * runtime/JSArray.h:
3263         (JSC::JSArray::tryCreateUninitialized):
3264
3265 2016-03-20  Joseph Pecoraro  <pecoraro@apple.com>
3266
3267         Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
3268         https://bugs.webkit.org/show_bug.cgi?id=155678
3269         <rdar://problem/25251439>
3270
3271         Reviewed by Filip Pizlo.
3272
3273         This fixes a crash that we saw with GuardMalloc. If the Plan was
3274         Cancelled it may not be safe to access the VM. If the Plan was
3275         cancelled we are just going to bail anyways, so keep the ASSERT but
3276         short-circuit if the plan was Cancelled.
3277
3278         * dfg/DFGWorklist.cpp:
3279         (JSC::DFG::Worklist::runThread):
3280
3281 2016-03-20  Dan Bernstein  <mitz@apple.com>
3282
3283         Update build settings
3284
3285         Rubber-stamped by Andy Estes.
3286
3287         * Configurations/DebugRelease.xcconfig:
3288         * Configurations/FeatureDefines.xcconfig:
3289         * Configurations/Version.xcconfig:
3290
3291 2016-03-19  Skachkov Oleksandr  <gskachkov@gmail.com>
3292
3293         [ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable
3294         https://bugs.webkit.org/show_bug.cgi?id=155491
3295
3296         Reviewed by Saam Barati.
3297
3298         The current message 'super is only valid inside of funcitons' is not correct
3299         after the patch for https://bugs.webkit.org/show_bug.cgi?id=153864 because
3300         it is allowed to use 'super' in eval. The current patch replaces the old message with
3301         'Super is only valid inside functions or 'eval' inside a function' and
3302         fixes tests that rely on this message.
3303
3304         * parser/Parser.cpp:
3305         (JSC::Parser<LexerType>::parseMemberExpression):
3306         * tests/stress/generator-with-super.js:
3307         (shouldThrow):
3308         * tests/stress/modules-syntax-error.js:
3309         * tests/stress/super-in-lexical-scope.js:
3310         * tests/stress/tagged-templates-syntax.js:
3311
3312 2016-03-19  Mark Lam  <mark.lam@apple.com>
3313
3314         ES6 spec requires that ErrorPrototype not be an Error object.
3315         https://bugs.webkit.org/show_bug.cgi?id=155680
3316
3317         Reviewed by Michael Saboff.
3318
3319         The ES6 spec states that Error.prototype should not be an instance of Error:
3320         https://tc39.github.io/ecma262/#sec-properties-of-the-error-prototype-object
3321
3322         "The Error prototype object is an ordinary object. It is not an Error instance
3323         and does not have an [[ErrorData]] internal slot."
3324
3325         This patch changes ErrorPrototype to conform to the above specification.
3326
3327         * runtime/ErrorConstructor.cpp:
3328         (JSC::ErrorConstructor::finishCreation):
3329         * runtime/ErrorPrototype.cpp:
3330         (JSC::ErrorPrototype::ErrorPrototype):
3331         (JSC::ErrorPrototype::finishCreation):
3332         (JSC::ErrorPrototype::getOwnPropertySlot):
3333         * runtime/ErrorPrototype.h:
3334         (JSC::ErrorPrototype::create):
3335
3336         * runtime/NativeErrorConstructor.cpp:
3337         (JSC::NativeErrorConstructor::finishCreation):
3338         * runtime/NativeErrorPrototype.cpp:
3339         (JSC::NativeErrorPrototype::NativeErrorPrototype):
3340         (JSC::NativeErrorPrototype::finishCreation):
3341         * runtime/NativeErrorPrototype.h:
3342         (JSC::NativeErrorPrototype::create):
3343         - updated to no longer need a JSGlobalObject argument.
3344
3345         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
3346         - updated to match the kangax version of this test.
3347
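A constructed conformance check for the ErrorPrototype change described above (an added example, not JSC's own test and not the kangax test it mentions): for Error and each NativeError constructor it reports whether the prototype is an ordinary object while a fresh instance still carries [[ErrorData]], using the Object.prototype.toString tag as the observable.

```javascript
// Per ES6 19.5.3, Error.prototype (and each NativeError prototype) is an ordinary
// object without an [[ErrorData]] internal slot. Object.prototype.toString exposes
// that slot: an object that has it reports "[object Error]", an ordinary object
// reports "[object Object]". The list and helpers below are constructed for this check.
const toStringTag = (o) => Object.prototype.toString.call(o);

// Constructors whose prototypes the spec says must NOT carry [[ErrorData]].
const ERROR_CONSTRUCTORS = [
  Error, EvalError, RangeError, ReferenceError, SyntaxError, TypeError, URIError,
];

function prototypeIsOrdinary(ctor) {
  const prototypeTag = toStringTag(ctor.prototype);
  // A real instance produced by the constructor does have [[ErrorData]],
  // so this distinguishes "prototype is ordinary" from "toString is broken".
  const instanceTag = toStringTag(new ctor("constructed message"));
  return {
    name: ctor.name,
    prototypeTag,
    instanceTag,
    conforming: prototypeTag === "[object Object]" && instanceTag === "[object Error]",
  };
}

// One result record per constructor.
function checkAllErrorPrototypes() {
  return ERROR_CONSTRUCTORS.map(prototypeIsOrdinary);
}

// Names of constructors whose prototype still looks like an Error instance
// (empty on an engine that conforms to the spec text quoted in the entry).
function nonConforming() {
  return checkAllErrorPrototypes()
    .filter((r) => !r.conforming)
    .map((r) => r.name);
}
```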