Remove unused m_writtenVariables from the parser and related bits
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-20  Saam Barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't an Octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam Barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there are only 128 FLS indices compared to over 1000 for TLS,
        I eliminated the thread-specific m_threadSpecificForThread and instead we look
        for the current thread in the m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to the signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-misses.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is:
        1) Order of Reg.
        2) Order of offsets.
        We already generate the list in order.

        Also allocate the right array size ahead of filling the array.

        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort): Deleted.
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::append): Deleted.

2016-04-19  Saam Barati  <sbarati@apple.com>

        Add a couple UNLIKELY macros in parseMemberExpression
        https://bugs.webkit.org/show_bug.cgi?id=156775

        Reviewed by Filip Pizlo.

        These UNLIKELY macros have to do with the base of the
        member expression being 'super'. I think it's safe to
        argue that this is truly UNLIKELY. I am seeing speedups
        sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-19  Saam Barati  <sbarati@apple.com>

        allow jsc shell to dump sampling profiler data
        https://bugs.webkit.org/show_bug.cgi?id=156725

        Reviewed by Benjamin Poulain.

        This patch adds a '--reportSamplingProfilerData' option to the
        JSC shell which will enable the sampling profiler and dump
        its data at the end of execution. The dump will include the
        40 hottest functions and the 80 hottest bytecode locations.
        If you're using this option to debug, it's easy to just hack
        on the code to make it dump more or less information.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
        (JSC::SamplingProfiler::setStopWatch):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Changed the esSpecIsRegExpObject() implementation to check whether the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Replace $vm.printValue() with $vm.value().
        https://bugs.webkit.org/show_bug.cgi?id=156767

        Reviewed by Saam Barati.

        When debugging with $vm, this change allows us to do this:

            $vm.print("myObj = " + $vm.value(myObj) + "\n");

        ... instead of having to do this:

            $vm.print("myObj = ");
            $vm.printValue(myObj);
            $vm.print("\n");

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::functionValue):
        (JSC::JSDollarVMPrototype::finishCreation):
        (JSC::functionPrintValue): Deleted.

2016-04-18  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by ggaren.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199726.
        https://bugs.webkit.org/show_bug.cgi?id=156748

        WebKit tests crash on Windows 32 (Requested by msaboff on
        #webkit).

        Reverted changeset:

        "iTunes crashing JavaScriptCore.dll"
        https://bugs.webkit.org/show_bug.cgi?id=156647
        http://trac.webkit.org/changeset/199726

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Saam Barati.

        Given that there are only 128 FLS indices compared to over 1000 for TLS, I
        eliminated the thread-specific m_threadSpecificForThread and instead we look for the
        current thread in the m_registeredThreads list when we need it.  In most cases there
        will only be one thread.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [INTL] Use @thisNumberValue instead of `instanceof @Number`
        https://bugs.webkit.org/show_bug.cgi?id=156680

        Reviewed by Saam Barati.

        Use @thisNumberValue instead of `instanceof @Number`.
        `instanceof @Number` is not enough. For example, given 2 realms, an object
        created in one realm does not inherit from the Number of another realm.
        Another example is an object which does not inherit from Number:

        ```
        var number = new Number(42);
        number.__proto__ = null;
        ```

        * builtins/NumberPrototype.js:
        (toLocaleString):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncValueOf):
        * runtime/NumberPrototype.h:
        * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
        (shouldBe):

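The two failure modes of `instanceof @Number` named in the entry above, shown as an added example in plain JavaScript rather than JavaScriptCore's builtin code: `thisNumberValue`, `isNumberByInstanceof`, `numberWithNullProto`, `numberFromOtherRealm` and `toLocaleStringLike` are names chosen here, and the cross-realm case assumes Node's `vm` module.

```javascript
// Added example, not JavaScriptCore code: why a builtin must unwrap `this`
// with the spec's thisNumberValue rather than testing `this instanceof Number`.

// Spec-style thisNumberValue: a primitive number passes through; a Number
// wrapper object is unwrapped with the original Number.prototype.valueOf,
// which reads the internal [[NumberData]] slot and never consults the
// prototype chain. Anything else throws a TypeError.
function thisNumberValue(value) {
  if (typeof value === 'number') return value;
  if (typeof value === 'object' && value !== null) {
    // valueOf throws a TypeError itself when `value` has no [[NumberData]].
    return Number.prototype.valueOf.call(value);
  }
  throw new TypeError('thisNumberValue called on a non-Number');
}

// The shape of the check the patch replaces; it misses both cases below.
function isNumberByInstanceof(value) {
  return value instanceof Number;
}

// Case 1 from the entry: a Number wrapper whose prototype chain was cut.
function numberWithNullProto() {
  const n = new Number(42);
  Object.setPrototypeOf(n, null);
  return n;
}

// Case 2 from the entry: a Number wrapper created in another realm. Assumes
// Node's `vm` module; returns null where it is unavailable.
function numberFromOtherRealm() {
  let vm;
  try { vm = require('vm'); } catch (e) { return null; }
  return vm.runInNewContext('new Number(42)');
}

// A toLocaleString-style builtin written the way the patch describes:
// unwrap with thisNumberValue first, then format the primitive.
function toLocaleStringLike(thisValue, locale) {
  return thisNumberValue(thisValue).toLocaleString(locale);
}

// Stand-alone demo (guarded so the block also loads as an ES module).
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const n of [numberWithNullProto(), numberFromOtherRealm()].filter(Boolean)) {
    console.log('instanceof:', isNumberByInstanceof(n), 'thisNumberValue:', thisNumberValue(n));
  }
}
```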
407 2016-04-19  Commit Queue  <commit-queue@webkit.org>
408
409         Unreviewed, rolling out r199712.
410         https://bugs.webkit.org/show_bug.cgi?id=156741
411
412         It caused a serious regression on 32 bit platform (Requested
413         by gskachkov on #webkit).
414
415         Reverted changeset:
416
417         "calling super() a second time in a constructor should throw"
418         https://bugs.webkit.org/show_bug.cgi?id=151113
419         http://trac.webkit.org/changeset/199712
420
421 2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>
422
423         calling super() a second time in a constructor should throw
424         https://bugs.webkit.org/show_bug.cgi?id=151113
425
426         Reviewed by Saam Barati and Keith Miller.
427
428         Currently, our implementation checks if 'super()' was called in a constructor more 
429         than once and raises a RuntimeError before the second call. According to the spec 
430         we need to raise an error just after the second super() is finished and before 
431         the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour. 
432         To implement this behavior this patch adds a new op code, op_is_empty, that is used 
433         to check if 'this' is empty.
434
435         * bytecode/BytecodeList.json:
436         * bytecode/BytecodeUseDef.h:
437         (JSC::computeUsesForBytecodeOffset):
438         (JSC::computeDefsForBytecodeOffset):
439         * bytecode/CodeBlock.cpp:
440         (JSC::CodeBlock::dumpBytecode):
441         * bytecompiler/BytecodeGenerator.cpp:
442         (JSC::BytecodeGenerator::emitIsEmpty):
443         * bytecompiler/BytecodeGenerator.h:
444         * bytecompiler/NodesCodegen.cpp:
445         (JSC::FunctionCallValueNode::emitBytecode):
446         * dfg/DFGAbstractInterpreterInlines.h:
447         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
448         * dfg/DFGByteCodeParser.cpp:
449         (JSC::DFG::ByteCodeParser::parseBlock):
450         * dfg/DFGCapabilities.cpp:
451         (JSC::DFG::capabilityLevel):
452         * dfg/DFGClobberize.h:
453         (JSC::DFG::clobberize):
454         * dfg/DFGDoesGC.cpp:
455         (JSC::DFG::doesGC):
456         * dfg/DFGFixupPhase.cpp:
457         (JSC::DFG::FixupPhase::fixupNode):
458         * dfg/DFGNodeType.h:
459         * dfg/DFGPredictionPropagationPhase.cpp:
460         (JSC::DFG::PredictionPropagationPhase::propagate):
461         * dfg/DFGSafeToExecute.h:
462         (JSC::DFG::safeToExecute):
463         * dfg/DFGSpeculativeJIT32_64.cpp:
464         (JSC::DFG::SpeculativeJIT::compile):
465         * dfg/DFGSpeculativeJIT64.cpp:
466         (JSC::DFG::SpeculativeJIT::compile):
467         * ftl/FTLCapabilities.cpp:
468         (JSC::FTL::canCompile):
469         * ftl/FTLLowerDFGToB3.cpp:
470         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
471         (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
472         * jit/JIT.cpp:
473         (JSC::JIT::privateCompileMainPass):
474         * jit/JIT.h:
475         * jit/JITOpcodes.cpp:
476         (JSC::JIT::emit_op_is_empty):
477         * jit/JITOpcodes32_64.cpp:
478         (JSC::JIT::emit_op_is_empty):
479         * llint/LowLevelInterpreter32_64.asm:
480         * llint/LowLevelInterpreter64.asm:
481         * tests/stress/class-syntax-double-constructor.js: Added.
482
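The ordering the entry above implements, as an added example in plain JavaScript (not the patch's own test file): `Base`, `Derived`, `SingleSuper`, `runDoubleSuper` and `runSingleSuper` are names chosen here, and the counter makes it observable that the second super() runs the parent constructor to completion before the ReferenceError is raised.

```javascript
// Added example, not the patch's test: per spec, a second super() call runs
// the parent constructor to completion and only then throws a ReferenceError,
// at the point where the already-initialised `this` would be bound again.

let baseConstructions = 0; // counts how many times Base's constructor ran

class Base {
  constructor() {
    baseConstructions += 1;
  }
}

class Derived extends Base {
  constructor() {
    super();
    super(); // Base runs again here, then the engine throws a ReferenceError
  }
}

class SingleSuper extends Base {
  constructor() {
    super();
  }
}

// Constructs Derived and reports what was observable from JavaScript:
// whether a ReferenceError surfaced and how many times Base's constructor ran.
function runDoubleSuper() {
  baseConstructions = 0;
  let thrown = null;
  try {
    new Derived();
  } catch (e) {
    thrown = e;
  }
  return {
    isReferenceError: thrown instanceof ReferenceError,
    baseConstructions,
  };
}

// The well-formed counterpart: one super() call, one Base construction, no error.
function runSingleSuper() {
  baseConstructions = 0;
  const obj = new SingleSuper();
  return { isBase: obj instanceof Base, baseConstructions };
}
```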
2016-04-18  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix some overhead affecting small codegen
        https://bugs.webkit.org/show_bug.cgi?id=156728

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::random):
        cryptographicallyRandomNumber() is very costly.
        We only need it in lowering some very particular cases
        of non-trusted immediates. No inline cache needs that.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addSlowCase):
        Do not copy the JumpList to access its elements.

2016-04-18  Saam Barati  <sbarati@apple.com>

        implement dynamic scope accesses in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=156567

        Reviewed by Geoffrey Garen.

        This patch adds dynamic scope operations to the DFG/FTL.
        This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
        When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
        resolve type, we will compile dynamic scope resolution nodes. When we encounter
        a resolve type that needs var injection checks and the var injection
        watchpoint has already been fired, we will compile dynamic scope resolution
        nodes.

        This patch also adds a new value to the InitializationMode enum: ConstInitialization.
        There was a subtle bug where we used to never compile the var injection variant of the
        resolve type for an eval that injected a var where there was also a global lexical variable with the same name.
        For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled
        with var injection checks if there was global let/const variable named "foo".
        So there was the potential for the injected var to store to the GlobalLexicalObject.
        I found this bug because my initial implementation in the DFG/FTL ran into it.
        The reason this bug existed is because when we compile a const initialization,
        we never need a var injections check. The const initialization always
        knows where to store its value. This same logic leaked into the above eval's
        "var foo = 20" store. This new enum value allows us to distinguish const
        initialization stores from non-const initialization stores.

        (I also changed InitializationMode to be an enum class instead of an enum).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::initializationModeForAssignmentContext):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        (JSC::AssignmentElementNode::bindValue):
        (JSC::RestParameterNode::emit):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::promoteToConstant):
        (JSC::DFG::ByteCodeParser::needsDynamicLookup):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::identifierNumber):
        (JSC::DFG::Node::hasGetPutInfo):
        (JSC::DFG::Node::getPutInfo):
        (JSC::DFG::Node::hasAccessorAttributes):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
        (JSC::DFG::SpeculativeJIT::compileResolveScope):
        (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/GetPutInfo.h:
        (JSC::resolveModeName):
        (JSC::initializationModeName):
        (JSC::isInitialization):
        (JSC::makeType):
        (JSC::GetPutInfo::GetPutInfo):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        Disable AVX.

        Rubber stamped by Benjamin Poulain.

        AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
        will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
        instruction subset.

        This fixes a massive regression on some real code.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::supportsAVX):
        (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        ToThis should have a fast path based on type info flags
        https://bugs.webkit.org/show_bug.cgi?id=156712

        Reviewed by Geoffrey Garen.

        Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
        that would take slow path if the argument was not a final object. We'd end up taking that slow path
        a lot.

        This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
        to test this flag. This is a sub-1% speed-up on SunSpider and Octane.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesGetOwnPropertySlot):
        (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::overridesToThis):
        (JSC::TypeInfo::overridesGetPropertyNames):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::getOwnPropertySlotIsImpure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/Symbol.h:

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        Check to see how the perf bots react to megamorphic load being disabled.

        Rubber stamped by Chris Dumez.

        * runtime/Options.h:

2016-04-18  Keith Miller  <keith_miller@apple.com>

        We should support delete in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=156607

        Reviewed by Benjamin Poulain.

        This patch adds support for delete in the DFG as it appears that
        some major frameworks use the operation in particularly hot functions.
        As a result, even if the function rarely ever calls delete we would never
        tier up to the DFG. This patch also changes operationDeleteById to take a
        UniquedStringImpl and return a size_t.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):

2016-04-17  Filip Pizlo  <fpizlo@apple.com>

        FTL should pin the tag registers at inline caches
        https://bugs.webkit.org/show_bug.cgi?id=156678

        Reviewed by Saam Barati.

        This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
        being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.

        This removes those materializations. This should reduce the amount of code generated in inline caches
        and it should make inline caches faster. The effect appears to be small.

        It may be that after this change, we'll even be able to kill the
        HaveTagRegisters/DoNotHaveTagRegisters logic.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
772         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
773         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
774         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
775         (JSC::FTL::DFG::LowerDFGToB3::getById):
776         * jit/Repatch.cpp:
777         (JSC::readCallTarget):
778         (JSC::linkPolymorphicCall):
779         * jit/ThunkGenerators.cpp:
780         (JSC::virtualThunkFor):
781
782 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
783
784         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
785         https://bugs.webkit.org/show_bug.cgi?id=156576
786
787         Reviewed by Saam Barati.
788
789         This is a slight generator fix in ES7. When calling generator.throw(),
790         the yield-star should call the throw() of the inner generator. At that
791         time, when the result of throw() is { done: true }, the generator should
792         not stop itself.
793
794             function * gen()
795             {
796                 yield * (function * () {
797                     try {
798                         yield 42;
799                     } catch (error) { }
800                 }());
801                 // Continue executing.
802                 yield 42;
803             }
804
805             let g = gen();
806             g.next();
807             shouldBe(g.throw().value, 42);
808
809
810         * builtins/GeneratorPrototype.js:
811         (generatorResume):
812         (next):
813         (return):
814         (throw):
815         * bytecode/BytecodeIntrinsicRegistry.cpp:
816         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
817         * bytecode/BytecodeIntrinsicRegistry.h:
818         * bytecompiler/BytecodeGenerator.cpp:
819         (JSC::BytecodeGenerator::emitDelegateYield):
820         * runtime/JSGeneratorFunction.h:
821         * tests/stress/generator-yield-star.js:
822         (gen):
823         * tests/stress/yield-star-throw-continue.js: Added.
824         (shouldBe):
825         (generator):
826         (shouldThrow):
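
The continuation rule described above, as an added example (not code from the WebKit ChangeLog or its test files): the inner iterator's throw() finishing with { done: true } must not end the outer generator, and the done value becomes the result of the yield* expression.

```javascript
// Added example, not from the WebKit tree: how a generator must behave when
// generator.throw() is delegated through yield* and the inner iterator's
// throw() comes back with { done: true }.

// Case 1: an inner generator that swallows the thrown error and then finishes.
function* inner() {
  try {
    yield 42;
  } catch (error) {
    // Swallowed: inner() completes normally, so its throw() result is
    // { value: undefined, done: true }.
  }
}

function* outer() {
  yield* inner();
  // Execution must continue here instead of returning from outer().
  yield 42;
}

// Case 2: a hand-written iterator whose throw() reports done with a value.
// When the inner iterator is done, that value is what the yield* expression
// evaluates to, and the outer generator keeps running.
function makeIterator() {
  return {
    [Symbol.iterator]() { return this; },
    next() { return { value: 'first', done: false }; },
    throw(error) {
      return { value: `handled:${error.message}`, done: true };
    },
  };
}

function* outerWithCustom() {
  const result = yield* makeIterator();
  yield result;
}

// Drive case 1: the value of g.throw() is the outer generator's next yield.
function throwThroughYieldStar() {
  const g = outer();
  g.next();                                             // stops at the inner `yield 42`
  const afterThrow = g.throw(new Error('constructed')); // { value: 42, done: false }
  const final = g.next();                               // { value: undefined, done: true }
  return { afterThrow, final };
}

// Drive case 2: the inner throw() result's value reaches the outer yield.
function throwThroughCustomIterator() {
  const g = outerWithCustom();
  g.next();                            // yields 'first' from the custom iterator
  return g.throw(new Error('boom'));   // { value: 'handled:boom', done: false }
}
```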
827
828 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
829
830         Fix incorrect assumption that APPLE implies Mac.
831         https://bugs.webkit.org/show_bug.cgi?id=156683
832     
833         Addresses build failure introduced in r199094
834
835         Reviewed by Alex Christensen.
836
837         * CMakeLists.txt:
838
839 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
840
841         [JSC] ReduceDoubleToFloat should work across Phis
842         https://bugs.webkit.org/show_bug.cgi?id=156603
843         <rdar://problem/25736205>
844
845         Reviewed by Saam Barati and Filip Pizlo.
846
847         This patch extends B3's ReduceDoubleToFloat phase to work across
848         Upsilon-Phis. This is important to optimize loops and some crazy cases.
849
850         In its simplest form, we can have conversion propagated from something
851         like this:
852             Double @1 = Phi()
853             Float @2 = DoubleToFloat(@1)
854
855         When that happens, we just need to propagate that the result only
856         needs float precision across all values coming to this Phi.
857
858
859         There are more complicated cases when the value produced is effectively Float
860         but the user of the value does not do DoubleToFloat.
861
862         Typically, we have something like:
863             #1
864                 @1 = ConstDouble(1)
865                 @2 = Upsilon(@1, ^5)
866             #2
867                 @3 = FloatToDouble(@x)
868                 @4 = Upsilon(@3, ^5)
869             #3
870                 @5 = Phi()
871                 @6 = Add(@5, @somethingFloat)
872                 @7 = DoubleToFloat(@6)
873
874         Here with a Phi-Upsilon that is a Double but can be represented
875         as Float without loss of precision.
876
877         It is valuable to convert such Phis to float if and only if the value
878         is used as float. Otherwise, you may be just adding useless conversions
879         (for example, two double constants that flow into a double Add should not
880         turn into two float constants flowing into a FloatToDouble then Add).
881
882
883         ReduceDoubleToFloat does two analysis passes to gather the necessary
884         meta information. Then we have a simplify() phase to actually reduce
885         operations. Finally, the cleanup() pass puts the graph into a valid
886         state again.
887
888         The two analysis passes work by disproving that something is float.
889         - findCandidates() accumulates anything used as Double.
890         - findPhisContainingFloat() accumulates phis that would lose precision
891           by converting the input to float.
892
893         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
894         by ~2.8% (on Haswell).
895
896         * b3/B3ReduceDoubleToFloat.cpp:
897         (JSC::B3::reduceDoubleToFloat):
898         * b3/testb3.cpp:
899         (JSC::B3::testCompareTwoFloatToDouble):
900         (JSC::B3::testCompareOneFloatToDouble):
901         (JSC::B3::testCompareFloatToDoubleThroughPhi):
902         (JSC::B3::testDoubleToFloatThroughPhi):
903         (JSC::B3::testDoubleProducerPhiToFloatConversion):
904         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
905         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
906         (JSC::B3::testStoreDoubleConstantAsFloat):
907         (JSC::B3::run):
908         * tests/stress/double-compare-to-float.js: Added.
909         (canSimplifyToFloat):
910         (canSimplifyToFloatWithConstant):
911         (cannotSimplifyA):
912         (cannotSimplifyB):
913         * tests/stress/double-to-float.js: Added.
914         (upsilonReferencingItsPhi):
915         (upsilonReferencingItsPhiAllFloat):
916         (upsilonReferencingItsPhiWithoutConversion):
917         (conversionPropagages):
918         (chainedUpsilonBothConvert):
919         (chainedUpsilonFirstConvert):
920
921 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
922
923         [ES6] Use @isObject to check Object Type instead of using instanceof
924         https://bugs.webkit.org/show_bug.cgi?id=156676
925
926         Reviewed by Darin Adler.
927
928         Use @isObject instead of `instanceof @Object`.
929         The `instanceof` check is not enough to check Object Type.
930         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
931         Another example is an object which does not inherit from Object.
932         This object can be easily created by calling `Object.create(null)`.
933
934         * builtins/RegExpPrototype.js:
935         (match):
936         * jsc.cpp:
937         (GlobalObject::finishCreation):
938         (functionCreateGlobalObject):
939         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
940         (shouldBe):
941         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
942         (shouldBe):
943         (regexp.exec):
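
The two failure cases named above, as an added example (not code from the WebKit tree): an `instanceof Object` check misses null-prototype and cross-realm objects, while a spec-style Object Type check does not, and a RegExp.prototype[Symbol.match] receiver that does not inherit from Object.prototype still works. The cross-realm case assumes Node's vm module and is skipped when it is unavailable.

```javascript
// Added example, not from the WebKit tree: why `instanceof @Object` is not a
// test for Object Type, and the spec-style check that replaces it.

// Spec-style Type(x) === Object: non-null objects and functions.
function isObject(value) {
  return (typeof value === 'object' && value !== null) || typeof value === 'function';
}

// The check the builtin used to rely on.
function isInstanceOfObject(value) {
  return value instanceof Object;
}

// An object whose prototype chain does not contain Object.prototype.
function nullPrototypeObject() {
  return Object.create(null);
}

// An object created in another realm. Assumes Node's vm module is available;
// returns null when it is not (e.g. in a browser), and callers skip that case.
function crossRealmObject() {
  try {
    return require('vm').runInNewContext('({})');
  } catch (error) {
    return null;
  }
}

// Compare both checks on the cases the ChangeLog entry names.
function compareChecks() {
  const cases = { plain: {}, nullProto: nullPrototypeObject() };
  const foreign = crossRealmObject();
  if (foreign !== null) cases.crossRealm = foreign;
  const table = {};
  for (const [name, value] of Object.entries(cases)) {
    table[name] = { isObject: isObject(value), instanceofObject: isInstanceOfObject(value) };
  }
  return table;
}

// RegExp.prototype[Symbol.match] must accept any object-typed receiver that
// provides exec(), including one that does not inherit from Object.prototype.
function matchWithNullPrototypeReceiver(input) {
  const regexpLike = Object.create(null);
  regexpLike.exec = function (s) {
    // exec() must return an Object or null; a constructed one-element match.
    return s.indexOf('needle') === -1 ? null : ['needle'];
  };
  return RegExp.prototype[Symbol.match].call(regexpLike, input);
}
```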
944
945 2016-04-17  Darin Adler  <darin@apple.com>
946
947         Remove more uses of Deprecated::ScriptXXX
948         https://bugs.webkit.org/show_bug.cgi?id=156660
949
950         Reviewed by Antti Koivisto.
951
952         * bindings/ScriptFunctionCall.cpp:
953         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
954         unneeded overloads that take a ScriptObject and ScriptValue.
955         * bindings/ScriptFunctionCall.h: Ditto.
956
957         * bindings/ScriptObject.h: Added operator so this can change
958         itself into a JSObject*. Helps while phasing this class out.
959
960         * bindings/ScriptValue.h: Export toInspectorValue so it can be
961         used in WebCore.
962
963         * inspector/InjectedScriptManager.cpp:
964         (Inspector::InjectedScriptManager::createInjectedScript): Changed
965         return value from Deprecated::ScriptObject to JSObject*.
966         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
967         the return value change above.
968         * inspector/InjectedScriptManager.h: Ditto.
969
970 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
971
972         [JSC] DFG should support relational comparisons of Number and Other
973         https://bugs.webkit.org/show_bug.cgi?id=156669
974
975         Reviewed by Darin Adler.
976
977         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
978         relational compare because profiling sees "undefined" from time to time.
979
980         This case is fairly common outside Sunspider too because of out-of-bounds array access.
981         Unfortunately for us, our fallback for compare is really inefficient.
982
983         Fortunately, relational comparison with null/undefined/true/false is trivial.
984         We can just convert both sides to Double. That's what this patch adds.
985
986         I also extended constant folding for those cases because I noticed
987         a bunch of "undefined" constants going through DoubleRep at runtime.
988
989         * dfg/DFGAbstractInterpreterInlines.h:
990         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
991         * dfg/DFGFixupPhase.cpp:
992         (JSC::DFG::FixupPhase::fixupNode):
993         * tests/stress/compare-number-and-other.js: Added.
994         (opaqueSideEffect):
995         (let.operator.of.operators.eval.testPolymorphic):
996         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
997         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
998         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
999         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
1000
1001 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
1002
1003         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
1004         https://bugs.webkit.org/show_bug.cgi?id=156528
1005
1006         Reviewed by Filip Pizlo.
1007
1008         If you fround a double with the bits 0xfff7000000000000
1009         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
1010
1011         This is without a test because I could not find a way to create a 0xfff7000000000000
1012         while convincing DFG that it's pure.
1013         When we purify NaNs from typed array, we use a specific value of NaN if the input
1014         is any NaN, making testing tricky.
1015
1016         * bytecode/SpeculatedType.cpp:
1017         (JSC::typeOfDoubleNegation):
1018
1019 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1020
1021         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
1022         https://bugs.webkit.org/show_bug.cgi?id=156670
1023
1024         Reviewed by Darin Adler.
1025
1026         * dfg/DFGNode.h:
1027         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
1028
1029 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1030
1031         [mips] Implemented moveZeroToDouble.
1032         https://bugs.webkit.org/show_bug.cgi?id=155429
1033
1034         Reviewed by Darin Adler.
1035
1036         This function is required to fix compilation after r197687.
1037
1038         * assembler/MacroAssemblerMIPS.h:
1039         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
1040
1041 2016-04-15  Darin Adler  <darin@apple.com>
1042
1043         Reduce use of Deprecated::ScriptXXX classes
1044         https://bugs.webkit.org/show_bug.cgi?id=156632
1045
1046         Reviewed by Alex Christensen.
1047
1048         * bindings/ScriptFunctionCall.cpp:
1049         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
1050         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
1051         * bindings/ScriptFunctionCall.h: Updated for the above.
1052
1053         * bindings/ScriptValue.cpp:
1054         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
1055         move this to another source file in the inspector directory.
1056         (Inspector::toInspectorValue): Added.
1057         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
1058         * bindings/ScriptValue.h: Update for the above.
1059
1060         * inspector/InjectedScript.cpp:
1061         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
1062         Deprecated::ScriptValue to JSC::JSValue.
1063         (Inspector::InjectedScript::functionDetails): Ditto.
1064         (Inspector::InjectedScript::wrapCallFrames): Ditto.
1065         (Inspector::InjectedScript::wrapObject): Ditto.
1066         (Inspector::InjectedScript::wrapTable): Ditto.
1067         (Inspector::InjectedScript::previewValue): Ditto.
1068         (Inspector::InjectedScript::setExceptionValue): Ditto.
1069         (Inspector::InjectedScript::findObjectById): Ditto.
1070         (Inspector::InjectedScript::inspectObject): Ditto.
1071         * inspector/InjectedScript.h: Ditto.
1072         * inspector/InjectedScriptBase.cpp:
1073         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
1074         (Inspector::InjectedScriptBase::makeCall): Ditto.
1075         * inspector/InjectedScriptBase.h: Ditto.
1076         * inspector/InjectedScriptModule.cpp:
1077         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
1078         * inspector/ScriptDebugListener.h: Ditto.
1079         * inspector/ScriptDebugServer.cpp:
1080         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
1081         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
1082         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
1083         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
1084         * inspector/ScriptDebugServer.h: Ditto.
1085         * inspector/agents/InspectorDebuggerAgent.cpp:
1086         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
1087         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
1088         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
1089         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
1090         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
1091         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
1092         * inspector/agents/InspectorHeapAgent.cpp:
1093         (Inspector::InspectorHeapAgent::getPreview): Ditto.
1094         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
1095
1096 2016-04-15  Keith Miller  <keith_miller@apple.com>
1097
1098         Some JIT/DFG operations need NativeCallFrameTracers
1099         https://bugs.webkit.org/show_bug.cgi?id=156650
1100
1101         Reviewed by Michael Saboff.
1102
1103         Some of our operation functions did not have native call frame
1104         tracers. This meant that we would crash occasionally on some
1105         of our tests when they triggered a GC in one of the functions
1106         without a tracer. In particular, this was exemplified by another
1107         upcoming patch when calling operationSetFunctionName.
1108
1109         This patch does not add tests since this happens consistently in
1110         the patch adding delete_by_id to the DFG.
1111
1112         * dfg/DFGOperations.cpp:
1113         * jit/JITOperations.cpp:
1114
1115 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1116
1117         Web Inspector: sourceMappingURL not used when sourceURL is set
1118         https://bugs.webkit.org/show_bug.cgi?id=156021
1119         <rdar://problem/25438417>
1120
1121         Reviewed by Timothy Hatcher.
1122
1123         Clean up Debugger.sourceParsed to separately include:
1124
1125             - url ("resource URL", "source url" in JSC APIs)
1126             - sourceURL - //# sourceURL directive
1127
1128         By always having the resource URL the Web Inspector frontend
1129         can better match this Script to a Resource of the same URL,
1130         and decide to use the sourceURL if it is available when
1131         appropriate.
1132
1133         * inspector/protocol/Debugger.json:
1134         * inspector/agents/InspectorDebuggerAgent.cpp:
1135         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1136         (Inspector::InspectorDebuggerAgent::didParseSource):
1137         Send the new sourceParsed parameters.
1138
1139 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1140
1141         Web Inspector: Cleanup inspector/debugger tests
1142         https://bugs.webkit.org/show_bug.cgi?id=156619
1143
1144         Reviewed by Brian Burg.
1145
1146         While cleaning up the tests it exposed the fact that breakpoints
1147         were not getting disabled when the inspector closes. This means
1148         that opening the inspector, with breakpoints, and closing the
1149         inspector, would leave the JSC::Debugger thinking breakpoints
1150         are active. The JSC::Debugger should be reset.
1151
1152         * inspector/agents/InspectorDebuggerAgent.cpp:
1153         (Inspector::InspectorDebuggerAgent::disable):
1154
1155 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1156
1157         CopiedBlock should be 64kB
1158
1159         Reviewed by Benjamin Poulain.
1160
1161         Let's try another value.
1162
1163         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
1164
1165         * heap/CopiedBlock.h:
1166
1167 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
1168
1169         Tail call optimizations lead to crashes on ARM Thumb + Linux
1170         https://bugs.webkit.org/show_bug.cgi?id=150083
1171
1172         Reviewed by Csaba Osztrogonác.
1173
1174         * assembler/AbstractMacroAssembler.h:
1175         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
1176         data location of the destination, and not the executable address. This is needed for
1177         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
1178         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
1179         * jit/Repatch.cpp:
1180         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
1181         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
1182
1183 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1184
1185         Unreviewed, rolling out r199567.
1186
1187         performance regression on kraken on macbook*
1188
1189         Reverted changeset:
1190
1191         "CopiedBlock should be 8kB"
1192         https://bugs.webkit.org/show_bug.cgi?id=156610
1193         http://trac.webkit.org/changeset/199567
1194
1195 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1196
1197         CopiedBlock should be 8kB
1198         https://bugs.webkit.org/show_bug.cgi?id=156610
1199
1200         Reviewed by Michael Saboff.
1201
1202         On Mac Pro, this is:
1203
1204             15% faster on kraken-audio-beat-detection
1205
1206             5% faster on v8-splay
1207
1208         Hopefully, this will be OK on MacBook* bots as well.
1209
1210         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
1211         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
1212         this problem by using smaller blocks -- or, if that doesn't work, we can
1213         use larger blocks to amortize the cost.
1214
1215         * heap/CopiedBlock.h:
1216
1217 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
1218
1219         PolymorphicAccess should try to generate a stub only once
1220         https://bugs.webkit.org/show_bug.cgi?id=156555
1221
1222         Reviewed by Geoffrey Garen.
1223         
1224         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
1225         more than before. We used to always generate a monomorphic stub for the first case we saw.
1226         This change disables that. This change also increases the buffering countdown to match the
1227         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
1228         then we will generate a stub, and then we will go into cool-down and the repatching slow
1229         paths will not even attempt repatching for a while. After we emerge from cool-down - which
1230         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
1231         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
1232         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
1233         means that each IC will repatch once. If they make it to two repatching, then the likelihood
1234         of a third becomes infinitesimal because of all of the rules that come into play at that
1235         point (the size limit being 13, the fact that we go into exponential cool-down every time we
1236         generate code, and the fact that if we have lots of self cases then we will create a
1237         catch-all megamorphic load case).
1238
1239         This also undoes a change to the megamorphic optimization that I think was unintentional.
1240         As in the change that originally introduced megamorphic loads, we want to do this only if we
1241         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
1242         expensive and it's best to use them only if we know that the alternative is giving up on
1243         caching.
1244
1245         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
1246
1247         * bytecode/PolymorphicAccess.cpp:
1248         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1249         (JSC::AccessCase::canReplace):
1250         (JSC::AccessCase::dump):
1251         (JSC::PolymorphicAccess::regenerate):
1252         * bytecode/StructureStubInfo.cpp:
1253         (JSC::StructureStubInfo::StructureStubInfo):
1254         * runtime/Options.h:
1255
1256 2016-04-14  Mark Lam  <mark.lam@apple.com>
1257
1258         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
1259         https://bugs.webkit.org/show_bug.cgi?id=155922
1260
1261         Reviewed by Keith Miller.
1262
1263         According to the TC39 committee, when invoking the following RegExp.prototype
1264         methods on the RegExp.prototype:
1265         1. RegExp.prototype.flags yields ""
1266         2. RegExp.prototype.global yields undefined
1267         3. RegExp.prototype.ignoreCase yields undefined
1268         4. RegExp.prototype.multiline yields undefined
1269         5. RegExp.prototype.unicode yields undefined
1270         6. RegExp.prototype.source yields "(?:)"
1271         7. RegExp.prototype.sticky yields undefined
1272         8. RegExp.prototype.toString() yields "/(?:)/"
1273
1274         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
1275         change is a special dispensation applicable only to RegExp.prototype.  The ES6
1276         spec of throwing errors still applies if those methods are applied to anything
1277         else that is not a RegExp object.
1278
1279         * runtime/RegExpPrototype.cpp:
1280         (JSC::regExpProtoGetterGlobal):
1281         (JSC::regExpProtoGetterIgnoreCase):
1282         (JSC::regExpProtoGetterMultiline):
1283         (JSC::regExpProtoGetterSticky):
1284         (JSC::regExpProtoGetterUnicode):
1285         (JSC::regExpProtoGetterFlags):
1286         (JSC::regExpProtoGetterSource):
1287         - Implemented new behavior.
1288
1289         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
1290         (test):
1291         - Updated to match current kangax test.
1292
1293 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1294
1295         Some imported ES6 tests are missing __createIterableObject
1296         https://bugs.webkit.org/show_bug.cgi?id=156584
1297
1298         Reviewed by Keith Miller.
1299
1300         These tests were failing because I neglected to include __createIterableObject
1301         when I first imported them. Now they pass.
1302
1303         * tests/es6.yaml:
1304         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
1305         (iterator.next):
1306         (iterable.Symbol.iterator):
1307         (__createIterableObject):
1308         (test):
1309         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
1310         (iterator.next):
1311         (iterable.Symbol.iterator):
1312         (__createIterableObject):
1313         (test):
1314         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
1315         (iterator.next):
1316         (iterable.Symbol.iterator):
1317         (__createIterableObject):
1318         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
1319         (iterator.next):
1320         (iterable.Symbol.iterator):
1321         (__createIterableObject):
1322         (test):
1323         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
1324         (iterator.next):
1325         (iterable.Symbol.iterator):
1326         (__createIterableObject):
1327         (test):
1328         * tests/es6/Map_iterator_closing.js:
1329         (iterator.next):
1330         (iterable.Symbol.iterator):
1331         (__createIterableObject):
1332         * tests/es6/Promise_Promise.all_generic_iterables.js:
1333         (iterator.next):
1334         (iterable.Symbol.iterator):
1335         (__createIterableObject):
1336         (test.asyncTestPassed):
1337         * tests/es6/Promise_Promise.race_generic_iterables.js:
1338         (iterator.next):
1339         (iterable.Symbol.iterator):
1340         (__createIterableObject):
1341         (test.asyncTestPassed):
1342         * tests/es6/Set_iterator_closing.js:
1343         (iterator.next):
1344         (iterable.Symbol.iterator):
1345         (__createIterableObject):
1346         * tests/es6/WeakMap_iterator_closing.js:
1347         (iterator.next):
1348         (iterable.Symbol.iterator):
1349         (__createIterableObject):
1350         * tests/es6/WeakSet_iterator_closing.js:
1351         (iterator.next):
1352         (iterable.Symbol.iterator):
1353         (__createIterableObject):
1354         * tests/es6/destructuring_iterator_closing.js:
1355         (iterator.next):
1356         (iterable.Symbol.iterator):
1357         (__createIterableObject):
1358         * tests/es6/destructuring_with_generic_iterables.js:
1359         (iterator.next):
1360         (iterable.Symbol.iterator):
1361         (__createIterableObject):
1362         (test):
1363         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
1364         (iterator.next):
1365         (iterable.Symbol.iterator):
1366         (__createIterableObject):
1367         (test):
1368         * tests/es6/for..of_loops_iterator_closing_break.js:
1369         (iterator.next):
1370         (iterable.Symbol.iterator):
1371         (__createIterableObject):
1372         * tests/es6/for..of_loops_iterator_closing_throw.js:
1373         (iterator.next):
1374         (iterable.Symbol.iterator):
1375         (__createIterableObject):
1376         * tests/es6/for..of_loops_with_generic_iterables.js:
1377         (iterator.next):
1378         (iterable.Symbol.iterator):
1379         (__createIterableObject):
1380         (test):
1381         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
1382         (iterator.next):
1383         (iterable.Symbol.iterator):
1384         (__createIterableObject):
1385         (test):
1386         * tests/es6/generators_yield_star_generic_iterables.js:
1387         (iterator.next):
1388         (iterable.Symbol.iterator):
1389         (__createIterableObject):
1390         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
1391         (iterator.next):
1392         (iterable.Symbol.iterator):
1393         (__createIterableObject):
1394         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
1395         (iterator.next):
1396         (iterable.Symbol.iterator):
1397         (__createIterableObject):
1398         (test):
1399         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
1400         (iterator.next):
1401         (iterable.Symbol.iterator):
1402         (__createIterableObject):
1403         (test):
1404         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
1405         (iterator.next):
1406         (iterable.Symbol.iterator):
1407         (__createIterableObject):
1408         (test):
1409         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
1410         (iterator.next):
1411         (iterable.Symbol.iterator):
1412         (__createIterableObject):
1413         (test):
1414
1415 2016-04-13  Alex Christensen  <achristensen@webkit.org>
1416
1417         CMake MiniBrowser should be an app bundle
1418         https://bugs.webkit.org/show_bug.cgi?id=156521
1419
1420         Reviewed by Brent Fulgham.
1421
1422         * PlatformMac.cmake:
1423         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
1424
1425 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
1426
1427         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
1428         https://bugs.webkit.org/show_bug.cgi?id=156566
1429         <rdar://problem/16392365>
1430
1431         Reviewed by Timothy Hatcher.
1432
1433         * inspector/InjectedScriptSource.js:
1434         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1435         Treat non-basic object types as not lossless so they can be expanded.
1436         Show non-enumerable native getters in Object previews.
1437
1438 2016-04-13  Michael Saboff  <msaboff@apple.com>
1439
1440         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
1441         https://bugs.webkit.org/show_bug.cgi?id=151597
1442
1443         Reviewed by Geoffrey Garen.
1444
1445         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
1446         when specified in RegExps with both the unicode and ignoreCase flags.  Given the
1447         case folding rules described in the standard via the meta function Canonicalize(),
1448         which allow cross ASCII case folding when unicode is specified, the unicode characters
1449         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
1450         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
1451         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
1452         \W with the unicode and ignoreCase flags.
1453
1454         * create_regex_tables:
1455         * yarr/YarrPattern.cpp:
1456         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1457         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1458         (JSC::Yarr::YarrPattern::YarrPattern):
1459         * yarr/YarrPattern.h:
1460         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
1461         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
1462         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1463         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
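
The /iu anomaly that the new YARR tables encode, as an added example that is not WebKit code: it scans the BMP for the code points that \w gains from unicode+ignoreCase case folding, and reports (without assuming) what the running engine does for the \W side the entry describes. Function names are chosen here, not taken from JSC.

```javascript
// Added example, not WebKit code.  The entry above explains why \w under the
// combined unicode + ignoreCase flags contains U+017F and U+212A: with the
// unicode flag, Canonicalize() uses simple case folding, and those two are the
// only non-ASCII code points whose folding lands in the 63 ASCII word characters.

const WORD_U = /^\w$/u;     // \w, unicode only: the 63 ASCII word characters
const WORD_IU = /^\w$/iu;   // \w, unicode + ignoreCase: case-folding closure applies
const NONWORD_IU = /^\W$/iu;

// Scans the Basic Multilingual Plane and returns every code point that \w
// matches under /iu but not under /u alone.  Expected: [0x017F, 0x212A]
// (LATIN SMALL LETTER LONG S and KELVIN SIGN, which fold to 's' and 'k').
function wordCharsAddedByUnicodeIgnoreCase() {
  const added = [];
  for (let cp = 0; cp <= 0xFFFF; cp++) {
    const ch = String.fromCodePoint(cp);
    if (WORD_IU.test(ch) && !WORD_U.test(ch)) added.push(cp);
  }
  return added;
}

// The \W side of the anomaly.  The entry states that JSC's tables make \W
// under /iu match 'k', 'K', 's' and 'S' because U+017F and U+212A fold onto
// them; other engines resolve the complement differently, so this function
// reports what the running engine does instead of assuming an answer.
function asciiLettersMatchedByNonWordIgnoreCase() {
  const letters = [];
  for (let cp = 0x41; cp <= 0x7A; cp++) {          // 'A'..'z', letters only
    const ch = String.fromCodePoint(cp);
    if (/[A-Za-z]/.test(ch) && NONWORD_IU.test(ch)) letters.push(ch);
  }
  return letters;
}

// Formats both scans with the U+XXXX notation used in the entry.
function summarize() {
  const hex = (cp) => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
  return {
    addedToWordClass: wordCharsAddedByUnicodeIgnoreCase().map(hex),
    asciiLettersInNonWordClass: asciiLettersMatchedByNonWordIgnoreCase(),
  };
}

console.log(summarize());
```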
1464
1465 2016-04-13  Commit Queue  <commit-queue@webkit.org>
1466
1467         Unreviewed, rolling out r199502 and r199511.
1468         https://bugs.webkit.org/show_bug.cgi?id=156557
1469
1470         Appears to have in-browser perf regression (Requested by mlam
1471         on #webkit).
1472
1473         Reverted changesets:
1474
1475         "ES6: Implement String.prototype.split and
1476         RegExp.prototype[@@split]."
1477         https://bugs.webkit.org/show_bug.cgi?id=156013
1478         http://trac.webkit.org/changeset/199502
1479
1480         "ES6: Implement RegExp.prototype[@@search]."
1481         https://bugs.webkit.org/show_bug.cgi?id=156331
1482         http://trac.webkit.org/changeset/199511
1483
1484 2016-04-13  Keith Miller  <keith_miller@apple.com>
1485
1486         isJSArray should use ArrayType rather than the ClassInfo
1487         https://bugs.webkit.org/show_bug.cgi?id=156551
1488
1489         Reviewed by Filip Pizlo.
1490
1491         Using the JSType rather than the ClassInfo should be slightly faster
1492         since the type is inline on the cell whereas the ClassInfo is only
1493         on the structure.
1494
1495         * runtime/JSArray.h:
1496         (JSC::isJSArray):
1497
1498 2016-04-13  Mark Lam  <mark.lam@apple.com>
1499
1500         ES6: Implement RegExp.prototype[@@search].
1501         https://bugs.webkit.org/show_bug.cgi?id=156331
1502
1503         Reviewed by Keith Miller.
1504
1505         What changed?
1506         1. Implemented search builtin in RegExpPrototype.js.
1507            The native path is now used as a fast path.
1508         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
1509            IsJSArrayIntrinsic).
1510         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
1511         4. Changed the esSpecIsRegExpObject() implementation to check if the object's
1512            JSType is RegExpObjectType instead of walking the classinfo chain.
1513
1514         * builtins/RegExpPrototype.js:
1515         (search):
1516         * builtins/StringPrototype.js:
1517         (search):
1518         - fixed some indentation.
1519
1520         * dfg/DFGAbstractInterpreterInlines.h:
1521         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1522         * dfg/DFGByteCodeParser.cpp:
1523         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1524         * dfg/DFGClobberize.h:
1525         (JSC::DFG::clobberize):
1526         * dfg/DFGDoesGC.cpp:
1527         (JSC::DFG::doesGC):
1528         * dfg/DFGFixupPhase.cpp:
1529         (JSC::DFG::FixupPhase::fixupNode):
1530         * dfg/DFGNodeType.h:
1531         * dfg/DFGPredictionPropagationPhase.cpp:
1532         (JSC::DFG::PredictionPropagationPhase::propagate):
1533         * dfg/DFGSafeToExecute.h:
1534         (JSC::DFG::safeToExecute):
1535         * dfg/DFGSpeculativeJIT.cpp:
1536         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1537         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
1538         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1539         * dfg/DFGSpeculativeJIT.h:
1540         * dfg/DFGSpeculativeJIT32_64.cpp:
1541         (JSC::DFG::SpeculativeJIT::compile):
1542         * dfg/DFGSpeculativeJIT64.cpp:
1543         (JSC::DFG::SpeculativeJIT::compile):
1544         * ftl/FTLCapabilities.cpp:
1545         (JSC::FTL::canCompile):
1546         * ftl/FTLLowerDFGToB3.cpp:
1547         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1548         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1549         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1550         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1551         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1552         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
1553         (JSC::FTL::DFG::LowerDFGToB3::isType):
1554         * runtime/Intrinsic.h:
1555         - Added IsRegExpObjectIntrinsic.
1556
1557         * runtime/CommonIdentifiers.h:
1558
1559         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1560         (JSC::esSpecIsConstructor):
1561         - Changed to use uncheckedArgument since this is only called from internal code.
1562         (JSC::esSpecIsRegExpObject):
1563         (JSC::esSpecIsRegExp): Deleted.
1564         * runtime/ECMAScriptSpecInternalFunctions.h:
1565         - Changed to check the object for a JSType of RegExpObjectType.
1566
1567         * runtime/JSGlobalObject.cpp:
1568         (JSC::JSGlobalObject::init):
1569         - Added split fast path.
1570
1571         * runtime/RegExpPrototype.cpp:
1572         (JSC::RegExpPrototype::finishCreation):
1573         (JSC::regExpProtoFuncSearchFast):
1574         (JSC::regExpProtoFuncSearch): Deleted.
1575         * runtime/RegExpPrototype.h:
1576
1577         * tests/es6.yaml:
1578         * tests/stress/regexp-search.js:
1579         - Rebased test.
1580
1581 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
1582
1583         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
1584         https://bugs.webkit.org/show_bug.cgi?id=156493
1585
1586         Reviewed by Geoffrey Garen.
1587
1588         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
1589         they already generated. So, if the state is not Generated, we don't have to bother with
1590         cloning them.
1591
1592         This should speed up PolymorphicAccess regeneration a bit more.
1593
1594         * bytecode/PolymorphicAccess.cpp:
1595         (JSC::AccessCase::commit):
1596         (JSC::PolymorphicAccess::regenerate):
1597
1598 2016-04-13  Mark Lam  <mark.lam@apple.com>
1599
1600         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1601         https://bugs.webkit.org/show_bug.cgi?id=156013
1602
1603         Reviewed by Keith Miller.
1604
1605         Re-landing r199393 now that the shadow chicken crash has been fixed.
1606
1607         * CMakeLists.txt:
1608         * JavaScriptCore.xcodeproj/project.pbxproj:
1609         * builtins/GlobalObject.js:
1610         (speciesConstructor):
1611         * builtins/PromisePrototype.js:
1612         - refactored to use the @speciesConstructor internal function.
1613
1614         * builtins/RegExpPrototype.js:
1615         (advanceStringIndex):
1616         - refactored from @advanceStringIndexUnicode() to match the spec.
1617           Benchmarks show that there's no advantage in doing the unicode check outside
1618           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
1619           spec (especially since @@split needs to call advanceStringIndex from more than
1620           1 location).
1621         (match):
1622         - Removed an unnecessary call to @Object because it was already proven above.
1623         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
1624           Again, there's no perf regression for this.
1625         (regExpExec):
1626         (hasObservableSideEffectsForRegExpSplit):
1627         (split):
1628         (advanceStringIndexUnicode): Deleted.
1629
1630         * builtins/StringPrototype.js:
1631         (split):
1632         - Modified to use RegExp.prototype[@@split].
1633
1634         * bytecode/BytecodeIntrinsicRegistry.cpp:
1635         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1636         (JSC::BytecodeIntrinsicRegistry::lookup):
1637         * bytecode/BytecodeIntrinsicRegistry.h:
1638         - Added the @@split symbol.
1639
1640         * runtime/CommonIdentifiers.h:
1641         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
1642         (JSC::esSpecIsConstructor):
1643         (JSC::esSpecIsRegExp):
1644         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
1645
1646         * runtime/JSGlobalObject.cpp:
1647         (JSC::getGetterById):
1648         (JSC::JSGlobalObject::init):
1649
1650         * runtime/PropertyDescriptor.cpp:
1651         (JSC::PropertyDescriptor::setDescriptor):
1652         - Removed an assert that is no longer valid.
1653
1654         * runtime/RegExpObject.h:
1655         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
1656           fast path.
1657
1658         * runtime/RegExpPrototype.cpp:
1659         (JSC::RegExpPrototype::finishCreation):
1660         (JSC::regExpProtoFuncExec):
1661         (JSC::regExpProtoFuncSearch):
1662         (JSC::advanceStringIndex):
1663         (JSC::regExpProtoFuncSplitFast):
1664         * runtime/RegExpPrototype.h:
1665
1666         * runtime/StringObject.h:
1667         (JSC::jsStringWithReuse):
1668         (JSC::jsSubstring):
1669         - Hoisted some utility functions from StringPrototype.cpp so that they can be
1670           reused by the regexp split fast path.
1671
1672         * runtime/StringPrototype.cpp:
1673         (JSC::StringPrototype::finishCreation):
1674         (JSC::stringProtoFuncSplitFast):
1675         (JSC::stringProtoFuncSubstr):
1676         (JSC::builtinStringSubstrInternal):
1677         (JSC::stringProtoFuncSubstring):
1678         (JSC::stringIncludesImpl):
1679         (JSC::stringProtoFuncIncludes):
1680         (JSC::builtinStringIncludesInternal):
1681         (JSC::jsStringWithReuse): Deleted.
1682         (JSC::jsSubstring): Deleted.
1683         (JSC::stringProtoFuncSplit): Deleted.
1684         * runtime/StringPrototype.h:
1685
1686         * tests/es6.yaml:
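
What routing String.prototype.split through RegExp.prototype[@@split] makes observable from script, as an added example illustrating the split entries on this page (it is not WebKit's builtin code; the separator object and the subclass names are constructed here):

```javascript
// Added example, not WebKit code.  With String.prototype.split routed through
// RegExp.prototype[@@split], two things become observable from script: a
// separator that is not a RegExp can supply its own Symbol.split method, and
// a RegExp subclass sees its species constructor and exec() used by the split
// algorithm.  That observability is what the builtin's side-effect check has to
// rule out before it may take the native fast path.

// Hypothetical non-RegExp separator: String.prototype.split hands the whole
// job to its Symbol.split method.
const reversingSeparator = {
  [Symbol.split](string, limit) {
    const parts = string.split('-').reverse();
    return limit === undefined ? parts : parts.slice(0, limit);
  },
};

// Counts exec() calls made on behalf of the split algorithm.  The splitter the
// algorithm constructs is a fresh species instance, so the counter lives at
// module scope rather than on the original RegExp object.
let execCalls = 0;
class CountingRegExp extends RegExp {
  exec(string) {
    execCalls += 1;
    return super.exec(string);
  }
}

// Same override, but Symbol.species points back at the base RegExp: the split
// algorithm then builds a plain RegExp and the override is never consulted.
class PlainSpeciesRegExp extends CountingRegExp {
  static get [Symbol.species]() { return RegExp; }
}

function splitWithCustomSeparator() {
  return 'a-b-c'.split(reversingSeparator);       // ['c', 'b', 'a']
}

function splitWithSubclass(RegExpClass) {
  execCalls = 0;
  const result = 'a,b'.split(new RegExpClass(','));
  return { result, execCalls };
}

console.log(splitWithCustomSeparator());
console.log(splitWithSubclass(CountingRegExp));      // exec observed
console.log(splitWithSubclass(PlainSpeciesRegExp));  // exec bypassed
```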
1687
1688 2016-04-13  Mark Lam  <mark.lam@apple.com>
1689
1690         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
1691         https://bugs.webkit.org/show_bug.cgi?id=156532
1692
1693         Reviewed by Saam Barati and Filip Pizlo.
1694
1695         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
1696         the callee field of a log packet.  However, ShadowChicken::visitChildren()
1697         unconditionally visits the callee field of each packet as if it were a real
1698         object.  If visitChildren() encounters one of these markers in the log, we get a
1699         crash.
1700
1701         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
1702         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
1703         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
1704         some timely GCs, and we get a crash party.
1705
1706         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
1707         throwMarker.
1708
1709         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
1710         these markers so that ShadowChicken can continue to visit them.  For now, I'm
1711         going with the filter.
1712
1713         * interpreter/ShadowChicken.cpp:
1714         (JSC::ShadowChicken::visitChildren):
1715
1716 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1717
1718         [ES6] Add @@toStringTag to GeneratorFunction
1719         https://bugs.webkit.org/show_bug.cgi?id=156499
1720
1721         Reviewed by Mark Lam.
1722
1723         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
1724         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
1725
1726         * runtime/GeneratorFunctionPrototype.cpp:
1727         (JSC::GeneratorFunctionPrototype::finishCreation):
1728         * tests/es6.yaml:
1729         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
1730         (test):
1731
1732 2016-04-13  Alberto Garcia  <berto@igalia.com>
1733
1734         Fix build in glibc-based BSD systems
1735         https://bugs.webkit.org/show_bug.cgi?id=156533
1736
1737         Reviewed by Carlos Garcia Campos.
1738
1739         Change the order of the #elif conditionals so glibc-based BSD
1740         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
1741         OS(FREEBSD) blocks.
1742
1743         * heap/MachineStackMarker.cpp:
1744         (JSC::MachineThreads::Thread::Registers::stackPointer):
1745         (JSC::MachineThreads::Thread::Registers::framePointer):
1746         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1747         (JSC::MachineThreads::Thread::Registers::llintPC):
1748
1749 2016-04-12  Keith Miller  <keith_miller@apple.com>
1750
1751         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
1752         was not intended to land with r199397.
1753
1754         * runtime/ArrayPrototype.h:
1755         (JSC::ArrayPrototype::createStructure):
1756
1757 2016-04-12  Mark Lam  <mark.lam@apple.com>
1758
1759         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1760         https://bugs.webkit.org/show_bug.cgi?id=156013
1761
1762         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
1763
1764         Not reviewed.
1765
1766         * CMakeLists.txt:
1767         * JavaScriptCore.xcodeproj/project.pbxproj:
1768         * builtins/GlobalObject.js:
1769         (speciesGetter):
1770         (speciesConstructor): Deleted.
1771         * builtins/PromisePrototype.js:
1772         * builtins/RegExpPrototype.js:
1773         (advanceStringIndexUnicode):
1774         (match):
1775         (advanceStringIndex): Deleted.
1776         (regExpExec): Deleted.
1777         (hasObservableSideEffectsForRegExpSplit): Deleted.
1778         (split): Deleted.
1779         * builtins/StringPrototype.js:
1780         (repeat):
1781         (split): Deleted.
1782         * bytecode/BytecodeIntrinsicRegistry.cpp:
1783         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1784         (JSC::BytecodeIntrinsicRegistry::lookup):
1785         * bytecode/BytecodeIntrinsicRegistry.h:
1786         * runtime/CommonIdentifiers.h:
1787         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
1788         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
1789         * runtime/JSGlobalObject.cpp:
1790         (JSC::JSGlobalObject::setGlobalThis):
1791         (JSC::JSGlobalObject::init):
1792         (JSC::getGetterById): Deleted.
1793         * runtime/PropertyDescriptor.cpp:
1794         (JSC::PropertyDescriptor::setDescriptor):
1795         * runtime/RegExpObject.h:
1796         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
1797         * runtime/RegExpPrototype.cpp:
1798         (JSC::RegExpPrototype::finishCreation):
1799         (JSC::regExpProtoFuncExec):
1800         (JSC::regExpProtoFuncSearch):
1801         (JSC::advanceStringIndex): Deleted.
1802         (JSC::regExpProtoFuncSplitFast): Deleted.
1803         * runtime/RegExpPrototype.h:
1804         * runtime/StringObject.h:
1805         (JSC::jsStringWithReuse): Deleted.
1806         (JSC::jsSubstring): Deleted.
1807         * runtime/StringPrototype.cpp:
1808         (JSC::StringPrototype::finishCreation):
1809         (JSC::jsStringWithReuse):
1810         (JSC::jsSubstring):
1811         (JSC::substituteBackreferencesSlow):
1812         (JSC::splitStringByOneCharacterImpl):
1813         (JSC::stringProtoFuncSplit):
1814         (JSC::stringProtoFuncSubstr):
1815         (JSC::stringProtoFuncSubstring):
1816         (JSC::stringProtoFuncEndsWith):
1817         (JSC::stringProtoFuncIncludes):
1818         (JSC::stringProtoFuncIterator):
1819         (JSC::stringProtoFuncSplitFast): Deleted.
1820         (JSC::builtinStringSubstrInternal): Deleted.
1821         (JSC::stringIncludesImpl): Deleted.
1822         (JSC::builtinStringIncludesInternal): Deleted.
1823         * runtime/StringPrototype.h:
1824         * tests/es6.yaml:
1825
1826 2016-04-12  Mark Lam  <mark.lam@apple.com>
1827
1828         Remove 2 unused JSC options.
1829         https://bugs.webkit.org/show_bug.cgi?id=156526
1830
1831         Reviewed by Benjamin Poulain.
1832
1833         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
1834         now that we have B3.
1835
1836         * runtime/Options.h:
1837
1838 2016-04-12  Keith Miller  <keith_miller@apple.com>
1839
1840         [ES6] Add support for Symbol.isConcatSpreadable.
1841         https://bugs.webkit.org/show_bug.cgi?id=155351
1842
1843         Reviewed by Saam Barati.
1844
1845         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
1846         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
1847         a builtin performant. First, four new DFG intrinsics were added.
1848
1849         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
1850            the Array.isArray function.
1851         2) IsJSArray: checks the first child is a JSArray object.
1852         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
1853         4) CallObjectConstructor: an intrinsic of the Object constructor.
1854
1855         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
1856         we are able to prove that the first child is an Array or for ToObject an Object.
1857
1858         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
1859         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
1860         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
1861         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
1862         into a contiguous array).
1863
1864         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
1865         values onto the result array. This works roughly the same as the two array fast path using the same methodology
1866         to decide if we can memcpy the other butterfly into the result butterfly.
1867
1868         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
1869         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
1870         dataLog function on it.
1871
1872         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
1873         JSValueOperand if the operand's use count is one.
1874
1875         * JavaScriptCore.xcodeproj/project.pbxproj:
1876         * builtins/ArrayPrototype.js:
1877         (concatSlowPath):
1878         (concat):
1879         * bytecode/BytecodeIntrinsicRegistry.cpp:
1880         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1881         * bytecode/BytecodeIntrinsicRegistry.h:
1882         * dfg/DFGAbstractInterpreterInlines.h:
1883         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1884         * dfg/DFGByteCodeParser.cpp:
1885         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1886         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1887         * dfg/DFGClobberize.h:
1888         (JSC::DFG::clobberize):
1889         * dfg/DFGDoesGC.cpp:
1890         (JSC::DFG::doesGC):
1891         * dfg/DFGFixupPhase.cpp:
1892         (JSC::DFG::FixupPhase::fixupNode):
1893         * dfg/DFGNodeType.h:
1894         * dfg/DFGOperations.cpp:
1895         * dfg/DFGOperations.h:
1896         * dfg/DFGPredictionPropagationPhase.cpp:
1897         (JSC::DFG::PredictionPropagationPhase::propagate):
1898         * dfg/DFGSafeToExecute.h:
1899         (JSC::DFG::safeToExecute):
1900         * dfg/DFGSpeculativeJIT.cpp:
1901         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1902         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
1903         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
1904         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1905         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1906         * dfg/DFGSpeculativeJIT.h:
1907         (JSC::DFG::SpeculativeJIT::callOperation):
1908         * dfg/DFGSpeculativeJIT32_64.cpp:
1909         (JSC::DFG::SpeculativeJIT::compile):
1910         * dfg/DFGSpeculativeJIT64.cpp:
1911         (JSC::DFG::SpeculativeJIT::compile):
1912         * ftl/FTLCapabilities.cpp:
1913         (JSC::FTL::canCompile):
1914         * ftl/FTLLowerDFGToB3.cpp:
1915         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1916         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1917         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
1918         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1919         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
1920         (JSC::FTL::DFG::LowerDFGToB3::isArray):
1921         * jit/JITOperations.h:
1922         * jsc.cpp:
1923         (GlobalObject::finishCreation):
1924         (functionDataLogValue):
1925         * runtime/ArrayConstructor.cpp:
1926         (JSC::ArrayConstructor::finishCreation):
1927         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1928         * runtime/ArrayConstructor.h:
1929         (JSC::isArrayConstructor):
1930         * runtime/ArrayPrototype.cpp:
1931         (JSC::ArrayPrototype::finishCreation):
1932         (JSC::arrayProtoPrivateFuncIsJSArray):
1933         (JSC::moveElements):
1934         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1935         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1936         (JSC::arrayProtoFuncConcat): Deleted.
1937         * runtime/ArrayPrototype.h:
1938         (JSC::ArrayPrototype::createStructure):
1939         * runtime/CommonIdentifiers.h:
1940         * runtime/Intrinsic.h:
1941         * runtime/JSArray.cpp:
1942         (JSC::JSArray::appendMemcpy):
1943         (JSC::JSArray::fastConcatWith): Deleted.
1944         * runtime/JSArray.h:
1945         (JSC::JSArray::createStructure):
1946         (JSC::JSArray::fastConcatType): Deleted.
1947         * runtime/JSArrayInlines.h: Added.
1948         (JSC::JSArray::memCopyWithIndexingType):
1949         (JSC::JSArray::canFastCopy):
1950         * runtime/JSGlobalObject.cpp:
1951         (JSC::JSGlobalObject::init):
1952         * runtime/JSType.h:
1953         * runtime/ObjectConstructor.h:
1954         (JSC::constructObject):
1955         * tests/es6.yaml:
1956         * tests/stress/array-concat-spread-object.js: Added.
1957         (arrayEq):
1958         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
1959         (arrayEq):
1960         * tests/stress/array-concat-spread-proxy.js: Added.
1961         (arrayEq):
1962         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
1963         (arrayEq):
1964         * tests/stress/array-species-config-array-constructor.js:
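
A spec-shaped JavaScript reference for the concat semantics the entry above moves into a builtin, as an added example that is not WebKit's ArrayPrototype.js: it implements IsConcatSpreadable and the generic (slow-path) copy loop, then checks them against the engine's native concat on the same constructed inputs. The helper names (toLength, isConcatSpreadable, specConcat, compareWithNative) are chosen here, and ArraySpeciesCreate is simplified to a plain Array.

```javascript
// Added example, not WebKit code: a spec-shaped reference for the
// Array.prototype.concat semantics that the entry above moves into a builtin.
// IsConcatSpreadable consults Symbol.isConcatSpreadable first and falls back
// to IsArray, which sees through Proxy wrappers.  The generic path below is
// the behaviour the memcpy fast paths must preserve, so it is compared with
// the engine's native concat on the same inputs.

// ToLength: NaN and negatives clamp to 0, large values to 2^53 - 1.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (!(n > 0)) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// IsConcatSpreadable(O): only objects can spread; an explicit
// Symbol.isConcatSpreadable wins; otherwise Array.isArray decides.
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return false;
  }
  const spreadable = value[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(value);
}

// Generic concat (the builtin's slow path): copy the index properties of each
// spreadable argument, keeping holes as holes, and append anything else as a
// single element.  ArraySpeciesCreate is simplified to a plain Array here.
function specConcat(receiver, ...args) {
  const result = [];
  let n = 0;
  for (const item of [receiver, ...args]) {
    if (isConcatSpreadable(item)) {
      const len = toLength(item.length);
      for (let k = 0; k < len; k++, n++) {
        if (k in item) result[n] = item[k];
      }
    } else {
      result[n++] = item;
    }
  }
  result.length = n;   // trailing holes still count towards the length
  return result;
}

// Constructed inputs mirroring the cases the new stress tests cover:
// an array-like opted in, a real array opted out, and a Proxy over an array.
const spreadableArrayLike = { length: 2, 0: 'x', 1: 'y', [Symbol.isConcatSpreadable]: true };
const nonSpreadableArray = Object.assign([3, 4], { [Symbol.isConcatSpreadable]: false });
const proxiedArray = new Proxy([5, 6], {});

// Runs the reference and the native builtin on the same inputs.
function compareWithNative() {
  const base = [1, 2];
  return {
    reference: specConcat(base, spreadableArrayLike, nonSpreadableArray, proxiedArray, 7),
    native: base.concat(spreadableArrayLike, nonSpreadableArray, proxiedArray, 7),
  };
}

console.log(compareWithNative());
```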
1965
1966 2016-04-12  Saam barati  <sbarati@apple.com>
1967
1968         Let's not iterate over the constant pool twice every time we link a code block
1969         https://bugs.webkit.org/show_bug.cgi?id=156517
1970
1971         Reviewed by Mark Lam.
1972
1973         I introduced a second iteration over the constant pool when I implemented
1974         block scoping. I did this because we must clone all the symbol tables when
1975         we link a CodeBlock. We can just do this cloning when setting the constant
1976         registers for the first time. There is no need to iterate over the constant
1977         pool a second time.
1978
1979         * bytecode/CodeBlock.cpp:
1980         (JSC::CodeBlock::finishCreation):
1981         (JSC::CodeBlock::~CodeBlock):
1982         (JSC::CodeBlock::setConstantRegisters):
1983         (JSC::CodeBlock::setAlternative):
1984         * bytecode/CodeBlock.h:
1985         (JSC::CodeBlock::replaceConstant):
1986         (JSC::CodeBlock::setConstantRegisters): Deleted.
1987
1988 2016-04-12  Mark Lam  <mark.lam@apple.com>
1989
1990         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1991         https://bugs.webkit.org/show_bug.cgi?id=156013
1992
1993         Reviewed by Keith Miller.
1994
1995         * CMakeLists.txt:
1996         * JavaScriptCore.xcodeproj/project.pbxproj:
1997         * builtins/GlobalObject.js:
1998         (speciesConstructor):
1999         * builtins/PromisePrototype.js:
2000         - refactored to use the @speciesConstructor internal function.
2001
2002         * builtins/RegExpPrototype.js:
2003         (advanceStringIndex):
2004         - refactored from @advanceStringIndexUnicode() to match the spec.
2005           Benchmarks show that there's no advantage in doing the unicode check outside
2006           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
2007           spec (especially since @@split needs to call advanceStringIndex from more than
2008           1 location).
2009         (match):
2010         - Removed an unnecessary call to @Object because it was already proven above.
2011         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2012           Again, there's no perf regression for this.
2013         (regExpExec):
2014         (hasObservableSideEffectsForRegExpSplit):
2015         (split):
2016         (advanceStringIndexUnicode): Deleted.
2017
2018         * builtins/StringPrototype.js:
2019         (split):
2020         - Modified to use RegExp.prototype[@@split].
2021
2022         * bytecode/BytecodeIntrinsicRegistry.cpp:
2023         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2024         (JSC::BytecodeIntrinsicRegistry::lookup):
2025         * bytecode/BytecodeIntrinsicRegistry.h:
2026         - Added the @@split symbol.
2027
2028         * runtime/CommonIdentifiers.h:
2029         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2030         (JSC::esSpecIsConstructor):
2031         (JSC::esSpecIsRegExp):
2032         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2033
2034         * runtime/JSGlobalObject.cpp:
2035         (JSC::getGetterById):
2036         (JSC::JSGlobalObject::init):
2037
2038         * runtime/PropertyDescriptor.cpp:
2039         (JSC::PropertyDescriptor::setDescriptor):
2040         - Removed an assert that is no longer valid.
2041
2042         * runtime/RegExpObject.h:
2043         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2044           fast path.
2045
2046         * runtime/RegExpPrototype.cpp:
2047         (JSC::RegExpPrototype::finishCreation):
2048         (JSC::regExpProtoFuncExec):
2049         (JSC::regExpProtoFuncSearch):
2050         (JSC::advanceStringIndex):
2051         (JSC::regExpProtoFuncSplitFast):
2052         * runtime/RegExpPrototype.h:
2053
2054         * runtime/StringObject.h:
2055         (JSC::jsStringWithReuse):
2056         (JSC::jsSubstring):
2057         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2058           reused by the regexp split fast path.
2059
2060         * runtime/StringPrototype.cpp:
2061         (JSC::StringPrototype::finishCreation):
2062         (JSC::stringProtoFuncSplitFast):
2063         (JSC::stringProtoFuncSubstr):
2064         (JSC::builtinStringSubstrInternal):
2065         (JSC::stringProtoFuncSubstring):
2066         (JSC::stringIncludesImpl):
2067         (JSC::stringProtoFuncIncludes):
2068         (JSC::builtinStringIncludesInternal):
2069         (JSC::jsStringWithReuse): Deleted.
2070         (JSC::jsSubstring): Deleted.
2071         (JSC::stringProtoFuncSplit): Deleted.
2072         * runtime/StringPrototype.h:
2073
2074         * tests/es6.yaml:
2075
2076 2016-04-12  Keith Miller  <keith_miller@apple.com>
2077
2078         AbstractValue should use the result type to filter structures
2079         https://bugs.webkit.org/show_bug.cgi?id=156516
2080
2081         Reviewed by Geoffrey Garen.
2082
2083         When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
2084         filtering out the valid structures (despite what the comment directly above said). This
2085         would cause us to crash if our structure-set was Top and the two speculated types were
2086         different kinds of cells.
2087
2088         * dfg/DFGAbstractValue.cpp:
2089         (JSC::DFG::AbstractValue::filter):
2090         * tests/stress/ai-consistency-filter-cells.js: Added.
2091         (get value):
2092         (attribute.value.get record):
2093         (attribute.attrs.get this):
2094         (get foo):
2095         (let.thisValue.return.serialize):
2096         (let.thisValue.transformFor):
2097
2098 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
2099
2100         Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
2101         with a comment that describes what we do now.
2102
2103         * bytecode/PolymorphicAccess.h:
2104
2105 2016-04-12  Saam barati  <sbarati@apple.com>
2106
2107         isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.
2108
2109         Rubber-stamped by Filip Pizlo.
2110
2111         * bytecode/CodeBlock.cpp:
2112         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2113         (JSC::CodeBlock::ensureResultProfile):
2114
2115 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2116
2117         PolymorphicAccess should buffer AccessCases before regenerating
2118         https://bugs.webkit.org/show_bug.cgi?id=156457
2119
2120         Reviewed by Benjamin Poulain.
2121
2122         Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
2123         regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.
2124
2125         One way to fix this is to have each AccessCase generate a stub just for itself, which
2126         cascades down to the already-generated cases. But that removes the binary switch
2127         optimization, which makes the IC perform great even when there are many cases.
2128
2129         This change fixes the issue by buffering access cases. When we take slow path and try to add
2130         a new case, the StructureStubInfo will usually just buffer the new case without generating
2131         new code. We simply guarantee that after we buffer a case, we will take at most
2132         Options::repatchBufferingCountdown() slow path calls before generating code for it. That
2133         option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
2134         gather more access cases, or to realize that this IC is too crazy to bother with.
2135
2136         This change ensures that the DFG still gets the same kind of profiling. This is because the
2137         buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
2138         GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
2139         hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
2140         see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
2141         handle this just fine.
2142         
2143         There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
2144         structures that it has seen as a guard to prevent adding lots of redundant cases, in case
2145         we see the same 7 cases after buffering the first one. This cache means we won't wastefully
2146         allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
2147         having separate addCase() and regenerate() calls. That means a bit more moving data around.
2148         So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
2149         There is room for improvement for future patches, to be sure.
2150         
2151         This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
2152         pathologies I saw in page loads.
2153
2154         * bytecode/GetByIdStatus.cpp:
2155         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2156         * bytecode/PolymorphicAccess.cpp:
2157         (JSC::PolymorphicAccess::PolymorphicAccess):
2158         (JSC::PolymorphicAccess::~PolymorphicAccess):
2159         (JSC::PolymorphicAccess::addCases):
2160         (JSC::PolymorphicAccess::addCase):
2161         (JSC::PolymorphicAccess::visitWeak):
2162         (JSC::PolymorphicAccess::dump):
2163         (JSC::PolymorphicAccess::commit):
2164         (JSC::PolymorphicAccess::regenerate):
2165         (JSC::PolymorphicAccess::aboutToDie):
2166         (WTF::printInternal):
2167         (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
2168         (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
2169         * bytecode/PolymorphicAccess.h:
2170         (JSC::AccessCase::isGetter):
2171         (JSC::AccessCase::callLinkInfo):
2172         (JSC::AccessGenerationResult::AccessGenerationResult):
2173         (JSC::AccessGenerationResult::madeNoChanges):
2174         (JSC::AccessGenerationResult::gaveUp):
2175         (JSC::AccessGenerationResult::buffered):
2176         (JSC::AccessGenerationResult::generatedNewCode):
2177         (JSC::AccessGenerationResult::generatedFinalCode):
2178         (JSC::AccessGenerationResult::shouldGiveUpNow):
2179         (JSC::AccessGenerationResult::generatedSomeCode):
2180         (JSC::PolymorphicAccess::isEmpty):
2181         (JSC::PolymorphicAccess::size):
2182         (JSC::PolymorphicAccess::at):
2183         * bytecode/PutByIdStatus.cpp:
2184         (JSC::PutByIdStatus::computeForStubInfo):
2185         * bytecode/StructureStubInfo.cpp:
2186         (JSC::StructureStubInfo::StructureStubInfo):
2187         (JSC::StructureStubInfo::addAccessCase):
2188         (JSC::StructureStubInfo::reset):
2189         (JSC::StructureStubInfo::visitWeakReferences):
2190         * bytecode/StructureStubInfo.h:
2191         (JSC::StructureStubInfo::considerCaching):
2192         (JSC::StructureStubInfo::willRepatch): Deleted.
2193         (JSC::StructureStubInfo::willCoolDown): Deleted.
2194         * jit/JITOperations.cpp:
2195         * jit/Repatch.cpp:
2196         (JSC::tryCacheGetByID):
2197         (JSC::repatchGetByID):
2198         (JSC::tryCachePutByID):
2199         (JSC::repatchPutByID):
2200         (JSC::tryRepatchIn):
2201         (JSC::repatchIn):
2202         * runtime/JSCJSValue.h:
2203         * runtime/JSCJSValueInlines.h:
2204         (JSC::JSValue::putByIndex):
2205         (JSC::JSValue::structureOrNull):
2206         (JSC::JSValue::structureOrUndefined):
2207         * runtime/Options.h:
2208
2209 2016-04-12  Saam barati  <sbarati@apple.com>
2210
2211         There is a race with the compiler thread and the main thread with result profiles
2212         https://bugs.webkit.org/show_bug.cgi?id=156503
2213
2214         Reviewed by Filip Pizlo.
2215
2216         The compiler thread should not be asking for a result
2217         profile while the execution thread is creating one.
2218         We must guard against such races with a lock.
2219
2220         * bytecode/CodeBlock.cpp:
2221         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2222         (JSC::CodeBlock::ensureResultProfile):
2223         (JSC::CodeBlock::capabilityLevel):
2224         * bytecode/CodeBlock.h:
2225         (JSC::CodeBlock::couldTakeSlowCase):
2226         (JSC::CodeBlock::numberOfResultProfiles):
2227         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
2228         (JSC::CodeBlock::ensureResultProfile): Deleted.
2229
2230 2016-04-12  Commit Queue  <commit-queue@webkit.org>
2231
2232         Unreviewed, rolling out r199339.
2233         https://bugs.webkit.org/show_bug.cgi?id=156505
2234
2235         memset_s is indeed necessary (Requested by alexchristensen_ on
2236         #webkit).
2237
2238         Reverted changeset:
2239
2240         "Build fix after r199299."
2241         https://bugs.webkit.org/show_bug.cgi?id=155508
2242         http://trac.webkit.org/changeset/199339
2243
2244 2016-04-12  Guillaume Emont  <guijemont@igalia.com>
2245
2246         MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
2247         https://bugs.webkit.org/show_bug.cgi?id=156481
2248
2249         This method with this signature is used by r199075, and therefore
2250         WebKit doesn't build on MIPS since then.
2251
2252         Reviewed by Mark Lam.
2253
2254         * assembler/MacroAssemblerMIPS.h:
2255         (JSC::MacroAssemblerMIPS::store8):
2256
2257 2016-04-12  Saam barati  <sbarati@apple.com>
2258
2259         We incorrectly parse arrow function expressions
2260         https://bugs.webkit.org/show_bug.cgi?id=156373
2261
2262         Reviewed by Mark Lam.
2263
2264         This patch removes the notion of "isEndOfArrowFunction".
2265         This was a very weird function and it was incorrect.
2266         It checked that the arrow functions with concise body
2267         grammar production "had a valid ending". "had a valid
2268         ending" is in quotes because concise body arrow functions
2269         have a valid ending as long as their body has a valid
2270         assignment expression. I've removed all notion of this
2271         function because it was wrong and was causing us
2272         to throw syntax errors on valid programs.
2273
2274         * parser/Lexer.cpp:
2275         (JSC::Lexer<T>::nextTokenIsColon):
2276         (JSC::Lexer<T>::lex):
2277         (JSC::Lexer<T>::setTokenPosition): Deleted.
2278         * parser/Lexer.h:
2279         (JSC::Lexer::setIsReparsingFunction):
2280         (JSC::Lexer::isReparsingFunction):
2281         (JSC::Lexer::lineNumber):
2282         * parser/Parser.cpp:
2283         (JSC::Parser<LexerType>::parseInner):
2284         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2285         (JSC::Parser<LexerType>::parseFunctionInfo):
2286         * parser/Parser.h:
2287         (JSC::Parser::matchIdentifierOrKeyword):
2288         (JSC::Parser::tokenStart):
2289         (JSC::Parser::autoSemiColon):
2290         (JSC::Parser::canRecurse):
2291         (JSC::Parser::isEndOfArrowFunction): Deleted.
2292         (JSC::Parser::setEndOfStatement): Deleted.
2293         * tests/stress/arrowfunction-others.js:
2294         (testCase):
2295         (simpleArrowFunction):
2296         (truthy):
2297         (falsey):
2298
2299 2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2300
2301         [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
2302         https://bugs.webkit.org/show_bug.cgi?id=155110
2303
2304         Reviewed by Saam Barati.
2305
2306         `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
2307         So, all the global variable lookups pointing to these static globals are not converted
2308         into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
2309         This avoids the constant folding chance and emits CheckCell for @privateFunction inlining.
2310         This operation is pure overhead.
2311
2312         Static globals are not configurable, and they are typically non-writable.
2313         So they are constants in almost all the cases.
2314
2315         This patch initializes watchpoints for these static globals.
2316         These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
2317         These watchpoints include many builtin operations and `undefined`.
2318
2319         The microbenchmark many-foreach-calls shows a 5 - 7% improvement, since it removes an unnecessary CheckCell.
2320
2321         * bytecode/VariableWriteFireDetail.h:
2322         * runtime/JSGlobalObject.cpp:
2323         (JSC::JSGlobalObject::addGlobalVar):
2324         (JSC::JSGlobalObject::addStaticGlobals):
2325         * runtime/JSSymbolTableObject.h:
2326         (JSC::symbolTablePutTouchWatchpointSet):
2327         (JSC::symbolTablePutInvalidateWatchpointSet):
2328         (JSC::symbolTablePut):
2329         (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
2330         * runtime/SymbolTable.h:
2331         (JSC::SymbolTableEntry::SymbolTableEntry):
2332         (JSC::SymbolTableEntry::operator=):
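
The mechanism this entry relies on, as an added sketch that is not JSC's code: a SymbolTableEntry with a WatchpointSet lets the optimizing compiler fold a global load into a constant, and a write to that global fires the set so the folded code is discarded. GlobalObject, compileGlobalLoad(), CompiledLoad and the plain int value type are constructed stand-ins for JSGlobalObject, the DFG bytecode parser and JSValue; the two addStaticGlobal variants contrast the entry without a WatchpointSet (the behaviour before this change) with the watched one.

```cpp
#include <map>
#include <memory>
#include <string>

// Added sketch of the watchpoint mechanism described above; it is not JSC's
// code. GlobalObject, compileGlobalLoad() and the plain int value are
// constructed stand-ins for JSGlobalObject, the DFG bytecode parser and JSValue.
enum class WatchpointState { ClearWatchpoint, IsWatched, IsInvalidated };

struct WatchpointSet {
    WatchpointState state = WatchpointState::ClearWatchpoint;
    bool isStillValid() const { return state != WatchpointState::IsInvalidated; }
    void startWatching() {
        if (state == WatchpointState::ClearWatchpoint)
            state = WatchpointState::IsWatched;
    }
    void fireAll() { state = WatchpointState::IsInvalidated; }
};

struct SymbolTableEntry {
    int value = 0;
    bool readOnly = false;
    std::shared_ptr<WatchpointSet> watchpoints; // null: lookups can never be folded
};

struct GlobalObject {
    std::map<std::string, SymbolTableEntry> symbolTable;

    // Before the change: the static global had no WatchpointSet at all.
    void addStaticGlobalWithoutWatchpoint(const std::string& name, int value, bool readOnly) {
        SymbolTableEntry entry;
        entry.value = value;
        entry.readOnly = readOnly;
        symbolTable[name] = entry;
    }
    // After the change: every static global gets a WatchpointSet.
    void addStaticGlobal(const std::string& name, int value, bool readOnly) {
        addStaticGlobalWithoutWatchpoint(name, value, readOnly);
        symbolTable[name].watchpoints = std::make_shared<WatchpointSet>();
    }
    // symbolTablePut: a successful write invalidates the set, so any compiled
    // code that folded the old value must be thrown away.
    bool put(const std::string& name, int value) {
        auto it = symbolTable.find(name);
        if (it == symbolTable.end() || it->second.readOnly)
            return false;
        it->second.value = value;
        if (it->second.watchpoints)
            it->second.watchpoints->fireAll();
        return true;
    }
};

// The result of compiling one global variable load.
struct CompiledLoad {
    bool folded;                              // true: constant; false: stays GetGlobalVar
    int constant;
    std::shared_ptr<WatchpointSet> dependsOn; // the watchpoint the compiled code relies on
};

// What the optimizing compiler does when it parses a global load: if the entry
// has a valid WatchpointSet, start watching it and fold the current value.
CompiledLoad compileGlobalLoad(GlobalObject& global, const std::string& name) {
    SymbolTableEntry& entry = global.symbolTable.at(name);
    if (!entry.watchpoints || !entry.watchpoints->isStillValid())
        return { false, 0, nullptr };
    entry.watchpoints->startWatching();
    return { true, entry.value, entry.watchpoints };
}

// Is code compiled earlier still allowed to run?
bool compiledCodeStillValid(const CompiledLoad& load) {
    return !load.folded || load.dependsOn->isStillValid();
}
```

The read-only entry never fires its set, which is why the entry above calls such globals constants "in almost all the cases"; the writable one folds just as well until the first write, at which point the dependent compiled code is no longer valid.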
2333         (JSC::SymbolTableEntry::swap):
2334
2335 2016-04-12  Alex Christensen  <achristensen@webkit.org>
2336
2337         Build fix after r199299.
2338         https://bugs.webkit.org/show_bug.cgi?id=155508
2339
2340         * jit/ExecutableAllocatorFixedVMPool.cpp:
2341         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2342         memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
2343         Since the return value is unused and set_constraint_handler_s is never called,
2344         I'm changing it to memset.
2345
2346 2016-04-11  Benjamin Poulain  <bpoulain@apple.com>
2347
2348         [JSC] B3 can use undefined bits or not defined required bits when spilling
2349         https://bugs.webkit.org/show_bug.cgi?id=156486
2350
2351         Reviewed by Filip Pizlo.
2352
2353         Spilling had issues when replacing arguments in place.
2354
2355         The problems are:
2356         1) If we have a 32bit stackslot, an x86 instruction could still try to load 64bits from it.
2357         2) If we have a 64bit stackslot, Move32 would only set half the bits.
2358         3) We were reducing Move to Move32 even if the top bits are read from the stack slot.
2359
2360         Case 1 appears with something like this:
2361             Move32 %tmp0, %tmp1
2362             Op64 %tmp1, %tmp2, %tmp3
2363         When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
2364         but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
2365         we are creating a 64bit read for a 32bit stack slot.
2366
2367         Case 2 is another common one. If we have:
2368             BB#1
2369                 Move32 %tmp0, %tmp1
2370                 Jump #3
2371             BB#2
2372                 Op64 %tmp0, %tmp1
2373                 Jump #3
2374             BB#3
2375                 Use64 %tmp1
2376
2377         We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
2378         effectively doing a 32bit store on the stack slot, leaving the top bits undefined.
2379
2380         Case 3 is pretty much the same as 2, but we create the Move32 ourselves
2381         because the source is 32bit with ZDef.
2382
2383         Case (1) is solved by requiring that the stack slot is at least as large as the largest
2384         use/def of that tmp.
2385
2386         Case (2) and (3) are solved by not replacing a Tmp by an Address if the Def
2387         is smaller than the stack slot.
2388
2389         * b3/air/AirIteratedRegisterCoalescing.cpp:
2390         * b3/testb3.cpp:
2391         (JSC::B3::testSpillDefSmallerThanUse):
2392         (JSC::B3::testSpillUseLargerThanDef):
2393         (JSC::B3::run):
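
The two rules stated above, as an added illustration that is not Air's own code: Width, Role, Operand, Inst and the helper functions are simplified stand-ins for the Air types and for the spill logic in AirIteratedRegisterCoalescing.cpp. slotWidthFor() implements the fix for case (1), canReplaceWithAddress() the fix for cases (2) and (3), and load64AfterStore32() shows, at the byte level, why a 32bit store into a 64bit slot leaves the top bits undefined. The operand roles assumed for "Op64 %tmp1, %tmp2, %tmp3" (two uses and a def) are an assumption, since the entry does not spell them out.

```cpp
#include <cstdint>
#include <vector>

// Added illustration of the two spill rules stated above; it is not Air's
// code. Width, Role, Operand, Inst and the helper functions are simplified
// stand-ins for the corresponding Air types and for the spill logic in
// AirIteratedRegisterCoalescing.cpp.
enum class Width : unsigned { W32 = 4, W64 = 8 }; // byte sizes
enum class Role { Use, Def };

struct Operand { unsigned tmp; Role role; Width width; };
struct Inst { const char* opcode; std::vector<Operand> operands; };

// Rule for case (1): the stack slot must be at least as large as the largest
// use or def of the tmp, so a 64bit read can never run past a 32bit slot.
Width slotWidthFor(unsigned tmp, const std::vector<Inst>& code) {
    Width width = Width::W32;
    for (const Inst& inst : code) {
        for (const Operand& op : inst.operands) {
            if (op.tmp == tmp && op.width == Width::W64)
                width = Width::W64;
        }
    }
    return width;
}

// Rule for cases (2) and (3): a def may be rewritten to address the slot only
// if it writes every byte of the slot. A narrower def (Move32 into a 64bit
// slot) keeps its register, and the spill store happens at full slot width.
bool canReplaceWithAddress(const Operand& op, Width slotWidth) {
    if (op.role == Role::Def)
        return static_cast<unsigned>(op.width) >= static_cast<unsigned>(slotWidth);
    return true; // uses never exceed the slot width thanks to slotWidthFor()
}

// For each instruction, whether `tmp` in it may be replaced by the slot address.
std::vector<bool> spillDecisions(unsigned tmp, const std::vector<Inst>& code) {
    Width slot = slotWidthFor(tmp, code);
    std::vector<bool> decisions;
    for (const Inst& inst : code) {
        bool replace = true;
        bool mentions = false;
        for (const Operand& op : inst.operands) {
            if (op.tmp != tmp)
                continue;
            mentions = true;
            replace = replace && canReplaceWithAddress(op, slot);
        }
        decisions.push_back(mentions && replace);
    }
    return decisions;
}

// What goes wrong without the rules: a 32bit store into a 64bit slot leaves
// whatever was there before in the top bytes. Bytes are laid out little-endian
// by hand so the result does not depend on the host.
uint64_t load64AfterStore32(uint64_t previousSlotContents, uint32_t value) {
    uint8_t slot[8];
    for (int i = 0; i < 8; i++)
        slot[i] = static_cast<uint8_t>(previousSlotContents >> (8 * i));
    for (int i = 0; i < 4; i++) // Move32 to the slot: only the low four bytes
        slot[i] = static_cast<uint8_t>(value >> (8 * i));
    uint64_t loaded = 0;
    for (int i = 0; i < 8; i++) // Use64 reads the whole slot back
        loaded |= static_cast<uint64_t>(slot[i]) << (8 * i);
    return loaded;
}

// Case (1) from the entry: Move32 %tmp0, %tmp1 / Op64 %tmp1, %tmp2, %tmp3
// (operand roles for Op64 are an assumption).
std::vector<Inst> case1() {
    return {
        { "Move32", { { 0, Role::Use, Width::W32 }, { 1, Role::Def, Width::W32 } } },
        { "Op64",   { { 1, Role::Use, Width::W64 }, { 2, Role::Use, Width::W64 }, { 3, Role::Def, Width::W64 } } },
    };
}

// Case (2): Move32 in one block, Op64 in another, Use64 at the join.
std::vector<Inst> case2() {
    return {
        { "Move32", { { 0, Role::Use, Width::W32 }, { 1, Role::Def, Width::W32 } } },
        { "Op64",   { { 0, Role::Use, Width::W64 }, { 1, Role::Def, Width::W64 } } },
        { "Use64",  { { 1, Role::Use, Width::W64 } } },
    };
}
```

In both cases %tmp1 gets a 64bit slot, the Move32 def is the one operand that may not be turned into a stack address, and the 64bit use of the slot only sees defined bits once that rule is in place.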
2394
2395 2016-04-11  Brian Burg  <bburg@apple.com>
2396
2397         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2398         https://bugs.webkit.org/show_bug.cgi?id=156407
2399         <rdar://problem/25627659>
2400
2401         Reviewed by Joseph Pecoraro.
2402
2403         There's no point having these subclasses as they don't save any space.
2404         Add a StringImpl to the union and merge some implementations of writeJSON.
2405
2406         Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
2407         If the value is a string and the string is not empty or null (i.e., it has a
2408         StringImpl), then we need to ref() and deref() the string as the InspectorValue
2409         is created or destroyed.
2410
2411         Move uses of the subclass to InspectorValue and delete redundant methods.
2412         Now, most InspectorValue methods are non-virtual so they can be templated.
2413
2414         * bindings/ScriptValue.cpp:
2415         (Deprecated::jsToInspectorValue):
2416         * inspector/InjectedScriptBase.cpp:
2417         (Inspector::InjectedScriptBase::makeCall):
2418         Don't use deleted subclasses.
2419
2420         * inspector/InspectorValues.cpp:
2421         (Inspector::InspectorValue::null):
2422         (Inspector::InspectorValue::create):
2423         (Inspector::InspectorValue::asValue):
2424         (Inspector::InspectorValue::asBoolean):
2425         (Inspector::InspectorValue::asDouble):
2426         (Inspector::InspectorValue::asInteger):
2427         (Inspector::InspectorValue::asString):
2428         These only need one implementation now.
2429
2430         (Inspector::InspectorValue::writeJSON):
2431         Still a virtual method since Object and Array need their members.
2432
2433         (Inspector::InspectorObjectBase::InspectorObjectBase):
2434         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2435         (Inspector::InspectorBasicValue::asDouble): Deleted.
2436         (Inspector::InspectorBasicValue::asInteger): Deleted.
2437         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2438         (Inspector::InspectorString::asString): Deleted.
2439         (Inspector::InspectorString::writeJSON): Deleted.
2440         (Inspector::InspectorString::create): Deleted.
2441         (Inspector::InspectorBasicValue::create): Deleted.
2442
2443         * inspector/InspectorValues.h:
2444         (Inspector::InspectorObjectBase::find):
2445         (Inspector::InspectorObjectBase::setBoolean):
2446         (Inspector::InspectorObjectBase::setInteger):
2447         (Inspector::InspectorObjectBase::setDouble):
2448         (Inspector::InspectorObjectBase::setString):
2449         (Inspector::InspectorObjectBase::setValue):
2450         (Inspector::InspectorObjectBase::setObject):
2451         (Inspector::InspectorObjectBase::setArray):
2452         (Inspector::InspectorArrayBase::pushBoolean):
2453         (Inspector::InspectorArrayBase::pushInteger):
2454         (Inspector::InspectorArrayBase::pushDouble):
2455         (Inspector::InspectorArrayBase::pushString):
2456         (Inspector::InspectorArrayBase::pushValue):
2457         (Inspector::InspectorArrayBase::pushObject):
2458         (Inspector::InspectorArrayBase::pushArray):
2459         Use new factory methods.
2460
2461         * replay/EncodedValue.cpp:
2462         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2463         (JSC::ScalarEncodingTraits<double>::encodeValue):
2464         (JSC::ScalarEncodingTraits<float>::encodeValue):
2465         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2466         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2467         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2468         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2469         * replay/EncodedValue.h:
2470         Use new factory methods.
2471
2472 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2473
2474         It should be possible to edit StructureStubInfo without recompiling the world
2475         https://bugs.webkit.org/show_bug.cgi?id=156470
2476
2477         Reviewed by Keith Miller.
2478
2479         This change makes it less painful to make changes to the IC code. It used to be that any
2480         change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
2481         smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
2482         is mainly because CodeBlock.h no longer includes StructureStubInfo.h.
2483
2484         * bytecode/ByValInfo.h:
2485         * bytecode/CodeBlock.cpp:
2486         * bytecode/CodeBlock.h:
2487         * bytecode/GetByIdStatus.cpp:
2488         * bytecode/GetByIdStatus.h:
2489         * bytecode/PutByIdStatus.cpp:
2490         * bytecode/PutByIdStatus.h:
2491         * bytecode/StructureStubInfo.h:
2492         (JSC::getStructureStubInfoCodeOrigin):
2493         * dfg/DFGByteCodeParser.cpp:
2494         * dfg/DFGJITCompiler.cpp:
2495         * dfg/DFGOSRExitCompilerCommon.cpp:
2496         * dfg/DFGSpeculativeJIT.h:
2497         * ftl/FTLLowerDFGToB3.cpp:
2498         * ftl/FTLSlowPathCall.h:
2499         * jit/IntrinsicEmitter.cpp:
2500         * jit/JITInlineCacheGenerator.cpp:
2501         * jit/JITInlineCacheGenerator.h:
2502         * jit/JITOperations.cpp:
2503         * jit/JITPropertyAccess.cpp:
2504         * jit/JITPropertyAccess32_64.cpp:
2505
2506 2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>
2507
2508         Remove NewArrowFunction from DFG IR
2509         https://bugs.webkit.org/show_bug.cgi?id=156439
2510
2511         Reviewed by Saam Barati.
2512
2513         It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.
2514
2515         * dfg/DFGAbstractInterpreterInlines.h:
2516         * dfg/DFGClobberize.h:
2517         (JSC::DFG::clobberize):
2518         * dfg/DFGClobbersExitState.cpp:
2519         * dfg/DFGDoesGC.cpp:
2520         * dfg/DFGFixupPhase.cpp:
2521         * dfg/DFGMayExit.cpp:
2522         * dfg/DFGNode.h:
2523         (JSC::DFG::Node::convertToPhantomNewFunction):
2524         * dfg/DFGNodeType.h:
2525         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2526         * dfg/DFGPredictionPropagationPhase.cpp:
2527         * dfg/DFGSafeToExecute.h:
2528         * dfg/DFGSpeculativeJIT.cpp:
2529         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2530         * dfg/DFGSpeculativeJIT32_64.cpp:
2531         * dfg/DFGSpeculativeJIT64.cpp:
2532         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2533         * dfg/DFGStructureRegistrationPhase.cpp:
2534         * ftl/FTLCapabilities.cpp:
2535         * ftl/FTLLowerDFGToB3.cpp:
2536         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2537
2538 2016-04-05  Oliver Hunt  <oliver@apple.com>
2539
2540         Remove compile time define for SEPARATED_HEAP
2541         https://bugs.webkit.org/show_bug.cgi?id=155508
2542
2543         Reviewed by Mark Lam.
2544
2545         Remove the SEPARATED_HEAP compile time flag. The separated
2546         heap is available, but off by default, on x86_64, ARMv7, and
2547         ARM64.
2548
2549         Working through the issues that happened last time essentially
2550         required implementing the ARMv7 path for the separated heap
2551         just so I could find all the ways it was going wrong.
2552
2553         We fixed all the logic by making the branch and jump logic in
2554         the linker and assemblers take two parameters, the location to
2555         write to, and the location we'll actually be writing to. We 
2556         need to do this because it's no longer sufficient to compute
2557         jumps relative to the region the linker is writing to.
2558
2559         The repatching jump, branch, and call functions only need the
2560         executable address as the patching is performed directly using the
2561         performJITMemcpy function, which works in terms of the executable
2562         address.
2563
2564         There is no performance impact on jsc-benchmarks with the separate
2565         heap either enabled or disabled.
2566
2567         * Configurations/FeatureDefines.xcconfig:
2568         * assembler/ARM64Assembler.h:
2569         (JSC::ARM64Assembler::linkJump):
2570         (JSC::ARM64Assembler::linkCall):
2571         (JSC::ARM64Assembler::relinkJump):
2572         (JSC::ARM64Assembler::relinkCall):
2573         (JSC::ARM64Assembler::link):
2574         (JSC::ARM64Assembler::linkJumpOrCall):
2575         (JSC::ARM64Assembler::linkCompareAndBranch):
2576         (JSC::ARM64Assembler::linkConditionalBranch):
2577         (JSC::ARM64Assembler::linkTestAndBranch):
2578         (JSC::ARM64Assembler::relinkJumpOrCall):
2579         * assembler/ARMv7Assembler.h:
2580         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
2581         (JSC::ARMv7Assembler::revertJumpTo_movT3):
2582         (JSC::ARMv7Assembler::link):
2583         (JSC::ARMv7Assembler::linkJump):
2584         (JSC::ARMv7Assembler::relinkJump):
2585         (JSC::ARMv7Assembler::repatchCompact):
2586         (JSC::ARMv7Assembler::replaceWithJump):
2587         (JSC::ARMv7Assembler::replaceWithLoad):
2588         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2589         (JSC::ARMv7Assembler::setInt32):
2590         (JSC::ARMv7Assembler::setUInt7ForLoad):
2591         (JSC::ARMv7Assembler::isB):
2592         (JSC::ARMv7Assembler::isBX):
2593         (JSC::ARMv7Assembler::isMOV_imm_T3):
2594         (JSC::ARMv7Assembler::isMOVT):
2595         (JSC::ARMv7Assembler::isNOP_T1):
2596         (JSC::ARMv7Assembler::isNOP_T2):
2597         (JSC::ARMv7Assembler::linkJumpT1):
2598         (JSC::ARMv7Assembler::linkJumpT2):
2599         (JSC::ARMv7Assembler::linkJumpT3):
2600         (JSC::ARMv7Assembler::linkJumpT4):
2601         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2602         (JSC::ARMv7Assembler::linkBX):
2603         (JSC::ARMv7Assembler::linkConditionalBX):
2604         (JSC::ARMv7Assembler::linkJumpAbsolute):
2605         * assembler/LinkBuffer.cpp:
2606         (JSC::LinkBuffer::copyCompactAndLinkCode):
2607         * assembler/MacroAssemblerARM64.h:
2608         (JSC::MacroAssemblerARM64::link):
2609         * assembler/MacroAssemblerARMv7.h:
2610         (JSC::MacroAssemblerARMv7::link):
2611         * jit/ExecutableAllocator.h:
2612         (JSC::performJITMemcpy):
2613         * jit/ExecutableAllocatorFixedVMPool.cpp:
2614         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2615         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2616         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
2617         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
2618         * runtime/Options.cpp:
2619         (JSC::recomputeDependentOptions):
2620         * runtime/Options.h:
2621
2622 2016-04-10  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Clean up how we reason about the states of AccessCases
2625         https://bugs.webkit.org/show_bug.cgi?id=156454
2626
2627         Reviewed by Mark Lam.
2628         
2629         Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
2630         That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
2631         to explore buffering AccessCases so that we can do O(N) generation work instead. But
2632         before I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
2633         I broke it down into three different states and added assertions about the transitions. I
2634         also broke out a separate operation called AccessCase::commit(), which is the work that
2635         cannot be buffered since there cannot be any JS effects between when the AccessCase was
2636         created and when we do the work in commit().
2637         
2638         This opens up a fairly obvious path to buffering AccessCases: add them to the list without
2639         regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
2640         and generated automagically. This patch doesn't implement this technique yet, but gives us
2641         an opportunity to independently test the scaffolding necessary to do it.
2642
2643         This is perf-neutral on lots of tests.
2644
2645         * bytecode/PolymorphicAccess.cpp:
2646         (JSC::AccessGenerationResult::dump):
2647         (JSC::AccessCase::clone):
2648         (JSC::AccessCase::commit):
2649         (JSC::AccessCase::guardedByStructureCheck):
2650         (JSC::AccessCase::dump):
2651         (JSC::AccessCase::generateWithGuard):
2652         (JSC::AccessCase::generate):
2653         (JSC::AccessCase::generateImpl):
2654         (JSC::PolymorphicAccess::regenerateWithCases):
2655         (JSC::PolymorphicAccess::regenerate):
2656         (WTF::printInternal):
2657         * bytecode/PolymorphicAccess.h:
2658         (JSC::AccessCase::type):
2659         (JSC::AccessCase::state):
2660         (JSC::AccessCase::offset):
2661         (JSC::AccessCase::viaProxy):
2662         (JSC::AccessCase::callLinkInfo):
2663         * bytecode/StructureStubInfo.cpp:
2664         (JSC::StructureStubInfo::addAccessCase):
2665         * bytecode/Watchpoint.h:
2666         * dfg/DFGOperations.cpp:
2667         * jit/Repatch.cpp:
2668         (JSC::repatchGetByID):
2669         (JSC::repatchPutByID):
2670         (JSC::repatchIn):
2671         * runtime/VM.cpp:
2672         (JSC::VM::dumpRegExpTrace):
2673         (JSC::VM::ensureWatchpointSetForImpureProperty):
2674         (JSC::VM::registerWatchpointForImpureProperty):
2675         (JSC::VM::addImpureProperty):
2676         * runtime/VM.h:
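
The design described in this entry and in the later buffering entry ("PolymorphicAccess should buffer AccessCases before regenerating"), as one added toy model that is not JSC's code: AccessCase carries the three states with asserted transitions and a commit() step that runs immediately, PolymorphicAccess separates addCase() from regenerate(), and StructureStubInfo keeps the set of structures it has seen and counts down at most 7 slow-path calls after buffering a case before regenerating. StructureID, slowPath(), simulate() and SimulationStats are constructed stand-ins for Structure*, the IC slow-path operations and the numbers one would gather when profiling; the eager O(N^2) cost is computed alongside for comparison.

```cpp
#include <cassert>
#include <cstddef>
#include <set>
#include <vector>

// Toy model of the buffered inline-cache design described in the two entries
// above. It is an added illustration, not JSC's code: StructureID, slowPath()
// and SimulationStats are constructed stand-ins for Structure*, the IC
// slow-path operations and the numbers a profiler would gather.
using StructureID = unsigned;

// The three states an AccessCase moves through; each transition is asserted.
enum class AccessState { Primordial, Committed, Generated };

struct AccessCase {
    StructureID structure;
    AccessState state = AccessState::Primordial;

    explicit AccessCase(StructureID s) : structure(s) {}

    // Work that cannot be buffered: it runs right after creation, before any
    // JS effects can happen.
    void commit() {
        assert(state == AccessState::Primordial);
        state = AccessState::Committed;
    }
    // Only regenerate() emits code, and only for Committed cases.
    void generate() {
        assert(state == AccessState::Committed);
        state = AccessState::Generated;
    }
};

enum class AccessGenerationResult { MadeNoChanges, Buffered, GeneratedNewCode };

struct PolymorphicAccess {
    std::vector<AccessCase> cases;  // committed cases, generated or still buffered
    std::size_t regenerations = 0;  // whole-stub regenerations so far
    std::size_t generationWork = 0; // cases emitted across all regenerations

    void addCase(AccessCase accessCase) {
        accessCase.commit();
        cases.push_back(accessCase);
    }
    void regenerate() {
        for (AccessCase& accessCase : cases) {
            if (accessCase.state == AccessState::Committed)
                accessCase.generate();
        }
        regenerations++;
        generationWork += cases.size(); // the binary switch is rebuilt over every case
    }
};

struct StructureStubInfo {
    static constexpr unsigned repatchBufferingCountdown = 7; // the option value quoted above
    std::set<StructureID> seenStructures; // guard against redundant AccessCases
    unsigned countdown = 0;               // 0 means nothing is buffered
    PolymorphicAccess access;

    // One IC slow-path call for a receiver whose structure is `s`.
    AccessGenerationResult slowPath(StructureID s) {
        bool isNew = seenStructures.insert(s).second;
        if (isNew) {
            access.addCase(AccessCase(s));
            if (countdown == 0) {
                countdown = repatchBufferingCountdown;
                return AccessGenerationResult::Buffered;
            }
        }
        if (countdown == 0)
            return AccessGenerationResult::MadeNoChanges; // the stub already covers s
        if (--countdown == 0) {
            access.regenerate(); // at most 7 slow paths after the first buffered case
            return AccessGenerationResult::GeneratedNewCode;
        }
        return isNew ? AccessGenerationResult::Buffered : AccessGenerationResult::MadeNoChanges;
    }
};

struct SimulationStats {
    std::size_t caseCount;
    std::size_t regenerations;
    std::size_t generationWork;      // buffered design
    std::size_t eagerGenerationWork; // regenerating on every addCase instead
};

// Drive one stub with `n` distinct structures, cycling through them `rounds` times.
SimulationStats simulate(unsigned n, unsigned rounds) {
    StructureStubInfo stub;
    for (unsigned r = 0; r < rounds; r++) {
        for (StructureID s = 1; s <= n; s++)
            stub.slowPath(s);
    }
    std::size_t eager = 0;
    for (std::size_t k = 1; k <= n; k++)
        eager += k; // the k-th addCase regenerated a stub holding k cases: O(n^2)
    return { stub.access.cases.size(), stub.access.regenerations,
             stub.access.generationWork, eager };
}
```

With three structures seen four times each, the stub is regenerated once over three cases instead of three times over one, two and three cases, and the seen-structure set keeps the repeated slow paths from allocating duplicate AccessCases; any attempt to generate a case that was never committed trips the state assertion.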
2677
2678 2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
2679
2680         [CMake] Make FOLDER property INHERITED
2681         https://bugs.webkit.org/show_bug.cgi?id=156460
2682
2683         Reviewed by Brent Fulgham.
2684
2685         * CMakeLists.txt:
2686         * shell/CMakeLists.txt:
2687         * shell/PlatformWin.cmake:
2688         Set the FOLDER property as a directory property, not a target property.
2689
2690 2016-04-09  Keith Miller  <keith_miller@apple.com>
2691
2692         tryGetById should be supported by the DFG/FTL
2693         https://bugs.webkit.org/show_bug.cgi?id=156378
2694
2695         Reviewed by Filip Pizlo.
2696
2697         This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
2698         TryGetById, which acts similarly to the normal GetById DFG node. One key
2699         difference between GetById and TryGetById is that in the LLInt and Baseline
2700         we do not profile the result type. This profiling is unnecessary for the current
2701         use case of tryGetById, which is expected to be a strict equality comparison
2702         against a specific object or undefined. In either case other DFG optimizations
2703         will make this equally fast with or without the profiling information.
2704
2705         Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
2706         an operand and attempt to reuse the registers for that operand if they are free
2707         after the current DFG node.
2708
2709         * bytecode/GetByIdStatus.cpp:
2710         (JSC::GetByIdStatus::computeFromLLInt):
2711         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2712         * dfg/DFGAbstractInterpreterInlines.h:
2713         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2714         * dfg/DFGByteCodeParser.cpp:
2715         (JSC::DFG::ByteCodeParser::handleGetById):
2716         (JSC::DFG::ByteCodeParser::parseBlock):
2717         * dfg/DFGCapabilities.cpp:
2718         (JSC::DFG::capabilityLevel):
2719         * dfg/DFGClobberize.h:
2720         (JSC::DFG::clobberize):
2721         * dfg/DFGDoesGC.cpp:
2722         (JSC::DFG::doesGC):
2723         * dfg/DFGFixupPhase.cpp:
2724         (JSC::DFG::FixupPhase::fixupNode):
2725         * dfg/DFGNode.h:
2726         (JSC::DFG::Node::hasIdentifier):
2727         * dfg/DFGNodeType.h:
2728         * dfg/DFGPredictionPropagationPhase.cpp:
2729         (JSC::DFG::PredictionPropagationPhase::propagate):
2730         * dfg/DFGSafeToExecute.h:
2731         (JSC::DFG::safeToExecute):
2732         * dfg/DFGSpeculativeJIT.cpp:
2733         (JSC::DFG::SpeculativeJIT::compileTryGetById):
2734         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2735         * dfg/DFGSpeculativeJIT.h:
2736         (JSC::DFG::GPRTemporary::operator=):
2737         * dfg/DFGSpeculativeJIT32_64.cpp:
2738         (JSC::DFG::SpeculativeJIT::cachedGetById):
2739         (JSC::DFG::SpeculativeJIT::compile):
2740         * dfg/DFGSpeculativeJIT64.cpp:
2741         (JSC::DFG::SpeculativeJIT::cachedGetById):
2742         (JSC::DFG::SpeculativeJIT::compile):
2743         * ftl/FTLCapabilities.cpp:
2744         (JSC::FTL::canCompile):
2745         * ftl/FTLLowerDFGToB3.cpp:
2746         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2747         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2748         (JSC::FTL::DFG::LowerDFGToB3::getById):
2749         * jit/JITOperations.cpp:
2750         * jit/JITOperations.h:
2751         * tests/stress/try-get-by-id.js:
2752         (tryGetByIdTextStrict):
2753         (get let):
2754         (let.get createBuiltin):
2755         (get throw):
2756         (getCaller.obj.1.throw.new.Error): Deleted.
2757
2758 2016-04-09  Saam barati  <sbarati@apple.com>
2759
2760         Allocation sinking SSA Defs are allowed to have replacements
2761         https://bugs.webkit.org/show_bug.cgi?id=156444
2762
2763         Reviewed by Filip Pizlo.
2764
2765         Consider the following program and the annotations that explain why
2766         the SSA defs we create in allocation sinking can have replacements.
2767
2768         function foo(a1) {
2769             let o1 = {x: 20, y: 50};
2770             let o2 = {y: 40, o1: o1};
2771             let o3 = {};
2772         
2773             // We're Defing a new variable here, call it o3_field.
2774             // o3_field is defing the value that is the result of 
2775             // a GetByOffset that gets eliminated through allocation sinking.
2776             o3.field = o1.y;
2777         
2778             dontCSE();
2779         
2780             // This control flow is here to not allow the phase to consult
2781             // its local SSA mapping (which properly handles replacements)
2782             // for the value of o3_field.
2783             if (a1) {
2784                 a1 = true; 
2785             } else {
2786                 a1 = false;
2787             }
2788         
2789             // Here, we ask for the reaching def of o3_field, and assert
2790             // it doesn't have a replacement. It does have a replacement
2791             // though. The original Def was the GetByOffset. We replaced
2792             // that GetByOffset with the value of the o1_y variable.
2793             let value = o3.field;
2794             assert(value === 50);
2795         }
2796
2797         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2798         * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
2799         (dontCSE):
2800         (assert):
2801         (foo):
2802
2803 2016-04-09  Commit Queue  <commit-queue@webkit.org>
2804
2805         Unreviewed, rolling out r199242.
2806         https://bugs.webkit.org/show_bug.cgi?id=156442
2807
2808         Caused many many leaks (Requested by ap on #webkit).
2809
2810         Reverted changeset:
2811
2812         "Web Inspector: get rid of InspectorBasicValue and
2813         InspectorString subclasses"
2814         https://bugs.webkit.org/show_bug.cgi?id=156407
2815         http://trac.webkit.org/changeset/199242
2816
2817 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
2818
2819         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
2820         https://bugs.webkit.org/show_bug.cgi?id=156406
2821
2822         Reviewed by Saam Barati.
2823
2824         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
2825         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
2826         then we need to be extra careful:
2827
2828         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
2829            the stack during GC, so that the GC keeps it alive if it's currently running.
2830         
2831         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
2832            the stub routine knows about that object independently of the IC.
2833         
2834         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
2835         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
2836         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
2837
2838         * bytecode/PolymorphicAccess.cpp:
2839         (JSC::AccessCase::alternateBase):
2840         (JSC::AccessCase::doesCalls):
2841         (JSC::AccessCase::couldStillSucceed):
2842         (JSC::AccessCase::generate):
2843         (JSC::PolymorphicAccess::regenerate):
2844         * bytecode/PolymorphicAccess.h:
2845         (JSC::AccessCase::customSlotBase):
2846         (JSC::AccessCase::isGetter):
2847         (JSC::AccessCase::doesCalls): Deleted.
2848         * jit/GCAwareJITStubRoutine.cpp:
2849         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
2850         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
2851         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
2852         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
2853         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
2854         (JSC::createJITStubRoutine):
2855         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
2856         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
2857         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
2858         * jit/GCAwareJITStubRoutine.h:
2859         (JSC::createJITStubRoutine):
2860
2861 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
2862
2863         Web Inspector: XHRs and Web Worker scripts are not searchable
2864         https://bugs.webkit.org/show_bug.cgi?id=154214
2865         <rdar://problem/24643587>
2866
2867         Reviewed by Timothy Hatcher.
2868
2869         * inspector/protocol/Page.json:
2870         Add optional requestId to search results properties and search
2871         parameters for when the frameId and url are not enough. XHR
2872         resources, and "Other" resources will use this.
2873
2874 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
2875
2876         MIPS: support Signed cond in branchTest32()
2877         https://bugs.webkit.org/show_bug.cgi?id=156260
2878
2879         This is needed since r197688 makes use of it.
2880
2881         Reviewed by Mark Lam.
2882
2883         * assembler/MacroAssemblerMIPS.h:
2884         (JSC::MacroAssemblerMIPS::branchTest32):
2885
2886 2016-04-08  Alex Christensen  <achristensen@webkit.org>
2887
2888         Progress towards running CMake WebKit2 on Mac
2889         https://bugs.webkit.org/show_bug.cgi?id=156426
2890
2891         Reviewed by Tim Horton.
2892
2893         * PlatformMac.cmake:
2894
2895 2016-04-08  Saam barati  <sbarati@apple.com>
2896
2897         Debugger may dereference m_currentCallFrame even after the VM has gone idle
2898         https://bugs.webkit.org/show_bug.cgi?id=156413
2899
2900         Reviewed by Mark Lam.
2901
2902         There is a bug where the debugger may dereference its m_currentCallFrame
2903         pointer after that pointer becomes invalid to read from. This happens like so:
2904
2905         We may step over an instruction which causes the end of execution for the
2906         current program. This causes the VM to exit. Then, we perform a GC which
2907         causes us to collect the global object. The global object being collected
2908         causes us to detach the debugger. In detaching, we think we still have a 
2909         valid m_currentCallFrame, we dereference it, and crash. The solution is to
2910         make sure we're paused when dereferencing this pointer inside ::detach().
2911
2912         * debugger/Debugger.cpp:
2913         (JSC::Debugger::detach):
2914
2915 2016-04-08  Brian Burg  <bburg@apple.com>
2916
2917         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2918         https://bugs.webkit.org/show_bug.cgi?id=156407
2919         <rdar://problem/25627659>
2920
2921         Reviewed by Timothy Hatcher.
2922
2923         There's no point having these subclasses as they don't save any space.
2924         Add m_stringValue to the union and merge some implementations of writeJSON.
2925         Move uses of the subclass to InspectorValue and delete redundant methods.
2926         Now, most InspectorValue methods are non-virtual so they can be templated.
2927
2928         * bindings/ScriptValue.cpp:
2929         (Deprecated::jsToInspectorValue):
2930         * inspector/InjectedScriptBase.cpp:
2931         (Inspector::InjectedScriptBase::makeCall):
2932         Don't use deleted subclasses.
2933
2934         * inspector/InspectorValues.cpp:
2935         (Inspector::InspectorValue::null):
2936         (Inspector::InspectorValue::create):
2937         (Inspector::InspectorValue::asValue):
2938         (Inspector::InspectorValue::asBoolean):
2939         (Inspector::InspectorValue::asDouble):
2940         (Inspector::InspectorValue::asInteger):
2941         (Inspector::InspectorValue::asString):
2942         These only need one implementation now.
2943
2944         (Inspector::InspectorValue::writeJSON):
2945         Still a virtual method since Object and Array need their members.
2946
2947         (Inspector::InspectorObjectBase::InspectorObjectBase):
2948         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2949         (Inspector::InspectorBasicValue::asDouble): Deleted.
2950         (Inspector::InspectorBasicValue::asInteger): Deleted.
2951         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2952         (Inspector::InspectorString::asString): Deleted.
2953         (Inspector::InspectorString::writeJSON): Deleted.
2954         (Inspector::InspectorString::create): Deleted.
2955         (Inspector::InspectorBasicValue::create): Deleted.
2956
2957         * inspector/InspectorValues.h:
2958         (Inspector::InspectorObjectBase::setBoolean):
2959         (Inspector::InspectorObjectBase::setInteger):
2960         (Inspector::InspectorObjectBase::setDouble):
2961         (Inspector::InspectorObjectBase::setString):
2962         (Inspector::InspectorArrayBase::pushBoolean):
2963         (Inspector::InspectorArrayBase::pushInteger):
2964         (Inspector::InspectorArrayBase::pushDouble):
2965         (Inspector::InspectorArrayBase::pushString):
2966         Use new factory methods.
2967
2968         * replay/EncodedValue.cpp:
2969         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2970         (JSC::ScalarEncodingTraits<double>::encodeValue):
2971         (JSC::ScalarEncodingTraits<float>::encodeValue):
2972         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2973         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2974         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2975         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2976         * replay/EncodedValue.h:
2977         Use new factory methods.
2978
2979 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
2980
2981         Add IC support for arguments.length
2982         https://bugs.webkit.org/show_bug.cgi?id=156389
2983
2984         Reviewed by Geoffrey Garen.
2985         
2986         This adds support for caching accesses to arguments.length for both DirectArguments and
2987         ScopedArguments. In strict mode, we already cached these accesses since they were just
2988         normal properties.
2989
2990         Amazingly, we also already supported caching of overridden arguments.length in both
2991         DirectArguments and ScopedArguments. This is because when you override, the property gets
2992         materialized as a normal JS property and the structure is changed.
2993         
2994         This patch painstakingly preserves our previous caching of overridden length while
2995         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
2996         the case where it could either be overridden or not, since we just end up with an AccessCase
2997         for each and they cascade to each other.
2998
2999         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
3000         Entirely monomorphic accesses were already handled by the DFG.
3001
3002         * bytecode/PolymorphicAccess.cpp:
3003         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3004         (JSC::AccessCase::guardedByStructureCheck):
3005         (JSC::AccessCase::generateWithGuard):
3006         (JSC::AccessCase::generate):
3007         (WTF::printInternal):
3008         * bytecode/PolymorphicAccess.h:
3009         * jit/ICStats.h:
3010         * jit/JITOperations.cpp:
3011         * jit/Repatch.cpp:
3012         (JSC::tryCacheGetByID):
3013         (JSC::tryCachePutByID):
3014         (JSC::tryRepatchIn):
3015         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
3016         (args):
3017         (foo):
3018         (result.foo):
3019
3020 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
3021
3022         UInt32ToNumber should have an Int52 path
3023         https://bugs.webkit.org/show_bug.cgi?id=125704
3024
3025         Reviewed by Filip Pizlo.
3026
3027         When dealing with big numbers, fall back to Int52 instead
3028         of double when possible.
3029
3030         * dfg/DFGAbstractInterpreterInlines.h:
3031         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3032         * dfg/DFGFixupPhase.cpp:
3033         (JSC::DFG::FixupPhase::fixupNode):
3034         * dfg/DFGPredictionPropagationPhase.cpp:
3035         (JSC::DFG::PredictionPropagationPhase::propagate):
3036         * dfg/DFGSpeculativeJIT.cpp:
3037         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
3038         * ftl/FTLLowerDFGToB3.cpp:
3039         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
3040
3041 2016-04-08  Brian Burg  <bburg@apple.com>
3042
3043         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
3044         https://bugs.webkit.org/show_bug.cgi?id=156275
3045         <rdar://problem/25569331>
3046
3047         Reviewed by Darin Adler.
3048
3049         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
3050
3051         * inspector/scripts/codegen/models.py:
3052         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
3053         (TypeReference.referenced_name): Update comment.
3054
3055         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
3056
3057         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
3058         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
3059         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
3060
3061 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3062
3063         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
3064         https://bugs.webkit.org/show_bug.cgi?id=156384
3065
3066         Reviewed by Ryosuke Niwa.
3067
3068         * Configurations/FeatureDefines.xcconfig:
3069         * features.json: Mark as Done.
3070         * parser/Parser.cpp:
3071         (JSC::Parser<LexerType>::parseExportDeclaration):
3072         (JSC::Parser<LexerType>::parseStatementListItem):
3073         (JSC::Parser<LexerType>::parsePrimaryExpression):
3074         (JSC::Parser<LexerType>::parseMemberExpression):
3075
3076 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
3077
3078         Implementing caching transition puts that need to reallocate with indexing storage
3079         https://bugs.webkit.org/show_bug.cgi?id=130914
3080
3081         Reviewed by Saam Barati.
3082
3083         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
3084         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
3085         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
3086         triggering a barrier.
3087
3088         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
3089         do it now because the hard work is hidden under AccessGenerationState methods. This means
3090         that custom accessors now share logic with put_by_id transitions.
3091
3092         * bytecode/PolymorphicAccess.cpp:
3093         (JSC::AccessGenerationState::succeed):
3094         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3095         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3096         (JSC::AccessGenerationState::originalCallSiteIndex):
3097         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3098         (JSC::AccessCase::AccessCase):
3099         (JSC::AccessCase::transition):
3100         (JSC::AccessCase::generate):
3101         (JSC::PolymorphicAccess::regenerate):
3102         * bytecode/PolymorphicAccess.h:
3103         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3104         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3105         * dfg/DFGOperations.cpp:
3106         * dfg/DFGOperations.h:
3107         * jit/JITOperations.cpp:
3108         * jit/JITOperations.h:
3109
3110 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3111
3112         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
3113         https://bugs.webkit.org/show_bug.cgi?id=156380
3114         <rdar://problem/25323727>
3115
3116         Reviewed by Timothy Hatcher.
3117
3118         * inspector/remote/RemoteInspector.mm:
3119         (Inspector::RemoteInspector::updateTarget):
3120         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
3121         When a target has been updated and it no longer generates a listing,
3122         we should remove the old listing as that is now stale and should
3123         not be sent. Not generating a listing means this target is no
3124         longer allowed to be debugged.
3125
3126 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3127
3128         Web Inspector: Not necessary to validate webinspectord connection on iOS
3129         https://bugs.webkit.org/show_bug.cgi?id=156377
3130         <rdar://problem/25612460>
3131
3132         Reviewed by Simon Fraser.
3133
3134         * inspector/remote/RemoteInspectorXPCConnection.h:
3135         * inspector/remote/RemoteInspectorXPCConnection.mm:
3136         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3137
3138 2016-04-07  Keith Miller  <keith_miller@apple.com>
3139
3140         Rename ArrayMode::supportsLength to supportsSelfLength
3141         https://bugs.webkit.org/show_bug.cgi?id=156374
3142
3143         Reviewed by Filip Pizlo.
3144
3145         The name supportsLength is confusing because TypedArrays have a
3146         length function; however, it is on the prototype and not on the
3147         instance. supportsSelfLength makes more sense since we use the
3148         function during fixup to tell if we can intrinsic the length
3149         property lookup on self accesses.
3150
3151         * dfg/DFGArrayMode.h:
3152         (JSC::DFG::ArrayMode::supportsSelfLength):
3153         (JSC::DFG::ArrayMode::supportsLength): Deleted.
3154         * dfg/DFGFixupPhase.cpp:
3155         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3156
3157 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3158
3159         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
3160         https://bugs.webkit.org/show_bug.cgi?id=156371
3161
3162         Reviewed by Timothy Hatcher.
3163
3164         * inspector/protocol/ScriptProfiler.json:
3165         Clarify that these locations are 1-based.
3166
3167 2016-04-07  Jon Davis  <jond@apple.com>
3168
3169         Add Web Animations API to Feature Status Page
3170         https://bugs.webkit.org/show_bug.cgi?id=156360
3171
3172         Reviewed by Timothy Hatcher.
3173
3174         * features.json:
3175
3176 2016-04-07  Saam barati  <sbarati@apple.com>
3177
3178         Invalid assertion inside DebuggerScope::getOwnPropertySlot
3179         https://bugs.webkit.org/show_bug.cgi?id=156357
3180
3181         Reviewed by Keith Miller.
3182
3183         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
3184         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
3185         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
3186         might not always be in a valid state when its getOwnPropertySlot method is called.
3187         Therefore, the assertion is invalid.
3188
3189         * debugger/DebuggerScope.cpp:
3190         (JSC::DebuggerScope::getOwnPropertySlot):
3191
3192 2016-04-07  Saam barati  <sbarati@apple.com>
3193
3194         Initial implementation of annex b.3.3 behavior was incorrect
3195         https://bugs.webkit.org/show_bug.cgi?id=156276
3196
3197         Reviewed by Keith Miller.
3198
3199         I almost got annex B.3.3 correct in my first implementation.
3200         There is a subtlety here I got wrong. We always create a local binding for
3201         a function at the very beginning of execution of a block scope. So we
3202         hoist function declarations to their local binding within a given
3203         block scope. When we actually evaluate the function declaration statement
3204         itself, we must lookup the binding in the current scope, and bind the
3205         value to the binding in the "var" scope. We perform the following
3206         abstract operations when executing a function declaration statement.
3207
3208         f = lookupBindingInCurrentScope("func")
3209         store(varScope, "func", f)
3210
3211         I got this wrong by performing the store to the var binding at the beginning
3212         of the block scope instead of when we evaluate the function declaration statement.
3213         This behavior is observable. For example, a program could change the value
3214         of "func" before the actual function declaration statement executes.
3215         Consider the following two functions:
3216         ```
3217         function foo1() {
3218             // func === undefined
3219             {
3220                 // typeof func === "function"
3221                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3222                 func = 20 // This sets the local "func" binding to 20.
3223             }
3224             // typeof func === "function"
3225         }
3226
3227         function foo2() {
3228             // func === undefined
3229             {
3230                 // typeof func === "function"
3231                 func = 20 // This sets the local "func" binding to 20.
3232                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3233             }
3234             // func === 20
3235         }
3236         ```
3237
3238         * bytecompiler/BytecodeGenerator.cpp:
3239         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
3240         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
3241         * bytecompiler/BytecodeGenerator.h:
3242         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
3243         * bytecompiler/NodesCodegen.cpp:
3244         (JSC::FuncDeclNode::emitBytecode):
3245         * tests/stress/sloppy-mode-function-hoisting.js:
3246         (test.foo):
3247         (test):
3248         (test.):
3249         (test.bar):
3250         (test.switch.case.0):
3251         (test.capFoo1):
3252         (test.switch.capFoo2):
3253         (test.outer):
3254         (foo):
3255
3256 2016-04-07  Alex Christensen  <achristensen@webkit.org>
3257
3258         Build fix after r199170
3259
3260         * CMakeLists.txt:
3261
3262 2016-04-07  Keith Miller  <keith_miller@apple.com>
3263
3264         We should support the ability to do a non-effectful getById
3265         https://bugs.webkit.org/show_bug.cgi?id=156116
3266
3267         Reviewed by Benjamin Poulain.
3268
3269         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
3270         useful because it enables us to take different code paths based on values that we would
3271         otherwise not be able to have knowledge of. This patch adds this new feature called
3272         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
3273         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
3274         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
3275         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
3276         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
3277         the global object that indicates we could not get the result.
3278
3279         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
3280         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
3281         get_by_id the same way we would for load and return the value at the appropriate offset.
3282         Additionally, in order to make sure that we can properly compare the GetterSetter object
3283         with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
3284         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
3285         likely to have little to no impact on memory usage as normal accessors are generally rare.
3286
3287         * JavaScriptCore.xcodeproj/project.pbxproj:
3288         * builtins/BuiltinExecutableCreator.cpp: Added.
3289         (JSC::createBuiltinExecutable):
3290         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
3291         * builtins/BuiltinExecutables.cpp:
3292         (JSC::BuiltinExecutables::createDefaultConstructor):
3293         (JSC::BuiltinExecutables::createBuiltinExecutable):
3294         (JSC::createBuiltinExecutable):
3295         (JSC::BuiltinExecutables::createExecutable):
3296         (JSC::createExecutableInternal): Deleted.
3297         * builtins/BuiltinExecutables.h:
3298         * bytecode/BytecodeIntrinsicRegistry.h:
3299         * bytecode/BytecodeList.json:
3300         * bytecode/BytecodeUseDef.h:
3301         (JSC::computeUsesForBytecodeOffset):
3302         (JSC::computeDefsForBytecodeOffset):
3303         * bytecode/CodeBlock.cpp:
3304         (JSC::CodeBlock::dumpBytecode):
3305         * bytecode/PolymorphicAccess.cpp:
3306         (JSC::AccessCase::tryGet):
3307         (JSC::AccessCase::generate):
3308         (WTF::printInternal):
3309         * bytecode/PolymorphicAccess.h:
3310         (JSC::AccessCase::isGet): Deleted.
3311         (JSC::AccessCase::isPut): Deleted.
3312         (JSC::AccessCase::isIn): Deleted.
3313         * bytecode/StructureStubInfo.cpp:
3314         (JSC::StructureStubInfo::reset):
3315         * bytecode/StructureStubInfo.h:
3316         * bytecompiler/BytecodeGenerator.cpp:
3317         (JSC::BytecodeGenerator::emitTryGetById):
3318         * bytecompiler/BytecodeGenerator.h:
3319         * bytecompiler/NodesCodegen.cpp:
3320         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
3321         * dfg/DFGSpeculativeJIT32_64.cpp:
3322         (JSC::DFG::SpeculativeJIT::cachedGetById):
3323         * dfg/DFGSpeculativeJIT64.cpp:
3324         (JSC::DFG::SpeculativeJIT::cachedGetById):
3325         * ftl/FTLLowerDFGToB3.cpp:
3326         (JSC::FTL::DFG::LowerDFGToB3::getById):
3327         * jit/JIT.cpp:
3328         (JSC::JIT::privateCompileMainPass):
3329         (JSC::JIT::privateCompileSlowCases):
3330         * jit/JIT.h:
3331         * jit/JITInlineCacheGenerator.cpp:
3332         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3333         * jit/JITInlineCacheGenerator.h:
3334         * jit/JITInlines.h:
3335         (JSC::JIT::callOperation):
3336         * jit/JITOperations.cpp:
3337         * jit/JITOperations.h:
3338         * jit/JITPropertyAccess.cpp:
3339         (JSC::JIT::emitGetByValWithCachedId):
3340         (JSC::JIT::emit_op_try_get_by_id):
3341         (JSC::JIT::emitSlow_op_try_get_by_id):
3342         (JSC::JIT::emit_op_get_by_id):
3343         * jit/JITPropertyAccess32_64.cpp:
3344         (JSC::JIT::emitGetByValWithCachedId):
3345         (JSC::JIT::emit_op_try_get_by_id):
3346         (JSC::JIT::emitSlow_op_try_get_by_id):
3347         (JSC::JIT::emit_op_get_by_id):
3348         * jit/Repatch.cpp:
3349         (JSC::repatchByIdSelfAccess):
3350         (JSC::appropriateOptimizingGetByIdFunction):
3351         (JSC::appropriateGenericGetByIdFunction):
3352         (JSC::tryCacheGetByID):
3353         (JSC::repatchGetByID):
3354         (JSC::resetGetByID):
3355         * jit/Repatch.h:
3356         * jsc.cpp:
3357         (GlobalObject::finishCreation):
3358         (functionGetGetterSetter):
3359         (functionCreateBuiltin):
3360         * llint/LLIntData.cpp:
3361         (JSC::LLInt::Data::performAssertions):
3362         * llint/LLIntSlowPaths.cpp:
3363         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3364         * llint/LLIntSlowPaths.h:
3365         * llint/LowLevelInterpreter.asm:
3366         * runtime/GetterSetter.cpp:
3367         * runtime/GetterSetter.h:
3368         * runtime/JSType.h:
3369         * runtime/PropertySlot.cpp:
3370         (JSC::PropertySlot::getPureResult):
3371         * runtime/PropertySlot.h:
3372         * runtime/ProxyObject.cpp:
3373         (JSC::ProxyObject::getOwnPropertySlotCommon):
3374         * tests/stress/try-get-by-id.js: Added.