[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-20  Brady Eidson  <beidson@apple.com>

        Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
        https://bugs.webkit.org/show_bug.cgi?id=156782

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-04-20  Saam barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't an Octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there are only 128 FLS indices compared to over 1000 for TLS,
        I eliminated the thread specific m_threadSpecificForThread and instead we look
        for the current thread in the m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-misses.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is:
        1) Order of Reg.
        2) Order of offsets.
        We already generate the list in order.

        Also allocate the right array size ahead of filling the array.

        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort): Deleted.
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::append): Deleted.

2016-04-19  Saam barati  <sbarati@apple.com>

        Add a couple UNLIKELY macros in parseMemberExpression
        https://bugs.webkit.org/show_bug.cgi?id=156775

        Reviewed by Filip Pizlo.

        These UNLIKELY macros have to do with the base of the
        member expression being 'super'. I think it's safe to
        argue that this is truly UNLIKELY. I am seeing speedups
        sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-19  Saam barati  <sbarati@apple.com>

        allow jsc shell to dump sampling profiler data
        https://bugs.webkit.org/show_bug.cgi?id=156725

        Reviewed by Benjamin Poulain.

        This patch adds a '--reportSamplingProfilerData' option to the
        JSC shell which will enable the sampling profiler and dump
        its data at the end of execution. The dump will include the
        40 hottest functions and the 80 hottest bytecode locations.
        If you're using this option to debug, it's easy to just hack
        on the code to make it dump more or less information.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
        (JSC::SamplingProfiler::setStopWatch):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Changed the esSpecIsRegExpObject() implementation to check if the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Replace $vm.printValue() with $vm.value().
        https://bugs.webkit.org/show_bug.cgi?id=156767

        Reviewed by Saam Barati.

        When debugging with $vm, this change allows us to do this:

            $vm.print("myObj = " + $vm.value(myObj) + "\n");

        ... instead of having to do this:

            $vm.print("myObj = ");
            $vm.printValue(myObj);
            $vm.print("\n");

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::functionValue):
        (JSC::JSDollarVMPrototype::finishCreation):
        (JSC::functionPrintValue): Deleted.

2016-04-18  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by ggaren.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199726.
        https://bugs.webkit.org/show_bug.cgi?id=156748

        WebKit tests crash on Windows 32 (Requested by msaboff on
        #webkit).

        Reverted changeset:

        "iTunes crashing JavaScriptCore.dll"
        https://bugs.webkit.org/show_bug.cgi?id=156647
        http://trac.webkit.org/changeset/199726

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Saam Barati.

        Given that there are only 128 FLS indices compared to over 1000 for TLS, I
        eliminated the thread specific m_threadSpecificForThread and instead we look for the
        current thread in the m_registeredThreads list when we need it.  In most cases there
        will only be one thread.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [INTL] Use @thisNumberValue instead of `instanceof @Number`
        https://bugs.webkit.org/show_bug.cgi?id=156680

        Reviewed by Saam Barati.

        Use @thisNumberValue instead of `instanceof @Number`.
        `instanceof @Number` is not enough.
        For example, given two realms, an object created in one realm does not
        inherit from the Number of another realm.
        Another example is an object which does not inherit from Number:

        ```
        var number = new Number(42);
        number.__proto__ = null;
        ```

        * builtins/NumberPrototype.js:
        (toLocaleString):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncValueOf):
        * runtime/NumberPrototype.h:
        * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
        (shouldBe):

2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199712.
        https://bugs.webkit.org/show_bug.cgi?id=156741

        It caused a serious regression on 32 bit platform (Requested
        by gskachkov on #webkit).

        Reverted changeset:

        "calling super() a second time in a constructor should throw"
        https://bugs.webkit.org/show_bug.cgi?id=151113
        http://trac.webkit.org/changeset/199712

2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati and Keith Miller.

        Currently, our implementation checks if 'super()' was called in a constructor more
        than once and raises a RuntimeError before the second call. According to the spec
        we need to raise an error just after the second super() is finished and before
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
        To implement this behavior this patch adds a new op code, op_is_empty, that is used
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

2016-04-18  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix some overhead affecting small codegen
        https://bugs.webkit.org/show_bug.cgi?id=156728

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::random):
        cryptographicallyRandomNumber() is very costly.
        We only need it in lowering some very particular cases
        of non-trusted immediates. No inline cache needs that.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addSlowCase):
        Do not copy the JumpList to access its elements.

2016-04-18  Saam barati  <sbarati@apple.com>

        implement dynamic scope accesses in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=156567

        Reviewed by Geoffrey Garen.

        This patch adds dynamic scope operations to the DFG/FTL.
        This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
        When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
        resolve type, we will compile dynamic scope resolution nodes. When we encounter
        a resolve type that needs var injection checks and the var injection
        watchpoint has already been fired, we will compile dynamic scope resolution
        nodes.

        This patch also adds a new value to the InitializationMode enum: ConstInitialization.
        There was a subtle bug where we used to never compile the var injection variant of the
        resolve type for an eval that injected a var where there was also a global lexical variable with the same name.
        For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled
        with var injection checks if there was global let/const variable named "foo".
        So there was the potential for the injected var to store to the GlobalLexicalObject.
        I found this bug because my initial implementation in the DFG/FTL ran into it.
        The reason this bug existed is because when we compile a const initialization,
        we never need a var injections check. The const initialization always
        knows where to store its value. This same logic leaked into the above eval's
        "var foo = 20" store. This new enum value allows us to distinguish const
        initialization stores from non-const initialization stores.

        (I also changed InitializationMode to be an enum class instead of an enum).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::initializationModeForAssignmentContext):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        (JSC::AssignmentElementNode::bindValue):
        (JSC::RestParameterNode::emit):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::promoteToConstant):
        (JSC::DFG::ByteCodeParser::needsDynamicLookup):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::identifierNumber):
        (JSC::DFG::Node::hasGetPutInfo):
        (JSC::DFG::Node::getPutInfo):
        (JSC::DFG::Node::hasAccessorAttributes):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
        (JSC::DFG::SpeculativeJIT::compileResolveScope):
        (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/GetPutInfo.h:
        (JSC::resolveModeName):
        (JSC::initializationModeName):
        (JSC::isInitialization):
        (JSC::makeType):
        (JSC::GetPutInfo::GetPutInfo):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        Disable AVX.

        Rubber stamped by Benjamin Poulain.

        AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
        will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
        instruction subset.

        This fixes a massive regression on some real code.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::supportsAVX):
        (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        ToThis should have a fast path based on type info flags
        https://bugs.webkit.org/show_bug.cgi?id=156712

        Reviewed by Geoffrey Garen.

        Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
        that would take slow path if the argument was not a final object. We'd end up taking that slow path
        a lot.

        This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
        to test this flag. This is a sub-1% speed-up on SunSpider and Octane.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesGetOwnPropertySlot):
        (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::overridesToThis):
        (JSC::TypeInfo::overridesGetPropertyNames):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::getOwnPropertySlotIsImpure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/Symbol.h:

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        Check to see how the perf bots react to megamorphic load being disabled.

        Rubber stamped by Chris Dumez.

        * runtime/Options.h:

2016-04-18  Keith Miller  <keith_miller@apple.com>

        We should support delete in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=156607

        Reviewed by Benjamin Poulain.

        This patch adds support for the delete in the DFG as it appears that
        some major frameworks use the operation in particularly hot functions.
        As a result, even if the function rarely ever calls delete we would never
        tier up to the DFG. This patch also changes operationDeleteById to take a
        UniquedStringImpl and return a size_t.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):

2016-04-17  Filip Pizlo  <fpizlo@apple.com>

        FTL should pin the tag registers at inline caches
        https://bugs.webkit.org/show_bug.cgi?id=156678

        Reviewed by Saam Barati.

        This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
        being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.

        This removes those materializations. This should reduce the amount of code generated in inline caches
        and it should make inline caches faster. The effect appears to be small.

        It may be that after this change, we'll even be able to kill the
773         HaveTagRegisters/DoNotHaveTagRegisters logic.
774
775         * bytecode/PolymorphicAccess.cpp:
776         (JSC::AccessCase::generateWithGuard):
777         (JSC::AccessCase::generateImpl):
778         * ftl/FTLLowerDFGToB3.cpp:
779         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
780         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
781         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
782         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
783         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
784         (JSC::FTL::DFG::LowerDFGToB3::getById):
785         * jit/Repatch.cpp:
786         (JSC::readCallTarget):
787         (JSC::linkPolymorphicCall):
788         * jit/ThunkGenerators.cpp:
789         (JSC::virtualThunkFor):
790
791 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
792
793         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
794         https://bugs.webkit.org/show_bug.cgi?id=156576
795
796         Reviewed by Saam Barati.
797
798         This is a slight generator fix in ES7. When calling generator.throw(),
799         the yield-star should call the throw() of the inner generator. At that
800         time, when the result of throw() is { done: true }, the generator should
801         not stop itself.
802
803             function * gen()
804             {
805                 yield * (function * () {
806                     try {
807                         yield 42;
808                     } catch (error) { }
809                 }());
810                 // Continue executing.
811                 yield 42;
812             }
813
814             let g = gen();
815             g.next();
816             shouldBe(g.throw().value, 42);
817
818
819         * builtins/GeneratorPrototype.js:
820         (generatorResume):
821         (next):
822         (return):
823         (throw):
824         * bytecode/BytecodeIntrinsicRegistry.cpp:
825         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
826         * bytecode/BytecodeIntrinsicRegistry.h:
827         * bytecompiler/BytecodeGenerator.cpp:
828         (JSC::BytecodeGenerator::emitDelegateYield):
829         * runtime/JSGeneratorFunction.h:
830         * tests/stress/generator-yield-star.js:
831         (gen):
832         * tests/stress/yield-star-throw-continue.js: Added.
833         (shouldBe):
834         (generator):
835         (shouldThrow):
836
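The delegation rule described in this entry, worked through as an added example that is not part of the ChangeLog or of WebKit's code. It pairs the entry's catching inner generator with a non-catching one so both outcomes of a forwarded throw() are visible; the generator names and the injected Error are constructed for the illustration.

```javascript
// Added example (not WebKit's code): the yield* delegation rule the entry above
// fixes. When the outer generator's throw() is forwarded to the inner iterator
// and the inner iterator answers { done: true }, the outer generator must keep
// running after the yield* expression instead of finishing itself.

function* innerCatching() {
    try {
        yield 42;
    } catch (error) {
        // The injected exception is swallowed, so this generator completes
        // normally and its throw() call yields { value: undefined, done: true }.
    }
}

function* innerNotCatching() {
    yield 42; // no try/catch: an injected exception propagates to the delegator
}

function* outer(inner) {
    yield* inner();
    // Reached once the inner iterator reports done: true, whether via next()
    // or via a forwarded throw().
    yield 42;
    return "outer finished";
}

// The inner generator catches the thrown value: the delegating generator
// continues with its own `yield 42`.
function delegatedThrowContinues() {
    const g = outer(innerCatching);
    g.next(); // suspended inside innerCatching at `yield 42`
    const afterThrow = g.throw(new Error("injected")); // constructed exception
    const last = g.next();
    return { afterThrow, last };
}

// The inner generator does not catch: the exception surfaces from g.throw()
// and the delegating generator is finished afterwards.
function delegatedThrowPropagates() {
    const g = outer(innerNotCatching);
    g.next();
    let thrown = null;
    try {
        g.throw(new Error("injected"));
    } catch (error) {
        thrown = error.message;
    }
    const last = g.next();
    return { thrown, last };
}
```

`delegatedThrowContinues()` returns `{ value: 42, done: false }` from the throw() call, which is exactly the `shouldBe(g.throw().value, 42)` check in the entry's test; the second function shows that an uncaught injected exception still terminates the delegating generator.
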
837 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
838
839         Fix incorrect assumption that APPLE implies Mac.
840         https://bugs.webkit.org/show_bug.cgi?id=156683
841     
842         Addresses build failure introduced in r199094
843
844         Reviewed by Alex Christensen.
845
846         * CMakeLists.txt:
847
848 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
849
850         [JSC] ReduceDoubleToFloat should work across Phis
851         https://bugs.webkit.org/show_bug.cgi?id=156603
852         <rdar://problem/25736205>
853
854         Reviewed by Saam Barati and Filip Pizlo.
855
856         This patch extends B3's ReduceDoubleToFloat phase to work across
857         Upsilon-Phis. This is important to optimize loops and some crazy cases.
858
859         In its simplest form, we can have conversion propagated from something
860         like this:
861             Double @1 = Phi()
862             Float @2 = DoubleToFloat(@1)
863
864         When that happens, we just need to propagate that the result only
865         needs float precision across all values coming to this Phi.
866
867
868         There are more complicated cases when the value produced is effectively Float
869         but the user of the value does not do DoubleToFloat.
870
871         Typically, we have something like:
872             #1
873                 @1 = ConstDouble(1)
874                 @2 = Upsilon(@1, ^5)
875             #2
876                 @3 = FloatToDouble(@x)
877                 @4 = Upsilon(@3, ^5)
878             #3
879                 @5 = Phi()
880                 @6 = Add(@5, @somethingFloat)
881                 @7 = DoubleToFloat(@6)
882
883         Here we have a Phi-Upsilon that is a Double but can be represented
884         as Float without loss of precision.
885
886         It is valuable to convert such Phis to float if and only if the value
887         is used as float. Otherwise, you may be just adding useless conversions
888         (for example, two double constants that flow into a double Add should not
889         turn into two float constants flowing into a FloatToDouble then Add).
890
891
892         ReduceDoubleToFloat does two analysis passes to gather the necessary
893         meta information. Then we have a simplify() phase to actually reduce
894         operations. Finally, the cleanup() pass puts the graph into a valid
895         state again.
896
897         The two analysis passes work by disproving that something is float.
898         -findCandidates() accumulates anything used as Double.
899         -findPhisContainingFloat() accumulates phis that would lose precision
900          by converting the input to float.
901
902         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
903         by ~2.8% (on Haswell).
904
905         * b3/B3ReduceDoubleToFloat.cpp:
906         (JSC::B3::reduceDoubleToFloat):
907         * b3/testb3.cpp:
908         (JSC::B3::testCompareTwoFloatToDouble):
909         (JSC::B3::testCompareOneFloatToDouble):
910         (JSC::B3::testCompareFloatToDoubleThroughPhi):
911         (JSC::B3::testDoubleToFloatThroughPhi):
912         (JSC::B3::testDoubleProducerPhiToFloatConversion):
913         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
914         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
915         (JSC::B3::testStoreDoubleConstantAsFloat):
916         (JSC::B3::run):
917         * tests/stress/double-compare-to-float.js: Added.
918         (canSimplifyToFloat):
919         (canSimplifyToFloatWithConstant):
920         (cannotSimplifyA):
921         (cannotSimplifyB):
922         * tests/stress/double-to-float.js: Added.
923         (upsilonReferencingItsPhi):
924         (upsilonReferencingItsPhiAllFloat):
925         (upsilonReferencingItsPhiWithoutConversion):
926         (conversionPropagages):
927         (chainedUpsilonBothConvert):
928         (chainedUpsilonFirstConvert):
929
930 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
931
932         [ES6] Use @isObject to check Object Type instead of using instanceof
933         https://bugs.webkit.org/show_bug.cgi?id=156676
934
935         Reviewed by Darin Adler.
936
937         Use @isObject instead of `instanceof @Object`.
938         The `instanceof` check is not enough to check Object Type.
939         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
940         Another example is an object which does not inherit from Object.
941         This object can be easily created by calling `Object.create(null)`.
942
943         * builtins/RegExpPrototype.js:
944         (match):
945         * jsc.cpp:
946         (GlobalObject::finishCreation):
947         (functionCreateGlobalObject):
948         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
949         (shouldBe):
950         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
951         (shouldBe):
952         (regexp.exec):
953
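The two failure cases of `instanceof @Object` named in this entry, shown from script as an added example that is not part of the ChangeLog or of WebKit's code. The `isObject` helper is an assumed stand-in with the semantics of an ECMAScript Type(value) check, and the cross-realm object is simulated with a constructed prototype object rather than a real second realm.

```javascript
// Added example (not WebKit's code): why `instanceof @Object` is not a
// reliable "is this an object?" test, next to a typeof-based check with the
// semantics the entry above wants from @isObject. The cross-realm case is
// simulated with a constructed prototype object, since a real second realm
// needs an iframe or a separate script context.

// ECMAScript Type(value) is Object for every non-null object and every function.
function isObject(value) {
    return (typeof value === "object" && value !== null) || typeof value === "function";
}

// The check the entry replaces: only true when our realm's Object.prototype is
// somewhere on the value's prototype chain.
function isObjectViaInstanceof(value) {
    return value instanceof Object;
}

// Case 1: an object with no prototype at all.
const nullPrototypeObject = Object.create(null);
nullPrototypeObject.lastIndex = 0;

// Case 2 (constructed stand-in for another realm): an object whose chain ends
// at a different "Object.prototype" object, as happens for objects created in
// another frame or context.
const otherRealmObjectPrototype = Object.create(null);
const otherRealmLikeObject = Object.create(otherRealmObjectPrototype);

// Runs both checks over representative values and returns the comparison.
function compareObjectChecks() {
    const samples = {
        plainObject: {},
        nullPrototypeObject,
        otherRealmLikeObject,
        aFunction: function () {},
        nullValue: null,
        aString: "not an object",
        aNumber: 1,
    };
    const report = {};
    for (const [name, value] of Object.entries(samples))
        report[name] = { viaInstanceof: isObjectViaInstanceof(value), viaTypeof: isObject(value) };
    return report;
}

// Sketch of the builtin's guard: a RegExp-match-style receiver check. With the
// instanceof variant, the two legitimate objects above are wrongly rejected.
function requireObjectReceiver(receiver, check) {
    if (!check(receiver))
        throw new TypeError("receiver must be an object");
    return true;
}
```

The report makes the asymmetry explicit: `typeof` agrees with `instanceof` on plain objects, functions, null and primitives, and differs only on the null-prototype and foreign-prototype objects, which is precisely where a builtin written with `instanceof @Object` would throw on valid input.
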
954 2016-04-17  Darin Adler  <darin@apple.com>
955
956         Remove more uses of Deprecated::ScriptXXX
957         https://bugs.webkit.org/show_bug.cgi?id=156660
958
959         Reviewed by Antti Koivisto.
960
961         * bindings/ScriptFunctionCall.cpp:
962         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
963         unneeded overloads that take a ScriptObject and ScriptValue.
964         * bindings/ScriptFunctionCall.h: Ditto.
965
966         * bindings/ScriptObject.h: Added operator so this can change
967         itself into a JSObject*. Helps while phasing this class out.
968
969         * bindings/ScriptValue.h: Export toInspectorValue so it can be
970         used in WebCore.
971
972         * inspector/InjectedScriptManager.cpp:
973         (Inspector::InjectedScriptManager::createInjectedScript): Changed
974         return value from Deprecated::ScriptObject to JSObject*.
975         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
976         the return value change above.
977         * inspector/InjectedScriptManager.h: Ditto.
978
979 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
980
981         [JSC] DFG should support relational comparisons of Number and Other
982         https://bugs.webkit.org/show_bug.cgi?id=156669
983
984         Reviewed by Darin Adler.
985
986         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
987         relational compare because profiling sees "undefined" from time to time.
988
989         This case is fairly common outside Sunspider too because of out-of-bounds array access.
990         Unfortunately for us, our fallback for compare is really inefficient.
991
992         Fortunately, relational comparisons with null/undefined/true/false are trivial.
993         We can just convert both sides to Double. That's what this patch adds.
994
995         I also extended constant folding for those cases because I noticed
996         a bunch of "undefined" constants going through DoubleRep at runtime.
997
998         * dfg/DFGAbstractInterpreterInlines.h:
999         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1000         * dfg/DFGFixupPhase.cpp:
1001         (JSC::DFG::FixupPhase::fixupNode):
1002         * tests/stress/compare-number-and-other.js: Added.
1003         (opaqueSideEffect):
1004         (let.operator.of.operators.eval.testPolymorphic):
1005         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
1006         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
1007         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
1008         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
1009
1010 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
1011
1012         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
1013         https://bugs.webkit.org/show_bug.cgi?id=156528
1014
1015         Reviewed by Filip Pizlo.
1016
1017         If you fround a double with the bits 0xfff7000000000000
1018         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
1019
1020         This is without a test because I could not find a way to create a 0xfff7000000000000
1021         while convincing the DFG that it's pure.
1022         When we purify NaNs from typed array, we use a specific value of NaN if the input
1023         is any NaN, making testing tricky.
1024
1025         * bytecode/SpeculatedType.cpp:
1026         (JSC::typeOfDoubleNegation):
1027
1028 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1029
1030         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
1031         https://bugs.webkit.org/show_bug.cgi?id=156670
1032
1033         Reviewed by Darin Adler.
1034
1035         * dfg/DFGNode.h:
1036         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
1037
1038 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1039
1040         [mips] Implemented moveZeroToDouble.
1041         https://bugs.webkit.org/show_bug.cgi?id=155429
1042
1043         Reviewed by Darin Adler.
1044
1045         This function is required to fix compilation after r197687.
1046
1047         * assembler/MacroAssemblerMIPS.h:
1048         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
1049
1050 2016-04-15  Darin Adler  <darin@apple.com>
1051
1052         Reduce use of Deprecated::ScriptXXX classes
1053         https://bugs.webkit.org/show_bug.cgi?id=156632
1054
1055         Reviewed by Alex Christensen.
1056
1057         * bindings/ScriptFunctionCall.cpp:
1058         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
1059         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
1060         * bindings/ScriptFunctionCall.h: Updated for the above.
1061
1062         * bindings/ScriptValue.cpp:
1063         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
1064         move this to another source file in the inspector directory.
1065         (Inspector::toInspectorValue): Added.
1066         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
1067         * bindings/ScriptValue.h: Update for the above.
1068
1069         * inspector/InjectedScript.cpp:
1070         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
1071         Deprecated::ScriptValue to JSC::JSValue.
1072         (Inspector::InjectedScript::functionDetails): Ditto.
1073         (Inspector::InjectedScript::wrapCallFrames): Ditto.
1074         (Inspector::InjectedScript::wrapObject): Ditto.
1075         (Inspector::InjectedScript::wrapTable): Ditto.
1076         (Inspector::InjectedScript::previewValue): Ditto.
1077         (Inspector::InjectedScript::setExceptionValue): Ditto.
1078         (Inspector::InjectedScript::findObjectById): Ditto.
1079         (Inspector::InjectedScript::inspectObject): Ditto.
1080         * inspector/InjectedScript.h: Ditto.
1081         * inspector/InjectedScriptBase.cpp:
1082         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
1083         (Inspector::InjectedScriptBase::makeCall): Ditto.
1084         * inspector/InjectedScriptBase.h: Ditto.
1085         * inspector/InjectedScriptModule.cpp:
1086         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
1087         * inspector/ScriptDebugListener.h: Ditto.
1088         * inspector/ScriptDebugServer.cpp:
1089         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
1090         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
1091         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
1092         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
1093         * inspector/ScriptDebugServer.h: Ditto.
1094         * inspector/agents/InspectorDebuggerAgent.cpp:
1095         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
1096         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
1097         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
1098         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
1099         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
1100         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
1101         * inspector/agents/InspectorHeapAgent.cpp:
1102         (Inspector::InspectorHeapAgent::getPreview): Ditto.
1103         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
1104
1105 2016-04-15  Keith Miller  <keith_miller@apple.com>
1106
1107         Some JIT/DFG operations need NativeCallFrameTracers
1108         https://bugs.webkit.org/show_bug.cgi?id=156650
1109
1110         Reviewed by Michael Saboff.
1111
1112         Some of our operation functions did not have native call frame
1113         tracers. This meant that we would crash occasionally on some
1114         of our tests when they triggered a GC in one of the functions
1115         without a tracer. In particular, this was exemplified by another
1116         upcoming patch when calling operationSetFunctionName.
1117
1118         This patch does not add tests since this happens consistently in
1119         the patch adding delete_by_id to the DFG.
1120
1121         * dfg/DFGOperations.cpp:
1122         * jit/JITOperations.cpp:
1123
1124 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1125
1126         Web Inspector: sourceMappingURL not used when sourceURL is set
1127         https://bugs.webkit.org/show_bug.cgi?id=156021
1128         <rdar://problem/25438417>
1129
1130         Reviewed by Timothy Hatcher.
1131
1132         Clean up Debugger.sourceParsed to separately include:
1133
1134             - url ("resource URL", "source url" in JSC APIs)
1135             - sourceURL - //# sourceURL directive
1136
1137         By always having the resource URL the Web Inspector frontend
1138         can better match this Script to a Resource of the same URL,
1139         and decide to use the sourceURL if it is available when
1140         appropriate.
1141
1142         * inspector/protocol/Debugger.json:
1143         * inspector/agents/InspectorDebuggerAgent.cpp:
1144         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1145         (Inspector::InspectorDebuggerAgent::didParseSource):
1146         Send the new sourceParsed parameters.
1147
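The distinction this entry draws between the resource URL and the `//# sourceURL` directive, as an added example that is not part of the ChangeLog or of WebKit's inspector code: a small parser for the `sourceURL` and `sourceMappingURL` comment directives, and a description record that keeps the resource URL alongside whatever the script declares about itself. The regular expression, function names and the sample script are constructed for this illustration.

```javascript
// Added example (not WebKit's code): a small parser for the two directives the
// entry above separates. The resource URL comes from wherever the script was
// loaded; the sourceURL (and sourceMappingURL) come from `//# name=value`
// comments inside the script text, which any script author controls.
// The `//@` spelling is the deprecated older form of the same directive.

const DIRECTIVE_RE = /^[ \t]*\/\/[#@][ \t]*(sourceURL|sourceMappingURL)=[ \t]*(\S+)[ \t]*$/;

// Returns the last value of each directive found in `source`, or null when a
// directive is absent. Later occurrences override earlier ones.
function parseSourceDirectives(source) {
    const result = { sourceURL: null, sourceMappingURL: null };
    for (const line of source.split(/\r?\n/)) {
        const match = DIRECTIVE_RE.exec(line);
        if (match)
            result[match[1]] = match[2];
    }
    return result;
}

// Builds a sourceParsed-style description: the resource URL is always present,
// the directive values only when the script carried them.
function describeScript(resourceURL, source) {
    const directives = parseSourceDirectives(source);
    return {
        url: resourceURL,
        sourceURL: directives.sourceURL,
        sourceMappingURL: directives.sourceMappingURL,
        // A debugger UI should match the script to its resource by `url` and
        // treat the self-declared name as a display hint, not as provenance.
        displayNameDiffersFromResource:
            directives.sourceURL !== null && directives.sourceURL !== resourceURL,
    };
}

// Constructed sample: a script fetched from one URL that names itself differently.
const SAMPLE_RESOURCE_URL = "https://example.test/static/app.min.js";
const SAMPLE_SOURCE = [
    "function add(a, b) { return a + b; }",
    "//# sourceMappingURL=app.min.js.map",
    "//# sourceURL=vendor/trusted-library.js",
].join("\n");
```

Running `describeScript(SAMPLE_RESOURCE_URL, SAMPLE_SOURCE)` yields a record whose `url` still identifies the fetched resource while `sourceURL` carries the script's own claim, which is what lets a frontend prefer the directive for display without losing the ability to match the script to the resource it actually came from.
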
1148 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1149
1150         Web Inspector: Cleanup inspector/debugger tests
1151         https://bugs.webkit.org/show_bug.cgi?id=156619
1152
1153         Reviewed by Brian Burg.
1154
1155         While cleaning up the tests it exposed the fact that breakpoints
1156         were not getting disabled when the inspector closes. This means
1157         that opening the inspector, with breakpoints, and closing the
1158         inspector, would leave the JSC::Debugger thinking breakpoints
1159         are active. The JSC::Debugger should be reset.
1160
1161         * inspector/agents/InspectorDebuggerAgent.cpp:
1162         (Inspector::InspectorDebuggerAgent::disable):
1163
1164 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1165
1166         CopiedBlock should be 64kB
1167
1168         Reviewed by Benjamin Poulain.
1169
1170         Let's try another value.
1171
1172         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
1173
1174         * heap/CopiedBlock.h:
1175
1176 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
1177
1178         Tail call optimizations lead to crashes on ARM Thumb + Linux
1179         https://bugs.webkit.org/show_bug.cgi?id=150083
1180
1181         Reviewed by Csaba Osztrogonác.
1182
1183         * assembler/AbstractMacroAssembler.h:
1184         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
1185         data location of the destination, and not the executable address. This is needed for
1186         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
1187         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
1188         * jit/Repatch.cpp:
1189         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
1190         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
1191
1192 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1193
1194         Unreviewed, rolling out r199567.
1195
1196         performance regression on kraken on macbook*
1197
1198         Reverted changeset:
1199
1200         "CopiedBlock should be 8kB"
1201         https://bugs.webkit.org/show_bug.cgi?id=156610
1202         http://trac.webkit.org/changeset/199567
1203
1204 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1205
1206         CopiedBlock should be 8kB
1207         https://bugs.webkit.org/show_bug.cgi?id=156610
1208
1209         Reviewed by Michael Saboff.
1210
1211         On Mac Pro, this is:
1212
1213             15% faster on kraken-audio-beat-detection
1214
1215             5% faster on v8-splay
1216
1217         Hopefully, this will be OK on MacBook* bots as well.
1218
1219         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
1220         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
1221         this problem by using smaller blocks -- or, if that doesn't work, we can
1222         use larger blocks to amortize the cost.
1223
1224         * heap/CopiedBlock.h:
1225
1226 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
1227
1228         PolymorphicAccess should try to generate a stub only once
1229         https://bugs.webkit.org/show_bug.cgi?id=156555
1230
1231         Reviewed by Geoffrey Garen.
1232         
1233         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
1234         more than before. We used to always generate a monomorphic stub for the first case we saw.
1235         This change disables that. This change also increases the buffering countdown to match the
1236         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
1237         then we will generate a stub, and then we will go into cool-down and the repatching slow
1238         paths will not even attempt repatching for a while. After we emerge from cool-down - which
1239         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
1240         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
1241         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
1242         means that each IC will repatch once. If they make it to two repatching, then the likelihood
1243         of a third becomes infinitesimal because of all of the rules that come into play at that
1244         point (the size limit being 13, the fact that we go into exponential cool-down every time we
1245         generate code, and the fact that if we have lots of self cases then we will create a
1246         catch-all megamorphic load case).
1247
1248         This also undoes a change to the megamorphic optimization that I think was unintentional.
1249         As in the change that originally introduced megamorphic loads, we want to do this only if we
1250         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
1251         expensive and it's best to use them only if we know that the alternative is giving up on
1252         caching.
1253
1254         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
1255
1256         * bytecode/PolymorphicAccess.cpp:
1257         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1258         (JSC::AccessCase::canReplace):
1259         (JSC::AccessCase::dump):
1260         (JSC::PolymorphicAccess::regenerate):
1261         * bytecode/StructureStubInfo.cpp:
1262         (JSC::StructureStubInfo::StructureStubInfo):
1263         * runtime/Options.h:
1264
1265 2016-04-14  Mark Lam  <mark.lam@apple.com>
1266
1267         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
1268         https://bugs.webkit.org/show_bug.cgi?id=155922
1269
1270         Reviewed by Keith Miller.
1271
1272         According to the TC39 committee, when invoking the following RegExp.prototype
1273         methods on the RegExp.prototype:
1274         1. RegExp.prototype.flags yields ""
1275         2. RegExp.prototype.global yields undefined
1276         3. RegExp.prototype.ignoreCase yields undefined
1277         4. RegExp.prototype.multiline yields undefined
1278         5. RegExp.prototype.unicode yields undefined
1279         6. RegExp.prototype.source yields "(?:)"
1280         7. RegExp.prototype.sticky yields undefined
1281         8. RegExp.prototype.toString() yields "/(?:)/"
1282
1283         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
1284         change is a special dispensation applicable only to RegExp.prototype.  The ES6
1285         spec of throwing errors still applies if those methods are applied to anything
1286         else that is not a RegExp object.
1287
1288         * runtime/RegExpPrototype.cpp:
1289         (JSC::regExpProtoGetterGlobal):
1290         (JSC::regExpProtoGetterIgnoreCase):
1291         (JSC::regExpProtoGetterMultiline):
1292         (JSC::regExpProtoGetterSticky):
1293         (JSC::regExpProtoGetterUnicode):
1294         (JSC::regExpProtoGetterFlags):
1295         (JSC::regExpProtoGetterSource):
1296         - Implemented new behavior.
1297
1298         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
1299         (test):
1300         - Updated to match current kangax test.
1301
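The eight behaviours listed in this entry, checked from script as an added example that is not part of the ChangeLog or of WebKit's code. It reads each accessor with RegExp.prototype as the receiver and then applies the same getters to a plain object to show that the TypeError rule still holds for every other non-RegExp receiver; the function names are constructed for the illustration.

```javascript
// Added example (not WebKit's code): the RegExp.prototype special case the
// entry above implements, observed from script. The flag getters return
// undefined and source returns "(?:)" when the receiver is RegExp.prototype
// itself, while any other non-RegExp receiver still gets a TypeError.

const FLAG_GETTERS = ["global", "ignoreCase", "multiline", "unicode", "sticky"];

// Reads each accessor with RegExp.prototype as the receiver.
function regExpPrototypeBehaviour() {
    const proto = RegExp.prototype;
    const result = { flags: proto.flags, source: proto.source, toString: proto.toString() };
    for (const name of FLAG_GETTERS)
        result[name] = proto[name];
    result.isRegExp = proto instanceof RegExp; // the dispensation does not make it one
    return result;
}

// Applies one of RegExp.prototype's getters to an arbitrary receiver and
// reports whether the ES6 TypeError rule fires. It should fire for plain
// objects and not for real RegExp instances.
function getterThrowsTypeErrorOn(receiver, name) {
    const getter = Object.getOwnPropertyDescriptor(RegExp.prototype, name).get;
    try {
        getter.call(receiver);
        return false;
    } catch (error) {
        return error instanceof TypeError;
    }
}
```

The special case matters for code that feature-detects by reading `RegExp.prototype.flags` or `RegExp.prototype.global` directly: those reads now succeed with empty or undefined results instead of throwing, while getters invoked on any other non-RegExp object keep throwing.
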
1302 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1303
1304         Some imported ES6 tests are missing __createIterableObject
1305         https://bugs.webkit.org/show_bug.cgi?id=156584
1306
1307         Reviewed by Keith Miller.
1308
1309         These tests were failing because I neglected to include __createIterableObject
1310         when I first imported them. Now they pass.
1311
1312         * tests/es6.yaml:
1313         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
1314         (iterator.next):
1315         (iterable.Symbol.iterator):
1316         (__createIterableObject):
1317         (test):
1318         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
1319         (iterator.next):
1320         (iterable.Symbol.iterator):
1321         (__createIterableObject):
1322         (test):
1323         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
1324         (iterator.next):
1325         (iterable.Symbol.iterator):
1326         (__createIterableObject):
1327         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
1328         (iterator.next):
1329         (iterable.Symbol.iterator):
1330         (__createIterableObject):
1331         (test):
1332         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
1333         (iterator.next):
1334         (iterable.Symbol.iterator):
1335         (__createIterableObject):
1336         (test):
1337         * tests/es6/Map_iterator_closing.js:
1338         (iterator.next):
1339         (iterable.Symbol.iterator):
1340         (__createIterableObject):
1341         * tests/es6/Promise_Promise.all_generic_iterables.js:
1342         (iterator.next):
1343         (iterable.Symbol.iterator):
1344         (__createIterableObject):
1345         (test.asyncTestPassed):
1346         * tests/es6/Promise_Promise.race_generic_iterables.js:
1347         (iterator.next):
1348         (iterable.Symbol.iterator):
1349         (__createIterableObject):
1350         (test.asyncTestPassed):
1351         * tests/es6/Set_iterator_closing.js:
1352         (iterator.next):
1353         (iterable.Symbol.iterator):
1354         (__createIterableObject):
1355         * tests/es6/WeakMap_iterator_closing.js:
1356         (iterator.next):
1357         (iterable.Symbol.iterator):
1358         (__createIterableObject):
1359         * tests/es6/WeakSet_iterator_closing.js:
1360         (iterator.next):
1361         (iterable.Symbol.iterator):
1362         (__createIterableObject):
1363         * tests/es6/destructuring_iterator_closing.js:
1364         (iterator.next):
1365         (iterable.Symbol.iterator):
1366         (__createIterableObject):
1367         * tests/es6/destructuring_with_generic_iterables.js:
1368         (iterator.next):
1369         (iterable.Symbol.iterator):
1370         (__createIterableObject):
1371         (test):
1372         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
1373         (iterator.next):
1374         (iterable.Symbol.iterator):
1375         (__createIterableObject):
1376         (test):
1377         * tests/es6/for..of_loops_iterator_closing_break.js:
1378         (iterator.next):
1379         (iterable.Symbol.iterator):
1380         (__createIterableObject):
1381         * tests/es6/for..of_loops_iterator_closing_throw.js:
1382         (iterator.next):
1383         (iterable.Symbol.iterator):
1384         (__createIterableObject):
1385         * tests/es6/for..of_loops_with_generic_iterables.js:
1386         (iterator.next):
1387         (iterable.Symbol.iterator):
1388         (__createIterableObject):
1389         (test):
1390         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
1391         (iterator.next):
1392         (iterable.Symbol.iterator):
1393         (__createIterableObject):
1394         (test):
1395         * tests/es6/generators_yield_star_generic_iterables.js:
1396         (iterator.next):
1397         (iterable.Symbol.iterator):
1398         (__createIterableObject):
1399         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
1400         (iterator.next):
1401         (iterable.Symbol.iterator):
1402         (__createIterableObject):
1403         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
1404         (iterator.next):
1405         (iterable.Symbol.iterator):
1406         (__createIterableObject):
1407         (test):
1408         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
1409         (iterator.next):
1410         (iterable.Symbol.iterator):
1411         (__createIterableObject):
1412         (test):
1413         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
1414         (iterator.next):
1415         (iterable.Symbol.iterator):
1416         (__createIterableObject):
1417         (test):
1418         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
1419         (iterator.next):
1420         (iterable.Symbol.iterator):
1421         (__createIterableObject):
1422         (test):
1423
1424 2016-04-13  Alex Christensen  <achristensen@webkit.org>
1425
1426         CMake MiniBrowser should be an app bundle
1427         https://bugs.webkit.org/show_bug.cgi?id=156521
1428
1429         Reviewed by Brent Fulgham.
1430
1431         * PlatformMac.cmake:
1432         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
1433
1434 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
1435
1436         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
1437         https://bugs.webkit.org/show_bug.cgi?id=156566
1438         <rdar://problem/16392365>
1439
1440         Reviewed by Timothy Hatcher.
1441
1442         * inspector/InjectedScriptSource.js:
1443         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1444         Treat non-basic object types as not lossless so they can be expanded.
1445         Show non-enumerable native getters in Object previews.
1446
1447 2016-04-13  Michael Saboff  <msaboff@apple.com>
1448
1449         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
1450         https://bugs.webkit.org/show_bug.cgi?id=151597
1451
1452         Reviewed by Geoffrey Garen.
1453
1454         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
1455         when specified in RegExps with both the unicode and ignoreCase flags.  Given the
1456         case folding rules described in the standard via the meta function Canonicalize(),
1457         which allow cross ASCII case folding when unicode is specified, the unicode characters
1458         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
1459         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
1460         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
1461         \W with the unicode and ignoreCase flags.
1462
1463         * create_regex_tables:
1464         * yarr/YarrPattern.cpp:
1465         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1466         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1467         (JSC::Yarr::YarrPattern::YarrPattern):
1468         * yarr/YarrPattern.h:
1469         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
1470         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
1471         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1472         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
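
An added example, not part of this ChangeLog or of JSC's Yarr code: it lets the running engine's own RegExp enumerate the code points that are not basic word characters yet match \w under the u and i flags, which is the pair of characters this entry's new tables encode. The \W results for the letters the entry names are returned rather than asserted so the reader can compare the engine at hand with the entry's description.

```javascript
// Added example (not JSC code): empirically derive the "extra" \w characters the
// entry describes. Under the u+i flags Canonicalize() case-folds across ASCII, so
// any code point whose simple case folding is an ASCII word character matches \w.
// We let the engine's own RegExp answer and collect the hits.

const BASIC_WORD = /^[A-Za-z0-9_]$/;          // the 63 basic word characters
const WORD_UNICODE_IGNORECASE = /^\w$/iu;     // \w under the u and i flags
const WORD_UNICODE_ONLY = /^\w$/u;            // \w under u alone, for contrast

// Return the sorted code points that are NOT basic word characters but that
// /\w/iu nonetheless matches. Scans the whole code space, skipping surrogates.
function extraWordCharacters() {
  const extra = [];
  for (let cp = 0; cp <= 0x10ffff; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue;      // surrogates are not characters
    const ch = String.fromCodePoint(cp);
    if (BASIC_WORD.test(ch)) continue;
    if (WORD_UNICODE_IGNORECASE.test(ch)) extra.push(cp);
  }
  return extra;
}

// Without ignoreCase no case folding happens, so the plain /u regexp should treat
// neither extra character as a word character.
function matchesWithoutIgnoreCase(cp) {
  return WORD_UNICODE_ONLY.test(String.fromCodePoint(cp));
}

// Report what the running engine does for \W with u+i on the letters the entry
// names. Returned rather than asserted: the entry describes JSC's behaviour at
// the time, and the reader should compare it with the engine at hand.
function nonWordReport() {
  const report = {};
  for (const ch of ['k', 'K', 's', 'S', '\u017f', '\u212a']) {
    report[ch] = /^\W$/iu.test(ch);
  }
  return report;
}

// Usage: the scan finds exactly U+017F and U+212A, the pair the entry describes.
const found = extraWordCharacters();
console.log(found.map(cp => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0')));
console.log(nonWordReport());
```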
1473
1474 2016-04-13  Commit Queue  <commit-queue@webkit.org>
1475
1476         Unreviewed, rolling out r199502 and r199511.
1477         https://bugs.webkit.org/show_bug.cgi?id=156557
1478
1479         Appears to have in-browser perf regression (Requested by mlam
1480         on #webkit).
1481
1482         Reverted changesets:
1483
1484         "ES6: Implement String.prototype.split and
1485         RegExp.prototype[@@split]."
1486         https://bugs.webkit.org/show_bug.cgi?id=156013
1487         http://trac.webkit.org/changeset/199502
1488
1489         "ES6: Implement RegExp.prototype[@@search]."
1490         https://bugs.webkit.org/show_bug.cgi?id=156331
1491         http://trac.webkit.org/changeset/199511
1492
1493 2016-04-13  Keith Miller  <keith_miller@apple.com>
1494
1495         isJSArray should use ArrayType rather than the ClassInfo
1496         https://bugs.webkit.org/show_bug.cgi?id=156551
1497
1498         Reviewed by Filip Pizlo.
1499
1500         Using the JSType rather than the ClassInfo should be slightly faster
1501         since the type is inline on the cell whereas the ClassInfo is only
1502         on the structure.
1503
1504         * runtime/JSArray.h:
1505         (JSC::isJSArray):
1506
1507 2016-04-13  Mark Lam  <mark.lam@apple.com>
1508
1509         ES6: Implement RegExp.prototype[@@search].
1510         https://bugs.webkit.org/show_bug.cgi?id=156331
1511
1512         Reviewed by Keith Miller.
1513
1514         What changed?
1515         1. Implemented search builtin in RegExpPrototype.js.
1516            The native path is now used as a fast path.
1517         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
1518            IsJSArrayIntrinsic).
1519         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
1520         4. Change the esSpecIsRegExpObject() implementation to check if the object's
1521            JSType is RegExpObjectType instead of walking the classinfo chain.
1522
1523         * builtins/RegExpPrototype.js:
1524         (search):
1525         * builtins/StringPrototype.js:
1526         (search):
1527         - fixed some indentation.
1528
1529         * dfg/DFGAbstractInterpreterInlines.h:
1530         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1531         * dfg/DFGByteCodeParser.cpp:
1532         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1533         * dfg/DFGClobberize.h:
1534         (JSC::DFG::clobberize):
1535         * dfg/DFGDoesGC.cpp:
1536         (JSC::DFG::doesGC):
1537         * dfg/DFGFixupPhase.cpp:
1538         (JSC::DFG::FixupPhase::fixupNode):
1539         * dfg/DFGNodeType.h:
1540         * dfg/DFGPredictionPropagationPhase.cpp:
1541         (JSC::DFG::PredictionPropagationPhase::propagate):
1542         * dfg/DFGSafeToExecute.h:
1543         (JSC::DFG::safeToExecute):
1544         * dfg/DFGSpeculativeJIT.cpp:
1545         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1546         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
1547         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1548         * dfg/DFGSpeculativeJIT.h:
1549         * dfg/DFGSpeculativeJIT32_64.cpp:
1550         (JSC::DFG::SpeculativeJIT::compile):
1551         * dfg/DFGSpeculativeJIT64.cpp:
1552         (JSC::DFG::SpeculativeJIT::compile):
1553         * ftl/FTLCapabilities.cpp:
1554         (JSC::FTL::canCompile):
1555         * ftl/FTLLowerDFGToB3.cpp:
1556         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1557         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1558         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1559         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1560         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1561         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
1562         (JSC::FTL::DFG::LowerDFGToB3::isType):
1563         * runtime/Intrinsic.h:
1564         - Added IsRegExpObjectIntrinsic.
1565
1566         * runtime/CommonIdentifiers.h:
1567
1568         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1569         (JSC::esSpecIsConstructor):
1570         - Changed to use uncheckedArgument since this is only called from internal code.
1571         (JSC::esSpecIsRegExpObject):
1572         (JSC::esSpecIsRegExp): Deleted.
1573         * runtime/ECMAScriptSpecInternalFunctions.h:
1574         - Changed to check the object for a JSType of RegExpObjectType.
1575
1576         * runtime/JSGlobalObject.cpp:
1577         (JSC::JSGlobalObject::init):
1578         - Added split fast path.
1579
1580         * runtime/RegExpPrototype.cpp:
1581         (JSC::RegExpPrototype::finishCreation):
1582         (JSC::regExpProtoFuncSearchFast):
1583         (JSC::regExpProtoFuncSearch): Deleted.
1584         * runtime/RegExpPrototype.h:
1585
1586         * tests/es6.yaml:
1587         * tests/stress/regexp-search.js:
1588         - Rebased test.
1589
1590 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
1591
1592         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
1593         https://bugs.webkit.org/show_bug.cgi?id=156493
1594
1595         Reviewed by Geoffrey Garen.
1596
1597         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
1598         they already generated. So, if the state is not Generated, we don't have to bother with
1599         cloning them.
1600
1601         This should speed up PolymorphicAccess regeneration a bit more.
1602
1603         * bytecode/PolymorphicAccess.cpp:
1604         (JSC::AccessCase::commit):
1605         (JSC::PolymorphicAccess::regenerate):
1606
1607 2016-04-13  Mark Lam  <mark.lam@apple.com>
1608
1609         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1610         https://bugs.webkit.org/show_bug.cgi?id=156013
1611
1612         Reviewed by Keith Miller.
1613
1614         Re-landing r199393 now that the shadow chicken crash has been fixed.
1615
1616         * CMakeLists.txt:
1617         * JavaScriptCore.xcodeproj/project.pbxproj:
1618         * builtins/GlobalObject.js:
1619         (speciesConstructor):
1620         * builtins/PromisePrototype.js:
1621         - refactored to use the @speciesConstructor internal function.
1622
1623         * builtins/RegExpPrototype.js:
1624         (advanceStringIndex):
1625         - refactored from @advanceStringIndexUnicode() to match the spec.
1626           Benchmarks show that there's no advantage in doing the unicode check outside
1627           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
1628           spec (especially since @@split needs to call advanceStringIndex from more than
1629           1 location).
1630         (match):
1631         - Removed an unnecessary call to @Object because it was already proven above.
1632         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
1633           Again, there's no perf regression for this.
1634         (regExpExec):
1635         (hasObservableSideEffectsForRegExpSplit):
1636         (split):
1637         (advanceStringIndexUnicode): Deleted.
1638
1639         * builtins/StringPrototype.js:
1640         (split):
1641         - Modified to use RegExp.prototype[@@split].
1642
1643         * bytecode/BytecodeIntrinsicRegistry.cpp:
1644         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1645         (JSC::BytecodeIntrinsicRegistry::lookup):
1646         * bytecode/BytecodeIntrinsicRegistry.h:
1647         - Added the @@split symbol.
1648
1649         * runtime/CommonIdentifiers.h:
1650         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
1651         (JSC::esSpecIsConstructor):
1652         (JSC::esSpecIsRegExp):
1653         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
1654
1655         * runtime/JSGlobalObject.cpp:
1656         (JSC::getGetterById):
1657         (JSC::JSGlobalObject::init):
1658
1659         * runtime/PropertyDescriptor.cpp:
1660         (JSC::PropertyDescriptor::setDescriptor):
1661         - Removed an assert that is no longer valid.
1662
1663         * runtime/RegExpObject.h:
1664         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
1665           fast path.
1666
1667         * runtime/RegExpPrototype.cpp:
1668         (JSC::RegExpPrototype::finishCreation):
1669         (JSC::regExpProtoFuncExec):
1670         (JSC::regExpProtoFuncSearch):
1671         (JSC::advanceStringIndex):
1672         (JSC::regExpProtoFuncSplitFast):
1673         * runtime/RegExpPrototype.h:
1674
1675         * runtime/StringObject.h:
1676         (JSC::jsStringWithReuse):
1677         (JSC::jsSubstring):
1678         - Hoisted some utility functions from StringPrototype.cpp so that they can be
1679           reused by the regexp split fast path.
1680
1681         * runtime/StringPrototype.cpp:
1682         (JSC::StringPrototype::finishCreation):
1683         (JSC::stringProtoFuncSplitFast):
1684         (JSC::stringProtoFuncSubstr):
1685         (JSC::builtinStringSubstrInternal):
1686         (JSC::stringProtoFuncSubstring):
1687         (JSC::stringIncludesImpl):
1688         (JSC::stringProtoFuncIncludes):
1689         (JSC::builtinStringIncludesInternal):
1690         (JSC::jsStringWithReuse): Deleted.
1691         (JSC::jsSubstring): Deleted.
1692         (JSC::stringProtoFuncSplit): Deleted.
1693         * runtime/StringPrototype.h:
1694
1695         * tests/es6.yaml:
1696
1697 2016-04-13  Mark Lam  <mark.lam@apple.com>
1698
1699         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
1700         https://bugs.webkit.org/show_bug.cgi?id=156532
1701
1702         Reviewed by Saam Barati and Filip Pizlo.
1703
1704         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
1705         the callee field of a log packet.  However, ShadowChicken::visitChildren()
1706         unconditionally visits the callee field of each packet as if they are real
1707         objects.  If visitChildren() encounters one of these markers in the log, we get a
1708         crash.
1709
1710         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
1711         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
1712         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
1713         some timely GCs, and we get a crash party.
1714
1715         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
1716         throwMarker.
1717
1718         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
1719         these markers so that ShadowChicken can continue to visit them.  For now, I'm
1720         going with the filter.
1721
1722         * interpreter/ShadowChicken.cpp:
1723         (JSC::ShadowChicken::visitChildren):
1724
1725 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1726
1727         [ES6] Add @@toStringTag to GeneratorFunction
1728         https://bugs.webkit.org/show_bug.cgi?id=156499
1729
1730         Reviewed by Mark Lam.
1731
1732         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
1733         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
1734
1735         * runtime/GeneratorFunctionPrototype.cpp:
1736         (JSC::GeneratorFunctionPrototype::finishCreation):
1737         * tests/es6.yaml:
1738         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
1739         (test):
1740
1741 2016-04-13  Alberto Garcia  <berto@igalia.com>
1742
1743         Fix build in glibc-based BSD systems
1744         https://bugs.webkit.org/show_bug.cgi?id=156533
1745
1746         Reviewed by Carlos Garcia Campos.
1747
1748         Change the order of the #elif conditionals so glibc-based BSD
1749         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
1750         OS(FREEBSD) blocks.
1751
1752         * heap/MachineStackMarker.cpp:
1753         (JSC::MachineThreads::Thread::Registers::stackPointer):
1754         (JSC::MachineThreads::Thread::Registers::framePointer):
1755         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1756         (JSC::MachineThreads::Thread::Registers::llintPC):
1757
1758 2016-04-12  Keith Miller  <keith_miller@apple.com>
1759
1760         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
1761         was not intended to land with r199397.
1762
1763         * runtime/ArrayPrototype.h:
1764         (JSC::ArrayPrototype::createStructure):
1765
1766 2016-04-12  Mark Lam  <mark.lam@apple.com>
1767
1768         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1769         https://bugs.webkit.org/show_bug.cgi?id=156013
1770
1771         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
1772
1773         Not reviewed.
1774
1775         * CMakeLists.txt:
1776         * JavaScriptCore.xcodeproj/project.pbxproj:
1777         * builtins/GlobalObject.js:
1778         (speciesGetter):
1779         (speciesConstructor): Deleted.
1780         * builtins/PromisePrototype.js:
1781         * builtins/RegExpPrototype.js:
1782         (advanceStringIndexUnicode):
1783         (match):
1784         (advanceStringIndex): Deleted.
1785         (regExpExec): Deleted.
1786         (hasObservableSideEffectsForRegExpSplit): Deleted.
1787         (split): Deleted.
1788         * builtins/StringPrototype.js:
1789         (repeat):
1790         (split): Deleted.
1791         * bytecode/BytecodeIntrinsicRegistry.cpp:
1792         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1793         (JSC::BytecodeIntrinsicRegistry::lookup):
1794         * bytecode/BytecodeIntrinsicRegistry.h:
1795         * runtime/CommonIdentifiers.h:
1796         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
1797         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
1798         * runtime/JSGlobalObject.cpp:
1799         (JSC::JSGlobalObject::setGlobalThis):
1800         (JSC::JSGlobalObject::init):
1801         (JSC::getGetterById): Deleted.
1802         * runtime/PropertyDescriptor.cpp:
1803         (JSC::PropertyDescriptor::setDescriptor):
1804         * runtime/RegExpObject.h:
1805         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
1806         * runtime/RegExpPrototype.cpp:
1807         (JSC::RegExpPrototype::finishCreation):
1808         (JSC::regExpProtoFuncExec):
1809         (JSC::regExpProtoFuncSearch):
1810         (JSC::advanceStringIndex): Deleted.
1811         (JSC::regExpProtoFuncSplitFast): Deleted.
1812         * runtime/RegExpPrototype.h:
1813         * runtime/StringObject.h:
1814         (JSC::jsStringWithReuse): Deleted.
1815         (JSC::jsSubstring): Deleted.
1816         * runtime/StringPrototype.cpp:
1817         (JSC::StringPrototype::finishCreation):
1818         (JSC::jsStringWithReuse):
1819         (JSC::jsSubstring):
1820         (JSC::substituteBackreferencesSlow):
1821         (JSC::splitStringByOneCharacterImpl):
1822         (JSC::stringProtoFuncSplit):
1823         (JSC::stringProtoFuncSubstr):
1824         (JSC::stringProtoFuncSubstring):
1825         (JSC::stringProtoFuncEndsWith):
1826         (JSC::stringProtoFuncIncludes):
1827         (JSC::stringProtoFuncIterator):
1828         (JSC::stringProtoFuncSplitFast): Deleted.
1829         (JSC::builtinStringSubstrInternal): Deleted.
1830         (JSC::stringIncludesImpl): Deleted.
1831         (JSC::builtinStringIncludesInternal): Deleted.
1832         * runtime/StringPrototype.h:
1833         * tests/es6.yaml:
1834
1835 2016-04-12  Mark Lam  <mark.lam@apple.com>
1836
1837         Remove 2 unused JSC options.
1838         https://bugs.webkit.org/show_bug.cgi?id=156526
1839
1840         Reviewed by Benjamin Poulain.
1841
1842         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
1843         now that we have B3.
1844
1845         * runtime/Options.h:
1846
1847 2016-04-12  Keith Miller  <keith_miller@apple.com>
1848
1849         [ES6] Add support for Symbol.isConcatSpreadable.
1850         https://bugs.webkit.org/show_bug.cgi?id=155351
1851
1852         Reviewed by Saam Barati.
1853
1854         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
1855         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
1856         a builtin performant. First, four new DFG intrinsics were added.
1857
1858         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
1859            the Array.isArray function.
1860         2) IsJSArray: checks the first child is a JSArray object.
1861         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
1862         4) CallObjectConstructor: an intrinsic of the Object constructor.
1863
1864         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
1865         we are able to prove that the first child is an Array or for ToObject an Object.
1866
1867         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
1868         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
1869         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
1870         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
1871         into a contiguous array).
1872
1873         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
1874         values onto the result array. This works roughly the same as the two array fast path using the same methodology
1875         to decide if we can memcpy the other butterfly into the result butterfly.
1876
1877         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
1878         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
1879         dataLog function on it.
1880
1881         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
1882         JSValueOperand if the operand's use count is one.
1883
1884         * JavaScriptCore.xcodeproj/project.pbxproj:
1885         * builtins/ArrayPrototype.js:
1886         (concatSlowPath):
1887         (concat):
1888         * bytecode/BytecodeIntrinsicRegistry.cpp:
1889         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1890         * bytecode/BytecodeIntrinsicRegistry.h:
1891         * dfg/DFGAbstractInterpreterInlines.h:
1892         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1893         * dfg/DFGByteCodeParser.cpp:
1894         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1895         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1896         * dfg/DFGClobberize.h:
1897         (JSC::DFG::clobberize):
1898         * dfg/DFGDoesGC.cpp:
1899         (JSC::DFG::doesGC):
1900         * dfg/DFGFixupPhase.cpp:
1901         (JSC::DFG::FixupPhase::fixupNode):
1902         * dfg/DFGNodeType.h:
1903         * dfg/DFGOperations.cpp:
1904         * dfg/DFGOperations.h:
1905         * dfg/DFGPredictionPropagationPhase.cpp:
1906         (JSC::DFG::PredictionPropagationPhase::propagate):
1907         * dfg/DFGSafeToExecute.h:
1908         (JSC::DFG::safeToExecute):
1909         * dfg/DFGSpeculativeJIT.cpp:
1910         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1911         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
1912         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
1913         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1914         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1915         * dfg/DFGSpeculativeJIT.h:
1916         (JSC::DFG::SpeculativeJIT::callOperation):
1917         * dfg/DFGSpeculativeJIT32_64.cpp:
1918         (JSC::DFG::SpeculativeJIT::compile):
1919         * dfg/DFGSpeculativeJIT64.cpp:
1920         (JSC::DFG::SpeculativeJIT::compile):
1921         * ftl/FTLCapabilities.cpp:
1922         (JSC::FTL::canCompile):
1923         * ftl/FTLLowerDFGToB3.cpp:
1924         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1925         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1926         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
1927         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1928         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
1929         (JSC::FTL::DFG::LowerDFGToB3::isArray):
1930         * jit/JITOperations.h:
1931         * jsc.cpp:
1932         (GlobalObject::finishCreation):
1933         (functionDataLogValue):
1934         * runtime/ArrayConstructor.cpp:
1935         (JSC::ArrayConstructor::finishCreation):
1936         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1937         * runtime/ArrayConstructor.h:
1938         (JSC::isArrayConstructor):
1939         * runtime/ArrayPrototype.cpp:
1940         (JSC::ArrayPrototype::finishCreation):
1941         (JSC::arrayProtoPrivateFuncIsJSArray):
1942         (JSC::moveElements):
1943         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1944         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1945         (JSC::arrayProtoFuncConcat): Deleted.
1946         * runtime/ArrayPrototype.h:
1947         (JSC::ArrayPrototype::createStructure):
1948         * runtime/CommonIdentifiers.h:
1949         * runtime/Intrinsic.h:
1950         * runtime/JSArray.cpp:
1951         (JSC::JSArray::appendMemcpy):
1952         (JSC::JSArray::fastConcatWith): Deleted.
1953         * runtime/JSArray.h:
1954         (JSC::JSArray::createStructure):
1955         (JSC::JSArray::fastConcatType): Deleted.
1956         * runtime/JSArrayInlines.h: Added.
1957         (JSC::JSArray::memCopyWithIndexingType):
1958         (JSC::JSArray::canFastCopy):
1959         * runtime/JSGlobalObject.cpp:
1960         (JSC::JSGlobalObject::init):
1961         * runtime/JSType.h:
1962         * runtime/ObjectConstructor.h:
1963         (JSC::constructObject):
1964         * tests/es6.yaml:
1965         * tests/stress/array-concat-spread-object.js: Added.
1966         (arrayEq):
1967         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
1968         (arrayEq):
1969         * tests/stress/array-concat-spread-proxy.js: Added.
1970         (arrayEq):
1971         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
1972         (arrayEq):
1973         * tests/stress/array-species-config-array-constructor.js:
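
An added example, not JSC's builtins/ArrayPrototype.js: a spec-shaped model of the generic concat path (the entry's concatSlowPath) built on IsConcatSpreadable, so the Symbol.isConcatSpreadable rules this patch implements, including the Proxy case its new tests cover, can be checked against the engine's native concat. The names isConcatSpreadable, concatReference and demoCases are this example's own.

```javascript
// Added example (not JSC code): a reference Array.prototype.concat that follows
// the ES2015 algorithm, used to exercise the Symbol.isConcatSpreadable rules.

// ES2015 IsConcatSpreadable(O): non-objects never spread; an explicit
// @@isConcatSpreadable wins; otherwise IsArray (which sees through Proxies).
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return false;
  }
  const spreadable = value[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(value);
}

// Reference concat: the generic path that JSC's memcpy fast paths must be
// observably equivalent to. Holes are preserved because only present indices
// are copied (the HasProperty check in the spec loop).
function concatReference(receiver, ...items) {
  const result = [];
  let n = 0;
  for (const item of [receiver, ...items]) {
    if (isConcatSpreadable(item)) {
      const len = item.length >>> 0;   // ToLength, sufficient for these inputs
      for (let k = 0; k < len; k++, n++) {
        if (k in item) result[n] = item[k];
      }
    } else {
      result[n++] = item;
    }
  }
  result.length = n;
  return result;
}

// Cases mirroring the entry's new tests: an array-like opted in, an array opted
// out, and a Proxy over an array (IsArray sees through it). Inputs are constructed.
function demoCases() {
  const arrayLike = { length: 2, 0: 'x', 1: 'y', [Symbol.isConcatSpreadable]: true };
  const optedOut = Object.assign([3, 4], { [Symbol.isConcatSpreadable]: false });
  const proxied = new Proxy([5, 6], {});
  return {
    arrayLike: concatReference([1, 2], arrayLike),   // [1, 2, 'x', 'y']
    optedOut: concatReference([1, 2], optedOut),     // [1, 2, [3, 4]]
    proxied: concatReference([1, 2], proxied),       // [1, 2, 5, 6]
    model: concatReference([1, 2], arrayLike, optedOut, proxied),
    native: [1, 2].concat(arrayLike, optedOut, proxied),
  };
}

// Sanity check used by the usage below: model and native agree element-for-element.
function sameElements(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

const cases = demoCases();
console.log(cases.arrayLike, cases.optedOut, cases.proxied);
console.log('model matches native concat:', sameElements(cases.model, cases.native));
```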
1974
1975 2016-04-12  Saam barati  <sbarati@apple.com>
1976
1977         Let's not iterate over the constant pool twice every time we link a code block
1978         https://bugs.webkit.org/show_bug.cgi?id=156517
1979
1980         Reviewed by Mark Lam.
1981
1982         I introduced a second iteration over the constant pool when I implemented
1983         block scoping. I did this because we must clone all the symbol tables when
1984         we link a CodeBlock. We can just do this cloning when setting the constant
1985         registers for the first time. There is no need to iterate over the constant
1986         pool a second time.
1987
1988         * bytecode/CodeBlock.cpp:
1989         (JSC::CodeBlock::finishCreation):
1990         (JSC::CodeBlock::~CodeBlock):
1991         (JSC::CodeBlock::setConstantRegisters):
1992         (JSC::CodeBlock::setAlternative):
1993         * bytecode/CodeBlock.h:
1994         (JSC::CodeBlock::replaceConstant):
1995         (JSC::CodeBlock::setConstantRegisters): Deleted.
1996
1997 2016-04-12  Mark Lam  <mark.lam@apple.com>
1998
1999         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
2000         https://bugs.webkit.org/show_bug.cgi?id=156013
2001
2002         Reviewed by Keith Miller.
2003
2004         * CMakeLists.txt:
2005         * JavaScriptCore.xcodeproj/project.pbxproj:
2006         * builtins/GlobalObject.js:
2007         (speciesConstructor):
2008         * builtins/PromisePrototype.js:
2009         - refactored to use the @speciesConstructor internal function.
2010
2011         * builtins/RegExpPrototype.js:
2012         (advanceStringIndex):
2013         - refactored from @advanceStringIndexUnicode() to match the spec.
2014           Benchmarks show that there's no advantage in doing the unicode check outside
2015           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
2016           spec (especially since @@split needs to call advanceStringIndex from more than
2017           1 location).
2018         (match):
2019         - Removed an unnecessary call to @Object because it was already proven above.
2020         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2021           Again, there's no perf regression for this.
2022         (regExpExec):
2023         (hasObservableSideEffectsForRegExpSplit):
2024         (split):
2025         (advanceStringIndexUnicode): Deleted.
2026
2027         * builtins/StringPrototype.js:
2028         (split):
2029         - Modified to use RegExp.prototype[@@split].
2030
2031         * bytecode/BytecodeIntrinsicRegistry.cpp:
2032         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2033         (JSC::BytecodeIntrinsicRegistry::lookup):
2034         * bytecode/BytecodeIntrinsicRegistry.h:
2035         - Added the @@split symbol.
2036
2037         * runtime/CommonIdentifiers.h:
2038         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2039         (JSC::esSpecIsConstructor):
2040         (JSC::esSpecIsRegExp):
2041         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2042
2043         * runtime/JSGlobalObject.cpp:
2044         (JSC::getGetterById):
2045         (JSC::JSGlobalObject::init):
2046
2047         * runtime/PropertyDescriptor.cpp:
2048         (JSC::PropertyDescriptor::setDescriptor):
2049         - Removed an assert that is no longer valid.
2050
2051         * runtime/RegExpObject.h:
2052         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2053           fast path.
2054
2055         * runtime/RegExpPrototype.cpp:
2056         (JSC::RegExpPrototype::finishCreation):
2057         (JSC::regExpProtoFuncExec):
2058         (JSC::regExpProtoFuncSearch):
2059         (JSC::advanceStringIndex):
2060         (JSC::regExpProtoFuncSplitFast):
2061         * runtime/RegExpPrototype.h:
2062
2063         * runtime/StringObject.h:
2064         (JSC::jsStringWithReuse):
2065         (JSC::jsSubstring):
2066         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2067           reused by the regexp split fast path.
2068
2069         * runtime/StringPrototype.cpp:
2070         (JSC::StringPrototype::finishCreation):
2071         (JSC::stringProtoFuncSplitFast):
2072         (JSC::stringProtoFuncSubstr):
2073         (JSC::builtinStringSubstrInternal):
2074         (JSC::stringProtoFuncSubstring):
2075         (JSC::stringIncludesImpl):
2076         (JSC::stringProtoFuncIncludes):
2077         (JSC::builtinStringIncludesInternal):
2078         (JSC::jsStringWithReuse): Deleted.
2079         (JSC::jsSubstring): Deleted.
2080         (JSC::stringProtoFuncSplit): Deleted.
2081         * runtime/StringPrototype.h:
2082
2083         * tests/es6.yaml:
2084
2085 2016-04-12  Keith Miller  <keith_miller@apple.com>
2086
2087         AbstractValue should use the result type to filter structures
2088         https://bugs.webkit.org/show_bug.cgi?id=156516
2089
2090         Reviewed by Geoffrey Garen.
2091
2092         When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
2093         filtering out the valid structures (despite what the comment directly above said). This
2094         would cause us to crash if our structure-set was Top and the two speculated types were
2095         different kinds of cells.
2096
2097         * dfg/DFGAbstractValue.cpp:
2098         (JSC::DFG::AbstractValue::filter):
2099         * tests/stress/ai-consistency-filter-cells.js: Added.
2100         (get value):
2101         (attribute.value.get record):
2102         (attribute.attrs.get this):
2103         (get foo):
2104         (let.thisValue.return.serialize):
2105         (let.thisValue.transformFor):
2106
2107 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
2108
2109         Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
2110         with a comment that describes what we do now.
2111
2112         * bytecode/PolymorphicAccess.h:
2113
2114 2016-04-12  Saam barati  <sbarati@apple.com>
2115
2116         isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.
2117
2118         Rubber-stamped by Filip Pizlo.
2119
2120         * bytecode/CodeBlock.cpp:
2121         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2122         (JSC::CodeBlock::ensureResultProfile):
2123
2124 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2125
2126         PolymorphicAccess should buffer AccessCases before regenerating
2127         https://bugs.webkit.org/show_bug.cgi?id=156457
2128
2129         Reviewed by Benjamin Poulain.
2130
2131         Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
2132         regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.
2133
2134         One way to fix this is to have each AccessCase generate a stub just for itself, which
2135         cascades down to the already-generated cases. But that removes the binary switch
2136         optimization, which makes the IC perform great even when there are many cases.
2137
2138         This change fixes the issue by buffering access cases. When we take slow path and try to add
2139         a new case, the StructureStubInfo will usually just buffer the new case without generating
2140         new code. We simply guarantee that after we buffer a case, we will take at most
2141         Options::repatchBufferingCountdown() slow path calls before generating code for it. That
2142         option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
2143         gather more access cases, or to realize that this IC is too crazy to bother with.
2144
2145         This change ensures that the DFG still gets the same kind of profiling. This is because the
2146         buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
2147         GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
2148         hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
2149         see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
2150         handle this just fine.
2151         
2152         There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
2153         structures that it has seen as a guard to prevent adding lots of redundant cases, in case
2154         we see the same 7 cases after buffering the first one. This cache means we won't wastefully
2155         allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
2156         having separate addCase() and regenerate() calls. That means a bit more moving data around.
2157         So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
2158         There is room for improvement for future patches, to be sure.
2159         
2160         This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
2161         pathologies I saw in page loads.
2162
2163         * bytecode/GetByIdStatus.cpp:
2164         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2165         * bytecode/PolymorphicAccess.cpp:
2166         (JSC::PolymorphicAccess::PolymorphicAccess):
2167         (JSC::PolymorphicAccess::~PolymorphicAccess):
2168         (JSC::PolymorphicAccess::addCases):
2169         (JSC::PolymorphicAccess::addCase):
2170         (JSC::PolymorphicAccess::visitWeak):
2171         (JSC::PolymorphicAccess::dump):
2172         (JSC::PolymorphicAccess::commit):
2173         (JSC::PolymorphicAccess::regenerate):
2174         (JSC::PolymorphicAccess::aboutToDie):
2175         (WTF::printInternal):
2176         (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
2177         (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
2178         * bytecode/PolymorphicAccess.h:
2179         (JSC::AccessCase::isGetter):
2180         (JSC::AccessCase::callLinkInfo):
2181         (JSC::AccessGenerationResult::AccessGenerationResult):
2182         (JSC::AccessGenerationResult::madeNoChanges):
2183         (JSC::AccessGenerationResult::gaveUp):
2184         (JSC::AccessGenerationResult::buffered):
2185         (JSC::AccessGenerationResult::generatedNewCode):
2186         (JSC::AccessGenerationResult::generatedFinalCode):
2187         (JSC::AccessGenerationResult::shouldGiveUpNow):
2188         (JSC::AccessGenerationResult::generatedSomeCode):
2189         (JSC::PolymorphicAccess::isEmpty):
2190         (JSC::PolymorphicAccess::size):
2191         (JSC::PolymorphicAccess::at):
2192         * bytecode/PutByIdStatus.cpp:
2193         (JSC::PutByIdStatus::computeForStubInfo):
2194         * bytecode/StructureStubInfo.cpp:
2195         (JSC::StructureStubInfo::StructureStubInfo):
2196         (JSC::StructureStubInfo::addAccessCase):
2197         (JSC::StructureStubInfo::reset):
2198         (JSC::StructureStubInfo::visitWeakReferences):
2199         * bytecode/StructureStubInfo.h:
2200         (JSC::StructureStubInfo::considerCaching):
2201         (JSC::StructureStubInfo::willRepatch): Deleted.
2202         (JSC::StructureStubInfo::willCoolDown): Deleted.
2203         * jit/JITOperations.cpp:
2204         * jit/Repatch.cpp:
2205         (JSC::tryCacheGetByID):
2206         (JSC::repatchGetByID):
2207         (JSC::tryCachePutByID):
2208         (JSC::repatchPutByID):
2209         (JSC::tryRepatchIn):
2210         (JSC::repatchIn):
2211         * runtime/JSCJSValue.h:
2212         * runtime/JSCJSValueInlines.h:
2213         (JSC::JSValue::putByIndex):
2214         (JSC::JSValue::structureOrNull):
2215         (JSC::JSValue::structureOrUndefined):
2216         * runtime/Options.h:
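The buffering scheme described in the entry above, as an added toy model (editor's example, not JavaScriptCore's code): StubInfo, AccessCase and AccessResult are sketches whose names mirror the entry, the countdown value 7 is the one the entry cites, and the inputs are constructed. It shows the seen-structure guard, the countdown that bounds how long a buffered case waits, and the drop from O(N^2) to O(N) regeneration work.

```cpp
// Added toy model of buffering inline-cache (IC) access cases before regenerating a stub.
// This is NOT JavaScriptCore's code: StubInfo/AccessCase/AccessResult are sketches whose
// names merely mirror the entry; the countdown value 7 is the one the entry cites.
#include <cstddef>
#include <iostream>
#include <set>
#include <vector>

struct AccessCase {
    unsigned structureID; // the structure this case guards on
};

enum class AccessResult { MadeNoChanges, Buffered, GeneratedNewCode };

struct StubInfo {
    unsigned repatchBufferingCountdown = 7; // stand-in for Options::repatchBufferingCountdown()
    bool bufferCases = true;                // false reproduces the old "regenerate on every add"
    std::set<unsigned> seenStructures;      // guard: never buffer the same structure twice
    std::vector<AccessCase> buffered;       // cases waiting for the next regenerate()
    std::vector<AccessCase> generated;      // cases compiled into the current stub
    unsigned countdown = 0;                 // slow-path calls left before we must regenerate
    unsigned regenerations = 0;
    std::size_t generationWork = 0;         // total cases emitted across all regenerations

    // Regenerating re-emits every case (the binary-switch stub covers all of them),
    // so its cost is proportional to the total number of cases.
    void regenerate() {
        generated.insert(generated.end(), buffered.begin(), buffered.end());
        buffered.clear();
        generationWork += generated.size();
        ++regenerations;
        countdown = 0;
    }

    // Called from the slow path with the structure of the object we just saw.
    AccessResult addAccessCase(unsigned structureID) {
        bool isNew = seenStructures.insert(structureID).second;
        if (isNew)
            buffered.push_back(AccessCase{structureID});
        if (buffered.empty())
            return AccessResult::MadeNoChanges;        // redundant structure, nothing to do
        if (!bufferCases) {
            regenerate();                                // old behaviour: O(N) work per add
            return AccessResult::GeneratedNewCode;
        }
        if (isNew && countdown == 0) {
            countdown = repatchBufferingCountdown;       // first buffered case starts the clock
            return AccessResult::Buffered;
        }
        if (--countdown > 0)
            return AccessResult::Buffered;               // keep collecting cases
        regenerate();                                    // clock ran out: emit everything buffered
        return AccessResult::GeneratedNewCode;
    }
};

struct Stats {
    unsigned regenerations;
    std::size_t work;
    std::size_t generatedCases;
};

// Drive one stub through a sequence of slow-path structure observations (constructed input).
Stats simulate(const std::vector<unsigned>& structureIDs, bool bufferCases) {
    StubInfo stub;
    stub.bufferCases = bufferCases;
    for (unsigned id : structureIDs)
        stub.addAccessCase(id);
    return Stats{stub.regenerations, stub.generationWork, stub.generated.size()};
}

int main() {
    std::vector<unsigned> eightDistinct{1, 2, 3, 4, 5, 6, 7, 8};
    Stats eager = simulate(eightDistinct, false);
    Stats buffered = simulate(eightDistinct, true);
    std::cout << "eager: " << eager.regenerations << " regenerations, work " << eager.work << "\n"
              << "buffered: " << buffered.regenerations << " regenerations, work " << buffered.work << "\n";
    return 0;
}
```

With eight distinct structures the eager model regenerates eight times and emits 1+2+...+8 = 36 cases, while the buffered model regenerates once on the eighth slow-path call and emits 8; nine observations of one structure buffer a single case, which is the point of the seen-structure guard.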
2218 2016-04-12  Saam barati  <sbarati@apple.com>
2219
2220         There is a race with the compiler thread and the main thread with result profiles
2221         https://bugs.webkit.org/show_bug.cgi?id=156503
2222
2223         Reviewed by Filip Pizlo.
2224
2225         The compiler thread should not be asking for a result
2226         profile while the execution thread is creating one.
2227         We must guard against such races with a lock.
2228
2229         * bytecode/CodeBlock.cpp:
2230         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2231         (JSC::CodeBlock::ensureResultProfile):
2232         (JSC::CodeBlock::capabilityLevel):
2233         * bytecode/CodeBlock.h:
2234         (JSC::CodeBlock::couldTakeSlowCase):
2235         (JSC::CodeBlock::numberOfResultProfiles):
2236         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
2237         (JSC::CodeBlock::ensureResultProfile): Deleted.
2238
2239 2016-04-12  Commit Queue  <commit-queue@webkit.org>
2240
2241         Unreviewed, rolling out r199339.
2242         https://bugs.webkit.org/show_bug.cgi?id=156505
2243
2244         memset_s is indeed necessary (Requested by alexchristensen_ on
2245         #webkit).
2246
2247         Reverted changeset:
2248
2249         "Build fix after r199299."
2250         https://bugs.webkit.org/show_bug.cgi?id=155508
2251         http://trac.webkit.org/changeset/199339
2252
2253 2016-04-12  Guillaume Emont  <guijemont@igalia.com>
2254
2255         MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
2256         https://bugs.webkit.org/show_bug.cgi?id=156481
2257
2258         This method with this signature is used by r199075, and therefore
2259         WebKit doesn't build on MIPS since then.
2260
2261         Reviewed by Mark Lam.
2262
2263         * assembler/MacroAssemblerMIPS.h:
2264         (JSC::MacroAssemblerMIPS::store8):
2265
2266 2016-04-12  Saam barati  <sbarati@apple.com>
2267
2268         We incorrectly parse arrow function expressions
2269         https://bugs.webkit.org/show_bug.cgi?id=156373
2270
2271         Reviewed by Mark Lam.
2272
2273         This patch removes the notion of "isEndOfArrowFunction".
2274         This was a very weird function and it was incorrect.
2275         It checked that the arrow functions with concise body
2276         grammar production "had a valid ending". "had a valid
2277         ending" is in quotes because concise body arrow functions
2278         have a valid ending as long as their body has a valid
2279         assignment expression. I've removed all notion of this
2280         function because it was wrong and was causing us
2281         to throw syntax errors on valid programs.
2282
2283         * parser/Lexer.cpp:
2284         (JSC::Lexer<T>::nextTokenIsColon):
2285         (JSC::Lexer<T>::lex):
2286         (JSC::Lexer<T>::setTokenPosition): Deleted.
2287         * parser/Lexer.h:
2288         (JSC::Lexer::setIsReparsingFunction):
2289         (JSC::Lexer::isReparsingFunction):
2290         (JSC::Lexer::lineNumber):
2291         * parser/Parser.cpp:
2292         (JSC::Parser<LexerType>::parseInner):
2293         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2294         (JSC::Parser<LexerType>::parseFunctionInfo):
2295         * parser/Parser.h:
2296         (JSC::Parser::matchIdentifierOrKeyword):
2297         (JSC::Parser::tokenStart):
2298         (JSC::Parser::autoSemiColon):
2299         (JSC::Parser::canRecurse):
2300         (JSC::Parser::isEndOfArrowFunction): Deleted.
2301         (JSC::Parser::setEndOfStatement): Deleted.
2302         * tests/stress/arrowfunction-others.js:
2303         (testCase):
2304         (simpleArrowFunction):
2305         (truthy):
2306         (falsey):
2307
2308 2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2309
2310         [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
2311         https://bugs.webkit.org/show_bug.cgi?id=155110
2312
2313         Reviewed by Saam Barati.
2314
2315         `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
2316         So, all the global variable lookups pointing to these static globals are not converted
2317         into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
2318         Such a thing avoids the constant folding chance and emits CheckCell for @privateFunction inlining.
2319         This operation is pure overhead.
2320
2321         Static globals are not configurable, and they are typically non-writable.
2322         So they are constants in almost all the cases.
2323
2324         This patch initializes watchpoints for these static globals.
2325         These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
2326         These watchpoints include many builtin operations and `undefined`.
2327
2328         The microbenchmark many-foreach-calls shows a 5 - 7% improvement since it removes unnecessary CheckCell.
2329
2330         * bytecode/VariableWriteFireDetail.h:
2331         * runtime/JSGlobalObject.cpp:
2332         (JSC::JSGlobalObject::addGlobalVar):
2333         (JSC::JSGlobalObject::addStaticGlobals):
2334         * runtime/JSSymbolTableObject.h:
2335         (JSC::symbolTablePutTouchWatchpointSet):
2336         (JSC::symbolTablePutInvalidateWatchpointSet):
2337         (JSC::symbolTablePut):
2338         (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
2339         * runtime/SymbolTable.h:
2340         (JSC::SymbolTableEntry::SymbolTableEntry):
2341         (JSC::SymbolTableEntry::operator=):
2342         (JSC::SymbolTableEntry::swap):
2343
2344 2016-04-12  Alex Christensen  <achristensen@webkit.org>
2345
2346         Build fix after r199299.
2347         https://bugs.webkit.org/show_bug.cgi?id=155508
2348
2349         * jit/ExecutableAllocatorFixedVMPool.cpp:
2350         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2351         memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
2352         Since the return value is unused and set_constraint_handler_s is never called
2353         I'm changing it to memset.
2354
2355 2016-04-11  Benjamin Poulain  <bpoulain@apple.com>
2356
2357         [JSC] B3 can use undefined bits or not defined required bits when spilling
2358         https://bugs.webkit.org/show_bug.cgi?id=156486
2359
2360         Reviewed by Filip Pizlo.
2361
2362         Spilling had issues when replacing arguments in place.
2363
2364         The problems are:
2365         1) If we have a 32bit stackslot, a x86 instruction could still try to load 64bits from it.
2366         2) If we have a 64bit stackslot, Move32 would only set half the bits.
2367         3) We were reducing Move to Move32 even if the top bits are read from the stack slot.
2368
2369         Case 1 appears with something like this:
2370             Move32 %tmp0, %tmp1
2371             Op64 %tmp1, %tmp2, %tmp3
2372         When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
2373         but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
2374         we are creating a 64bit read for a 32bit stack slot.
2375
2376         Case 2 is another common one. If we have:
2377             BB#1
2378                 Move32 %tmp0, %tmp1
2379                 Jump #3
2380             BB#2
2381                 Op64 %tmp0, %tmp1
2382                 Jump #3
2383             BB#3
2384                 Use64 %tmp1
2385
2386         We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
2387         effectively doing a 32bit store on the stack slot, leaving the top bits undefined.
2388
2389         Case 3 is pretty much the same as 2 but we create the Move32 ourselves
2390         because the source is a 32bit with ZDef.
2391
2392         Case (1) is solved by requiring that the stack slot is at least as large as the largest
2393         use/def of that tmp.
2394
2395         Case (2) and (3) are solved by not replacing a Tmp by an Address if the Def
2396         is smaller than the stack slot.
2397
2398         * b3/air/AirIteratedRegisterCoalescing.cpp:
2399         * b3/testb3.cpp:
2400         (JSC::B3::testSpillDefSmallerThanUse):
2401         (JSC::B3::testSpillUseLargerThanDef):
2402         (JSC::B3::run):
2403
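The two spill rules stated in the entry above (slot sizing for case 1; no Tmp-to-Address substitution for a Def narrower than the slot for cases 2 and 3), as an added toy model (editor's example, not JavaScriptCore's Air code): Arg and Inst are sketches, the width values are constructed, and the opcode strings only exist to make the rewritten program readable.

```cpp
// Added toy model of the two spill rules from the entry (slot sizing; when a Tmp may
// become an Address). Not JavaScriptCore's Air code: Arg/Inst are sketches and the
// programs below are constructed from the entry's examples.
#include <algorithm>
#include <string>
#include <vector>

struct Arg {
    unsigned tmp;       // which Tmp this operand names
    bool isDef;         // true if the instruction writes the Tmp, false if it reads it
    unsigned widthBits; // how many bits the instruction reads or writes
};

struct Inst {
    std::string opcode;
    std::vector<Arg> args;
};

// Rule for case (1): the stack slot must be at least as large as the largest use or def,
// otherwise a wide instruction addressing the slot reads past the bytes we actually stored.
unsigned stackSlotBytes(const std::vector<Inst>& code, unsigned tmp) {
    unsigned bits = 0;
    for (const Inst& inst : code)
        for (const Arg& arg : inst.args)
            if (arg.tmp == tmp)
                bits = std::max(bits, arg.widthBits);
    return bits / 8;
}

// Rule for cases (2) and (3): a Tmp may only be replaced by its stack Address in an
// instruction if no def of the Tmp there is narrower than the slot; a narrower def would
// store only part of the slot and leave the remaining bits undefined for later readers.
bool canReplaceWithAddress(const Inst& inst, unsigned tmp, unsigned slotBytes) {
    for (const Arg& arg : inst.args)
        if (arg.tmp == tmp && arg.isDef && arg.widthBits / 8 < slotBytes)
            return false;
    return true;
}

// Spill one Tmp: substitute the Address where the rules allow it; otherwise keep the Tmp in a
// register for that instruction and follow it with a full-width store to the slot.
// Returns the rewritten instruction text so the result is easy to inspect.
std::vector<std::string> spill(const std::vector<Inst>& code, unsigned tmp) {
    unsigned slotBytes = stackSlotBytes(code, tmp);
    std::string slot = "[slot" + std::to_string(slotBytes * 8) + "]";
    std::string reg = "%tmp" + std::to_string(tmp);
    std::vector<std::string> out;
    for (const Inst& inst : code) {
        bool touchesTmp = std::any_of(inst.args.begin(), inst.args.end(),
                                      [tmp](const Arg& a) { return a.tmp == tmp; });
        if (!touchesTmp) {
            out.push_back(inst.opcode);
        } else if (canReplaceWithAddress(inst, tmp, slotBytes)) {
            out.push_back(inst.opcode + " " + slot);
        } else {
            out.push_back(inst.opcode + " " + reg);
            out.push_back((slotBytes == 8 ? "Move " : "Move32 ") + reg + ", " + slot);
        }
    }
    return out;
}

// The entry's case (1): "Move32 %tmp0, %tmp1" then "Op64 %tmp1, %tmp2, %tmp3" (constructed).
std::vector<Inst> case1Program() {
    return {
        Inst{"Move32", {Arg{0, false, 32}, Arg{1, true, 32}}},
        Inst{"Op64", {Arg{1, false, 64}, Arg{2, false, 64}, Arg{3, true, 64}}},
    };
}

// A program where every access to %tmp1 is 32-bit, so a 32-bit slot and in-place
// substitution are both fine (constructed).
std::vector<Inst> allNarrowProgram() {
    return {
        Inst{"Move32", {Arg{0, false, 32}, Arg{1, true, 32}}},
        Inst{"Use32", {Arg{1, false, 32}}},
    };
}
```

For case (1) the slot grows to 64 bits because of the Op64 use, so the Move32 def keeps its register and gets an explicit full-width store, while the Op64 use can address the slot directly; in the all-32-bit program both instructions are rewritten in place against a 32-bit slot.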
2404 2016-04-11  Brian Burg  <bburg@apple.com>
2405
2406         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2407         https://bugs.webkit.org/show_bug.cgi?id=156407
2408         <rdar://problem/25627659>
2409
2410         Reviewed by Joseph Pecoraro.
2411
2412         There's no point having these subclasses as they don't save any space.
2413         Add a StringImpl to the union and merge some implementations of writeJSON.
2414
2415         Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
2416         If the value is a string and the string is not empty or null (i.e., it has a
2417         StringImpl), then we need to ref() and deref() the string as the InspectorValue
2418         is created or destroyed.
2419
2420         Move uses of the subclass to InspectorValue and delete redundant methods.
2421         Now, most InspectorValue methods are non-virtual so they can be templated.
2422
2423         * bindings/ScriptValue.cpp:
2424         (Deprecated::jsToInspectorValue):
2425         * inspector/InjectedScriptBase.cpp:
2426         (Inspector::InjectedScriptBase::makeCall):
2427         Don't use deleted subclasses.
2428
2429         * inspector/InspectorValues.cpp:
2430         (Inspector::InspectorValue::null):
2431         (Inspector::InspectorValue::create):
2432         (Inspector::InspectorValue::asValue):
2433         (Inspector::InspectorValue::asBoolean):
2434         (Inspector::InspectorValue::asDouble):
2435         (Inspector::InspectorValue::asInteger):
2436         (Inspector::InspectorValue::asString):
2437         These only need one implementation now.
2438
2439         (Inspector::InspectorValue::writeJSON):
2440         Still a virtual method since Object and Array need their members.
2441
2442         (Inspector::InspectorObjectBase::InspectorObjectBase):
2443         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2444         (Inspector::InspectorBasicValue::asDouble): Deleted.
2445         (Inspector::InspectorBasicValue::asInteger): Deleted.
2446         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2447         (Inspector::InspectorString::asString): Deleted.
2448         (Inspector::InspectorString::writeJSON): Deleted.
2449         (Inspector::InspectorString::create): Deleted.
2450         (Inspector::InspectorBasicValue::create): Deleted.
2451
2452         * inspector/InspectorValues.h:
2453         (Inspector::InspectorObjectBase::find):
2454         (Inspector::InspectorObjectBase::setBoolean):
2455         (Inspector::InspectorObjectBase::setInteger):
2456         (Inspector::InspectorObjectBase::setDouble):
2457         (Inspector::InspectorObjectBase::setString):
2458         (Inspector::InspectorObjectBase::setValue):
2459         (Inspector::InspectorObjectBase::setObject):
2460         (Inspector::InspectorObjectBase::setArray):
2461         (Inspector::InspectorArrayBase::pushBoolean):
2462         (Inspector::InspectorArrayBase::pushInteger):
2463         (Inspector::InspectorArrayBase::pushDouble):
2464         (Inspector::InspectorArrayBase::pushString):
2465         (Inspector::InspectorArrayBase::pushValue):
2466         (Inspector::InspectorArrayBase::pushObject):
2467         (Inspector::InspectorArrayBase::pushArray):
2468         Use new factory methods.
2469
2470         * replay/EncodedValue.cpp:
2471         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2472         (JSC::ScalarEncodingTraits<double>::encodeValue):
2473         (JSC::ScalarEncodingTraits<float>::encodeValue):
2474         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2475         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2476         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2477         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2478         * replay/EncodedValue.h:
2479         Use new factory methods.
2480
2481 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2482
2483         It should be possible to edit StructureStubInfo without recompiling the world
2484         https://bugs.webkit.org/show_bug.cgi?id=156470
2485
2486         Reviewed by Keith Miller.
2487
2488         This change makes it less painful to make changes to the IC code. It used to be that any
2489         change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
2490         smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
2491         is mainly because CodeBlock.h no longer includes StructureStubInfo.h.
2492
2493         * bytecode/ByValInfo.h:
2494         * bytecode/CodeBlock.cpp:
2495         * bytecode/CodeBlock.h:
2496         * bytecode/GetByIdStatus.cpp:
2497         * bytecode/GetByIdStatus.h:
2498         * bytecode/PutByIdStatus.cpp:
2499         * bytecode/PutByIdStatus.h:
2500         * bytecode/StructureStubInfo.h:
2501         (JSC::getStructureStubInfoCodeOrigin):
2502         * dfg/DFGByteCodeParser.cpp:
2503         * dfg/DFGJITCompiler.cpp:
2504         * dfg/DFGOSRExitCompilerCommon.cpp:
2505         * dfg/DFGSpeculativeJIT.h:
2506         * ftl/FTLLowerDFGToB3.cpp:
2507         * ftl/FTLSlowPathCall.h:
2508         * jit/IntrinsicEmitter.cpp:
2509         * jit/JITInlineCacheGenerator.cpp:
2510         * jit/JITInlineCacheGenerator.h:
2511         * jit/JITOperations.cpp:
2512         * jit/JITPropertyAccess.cpp:
2513         * jit/JITPropertyAccess32_64.cpp:
2514
2515 2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>
2516
2517         Remove NewArrowFunction from DFG IR
2518         https://bugs.webkit.org/show_bug.cgi?id=156439
2519
2520         Reviewed by Saam Barati.
2521
2522         It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.
2523
2524         * dfg/DFGAbstractInterpreterInlines.h:
2525         * dfg/DFGClobberize.h:
2526         (JSC::DFG::clobberize):
2527         * dfg/DFGClobbersExitState.cpp:
2528         * dfg/DFGDoesGC.cpp:
2529         * dfg/DFGFixupPhase.cpp:
2530         * dfg/DFGMayExit.cpp:
2531         * dfg/DFGNode.h:
2532         (JSC::DFG::Node::convertToPhantomNewFunction):
2533         * dfg/DFGNodeType.h:
2534         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2535         * dfg/DFGPredictionPropagationPhase.cpp:
2536         * dfg/DFGSafeToExecute.h:
2537         * dfg/DFGSpeculativeJIT.cpp:
2538         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2539         * dfg/DFGSpeculativeJIT32_64.cpp:
2540         * dfg/DFGSpeculativeJIT64.cpp:
2541         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2542         * dfg/DFGStructureRegistrationPhase.cpp:
2543         * ftl/FTLCapabilities.cpp:
2544         * ftl/FTLLowerDFGToB3.cpp:
2545         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2546
2547 2016-04-05  Oliver Hunt  <oliver@apple.com>
2548
2549         Remove compile time define for SEPARATED_HEAP
2550         https://bugs.webkit.org/show_bug.cgi?id=155508
2551
2552         Reviewed by Mark Lam.
2553
2554         Remove the SEPARATED_HEAP compile time flag. The separated
2555         heap is available, but off by default, on x86_64, ARMv7, and
2556         ARM64.
2557
2558         Working through the issues that happened last time essentially
2559         required implementing the ARMv7 path for the separated heap
2560         just so I could find all the ways it was going wrong.
2561
2562         We fixed all the logic by making the branch and jump logic in
2563         the linker and assemblers take two parameters, the location to
2564         write to, and the location we'll actually be writing to. We
2565         need to do this because it's no longer sufficient to compute
2566         jumps relative to the region the linker is writing to.
2567
2568         The repatching jump, branch, and call functions only need the
2569         executable address as the patching is performed directly using
2570         performJITMemcpy function which works in terms of the executable
2571         address.
2572
2573         There is no performance impact on jsc-benchmarks with the separate
2574         heap either enabled or disabled.
2575
2576         * Configurations/FeatureDefines.xcconfig:
2577         * assembler/ARM64Assembler.h:
2578         (JSC::ARM64Assembler::linkJump):
2579         (JSC::ARM64Assembler::linkCall):
2580         (JSC::ARM64Assembler::relinkJump):
2581         (JSC::ARM64Assembler::relinkCall):
2582         (JSC::ARM64Assembler::link):
2583         (JSC::ARM64Assembler::linkJumpOrCall):
2584         (JSC::ARM64Assembler::linkCompareAndBranch):
2585         (JSC::ARM64Assembler::linkConditionalBranch):
2586         (JSC::ARM64Assembler::linkTestAndBranch):
2587         (JSC::ARM64Assembler::relinkJumpOrCall):
2588         * assembler/ARMv7Assembler.h:
2589         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
2590         (JSC::ARMv7Assembler::revertJumpTo_movT3):
2591         (JSC::ARMv7Assembler::link):
2592         (JSC::ARMv7Assembler::linkJump):
2593         (JSC::ARMv7Assembler::relinkJump):
2594         (JSC::ARMv7Assembler::repatchCompact):
2595         (JSC::ARMv7Assembler::replaceWithJump):
2596         (JSC::ARMv7Assembler::replaceWithLoad):
2597         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2598         (JSC::ARMv7Assembler::setInt32):
2599         (JSC::ARMv7Assembler::setUInt7ForLoad):
2600         (JSC::ARMv7Assembler::isB):
2601         (JSC::ARMv7Assembler::isBX):
2602         (JSC::ARMv7Assembler::isMOV_imm_T3):
2603         (JSC::ARMv7Assembler::isMOVT):
2604         (JSC::ARMv7Assembler::isNOP_T1):
2605         (JSC::ARMv7Assembler::isNOP_T2):
2606         (JSC::ARMv7Assembler::linkJumpT1):
2607         (JSC::ARMv7Assembler::linkJumpT2):
2608         (JSC::ARMv7Assembler::linkJumpT3):
2609         (JSC::ARMv7Assembler::linkJumpT4):
2610         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2611         (JSC::ARMv7Assembler::linkBX):
2612         (JSC::ARMv7Assembler::linkConditionalBX):
2613         (JSC::ARMv7Assembler::linkJumpAbsolute):
2614         * assembler/LinkBuffer.cpp:
2615         (JSC::LinkBuffer::copyCompactAndLinkCode):
2616         * assembler/MacroAssemblerARM64.h:
2617         (JSC::MacroAssemblerARM64::link):
2618         * assembler/MacroAssemblerARMv7.h:
2619         (JSC::MacroAssemblerARMv7::link):
2620         * jit/ExecutableAllocator.h:
2621         (JSC::performJITMemcpy):
2622         * jit/ExecutableAllocatorFixedVMPool.cpp:
2623         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2624         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2625         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
2626         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
2627         * runtime/Options.cpp:
2628         (JSC::recomputeDependentOptions):
2629         * runtime/Options.h:
2630
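Why link() needs both the write location and the execute location once the JIT heap is mapped twice, as an added illustration (editor's example, not JavaScriptCore's assembler code): the instruction format, the JITRegion type and both base addresses are constructed. With a separated W^X heap the linker writes through a writable alias at a different virtual address, so any PC-relative displacement has to be computed from the executable mapping; computing it from the write location sends the jump off by the distance between the two mappings.

```cpp
// Added illustration of why linking needs both the writable and the executable address once
// the JIT heap is mapped twice (separated W^X heap). Not JavaScriptCore's assembler code:
// the instruction format and both base addresses are constructed for the example.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// One JIT region with a single backing store (bytes) visible at two virtual addresses:
// a writable mapping used by the linker and an executable mapping used by the CPU.
struct JITRegion {
    std::vector<uint8_t> bytes;
    uintptr_t writableBase;   // constructed: where the linker writes
    uintptr_t executableBase; // constructed: where the code runs
};

JITRegion makeRegion(uintptr_t writableBase, uintptr_t executableBase, std::size_t size) {
    return JITRegion{std::vector<uint8_t>(size, 0), writableBase, executableBase};
}

// Toy instruction: 4 opcode bytes, then a 32-bit displacement relative to the instruction end.
constexpr std::size_t kInstSize = 8;
constexpr std::size_t kDispOffset = 4;

// The displacement the CPU adds to the address of the instruction's end when it executes.
int32_t pcRelativeDisplacement(uintptr_t instructionAddr, uintptr_t targetAddr) {
    return static_cast<int32_t>(static_cast<int64_t>(targetAddr)
                                - static_cast<int64_t>(instructionAddr + kInstSize));
}

// Link a jump at instOffset to targetExecAddr. The write location and the execute location
// are tracked separately: bytes go to the writable mapping, arithmetic uses the executable one.
void linkJump(JITRegion& region, std::size_t instOffset, uintptr_t targetExecAddr) {
    uintptr_t executeLocation = region.executableBase + instOffset;
    int32_t disp = pcRelativeDisplacement(executeLocation, targetExecAddr);
    // The store itself goes through the writable mapping (stand-in for performJITMemcpy).
    std::memcpy(region.bytes.data() + instOffset + kDispOffset, &disp, sizeof disp);
}

// Decode the stored displacement the way the CPU does: relative to the executable mapping.
uintptr_t resolvedTarget(const JITRegion& region, std::size_t instOffset) {
    int32_t disp;
    std::memcpy(&disp, region.bytes.data() + instOffset + kDispOffset, sizeof disp);
    return region.executableBase + instOffset + kInstSize + disp;
}

// The mistake the entry guards against: computing the displacement relative to the write
// location. With a single mapping the two bases coincide and this is harmless; with separate
// mappings the jump lands at an address off by (writableBase - executableBase).
uintptr_t targetIfLinkedRelativeToWriteLocation(const JITRegion& region, std::size_t instOffset,
                                                uintptr_t targetExecAddr) {
    int32_t disp = pcRelativeDisplacement(region.writableBase + instOffset, targetExecAddr);
    return region.executableBase + instOffset + kInstSize + disp;
}
```

With the constructed bases 0x20000000 (writable) and 0x10000000 (executable), a jump to executableBase + 32 resolves correctly when linked against the execute location, while the write-location variant resolves to 0x20, far outside the region; when both bases are equal the two agree, which is why the bug only surfaced once the separated heap was enabled.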
2631 2016-04-10  Filip Pizlo  <fpizlo@apple.com>
2632
2633         Clean up how we reason about the states of AccessCases
2634         https://bugs.webkit.org/show_bug.cgi?id=156454
2635
2636         Reviewed by Mark Lam.
2637         
2638         Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
2639         That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
2640         to explore buffering AccessCases so that we can do O(N) generation work instead. But
2641         before I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
2642         I broke it down into three different states and added assertions about the transitions. I
2643         also broke out a separate operation called AccessCase::commit(), which is the work that
2644         cannot be buffered since there cannot be any JS effects between when the AccessCase was
2645         created and when we do the work in commit().
2646         
2647         This opens up a fairly obvious path to buffering AccessCases: add them to the list without
2648         regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
2649         and generated automagically. This patch doesn't implement this technique yet, but gives us
2650         an opportunity to independently test the scaffolding necessary to do it.
2651
2652         This is perf-neutral on lots of tests.
2653
2654         * bytecode/PolymorphicAccess.cpp:
2655         (JSC::AccessGenerationResult::dump):
2656         (JSC::AccessCase::clone):
2657         (JSC::AccessCase::commit):
2658         (JSC::AccessCase::guardedByStructureCheck):
2659         (JSC::AccessCase::dump):
2660         (JSC::AccessCase::generateWithGuard):
2661         (JSC::AccessCase::generate):
2662         (JSC::AccessCase::generateImpl):
2663         (JSC::PolymorphicAccess::regenerateWithCases):
2664         (JSC::PolymorphicAccess::regenerate):
2665         (WTF::printInternal):
2666         * bytecode/PolymorphicAccess.h:
2667         (JSC::AccessCase::type):
2668         (JSC::AccessCase::state):
2669         (JSC::AccessCase::offset):
2670         (JSC::AccessCase::viaProxy):
2671         (JSC::AccessCase::callLinkInfo):
2672         * bytecode/StructureStubInfo.cpp:
2673         (JSC::StructureStubInfo::addAccessCase):
2674         * bytecode/Watchpoint.h:
2675         * dfg/DFGOperations.cpp:
2676         * jit/Repatch.cpp:
2677         (JSC::repatchGetByID):
2678         (JSC::repatchPutByID):
2679         (JSC::repatchIn):
2680         * runtime/VM.cpp:
2681         (JSC::VM::dumpRegExpTrace):
2682         (JSC::VM::ensureWatchpointSetForImpureProperty):
2683         (JSC::VM::registerWatchpointForImpureProperty):
2684         (JSC::VM::addImpureProperty):
2685         * runtime/VM.h:
2686
2687 2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
2688
2689         [CMake] Make FOLDER property INHERITED
2690         https://bugs.webkit.org/show_bug.cgi?id=156460
2691
2692         Reviewed by Brent Fulgham.
2693
2694         * CMakeLists.txt:
2695         * shell/CMakeLists.txt:
2696         * shell/PlatformWin.cmake:
2697         Set FOLDER property as a directory property, not a target property.
2698
2699 2016-04-09  Keith Miller  <keith_miller@apple.com>
2700
2701         tryGetById should be supported by the DFG/FTL
2702         https://bugs.webkit.org/show_bug.cgi?id=156378
2703
2704         Reviewed by Filip Pizlo.
2705
2706         This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
2707         TryGetById, which acts similarly to the normal GetById DFG node. One key
2708         difference between GetById and TryGetById is that in the LLInt and Baseline
2709         we do not profile the result type. This profiling is unnecessary for the current
2710         use case of tryGetById, which is expected to be a strict equality comparison
2711         against a specific object or undefined. In either case other DFG optimizations
2712         will make this equally fast with or without the profiling information.
2713
2714         Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
2715         an operand and attempt to reuse the registers for that operand if they are free
2716         after the current DFG node.
2717
2718         * bytecode/GetByIdStatus.cpp:
2719         (JSC::GetByIdStatus::computeFromLLInt):
2720         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2721         * dfg/DFGAbstractInterpreterInlines.h:
2722         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2723         * dfg/DFGByteCodeParser.cpp:
2724         (JSC::DFG::ByteCodeParser::handleGetById):
2725         (JSC::DFG::ByteCodeParser::parseBlock):
2726         * dfg/DFGCapabilities.cpp:
2727         (JSC::DFG::capabilityLevel):
2728         * dfg/DFGClobberize.h:
2729         (JSC::DFG::clobberize):
2730         * dfg/DFGDoesGC.cpp:
2731         (JSC::DFG::doesGC):
2732         * dfg/DFGFixupPhase.cpp:
2733         (JSC::DFG::FixupPhase::fixupNode):
2734         * dfg/DFGNode.h:
2735         (JSC::DFG::Node::hasIdentifier):
2736         * dfg/DFGNodeType.h:
2737         * dfg/DFGPredictionPropagationPhase.cpp:
2738         (JSC::DFG::PredictionPropagationPhase::propagate):
2739         * dfg/DFGSafeToExecute.h:
2740         (JSC::DFG::safeToExecute):
2741         * dfg/DFGSpeculativeJIT.cpp:
2742         (JSC::DFG::SpeculativeJIT::compileTryGetById):
2743         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2744         * dfg/DFGSpeculativeJIT.h:
2745         (JSC::DFG::GPRTemporary::operator=):
2746         * dfg/DFGSpeculativeJIT32_64.cpp:
2747         (JSC::DFG::SpeculativeJIT::cachedGetById):
2748         (JSC::DFG::SpeculativeJIT::compile):
2749         * dfg/DFGSpeculativeJIT64.cpp:
2750         (JSC::DFG::SpeculativeJIT::cachedGetById):
2751         (JSC::DFG::SpeculativeJIT::compile):
2752         * ftl/FTLCapabilities.cpp:
2753         (JSC::FTL::canCompile):
2754         * ftl/FTLLowerDFGToB3.cpp:
2755         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2756         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2757         (JSC::FTL::DFG::LowerDFGToB3::getById):
2758         * jit/JITOperations.cpp:
2759         * jit/JITOperations.h:
2760         * tests/stress/try-get-by-id.js:
2761         (tryGetByIdTextStrict):
2762         (get let):
2763         (let.get createBuiltin):
2764         (get throw):
2765         (getCaller.obj.1.throw.new.Error): Deleted.
2766
2767 2016-04-09  Saam barati  <sbarati@apple.com>
2768
2769         Allocation sinking SSA Defs are allowed to have replacements
2770         https://bugs.webkit.org/show_bug.cgi?id=156444
2771
2772         Reviewed by Filip Pizlo.
2773
2774         Consider the following program and the annotations that explain why
2775         the SSA defs we create in allocation sinking can have replacements.
2776
2777         function foo(a1) {
2778             let o1 = {x: 20, y: 50};
2779             let o2 = {y: 40, o1: o1};
2780             let o3 = {};
2781         
2782             // We're Defing a new variable here, call it o3_field.
2783             // o3_field is defing the value that is the result of 
2784             // a GetByOffset that gets eliminated through allocation sinking.
2785             o3.field = o1.y;
2786         
2787             dontCSE();
2788         
2789             // This control flow is here to not allow the phase to consult
2790             // its local SSA mapping (which properly handles replacements)
2791             // for the value of o3_field.
2792             if (a1) {
2793                 a1 = true; 
2794             } else {
2795                 a1 = false;
2796             }
2797         
2798             // Here, we ask for the reaching def of o3_field, and assert
2799             // it doesn't have a replacement. It does have a replacement
2800             // though. The original Def was the GetByOffset. We replaced
2801             // that GetByOffset with the value of the o1_y variable.
2802             let value = o3.field;
2803             assert(value === 50);
2804         }
2805
2806         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2807         * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
2808         (dontCSE):
2809         (assert):
2810         (foo):
2811
2812 2016-04-09  Commit Queue  <commit-queue@webkit.org>
2813
2814         Unreviewed, rolling out r199242.
2815         https://bugs.webkit.org/show_bug.cgi?id=156442
2816
2817         Caused many many leaks (Requested by ap on #webkit).
2818
2819         Reverted changeset:
2820
2821         "Web Inspector: get rid of InspectorBasicValue and
2822         InspectorString subclasses"
2823         https://bugs.webkit.org/show_bug.cgi?id=156407
2824         http://trac.webkit.org/changeset/199242
2825
2826 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
2827
2828         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
2829         https://bugs.webkit.org/show_bug.cgi?id=156406
2830
2831         Reviewed by Saam Barati.
2832
2833         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
2834         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
2835         then we need to be extra careful:
2836
2837         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
2838            the stack during GC, so that the GC keeps it alive if it's currently running.
2839         
2840         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
2841            the stub routine knows about that object independently of the IC.
2842         
2843         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
2844         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
2845         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
2846
2847         * bytecode/PolymorphicAccess.cpp:
2848         (JSC::AccessCase::alternateBase):
2849         (JSC::AccessCase::doesCalls):
2850         (JSC::AccessCase::couldStillSucceed):
2851         (JSC::AccessCase::generate):
2852         (JSC::PolymorphicAccess::regenerate):
2853         * bytecode/PolymorphicAccess.h:
2854         (JSC::AccessCase::customSlotBase):
2855         (JSC::AccessCase::isGetter):
2856         (JSC::AccessCase::doesCalls): Deleted.
2857         * jit/GCAwareJITStubRoutine.cpp:
2858         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
2859         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
2860         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
2861         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
2862         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
2863         (JSC::createJITStubRoutine):
2864         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
2865         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
2866         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
2867         * jit/GCAwareJITStubRoutine.h:
2868         (JSC::createJITStubRoutine):
2869
2870 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
2871
2872         Web Inspector: XHRs and Web Worker scripts are not searchable
2873         https://bugs.webkit.org/show_bug.cgi?id=154214
2874         <rdar://problem/24643587>
2875
2876         Reviewed by Timothy Hatcher.
2877
2878         * inspector/protocol/Page.json:
2879         Add optional requestId to search results properties and search
2880         parameters for when the frameId and url are not enough. XHR
2881         resources, and "Other" resources will use this.
2882
2883 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
2884
2885         MIPS: support Signed cond in branchTest32()
2886         https://bugs.webkit.org/show_bug.cgi?id=156260
2887
2888         This is needed since r197688 makes use of it.
2889
2890         Reviewed by Mark Lam.
2891
2892         * assembler/MacroAssemblerMIPS.h:
2893         (JSC::MacroAssemblerMIPS::branchTest32):
2894
2895 2016-04-08  Alex Christensen  <achristensen@webkit.org>
2896
2897         Progress towards running CMake WebKit2 on Mac
2898         https://bugs.webkit.org/show_bug.cgi?id=156426
2899
2900         Reviewed by Tim Horton.
2901
2902         * PlatformMac.cmake:
2903
2904 2016-04-08  Saam barati  <sbarati@apple.com>
2905
2906         Debugger may dereference m_currentCallFrame even after the VM has gone idle
2907         https://bugs.webkit.org/show_bug.cgi?id=156413
2908
2909         Reviewed by Mark Lam.
2910
2911         There is a bug where the debugger may dereference its m_currentCallFrame
2912         pointer after that pointer becomes invalid to read from. This happens like so:
2913
2914         We may step over an instruction which causes the end of execution for the
2915         current program. This causes the VM to exit. Then, we perform a GC which
2916         causes us to collect the global object. The global object being collected
2917         causes us to detach the debugger. In detaching, we think we still have a 
2918         valid m_currentCallFrame, we dereference it, and crash. The solution is to
2919         make sure we're paused when dereferencing this pointer inside ::detach().
2920
2921         * debugger/Debugger.cpp:
2922         (JSC::Debugger::detach):
2923
2924 2016-04-08  Brian Burg  <bburg@apple.com>
2925
2926         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2927         https://bugs.webkit.org/show_bug.cgi?id=156407
2928         <rdar://problem/25627659>
2929
2930         Reviewed by Timothy Hatcher.
2931
2932         There's no point having these subclasses as they don't save any space.
2933         Add m_stringValue to the union and merge some implementations of writeJSON.
2934         Move uses of the subclass to InspectorValue and delete redundant methods.
2935         Now, most InspectorValue methods are non-virtual so they can be templated.
2936
2937         * bindings/ScriptValue.cpp:
2938         (Deprecated::jsToInspectorValue):
2939         * inspector/InjectedScriptBase.cpp:
2940         (Inspector::InjectedScriptBase::makeCall):
2941         Don't use deleted subclasses.
2942
2943         * inspector/InspectorValues.cpp:
2944         (Inspector::InspectorValue::null):
2945         (Inspector::InspectorValue::create):
2946         (Inspector::InspectorValue::asValue):
2947         (Inspector::InspectorValue::asBoolean):
2948         (Inspector::InspectorValue::asDouble):
2949         (Inspector::InspectorValue::asInteger):
2950         (Inspector::InspectorValue::asString):
2951         These only need one implementation now.
2952
2953         (Inspector::InspectorValue::writeJSON):
2954         Still a virtual method since Object and Array need their members.
2955
2956         (Inspector::InspectorObjectBase::InspectorObjectBase):
2957         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2958         (Inspector::InspectorBasicValue::asDouble): Deleted.
2959         (Inspector::InspectorBasicValue::asInteger): Deleted.
2960         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2961         (Inspector::InspectorString::asString): Deleted.
2962         (Inspector::InspectorString::writeJSON): Deleted.
2963         (Inspector::InspectorString::create): Deleted.
2964         (Inspector::InspectorBasicValue::create): Deleted.
2965
2966         * inspector/InspectorValues.h:
2967         (Inspector::InspectorObjectBase::setBoolean):
2968         (Inspector::InspectorObjectBase::setInteger):
2969         (Inspector::InspectorObjectBase::setDouble):
2970         (Inspector::InspectorObjectBase::setString):
2971         (Inspector::InspectorArrayBase::pushBoolean):
2972         (Inspector::InspectorArrayBase::pushInteger):
2973         (Inspector::InspectorArrayBase::pushDouble):
2974         (Inspector::InspectorArrayBase::pushString):
2975         Use new factory methods.
2976
2977         * replay/EncodedValue.cpp:
2978         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2979         (JSC::ScalarEncodingTraits<double>::encodeValue):
2980         (JSC::ScalarEncodingTraits<float>::encodeValue):
2981         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2982         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2983         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2984         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2985         * replay/EncodedValue.h:
2986         Use new factory methods.
2987
2988 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
2989
2990         Add IC support for arguments.length
2991         https://bugs.webkit.org/show_bug.cgi?id=156389
2992
2993         Reviewed by Geoffrey Garen.
2994         
2995         This adds support for caching accesses to arguments.length for both DirectArguments and
2996         ScopedArguments. In strict mode, we already cached these accesses since they were just
2997         normal properties.
2998
2999         Amazingly, we also already supported caching of overridden arguments.length in both
3000         DirectArguments and ScopedArguments. This is because when you override, the property gets
3001         materialized as a normal JS property and the structure is changed.
3002         
3003         This patch painstakingly preserves our previous caching of overridden length while
3004         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
3005         the case where it could either be overridden or not, since we just end up with an AccessCase
3006         for each and they cascade to each other.
3007
3008         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
3009         Entirely monomorphic accesses were already handled by the DFG.
3010
3011         * bytecode/PolymorphicAccess.cpp:
3012         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3013         (JSC::AccessCase::guardedByStructureCheck):
3014         (JSC::AccessCase::generateWithGuard):
3015         (JSC::AccessCase::generate):
3016         (WTF::printInternal):
3017         * bytecode/PolymorphicAccess.h:
3018         * jit/ICStats.h:
3019         * jit/JITOperations.cpp:
3020         * jit/Repatch.cpp:
3021         (JSC::tryCacheGetByID):
3022         (JSC::tryCachePutByID):
3023         (JSC::tryRepatchIn):
3024         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
3025         (args):
3026         (foo):
3027         (result.foo):
3028
3029 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
3030
3031         UInt32ToNumber should have an Int52 path
3032         https://bugs.webkit.org/show_bug.cgi?id=125704
3033
3034         Reviewed by Filip Pizlo.
3035
3036         When dealing with big numbers, fall back to Int52 instead
3037         of double when possible.
3038
3039         * dfg/DFGAbstractInterpreterInlines.h:
3040         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3041         * dfg/DFGFixupPhase.cpp:
3042         (JSC::DFG::FixupPhase::fixupNode):
3043         * dfg/DFGPredictionPropagationPhase.cpp:
3044         (JSC::DFG::PredictionPropagationPhase::propagate):
3045         * dfg/DFGSpeculativeJIT.cpp:
3046         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
3047         * ftl/FTLLowerDFGToB3.cpp:
3048         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
3049
3050 2016-04-08  Brian Burg  <bburg@apple.com>
3051
3052         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
3053         https://bugs.webkit.org/show_bug.cgi?id=156275
3054         <rdar://problem/25569331>
3055
3056         Reviewed by Darin Adler.
3057
3058         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
3059
3060         * inspector/scripts/codegen/models.py:
3061         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
3062         (TypeReference.referenced_name): Update comment.
3063
3064         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
3065
3066         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
3067         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
3068         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
3069
3070 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3071
3072         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
3073         https://bugs.webkit.org/show_bug.cgi?id=156384
3074
3075         Reviewed by Ryosuke Niwa.
3076
3077         * Configurations/FeatureDefines.xcconfig:
3078         * features.json: Mark as Done.
3079         * parser/Parser.cpp:
3080         (JSC::Parser<LexerType>::parseExportDeclaration):
3081         (JSC::Parser<LexerType>::parseStatementListItem):
3082         (JSC::Parser<LexerType>::parsePrimaryExpression):
3083         (JSC::Parser<LexerType>::parseMemberExpression):
3084
3085 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
3086
3087         Implementing caching transition puts that need to reallocate with indexing storage
3088         https://bugs.webkit.org/show_bug.cgi?id=130914
3089
3090         Reviewed by Saam Barati.
3091
3092         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
3093         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
3094         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
3095         triggering a barrier.
3096
3097         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
3098         do it now because the hard work is hidden under AccessGenerationState methods. This means
3099         that custom accessors now share logic with put_by_id transitions.
3100
3101         * bytecode/PolymorphicAccess.cpp:
3102         (JSC::AccessGenerationState::succeed):
3103         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3104         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3105         (JSC::AccessGenerationState::originalCallSiteIndex):
3106         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3107         (JSC::AccessCase::AccessCase):
3108         (JSC::AccessCase::transition):
3109         (JSC::AccessCase::generate):
3110         (JSC::PolymorphicAccess::regenerate):
3111         * bytecode/PolymorphicAccess.h:
3112         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3113         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3114         * dfg/DFGOperations.cpp:
3115         * dfg/DFGOperations.h:
3116         * jit/JITOperations.cpp:
3117         * jit/JITOperations.h:
3118
3119 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3120
3121         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
3122         https://bugs.webkit.org/show_bug.cgi?id=156380
3123         <rdar://problem/25323727>
3124
3125         Reviewed by Timothy Hatcher.
3126
3127         * inspector/remote/RemoteInspector.mm:
3128         (Inspector::RemoteInspector::updateTarget):
3129         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
3130         When a target has been updated and it no longer generates a listing,
3131         we should remove the old listing as that is now stale and should
3132         not be sent. Not generating a listing means this target is no
3133         longer allowed to be debugged.
3134
3135 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3136
3137         Web Inspector: Not necessary to validate webinspectord connection on iOS
3138         https://bugs.webkit.org/show_bug.cgi?id=156377
3139         <rdar://problem/25612460>
3140
3141         Reviewed by Simon Fraser.
3142
3143         * inspector/remote/RemoteInspectorXPCConnection.h:
3144         * inspector/remote/RemoteInspectorXPCConnection.mm:
3145         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3146
3147 2016-04-07  Keith Miller  <keith_miller@apple.com>
3148
3149         Rename ArrayMode::supportsLength to supportsSelfLength
3150         https://bugs.webkit.org/show_bug.cgi?id=156374
3151
3152         Reviewed by Filip Pizlo.
3153
3154         The name supportsLength is confusing because TypedArrays have a
3155         length function; however, it is on the prototype and not on the
3156         instance. supportsSelfLength makes more sense since we use the
3157         function during fixup to tell if we can intrinsic the length
3158         property lookup on self accesses.
3159
3160         * dfg/DFGArrayMode.h:
3161         (JSC::DFG::ArrayMode::supportsSelfLength):
3162         (JSC::DFG::ArrayMode::supportsLength): Deleted.
3163         * dfg/DFGFixupPhase.cpp:
3164         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3165
3166 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3167
3168         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
3169         https://bugs.webkit.org/show_bug.cgi?id=156371
3170
3171         Reviewed by Timothy Hatcher.
3172
3173         * inspector/protocol/ScriptProfiler.json:
3174         Clarify that these locations are 1-based.
3175
3176 2016-04-07  Jon Davis  <jond@apple.com>
3177
3178         Add Web Animations API to Feature Status Page
3179         https://bugs.webkit.org/show_bug.cgi?id=156360
3180
3181         Reviewed by Timothy Hatcher.
3182
3183         * features.json:
3184
3185 2016-04-07  Saam barati  <sbarati@apple.com>
3186
3187         Invalid assertion inside DebuggerScope::getOwnPropertySlot
3188         https://bugs.webkit.org/show_bug.cgi?id=156357
3189
3190         Reviewed by Keith Miller.
3191
3192         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
3193         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
3194         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
3195         might not always be in a valid state when its getOwnPropertySlot method is called.
3196         Therefore, the assertion is invalid.
3197
3198         * debugger/DebuggerScope.cpp:
3199         (JSC::DebuggerScope::getOwnPropertySlot):
3200
3201 2016-04-07  Saam barati  <sbarati@apple.com>
3202
3203         Initial implementation of annex b.3.3 behavior was incorrect
3204         https://bugs.webkit.org/show_bug.cgi?id=156276
3205
3206         Reviewed by Keith Miller.
3207
3208         I almost got annex B.3.3 correct in my first implementation.
3209         There is a subtlety here I got wrong. We always create a local binding for
3210         a function at the very beginning of execution of a block scope. So we
3211         hoist function declarations to their local binding within a given
3212         block scope. When we actually evaluate the function declaration statement
3213         itself, we must lookup the binding in the current scope, and bind the
3214         value to the binding in the "var" scope. We perform the following
3215         abstract operations when executing a function declaration statement.
3216
3217         f = lookupBindingInCurrentScope("func")
3218         store(varScope, "func", f)
3219
3220         I got this wrong by performing the store to the var binding at the beginning
3221         of the block scope instead of when we evaluate the function declaration statement.
3222         This behavior is observable. For example, a program could change the value
3223         of "func" before the actual function declaration statement executes.
3224         Consider the following two functions:
3225         ```
3226         function foo1() {
3227             // func === undefined
3228             {
3229                 // typeof func === "function"
3230                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3231                 func = 20 // This sets the local "func" binding to 20.
3232             }
3233             // typeof func === "function"
3234         }
3235
3236         function foo2() {
3237             // func === undefined
3238             {
3239                 // typeof func === "function"
3240                 func = 20 // This sets the local "func" binding to 20.
3241                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3242             }
3243             // func === 20
3244         }
3245         ```
3246
3247         * bytecompiler/BytecodeGenerator.cpp:
3248         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
3249         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
3250         * bytecompiler/BytecodeGenerator.h:
3251         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
3252         * bytecompiler/NodesCodegen.cpp:
3253         (JSC::FuncDeclNode::emitBytecode):
3254         * tests/stress/sloppy-mode-function-hoisting.js:
3255         (test.foo):
3256         (test):
3257         (test.):
3258         (test.bar):
3259         (test.switch.case.0):
3260         (test.capFoo1):
3261         (test.switch.capFoo2):
3262         (test.outer):
3263         (foo):
3264
3265 2016-04-07  Alex Christensen  <achristensen@webkit.org>
3266
3267         Build fix after r199170
3268
3269         * CMakeLists.txt:
3270
3271 2016-04-07  Keith Miller  <keith_miller@apple.com>
3272
3273         We should support the ability to do a non-effectful getById
3274         https://bugs.webkit.org/show_bug.cgi?id=156116
3275
3276         Reviewed by Benjamin Poulain.
3277
3278         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
3279         useful because it enables us to take different code paths based on values that we would
3280         otherwise not be able to have knowledge of. This patch adds this new feature called
3281         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
3282         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
3283         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
3284         undefined if the slot is unset. If the slot is proxied, or in any other case, the result
3285         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
3286         the global object that indicates we could not get the result.
3287
3288         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
3289         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
3290         get_by_id the same way we would for load and return the value at the appropriate offset.
3291         Additionally, in order to make sure that we can properly compare the GetterSetter object
3292         with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
3293         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
3294         likely to have little to no impact on memory usage as normal accessors are generally rare.
3295
3296         * JavaScriptCore.xcodeproj/project.pbxproj:
3297         * builtins/BuiltinExecutableCreator.cpp: Added.
3298         (JSC::createBuiltinExecutable):
3299         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
3300         * builtins/BuiltinExecutables.cpp:
3301         (JSC::BuiltinExecutables::createDefaultConstructor):
3302         (JSC::BuiltinExecutables::createBuiltinExecutable):
3303         (JSC::createBuiltinExecutable):
3304         (JSC::BuiltinExecutables::createExecutable):
3305         (JSC::createExecutableInternal): Deleted.
3306         * builtins/BuiltinExecutables.h:
3307         * bytecode/BytecodeIntrinsicRegistry.h:
3308         * bytecode/BytecodeList.json:
3309         * bytecode/BytecodeUseDef.h:
3310         (JSC::computeUsesForBytecodeOffset):
3311         (JSC::computeDefsForBytecodeOffset):
3312         * bytecode/CodeBlock.cpp:
3313         (JSC::CodeBlock::dumpBytecode):
3314         * bytecode/PolymorphicAccess.cpp:
3315         (JSC::AccessCase::tryGet):
3316         (JSC::AccessCase::generate):
3317         (WTF::printInternal):
3318         * bytecode/PolymorphicAccess.h:
3319         (JSC::AccessCase::isGet): Deleted.
3320         (JSC::AccessCase::isPut): Deleted.
3321         (JSC::AccessCase::isIn): Deleted.
3322         * bytecode/StructureStubInfo.cpp:
3323         (JSC::StructureStubInfo::reset):
3324         * bytecode/StructureStubInfo.h:
3325         * bytecompiler/BytecodeGenerator.cpp:
3326         (JSC::BytecodeGenerator::emitTryGetById):
3327         * bytecompiler/BytecodeGenerator.h:
3328         * bytecompiler/NodesCodegen.cpp:
3329         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
3330         * dfg/DFGSpeculativeJIT32_64.cpp:
3331         (JSC::DFG::SpeculativeJIT::cachedGetById):
3332         * dfg/DFGSpeculativeJIT64.cpp:
3333         (JSC::DFG::SpeculativeJIT::cachedGetById):
3334         * ftl/FTLLowerDFGToB3.cpp:
3335         (JSC::FTL::DFG::LowerDFGToB3::getById):
3336         * jit/JIT.cpp:
3337         (JSC::JIT::privateCompileMainPass):
3338         (JSC::JIT::privateCompileSlowCases):
3339         * jit/JIT.h:
3340         * jit/JITInlineCacheGenerator.cpp:
3341         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3342         * jit/JITInlineCacheGenerator.h:
3343         * jit/JITInlines.h:
3344         (JSC::JIT::callOperation):
3345         * jit/JITOperations.cpp:
3346         * jit/JITOperations.h:
3347         * jit/JITPropertyAccess.cpp:
3348         (JSC::JIT::emitGetByValWithCachedId):
3349         (JSC::JIT::emit_op_try_get_by_id):
3350         (JSC::JIT::emitSlow_op_try_get_by_id):
3351         (JSC::JIT::emit_op_get_by_id):
3352         * jit/JITPropertyAccess32_64.cpp:
3353         (JSC::JIT::emitGetByValWithCachedId):
3354         (JSC::JIT::emit_op_try_get_by_id):
3355         (JSC::JIT::emitSlow_op_try_get_by_id):
3356         (JSC::JIT::emit_op_get_by_id):
3357         * jit/Repatch.cpp:
3358         (JSC::repatchByIdSelfAccess):
3359         (JSC::appropriateOptimizingGetByIdFunction):
3360         (JSC::appropriateGenericGetByIdFunction):
3361         (JSC::tryCacheGetByID):
3362         (JSC::repatchGetByID):
3363         (JSC::resetGetByID):
3364         * jit/Repatch.h:
3365         * jsc.cpp:
3366         (GlobalObject::finishCreation):
3367         (functionGetGetterSetter):
3368         (functionCreateBuiltin):
3369         * llint/LLIntData.cpp:
3370         (JSC::LLInt::Data::performAssertions):
3371         * llint/LLIntSlowPaths.cpp:
3372         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3373         * llint/LLIntSlowPaths.h:
3374         * llint/LowLevelInterpreter.asm:
3375