[INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147612

        Reviewed by Benjamin Poulain.

        Implement toLocaleDateString in builtin JavaScript. Remove comments with
        spec steps, and instead link to the new HTML version of the spec.

        Avoids creating an extra empty object in the prototype chain of the options
        object in ToDateTimeOptions. The version used in toLocaleString was updated
        to match as well.

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleDateString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

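The ToDateTimeOptions step that the entry above refers to, written out as an added example in plain JavaScript. This is not WebKit's builtins/DatePrototype.js; it follows the ECMA-402 algorithm as the spec states it, including the Object.create step that puts an extra object in the prototype chain (the very object the patch avoids), and it shows the two specializations the entry names, toDateTimeOptionsAnyAll for toLocaleString and toDateTimeOptionsDateDate for toLocaleDateString. The helper names effectiveOptions and canon are this example's own. The point a practitioner should take from it: the "do I need defaults" test reads properties with ordinary Get semantics, so a property inherited through the prototype chain, including one planted on Object.prototype, changes which defaults the caller ends up with.

```javascript
"use strict";

// Added example (not WebKit's builtins/DatePrototype.js): the ECMA-402
// ToDateTimeOptions abstract operation, with the two specializations the
// ChangeLog entry names. It keeps the spec's Object.create step, i.e. the
// extra object in the prototype chain that the WebKit patch avoids.

const DATE_PROPS = ["weekday", "year", "month", "day"];
const TIME_PROPS = ["hour", "minute", "second"];

function toDateTimeOptions(options, required, defaults) {
  // undefined -> empty bag; anything else is ToObject'd. The fresh object has
  // the caller's object as its prototype, so the caller's object is never mutated.
  const opts = Object.create(options === undefined ? null : Object(options));

  // Reads go through the prototype chain, exactly as Get() does in the spec,
  // so inherited properties (caller's prototype, Object.prototype, ...) count.
  let needDefaults = true;
  if (required === "date" || required === "any")
    for (const p of DATE_PROPS) if (opts[p] !== undefined) needDefaults = false;
  if (required === "time" || required === "any")
    for (const p of TIME_PROPS) if (opts[p] !== undefined) needDefaults = false;

  if (needDefaults && (defaults === "date" || defaults === "all"))
    for (const p of ["year", "month", "day"]) opts[p] = "numeric";
  if (needDefaults && (defaults === "time" || defaults === "all"))
    for (const p of TIME_PROPS) opts[p] = "numeric";
  return opts;
}

// toLocaleString: required "any", defaults "all".
const toDateTimeOptionsAnyAll = (options) => toDateTimeOptions(options, "any", "all");
// toLocaleDateString: required "date", defaults "date".
const toDateTimeOptionsDateDate = (options) => toDateTimeOptions(options, "date", "date");

// Flatten the result for inspection (helper of this example): the nearest
// definition along the prototype chain wins, which is what a later Get() sees.
function effectiveOptions(opts) {
  const out = {};
  for (let o = opts; o !== null; o = Object.getPrototypeOf(o))
    for (const k of Object.keys(o))
      if (!Object.prototype.hasOwnProperty.call(out, k)) out[k] = o[k];
  return out;
}

// Canonical string of an options bag (keys sorted), for comparisons.
const canon = (obj) => JSON.stringify(Object.fromEntries(Object.entries(obj).sort()));
```

With no options, toDateTimeOptionsDateDate yields numeric year, month and day, while toDateTimeOptionsAnyAll also adds numeric hour, minute and second. Passing only hour to the "date"/"date" variant still adds the date defaults, because "date" checks only the date properties; the "any"/"all" variant sees the hour and adds nothing. An options object whose prototype carries year suppresses the defaults just as an own property would.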
2016-01-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] fixSpillSlotZDef() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=153246

        Reviewed by Geoffrey Garen.

        Moving an immediate to memory is not a valid instruction on ARM64.
        This patch adds a small workaround for this specific case: an instruction
        to zero a chunk of memory.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::storeZero32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::storeZero32):
        * b3/air/AirFixSpillSlotZDef.h:
        (JSC::B3::Air::fixSpillSlotZDef):
        * b3/air/AirOpcode.opcodes:

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition for data detection.

        * Configurations/FeatureDefines.xcconfig:

2016-01-19  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile and warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153234

        Reviewed by Alex Christensen.

        The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
        when we want the size to be 8 bytes.

        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3ReduceStrength.cpp:

2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Fix the B3 build after r195159
        https://bugs.webkit.org/show_bug.cgi?id=153232

        Reviewed by Yusuke Suzuki.

        * CMakeLists.txt:

2016-01-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195300.
        https://bugs.webkit.org/show_bug.cgi?id=153244

        enrica wants more time to fix Windows (Requested by thorton on
        #webkit).

        Reverted changeset:

        "Add support for DataDetectors in WK (iOS)."
        https://bugs.webkit.org/show_bug.cgi?id=152989
        http://trac.webkit.org/changeset/195300

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Reconsider B3's constant motion policy
        https://bugs.webkit.org/show_bug.cgi?id=152202

        Reviewed by Geoffrey Garen.

        This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
        It has a generally positive impact on the Octane score, but it's within margin of error.

        This also changes IRC to make it a bit more likely to spill constants. We don't want it to
        spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
        a constant from the stack with the constant itself, especially in case of instructions that
        need an extra register to materialize the immediate.

        Also fixed DFG graph dumping to print a bit fewer things. It was trying to print the results of
        constant property inference, and this sometimes caused crashes when you dumped the graph at an
        inopportune time.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3MoveConstants.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirArgInlines.h: Added.
        (JSC::B3::Air::ArgThingHelper<Tmp>::is):
        (JSC::B3::Air::ArgThingHelper<Tmp>::as):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
        (JSC::B3::Air::ArgThingHelper<Arg>::is):
        (JSC::B3::Air::ArgThingHelper<Arg>::as):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
        (JSC::B3::Air::Arg::is):
        (JSC::B3::Air::Arg::as):
        (JSC::B3::Air::Arg::forEachFast):
        (JSC::B3::Air::Arg::forEach):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition.

        * Configurations/FeatureDefines.xcconfig:

2016-01-17  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be just as fast as FTL LLVM on Octane/crypto
        https://bugs.webkit.org/show_bug.cgi?id=153113

        Reviewed by Saam Barati.

        This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
        Octane/crypto. It was a very successful rampage.

        The biggest change in this patch is the introduction of a phase called fixObviousSpills()
        that fixes patterns like:

        Store register to stack slot and then use stack slot:
            Move %rcx, (stack42)
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Load stack slot into register and then use stack slot:
            Move (stack42), %rcx
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Store constant into stack slot and then use stack slot:
            Move $42, %rcx
            Move %rcx, (stack42)
            Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
            Foo use:(stack42) // replace (stack42) with $42 here.

        This phase does these fixups by doing a global forward flow that propagates sets of
        must-aliases.

        Also added a phase to report register pressure. It pretty-prints code alongside the set of
        in-use registers above each instruction. Using this phase, I found that our register
        allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
        make substantial changes to register allocation. I don't have such a fear anymore, at least
        for Octane/crypto. In the future, we can check how the regalloc is performing just by
        enabling logAirRegisterPressure.

        Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
        conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
        hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
        of branches.

        Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
        reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
        optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
        the cases of interest were dead simple - the incoming values to the CheckMul were obviously
        too small to cause overflow. I added such reasoning to B3's strength reduction.

        Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
        allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
        spill slot. In that case, it would extend the size of the spill slot to ensure that the use
        or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
        the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
        slots. They cannot have more than one def to initialize their value. I fixed that by making
        allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
        on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
        construct a test for this. It might be a hypothetical bug, but still, I like how this
        simplifies the register allocator.

        This is a ~0.7% speed-up on Octane.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::hiddenBranch):
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::fillStackmap):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3StackmapValue.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirAllocateStack.h:
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::callArg):
        (JSC::B3::Air::Arg::stackAddr):
        (JSC::B3::Air::Arg::isValidScale):
        * b3/air/AirBasicBlock.cpp:
        (JSC::B3::Air::BasicBlock::deepDump):
        (JSC::B3::Air::BasicBlock::dumpHeader):
        (JSC::B3::Air::BasicBlock::dumpFooter):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::CCallSpecial):
        (JSC::B3::Air::CCallSpecial::~CCallSpecial):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::lastPhaseName):
        (JSC::B3::Air::Code::setEnableRCRS):
        (JSC::B3::Air::Code::enableRCRS):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::createShuffle):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        * b3/air/AirFixObviousSpills.cpp: Added.
        (JSC::B3::Air::fixObviousSpills):
        * b3/air/AirFixObviousSpills.h: Added.
        * b3/air/AirFixSpillSlotZDef.h: Removed.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::admitsStack):
        (JSC::B3::Air::isShiftValid):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
        (JSC::B3::Air::AbstractLiveness::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::liveAtTail):
        (JSC::B3::Air::AbstractLiveness::workset):
        * b3/air/AirLogRegisterPressure.cpp: Added.
        (JSC::B3::Air::logRegisterPressure):
        * b3/air/AirLogRegisterPressure.h: Added.
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::blocksInOptimizedOrder):
        (JSC::B3::Air::optimizeBlockOrder):
        * b3/air/AirOptimizeBlockOrder.h:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/AirReportUsedRegisters.h:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirStackSlot.h:
        (JSC::B3::Air::StackSlot::isLocked):
        (JSC::B3::Air::StackSlot::index):
        (JSC::B3::Air::StackSlot::ensureSize):
        (JSC::B3::Air::StackSlot::alignment):
        * b3/air/AirValidate.cpp:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::setAll):
        (JSC::RegisterSet::merge):
        (JSC::RegisterSet::filter):
        * runtime/Options.h:

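The three spill patterns listed in the entry above, as an added example in JavaScript that is not Air's AirFixObviousSpills.cpp. It runs the must-alias forward flow over a single basic block, which is the one-block instance of the global flow the entry describes (no merging at block boundaries is needed for one block). Operands are strings in Air's dump syntax ("%rcx", "(stack42)", "$42"); the constructors move and inst, the two alias maps and the render helper are this example's own names. A register alias is preferred over an immediate for the reason the constant motion entry gives: an immediate may need an extra register to materialize.

```javascript
"use strict";

// Added example (not Air's AirFixObviousSpills.cpp): the three rewrites the
// entry lists, done by a forward pass over one basic block that tracks which
// registers and immediates a spill slot is known to equal. The real phase is
// global and merges must-alias sets at block boundaries; for one block the
// state simply starts empty.
// Operands are strings in Air's dump syntax: "%rcx", "(stack42)", "$42".

const isStack = (a) => a.startsWith("(stack");
const isReg = (a) => a.startsWith("%");
const isImm = (a) => a.startsWith("$");

function move(src, dst) {
  return { op: "Move", args: [{ role: "use", v: src }, { role: "def", v: dst }] };
}
// Any other opcode is opaque: all we know is what it reads and what it writes.
function inst(op, uses, defs) {
  return {
    op,
    args: [...uses.map((v) => ({ role: "use", v })), ...defs.map((v) => ({ role: "def", v }))],
  };
}

function fixObviousSpills(insts) {
  const slotAliases = new Map(); // "(stack42)" -> Set of "%reg" / "$imm" equal to it
  const regConst = new Map();    // "%reg" -> "$imm" the register currently holds

  const killReg = (r) => {
    regConst.delete(r);
    for (const set of slotAliases.values()) set.delete(r);
  };
  const kill = (v) => (isReg(v) ? killReg(v) : slotAliases.delete(v));

  // Prefer a register alias: an immediate may need an extra register to
  // materialize, which is exactly why the allocator must not over-spill.
  const bestAlias = (slot) => {
    const set = slotAliases.get(slot);
    if (!set) return null;
    return [...set].find(isReg) ?? [...set].find(isImm) ?? null;
  };

  const out = [];
  for (const i of insts) {
    // 1. Replace stack-slot uses with something known to hold the same value.
    const args = i.args.map((a) =>
      a.role === "use" && isStack(a.v) ? { ...a, v: bestAlias(a.v) ?? a.v } : a);
    if (i.op === "Move" && args[0].v === args[1].v) continue; // became a no-op

    // 2. A def overwrites its operand: every fact mentioning it is now stale.
    for (const a of args) if (a.role === "def") kill(a.v);

    // 3. A Move establishes a new must-alias (transitively through regConst).
    if (i.op === "Move") {
      const src = args[0].v, dst = args[1].v, origSrc = i.args[0].v;
      if (isReg(dst) && isImm(src)) regConst.set(dst, src);
      if (isReg(dst) && isReg(src) && regConst.has(src)) regConst.set(dst, regConst.get(src));
      if (isStack(dst)) {
        const set = new Set([src]);
        if (isReg(src) && regConst.has(src)) set.add(regConst.get(src));
        slotAliases.set(dst, set);
      }
      if (isReg(dst) && isStack(origSrc)) {
        // Load from a slot: the register now equals the slot as well.
        const set = slotAliases.get(origSrc) ?? new Set();
        set.add(dst);
        slotAliases.set(origSrc, set);
      }
    }
    out.push({ op: i.op, args });
  }
  return out;
}

// Dump in the entry's notation, one instruction per line.
function render(insts) {
  return insts.map((i) => `${i.op} ${i.args.map((a) => a.v).join(", ")}`).join("\n");
}
```

Run on the entry's third pattern (Move $42, %rcx; Move %rcx, (stack42); Bar def:%rcx; Foo use:(stack42)), the pass forwards $42 into Foo even though %rcx has been clobbered, because the slot's alias set still carries the immediate. A def of the slot itself drops every fact about it, and a reload that rewrites to a register-to-itself move is removed as a no-op.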
2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo unintended commit.

        * dfg/DFGCommon.h:

2016-01-18  Filip Pizlo  <fpizlo@apple.com>

        Fix Air shuffling assertions
        https://bugs.webkit.org/show_bug.cgi?id=153213

        Reviewed by Saam Barati.

        Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/testair.cpp:
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::run):

2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
        https://bugs.webkit.org/show_bug.cgi?id=152693

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:

2016-01-18  Saam barati  <sbarati@apple.com>

        assertions in BytecodeUseDef.h about opcode length are off by one
        https://bugs.webkit.org/show_bug.cgi?id=153215

        Reviewed by Dan Bernstein.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2016-01-18  Saam barati  <sbarati@apple.com>

        FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
        https://bugs.webkit.org/show_bug.cgi?id=153186

        Reviewed by Michael Saboff.

        Michael was investigating a bug he found while doing the new JSC calling
        convention work and it turns out to be a latent bug in FTL try/catch machinery.
        After I looked at the code again, I realized that what I had previously
        written is wrong in a subtle way. The FTL callOperation machinery will remove
        its result register from the set of registers it needs to spill. This is not
        correct when we have try/catch. We may want to do value recovery on
        the value that the result register is prior to the call after the call
        throws an exception. The case that we were solving before was when the
        resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
        This code is correct in wanting to spill in that case, even though it might spill
        when we don't need it to (i.e. the result is not needed for value recovery). Once I
        investigated this bug further, I realized that the previous rule is just a
        partial subset of the rule that says we should spill anytime the result is
        a register we might do value recovery on. This patch implements the rule that
        says we always want to spill the result when we will do value recovery on it
        if an exception is thrown.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
        (assert):
        (random):
        (identity):
        (let.o2.get f):
        (let.o3.get f):
        (foo):
        (i.else):

2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>

        [MIPS] LLInt: fix calculation of Global Offset Table
        https://bugs.webkit.org/show_bug.cgi?id=150381

        Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
        computes the address of the GOT. However, this instruction requires $t9 to
        contain the address of the current function. So we need to set $t9 to pcBase,
        otherwise GOT-related calculations will be invalid.

        Since offlineasm does not allow a direct move to $t9 on MIPS, added a new
        instruction setcallreg which does exactly that.

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=153204

        Reviewed by Michael Catanzaro.

        * jsc.cpp:
        (main):

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Add testair to the build system
        https://bugs.webkit.org/show_bug.cgi?id=153126

        Reviewed by Michael Catanzaro.

        * shell/CMakeLists.txt:

2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>

        Ensure that CF_AVAILABLE is undefined when building webkit-gtk

        https://bugs.webkit.org/show_bug.cgi?id=152720

        This change ensures that CF_AVAILABLE is correctly a no-op to
        address a build failure that was observed when building on older
        versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
        re-defined to the system header value based on include-order.

        Reviewed by Michael Catanzaro.

        * API/WebKitAvailability.h:

2016-01-17  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix regT2 and regT3 trampling in MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=153131

        Mips $t2 and $t3 registers were used as temporary registers
        in MacroAssemblerMIPS.h, whereas they are mapped to regT2
        and regT3 in LLInt and GPRInfo.

        This patch rearranges register mapping for the mips architecture:
        - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
        - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
        - remove $t6 from temp registers list in LLInt
        - update GPRInfo.h accordingly
        - add mips macroScratchRegisters() list in RegisterSet.cpp

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::macroScratchRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * offlineasm/mips.rb:

2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
        https://bugs.webkit.org/show_bug.cgi?id=146934

        Reviewed by Saam Barati.

        Added support for destructuring parameters. Before, arrow functions expected only simple parameters,
        e.g. (), (x), (x, y) or x in an assignment expression. To support destructuring parameters, added an
        additional check that checks for destructuring parameters if the check does not pass for simple parameters.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:

2016-01-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
        https://bugs.webkit.org/show_bug.cgi?id=153065

        Reviewed by Mark Lam.
        Reviewed by Filip Pizlo.

        On ARM64, we cannot use signed 32-bit offsets for memory addressing.
        There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
        Air already knows about it.

        In this patch, the offsets are changed to something valid for ARM64
        prior to lowering. When an offset is invalid, it is just computed
        before the instruction and used as the base for addressing.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3LegalizeMemoryOffsets.cpp: Added.
        (JSC::B3::legalizeMemoryOffsets):
        * b3/B3LegalizeMemoryOffsets.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadWithOffsetImpl):
        (JSC::B3::testLoadOffsetImm9Max):
        (JSC::B3::testLoadOffsetImm9MaxPlusOne):
        (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
        (JSC::B3::testLoadOffsetImm9Min):
        (JSC::B3::testLoadOffsetImm9MinMinusOne):
        (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
        (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
        (JSC::B3::run):

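The two ARM64 addressing forms the entry above names, as an added example in JavaScript that is not B3's B3LegalizeMemoryOffsets.cpp. It classifies an offset against the unscaled signed 9-bit immediate (-256..255) and the unsigned 12-bit immediate scaled by the access width (a non-negative multiple of the width, with quotient at most 4095), and rewrites an access whose offset does not encode into a separate base computation plus a zero-offset access, which is the "computed before the instruction and used as the base" step. The access record shape, the temporary named "tmp" and the abstract AddConst step (constant materialization is left to a later phase) are this example's assumptions; the limit values are the ones the testb3 cases are named after.

```javascript
"use strict";

// Added example (not B3's B3LegalizeMemoryOffsets.cpp): decide whether an
// offset can be folded into an ARM64 load/store, and if not, rewrite the access
// to use an explicitly computed base. The two encodings are the unscaled signed
// 9-bit immediate and the unsigned 12-bit immediate scaled by the access width.

function isValidARM64Offset(offset, widthBytes) {
  if (!Number.isInteger(offset) || ![1, 2, 4, 8].includes(widthBytes))
    throw new TypeError("offset must be an integer and width one of 1, 2, 4, 8");
  // Unscaled signed 9-bit immediate: -256..255, any alignment.
  if (offset >= -256 && offset <= 255) return true;
  // Scaled unsigned 12-bit immediate: a non-negative multiple of the width
  // whose quotient fits in 12 bits (0..4095).
  return offset >= 0 && offset % widthBytes === 0 && offset / widthBytes <= 4095;
}

// The boundary values for a given access width (what the testb3 cases probe).
function offsetLimits(widthBytes) {
  return { imm9Min: -256, imm9Max: 255, scaledImm12Max: 4095 * widthBytes };
}

// access = { base: "x1", offset: 32768, width: 8 }. When the offset does not
// encode, compute base + offset into a temporary (the name "tmp" is assumed;
// AddConst is an abstract add, constant materialization is a later phase's job)
// and perform the access through it with offset 0.
function legalizeAccess(access) {
  if (isValidARM64Offset(access.offset, access.width)) return [access];
  return [
    { op: "AddConst", dst: "tmp", src: access.base, imm: access.offset },
    { ...access, base: "tmp", offset: 0 },
  ];
}
```

Note that 256 is Imm9Max plus one and still encodes for any width, via the scaled form (256 is a multiple of 8 and 256 / 8 is well under 4095); 257 with an 8-byte access does not, and neither does -257 for any width, nor 32768 for an 8-byte access (4096 * 8, one past the scaled maximum).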
2016-01-15  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153142

        Reviewed by Brent Fulgham.

        The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
        Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
        Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
        the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.

        * ForwardingHeaders/JavaScriptCore/APICast.h:
        * ForwardingHeaders/JavaScriptCore/JSBase.h:
        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
        * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
        * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
        * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
        * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
        * ForwardingHeaders/JavaScriptCore/JavaScript.h:
        * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
        * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
        * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:

2016-01-15  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153127

        Reviewed by Alex Christensen.

        MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
        which one we want to use.

        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3MathExtras.cpp:
        (JSC::B3::powDoubleInt32):
        * b3/B3ReduceStrength.cpp:

2016-01-15  Filip Pizlo  <fpizlo@apple.com>

        Air needs a Shuffle instruction
        https://bugs.webkit.org/show_bug.cgi?id=152952

        Reviewed by Saam Barati.

        This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
        multiple moves to perform arbitrary permutations over registers and memory. We call these
        rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
        c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
        use immediates as their source.

        Shuffle is added as a custom instruction, since it has a variable number of arguments. It
        takes any number of triplets of arguments, where each triplet describes one mapping of the
        shuffle. For example, to represent (a => b, b => c), we might say:

            Shuffle %a, %b, 64, %b, %c, 64

        Note the "64"s, those are width arguments that describe how many bits of the register are
        being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
        most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
        of the pairs in the example). For GP arguments, the width follows ZDef semantics.

        In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
        how to use it:

        - C calling convention argument marshalling. Previously we used move instructions. But that's
          problematic since it introduces artificial interference between the argument registers and
          the inputs. Using Shuffle removes that interference. This helps a bit.

        - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
          a cold path, then we want it to appear to the register allocator like it doesn't clobber
          any registers. Only after register allocation should we handle the clobbering by simply
          saving all of the live volatile registers to the stack. If you imagine the saving and the
          argument marshalling, you can see how before the call, we want to have a Shuffle that does
          both of those things. This is important. If argument marshalling was separate from the
          saving, then we'd still appear to clobber argument registers. Doing them together as one
          Shuffle means that the cold call doesn't appear to even clobber the argument registers.

        Unfortunately, I was wrong about cold C calls being the dominant problem with our register
        allocator right now. Fixing this revealed other problems in my current tuning benchmark,
        Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
        functionality we will need to implement other optimizations.

        Relanding after fixing production build.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::isX86_64):
        (JSC::isIOS):
        (JSC::optimizeForARMv7IDIVSupported):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::swap32):
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::swap64):
        (JSC::MacroAssemblerX86_64::move64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgl_rm):
        (JSC::X86Assembler::xchgq_rr):
        (JSC::X86Assembler::xchgq_rm):
        (JSC::X86Assembler::movl_rr):
        * b3/B3CCallValue.h:
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        (JSC::B3::Compilation::~Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
        * b3/B3OpaqueByproducts.h:
        (JSC::B3::OpaqueByproducts::count):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForValue):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isStackMemory):
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::usesTmp):
        (JSC::B3::Air::Arg::canRepresent):
        (JSC::B3::Air::Arg::isCompatibleType):
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::forEachType):
        (JSC::B3::Air::Arg::isWarmUse):
        (JSC::B3::Air::Arg::cooled):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::imm64):
        (JSC::B3::Air::Arg::immPtr):
        (JSC::B3::Air::Arg::addr):
        (JSC::B3::Air::Arg::special):
        (JSC::B3::Air::Arg::widthArg):
        (JSC::B3::Air::Arg::operator==):
        (JSC::B3::Air::Arg::isImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::isAddr):
        (JSC::B3::Air::Arg::isIndex):
        (JSC::B3::Air::Arg::isMemory):
        (JSC::B3::Air::Arg::isRelCond):
        (JSC::B3::Air::Arg::isSpecial):
        (JSC::B3::Air::Arg::isWidthArg):
        (JSC::B3::Air::Arg::isAlive):
        (JSC::B3::Air::Arg::base):
        (JSC::B3::Air::Arg::hasOffset):
        (JSC::B3::Air::Arg::offset):
        (JSC::B3::Air::Arg::width):
        (JSC::B3::Air::Arg::isGPTmp):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isGPR):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::forEachTmpFast):
        * b3/air/AirBasicBlock.h:
        (JSC::B3::Air::BasicBlock::insts):
        (JSC::B3::Air::BasicBlock::appendInst):
        (JSC::B3::Air::BasicBlock::append):
        * b3/air/AirCCallingConvention.cpp: Added.
        (JSC::B3::Air::computeCCallingConvention):
        (JSC::B3::Air::cCallResult):
        (JSC::B3::Air::buildCCall):
        * b3/air/AirCCallingConvention.h: Added.
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::proc):
        * b3/air/AirCustom.cpp: Added.
        (JSC::B3::Air::CCallCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::generate):
        (JSC::B3::Air::ShuffleCustom::isValidForm):
        (JSC::B3::Air::ShuffleCustom::generate):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::generate):
        (JSC::B3::Air::CCallCustom::forEachArg):
        (JSC::B3::Air::CCallCustom::isValidFormStatic):
        (JSC::B3::Air::CCallCustom::admitsStack):
        (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::ColdCCallCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
        (JSC::B3::Air::ShuffleCustom::admitsStack):
        (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
        * b3/air/AirEmitShuffle.cpp: Added.
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h: Added.
        (JSC::B3::Air::ShufflePair::ShufflePair):
        (JSC::B3::Air::ShufflePair::src):
        (JSC::B3::Air::ShufflePair::dst):
        (JSC::B3::Air::ShufflePair::width):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirInsertionSet.cpp:
        (JSC::B3::Air::InsertionSet::insertInsts):
        (JSC::B3::Air::InsertionSet::execute):
        * b3/air/AirInsertionSet.h:
726         (JSC::B3::Air::InsertionSet::insertInst):
727         (JSC::B3::Air::InsertionSet::insert):
728         * b3/air/AirInst.h:
729         (JSC::B3::Air::Inst::operator bool):
730         (JSC::B3::Air::Inst::append):
731         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
732         (JSC::B3::Air::lowerAfterRegAlloc):
733         * b3/air/AirLowerAfterRegAlloc.h: Added.
734         * b3/air/AirLowerMacros.cpp: Added.
735         (JSC::B3::Air::lowerMacros):
736         * b3/air/AirLowerMacros.h: Added.
737         * b3/air/AirOpcode.opcodes:
738         * b3/air/AirRegisterPriority.h:
739         (JSC::B3::Air::regsInPriorityOrder):
740         * b3/air/testair.cpp: Added.
741         (hiddenTruthBecauseNoReturnIsStupid):
742         (usage):
743         (JSC::B3::Air::compile):
744         (JSC::B3::Air::invoke):
745         (JSC::B3::Air::compileAndRun):
746         (JSC::B3::Air::testSimple):
747         (JSC::B3::Air::loadConstantImpl):
748         (JSC::B3::Air::loadConstant):
749         (JSC::B3::Air::loadDoubleConstant):
750         (JSC::B3::Air::testShuffleSimpleSwap):
751         (JSC::B3::Air::testShuffleSimpleShift):
752         (JSC::B3::Air::testShuffleLongShift):
753         (JSC::B3::Air::testShuffleLongShiftBackwards):
754         (JSC::B3::Air::testShuffleSimpleRotate):
755         (JSC::B3::Air::testShuffleSimpleBroadcast):
756         (JSC::B3::Air::testShuffleBroadcastAllRegs):
757         (JSC::B3::Air::testShuffleTreeShift):
758         (JSC::B3::Air::testShuffleTreeShiftBackward):
759         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
760         (JSC::B3::Air::testShuffleMultipleShifts):
761         (JSC::B3::Air::testShuffleRotateWithFringe):
762         (JSC::B3::Air::testShuffleRotateWithLongFringe):
763         (JSC::B3::Air::testShuffleMultipleRotates):
764         (JSC::B3::Air::testShuffleShiftAndRotate):
765         (JSC::B3::Air::testShuffleShiftAllRegs):
766         (JSC::B3::Air::testShuffleRotateAllRegs):
767         (JSC::B3::Air::testShuffleSimpleSwap64):
768         (JSC::B3::Air::testShuffleSimpleShift64):
769         (JSC::B3::Air::testShuffleSwapMixedWidth):
770         (JSC::B3::Air::testShuffleShiftMixedWidth):
771         (JSC::B3::Air::testShuffleShiftMemory):
772         (JSC::B3::Air::testShuffleShiftMemoryLong):
773         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
774         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
775         (JSC::B3::Air::combineHiLo):
776         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
777         (JSC::B3::Air::testShuffleRotateMemory):
778         (JSC::B3::Air::testShuffleRotateMemory64):
779         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
780         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
781         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
782         (JSC::B3::Air::testShuffleSwapDouble):
783         (JSC::B3::Air::testShuffleShiftDouble):
784         (JSC::B3::Air::run):
785         (run):
786         (main):
787         * b3/testb3.cpp:
788         (JSC::B3::testCallSimple):
789         (JSC::B3::testCallRare):
790         (JSC::B3::testCallRareLive):
791         (JSC::B3::testCallSimplePure):
792         (JSC::B3::run):
793
794 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
795
796         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
797         https://bugs.webkit.org/show_bug.cgi?id=147611
798
799         Reviewed by Benjamin Poulain.
800
801         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
802         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
803         function specific to the call in initializeDateTimeFormat. Properly
804         throw when the options parameter is null.
805         Add toLocaleString in builtin JavaScript, with its own specific branch
806         of toDateTimeOptions.
807
808         * CMakeLists.txt:
809         * DerivedSources.make:
810         * JavaScriptCore.xcodeproj/project.pbxproj:
811         * builtins/DatePrototype.js: Added.
812         (toLocaleString.toDateTimeOptionsAnyAll):
813         (toLocaleString):
814         * runtime/CommonIdentifiers.h:
815         * runtime/DatePrototype.cpp:
816         (JSC::DatePrototype::finishCreation):
817         * runtime/DatePrototype.h:
818         * runtime/IntlDateTimeFormat.cpp:
819         (JSC::toDateTimeOptionsAnyDate):
820         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
821         (JSC::toDateTimeOptions): Deleted.
822         * runtime/JSGlobalObject.cpp:
823         (JSC::JSGlobalObject::init):
824
825 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
826
827         [mips] Implemented emitFunctionPrologue/Epilogue
828         https://bugs.webkit.org/show_bug.cgi?id=152947
829
830         Reviewed by Michael Saboff.
831
832         * assembler/MacroAssemblerMIPS.h:
833         (JSC::MacroAssemblerMIPS::popPair):
834         (JSC::MacroAssemblerMIPS::pushPair):
835         * jit/AssemblyHelpers.h:
836         (JSC::AssemblyHelpers::emitFunctionPrologue):
837         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
838         (JSC::AssemblyHelpers::emitFunctionEpilogue):
839
840 2016-01-15  Commit Queue  <commit-queue@webkit.org>
841
842         Unreviewed, rolling out r195084.
843         https://bugs.webkit.org/show_bug.cgi?id=153132
844
845         Broke Production build (Requested by ap on #webkit).
846
847         Reverted changeset:
848
849         "Air needs a Shuffle instruction"
850         https://bugs.webkit.org/show_bug.cgi?id=152952
851         http://trac.webkit.org/changeset/195084
852
853 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
854
855         [mips] Add countLeadingZeros32 implementation in macro assembler
856         https://bugs.webkit.org/show_bug.cgi?id=152886
857
858         Reviewed by Michael Saboff.
859
860         * assembler/MIPSAssembler.h:
861         (JSC::MIPSAssembler::lui):
862         (JSC::MIPSAssembler::clz):
863         (JSC::MIPSAssembler::addiu):
864         * assembler/MacroAssemblerMIPS.h:
865         (JSC::MacroAssemblerMIPS::and32):
866         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
867         (JSC::MacroAssemblerMIPS::lshift32):
868
869 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
870
871         Air needs a Shuffle instruction
872         https://bugs.webkit.org/show_bug.cgi?id=152952
873
874         Reviewed by Saam Barati.
875
876         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
877         multiple moves to perform arbitrary permutations over registers and memory. We call these
878         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
879         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
880         use immediates as their source.
881
882         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
883         takes any number of triplets of arguments, where each triplet describes one mapping of the
884         shuffle. For example, to represent (a => b, b => c), we might say:
885
886             Shuffle %a, %b, 64, %b, %c, 64
887
888         Note the "64"s, those are width arguments that describe how many bits of the register are
889         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
890         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
891         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
892
893         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
894         how to use it:
895
896         - C calling convention argument marshalling. Previously we used move instructions. But that's
897           problematic since it introduces artificial interference between the argument registers and
898           the inputs. Using Shuffle removes that interference. This helps a bit.
899
900         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
901           a cold path, then we want it to appear to the register allocator like it doesn't clobber
902           any registers. Only after register allocation should we handle the clobbering by simply
903           saving all of the live volatile registers to the stack. If you imagine the saving and the
904           argument marshalling, you can see how before the call, we want to have a Shuffle that does
905           both of those things. This is important. If argument marshalling was separate from the
906           saving, then we'd still appear to clobber argument registers. Doing them together as one
907           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
908
909         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
910         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
911         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
912         functionality we will need to implement other optimizations.
913
914         * CMakeLists.txt:
915         * JavaScriptCore.xcodeproj/project.pbxproj:
916         * assembler/AbstractMacroAssembler.h:
917         (JSC::isX86_64):
918         (JSC::isIOS):
919         (JSC::optimizeForARMv7IDIVSupported):
920         * assembler/MacroAssemblerX86Common.h:
921         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
922         (JSC::MacroAssemblerX86Common::swap32):
923         (JSC::MacroAssemblerX86Common::moveConditionally32):
924         * assembler/MacroAssemblerX86_64.h:
925         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
926         (JSC::MacroAssemblerX86_64::swap64):
927         (JSC::MacroAssemblerX86_64::move64ToDouble):
928         * assembler/X86Assembler.h:
929         (JSC::X86Assembler::xchgl_rr):
930         (JSC::X86Assembler::xchgl_rm):
931         (JSC::X86Assembler::xchgq_rr):
932         (JSC::X86Assembler::xchgq_rm):
933         (JSC::X86Assembler::movl_rr):
934         * b3/B3CCallValue.h:
935         * b3/B3Compilation.cpp:
936         (JSC::B3::Compilation::Compilation):
937         (JSC::B3::Compilation::~Compilation):
938         * b3/B3Compilation.h:
939         (JSC::B3::Compilation::code):
940         * b3/B3LowerToAir.cpp:
941         (JSC::B3::Air::LowerToAir::run):
942         (JSC::B3::Air::LowerToAir::createSelect):
943         (JSC::B3::Air::LowerToAir::lower):
944         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
945         * b3/B3OpaqueByproducts.h:
946         (JSC::B3::OpaqueByproducts::count):
947         * b3/B3StackmapSpecial.cpp:
948         (JSC::B3::StackmapSpecial::isArgValidForValue):
949         (JSC::B3::StackmapSpecial::isArgValidForRep):
950         * b3/air/AirArg.cpp:
951         (JSC::B3::Air::Arg::isStackMemory):
952         (JSC::B3::Air::Arg::isRepresentableAs):
953         (JSC::B3::Air::Arg::usesTmp):
954         (JSC::B3::Air::Arg::canRepresent):
955         (JSC::B3::Air::Arg::isCompatibleType):
956         (JSC::B3::Air::Arg::dump):
957         (WTF::printInternal):
958         * b3/air/AirArg.h:
959         (JSC::B3::Air::Arg::forEachType):
960         (JSC::B3::Air::Arg::isWarmUse):
961         (JSC::B3::Air::Arg::cooled):
962         (JSC::B3::Air::Arg::isEarlyUse):
963         (JSC::B3::Air::Arg::imm64):
964         (JSC::B3::Air::Arg::immPtr):
965         (JSC::B3::Air::Arg::addr):
966         (JSC::B3::Air::Arg::special):
967         (JSC::B3::Air::Arg::widthArg):
968         (JSC::B3::Air::Arg::operator==):
969         (JSC::B3::Air::Arg::isImm64):
970         (JSC::B3::Air::Arg::isSomeImm):
971         (JSC::B3::Air::Arg::isAddr):
972         (JSC::B3::Air::Arg::isIndex):
973         (JSC::B3::Air::Arg::isMemory):
974         (JSC::B3::Air::Arg::isRelCond):
975         (JSC::B3::Air::Arg::isSpecial):
976         (JSC::B3::Air::Arg::isWidthArg):
977         (JSC::B3::Air::Arg::isAlive):
978         (JSC::B3::Air::Arg::base):
979         (JSC::B3::Air::Arg::hasOffset):
980         (JSC::B3::Air::Arg::offset):
981         (JSC::B3::Air::Arg::width):
982         (JSC::B3::Air::Arg::isGPTmp):
983         (JSC::B3::Air::Arg::isGP):
984         (JSC::B3::Air::Arg::isFP):
985         (JSC::B3::Air::Arg::isType):
986         (JSC::B3::Air::Arg::isGPR):
987         (JSC::B3::Air::Arg::isValidForm):
988         (JSC::B3::Air::Arg::forEachTmpFast):
989         * b3/air/AirBasicBlock.h:
990         (JSC::B3::Air::BasicBlock::insts):
991         (JSC::B3::Air::BasicBlock::appendInst):
992         (JSC::B3::Air::BasicBlock::append):
993         * b3/air/AirCCallingConvention.cpp: Added.
994         (JSC::B3::Air::computeCCallingConvention):
995         (JSC::B3::Air::cCallResult):
996         (JSC::B3::Air::buildCCall):
997         * b3/air/AirCCallingConvention.h: Added.
998         * b3/air/AirCode.h:
999         (JSC::B3::Air::Code::proc):
1000         * b3/air/AirCustom.cpp: Added.
1001         (JSC::B3::Air::CCallCustom::isValidForm):
1002         (JSC::B3::Air::CCallCustom::generate):
1003         (JSC::B3::Air::ShuffleCustom::isValidForm):
1004         (JSC::B3::Air::ShuffleCustom::generate):
1005         * b3/air/AirCustom.h:
1006         (JSC::B3::Air::PatchCustom::forEachArg):
1007         (JSC::B3::Air::PatchCustom::generate):
1008         (JSC::B3::Air::CCallCustom::forEachArg):
1009         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1010         (JSC::B3::Air::CCallCustom::admitsStack):
1011         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1012         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1013         (JSC::B3::Air::ShuffleCustom::forEachArg):
1014         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1015         (JSC::B3::Air::ShuffleCustom::admitsStack):
1016         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1017         * b3/air/AirEmitShuffle.cpp: Added.
1018         (JSC::B3::Air::ShufflePair::dump):
1019         (JSC::B3::Air::emitShuffle):
1020         * b3/air/AirEmitShuffle.h: Added.
1021         (JSC::B3::Air::ShufflePair::ShufflePair):
1022         (JSC::B3::Air::ShufflePair::src):
1023         (JSC::B3::Air::ShufflePair::dst):
1024         (JSC::B3::Air::ShufflePair::width):
1025         * b3/air/AirGenerate.cpp:
1026         (JSC::B3::Air::prepareForGeneration):
1027         * b3/air/AirGenerate.h:
1028         * b3/air/AirInsertionSet.cpp:
1029         (JSC::B3::Air::InsertionSet::insertInsts):
1030         (JSC::B3::Air::InsertionSet::execute):
1031         * b3/air/AirInsertionSet.h:
1032         (JSC::B3::Air::InsertionSet::insertInst):
1033         (JSC::B3::Air::InsertionSet::insert):
1034         * b3/air/AirInst.h:
1035         (JSC::B3::Air::Inst::operator bool):
1036         (JSC::B3::Air::Inst::append):
1037         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1038         (JSC::B3::Air::lowerAfterRegAlloc):
1039         * b3/air/AirLowerAfterRegAlloc.h: Added.
1040         * b3/air/AirLowerMacros.cpp: Added.
1041         (JSC::B3::Air::lowerMacros):
1042         * b3/air/AirLowerMacros.h: Added.
1043         * b3/air/AirOpcode.opcodes:
1044         * b3/air/AirRegisterPriority.h:
1045         (JSC::B3::Air::regsInPriorityOrder):
1046         * b3/air/testair.cpp: Added.
1047         (hiddenTruthBecauseNoReturnIsStupid):
1048         (usage):
1049         (JSC::B3::Air::compile):
1050         (JSC::B3::Air::invoke):
1051         (JSC::B3::Air::compileAndRun):
1052         (JSC::B3::Air::testSimple):
1053         (JSC::B3::Air::loadConstantImpl):
1054         (JSC::B3::Air::loadConstant):
1055         (JSC::B3::Air::loadDoubleConstant):
1056         (JSC::B3::Air::testShuffleSimpleSwap):
1057         (JSC::B3::Air::testShuffleSimpleShift):
1058         (JSC::B3::Air::testShuffleLongShift):
1059         (JSC::B3::Air::testShuffleLongShiftBackwards):
1060         (JSC::B3::Air::testShuffleSimpleRotate):
1061         (JSC::B3::Air::testShuffleSimpleBroadcast):
1062         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1063         (JSC::B3::Air::testShuffleTreeShift):
1064         (JSC::B3::Air::testShuffleTreeShiftBackward):
1065         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1066         (JSC::B3::Air::testShuffleMultipleShifts):
1067         (JSC::B3::Air::testShuffleRotateWithFringe):
1068         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1069         (JSC::B3::Air::testShuffleMultipleRotates):
1070         (JSC::B3::Air::testShuffleShiftAndRotate):
1071         (JSC::B3::Air::testShuffleShiftAllRegs):
1072         (JSC::B3::Air::testShuffleRotateAllRegs):
1073         (JSC::B3::Air::testShuffleSimpleSwap64):
1074         (JSC::B3::Air::testShuffleSimpleShift64):
1075         (JSC::B3::Air::testShuffleSwapMixedWidth):
1076         (JSC::B3::Air::testShuffleShiftMixedWidth):
1077         (JSC::B3::Air::testShuffleShiftMemory):
1078         (JSC::B3::Air::testShuffleShiftMemoryLong):
1079         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1080         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1081         (JSC::B3::Air::combineHiLo):
1082         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1083         (JSC::B3::Air::testShuffleRotateMemory):
1084         (JSC::B3::Air::testShuffleRotateMemory64):
1085         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1086         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1087         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1088         (JSC::B3::Air::testShuffleSwapDouble):
1089         (JSC::B3::Air::testShuffleShiftDouble):
1090         (JSC::B3::Air::run):
1091         (run):
1092         (main):
1093         * b3/testb3.cpp:
1094         (JSC::B3::testCallSimple):
1095         (JSC::B3::testCallRare):
1096         (JSC::B3::testCallRareLive):
1097         (JSC::B3::testCallSimplePure):
1098         (JSC::B3::run):
1099
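The shift and rotation cases described in the entry above, as an added example that is not part of the log and not WebKit's own emitShuffle: a small C++ model that lowers shuffle pairs to moves (the acyclic part) and swaps (the cycles), then executes them on a toy register file. Integer register ids, the Src/Inst/Regs types, the constructed inputs and the way 32-bit cycle members are re-written to honour ZDef are all assumptions of this illustration.

```cpp
// Added example, not WebKit code: a small model of lowering an Air-style Shuffle
// into plain moves and swaps. Registers are integer ids; an immediate can only be
// a source (so only shifts use them). Widths follow ZDef: a 32-bit write zeroes
// the upper half of the 64-bit register.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

enum class Width { W32, W64 };

struct Src { bool isImm; int reg; uint64_t imm; };
static Src regSrc(int r) { return Src{false, r, 0}; }
static Src immSrc(uint64_t v) { return Src{true, -1, v}; }

// One shuffle pair: the "src, dst, width" triplet of the Shuffle instruction.
struct ShufflePair { Src src; int dst; Width width; };

// Lowered instruction: Move src -> b at width, or Swap a <-> b (full 64 bits).
struct Inst { enum Kind { Move, Swap } kind; Src src; int a; int b; Width width; };

using Regs = std::map<int, uint64_t>;

static uint64_t zdef(uint64_t v, Width w) { return w == Width::W32 ? (v & 0xffffffffull) : v; }

// Peel off the acyclic part first (shifts and broadcasts): a pair whose dst is not
// read by any remaining pair can be moved right away without clobbering a value that
// is still needed. What remains is a set of register cycles (rotations), each lowered
// to n-1 swaps. Each dst is assumed to appear at most once.
std::vector<Inst> emitShuffle(std::vector<ShufflePair> pairs)
{
    std::vector<Inst> out;
    for (bool progress = true; progress;) {
        progress = false;
        for (size_t i = 0; i < pairs.size(); ++i) {
            bool dstIsRead = false;
            for (const ShufflePair& p : pairs)
                if (!p.src.isImm && p.src.reg == pairs[i].dst) { dstIsRead = true; break; }
            if (dstIsRead) continue;
            out.push_back(Inst{Inst::Move, pairs[i].src, -1, pairs[i].dst, pairs[i].width});
            pairs.erase(pairs.begin() + i);
            progress = true;
            break;
        }
    }
    while (!pairs.empty()) {
        // Walk one cycle x0 => x1 => ... => x(n-1) => x0, starting at pairs[0].
        std::vector<ShufflePair> cycle;
        int x0 = pairs[0].src.reg;
        for (int cur = x0;;) {
            size_t j = 0;
            while (j < pairs.size() && (pairs[j].src.isImm || pairs[j].src.reg != cur))
                ++j;
            assert(j < pairs.size()); // holds: every remaining pair lies on a cycle
            cycle.push_back(pairs[j]);
            pairs.erase(pairs.begin() + j);
            cur = cycle.back().dst;
            if (cur == x0) break;
        }
        // The rotation equals swap(x0,x1), swap(x0,x2), ..., swap(x0,x(n-1)).
        for (size_t k = 0; k + 1 < cycle.size(); ++k)
            out.push_back(Inst{Inst::Swap, Src{}, x0, cycle[k].dst, Width::W64});
        // The swaps moved full 64-bit values; re-apply ZDef for any 32-bit pairs.
        for (const ShufflePair& p : cycle)
            if (p.width == Width::W32)
                out.push_back(Inst{Inst::Move, regSrc(p.dst), -1, p.dst, Width::W32});
    }
    return out;
}

// Tiny machine model: execute the lowered sequence against a register file.
Regs run(const std::vector<Inst>& insts, Regs regs)
{
    for (const Inst& in : insts) {
        if (in.kind == Inst::Move)
            regs[in.b] = zdef(in.src.isImm ? in.src.imm : regs[in.src.reg], in.width);
        else
            std::swap(regs[in.a], regs[in.b]);
    }
    return regs;
}

Regs shuffle(const std::vector<ShufflePair>& pairs, Regs regs) { return run(emitShuffle(pairs), regs); }

// Constructed inputs: registers 1, 2, 3 stand for %a, %b, %c in the log's example.
const Regs kInit{{1, 10}, {2, 20}, {3, 30}};
const Regs kWide{{1, 0xffffffff00000001ull}, {2, 20}};
const std::vector<ShufflePair> kShift{{regSrc(1), 2, Width::W64}, {regSrc(2), 3, Width::W64}};
const std::vector<ShufflePair> kRotate{{regSrc(1), 2, Width::W64}, {regSrc(2), 3, Width::W64}, {regSrc(3), 1, Width::W64}};
const std::vector<ShufflePair> kImmShift{{immSrc(7), 1, Width::W64}, {regSrc(1), 2, Width::W64}};
const std::vector<ShufflePair> kMixedSwap{{regSrc(1), 2, Width::W32}, {regSrc(2), 1, Width::W64}};

int main()
{
    Regs r = shuffle(kShift, kInit); // (a => b, b => c): c gets old b, b gets old a, a unchanged
    std::printf("a=%llu b=%llu c=%llu\n", (unsigned long long)r[1], (unsigned long long)r[2], (unsigned long long)r[3]);
}
```
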
1100 2016-01-14  Keith Miller  <keith_miller@apple.com>
1101
1102         Unreviewed, mark passing es6 tests as no longer failing.
1103
1104         * tests/es6.yaml:
1105
1106 2016-01-14  Keith Miller  <keith_miller@apple.com>
1107
1108         [ES6] Support subclassing Function.
1109         https://bugs.webkit.org/show_bug.cgi?id=153081
1110
1111         Reviewed by Geoffrey Garen.
1112
1113         This patch enables subclassing the Function object. It also fixes an existing
1114         bug that prevented users from subclassing functions that have a function in
1115         the superclass's prototype property.
1116
1117         * bytecompiler/NodesCodegen.cpp:
1118         (JSC::ClassExprNode::emitBytecode):
1119         * runtime/FunctionConstructor.cpp:
1120         (JSC::constructWithFunctionConstructor):
1121         (JSC::constructFunction):
1122         (JSC::constructFunctionSkippingEvalEnabledCheck):
1123         * runtime/FunctionConstructor.h:
1124         * runtime/JSFunction.cpp:
1125         (JSC::JSFunction::create):
1126         * runtime/JSFunction.h:
1127         (JSC::JSFunction::createImpl):
1128         * runtime/JSFunctionInlines.h:
1129         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1130         (JSC::JSFunction::JSFunction): Deleted.
1131         * tests/stress/class-subclassing-function.js: Added.
1132
1133 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
1134
1135         [CMake] Do not use LLVM static libraries for FTL JIT
1136         https://bugs.webkit.org/show_bug.cgi?id=151559
1137
1138         Reviewed by Michael Catanzaro.
1139
1140         Allow ports to decide whether to prefer linking to llvm static or
1141         dynamic libraries. This patch only changes the behavior of the GTK
1142         port, other ports can change the default behavior by setting
1143         llvmForJSC_LIBRARIES in their platform specific cmake files.
1144
1145         * CMakeLists.txt: Move llvmForJSC library definition after the
1146         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
1147         files to set their own llvmForJSC_LIBRARIES. When not set, it
1148         defaults to LLVM_STATIC_LIBRARIES. The command to create
1149         WebKitLLVMLibraryToken.h no longer depends on the static
1150         libraries, since we are going to make the build fail anyway when
1151         not found in case of linking to the static libraries. If the platform
1152         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
1153         installed to the given destination.
1154         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
1155         llvmForJSC_INSTALL_DIR.
1156
1157 2016-01-13  Saam barati  <sbarati@apple.com>
1158
1159         NativeExecutable should have a name field
1160         https://bugs.webkit.org/show_bug.cgi?id=153083
1161
1162         Reviewed by Geoffrey Garen.
1163
1164         This is going to help the SamplingProfiler come up
1165         with names for NativeExecutable objects it encounters.
1166
1167         * jit/JITThunks.cpp:
1168         (JSC::JITThunks::finalize):
1169         (JSC::JITThunks::hostFunctionStub):
1170         * jit/JITThunks.h:
1171         * runtime/Executable.h:
1172         * runtime/JSBoundFunction.cpp:
1173         (JSC::JSBoundFunction::create):
1174         * runtime/JSFunction.cpp:
1175         (JSC::JSFunction::create):
1176         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
1177         * runtime/JSFunction.h:
1178         (JSC::JSFunction::createImpl):
1179         * runtime/JSNativeStdFunction.cpp:
1180         (JSC::JSNativeStdFunction::create):
1181         * runtime/VM.cpp:
1182         (JSC::thunkGeneratorForIntrinsic):
1183         (JSC::VM::getHostFunction):
1184         * runtime/VM.h:
1185         (JSC::VM::getCTIStub):
1186         (JSC::VM::exceptionOffset):
1187
1188 2016-01-13  Keith Miller  <keith_miller@apple.com>
1189
1190         [ES6] Support subclassing the String builtin object
1191         https://bugs.webkit.org/show_bug.cgi?id=153068
1192
1193         Reviewed by Michael Saboff.
1194
1195         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
1196         the wrong indexing type for builtins constructed without storage.
1197
1198         * runtime/PrototypeMap.cpp:
1199         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1200         * runtime/StringConstructor.cpp:
1201         (JSC::constructWithStringConstructor):
1202         * tests/stress/class-subclassing-string.js: Added.
1203         (test):
1204
1205 2016-01-13  Mark Lam  <mark.lam@apple.com>
1206
1207         The StringFromCharCode DFG intrinsic should support untyped operands.
1208         https://bugs.webkit.org/show_bug.cgi?id=153046
1209
1210         Reviewed by Geoffrey Garen.
1211
1212         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
1213         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
1214         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
1215         exits drops to 202.
1216
1217         * dfg/DFGClobberize.h:
1218         (JSC::DFG::clobberize):
1219         * dfg/DFGFixupPhase.cpp:
1220         (JSC::DFG::FixupPhase::fixupNode):
1221         * dfg/DFGOperations.cpp:
1222         * dfg/DFGOperations.h:
1223         * dfg/DFGSpeculativeJIT.cpp:
1224         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1225         * dfg/DFGSpeculativeJIT.h:
1226         (JSC::DFG::SpeculativeJIT::callOperation):
1227         * dfg/DFGValidate.cpp:
1228         (JSC::DFG::Validate::validate):
1229         * runtime/JSCJSValueInlines.h:
1230         (JSC::JSValue::toUInt32):
1231
1232 2016-01-13  Mark Lam  <mark.lam@apple.com>
1233
1234         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
1235         https://bugs.webkit.org/show_bug.cgi?id=153080
1236
1237         Reviewed by Geoffrey Garen.
1238
1239         We currently have Graph::mulShouldSpeculateInt32/MachineInt() and
1240         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
1241         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
1242         many other arith nodes in the DFG.  This patch renames these functions as
1243         Graph::binaryArithShouldSpeculateInt32/MachineInt() and
1244         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
1245         in the DFG.
1246
1247         * dfg/DFGFixupPhase.cpp:
1248         (JSC::DFG::FixupPhase::fixupNode):
1249         * dfg/DFGGraph.h:
1250         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
1251         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
1252         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
1253         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
1254         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
1255         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
1256         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
1257         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
1258         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
1259         * dfg/DFGPredictionPropagationPhase.cpp:
1260         (JSC::DFG::PredictionPropagationPhase::propagate):
1261         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1262
1263 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1264
1265         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
1266         https://bugs.webkit.org/show_bug.cgi?id=153072
1267         <rdar://problem/24168312>
1268
1269         Reviewed by Timothy Hatcher.
1270
1271         * parser/Lexer.cpp:
1272         (JSC::Lexer<T>::parseCommentDirective):
1273         Just keep overwriting the member variable so we end up with
1274         the last directive value.
1275
1276 2016-01-13  Commit Queue  <commit-queue@webkit.org>
1277
1278         Unreviewed, rolling out r194969.
1279         https://bugs.webkit.org/show_bug.cgi?id=153075
1280
1281         This change broke the iOS build (Requested by ryanhaddad on
1282         #webkit).
1283
1284         Reverted changeset:
1285
1286         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
1287         Air"
1288         https://bugs.webkit.org/show_bug.cgi?id=153065
1289         http://trac.webkit.org/changeset/194969
1290
1291 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
1292
1293         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1294         https://bugs.webkit.org/show_bug.cgi?id=153065
1295
1296         Reviewed by Mark Lam.
1297         Reviewed by Filip Pizlo.
1298
1299         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
1300         There are two available addressing forms: signed 9-bit and unsigned scaled 12-bit.
1301         Air already knows about it.
1302
1303         In this patch, the offsets are changed to something valid for ARM64
1304         prior to lowering. When an offset is invalid, it is just computed
1305         before the instruction and used as the base for addressing.
1306
1307         * JavaScriptCore.xcodeproj/project.pbxproj:
1308         * b3/B3Generate.cpp:
1309         (JSC::B3::generateToAir):
1310         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1311         (JSC::B3::legalizeMemoryOffsets):
1312         * b3/B3LegalizeMemoryOffsets.h: Added.
1313         * b3/B3LowerToAir.cpp:
1314         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1315         * b3/testb3.cpp:
1316         (JSC::B3::testLoadWithOffsetImpl):
1317         (JSC::B3::testLoadOffsetImm9Max):
1318         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1319         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1320         (JSC::B3::testLoadOffsetImm9Min):
1321         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1322         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1323         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1324         (JSC::B3::run):
1325
1326 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
1327
1328         [FTL][Win64] Compile error.
1329         https://bugs.webkit.org/show_bug.cgi?id=153031
1330
1331         Reviewed by Brent Fulgham.
1332
1333         The header file dlfcn.h does not exist on Windows.
1334
1335         * ftl/FTLLowerDFGToLLVM.cpp:
1336
1337 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
1338
1339         Add a build flag for custom element
1340         https://bugs.webkit.org/show_bug.cgi?id=153005
1341
1342         Reviewed by Alex Christensen.
1343
1344         * Configurations/FeatureDefines.xcconfig:
1345
1346 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1347
1348         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
1349         https://bugs.webkit.org/show_bug.cgi?id=153024
1350
1351         Reviewed by Michael Saboff.
1352
1353         * b3/B3BasicBlock.h:
1354         Export the symbols for testb3.
1355
1356         * b3/air/AirOpcode.opcodes:
1357         We had 2 invalid opcodes:
1358         -Compare with immediate just does not exist.
1359         -Test64 with immediate exists but Air does not recognize
1360          the valid form of bit-immediates.
1361
1362         * b3/testb3.cpp:
1363         (JSC::B3::genericTestCompare):
1364         (JSC::B3::testCompareImpl):
1365         Extend the tests to cover what was invalid.
1366
1367 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1368
1369         [JSC] JSC does not build with FTL_USES_B3 on ARM64
1370         https://bugs.webkit.org/show_bug.cgi?id=153011
1371
1372         Reviewed by Saam Barati.
1373
1374         Apparently the static const member can only be used for constexpr.
1375         C++ is weird.
1376
1377         * jit/GPRInfo.cpp:
1378         * jit/GPRInfo.h:
1379
1380 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
1381
1382         Web Inspector: console.count() shouldn't show a colon in front of a number
1383         https://bugs.webkit.org/show_bug.cgi?id=152038
1384
1385         Reviewed by Brian Burg.
1386
1387         * inspector/agents/InspectorConsoleAgent.cpp:
1388         (Inspector::InspectorConsoleAgent::count):
1389         Do not include title and colon if the title is empty.
1390
1391 2016-01-11  Dan Bernstein  <mitz@apple.com>
1392
1393         Reverted r194317.
1394
1395         Reviewed by Joseph Pecoraro.
1396
1397         r194317 did not contain a change log entry, did not explain the motivation, did not name a
1398         reviewer, and does not seem necessary.
1399
1400         * JavaScriptCore.xcodeproj/project.pbxproj:
1401
1402 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
1403
1404         keywords ("super", "delete", etc) should be valid method names
1405         https://bugs.webkit.org/show_bug.cgi?id=144281
1406
1407         Reviewed by Ryosuke Niwa.
1408
1409         * parser/Parser.cpp:
1410         (JSC::Parser<LexerType>::parseClass):
        - When parsing "static(", treat it as a method named "static" and not a static method.
        - When parsing a keyword, treat it like a string method name (get and set are not keywords).
        - When parsing a getter / setter method name identifier, allow lookahead to be a keyword.
1414
1415         (JSC::Parser<LexerType>::parseGetterSetter):
1416         - When parsing the getter / setter's name, allow it to be a keyword.
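
        The cases listed above, as an added example (this is not JSC's parser or one of its tests; the class and its method bodies are made up for illustration). Each method or accessor is named with a reserved word or with the contextual keyword "static", and the probe function reports what the engine actually defined:

```javascript
// Added example, not part of JavaScriptCore. The class name and method
// bodies are arbitrary; only the method names matter here.
class Keyworded {
  // "static(" is a method named "static" on the prototype, not a static method.
  static() { return "method named static"; }
  // A static method whose name happens to be "static".
  static static() { return "static static"; }
  // Reserved words are accepted as method names, like string-keyed methods.
  delete() { return "delete"; }
  super() { return "super"; }
  // "get" is not a keyword, so a method named get is an ordinary method.
  get() { return "get"; }
  // Getter/setter names may be keywords as well.
  get class() { return this._class; }
  set class(v) { this._class = v; }
  // A static method with a reserved-word name.
  static delete() { return "static delete"; }
}

// Exercise every member and report where each one was defined.
function probeKeywordMethodNames() {
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const k = new Keyworded();
  k.class = "x";
  return {
    instanceStatic: k.static(),
    staticStatic: Keyworded.static(),
    instanceDelete: k.delete(),
    staticDelete: Keyworded.delete(),
    instanceSuper: k.super(),
    instanceGet: k.get(),
    getterSetter: k.class,
    protoOwnsStatic: own(Keyworded.prototype, "static"),
    ctorOwnsStatic: own(Keyworded, "static"),
    protoOwnsDelete: own(Keyworded.prototype, "delete"),
  };
}
```

Note that `k.super()` is a plain member call on a method named "super"; it is not a `super(...)` call, which is only legal inside a derived constructor.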
1417
1418 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
1419
1420         [JSC] Add Div/Mod and fix Mul for B3 ARM64
1421         https://bugs.webkit.org/show_bug.cgi?id=152978
1422
1423         Reviewed by Filip Pizlo.
1424
1425         Add the 3 operands forms of Mul.
        Remove the form taking an immediate on ARM64, there is no such instruction.
1427
1428         Add Div with sdiv.
1429
1430         Unfortunately, I discovered ChillMod's division by zero
1431         makes it non-trivial on ARM64. I just made it into a macro like on x86.
1432
1433         * assembler/MacroAssemblerARM64.h:
1434         (JSC::MacroAssemblerARM64::mul32):
1435         (JSC::MacroAssemblerARM64::mul64):
1436         (JSC::MacroAssemblerARM64::div32):
1437         (JSC::MacroAssemblerARM64::div64):
1438         * b3/B3LowerMacros.cpp:
1439         * b3/B3LowerToAir.cpp:
1440         (JSC::B3::Air::LowerToAir::lower):
1441         * b3/air/AirOpcode.opcodes:
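
        Why division by zero makes the remainder awkward on ARM64, as an added example (not JSC code). ARM64 has no remainder instruction, so a modulo is computed as x - (x / y) * y, and SDIV does not trap: x / 0 yields 0 and INT_MIN / -1 wraps to INT_MIN. The entry does not spell out ChillMod's semantics; the code below assumes the B3 convention that x mod 0 is 0 (marked as an assumption in the comments) and shows that the sdiv-based remainder needs an explicit zero check to get there:

```javascript
// Added example, not JavaScriptCore code. Models 32-bit ARM64 SDIV and the
// remainder built on top of it, to show the division-by-zero edge case.
const INT32_MIN = -2147483648;

// ARM64 SDIV semantics: never traps; divide-by-zero gives 0, INT_MIN/-1 wraps.
function arm64Sdiv32(x, y) {
  x |= 0; y |= 0;
  if (y === 0) return 0;
  if (x === INT32_MIN && y === -1) return INT32_MIN;
  return Math.trunc(x / y) | 0;
}

// Remainder exactly as sdiv followed by msub would compute it, no guards.
function naiveMod32(x, y) {
  x |= 0; y |= 0;
  return (x - Math.imul(arm64Sdiv32(x, y), y)) | 0;
}

// Assumed chill semantics: x mod 0 is 0. The y === 0 branch is the extra
// work the entry refers to; INT_MIN mod -1 already falls out as 0 from the
// wrapping multiply, so it needs no special case here.
function chillMod32(x, y) {
  x |= 0; y |= 0;
  if (y === 0) return 0;
  return naiveMod32(x, y);
}
```

With y = 0 the naive sequence returns x itself, because SDIV produced 0 and x - 0 * 0 is x; that is the value the unguarded lowering would hand back.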
1442
1443 2016-01-11  Keith Miller  <keith_miller@apple.com>
1444
1445         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
1446         https://bugs.webkit.org/show_bug.cgi?id=152949
1447
1448         Reviewed by Michael Saboff.
1449
1450         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
1451
1452         * runtime/ArrayConstructor.cpp:
1453         (JSC::constructArrayWithSizeQuirk):
1454         (JSC::constructWithArrayConstructor):
1455         * runtime/InternalFunction.h:
1456         (JSC::InternalFunction::createStructure):
1457         * runtime/JSGlobalObject.h:
1458         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
1459         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
1460         (JSC::constructEmptyArray):
1461         (JSC::constructArray):
1462         (JSC::constructArrayNegativeIndexed):
1463         * runtime/PrototypeMap.cpp:
1464         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1465         * runtime/Structure.h:
1466         * runtime/StructureInlines.h:
1467
1468 2016-01-08  Keith Miller  <keith_miller@apple.com>
1469
1470         Use a profile to store allocation structures for subclasses of InternalFunctions
1471         https://bugs.webkit.org/show_bug.cgi?id=152942
1472
1473         Reviewed by Michael Saboff.
1474
1475         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
1476         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
1477         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
1478         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
1479         constructor as a new.target to any other constructor. This means that a user can pass some
1480         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
1481         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
1482         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
1483         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
1484         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
1485         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
1486
1487         Additionally, this patch adds subclassing to some omitted classes.
1488
1489         * API/JSObjectRef.cpp:
1490         (JSObjectMakeDate):
1491         (JSObjectMakeRegExp):
1492         * JavaScriptCore.xcodeproj/project.pbxproj:
1493         * bytecode/InternalFunctionAllocationProfile.h: Added.
1494         (JSC::InternalFunctionAllocationProfile::structure):
1495         (JSC::InternalFunctionAllocationProfile::clear):
1496         (JSC::InternalFunctionAllocationProfile::visitAggregate):
1497         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
1498         * dfg/DFGByteCodeParser.cpp:
1499         (JSC::DFG::ByteCodeParser::parseBlock):
1500         * dfg/DFGOperations.cpp:
1501         * dfg/DFGSpeculativeJIT32_64.cpp:
1502         (JSC::DFG::SpeculativeJIT::compile):
1503         * dfg/DFGSpeculativeJIT64.cpp:
1504         (JSC::DFG::SpeculativeJIT::compile):
1505         * jit/JITOpcodes.cpp:
1506         (JSC::JIT::emit_op_create_this):
1507         * jit/JITOpcodes32_64.cpp:
1508         (JSC::JIT::emit_op_create_this):
1509         * llint/LowLevelInterpreter32_64.asm:
1510         * llint/LowLevelInterpreter64.asm:
1511         * runtime/BooleanConstructor.cpp:
1512         (JSC::constructWithBooleanConstructor):
1513         * runtime/CommonSlowPaths.cpp:
1514         (JSC::SLOW_PATH_DECL):
1515         * runtime/DateConstructor.cpp:
1516         (JSC::constructDate):
1517         (JSC::constructWithDateConstructor):
1518         * runtime/DateConstructor.h:
1519         * runtime/ErrorConstructor.cpp:
1520         (JSC::Interpreter::constructWithErrorConstructor):
1521         * runtime/FunctionRareData.cpp:
1522         (JSC::FunctionRareData::create):
1523         (JSC::FunctionRareData::visitChildren):
1524         (JSC::FunctionRareData::FunctionRareData):
1525         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1526         (JSC::FunctionRareData::clear):
1527         (JSC::FunctionRareData::finishCreation): Deleted.
1528         (JSC::FunctionRareData::initialize): Deleted.
1529         * runtime/FunctionRareData.h:
1530         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
1531         (JSC::FunctionRareData::objectAllocationProfile):
1532         (JSC::FunctionRareData::objectAllocationStructure):
1533         (JSC::FunctionRareData::allocationProfileWatchpointSet):
1534         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
1535         (JSC::FunctionRareData::internalFunctionAllocationStructure):
1536         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
1537         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
1538         (JSC::FunctionRareData::allocationProfile): Deleted.
1539         (JSC::FunctionRareData::allocationStructure): Deleted.
1540         (JSC::FunctionRareData::isInitialized): Deleted.
1541         * runtime/InternalFunction.cpp:
1542         (JSC::InternalFunction::createSubclassStructure):
1543         * runtime/InternalFunction.h:
1544         * runtime/JSArrayBufferConstructor.cpp:
1545         (JSC::constructArrayBuffer):
1546         * runtime/JSFunction.cpp:
1547         (JSC::JSFunction::allocateRareData):
1548         (JSC::JSFunction::allocateAndInitializeRareData):
1549         (JSC::JSFunction::initializeRareData):
1550         * runtime/JSFunction.h:
1551         (JSC::JSFunction::rareData):
1552         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1553         (JSC::constructGenericTypedArrayView):
1554         * runtime/JSObject.h:
1555         (JSC::JSFinalObject::typeInfo):
1556         (JSC::JSFinalObject::createStructure):
1557         * runtime/JSPromiseConstructor.cpp:
1558         (JSC::constructPromise):
1559         * runtime/JSPromiseConstructor.h:
1560         * runtime/JSWeakMap.cpp:
1561         * runtime/JSWeakSet.cpp:
1562         * runtime/MapConstructor.cpp:
1563         (JSC::constructMap):
1564         * runtime/NativeErrorConstructor.cpp:
1565         (JSC::Interpreter::constructWithNativeErrorConstructor):
1566         * runtime/NumberConstructor.cpp:
1567         (JSC::constructWithNumberConstructor):
1568         * runtime/PrototypeMap.cpp:
1569         (JSC::PrototypeMap::createEmptyStructure):
1570         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1571         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1572         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1573         * runtime/PrototypeMap.h:
1574         * runtime/RegExpConstructor.cpp:
1575         (JSC::getRegExpStructure):
1576         (JSC::constructRegExp):
1577         (JSC::constructWithRegExpConstructor):
1578         * runtime/RegExpConstructor.h:
1579         * runtime/SetConstructor.cpp:
1580         (JSC::constructSet):
1581         * runtime/WeakMapConstructor.cpp:
1582         (JSC::constructWeakMap):
1583         * runtime/WeakSetConstructor.cpp:
1584         (JSC::constructWeakSet):
1585         * tests/stress/class-subclassing-misc.js:
1586         (A):
1587         (D):
1588         (E):
1589         (WM):
1590         (WS):
1591         (test):
1592         * tests/stress/class-subclassing-typedarray.js: Added.
1593         (test):
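
        What Reflect.construct permits for new.target, as an added example (not JSC code, and not one of the stress tests listed above). It builds objects whose prototype comes from one constructor while their internal slots come from another, which is the situation the entry gives as the reason an InternalFunction cannot trust a cached structure without checking its class:

```javascript
// Added example, not part of JavaScriptCore. The helper names are arbitrary.

// Run `ctor` with an arbitrary new.target. The prototype of the result comes
// from newTarget.prototype; the internal slots come from ctor.
function constructWith(ctor, args, newTarget) {
  return Reflect.construct(ctor, args, newTarget);
}

// Report the prototype and the internal slots an object actually carries.
// Brand-checked builtins throw TypeError on a receiver of the wrong kind, so
// they reveal the slots independently of the prototype chain.
function classify(obj) {
  const proto = Object.getPrototypeOf(obj);
  const has = (fn, ...args) => {
    try { fn.call(obj, ...args); return true; }
    catch (e) { if (e instanceof TypeError) return false; throw e; }
  };
  return {
    protoIsDate: proto === Date.prototype,
    protoIsMap: proto === Map.prototype,
    protoIsSet: proto === Set.prototype,
    dateSlots: has(Date.prototype.getTime),
    mapSlots: has(Map.prototype.has, 1),
    setSlots: has(Set.prototype.has, 1),
  };
}

// The ordinary derived case, for comparison.
class MyDate extends Date {}

// A Date whose prototype is Map.prototype, and a Map whose prototype is
// Date.prototype: same ctor, different new.target, and vice versa.
function mixedObjects() {
  return {
    dateWithMapProto: constructWith(Date, [0], Map),
    mapWithDateProto: constructWith(Map, [], Date),
    dateWithSetProto: constructWith(Date, [0], Set),
    derivedDate: new MyDate(0),
  };
}
```

The cached structure in an allocation profile is keyed by what new.target's prototype was last time, so two callers passing the same new.target to different constructors would otherwise be handed the same structure for objects of different classes.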
1594
1595 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
1596
1597         [B3][Win64] Compile error.
1598         https://bugs.webkit.org/show_bug.cgi?id=152984
1599
1600         Reviewed by Alex Christensen.
1601
1602         Windows does not have bzero, use memset instead.
1603
1604         * b3/air/AirIteratedRegisterCoalescing.cpp:
1605
1606 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
1607
1608         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
1609         https://bugs.webkit.org/show_bug.cgi?id=152923
1610
1611         Reviewed by Alex Christensen.
1612
1613         * jit/CallFrameShuffler.h:
1614         (JSC::CallFrameShuffler::assumeCalleeIsCell):
1615
1616 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
1617
1618         [B3] Fix control reaches end of non-void function GCC warnings on Linux
1619         https://bugs.webkit.org/show_bug.cgi?id=152887
1620
1621         Reviewed by Mark Lam.
1622
1623         * b3/B3LowerToAir.cpp:
1624         (JSC::B3::Air::LowerToAir::createBranch):
1625         (JSC::B3::Air::LowerToAir::createCompare):
1626         (JSC::B3::Air::LowerToAir::createSelect):
1627         * b3/B3Type.h:
1628         (JSC::B3::sizeofType):
1629         * b3/air/AirArg.cpp:
1630         (JSC::B3::Air::Arg::isRepresentableAs):
1631         * b3/air/AirArg.h:
1632         (JSC::B3::Air::Arg::isAnyUse):
1633         (JSC::B3::Air::Arg::isColdUse):
1634         (JSC::B3::Air::Arg::isEarlyUse):
1635         (JSC::B3::Air::Arg::isLateUse):
1636         (JSC::B3::Air::Arg::isAnyDef):
1637         (JSC::B3::Air::Arg::isEarlyDef):
1638         (JSC::B3::Air::Arg::isLateDef):
1639         (JSC::B3::Air::Arg::isZDef):
1640         (JSC::B3::Air::Arg::widthForB3Type):
1641         (JSC::B3::Air::Arg::isGP):
1642         (JSC::B3::Air::Arg::isFP):
1643         (JSC::B3::Air::Arg::isType):
1644         (JSC::B3::Air::Arg::isValidForm):
1645         * b3/air/AirCode.h:
1646         (JSC::B3::Air::Code::newTmp):
1647         (JSC::B3::Air::Code::numTmps):
1648
1649 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
1650
1651         Make it easier to introduce exotic instructions to Air
1652         https://bugs.webkit.org/show_bug.cgi?id=152953
1653
1654         Reviewed by Benjamin Poulain.
1655
1656         Currently, you can define new "opcodes" in Air using either:
1657
1658         1) New opcode declared in AirOpcode.opcodes.
1659         2) Patch opcode with a new implementation of Air::Special.
1660
1661         With (1), you are limited to fixed-argument-length instructions. There are other
1662         restrictions as well, like that you can only use the roles that the AirOpcode syntax
1663         supports.
1664
1665         With (2), you can do anything you like, but the instruction will be harder to match
1666         since it will share the same opcode as any other Patch. Also, the instruction will have
1667         the Special argument, which means more busy-work when creating the instruction and
1668         validating it.
1669
1670         This introduces an in-between facility called "custom". This replaces what AirOpcode
1671         previously called "special". A custom instruction is one whose behavior is defined by a
1672         FooCustom struct with some static methods. Calls to those methods are emitted by
1673         opcode_generator.rb.
1674
1675         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
1676         that we now treat the Patch instruction specially in a few places. Those places were
1677         already effectively treating it specially by assuming that only Patch instructions have
1678         a Special as their first argument.
1679
1680         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
1681         for performance work.
1682
1683         * JavaScriptCore.xcodeproj/project.pbxproj:
1684         * b3/air/AirCustom.h: Added.
1685         (JSC::B3::Air::PatchCustom::forEachArg):
1686         (JSC::B3::Air::PatchCustom::isValidFormStatic):
1687         (JSC::B3::Air::PatchCustom::isValidForm):
1688         (JSC::B3::Air::PatchCustom::admitsStack):
1689         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1690         (JSC::B3::Air::PatchCustom::generate):
1691         * b3/air/AirHandleCalleeSaves.cpp:
1692         (JSC::B3::Air::handleCalleeSaves):
1693         * b3/air/AirInst.h:
1694         * b3/air/AirInstInlines.h:
1695         (JSC::B3::Air::Inst::forEach):
1696         (JSC::B3::Air::Inst::extraClobberedRegs):
1697         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
1698         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
1699         (JSC::B3::Air::Inst::reportUsedRegisters):
1700         (JSC::B3::Air::Inst::hasSpecial): Deleted.
1701         * b3/air/AirOpcode.opcodes:
1702         * b3/air/AirReportUsedRegisters.cpp:
1703         (JSC::B3::Air::reportUsedRegisters):
1704         * b3/air/opcode_generator.rb:
1705
1706 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
1707
1708         Turn Check(true) into Patchpoint() followed by Oops
1709         https://bugs.webkit.org/show_bug.cgi?id=152968
1710
1711         Reviewed by Benjamin Poulain.
1712
1713         This is an obvious strength reduction to have, especially since if we discover that the
1714         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
1715         of the basic block unlocks CFG simplification opportunities.
1716
1717         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
1718         implement sinking (bug 152162).
1719
1720         * b3/B3ControlValue.cpp:
1721         (JSC::B3::ControlValue::convertToJump):
1722         (JSC::B3::ControlValue::convertToOops):
1723         (JSC::B3::ControlValue::dumpMeta):
1724         * b3/B3ControlValue.h:
1725         * b3/B3InsertionSet.h:
1726         (JSC::B3::InsertionSet::insertValue):
1727         * b3/B3InsertionSetInlines.h:
1728         (JSC::B3::InsertionSet::insert):
1729         * b3/B3ReduceStrength.cpp:
1730         * b3/B3StackmapValue.h:
1731         * b3/B3Value.h:
1732         * tests/stress/ftl-force-osr-exit.js: Added.
1733
1734 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
1735
1736         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
1737         https://bugs.webkit.org/show_bug.cgi?id=152840
1738
1739         Reviewed by Mark Lam.
1740
1741         ARM64 has two kinds of addressing with immediates:
        -Signed 9-bit direct (really only -256 to 255).
        -Unsigned 12-bit scaled by the load/store size.
1744
1745         When resolving the stack addresses, we easily run
1746         past -256 bytes from FP. Addressing from SP gives us more
1747         room to address the stack efficiently because we can
1748         use unsigned immediates.
1749
1750         * b3/B3StackmapSpecial.cpp:
1751         (JSC::B3::StackmapSpecial::repForArg):
1752         * b3/air/AirAllocateStack.cpp:
1753         (JSC::B3::Air::allocateStack):
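
        The two immediate forms and the FP-to-SP fallback, as an added example (not JSC's Air code). The encodings are those of the ARM64 load/store instructions: the unscaled signed 9-bit form is LDUR/STUR, the unsigned 12-bit form scaled by access size is LDR/STR. The frame layout is an assumption made for the example: a slot at FP + fpOffset (fpOffset negative) sits at SP + (frameSize + fpOffset):

```javascript
// Added example, not JavaScriptCore code. Decides which ARM64 immediate
// addressing form can encode a stack slot's offset, and falls back from the
// frame pointer to the stack pointer when the FP-relative offset will not fit.
const IMM9_MIN = -256;
const IMM9_MAX = 255;
const ACCESS_SIZES = [1, 2, 4, 8, 16];

// Unscaled signed 9-bit immediate: offset in [-256, 255].
function fitsSignedImm9(offset) {
  return Number.isInteger(offset) && offset >= IMM9_MIN && offset <= IMM9_MAX;
}

// Unsigned 12-bit immediate scaled by the access size: offset must be a
// non-negative multiple of the size, with offset / size in [0, 4095].
function fitsScaledUnsignedImm12(offset, sizeInBytes) {
  if (!ACCESS_SIZES.includes(sizeInBytes)) throw new RangeError("bad access size " + sizeInBytes);
  return Number.isInteger(offset) && offset >= 0
    && offset % sizeInBytes === 0 && offset / sizeInBytes <= 4095;
}

// Prefer the scaled form (larger reach); fall back to the signed 9-bit form.
function encodableForm(offset, sizeInBytes) {
  if (fitsScaledUnsignedImm12(offset, sizeInBytes)) return "scaled-imm12";
  if (fitsSignedImm9(offset)) return "signed-imm9";
  return null;
}

// Assumed layout: the slot is at FP + fpOffset and also at SP + frameSize + fpOffset.
// Returns the base register and immediate to use, or null if neither base works
// (the access would then need an extra add into a scratch register).
function chooseStackAddressing(fpOffset, frameSize, sizeInBytes) {
  const fpForm = encodableForm(fpOffset, sizeInBytes);
  if (fpForm) return { base: "fp", offset: fpOffset, form: fpForm };
  const spOffset = frameSize + fpOffset;
  const spForm = encodableForm(spOffset, sizeInBytes);
  if (spForm) return { base: "sp", offset: spOffset, form: spForm };
  return null;
}
```

Because FP-relative slot offsets are negative, only the 9-bit form ever applies to them, which is why the reach runs out after 256 bytes; the same slot addressed from SP has a non-negative offset and can use the scaled 12-bit form.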
1754
1755 2016-01-10  Saam barati  <sbarati@apple.com>
1756
1757         Implement a sampling profiler
1758         https://bugs.webkit.org/show_bug.cgi?id=151713
1759
1760         Reviewed by Filip Pizlo.
1761
1762         This patch implements a sampling profiler for JavaScriptCore
1763         that will be used in the Inspector UI. The implementation works as follows:
1764         We queue the sampling profiler to run a task on a background
1765         thread every 1ms. When the queued task executes, the sampling profiler
        will pause the JSC execution thread and attempt to take a stack trace.
1767         The sampling profiler does everything it can to be very careful
1768         while taking this stack trace. Because it's reading arbitrary memory,
1769         the sampling profiler must validate every pointer it reads from.
1770
1771         The sampling profiler tries to get an ExecutableBase for every call frame
1772         it reads. It first tries to read the CodeBlock slot. It does this because
1773         it can be 100% certain that a pointer is a CodeBlock while it's taking a
1774         stack trace. But, not every call frame will have a CodeBlock. So we must read
1775         the call frame's callee. For these stack traces where we read the callee, we
1776         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
1777         on the main JSC execution thread, and not on the thread taking the stack
1778         trace. We do this verification either before we run the marking phase in
1779         GC, or when somebody asks the SamplingProfiler to materialize its data.
1780
1781         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
1782         thread is paused (this means it can't do anything that mallocs) because
1783         that could cause a deadlock. Therefore, the sampling profiler grabs
1784         locks for all data structures it consults before it pauses the JSC
1785         execution thread.
1786
1787         * CMakeLists.txt:
1788         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1789         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1790         * JavaScriptCore.xcodeproj/project.pbxproj:
1791         * bytecode/CodeBlock.h:
1792         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
1793         (JSC::CodeBlockSet::mark):
1794         * dfg/DFGNodeType.h:
1795         * heap/CodeBlockSet.cpp:
1796         (JSC::CodeBlockSet::add):
1797         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
1798         (JSC::CodeBlockSet::clearMarksForFullCollection):
1799         (JSC::CodeBlockSet::lastChanceToFinalize):
1800         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1801         (JSC::CodeBlockSet::contains):
1802         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
1803         (JSC::CodeBlockSet::remove): Deleted.
1804         * heap/CodeBlockSet.h:
1805         (JSC::CodeBlockSet::getLock):
1806         (JSC::CodeBlockSet::iterate):
        The sampling profiler uses the heap's CodeBlockSet to validate
1808         CodeBlock pointers. This data structure must now be under a lock
1809         because we must be certain we're not pausing the JSC execution thread
1810         while it's manipulating this data structure.
1811
1812         * heap/ConservativeRoots.cpp:
1813         (JSC::ConservativeRoots::ConservativeRoots):
1814         (JSC::ConservativeRoots::grow):
1815         (JSC::ConservativeRoots::genericAddPointer):
1816         (JSC::ConservativeRoots::genericAddSpan):
1817         (JSC::ConservativeRoots::add):
1818         (JSC::CompositeMarkHook::CompositeMarkHook):
1819         (JSC::CompositeMarkHook::mark):
1820         * heap/ConservativeRoots.h:
1821         * heap/Heap.cpp:
1822         (JSC::Heap::markRoots):
1823         (JSC::Heap::visitHandleStack):
1824         (JSC::Heap::visitSamplingProfiler):
1825         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1826         (JSC::Heap::snapshotMarkedSpace):
1827         * heap/Heap.h:
1828         (JSC::Heap::structureIDTable):
1829         (JSC::Heap::codeBlockSet):
1830         * heap/MachineStackMarker.cpp:
1831         (pthreadSignalHandlerSuspendResume):
1832         (JSC::getCurrentPlatformThread):
1833         (JSC::MachineThreads::MachineThreads):
1834         (JSC::MachineThreads::~MachineThreads):
1835         (JSC::MachineThreads::Thread::createForCurrentThread):
1836         (JSC::MachineThreads::Thread::operator==):
1837         (JSC::isThreadInList):
1838         (JSC::MachineThreads::addCurrentThread):
1839         (JSC::MachineThreads::machineThreadForCurrentThread):
1840         (JSC::MachineThreads::removeThread):
1841         (JSC::MachineThreads::gatherFromCurrentThread):
1842         (JSC::MachineThreads::Thread::Thread):
1843         (JSC::MachineThreads::Thread::~Thread):
1844         (JSC::MachineThreads::Thread::suspend):
1845         (JSC::MachineThreads::Thread::resume):
1846         (JSC::MachineThreads::Thread::getRegisters):
1847         (JSC::MachineThreads::Thread::Registers::stackPointer):
1848         (JSC::MachineThreads::Thread::Registers::framePointer):
1849         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1850         (JSC::MachineThreads::Thread::freeRegisters):
1851         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1852         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
1853         (JSC::MachineThreads::Thread::operator!=): Deleted.
1854         * heap/MachineStackMarker.h:
1855         (JSC::MachineThreads::Thread::operator!=):
1856         (JSC::MachineThreads::getLock):
1857         (JSC::MachineThreads::threadsListHead):
1858         We can now ask a MachineThreads::Thread for its frame pointer
1859         and program counter on darwin and windows platforms. efl
1860         and gtk implementations will happen in another patch.
1861
1862         * heap/MarkedBlockSet.h:
1863         (JSC::MarkedBlockSet::getLock):
1864         (JSC::MarkedBlockSet::add):
1865         (JSC::MarkedBlockSet::remove):
1866         (JSC::MarkedBlockSet::recomputeFilter):
1867         (JSC::MarkedBlockSet::filter):
1868         (JSC::MarkedBlockSet::set):
1869         * heap/MarkedSpace.cpp:
1870         (JSC::Free::Free):
1871         (JSC::Free::operator()):
1872         (JSC::FreeOrShrink::FreeOrShrink):
1873         (JSC::FreeOrShrink::operator()):
1874         (JSC::MarkedSpace::~MarkedSpace):
1875         (JSC::MarkedSpace::isPagedOut):
1876         (JSC::MarkedSpace::freeBlock):
1877         (JSC::MarkedSpace::freeOrShrinkBlock):
1878         (JSC::MarkedSpace::shrink):
1879         * heap/MarkedSpace.h:
1880         (JSC::MarkedSpace::forEachLiveCell):
1881         (JSC::MarkedSpace::forEachDeadCell):
1882         * interpreter/CallFrame.h:
1883         (JSC::ExecState::calleeAsValue):
1884         (JSC::ExecState::callee):
1885         (JSC::ExecState::unsafeCallee):
1886         (JSC::ExecState::codeBlock):
1887         (JSC::ExecState::scope):
1888         * jit/ExecutableAllocator.cpp:
1889         (JSC::ExecutableAllocator::dumpProfile):
1890         (JSC::ExecutableAllocator::getLock):
1891         (JSC::ExecutableAllocator::isValidExecutableMemory):
1892         * jit/ExecutableAllocator.h:
1893         * jit/ExecutableAllocatorFixedVMPool.cpp:
1894         (JSC::ExecutableAllocator::allocate):
1895         (JSC::ExecutableAllocator::isValidExecutableMemory):
1896         (JSC::ExecutableAllocator::getLock):
1897         (JSC::ExecutableAllocator::committedByteCount):
1898         The sampling profiler consults the ExecutableAllocator to check
1899         if the frame pointer it reads is in executable allocated memory.
1900
1901         * jsc.cpp:
1902         (GlobalObject::finishCreation):
1903         (functionCheckModuleSyntax):
1904         (functionStartSamplingProfiler):
1905         (functionSamplingProfilerStackTraces):
1906         * llint/LLIntPCRanges.h: Added.
1907         (JSC::LLInt::isLLIntPC):
1908         * offlineasm/asm.rb:
1909         I added the ability to test whether the PC is executing
1910         LLInt code because this code is not part of the memory
1911         our executable allocator allocates.
1912
1913         * runtime/Executable.h:
1914         (JSC::ExecutableBase::isModuleProgramExecutable):
1915         (JSC::ExecutableBase::isExecutableType):
1916         (JSC::ExecutableBase::isHostFunction):
1917         * runtime/JSLock.cpp:
1918         (JSC::JSLock::didAcquireLock):
1919         (JSC::JSLock::unlock):
1920         * runtime/Options.h:
1921         * runtime/SamplingProfiler.cpp: Added.
1922         (JSC::reportStats):
1923         (JSC::FrameWalker::FrameWalker):
1924         (JSC::FrameWalker::walk):
1925         (JSC::FrameWalker::wasValidWalk):
1926         (JSC::FrameWalker::advanceToParentFrame):
1927         (JSC::FrameWalker::isAtTop):
1928         (JSC::FrameWalker::resetAtMachineFrame):
1929         (JSC::FrameWalker::isValidFramePointer):
1930         (JSC::FrameWalker::isValidCodeBlock):
1931         (JSC::FrameWalker::tryToGetExecutableFromCallee):
1932         The FrameWalker class is used to walk the stack in a safe
1933         manner. It doesn't do anything that would deadlock, and it
1934         validates all pointers that it sees.
1935
1936         (JSC::SamplingProfiler::SamplingProfiler):
1937         (JSC::SamplingProfiler::~SamplingProfiler):
1938         (JSC::SamplingProfiler::visit):
1939         (JSC::SamplingProfiler::shutdown):
1940         (JSC::SamplingProfiler::start):
1941         (JSC::SamplingProfiler::stop):
1942         (JSC::SamplingProfiler::pause):
1943         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1944         (JSC::SamplingProfiler::dispatchIfNecessary):
1945         (JSC::SamplingProfiler::dispatchFunction):
1946         (JSC::SamplingProfiler::noticeJSLockAcquisition):
1947         (JSC::SamplingProfiler::noticeVMEntry):
1948         (JSC::SamplingProfiler::observeStackTrace):
1949         (JSC::SamplingProfiler::clearData):
1950         (JSC::displayName):
1951         (JSC::startLine):
1952         (JSC::startColumn):
1953         (JSC::sourceID):
1954         (JSC::url):
1955         (JSC::SamplingProfiler::stacktracesAsJSON):
1956         * runtime/SamplingProfiler.h: Added.
1957         (JSC::SamplingProfiler::getLock):
1958         (JSC::SamplingProfiler::setTimingInterval):
1959         (JSC::SamplingProfiler::stackTraces):
1960         * runtime/VM.cpp:
1961         (JSC::VM::VM):
1962         (JSC::VM::~VM):
1963         (JSC::VM::setLastStackTop):
1964         (JSC::VM::createContextGroup):
1965         (JSC::VM::ensureWatchdog):
1966         (JSC::VM::ensureSamplingProfiler):
1967         (JSC::thunkGeneratorForIntrinsic):
1968         * runtime/VM.h:
1969         (JSC::VM::watchdog):
1970         (JSC::VM::isSafeToRecurse):
1971         (JSC::VM::lastStackTop):
1972         (JSC::VM::scratchBufferForSize):
1973         (JSC::VM::samplingProfiler):
1974         (JSC::VM::setShouldRewriteConstAsVar):
1975         (JSC::VM::setLastStackTop): Deleted.
1976         * runtime/VMEntryScope.cpp:
1977         (JSC::VMEntryScope::VMEntryScope):
1978         * tests/stress/sampling-profiler: Added.
1979         * tests/stress/sampling-profiler-anonymous-function.js: Added.
1980         (foo):
1981         (baz):
1982         * tests/stress/sampling-profiler-basic.js: Added.
1983         (bar):
1984         (foo):
1985         (nothing):
1986         (top):
1987         (jaz):
1988         (kaz):
1989         (checkInlining):
1990         * tests/stress/sampling-profiler-deep-stack.js: Added.
1991         (foo):
1992         (hellaDeep):
1993         (start):
1994         * tests/stress/sampling-profiler-microtasks.js: Added.
1995         (testResults):
1996         (loop.jaz):
1997         (loop):
1998         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
1999         (assert):
2000         (let.nodePrototype.makeChildIfNeeded):
2001         (makeNode):
2002         (updateCallingContextTree):
2003         (doesTreeHaveStackTrace):
2004         (makeTree):
2005         (runTest):
2006         (dumpTree):
2007         * tools/JSDollarVMPrototype.cpp:
2008         (JSC::JSDollarVMPrototype::isInObjectSpace):
2009         (JSC::JSDollarVMPrototype::isInStorageSpace):
2010         * yarr/YarrJIT.cpp:
2011         (JSC::Yarr::YarrGenerator::generateEnter):
2012         (JSC::Yarr::YarrGenerator::generateReturn):
2013         (JSC::Yarr::YarrGenerator::YarrGenerator):
2014         (JSC::Yarr::YarrGenerator::compile):
2015         (JSC::Yarr::jitCompile):
2016         We now have a boolean that's set to true when
2017         we're executing a RegExp, and to false otherwise.
2018         The boolean lives off of VM.
2019
2020         * CMakeLists.txt:
2021         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2022         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2023         * JavaScriptCore.xcodeproj/project.pbxproj:
2024         * bytecode/CodeBlock.h:
2025         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2026         (JSC::CodeBlockSet::mark):
2027         * dfg/DFGNodeType.h:
2028         * heap/CodeBlockSet.cpp:
2029         (JSC::CodeBlockSet::add):
2030         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2031         (JSC::CodeBlockSet::clearMarksForFullCollection):
2032         (JSC::CodeBlockSet::lastChanceToFinalize):
2033         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2034         (JSC::CodeBlockSet::contains):
2035         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2036         (JSC::CodeBlockSet::remove): Deleted.
2037         * heap/CodeBlockSet.h:
2038         (JSC::CodeBlockSet::getLock):
2039         (JSC::CodeBlockSet::iterate):
2040         * heap/ConservativeRoots.cpp:
2041         (JSC::ConservativeRoots::ConservativeRoots):
2042         (JSC::ConservativeRoots::genericAddPointer):
2043         (JSC::ConservativeRoots::add):
2044         (JSC::CompositeMarkHook::CompositeMarkHook):
2045         (JSC::CompositeMarkHook::mark):
2046         * heap/ConservativeRoots.h:
2047         * heap/Heap.cpp:
2048         (JSC::Heap::markRoots):
2049         (JSC::Heap::visitHandleStack):
2050         (JSC::Heap::visitSamplingProfiler):
2051         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2052         * heap/Heap.h:
2053         (JSC::Heap::structureIDTable):
2054         (JSC::Heap::codeBlockSet):
2055         * heap/HeapInlines.h:
2056         (JSC::Heap::didFreeBlock):
2057         (JSC::Heap::isPointerGCObject):
2058         (JSC::Heap::isValueGCObject):
2059         * heap/MachineStackMarker.cpp:
2060         (pthreadSignalHandlerSuspendResume):
2061         (JSC::getCurrentPlatformThread):
2062         (JSC::MachineThreads::MachineThreads):
2063         (JSC::MachineThreads::~MachineThreads):
2064         (JSC::MachineThreads::Thread::createForCurrentThread):
2065         (JSC::MachineThreads::Thread::operator==):
2066         (JSC::isThreadInList):
2067         (JSC::MachineThreads::addCurrentThread):
2068         (JSC::MachineThreads::machineThreadForCurrentThread):
2069         (JSC::MachineThreads::removeThread):
2070         (JSC::MachineThreads::gatherFromCurrentThread):
2071         (JSC::MachineThreads::Thread::Thread):
2072         (JSC::MachineThreads::Thread::~Thread):
2073         (JSC::MachineThreads::Thread::suspend):
2074         (JSC::MachineThreads::Thread::resume):
2075         (JSC::MachineThreads::Thread::getRegisters):
2076         (JSC::MachineThreads::Thread::Registers::stackPointer):
2077         (JSC::MachineThreads::Thread::Registers::framePointer):
2078         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2079         (JSC::MachineThreads::Thread::freeRegisters):
2080         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2081         (JSC::MachineThreads::Thread::operator!=): Deleted.
2082         * heap/MachineStackMarker.h:
2083         (JSC::MachineThreads::Thread::operator!=):
2084         (JSC::MachineThreads::getLock):
2085         (JSC::MachineThreads::threadsListHead):
2086         * heap/MarkedBlockSet.h:
2087         * heap/MarkedSpace.cpp:
2088         (JSC::Free::Free):
2089         (JSC::Free::operator()):
2090         (JSC::FreeOrShrink::FreeOrShrink):
2091         (JSC::FreeOrShrink::operator()):
2092         * interpreter/CallFrame.h:
2093         (JSC::ExecState::calleeAsValue):
2094         (JSC::ExecState::callee):
2095         (JSC::ExecState::unsafeCallee):
2096         (JSC::ExecState::codeBlock):
2097         (JSC::ExecState::scope):
2098         * jit/ExecutableAllocator.cpp:
2099         (JSC::ExecutableAllocator::dumpProfile):
2100         (JSC::ExecutableAllocator::getLock):
2101         (JSC::ExecutableAllocator::isValidExecutableMemory):
2102         * jit/ExecutableAllocator.h:
2103         * jit/ExecutableAllocatorFixedVMPool.cpp:
2104         (JSC::ExecutableAllocator::allocate):
2105         (JSC::ExecutableAllocator::isValidExecutableMemory):
2106         (JSC::ExecutableAllocator::getLock):
2107         (JSC::ExecutableAllocator::committedByteCount):
2108         * jsc.cpp:
2109         (GlobalObject::finishCreation):
2110         (functionCheckModuleSyntax):
2111         (functionPlatformSupportsSamplingProfiler):
2112         (functionStartSamplingProfiler):
2113         (functionSamplingProfilerStackTraces):
2114         * llint/LLIntPCRanges.h: Added.
2115         (JSC::LLInt::isLLIntPC):
2116         * offlineasm/asm.rb:
2117         * runtime/Executable.h:
2118         (JSC::ExecutableBase::isModuleProgramExecutable):
2119         (JSC::ExecutableBase::isExecutableType):
2120         (JSC::ExecutableBase::isHostFunction):
2121         * runtime/JSLock.cpp:
2122         (JSC::JSLock::didAcquireLock):
2123         (JSC::JSLock::unlock):
2124         * runtime/Options.h:
2125         * runtime/SamplingProfiler.cpp: Added.
2126         (JSC::reportStats):
2127         (JSC::FrameWalker::FrameWalker):
2128         (JSC::FrameWalker::walk):
2129         (JSC::FrameWalker::wasValidWalk):
2130         (JSC::FrameWalker::advanceToParentFrame):
2131         (JSC::FrameWalker::isAtTop):
2132         (JSC::FrameWalker::resetAtMachineFrame):
2133         (JSC::FrameWalker::isValidFramePointer):
2134         (JSC::FrameWalker::isValidCodeBlock):
2135         (JSC::SamplingProfiler::SamplingProfiler):
2136         (JSC::SamplingProfiler::~SamplingProfiler):
2137         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2138         (JSC::SamplingProfiler::visit):
2139         (JSC::SamplingProfiler::shutdown):
2140         (JSC::SamplingProfiler::start):
2141         (JSC::SamplingProfiler::stop):
2142         (JSC::SamplingProfiler::pause):
2143         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2144         (JSC::SamplingProfiler::dispatchIfNecessary):
2145         (JSC::SamplingProfiler::dispatchFunction):
2146         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2147         (JSC::SamplingProfiler::noticeVMEntry):
2148         (JSC::SamplingProfiler::clearData):
2149         (JSC::displayName):
2150         (JSC::SamplingProfiler::stacktracesAsJSON):
2151         (WTF::printInternal):
2152         * runtime/SamplingProfiler.h: Added.
2153         (JSC::SamplingProfiler::StackFrame::StackFrame):
2154         (JSC::SamplingProfiler::getLock):
2155         (JSC::SamplingProfiler::setTimingInterval):
2156         (JSC::SamplingProfiler::stackTraces):
2157         * runtime/VM.cpp:
2158         (JSC::VM::VM):
2159         (JSC::VM::~VM):
2160         (JSC::VM::setLastStackTop):
2161         (JSC::VM::createContextGroup):
2162         (JSC::VM::ensureWatchdog):
2163         (JSC::VM::ensureSamplingProfiler):
2164         (JSC::thunkGeneratorForIntrinsic):
2165         * runtime/VM.h:
2166         (JSC::VM::watchdog):
2167         (JSC::VM::samplingProfiler):
2168         (JSC::VM::isSafeToRecurse):
2169         (JSC::VM::lastStackTop):
2170         (JSC::VM::scratchBufferForSize):
2171         (JSC::VM::setLastStackTop): Deleted.
2172         * runtime/VMEntryScope.cpp:
2173         (JSC::VMEntryScope::VMEntryScope):
2174         * tests/stress/sampling-profiler: Added.
2175         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2176         (platformSupportsSamplingProfiler.foo):
2177         (platformSupportsSamplingProfiler.baz):
2178         (platformSupportsSamplingProfiler):
2179         * tests/stress/sampling-profiler-basic.js: Added.
2180         (platformSupportsSamplingProfiler.bar):
2181         (platformSupportsSamplingProfiler.foo):
2182         (platformSupportsSamplingProfiler.nothing):
2183         (platformSupportsSamplingProfiler.top):
2184         (platformSupportsSamplingProfiler.jaz):
2185         (platformSupportsSamplingProfiler.kaz):
2186         (platformSupportsSamplingProfiler.checkInlining):
2187         (platformSupportsSamplingProfiler):
2188         * tests/stress/sampling-profiler-deep-stack.js: Added.
2189         (platformSupportsSamplingProfiler.foo):
2190         (platformSupportsSamplingProfiler.let.hellaDeep):
2191         (platformSupportsSamplingProfiler.let.start):
2192         (platformSupportsSamplingProfiler):
2193         * tests/stress/sampling-profiler-microtasks.js: Added.
2194         (platformSupportsSamplingProfiler.testResults):
2195         (platformSupportsSamplingProfiler):
2196         (platformSupportsSamplingProfiler.loop.jaz):
2197         (platformSupportsSamplingProfiler.loop):
2198         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2199         (assert):
2200         (let.nodePrototype.makeChildIfNeeded):
2201         (makeNode):
2202         (updateCallingContextTree):
2203         (doesTreeHaveStackTrace):
2204         (makeTree):
2205         (runTest):
2206         (dumpTree):
2207         * yarr/YarrJIT.cpp:
2208         (JSC::Yarr::YarrGenerator::generateEnter):
2209         (JSC::Yarr::YarrGenerator::generateReturn):
2210         (JSC::Yarr::YarrGenerator::YarrGenerator):
2211         (JSC::Yarr::YarrGenerator::compile):
2212         (JSC::Yarr::jitCompile):
2213
2214 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2215
2216         [JSC] Iterating over a Set/Map is too slow
2217         https://bugs.webkit.org/show_bug.cgi?id=152691
2218
2219         Reviewed by Saam Barati.
2220
2221         Set#forEach and Set & for-of are very slow. There are 2 reasons.
2222
2223         1. forEach is implemented in C++. And typically, it takes a JS callback and calls it from C++.
2224
2225         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
2226
2227             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
2228             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
2229             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
2230              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
2231              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
2232              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
2233
2234         Writing forEach in JS eliminates this.
2235
2236             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
2237             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
2238             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
2239              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
2240              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
2241              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
2242              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
2243              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
2244
2245         2. Iterator result object allocation is costly.
2246
2247         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
2248
2249             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
2250             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
2251             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
2252             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
2253             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
2254              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
2255
2256         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in FTL.
2257         But seeing the perf result, we can find the easy-to-fix bottleneck in the current implementation.
2258         Every time, createIteratorResultObject creates an empty object and uses putDirect to store properties.
2259         The pre-baked Structure* with `done` and `value` properties makes this implementation fast.
2260
2261         After these improvements, the micro benchmark[1] shows the following.
2262
2263         old:
2264             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
2265             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
2266             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
2267             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
2268             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
2269             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
2270
2271         new:
2272             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
2273             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
2274             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
2275             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
2276             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
2277             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
2278
2279         Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x and 2.57x).
2280         After these optimizations, they are still much slower than linked list and array.
2281         This should be optimized in the long term.
2282
2283         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
2284
2285         * CMakeLists.txt:
2286         * DerivedSources.make:
2287         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2288         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2289         * JavaScriptCore.xcodeproj/project.pbxproj:
2290         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2291         (forEach):
2292         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2293         (forEach):
2294         * runtime/CommonIdentifiers.h:
2295         * runtime/IteratorOperations.cpp:
2296         (JSC::createIteratorResultObjectStructure):
2297         (JSC::createIteratorResultObject):
2298         * runtime/IteratorOperations.h:
2299         * runtime/JSGlobalObject.cpp:
2300         (JSC::JSGlobalObject::init):
2301         (JSC::JSGlobalObject::visitChildren):
2302         * runtime/JSGlobalObject.h:
2303         (JSC::JSGlobalObject::iteratorResultObjectStructure):
2304         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
2305         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
2306         * runtime/MapPrototype.cpp:
2307         (JSC::MapPrototype::getOwnPropertySlot):
2308         (JSC::privateFuncIsMap):
2309         (JSC::privateFuncMapIterator):
2310         (JSC::privateFuncMapIteratorNext):
2311         (JSC::MapPrototype::finishCreation): Deleted.
2312         (JSC::mapProtoFuncForEach): Deleted.
2313         * runtime/MapPrototype.h:
2314         * runtime/SetPrototype.cpp:
2315         (JSC::SetPrototype::getOwnPropertySlot):
2316         (JSC::privateFuncIsSet):
2317         (JSC::privateFuncSetIterator):
2318         (JSC::privateFuncSetIteratorNext):
2319         (JSC::SetPrototype::finishCreation): Deleted.
2320         (JSC::setProtoFuncForEach): Deleted.
2321         * runtime/SetPrototype.h:
2322
2323 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2324
2325         Unreviewed, fix ARM64 build.
2326
2327         * b3/air/AirOpcode.opcodes:
2328
2329 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2330
2331         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
2332         https://bugs.webkit.org/show_bug.cgi?id=152955
2333
2334         Reviewed by Saam Barati.
2335
2336         This happens when we box an int32 and then immediately unbox it.
2337
2338         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
2339         benchmark. It's neutral elsewhere.
2340
2341         * b3/B3ReduceStrength.cpp:
2342         * b3/testb3.cpp:
2343         (JSC::B3::testPowDoubleByIntegerLoop):
2344         (JSC::B3::testTruncOrHigh):
2345         (JSC::B3::testTruncOrLow):
2346         (JSC::B3::testBitAndOrHigh):
2347         (JSC::B3::testBitAndOrLow):
2348         (JSC::B3::zero):
2349         (JSC::B3::run):
2350
2351 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
2352
2353         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
2354         https://bugs.webkit.org/show_bug.cgi?id=149855
2355
2356         Reviewed by Saam Barati.
2357
2358         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
2359         'this', 'arguments' and 'super'.
2360
2361         * CMakeLists.txt:
2362         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2363         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2364         * JavaScriptCore.xcodeproj/project.pbxproj:
2365         * dfg/DFGAbstractInterpreterInlines.h:
2366         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2367         * dfg/DFGSpeculativeJIT.cpp:
2368         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2369         * dfg/DFGStructureRegistrationPhase.cpp:
2370         (JSC::DFG::StructureRegistrationPhase::run):
2371         * ftl/FTLAbstractHeapRepository.cpp:
2372         * ftl/FTLAbstractHeapRepository.h:
2373         * ftl/FTLLowerDFGToLLVM.cpp:
2374         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2375         * interpreter/Interpreter.cpp:
2376         * interpreter/Interpreter.h:
2377         * jit/JITOpcodes.cpp:
2378         * jit/JITOpcodes32_64.cpp:
2379         * jit/JITOperations.cpp:
2380         * jit/JITOperations.h:
2381         * llint/LLIntOffsetsExtractor.cpp:
2382         * llint/LLIntSlowPaths.cpp:
2383         * runtime/JSArrowFunction.cpp: Removed.
2384         * runtime/JSArrowFunction.h: Removed.
2385         * runtime/JSGlobalObject.cpp:
2386         * runtime/JSGlobalObject.h:
2387
2388 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2389
2390         It should be possible to run liveness over registers without also tracking Tmps
2391         https://bugs.webkit.org/show_bug.cgi?id=152963
2392
2393         Reviewed by Saam Barati.
2394
2395         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
2396         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
2397         code like that for handling cold function calls. It also makes code like that somewhat more
2398         scalable, since we're no longer using HashSets.
2399
2400         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
2401         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
2402         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
2403         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
2404         think that this is good, because the lack of set methods (add/remove/contains) has caused
2405         bugs in the past. This makes BitVector have methods both for set operations on bits and array
2406         operations on bits. I think that's good, since BitVector gets used in both contexts.
2407
2408         * b3/B3IndexSet.h:
2409         (JSC::B3::IndexSet::Iterable::iterator::iterator):
2410         (JSC::B3::IndexSet::Iterable::begin):
2411         (JSC::B3::IndexSet::dump):
2412         * b3/air/AirInstInlines.h:
2413         (JSC::B3::Air::ForEach<Tmp>::forEach):
2414         (JSC::B3::Air::ForEach<Arg>::forEach):
2415         (JSC::B3::Air::ForEach<Reg>::forEach):
2416         (JSC::B3::Air::Inst::forEach):
2417         * b3/air/AirLiveness.h:
2418         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
2419         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
2420         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
2421         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
2422         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
2423         * b3/air/AirReportUsedRegisters.cpp:
2424         (JSC::B3::Air::reportUsedRegisters):
2425         * jit/Reg.h:
2426         (JSC::Reg::next):
2427         (JSC::Reg::index):
2428         (JSC::Reg::maxIndex):
2429         (JSC::Reg::isSet):
2430         (JSC::Reg::operator bool):
2431         * jit/RegisterSet.h:
2432         (JSC::RegisterSet::forEach):
2433
2434 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
2435
2436         [JSC] Make branchMul functional in ARM B3 and minor fixes
2437         https://bugs.webkit.org/show_bug.cgi?id=152889
2438
2439         Reviewed by Mark Lam.
2440
2441         ARM64 does not have an "S" version of MUL setting the flags.
2442         What we do is abstract that in the MacroAssembler. The problem
2443         is that form requires scratch registers.
2444
2445         For simplicity, I just exposed the two scratch registers
2446         for Air. Filip already added the concept of Scratch role,
2447         all I needed was to expose it for opcodes.
2448
2449         * assembler/MacroAssemblerARM64.h:
2450         (JSC::MacroAssemblerARM64::branchMul32):
2451         (JSC::MacroAssemblerARM64::branchMul64):
2452         Expose a version with the scratch registers as arguments.
2453
2454         * b3/B3LowerToAir.cpp:
2455         (JSC::B3::Air::LowerToAir::lower):
2456         Add the new form of CheckMul lowering.
2457
2458         * b3/air/AirOpcode.opcodes:
2459         Expose the new BranchMuls.
2460         Remove all the Test variants that use immediates
2461         since Air can't handle those immediates correctly yet.
2462
2463         * b3/air/opcode_generator.rb:
2464         Expose the Scratch role.
2465
2466         * b3/testb3.cpp:
2467         (JSC::B3::testPatchpointLotsOfLateAnys):
2468         Ooops, the scratch registers were not clobbered. We were just lucky
2469         on x86.
2470
2471 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
2472
2473         [JSC] B3 is unable to do function calls on ARM64
2474         https://bugs.webkit.org/show_bug.cgi?id=152895
2475
2476         Reviewed by Mark Lam.
2477
2478         Apparently iOS does not follow the ARM64 ABI for function calls.
2479         Instead of giving each value an 8-byte slot, it must be packed
2480         while preserving alignment.
2481
2482         This patch adds a #ifdef to make function calls functional.
2483
2484         * b3/B3LowerToAir.cpp:
2485         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
2486         (JSC::B3::Air::LowerToAir::lower):
2487
2488 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
2489
2490         Air should support Branch64 with immediates
2491         https://bugs.webkit.org/show_bug.cgi?id=152951
2492
2493         Reviewed by Oliver Hunt.
2494
2495         This doesn't significantly improve performance on any benchmarks, but it's great to get this
2496         obvious omission out of the way.
2497
2498         * assembler/MacroAssemblerX86_64.h:
2499         (JSC::MacroAssemblerX86_64::branch64):
2500         * b3/air/AirOpcode.opcodes:
2501         * b3/testb3.cpp:
2502         (JSC::B3::testPowDoubleByIntegerLoop):
2503         (JSC::B3::testBranch64Equal):
2504         (JSC::B3::testBranch64EqualImm):
2505         (JSC::B3::testBranch64EqualMem):
2506         (JSC::B3::testBranch64EqualMemImm):
2507         (JSC::B3::zero):
2508         (JSC::B3::run):
2509
2510 2016-01-09  Dan Bernstein  <mitz@apple.com>
2511
2512         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
2513         https://bugs.webkit.org/show_bug.cgi?id=152926
2514
2515         Reviewed by Tim Horton.
2516
2517         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
2518         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
2519         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
2520
2521         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
2522
2523         * Configurations/Base.xcconfig:
2524         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
2525           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
2526         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
2527         * Configurations/JSC.xcconfig:
2528           Add quotes to account for spaces.
2529         * Configurations/ToolExecutable.xcconfig:
2530           Ditto.
2531         * postprocess-headers.sh:
2532           Ditto.
2533
2534 2016-01-09  Mark Lam  <mark.lam@apple.com>
2535
2536         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
2537         https://bugs.webkit.org/show_bug.cgi?id=152918
2538
2539         Reviewed by Filip Pizlo and Saam Barati.
2540
2541         * ftl/FTLCompile.cpp:
2542         - Updated a comment.
2543         * ftl/FTLLowerDFGToLLVM.cpp:
2544         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2545         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
2546           extra slot for BinaryOps that don't have Untyped operands, and failing to
2547           allocate that extra slot for some binary ops.  This is now fixed.
2548
2549         * tests/stress/ftl-shr-exception.js:
2550         * tests/stress/ftl-xor-exception.js:
2551         - Un-skipped these tests.  They now pass with this patch.
2552
2553 2016-01-09  Andreas Kling  <akling@apple.com>
2554
2555         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
2556         <https://webkit.org/b/152902>
2557
2558         Reviewed by Anders Carlsson.
2559
2560         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
2561
2562         * API/JSAPIWrapperObject.mm:
2563         (jsAPIWrapperObjectHandleOwner):
2564         * API/JSManagedValue.mm:
2565         (managedValueHandleOwner):
2566         * inspector/agents/InspectorDebuggerAgent.cpp:
2567         (Inspector::objectGroupForBreakpointAction):
2568         * jit/ExecutableAllocator.cpp:
2569         (JSC::DemandExecutableAllocator::allocators):
2570
2571 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2572
2573         FTL B3 should do varargs tail calls and stack overflows
2574         https://bugs.webkit.org/show_bug.cgi?id=152934
2575
2576         Reviewed by Saam Barati.
2577
2578         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
2579         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
2580         why I have two fixes in one change. Now the test passes.
2581
2582         This reduces the number of failures from 13 to 0.
2583
2584         * ftl/FTLLowerDFGToLLVM.cpp:
2585         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
2586         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
2587         append an Oops (i.e. "unreachable").
2588
2589 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2590
2591         B3 needs Neg()
2592         https://bugs.webkit.org/show_bug.cgi?id=152925
2593
2594         Reviewed by Mark Lam.
2595
2596         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
2597         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
2598
2599         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
2600         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
2601         to use bitops to represent floating point operations. Whatever cuteness this would have
2602         bought us would be outweighed by the annoyance of having to write code that matches
2603         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
2604         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
2605         Also, I suspect that the omission of Neg would cause others to make the mistake of using
2606         Sub to represent floating point negation.
2607
2608         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
2609         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
2610         floats, we lower it to BitXor(x, -0) on x86.
2611
2612         This reduces the number of failures from 13 to 12.
2613
2614         * assembler/MacroAssemblerX86Common.h:
2615         (JSC::MacroAssemblerX86Common::andFloat):
2616         (JSC::MacroAssemblerX86Common::xorDouble):
2617         (JSC::MacroAssemblerX86Common::xorFloat):
2618         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
2619         * b3/B3LowerMacrosAfterOptimizations.cpp:
2620         * b3/B3LowerToAir.cpp:
2621         (JSC::B3::Air::LowerToAir::lower):
2622         * b3/B3Opcode.cpp:
2623         (WTF::printInternal):
2624         * b3/B3Opcode.h:
2625         * b3/B3ReduceStrength.cpp:
2626         * b3/B3Validate.cpp:
2627         * b3/B3Value.cpp:
2628         (JSC::B3::Value::effects):
2629         (JSC::B3::Value::key):
2630         (JSC::B3::Value::typeFor):
2631         * b3/air/AirOpcode.opcodes:
2632         * ftl/FTLB3Output.cpp:
2633         (JSC::FTL::Output::lockedStackSlot):
2634         (JSC::FTL::Output::neg):
2635         (JSC::FTL::Output::bitNot):
2636         * ftl/FTLB3Output.h:
2637         (JSC::FTL::Output::chillDiv):
2638         (JSC::FTL::Output::mod):
2639         (JSC::FTL::Output::chillMod):
2640         (JSC::FTL::Output::doubleAdd):
2641         (JSC::FTL::Output::doubleSub):
2642         (JSC::FTL::Output::doubleMul):
2643         (JSC::FTL::Output::doubleDiv):
2644         (JSC::FTL::Output::doubleMod):
2645         (JSC::FTL::Output::doubleNeg):
2646         (JSC::FTL::Output::bitAnd):
2647         (JSC::FTL::Output::bitOr):
2648         (JSC::FTL::Output::neg): Deleted.
2649         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
2650         it's such a glaring bug, I thought having a test for it specifically would be good.
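
        The Sub(0, x) versus Neg(x) distinction described in the entry above, as an added C example that is not part of WebKit or this ChangeLog: it compares Sub(0, x) with the BitXor(x, -0) sign flip that B3 lowers float Neg to, bit for bit, including the signed-zero case and the Neg(Neg(x)) => x reduction. The function names are my own, and the sign mask is read from -0.0 itself rather than hardcoded.

```c
/* Added example, not WebKit code: why B3 wants a real Neg() opcode.
 * Sub(0, x) is an exact negation for two's-complement ints, but for IEEE
 * doubles it loses the sign of zero, so B3 lowers float Neg to BitXor(x, -0). */
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Negation written as Sub(0, x): the representation the entry calls wrong. */
static double neg_via_sub(double x)
{
    return 0.0 - x;
}

/* Negation as B3 lowers it for floats on x86: BitXor(x, -0) flips only the
 * sign bit. The mask is taken from the bit pattern of -0.0 itself. */
static double neg_via_xor(double x)
{
    uint64_t bits, sign_mask;
    const double negative_zero = -0.0;
    memcpy(&bits, &x, sizeof bits);
    memcpy(&sign_mask, &negative_zero, sizeof sign_mask);
    bits ^= sign_mask;
    memcpy(&x, &bits, sizeof x);
    return x;
}

/* Bit-for-bit comparison, so +0.0 and -0.0 are told apart (== would not). */
static bool same_bits(double a, double b)
{
    uint64_t ab, bb;
    memcpy(&ab, &a, sizeof ab);
    memcpy(&bb, &b, sizeof bb);
    return ab == bb;
}

/* Does Sub(0, x) agree with true negation for this x? False for x == +0.0,
 * because 0.0 - 0.0 rounds to +0.0 while Neg(0.0) is -0.0. */
static bool sub_matches_neg(double x)
{
    return same_bits(neg_via_sub(x), -x);
}

/* Does BitXor(x, -0) agree with true negation? True for every finite/inf x. */
static bool xor_matches_neg(double x)
{
    return same_bits(neg_via_xor(x), -x);
}

/* The Neg(Neg(x)) => x strength reduction is only sound if Neg is an exact
 * sign flip. With Sub(0, x) it is not: x == -0.0 comes back as +0.0. */
static bool sub_double_negation_is_identity(double x)
{
    return same_bits(neg_via_sub(neg_via_sub(x)), x);
}

static bool xor_double_negation_is_identity(double x)
{
    return same_bits(neg_via_xor(neg_via_xor(x)), x);
}

/* For ints, Sub(0, x) is exact (wrapping two's complement), which is why B3
 * can safely canonicalize integer Sub(0, x) into Neg(x). */
static int32_t neg_int_via_sub(int32_t x)
{
    return (int32_t)(0u - (uint32_t)x);
}

int main(void)
{
    const double inputs[] = { 0.0, -0.0, 1.5, -2.25, INFINITY };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        double x = inputs[i];
        printf("x=%+g  Sub(0,x) ok: %d  BitXor(x,-0) ok: %d  Sub twice is identity: %d\n",
               x, sub_matches_neg(x), xor_matches_neg(x),
               sub_double_negation_is_identity(x));
    }
    printf("int Neg via Sub: -(5) = %d, -(-7) = %d\n",
           neg_int_via_sub(5), neg_int_via_sub(-7));
    return 0;
}
```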
2651
2652 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2653
2654         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
2655         https://bugs.webkit.org/show_bug.cgi?id=152922
2656
2657         Reviewed by Saam Barati.
2658
2659         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
2660         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
2661         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
2662         clear the handlers before generation, sort of like FTL LLVM does.
2663
2664         Also added some stuff to make it easier to inspect the handler table.
2665
2666         This reduces the number of failures from 25 to 13.
2667
2668         * bytecode/CodeBlock.cpp:
2669         (JSC::CodeBlock::dumpBytecode):
2670         (JSC::CodeBlock::dumpExceptionHandlers):
2671         (JSC::CodeBlock::beginDumpProfiling):
2672         * bytecode/CodeBlock.h:
2673         * ftl/FTLB3Compile.cpp:
2674         (JSC::FTL::compile):
2675
2676 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2677
2678         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
2679         https://bugs.webkit.org/show_bug.cgi?id=152916
2680
2681         Reviewed by Mark Lam.
2682
2683         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
2684
2685         This reduces the number of failures from 27 to 25.
2686
2687         * b3/B3ReduceStrength.cpp:
2688
2689 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2690
2691         FTL B3 allocateCell() should not crash
2692         https://bugs.webkit.org/show_bug.cgi?id=152909
2693
2694         Reviewed by Mark Lam.
2695
2696         This code was crashing in some tests that forced GC slow paths because it was stubbed out
2697         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
2698         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
2699         any LLVM optimizations by using undef.
2700
2701         This reduces the number of failures from 35 to 27.
2702
2703         * ftl/FTLLowerDFGToLLVM.cpp:
2704         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2705
2706 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2707
2708         FTL B3 fails to realize that binary snippets might choose to omit their fast path
2709         https://bugs.webkit.org/show_bug.cgi?id=152901
2710
2711         Reviewed by Mark Lam.
2712
2713         This reduces the number of failures from 99 to 35.
2714
2715         * ftl/FTLLowerDFGToLLVM.cpp:
2716         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2717
2718 2016-01-08  Saam barati  <sbarati@apple.com>
2719
2720         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
2721         https://bugs.webkit.org/show_bug.cgi?id=152879
2722
2723         Reviewed by Filip Pizlo.
2724
2725         We were clobbering a register we needed when picking
2726         a scratch register inside an FTL OSR Exit.
2727
2728         * dfg/DFGThunks.cpp:
2729         (JSC::DFG::osrEntryThunkGenerator):
2730         * jit/AssemblyHelpers.cpp:
2731         (JSC::AssemblyHelpers::emitRandomThunk):
2732         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
2733         * jit/AssemblyHelpers.h:
2734         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
2735         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2736         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
2737         (foo):
2738
2739 2016-01-08  Mark Lam  <mark.lam@apple.com>
2740
2741         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
2742         https://bugs.webkit.org/show_bug.cgi?id=152897
2743
2744         Not reviewed.
2745
2746         * dfg/DFGAbstractInterpreterInlines.h:
2747         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2748         * dfg/DFGByteCodeParser.cpp:
2749         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2750         * dfg/DFGClobberize.h:
2751         (JSC::DFG::clobberize):
2752         * dfg/DFGDoesGC.cpp:
2753         (JSC::DFG::doesGC):
2754         * dfg/DFGFixupPhase.cpp:
2755         (JSC::DFG::FixupPhase::fixupNode):
2756         * dfg/DFGNodeType.h:
2757         * dfg/DFGOperations.cpp:
2758         * dfg/DFGOperations.h:
2759         * dfg/DFGPredictionPropagationPhase.cpp:
2760         (JSC::DFG::PredictionPropagationPhase::propagate):
2761         * dfg/DFGSafeToExecute.h:
2762         (JSC::DFG::safeToExecute):
2763         * dfg/DFGSpeculativeJIT.cpp:
2764         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2765         * dfg/DFGSpeculativeJIT32_64.cpp:
2766         (JSC::DFG::SpeculativeJIT::compile):
2767         * dfg/DFGSpeculativeJIT64.cpp:
2768         (JSC::DFG::SpeculativeJIT::compile):
2769         * runtime/StringConstructor.cpp:
2770         (JSC::stringFromCharCode):
2771         (JSC::stringFromSingleCharCode): Deleted.
2772         * runtime/StringConstructor.h:
2773
2774 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
2775
2776         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
2777         https://bugs.webkit.org/show_bug.cgi?id=152893
2778
2779         Reviewed by Mark Lam.
2780
2781         Use std::call_once since pthreads is not present on all platforms.
2782
2783         * llvm/InitializeLLVM.cpp:
2784         (JSC::initializeLLVMImpl):
2785         (JSC::initializeLLVM):
2786
2787 2016-01-08  Mark Lam  <mark.lam@apple.com>
2788
2789         Rename StringFromCharCode to StringFromSingleCharCode.
2790         https://bugs.webkit.org/show_bug.cgi?id=152897
2791
2792         Reviewed by Daniel Bates.
2793
2794         StringFromSingleCharCode is a better name because the intrinsic it represents
2795         only applies when we are converting from a single char code.  This is purely
2796         a refactoring patch.  There is no semantic change.
2797
2798         * dfg/DFGAbstractInterpreterInlines.h:
2799         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2800         * dfg/DFGByteCodeParser.cpp:
2801         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2802         * dfg/DFGClobberize.h:
2803         (JSC::DFG::clobberize):
2804         * dfg/DFGDoesGC.cpp:
2805         (JSC::DFG::doesGC):
2806         * dfg/DFGFixupPhase.cpp:
2807         (JSC::DFG::FixupPhase::fixupNode):
2808         * dfg/DFGNodeType.h:
2809         * dfg/DFGOperations.cpp:
2810         * dfg/DFGOperations.h:
2811         * dfg/DFGPredictionPropagationPhase.cpp:
2812         (JSC::DFG::PredictionPropagationPhase::propagate):
2813         * dfg/DFGSafeToExecute.h:
2814         (JSC::DFG::safeToExecute):
2815         * dfg/DFGSpeculativeJIT.cpp:
2816         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2817         * dfg/DFGSpeculativeJIT32_64.cpp:
2818         (JSC::DFG::SpeculativeJIT::compile):
2819         * dfg/DFGSpeculativeJIT64.cpp:
2820         (JSC::DFG::SpeculativeJIT::compile):
2821         * runtime/StringConstructor.cpp:
2822         (JSC::stringFromCharCode):
2823         (JSC::stringFromSingleCharCode):
2824         * runtime/StringConstructor.h:
2825
2826 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
2827
2828         [mips] Fixed unused parameter warnings
2829         https://bugs.webkit.org/show_bug.cgi?id=152885
2830
2831         Reviewed by Mark Lam.
2832
2833         * jit/CCallHelpers.h:
2834         (JSC::CCallHelpers::setupArgumentsWithExecState):
2835
2836 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
2837
2838         [mips] Max value of immediate arg of logical ops is 0xffff
2839         https://bugs.webkit.org/show_bug.cgi?id=152884
2840
2841         Reviewed by Michael Saboff.
2842
2843         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535
2844
2845         * assembler/MacroAssemblerMIPS.h:
2846         (JSC::MacroAssemblerMIPS::and32):
2847         (JSC::MacroAssemblerMIPS::or32):
2848
2849 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
2850
2851         [mips] Add new or32 implementation after r194613
2852         https://bugs.webkit.org/show_bug.cgi?id=152865
2853
2854         Reviewed by Michael Saboff.
2855
2856         * assembler/MacroAssemblerMIPS.h:
2857         (JSC::MacroAssemblerMIPS::or32):
2858
2859 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2860
2861         FTL B3 lazy slow paths should do exceptions
2862         https://bugs.webkit.org/show_bug.cgi?id=152853
2863
2864         Reviewed by Saam Barati.
2865
2866         This reduces the number of JSC test failures to 97.
2867
2868         * ftl/FTLLowerDFGToLLVM.cpp:
2869         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2870         * tests/stress/ftl-new-negative-array-size.js: Added.
2871         (foo):
2872
2873 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2874
2875         Unreviewed, skip more tests that fail.
2876
2877         * tests/stress/ftl-shr-exception.js:
2878         (foo):
2879         * tests/stress/ftl-xor-exception.js:
2880         (foo):
2881
2882 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2883
2884         FTL B3 binary snippets should do exceptions
2885         https://bugs.webkit.org/show_bug.cgi?id=152852
2886
2887         Reviewed by Saam Barati.
2888
2889         This reduces the number of JSC test failures to 110.
2890
2891         * ftl/FTLLowerDFGToLLVM.cpp:
2892         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2893         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2894         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2895         * tests/stress/ftl-shr-exception.js: Added.
2896         (foo):
2897         (result.foo.valueOf):
2898         * tests/stress/ftl-sub-exception.js: Added.
2899         (foo):
2900         (result.foo.valueOf):
2901         * tests/stress/ftl-xor-exception.js: Added.
2902         (foo):
2903         (result.foo.valueOf):
2904
2905 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2906
2907         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
2908
2909         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
2910         (foo):
2911
2912 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2913
2914         Unreviewed, skipping this test. Looks like LLVM can't handle it.
2915
2916         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
2917         (foo):
2918
2919 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2920
2921         FTL B3 JS calls should do exceptions
2922         https://bugs.webkit.org/show_bug.cgi?id=152851
2923
2924         Reviewed by Geoffrey Garen.
2925
2926         This reduces the number of JSC test failures with FTL B3 to 111.
2927
2928         * dfg/DFGSpeculativeJIT64.cpp:
2929         (JSC::DFG::SpeculativeJIT::emitCall):
2930         * ftl/FTLLowerDFGToLLVM.cpp:
2931         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2932         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2933         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2934         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
2935         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
2936         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
2937         * tests/stress/ftl-call-exception-no-catch.js: Added.
2938         * tests/stress/ftl-call-exception.js: Added.
2939         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
2940         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
2941         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
2942         * tests/stress/ftl-call-varargs-exception.js: Added.
2943
2944 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2945
2946         FTL B3 PutById should do exceptions
2947         https://bugs.webkit.org/show_bug.cgi?id=152850
2948
2949         Reviewed by Saam Barati.
2950
2951         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
2952         number of JSC test failures to 128.
2953
2954         * ftl/FTLLowerDFGToLLVM.cpp:
2955         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2956         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
2957         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
2958         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
2959         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
2960         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
2961         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
2962
2963 2016-01-07  Commit Queue  <commit-queue@webkit.org>
2964
2965         Unreviewed, rolling out r194714.
2966         https://bugs.webkit.org/show_bug.cgi?id=152864
2967
2968         it broke many JSC tests when FTL B3 is enabled (Requested by
2969         pizlo on #webkit).
2970
2971         Reverted changeset:
2972
2973         "[JSC] When resolving Stack arguments, use addressing from SP
2974         when addressing from FP is invalid"
2975         https://bugs.webkit.org/show_bug.cgi?id=152840
2976         http://trac.webkit.org/changeset/194714
2977
2978 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
2979
2980         [mips] Lower immediates of logical operations.
2981         https://bugs.webkit.org/show_bug.cgi?id=152693
2982
2983         On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
2984         non-negative numbers.
2985
2986         Reviewed by Michael Saboff.
2987
2988         * offlineasm/mips.rb:
2989
2990 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
2991
2992         [JSC] Update testCheckSubBadImm() for ARM64
2993         https://bugs.webkit.org/show_bug.cgi?id=152846
2994
2995         Reviewed by Mark Lam.
2996
2997         * b3/testb3.cpp:
2998         (JSC::B3::testCheckSubBadImm):
2999         The test was assuming the constant can always be used
3000         as immediate. That's obviously not the case on ARM64.
3001
3002 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3003
3004         FTL B3 getById() should do exceptions
3005         https://bugs.webkit.org/show_bug.cgi?id=152810
3006
3007         Reviewed by Saam Barati.
3008
3009         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
3010         exceptions from GetById. This covers all of the following ways that a GetById might throw an
3011         exception:
3012
3013         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
3014         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
3015         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
3016         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
3017         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
3018         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
3019
3020         This requires having a default exception target in FTL-generated code, and ensuring that this
3021         target is generated regardless of whether we have branches to the B3 basic block of the
3022         default exception target. This also requires adding some extra arguments to a
3023         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
3024         else. This also requires associating the CallSiteIndex of the patchpoint with the register
3025         set used for exit and with the OSR exit label for the unwind exit.
3026
3027         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
3028         is covered by the new PatchpointExceptionHandle object. You create one by calling
3029         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
3030         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
3031         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
3032         for operation calls and OSR exits for unwind. You call the
3033         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
3034         actually get OSR exits.
3035
3036         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
3037         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
3038         you use this API, it automatically registers a link task that will link the JumpList to the
3039         actual OSR exit label.
3040
3041         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
3042         to use the Box<JumpList> approach, but if you really just need the label, you can also get
3043         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
3044         to vend you the OSR exit label at link-time.
3045
3046         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
3047         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
3048         passes all of these new tests. Note that I'm not counting the new tests as part of the
3049         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
3050
3051         After this change, it should be easy to make all of the other patchpoints also handle
3052         exceptions by just following the preparePatchpointForExceptions() idiom.
3053
3054         * CMakeLists.txt:
3055         * JavaScriptCore.xcodeproj/project.pbxproj:
3056         * b3/B3StackmapValue.h:
3057         * b3/B3ValueRep.cpp:
3058         (JSC::B3::ValueRep::addUsedRegistersTo):
3059         (JSC::B3::ValueRep::usedRegisters):
3060         (JSC::B3::ValueRep::dump):
3061         * b3/B3ValueRep.h:
3062         (JSC::B3::ValueRep::doubleValue):
3063         (JSC::B3::ValueRep::withOffset):
3064         (JSC::B3::ValueRep::usedRegisters):
3065         * ftl/FTLB3Compile.cpp:
3066         (JSC::FTL::compile):
3067         * ftl/FTLB3Output.h:
3068         (JSC::FTL::Output::unreachable):
3069         (JSC::FTL::Output::speculate):
3070         * ftl/FTLExceptionTarget.cpp: Added.
3071         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
3072         (JSC::FTL::ExceptionTarget::label):
3073         (JSC::FTL::ExceptionTarget::jumps):
3074         (JSC::FTL::ExceptionTarget::ExceptionTarget):
3075         * ftl/FTLExceptionTarget.h: Added.
3076         * ftl/FTLJITCode.cpp:
3077         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3078         * ftl/FTLLowerDFGToLLVM.cpp:
3079         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3080         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3081         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3082         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3083         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3084         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3085         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3086         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3087         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3088         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3089         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3090         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3091         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
3092         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3093         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3094         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3095         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3096         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
3097         (JSC::FTL::PatchpointExceptionHandle::create):
3098         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
3099         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
3100         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
3101         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3102         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
3103         (JSC::FTL::PatchpointExceptionHandle::createHandle):
3104         * ftl/FTLPatchpointExceptionHandle.h: Added.
3105         * ftl/FTLState.cpp:
3106         * ftl/FTLState.h:
3107         (JSC::FTL::verboseCompilationEnabled):
3108         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
3109         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
3110         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
3111         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
3112         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
3113         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
3114         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
3115         * tests/stress/ftl-operation-exception-no-catch.js: Added.
3116
3117 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3118
3119         [mips] Implemented missing branch patching methods.
3120         https://bugs.webkit.org/show_bug.cgi?id=152845
3121
3122         Reviewed by Michael Saboff.
3123
3124         * assembler/MacroAssemblerMIPS.h:
3125         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
3126         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3127         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3128
3129 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3130
3131         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
3132         https://bugs.webkit.org/show_bug.cgi?id=152840
3133
3134         Reviewed by Mark Lam.
3135
3136         ARM64 has two kinds of addressing with immediates:
3137         -Signed 9bits direct (really only -256 to 255).
3138         -Unsigned 12bits scaled by the load/store size.
3139
3140         When resolving the stack addresses, we easily run
3141         past -256 bytes from FP. Addressing from SP gives us more
3142         room to address the stack efficiently because we can
3143         use unsigned immediates.
3144
3145         * b3/B3StackmapSpecial.cpp:
3146         (JSC::B3::StackmapSpecial::repForArg):
3147         * b3/air/AirAllocateStack.cpp:
3148         (JSC::B3::Air::allocateStack):
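
        As an added illustration of the two ARM64 addressing forms described above (example code, not JSC's own): a hypothetical helper classifies an offset against the unscaled signed 9-bit and the scaled unsigned 12-bit immediate forms, and a second helper uses it to decide whether a stack slot can be addressed from FP, from SP, or needs a temporary register. The frame layout (SP = FP - frameSize) and the access sizes are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical helper (not from JSC): which ARM64 load/store immediate form, if any,
// can encode `offset` for an access of `accessSize` bytes (1, 2, 4 or 8)?
//   - Signed9:          LDUR/STUR style, -256..255, any alignment
//   - Unsigned12Scaled: LDR/STR style, 0..4095*accessSize, must be a multiple of accessSize
enum class Imm { None, Signed9, Unsigned12Scaled };

Imm classifyARM64Offset(int64_t offset, unsigned accessSize)
{
    if (offset >= -256 && offset <= 255)
        return Imm::Signed9;
    if (accessSize && offset >= 0 && offset % accessSize == 0 && offset / accessSize <= 4095)
        return Imm::Unsigned12Scaled;
    return Imm::None;
}

enum class Base { FP, SP, NeedsTemp };

struct Resolved {
    Base base;
    int64_t offset; // offset relative to the chosen base register
};

// A stack slot lives at FP + fpOffset (normally negative). Assumed layout for this
// example: the frame occupies frameSize bytes below FP, so SP = FP - frameSize and the
// same slot is SP + (fpOffset + frameSize). Prefer FP; fall back to SP, whose
// non-negative offsets can use the much larger unsigned scaled form.
Resolved resolveStackSlot(int64_t fpOffset, int64_t frameSize, unsigned accessSize)
{
    if (classifyARM64Offset(fpOffset, accessSize) != Imm::None)
        return { Base::FP, fpOffset };
    int64_t spOffset = fpOffset + frameSize;
    if (classifyARM64Offset(spOffset, accessSize) != Imm::None)
        return { Base::SP, spOffset };
    // Neither base works with an immediate: the address must be materialized in a temp.
    return { Base::NeedsTemp, fpOffset };
}

static const char* baseName(Base b)
{
    switch (b) {
    case Base::FP: return "FP";
    case Base::SP: return "SP";
    default: return "temp register";
    }
}

int main()
{
    // Constructed cases: a slot just below FP, one past the -256 limit, and a far one.
    const int64_t cases[] = { -16, -264, -1024, -70000 };
    for (int64_t fpOffset : cases) {
        Resolved r = resolveStackSlot(fpOffset, 2048, 8);
        std::printf("FP%+lld (8-byte access) -> %s%+lld\n",
            (long long)fpOffset, baseName(r.base), (long long)r.offset);
    }
    return 0;
}
```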
3149
3150 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3151
3152         [mips] Make repatchCall public to fix compilation.
3153         https://bugs.webkit.org/show_bug.cgi?id=152843
3154
3155         Reviewed by Michael Saboff.
3156
3157         * assembler/MacroAssemblerMIPS.h:
3158         (JSC::MacroAssemblerMIPS::repatchCall):
3159         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
3160
3161 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3162
3163         [mips] Replaced subi with addi in getHostCallReturnValue
3164         https://bugs.webkit.org/show_bug.cgi?id=152841
3165
3166         Reviewed by Michael Saboff.
3167
3168         The MIPS architecture does not have a subi instruction; addi with a negative
3169         number should be used instead.
3170
3171         * jit/JITOperations.cpp:
3172
3173 2016-01-07  Mark Lam  <mark.lam@apple.com>
3174
3175         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3176         https://bugs.webkit.org/show_bug.cgi?id=152833
3177
3178         Reviewed by Michael Saboff.
3179
3180         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
3181         store32.
3182
3183         * assembler/MacroAssemblerARM64.h:
3184         (JSC::MacroAssemblerARM64::or32):
3185         (JSC::MacroAssemblerARM64::store):
3186
3187 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3188
3189         [mips] GPRInfo::toArgumentRegister missing
3190         https://bugs.webkit.org/show_bug.cgi?id=152838
3191
3192         Reviewed by Michael Saboff.
3193
3194         * jit/GPRInfo.h:
3195         (JSC::GPRInfo::toArgumentRegister):
3196
3197 2016-01-07  Mark Lam  <mark.lam@apple.com>
3198
3199         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3200         https://bugs.webkit.org/show_bug.cgi?id=152833
3201
3202         Reviewed by Benjamin Poulain.
3203
3204         * assembler/MacroAssemblerARM.h:
3205         (JSC::MacroAssemblerARM::or32):
3206         - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
3207         * assembler/MacroAssemblerARM64.h:
3208         (JSC::MacroAssemblerARM64::or32):
3209         - Implement an optimization that avoids reloading the memoryTempRegister when
3210           the immediate is encodable as an instruction immediate.
3211         * assembler/MacroAssemblerARMv7.h:
3212         (JSC::MacroAssemblerARMv7::or32):
3213         - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
3214         - Implement an optimization that avoids reloading the memoryTempRegister when
3215           the immediate is encodable as an instruction immediate.  In the event that we
3216           cannot encode the immediate, we'll use the addressTempRegister as a temp, and
3217           reload it later.
3218
3219 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3220
3221         [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
3222         https://bugs.webkit.org/show_bug.cgi?id=152664
3223
3224         Reviewed by Alex Christensen.
3225
3226         * shell/CMakeLists.txt:
3227
3228 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
3229
3230         Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
3231         https://bugs.webkit.org/show_bug.cgi?id=152825
3232         <rdar://problem/24021276>
3233
3234         Reviewed by Timothy Hatcher.
3235
3236         * debugger/Debugger.cpp:
3237         (JSC::Debugger::breakProgram):
3238         We cannot pause if we are not evaluating JavaScript, so bail.
3239
3240 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3241
3242         [JSC] Re-enable lea() in Air on ARM64
3243         https://bugs.webkit.org/show_bug.cgi?id=152832
3244
3245         Reviewed by Michael Saboff.
3246
3247         Lea() on the MacroAssembler is not the full x86 Lea (the real one being
3248         x86Lea32()). Instead, it is an addPtr() with SP and a constant.
3249
3250         The instruction is required to implement B3's StackSlot. It is not
3251         safe for big offsets but none of the stack operations are at the moment.
3252
3253         * b3/air/AirOpcode.opcodes:
3254
3255 2016-01-07  Julien Brianceau  <jbriance@cisco.com>
3256
3257         [mips] Add two missing abortWithReason implementations
3258         https://bugs.webkit.org/show_bug.cgi?id=136753
3259
3260         Reviewed by Benjamin Poulain.
3261
3262         * assembler/MacroAssemblerMIPS.h:
3263         (JSC::MacroAssemblerMIPS::memoryFence):
3264         (JSC::MacroAssemblerMIPS::abortWithReason):
3265         (JSC::MacroAssemblerMIPS::readCallTarget):
3266
3267 2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>
3268
3269         Add new or32 implementation to MacroAssemblerARM after r194613
3270         https://bugs.webkit.org/show_bug.cgi?id=152784
3271
3272         Reviewed by Benjamin Poulain.
3273
3274         * assembler/MacroAssemblerARM.h:
3275         (JSC::MacroAssemblerARM::or32):
3276
3277 2016-01-06  Mark Lam  <mark.lam@apple.com>
3278
3279         REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
3280         https://bugs.webkit.org/show_bug.cgi?id=152805
3281
3282         Reviewed by Michael Saboff.
3283
3284         There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
3285         So, we'll continue to use one of the result registers as the scratch, and
3286         re-compute the result at the end.
3287
3288         * jit/JITMulGenerator.cpp:
3289         (JSC::JITMulGenerator::generateFastPath):
3290
3291 2016-01-06  Anders Carlsson  <andersca@apple.com>
3292
3293         Add a smart block pointer
3294         https://bugs.webkit.org/show_bug.cgi?id=152799
3295
3296         Reviewed by Tim Horton.
3297
3298         Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.
3299
3300         * inspector/remote/RemoteConnectionToTarget.h:
3301         (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
3302         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
3303         (Inspector::RemoteTargetBlock::operator=): Deleted.
3304         (Inspector::RemoteTargetBlock::operator()): Deleted.
3305         * inspector/remote/RemoteConnectionToTarget.mm:
3306         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3307         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
3308
3309 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
3310
3311         [JSC] More B3 tests passing on ARM64
3312         https://bugs.webkit.org/show_bug.cgi?id=152787
3313
3314         Reviewed by Michael Saboff.
3315
3316         Some more minor bugs.
3317
3318         * assembler/MacroAssemblerARM64.h:
3319         (JSC::MacroAssemblerARM64::urshift64):
3320         The offset was being truncated. That code was just copied
3321         from the 32-bit version of urshift.
3322
3323         * b3/B3LowerToAir.cpp:
3324         (JSC::B3::Air::LowerToAir::createGenericCompare):
3325         Very few instructions can encode -1 as immediate.
3326         TST certainly can't. The fallback works for ARM.
3327
3328         * b3/air/AirOpcode.opcodes:
3329         Bit instructions have very specific immediate encoding.
3330         B3 cannot express that properly yet. I disabled those
3331         forms for now. Immediate encoding is something we'll really
3332         have to look into at some point for B3 ARM64.
3333
3334 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
3335
3336         Silence -Wtautological-compare
3337         https://bugs.webkit.org/show_bug.cgi?id=152768
3338
3339         Reviewed by Saam Barati.
3340
3341         * runtime/Options.cpp:
3342         (JSC::Options::setAliasedOption):
3343
3344 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
3345
3346         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
3347         https://bugs.webkit.org/show_bug.cgi?id=152798
3348
3349         Reviewed by Oliver Hunt.
3350
3351         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
3352         into callCheck(), since that was its only caller. This makes it a bit more clear what is
3353         going on.
3354
3355         It turns out that FTL B3 already handled this case properly. I added a test that I believe
3356         illustrates this. Note that although the test uses GetById, which ordinarily throws
3357         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
3358         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
3359
3360         * ftl/FTLLowerDFGToLLVM.cpp:
3361         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3362         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3363         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3364         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
3365         * tests/stress/ftl-operation-exception.js: Added.
3366         (foo):
3367
3368 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
3369
3370         Web Inspector: Remove duplicate check
3371         https://bugs.webkit.org/show_bug.cgi?id=152792
3372
3373         Reviewed by Timothy Hatcher.
3374
3375         * inspector/InjectedScriptSource.js:
3376         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
3377         This method is only called from one pl