[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r194328.

        This change appears to have caused failures in JSC tests

        Reverted changeset:

        "[INTL] Implement String.prototype.localeCompare in ECMA-402"
        https://bugs.webkit.org/show_bug.cgi?id=147607
        http://trac.webkit.org/changeset/194328
12
2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        B3->Air lowering incorrectly copy-propagates over ZExt32's
        https://bugs.webkit.org/show_bug.cgi?id=152365

        Reviewed by Benjamin Poulain.

        The instruction selector thinks that Value's that return Int32's are going to always be lowered
        to instructions that zero-extend the destination. But this isn't actually true. If you have an
        Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
        filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
        garbage in the high bits.

        The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
        pretty sad bug, but:

        - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
          ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
          harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
          "i" is a 32-bit integer that is computed using operations that already do zero-extension.

        - More broadly, it's strange that the instruction selector decides whether a Value will be
          lowered to something that zero-extends. That's too constraining, since the most optimal
          instruction selection might involve something that doesn't zero-extend in cases of spilling, so
          the zero-extension should only happen if it's actually needed. This means that we need to
          understand which Air instructions cause zero-extensions.

        - If we know which Air instructions cause zero-extensions, then we don't need the instruction
          selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
          allocator.

        In fact, the register allocator is exactly where all of the pieces come together. It's there that
        we want to know which operations zero-extend and which don't. It also wants to know how many bits
        of a Tmp each instruction reads. Armed with that information, the register allocator can emit
        more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
        on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.

        This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
        V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
        appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
        could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
        registers, and then have it emit spill code around the call itself. LLVM probably gets this
        optimization from its live range splitting.

        I tried writing a regression test. The problem is that you need garbage on the stack for this to
        work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
        this, so we do have coverage.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::isX86):
        (JSC::isX86_64):
        (JSC::optimizeForARMv7IDIVSupported):
        (JSC::optimizeForX86):
        (JSC::optimizeForX86_64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::highBitsAreZero):
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3Value.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.cpp:
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::pointerWidth):
        (JSC::B3::Air::Arg::isAnyUse):
        (JSC::B3::Air::Arg::isColdUse):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::isDef):
        (JSC::B3::Air::Arg::isZDef):
        (JSC::B3::Air::Arg::widthForB3Type):
        (JSC::B3::Air::Arg::conservativeWidth):
        (JSC::B3::Air::Arg::minimumWidth):
        (JSC::B3::Air::Arg::bytes):
        (JSC::B3::Air::Arg::widthForBytes):
        (JSC::B3::Air::Arg::Arg):
        (JSC::B3::Air::Arg::forEachTmp):
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::forEachArg):
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirFixPartialRegisterStalls.cpp:
        (JSC::B3::Air::fixPartialRegisterStalls):
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::hasArgEffects):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::forEachTmpFast):
        (JSC::B3::Air::Inst::forEachTmp):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmpWidth.cpp: Added.
        (JSC::B3::Air::TmpWidth::TmpWidth):
        (JSC::B3::Air::TmpWidth::~TmpWidth):
        * b3/air/AirTmpWidth.h: Added.
        (JSC::B3::Air::TmpWidth::width):
        (JSC::B3::Air::TmpWidth::defWidth):
        (JSC::B3::Air::TmpWidth::useWidth):
        (JSC::B3::Air::TmpWidth::Widths::Widths):
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * b3/air/opcode_generator.rb:
        * b3/testb3.cpp:
        (JSC::B3::testCheckMegaCombo):
        (JSC::B3::testCheckTrickyMegaCombo):
        (JSC::B3::testCheckTwoMegaCombos):
        (JSC::B3::run):
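
        The width problem the entry above describes, as an added illustration (editor's example, not JSC's
        TmpWidth or any code from this commit): a toy per-Tmp width analysis that distinguishes a plain Def
        (writes only its own bits, as a spilled Add32 does to a stack slot) from a ZDef (writes its bits and
        zeroes the rest), sizes spill slots from the widest access, and flags the pattern where a 32-bit Def
        feeds a 64-bit Use, which is exactly the "garbage in the high bits" case. The Role names, the opcode
        names and the sample instruction sequence are constructed for the example and are assumptions, not
        Air's real instruction set.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <vector>

// Toy width analysis for register-allocator temporaries (Tmps). A model of the idea in the entry,
// not JSC's TmpWidth; roles and opcode names are invented for this example.
//   Use  - the instruction reads `width` bits of the Tmp
//   Def  - the instruction writes `width` bits and leaves any higher bits untouched
//          (what a spilled Add32 does to an 8-byte stack slot: it writes only 4 bytes)
//   ZDef - the instruction writes `width` bits and zeroes everything above them
//          (what a 32-bit load or move into an x86-64 register does)
enum class Role { Use, Def, ZDef };

struct Operand {
    std::string tmp;
    Role role;
    unsigned width; // 32 or 64
};

struct Inst {
    std::string opcode;
    std::vector<Operand> operands;
};

struct Widths {
    unsigned defWidth = 0;           // widest write to the Tmp
    unsigned useWidth = 0;           // widest read of the Tmp
    bool everyDefZeroExtends = true; // no plain Def seen, only ZDefs
};

// Widths are the max over every def and every use of a Tmp in the whole function.
std::map<std::string, Widths> computeTmpWidths(const std::vector<Inst>& code) {
    std::map<std::string, Widths> widths;
    for (const Inst& inst : code) {
        for (const Operand& op : inst.operands) {
            Widths& w = widths[op.tmp];
            switch (op.role) {
            case Role::Use:
                w.useWidth = std::max(w.useWidth, op.width);
                break;
            case Role::Def:
                w.defWidth = std::max(w.defWidth, op.width);
                w.everyDefZeroExtends = false;
                break;
            case Role::ZDef:
                w.defWidth = std::max(w.defWidth, op.width);
                break;
            }
        }
    }
    return widths;
}

// Spill slot size follows the widest access instead of a blanket 8 bytes.
unsigned spillSlotBytes(const Widths& w) {
    return std::max(w.defWidth, w.useWidth) / 8;
}

// A ZExt32 of this Tmp may be copy-propagated away only if every definition already zero-extends.
bool highBitsAreZero(const Widths& w) {
    return w.defWidth != 0 && w.defWidth <= 32 && w.everyDefZeroExtends;
}

// The bug pattern from the entry: a 32-bit Def (Add32 into a spill slot) feeding a 64-bit Use means
// the fill loads bits that no instruction wrote, i.e. whatever was on the stack.
bool useReadsUndefinedHighBits(const Widths& w) {
    return w.useWidth > w.defWidth && !w.everyDefZeroExtends;
}

// Constructed sample: "i" is a zero-extended 32-bit index (safe to use as a[i]);
// "t" is an Add32 result that a later Add64 consumes at full width (the bug).
std::vector<Inst> sampleCode() {
    return {
        { "Move64", { { "base", Role::ZDef, 64 } } }, // a full 64-bit write leaves nothing undefined
        { "Move32", { { "i", Role::ZDef, 32 } } },
        { "Add32",  { { "i", Role::Use, 32 }, { "t", Role::Def, 32 } } },
        { "Add64",  { { "base", Role::Use, 64 }, { "i", Role::Use, 64 }, { "addr1", Role::Def, 64 } } },
        { "Add64",  { { "base", Role::Use, 64 }, { "t", Role::Use, 64 }, { "addr2", Role::Def, 64 } } },
    };
}
```

        Run over sampleCode(), the analysis reports that "i" has zero high bits (its only def is a ZDef),
        so a ZExt32 of it can be dropped and it can be coalesced, while "t" is defined at 32 bits by a plain
        Def and read at 64, which a validator should reject or the spiller must repair with a
        zero-extending fill.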
132
2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement String.prototype.localeCompare in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147607

        Reviewed by Darin Adler.

        Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
        Keep existing native implementation for use if INTL flag is disabled.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/StringPrototype.js: Added.
        (localeCompare):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
150
2015-12-18  Filip Pizlo  <fpizlo@apple.com>

        Implement compareDouble in B3/Air
        https://bugs.webkit.org/show_bug.cgi?id=150903

        Reviewed by Benjamin Poulain.

        A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
        crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
        but we can't guarantee that this will always happen.

        This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
        a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
        magnitude.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::moveDoubleConditionallyFloat):
        (JSC::MacroAssembler::compareDouble):
        (JSC::MacroAssembler::compareFloat):
        (JSC::MacroAssembler::lea):
        * b3/B3Dominators.h:
        (JSC::B3::Dominators::Dominators):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createCompare):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testCompare):
        (JSC::B3::testEqualDouble):
        (JSC::B3::simpleFunction):
        (JSC::B3::run):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::Dominators):
184
2015-12-19  Dan Bernstein  <mitz@apple.com>

        [Mac] WebKit contains dead source code for OS X Mavericks and earlier
        https://bugs.webkit.org/show_bug.cgi?id=152462

        Reviewed by Alexey Proskuryakov.

        - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
          that became uniform across all OS X versions as a result:

        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

        * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
200
2015-12-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Streamline Tmp indexing inside the register allocator
        https://bugs.webkit.org/show_bug.cgi?id=152420

        Reviewed by Filip Pizlo.

        AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.

        When it started, every map addressed by Tmp was using Tmp hashing.
        That caused massive performance problems. Everything perf sensitive was moved
        to direct array addressing by the absolute Tmp index. This left the code
        with half of the function using Tmp, the other half using indices.

        With this patch, almost everything is moved to absolute indexing.
        There are a few advantages to this:
        -No more conversion churn for Floating Point registers.
        -Most of the functions can now be shared between GP and FP.
        -A bit of clean up since the core algorithm only deals with integers now.

        This patch also changes the index type to be a template argument.
        That will allow future specialization of "m_interferenceEdges" based
        on the expected problem size.

        Finally, the code related to the program modification (register assignment
        and spilling) was moved to the wrapper "IteratedRegisterCoalescing".

        The current split is:
        -AbstractColoringAllocator: common core. Share as much as possible between
         GP and FP.
        -ColoringAllocator: the remaining parts of the algorithm, everything that
         is specific to GP, FP.
        -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
         Try to allocate and modify the code as needed.

        The long term plan is:
        -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
        -Specialize m_interferenceEdges to make it faster.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirTmpInlines.h:
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
244
2015-12-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] FTLB3Output generates some invalid ZExt32
        https://bugs.webkit.org/show_bug.cgi?id=151905

        Reviewed by Filip Pizlo.

        FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
        We were generating ZExt32 with Int32 as return type :(

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::zeroExt):
257
2015-12-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add EqualOrUnordered to B3
        https://bugs.webkit.org/show_bug.cgi?id=152425

        Reviewed by Mark Lam.

        Add EqualOrUnordered to B3 and use it to implement
        FTL::Output's NotEqualAndOrdered.

        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::equalOrUnordered):
        * b3/B3ConstDoubleValue.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        (JSC::B3::reduceDoubleToFloat):
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::equalOrUnordered):
        (JSC::B3::Value::returnsBool):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/testb3.cpp:
        (JSC::B3::testBranchEqualOrUnorderedArgs):
        (JSC::B3::testBranchNotEqualAndOrderedArgs):
        (JSC::B3::testBranchEqualOrUnorderedDoubleArgImm):
        (JSC::B3::testBranchEqualOrUnorderedFloatArgImm):
        (JSC::B3::testBranchEqualOrUnorderedDoubleImms):
        (JSC::B3::testBranchEqualOrUnorderedFloatImms):
        (JSC::B3::testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
        (JSC::B3::run):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleNotEqualAndOrdered):
        (JSC::FTL::Output::doubleNotEqual): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleNotEqualAndOrdered):
        (JSC::FTL::Output::doubleNotEqual): Deleted.
305
2015-12-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3: Add indexed addressing when lowering BitwiseCast
        https://bugs.webkit.org/show_bug.cgi?id=152432

        Reviewed by Geoffrey Garen.

        The MacroAssembler supports it, we should use it.

        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testBitwiseCastOnDoubleInMemoryIndexed):
        (JSC::B3::testBitwiseCastOnInt64InMemoryIndexed):
319
2015-12-18  Andreas Kling  <akling@apple.com>

        Make JSString::SafeView less of a footgun.
        <https://webkit.org/b/152376>

        Reviewed by Darin Adler.

        Remove the "operator StringView()" convenience helper on JSString::SafeString since that
        made it possible to casually turn the return value from JSString::view() into an unsafe
        StringView local on the stack with this pattern:

            StringView view = someJSValue.toString(exec)->view(exec);

        The JSString* returned by toString() above will go out of scope by the end of the statement
        and does not stick around to protect itself from garbage collection.

        It will now look like this instead:

            JSString::SafeView view = someJSValue.toString(exec)->view(exec);

        To be extra clear, the following is not safe:

            StringView view = someJSValue.toString(exec)->view(exec).get();

        By the end of that statement, the JSString::SafeView goes out of scope, and the JSString*
        is no longer protected from GC.

        I added a couple of forwarding helpers to the SafeView class, and if you need a StringView
        object from it, you can call .get() just like before.

        Finally I also removed the JSString::SafeView() constructor, since nobody was instantiating
        empty SafeView objects anyway. This way we don't have to worry about null members.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncJoin):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncParseInt):
        (JSC::globalFuncParseFloat):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSString.cpp:
        (JSC::JSString::getPrimitiveNumber):
        (JSC::JSString::toNumber):
        * runtime/JSString.h:
        (JSC::JSString::SafeView::is8Bit):
        (JSC::JSString::SafeView::length):
        (JSC::JSString::SafeView::characters8):
        (JSC::JSString::SafeView::characters16):
        (JSC::JSString::SafeView::operator[]):
        (JSC::JSString::SafeView::SafeView):
        (JSC::JSString::SafeView::get):
        (JSC::JSString::SafeView::operator StringView): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncNormalize):
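
        The lifetime footgun in the entry above, as an added illustration (editor's example, not JSC's
        SafeView or any code from this commit). The GC is modelled with reference counting so that "the
        string is still alive" is observable: ManagedString stands in for JSString, the toString() and
        view() free functions stand in for JSValue::toString(exec) and JSString::view(exec), and SafeView
        is modelled on the class named in the entry, with no implicit conversion to a raw view. All of
        these names are assumptions made for the example.

```cpp
#include <memory>
#include <string>
#include <string_view>

// Stand-in for a GC-managed JSString. Kept alive by ownership (shared_ptr) instead of a collector,
// so a test can observe whether the string outlived the statement that produced it.
struct ManagedString {
    std::string chars;
    static int& liveCount() { static int n = 0; return n; }
    explicit ManagedString(std::string s) : chars(std::move(s)) { ++liveCount(); }
    ~ManagedString() { --liveCount(); }
};

// Analogue of JSString::SafeView: holds a strong reference to the string for as long as the view
// object exists, forwards the cheap accessors, and only hands out a raw non-owning view via get().
class SafeView {
public:
    explicit SafeView(std::shared_ptr<ManagedString> owner) : m_owner(std::move(owner)) {}
    std::string_view get() const { return m_owner->chars; }
    size_t length() const { return m_owner->chars.size(); }
    char operator[](size_t i) const { return m_owner->chars[i]; }
    // Deliberately no `operator std::string_view()`: the implicit conversion was the footgun.
private:
    std::shared_ptr<ManagedString> m_owner;
};

// Stand-in for JSValue::toString(exec): returns a string whose lifetime is not tied to the caller.
std::shared_ptr<ManagedString> toString(std::string s) {
    return std::make_shared<ManagedString>(std::move(s));
}

// Stand-in for JSString::view(exec).
SafeView view(const std::shared_ptr<ManagedString>& str) { return SafeView(str); }

// Safe pattern:   JSString::SafeView view = someJSValue.toString(exec)->view(exec);
// The temporary string survives the full expression because the SafeView keeps it alive.
bool safeViewKeepsStringAlive() {
    ManagedString::liveCount() = 0;
    SafeView v = view(toString("hello"));
    return ManagedString::liveCount() == 1 && v.get() == "hello" && v.length() == 5 && v[0] == 'h';
}

// Unsafe pattern: StringView view = someJSValue.toString(exec)->view(exec).get();
// When the statement ends the SafeView temporary is destroyed, the string with it, and the raw
// view now points into freed memory. The function reports that without dereferencing the view.
bool rawViewOutlivesString() {
    ManagedString::liveCount() = 0;
    std::string_view raw = view(toString("hello")).get(); // dangles after this ';'
    bool stringIsGone = ManagedString::liveCount() == 0;
    (void)raw; // never read: doing so would be a use-after-free
    return stringIsGone;
}
```

        The difference between the two functions is only where the owning handle lives: in the first it
        is a named local that outlives every use of the characters, in the second it is a temporary that
        dies at the semicolon, which is the same shape as the GC case the entry describes.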
382         (JSC::stringProtoFuncIndexOf):
383         (JSC::stringProtoFuncNormalize):
384
385 2015-12-18  Saam barati  <sbarati@apple.com>
386
387         BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools
388         https://bugs.webkit.org/show_bug.cgi?id=152450
389
390         Reviewed by Geoffrey Garen and Joseph Pecoraro.
391
392         This makes comprehending the call sites of these functions
393         easier without looking up the header of the function.
394
395         * bytecompiler/BytecodeGenerator.cpp:
396         (JSC::BytecodeGenerator::BytecodeGenerator):
397         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
398         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
399         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
400         (JSC::BytecodeGenerator::pushLexicalScope):
401         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
402         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
403         (JSC::BytecodeGenerator::emitPushCatchScope):
404         * bytecompiler/BytecodeGenerator.h:
405         (JSC::BytecodeGenerator::lastOpcodeID):
406         * bytecompiler/NodesCodegen.cpp:
407         (JSC::BlockNode::emitBytecode):
408         (JSC::ForNode::emitBytecode):
409         (JSC::ForInNode::emitMultiLoopBytecode):
410         (JSC::ForOfNode::emitBytecode):
411         (JSC::SwitchNode::emitBytecode):
412         (JSC::ClassExprNode::emitBytecode):
413
2015-12-18  Michael Catanzaro  <mcatanzaro@igalia.com>

        Avoid triggering clang's -Wundefined-bool-conversion
        https://bugs.webkit.org/show_bug.cgi?id=152408

        Reviewed by Mark Lam.

        Add ASSERT_THIS_GC_OBJECT_LOOKS_VALID and ASSERT_THIS_GC_OBJECT_INHERITS to avoid use of
        ASSERT(this) by ASSERT_GC_OBJECT_LOOKS_VALID and ASSERT_GC_OBJECT_INHERITS.

        * heap/GCAssertions.h:
425
2015-12-18  Mark Lam  <mark.lam@apple.com>

        Replace SpecialFastCase profiles with ResultProfiles.
        https://bugs.webkit.org/show_bug.cgi?id=152433

        Reviewed by Saam Barati.

        This is in preparation for upcoming work to enhance the DFG predictions to deal
        with untyped operands.

        This patch also enhances some of the arithmetic slow paths (for the LLINT and
        baseline JIT) to collect result profiling info.  This profiling info is not put
        to use yet.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpResultProfile):
        (JSC::CodeBlock::printLocationAndOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::dumpValueProfiles):
        (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::resultProfileForBytecodeOffset):
        (JSC::CodeBlock::updateResultProfileForBytecodeOffset):
        (JSC::CodeBlock::capabilityLevel):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::addResultProfile):
        (JSC::CodeBlock::numberOfResultProfiles):
        (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::couldTakeSpecialFastCase):
        (JSC::CodeBlock::addSpecialFastCaseProfile): Deleted.
        (JSC::CodeBlock::numberOfSpecialFastCaseProfiles): Deleted.
        (JSC::CodeBlock::specialFastCaseProfile): Deleted.
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset): Deleted.
        * bytecode/ValueProfile.cpp: Added.
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::getRareCaseProfileBytecodeOffset):
        (JSC::ResultProfile::ResultProfile):
        (JSC::ResultProfile::bytecodeOffset):
        (JSC::ResultProfile::specialFastPathCount):
        (JSC::ResultProfile::didObserveNonInt32):
        (JSC::ResultProfile::didObserveDouble):
        (JSC::ResultProfile::didObserveNonNegZeroDouble):
        (JSC::ResultProfile::didObserveNegZeroDouble):
        (JSC::ResultProfile::didObserveNonNumber):
        (JSC::ResultProfile::didObserveInt32Overflow):
        (JSC::ResultProfile::setObservedNonNegZeroDouble):
        (JSC::ResultProfile::setObservedNegZeroDouble):
        (JSC::ResultProfile::setObservedNonNumber):
        (JSC::ResultProfile::setObservedInt32Overflow):
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::hasBits):
        (JSC::ResultProfile::setBit):
        (JSC::getResultProfileBytecodeOffset):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITDivGenerator.h:
        (JSC::JITDivGenerator::JITDivGenerator):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITMulGenerator.h:
        (JSC::JITMulGenerator::JITMulGenerator):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
500
2015-12-18  Keith Miller  <keith_miller@apple.com>

        verboseDFGByteCodeParsing option should show the bytecode it is parsing.
        https://bugs.webkit.org/show_bug.cgi?id=152434

        Reviewed by Michael Saboff.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
510
2015-12-18  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Add the missing setupArgumentsWithExecState functions after r193974
        https://bugs.webkit.org/show_bug.cgi?id=152214

        Reviewed by Mark Lam.

        Relanding r194007 after r194248.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
522
2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove "local" scope type from the protocol
        https://bugs.webkit.org/show_bug.cgi?id=152409

        Reviewed by Timothy Hatcher.

        After r194251 the backend no longer sends this scope type.
        So remove it from the protocol.

        The concept of a Local Scope should be calculable by the
        frontend. In fact the way the backend used to do this could
        easily be done by the frontend. To be done in a follow-up.

        * inspector/InjectedScriptSource.js:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/protocol/Debugger.json:
540
2015-12-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Collator Compare Functions
        https://bugs.webkit.org/show_bug.cgi?id=147604

        Reviewed by Darin Adler.

        This patch implements Intl.Collator.prototype.compare() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::~IntlCollator):
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::createCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::usageString):
        (JSC::IntlCollator::sensitivityString):
        (JSC::IntlCollator::resolvedOptions):
        (JSC::IntlCollator::setBoundCompare):
        (JSC::IntlCollatorFuncCompare): Deleted.
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::usage): Deleted.
        (JSC::IntlCollator::setUsage): Deleted.
        (JSC::IntlCollator::locale): Deleted.
        (JSC::IntlCollator::setLocale): Deleted.
        (JSC::IntlCollator::collation): Deleted.
        (JSC::IntlCollator::setCollation): Deleted.
        (JSC::IntlCollator::numeric): Deleted.
        (JSC::IntlCollator::setNumeric): Deleted.
        (JSC::IntlCollator::sensitivity): Deleted.
        (JSC::IntlCollator::setSensitivity): Deleted.
        (JSC::IntlCollator::ignorePunctuation): Deleted.
        (JSC::IntlCollator::setIgnorePunctuation): Deleted.
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        (JSC::sortLocaleData): Deleted.
        (JSC::searchLocaleData): Deleted.
        (JSC::initializeCollator): Deleted.
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::intlStringOption):
        (JSC::resolveLocale):
        (JSC::supportedLocales):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
596
2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Provide a way to distinguish a nested lexical block from a function's lexical block
        https://bugs.webkit.org/show_bug.cgi?id=152361

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        Each of these are specialized scopes. They are not nested lexical scopes.

        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        Include an extra parameter to mark the SymbolTable as a nested lexical or not.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BlockNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        Each of these are cases of non-function nested lexical scopes.
        So mark the SymbolTable as nested.

        * inspector/protocol/Debugger.json:
        * inspector/InjectedScriptSource.js:
        Include a new scope type.

        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        Use the new "NestedLexical" scope type for nested, non-function,
        lexical scopes. The Inspector can use this to better describe
        this scope in the frontend.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isNestedLexicalScope):
        * debugger/DebuggerScope.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::isNestedLexicalScope):
        * runtime/JSScope.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneScopePart):
        * runtime/SymbolTable.h:
        Access the isNestedLexicalScope bit.
648
2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed EFL Build Fix after r194247.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        Handle compilers that don't realize the switch handles all cases.
656
2015-12-17  Keith Miller  <keith_miller@apple.com>

        [ES6] Add support for Symbol.hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=151839

        Reviewed by Saam Barati.

        Fixed version of r193986, r193983, and r193974.

        This patch adds support for Symbol.hasInstance; unfortunately, in order to prevent
        regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
        when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
        then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
        new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
        a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
        needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
        Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
        we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
        emits a call to slow path code that computes the result.

        In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
        OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
        it into a CheckTypeInfoFlags followed by a JSConstant.

        * API/JSCallbackObject.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance):
        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::isBranch): Deleted.
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitOverridesHasInstance):
        (JSC::BytecodeGenerator::emitInstanceOfCustom):
        (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::hasTypeInfoOperand):
        (JSC::DFG::Node::typeInfoOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
725         (JSC::DFG::PredictionPropagationPhase::propagate):
726         * dfg/DFGSafeToExecute.h:
727         (JSC::DFG::safeToExecute):
728         * dfg/DFGSpeculativeJIT.cpp:
729         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
730         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
731         * dfg/DFGSpeculativeJIT.h:
732         (JSC::DFG::SpeculativeJIT::callOperation):
733         * dfg/DFGSpeculativeJIT32_64.cpp:
734         (JSC::DFG::SpeculativeJIT::compile):
735         * dfg/DFGSpeculativeJIT64.cpp:
736         (JSC::DFG::SpeculativeJIT::compile):
737         * ftl/FTLCapabilities.cpp:
738         (JSC::FTL::canCompile):
739         * ftl/FTLIntrinsicRepository.h:
740         * ftl/FTLLowerDFGToLLVM.cpp:
741         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
742         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
743         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
744         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
745         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
746         * jit/JIT.cpp:
747         (JSC::JIT::privateCompileMainPass):
748         (JSC::JIT::privateCompileSlowCases):
749         * jit/JIT.h:
750         * jit/JITInlines.h:
751         (JSC::JIT::callOperation):
752         * jit/JITOpcodes.cpp:
753         (JSC::JIT::emit_op_overrides_has_instance):
754         (JSC::JIT::emit_op_instanceof):
755         (JSC::JIT::emit_op_instanceof_custom):
756         (JSC::JIT::emitSlow_op_instanceof):
757         (JSC::JIT::emitSlow_op_instanceof_custom):
758         (JSC::JIT::emit_op_check_has_instance): Deleted.
759         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
760         * jit/JITOpcodes32_64.cpp:
761         (JSC::JIT::emit_op_overrides_has_instance):
762         (JSC::JIT::emit_op_instanceof):
763         (JSC::JIT::emit_op_instanceof_custom):
764         (JSC::JIT::emitSlow_op_instanceof_custom):
765         (JSC::JIT::emit_op_check_has_instance): Deleted.
766         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
767         * jit/JITOperations.cpp:
768         * jit/JITOperations.h:
769         * llint/LLIntData.cpp:
770         (JSC::LLInt::Data::performAssertions):
771         * llint/LLIntSlowPaths.cpp:
772         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
773         * llint/LLIntSlowPaths.h:
774         * llint/LowLevelInterpreter32_64.asm:
775         * llint/LowLevelInterpreter64.asm:
776         * runtime/CommonIdentifiers.h:
777         * runtime/ExceptionHelpers.cpp:
778         (JSC::invalidParameterInstanceofSourceAppender):
779         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
780         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
781         (JSC::createInvalidInstanceofParameterErrorNotFunction):
782         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
783         (JSC::createInvalidInstanceofParameterError): Deleted.
784         * runtime/ExceptionHelpers.h:
785         * runtime/FunctionPrototype.cpp:
786         (JSC::FunctionPrototype::addFunctionProperties):
787         * runtime/FunctionPrototype.h:
788         * runtime/JSBoundFunction.cpp:
789         (JSC::isBoundFunction):
790         (JSC::hasInstanceBoundFunction):
791         * runtime/JSBoundFunction.h:
792         * runtime/JSGlobalObject.cpp:
793         (JSC::JSGlobalObject::init):
794         (JSC::JSGlobalObject::visitChildren):
795         * runtime/JSGlobalObject.h:
796         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
797         * runtime/JSObject.cpp:
798         (JSC::JSObject::hasInstance):
799         (JSC::objectPrivateFuncInstanceOf):
800         * runtime/JSObject.h:
801         * runtime/JSTypeInfo.h:
802         (JSC::TypeInfo::TypeInfo):
803         (JSC::TypeInfo::overridesHasInstance):
804         * runtime/WriteBarrier.h:
805         (JSC::WriteBarrierBase<Unknown>::slot):
806         * tests/es6.yaml:
807         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
808         (Constructor):
809         (value):
810         (instanceOf):
811         (body):
812         * tests/stress/symbol-hasInstance.js: Added.
813         (Constructor):
814         (value):
815         (ObjectClass.Symbol.hasInstance):
816         (NumberClass.Symbol.hasInstance):
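
The instanceof cases this entry's bytecodes have to distinguish (default prototype-chain walk, a constructor that overrides Symbol.hasInstance, a bound function, and a non-callable hasInstance value), as an added JavaScript example; it is not code from the ChangeLog or from JSC's own stress tests, and the class and function names in it are made up for illustration:

```javascript
// Added example, not JSC source: exercises the instanceof semantics that
// Symbol.hasInstance introduces, i.e. the cases the entry's bytecodes handle.
'use strict';

// Default path: nothing overrides Symbol.hasInstance, so instanceof walks
// the prototype chain through Function.prototype[Symbol.hasInstance].
class Base {}
class Derived extends Base {}

// Custom path: the constructor overrides Symbol.hasInstance, so the engine
// must call it instead of walking the prototype chain (instanceof_custom).
class Even {
  static [Symbol.hasInstance](value) {
    return typeof value === 'number' && value % 2 === 0;
  }
}

// Bound functions have no .prototype property of their own; instanceof must
// be resolved against the bound target (the "bound/C-API function" case).
const BoundDerived = Derived.bind(null);

function runInstanceofChecks() {
  const results = {};
  results.defaultChain = new Derived() instanceof Base;
  results.customEven = 4 instanceof Even;
  results.customOdd = 3 instanceof Even;
  results.boundTarget = new Derived() instanceof BoundDerived;

  // A Symbol.hasInstance value that is present but not callable is a TypeError.
  const Broken = function () {};
  Object.defineProperty(Broken, Symbol.hasInstance, { value: 42 });
  try {
    void ({} instanceof Broken);
    results.nonCallableThrows = false;
  } catch (e) {
    results.nonCallableThrows = e instanceof TypeError;
  }

  // The default handler is non-writable and non-configurable, which is what
  // lets an engine treat it as a constant once it has proved a constructor
  // does not override it.
  const desc = Object.getOwnPropertyDescriptor(Function.prototype, Symbol.hasInstance);
  results.defaultIsFrozen = desc.writable === false && desc.configurable === false;
  results.defaultMatchesChain =
    Function.prototype[Symbol.hasInstance].call(Base, new Derived()) === true;
  return results;
}

console.log(runInstanceofChecks());
```

Every field of the returned object is true except customOdd, which is false. The last two checks are the reason the DFG can fold overrides_has_instance to a constant: if the constructor's Symbol.hasInstance is the one on Function.prototype, and that property cannot change, the default prototype-chain walk is the only possible behaviour.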
817
818 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
819
820         Web Inspector: Improve names in Debugger Call Stack section when paused
821         https://bugs.webkit.org/show_bug.cgi?id=152398
822
823         Reviewed by Brian Burg.
824
825         * debugger/DebuggerCallFrame.cpp:
826         (JSC::DebuggerCallFrame::functionName):
827         Provide a better name from the underlying CallFrame.
828
829         * inspector/InjectedScriptSource.js:
830         (InjectedScript.CallFrameProxy):
831         Just call functionName; it will provide a better-than-nothing
832         function name.
833
834         * runtime/JSFunction.cpp:
835         (JSC::getCalculatedDisplayName):
836         Use emptyString().
837
838         * interpreter/CallFrame.h:
839         * interpreter/CallFrame.cpp:
840         (JSC::CallFrame::friendlyFunctionName):
841         This is the third similar implementation of this,
842         but all other cases use other "StackFrame" objects.
843         Use the expected names for program code.
844
845 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
846
847         Web Inspector: Add JSContext Script Profiling
848         https://bugs.webkit.org/show_bug.cgi?id=151899
849
850         Reviewed by Brian Burg.
851
852         Extend JSC::Debugger to include a profiling client interface
853         that the Inspector can implement to be told about script execution
854         entry and exit points. Add new profiledCall/Evaluate/Construct
855         methods that are entry points that will notify the profiling
856         client if it exists.
857
858         By putting the profiling client on Debugger it avoids having
859         special code paths for a JSGlobalObject being JSContext inspected
860         or a JSGlobalObject in a Page being Web inspected. In either case
861         the JSGlobalObject can go through its debugger() which always
862         reaches the correct inspector instance.
863
864         * CMakeLists.txt:
865         * DerivedSources.make:
866         * JavaScriptCore.xcodeproj/project.pbxproj:
867         Handle new files.
868
869         * runtime/CallData.cpp:
870         (JSC::profiledCall):
871         * runtime/CallData.h:
872         * runtime/Completion.cpp:
873         (JSC::profiledEvaluate):
874         * runtime/Completion.h:
875         (JSC::profiledEvaluate):
876         * runtime/ConstructData.cpp:
877         (JSC::profiledConstruct):
878         * runtime/ConstructData.h:
879         (JSC::profiledConstruct):
880         Create profiled versions of interpreter entry points. If a profiler client is
881         available, this will automatically inform it of entry/exit. Include a reason
882         why this is being profiled. Currently all reasons in JavaScriptCore are enumerated
883         (API, Microtask) and Other is to be used by WebCore or future clients.
884
885         * debugger/ScriptProfilingScope.h: Added.
886         (JSC::ScriptProfilingScope::ScriptProfilingScope):
887         (JSC::ScriptProfilingScope::~ScriptProfilingScope):
888         (JSC::ScriptProfilingScope::shouldStartProfile):
889         (JSC::ScriptProfilingScope::shouldEndProfile):
890         At profiled entry points inform the profiling client if needed.
891
892         * API/JSBase.cpp:
893         (JSEvaluateScript):
894         * API/JSObjectRef.cpp:
895         (JSObjectCallAsFunction):
896         (JSObjectCallAsConstructor):
897         * runtime/JSJob.cpp:
898         (JSC::JSJobMicrotask::run):
899         Use the profiled functions for API and Microtask execution entry points.
900
901         * runtime/JSGlobalObject.cpp:
902         (JSC::JSGlobalObject::hasProfiler):
903         * runtime/JSGlobalObject.h:
904         (JSC::JSGlobalObject::hasProfiler):
905         Extend hasProfiler to also check the new Debugger script profiler.
906
907         * debugger/Debugger.cpp:
908         (JSC::Debugger::setProfilingClient):
909         (JSC::Debugger::willEvaluateScript):
910         (JSC::Debugger::didEvaluateScript):
911         * debugger/Debugger.h:
912         Pass through to the profiling client.
913
914         * inspector/protocol/ScriptProfiler.json: Added.
915         * inspector/agents/InspectorScriptProfilerAgent.cpp: Added.
916         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
917         (Inspector::InspectorScriptProfilerAgent::~InspectorScriptProfilerAgent):
918         (Inspector::InspectorScriptProfilerAgent::didCreateFrontendAndBackend):
919         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
920         (Inspector::InspectorScriptProfilerAgent::startTracking):
921         (Inspector::InspectorScriptProfilerAgent::stopTracking):
922         (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
923         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
924         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
925         (Inspector::toProtocol):
926         (Inspector::InspectorScriptProfilerAgent::addEvent):
927         (Inspector::buildAggregateCallInfoInspectorObject):
928         (Inspector::buildInspectorObject):
929         (Inspector::buildProfileInspectorObject):
930         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
931         * inspector/agents/InspectorScriptProfilerAgent.h: Added.
932         New ScriptProfiler domain to just turn on / off script profiling.
933         It introduces a start/update/complete event model which we want
934         to include in new domains.
935
936         * inspector/InspectorEnvironment.h:
937         * inspector/InjectedScriptBase.cpp:
938         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
939         Simplify this now that we want it to be the same for all clients.
940
941         * inspector/JSGlobalObjectInspectorController.h:
942         * inspector/JSGlobalObjectInspectorController.cpp:
943         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
944         Create the new agent.
945
946         * inspector/InspectorProtocolTypes.h:
947         (Inspector::Protocol::Array::addItem):
948         Allow pushing a double onto a Protocol::Array.
949
950 2015-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
951
952         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
953         https://bugs.webkit.org/show_bug.cgi?id=152227
954
955         Reviewed by Saam Barati.
956
957         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
958         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
959         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
960
961         Instead of extending NewFunction / PhantomNewFunction, we just added new DFG nodes, NewGeneratorFunction and PhantomNewGeneratorFunction.
962         This is because NewGeneratorFunction will generate an object that has different class info from JSFunction (And if JSGeneratorFunction is extended, its size will become different from JSFunction).
963         So, rather than extending NewFunction with generator flag, just adding new DFG nodes seems cleaner.
964
965         Object allocation sinking phase will change NewGeneratorFunction to PhantomNewGeneratorFunction and defer or eliminate its actual materialization.
966         It is exactly the same as NewFunction and PhantomNewFunction.
967         And when OSR exit occurs, we need to execute deferred NewGeneratorFunction since Baseline JIT does not consider it.
968         So in FTL operation, we should create JSGeneratorFunction if we see PhantomNewGeneratorFunction materialization.
969
970         * dfg/DFGAbstractInterpreterInlines.h:
971         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
972         * dfg/DFGByteCodeParser.cpp:
973         (JSC::DFG::ByteCodeParser::parseBlock):
974         * dfg/DFGCapabilities.cpp:
975         (JSC::DFG::capabilityLevel):
976         * dfg/DFGClobberize.h:
977         (JSC::DFG::clobberize):
978         * dfg/DFGClobbersExitState.cpp:
979         (JSC::DFG::clobbersExitState):
980         * dfg/DFGDoesGC.cpp:
981         (JSC::DFG::doesGC):
982         * dfg/DFGFixupPhase.cpp:
983         (JSC::DFG::FixupPhase::fixupNode):
984         * dfg/DFGMayExit.cpp:
985         (JSC::DFG::mayExit):
986         * dfg/DFGNode.h:
987         (JSC::DFG::Node::convertToPhantomNewFunction):
988         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
989         (JSC::DFG::Node::hasCellOperand):
990         (JSC::DFG::Node::isFunctionAllocation):
991         (JSC::DFG::Node::isPhantomFunctionAllocation):
992         (JSC::DFG::Node::isPhantomAllocation):
993         * dfg/DFGNodeType.h:
994         * dfg/DFGObjectAllocationSinkingPhase.cpp:
995         * dfg/DFGPredictionPropagationPhase.cpp:
996         (JSC::DFG::PredictionPropagationPhase::propagate):
997         * dfg/DFGSafeToExecute.h:
998         (JSC::DFG::safeToExecute):
999         * dfg/DFGSpeculativeJIT.cpp:
1000         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1001         * dfg/DFGSpeculativeJIT32_64.cpp:
1002         (JSC::DFG::SpeculativeJIT::compile):
1003         * dfg/DFGSpeculativeJIT64.cpp:
1004         (JSC::DFG::SpeculativeJIT::compile):
1005         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1006         * dfg/DFGStructureRegistrationPhase.cpp:
1007         (JSC::DFG::StructureRegistrationPhase::run):
1008         * dfg/DFGValidate.cpp:
1009         (JSC::DFG::Validate::validateCPS):
1010         (JSC::DFG::Validate::validateSSA):
1011         * ftl/FTLCapabilities.cpp:
1012         (JSC::FTL::canCompile):
1013         * ftl/FTLLowerDFGToLLVM.cpp:
1014         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1015         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1016         * ftl/FTLOperations.cpp:
1017         (JSC::FTL::operationPopulateObjectInOSR):
1018         (JSC::FTL::operationMaterializeObjectInOSR):
1019         * tests/stress/generator-function-create-optimized.js: Added.
1020         (shouldBe):
1021         (g):
1022         (test.return.gen):
1023         (test):
1024         (test2.gen):
1025         (test2):
1026         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
1027         (shouldBe):
1028         (GeneratorFunctionPrototype):
1029         (call):
1030         (f):
1031         (sink):
1032         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
1033         (shouldBe):
1034         (GeneratorFunctionPrototype):
1035         (g):
1036         (f):
1037         (sink):
1038         * tests/stress/generator-function-declaration-sinking-put.js: Added.
1039         (shouldBe):
1040         (GeneratorFunctionPrototype):
1041         (g):
1042         (f):
1043         (sink):
1044         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
1045         (shouldBe):
1046         (GeneratorFunctionPrototype):
1047         (call):
1048         (f):
1049         (sink):
1050         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
1051         (shouldBe):
1052         (GeneratorFunctionPrototype):
1053         (g):
1054         (sink):
1055         * tests/stress/generator-function-expression-sinking-put.js: Added.
1056         (shouldBe):
1057         (GeneratorFunctionPrototype):
1058         (g):
1059         (sink):
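
The observable facts the entry relies on (a generator function's __proto__ differs from a plain function's, and a sunk allocation must still materialize a distinct, correct object when it escapes), as an added JavaScript example; it is not JSC code and does not reproduce the stress tests listed above, whose names it only mirrors in the shape of its sink function:

```javascript
// Added example, not JSC source: the semantics that NewGeneratorFunction and
// PhantomNewGeneratorFunction must preserve, observable from plain JavaScript.
'use strict';

function* declaredGen() { yield 1; }
const exprGen = function* () { yield 2; };
function plain() {}

// %GeneratorFunction.prototype% is only reachable through an instance.
const GeneratorFunctionPrototype = Object.getPrototypeOf(declaredGen);

function describeGeneratorFunction() {
  return {
    // The structure differs from a plain function's: a different __proto__.
    protoDiffersFromFunction: GeneratorFunctionPrototype !== Function.prototype,
    plainUsesFunctionPrototype: Object.getPrototypeOf(plain) === Function.prototype,
    // Declarations (new_generator_func) and expressions (new_generator_func_exp)
    // share the same __proto__.
    exprSharesProto: Object.getPrototypeOf(exprGen) === GeneratorFunctionPrototype,
    // It still chains to Function.prototype, so "instanceof Function" holds.
    chainsToFunction: Object.getPrototypeOf(GeneratorFunctionPrototype) === Function.prototype,
    isFunctionInstance: declaredGen instanceof Function,
    // Generator objects inherit from the generator function's own .prototype.
    generatorObjectProto: Object.getPrototypeOf(declaredGen()) === declaredGen.prototype,
  };
}

// Same shape as the "sinking" stress tests: the closure is created on every
// call but only escapes on a rare path. An optimizing compiler may defer the
// allocation and must still materialize a correct object, with a fresh
// identity per call, when the rare path is taken or on OSR exit.
function sink(escape) {
  const g = function* () { yield 42; };
  if (escape)
    return g;
  return null;
}

function exerciseSinking(iterations) {
  let nonEscaping = 0;
  for (let i = 0; i < iterations; i++) {
    if (sink(false) === null)
      nonEscaping++;
  }
  const a = sink(true);
  const b = sink(true);
  return {
    nonEscaping,
    escapedHasGeneratorProto: Object.getPrototypeOf(a) === GeneratorFunctionPrototype,
    escapedYields: a().next().value === 42,
    distinctPerCall: a !== b && a.prototype !== b.prototype,
  };
}

console.log(describeGeneratorFunction(), exerciseSinking(10000));
```

Running exerciseSinking with a large iteration count is what drives an engine's tiers to compile sink and apply allocation sinking; the checks on the escaped closure are the ones a materialization bug would fail.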
1060
1061 2015-12-16  Michael Saboff  <msaboff@apple.com>
1062
1063         ARM64 MacroAssembler improperly reuses data temp register in test32() and test8() calls
1064         https://bugs.webkit.org/show_bug.cgi?id=152370
1065
1066         Reviewed by Benjamin Poulain.
1067
1068         Changed the test8/32(Address, Register) flavors to use the memoryTempRegister for loading the value
1069         at Address so that it doesn't collide with the subsequent use of dataTempRegister by the
1070         test32(Register, Register) function.
1071
1072         * assembler/MacroAssemblerARM64.h:
1073         (JSC::MacroAssemblerARM64::test32):
1074         (JSC::MacroAssemblerARM64::test8):
1075
1076 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1077
1078         FTL B3 should support switches
1079         https://bugs.webkit.org/show_bug.cgi?id=152360
1080
1081         Reviewed by Geoffrey Garen.
1082
1083         I implemented this because I was hoping it would let us run V8/crypto, but instead it just led
1084         me to file a fun bug: https://bugs.webkit.org/show_bug.cgi?id=152365.
1085
1086         * ftl/FTLB3Output.h:
1087         (JSC::FTL::Output::check):
1088         (JSC::FTL::Output::switchInstruction):
1089         (JSC::FTL::Output::ret):
1090         * ftl/FTLLowerDFGToLLVM.cpp:
1091         (JSC::FTL::DFG::ftlUnreachable):
1092         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
1093
1094 2015-12-16  Alex Christensen  <achristensen@webkit.org>
1095
1096         Fix internal Windows build
1097         https://bugs.webkit.org/show_bug.cgi?id=152364
1098
1099         Reviewed by Tim Horton.
1100
1101         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1102
1103 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1104
1105         Improve JSObject::put performance
1106         https://bugs.webkit.org/show_bug.cgi?id=152347
1107
1108         Reviewed by Geoffrey Garen.
1109
1110         This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
1111         query objects. This also adds some optimizations to make the JSObject::put code faster by making
1112         it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
1113         Inlining it is optional because the put() method is large. If you want it inlined, call
1114         putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().
1115
1116         This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
1117         JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
1118         JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
1119         Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
1120         that we're not a static put_by_id, which turns off some type inference.
1121
1122         Get By Id: 2% faster
1123         Put By Id Replace: 23% faster
1124         Put By Id Transition + object allocation: 11% faster
1125         Get By Id w/ dynamic context: 5% faster
1126         Put By Id Replace w/ dynamic context: 25% faster
1127         Put By Id Transition + object allocation w/ dynamic context: 10% faster
1128
1129         * JavaScriptCore.xcodeproj/project.pbxproj:
1130         * dynbench.cpp: Added.
1131         (JSC::benchmarkImpl):
1132         (main):
1133         * jit/CallFrameShuffler32_64.cpp:
1134         * jit/CallFrameShuffler64.cpp:
1135         * jit/JITOperations.cpp:
1136         * llint/LLIntSlowPaths.cpp:
1137         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1138         * runtime/ClassInfo.h:
1139         (JSC::ClassInfo::hasStaticProperties):
1140         * runtime/ConsoleClient.cpp:
1141         * runtime/CustomGetterSetter.h:
1142         * runtime/ErrorInstance.cpp:
1143         (JSC::ErrorInstance::finishCreation):
1144         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1145         * runtime/GetterSetter.h:
1146         (JSC::asGetterSetter):
1147         * runtime/JSCInlines.h:
1148         * runtime/JSCJSValue.h:
1149         * runtime/JSCJSValueInlines.h:
1150         (JSC::JSValue::put):
1151         (JSC::JSValue::putInternal):
1152         (JSC::JSValue::putByIndex):
1153         * runtime/JSObject.cpp:
1154         (JSC::JSObject::put):
1155         (JSC::JSObject::putByIndex):
1156         * runtime/JSObject.h:
1157         (JSC::JSObject::getVectorLength):
1158         (JSC::JSObject::inlineGetOwnPropertySlot):
1159         (JSC::JSObject::get):
1160         (JSC::JSObject::putDirectInternal):
1161
1162 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1163
1164         Work around a bug in LLVM by flipping the unification order
1165         https://bugs.webkit.org/show_bug.cgi?id=152341
1166         rdar://problem/23920749
1167
1168         Reviewed by Mark Lam.
1169
1170         * dfg/DFGUnificationPhase.cpp:
1171         (JSC::DFG::UnificationPhase::run):
1172
1173 2015-12-16  Saam barati  <sbarati@apple.com>
1174
1175         Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
1176         https://bugs.webkit.org/show_bug.cgi?id=152337
1177
1178         Reviewed by Mark Lam.
1179
1180         If we have a default constructor, we should also have a way
1181         to tell if a PreservedState is invalid.
1182
1183         * jit/ScratchRegisterAllocator.cpp:
1184         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1185         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1186         * jit/ScratchRegisterAllocator.h:
1187         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
1188         (JSC::ScratchRegisterAllocator::PreservedState::operator bool):
1189
1190 2015-12-16  Caitlin Potter  <caitp@igalia.com>
1191
1192         [JSC] fix error message for eval/arguments CoverInitializedName in strict code
1193         https://bugs.webkit.org/show_bug.cgi?id=152304
1194
1195         Reviewed by Darin Adler.
1196
1197         Because the error was originally classified as indicating a Pattern, the
1198         error in AssignmentPattern parsing causes the reported message to revert to
1199         the original Expression error message, which in this case is incorrect.
1200
1201         This change modifies the implementation of the strict code
1202         error slightly, and reclassifies the error to prevent the message revert,
1203         which improves the clarity of the message overall.
1204
1205         * parser/Parser.cpp:
1206         (JSC::Parser<LexerType>::parseAssignmentElement):
1207         (JSC::Parser<LexerType>::parseDestructuringPattern):
1208         * parser/Parser.h:
1209         (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
1210         (JSC::Parser::reclassifyExpressionError):
1211         * tests/stress/destructuring-assignment-syntax.js:
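
The syntax this entry's error message concerns, as an added JavaScript example (not the ChangeLog's or JSC's test code): a CoverInitializedName such as "{ eval = 1 }" is only valid when it turns out to be an assignment pattern, and in strict code eval and arguments are not valid assignment targets even there. The probe uses new Function so that sloppy and strict bodies can be compiled by the same engine; the error message text is engine-specific and is only returned for inspection, not checked.

```javascript
// Added example, not JSC source: compiles small bodies in sloppy and strict
// mode and reports which ones are early SyntaxErrors.
'use strict';

function compile(source) {
  // new Function() parses its body in sloppy mode unless the body itself
  // carries a "use strict" directive, so both modes can be probed.
  try {
    return { ok: true, fn: new Function(source) };
  } catch (e) {
    return { ok: false, error: e };
  }
}

function probeCoverInitializedName() {
  // Strict assignment patterns: eval/arguments are not simple targets.
  const strictEval = compile('"use strict"; ({ eval = 1 } = {});');
  const strictArguments = compile('"use strict"; ({ arguments = 1 } = {});');
  // Sloppy assignment pattern: allowed, and the default value is applied.
  // (arguments is used rather than eval so nothing global is reassigned.)
  const sloppyArguments = compile('({ arguments = 1 } = {}); return arguments;');
  // A CoverInitializedName that never becomes a pattern is always an error.
  const bareCover = compile('({ eval = 1 });');
  return {
    strictEvalIsSyntaxError: !strictEval.ok && strictEval.error instanceof SyntaxError,
    strictArgumentsIsSyntaxError: !strictArguments.ok && strictArguments.error instanceof SyntaxError,
    sloppyArgumentsAllowed: sloppyArguments.ok && sloppyArguments.fn() === 1,
    bareCoverIsSyntaxError: !bareCover.ok && bareCover.error instanceof SyntaxError,
    // Engine-specific wording; this is the message the entry improves in JSC.
    strictEvalMessage: strictEval.ok ? null : strictEval.error.message,
  };
}

console.log(probeCoverInitializedName());
```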
1212
1213 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1214
1215         Builtin source should be minified more
1216         https://bugs.webkit.org/show_bug.cgi?id=152290
1217
1218         Reviewed by Darin Adler.
1219
1220         * Scripts/builtins/builtins_model.py:
1221         (BuiltinFunction.fromString):
1222         Remove primarily empty lines that would just introduce clutter.
1223         We only do the minification in non-Debug configurations, which
1224         is determined by the CONFIGURATION environment variable. You can
1225         see how tests would generate differently, like so:
1226         shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests
1227
1228 2015-12-16  Commit Queue  <commit-queue@webkit.org>
1229
1230         Unreviewed, rolling out r194135.
1231         https://bugs.webkit.org/show_bug.cgi?id=152333
1232
1233         due to missing OSR exit materialization support in FTL
1234         (Requested by yusukesuzuki on #webkit).
1235
1236         Reverted changeset:
1237
1238         "[ES6] Handle new_generator_func / new_generator_func_exp in
1239         DFG / FTL"
1240         https://bugs.webkit.org/show_bug.cgi?id=152227
1241         http://trac.webkit.org/changeset/194135
1242
1243 2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1244
1245         [Fetch API] Add fetch API compile time flag
1246         https://bugs.webkit.org/show_bug.cgi?id=152254
1247
1248         Reviewed by Darin Adler.
1249
1250         * Configurations/FeatureDefines.xcconfig:
1251
1252 2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1253
1254         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
1255         https://bugs.webkit.org/show_bug.cgi?id=152227
1256
1257         Reviewed by Saam Barati.
1258
1259         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
1260         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
1261         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
1262
1263         * dfg/DFGAbstractInterpreterInlines.h:
1264         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1265         * dfg/DFGByteCodeParser.cpp:
1266         (JSC::DFG::ByteCodeParser::parseBlock):
1267         * dfg/DFGCapabilities.cpp:
1268         (JSC::DFG::capabilityLevel):
1269         * dfg/DFGClobberize.h:
1270         (JSC::DFG::clobberize):
1271         * dfg/DFGClobbersExitState.cpp:
1272         (JSC::DFG::clobbersExitState):
1273         * dfg/DFGDoesGC.cpp:
1274         (JSC::DFG::doesGC):
1275         * dfg/DFGFixupPhase.cpp:
1276         (JSC::DFG::FixupPhase::fixupNode):
1277         * dfg/DFGMayExit.cpp:
1278         (JSC::DFG::mayExit):
1279         * dfg/DFGNode.h:
1280         (JSC::DFG::Node::convertToPhantomNewFunction):
1281         (JSC::DFG::Node::hasCellOperand):
1282         (JSC::DFG::Node::isFunctionAllocation):
1283         * dfg/DFGNodeType.h:
1284         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1285         * dfg/DFGPredictionPropagationPhase.cpp:
1286         (JSC::DFG::PredictionPropagationPhase::propagate):
1287         * dfg/DFGSafeToExecute.h:
1288         (JSC::DFG::safeToExecute):
1289         * dfg/DFGSpeculativeJIT.cpp:
1290         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1291         * dfg/DFGSpeculativeJIT32_64.cpp:
1292         (JSC::DFG::SpeculativeJIT::compile):
1293         * dfg/DFGSpeculativeJIT64.cpp:
1294         (JSC::DFG::SpeculativeJIT::compile):
1295         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1296         * dfg/DFGStructureRegistrationPhase.cpp:
1297         (JSC::DFG::StructureRegistrationPhase::run):
1298         * ftl/FTLCapabilities.cpp:
1299         (JSC::FTL::canCompile):
1300         * ftl/FTLLowerDFGToLLVM.cpp:
1301         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1302         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1303         * tests/stress/generator-function-create-optimized.js: Added.
1304         (shouldBe):
1305         (g):
1306         (test.return.gen):
1307         (test):
1308         (test2.gen):
1309         (test2):
1310         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
1311         (shouldBe):
1312         (GeneratorFunctionPrototype):
1313         (call):
1314         (f):
1315         (sink):
1316         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
1317         (shouldBe):
1318         (GeneratorFunctionPrototype):
1319         (g):
1320         (f):
1321         (sink):
1322         * tests/stress/generator-function-declaration-sinking-put.js: Added.
1323         (shouldBe):
1324         (GeneratorFunctionPrototype):
1325         (g):
1326         (f):
1327         (sink):
1328         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
1329         (shouldBe):
1330         (GeneratorFunctionPrototype):
1331         (call):
1332         (f):
1333         (sink):
1334         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
1335         (shouldBe):
1336         (GeneratorFunctionPrototype):
1337         (g):
1338         (sink):
1339         * tests/stress/generator-function-expression-sinking-put.js: Added.
1340         (shouldBe):
1341         (GeneratorFunctionPrototype):
1342         (g):
1343         (sink):
1344
1345 2015-12-15  Mark Lam  <mark.lam@apple.com>
1346
1347         Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
1348         https://bugs.webkit.org/show_bug.cgi?id=152191
1349
1350         Not reviewed.
1351
1352         * jit/JITArithmetic.cpp:
1353         (JSC::JIT::emitBitBinaryOpFastPath):
1354
1355 2015-12-15  Mark Lam  <mark.lam@apple.com>
1356
1357         Introducing ScratchRegisterAllocator::PreservedState.
1358         https://bugs.webkit.org/show_bug.cgi?id=152315
1359
1360         Reviewed by Geoffrey Garen.
1361
1362         restoreReusedRegistersByPopping() should always be called with 2 values that
1363         match the expectation of preserveReusedRegistersByPushing().  Those 2 values
1364         are the number of bytes preserved and the ExtraStackSpace requirement.  By
1365         encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
1366         it less error prone when calling restoreReusedRegistersByPopping().  Now, we only
1367         need to pass it the appropriate PreservedState that its matching
1368         preserveReusedRegistersByPushing() returned.
1369
1370         * bytecode/PolymorphicAccess.cpp:
1371         (JSC::AccessGenerationState::restoreScratch):
1372         (JSC::AccessCase::generate):
1373         (JSC::PolymorphicAccess::regenerate):
1374         * bytecode/PolymorphicAccess.h:
1375         (JSC::AccessGenerationState::AccessGenerationState):
1376         * ftl/FTLCompileBinaryOp.cpp:
1377         (JSC::FTL::generateBinaryBitOpFastPath):
1378         (JSC::FTL::generateRightShiftFastPath):
1379         (JSC::FTL::generateBinaryArithOpFastPath):
1380         * ftl/FTLLazySlowPath.cpp:
1381         (JSC::FTL::LazySlowPath::generate):
1382         * ftl/FTLLowerDFGToLLVM.cpp:
1383         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
1384         * jit/ScratchRegisterAllocator.cpp:
1385         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
1386         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
1387         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1388         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1389         * jit/ScratchRegisterAllocator.h:
1390         (JSC::ScratchRegisterAllocator::usedRegisters):
1391         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
1392
1393 2015-12-15  Mark Lam  <mark.lam@apple.com>
1394
1395         Polymorphic operand types for DFG and FTL bit operators.
1396         https://bugs.webkit.org/show_bug.cgi?id=152191
1397
1398         Reviewed by Saam Barati.
1399
1400         * bytecode/SpeculatedType.h:
1401         (JSC::isUntypedSpeculationForBitOps):
1402         * dfg/DFGAbstractInterpreterInlines.h:
1403         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1404         * dfg/DFGNode.h:
1405         (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
1406         - Added a check for types that are not supported by ValueToInt32 and therefore
1407           should be treated as untyped for bitops.
1408
1409         * dfg/DFGClobberize.h:
1410         (JSC::DFG::clobberize):
1411         * dfg/DFGFixupPhase.cpp:
1412         (JSC::DFG::FixupPhase::fixupNode):
1413         - Handled untyped operands.
1414
1415         * dfg/DFGOperations.cpp:
1416         * dfg/DFGOperations.h:
1417         - Added DFG slow path functions for bitops.
1418
1419         * dfg/DFGSpeculativeJIT.cpp:
1420         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1421         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1422         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1423         (JSC::DFG::SpeculativeJIT::compileShiftOp):
1424         * dfg/DFGSpeculativeJIT.h:
1425         - Added DFG backend support for untyped operands for bitops.
1426
1427         * dfg/DFGStrengthReductionPhase.cpp:
1428         (JSC::DFG::StrengthReductionPhase::handleNode):
1429         - Limit bitops strength reduction only to when we don't have untyped operands.
1430           This is because values that are not int32s need to be converted to int32.
1431           Without untyped operands, the ValueToInt32 node takes care of this.
1432           With untyped operands, we cannot use ValueToInt32, and need to do the conversion
1433           in the code emitted for the bitop node itself.  For example:
1434
1435               5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
1436               "abc" | 0; // would yield "abc" instead of the expected 0 if we let
1437                          // strength reduction do its thing.
1438
1439         * ftl/FTLCompileBinaryOp.cpp:
1440         (JSC::FTL::generateBinaryBitOpFastPath):
1441         (JSC::FTL::generateRightShiftFastPath):
1442         (JSC::FTL::generateBinaryOpFastPath):
1443
1444         * ftl/FTLInlineCacheDescriptor.h:
1445         (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
1446         (JSC::FTL::BitAndDescriptor::icSize):
1447         (JSC::FTL::BitAndDescriptor::nodeType):
1448         (JSC::FTL::BitAndDescriptor::opName):
1449         (JSC::FTL::BitAndDescriptor::slowPathFunction):
1450         (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
1451         (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
1452         (JSC::FTL::BitOrDescriptor::icSize):
1453         (JSC::FTL::BitOrDescriptor::nodeType):
1454         (JSC::FTL::BitOrDescriptor::opName):
1455         (JSC::FTL::BitOrDescriptor::slowPathFunction):
1456         (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
1457         (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
1458         (JSC::FTL::BitXorDescriptor::icSize):
1459         (JSC::FTL::BitXorDescriptor::nodeType):
1460         (JSC::FTL::BitXorDescriptor::opName):
1461         (JSC::FTL::BitXorDescriptor::slowPathFunction):
1462         (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
1463         (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
1464         (JSC::FTL::BitLShiftDescriptor::icSize):
1465         (JSC::FTL::BitLShiftDescriptor::nodeType):
1466         (JSC::FTL::BitLShiftDescriptor::opName):
1467         (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
1468         (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
1469         (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
1470         (JSC::FTL::BitRShiftDescriptor::icSize):
1471         (JSC::FTL::BitRShiftDescriptor::nodeType):
1472         (JSC::FTL::BitRShiftDescriptor::opName):
1473         (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
1474         (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
1475         (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
1476         (JSC::FTL::BitURShiftDescriptor::icSize):
1477         (JSC::FTL::BitURShiftDescriptor::nodeType):
1478         (JSC::FTL::BitURShiftDescriptor::opName):
1479         (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
1480         (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
1481         - Added support for bitop ICs.
1482
1483         * ftl/FTLInlineCacheSize.cpp:
1484         (JSC::FTL::sizeOfBitAnd):
1485         (JSC::FTL::sizeOfBitOr):
1486         (JSC::FTL::sizeOfBitXor):
1487         (JSC::FTL::sizeOfBitLShift):
1488         (JSC::FTL::sizeOfBitRShift):
1489         (JSC::FTL::sizeOfBitURShift):
1490         * ftl/FTLInlineCacheSize.h:
1491         - Added new bitop IC sizes.  These are just estimates for now that work adequately,
1492           and are shown to not impact performance on benchmarks.  We will re-tune these
1493           size values later in another patch once all snippet ICs have been added.
1494
1495         * ftl/FTLLowerDFGToLLVM.cpp:
1496         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
1497         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
1498         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
1499         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
1500         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
1501         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
1502         - Added support for bitop ICs.
1503
1504         * jit/JITLeftShiftGenerator.cpp:
1505         (JSC::JITLeftShiftGenerator::generateFastPath):
1506         * jit/JITLeftShiftGenerator.h:
1507         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
1508         * jit/JITRightShiftGenerator.cpp:
1509         (JSC::JITRightShiftGenerator::generateFastPath):
1510         - The shift MASM operations need to ensure that the shiftAmount is not in the same
1511           register as the destination register.  With the baseline JIT and DFG, this is
1512           ensured in how we allocate these registers, and hence, the bug does not manifest.
1513           With the FTL, these registers are not guaranteed to be unique.  Hence, we need
1514           to fix the shift op snippet code to compensate for this.
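
Added example (not JavaScriptCore code) for the strength-reduction point in the entry above: a reference `toInt32` that follows the ECMA-262 ToInt32 abstract operation, compared against the engine's own `x | 0` over int32, double, string and other untyped operands, plus an `orZeroIsIdentity` check showing for which values `x | 0` may be folded to `x`. The function names and the sample operand list are constructed here.

```javascript
// Reference implementation of the ECMA-262 ToInt32 abstract operation.
// Added example, not JavaScriptCore code: it spells out the conversion that the
// ValueToInt32 node performs, and which the bitop node itself must perform
// when its operands are untyped.
function toInt32(value) {
  const number = Number(value);           // ToNumber: "abc" -> NaN, "0x10" -> 16, [] -> 0
  if (Number.isNaN(number) || !Number.isFinite(number)) {
    return 0;                             // NaN, +Infinity and -Infinity all map to +0
  }
  const truncated = Math.trunc(number);   // drop the fractional part toward zero
  const wrapped = ((truncated % 2 ** 32) + 2 ** 32) % 2 ** 32;  // into [0, 2^32)
  return wrapped >= 2 ** 31 ? wrapped - 2 ** 32 : wrapped;      // reinterpret as signed
}

// May `x | 0` be replaced by `x` for this value? Only when the value already is
// exactly the int32 that ToInt32 would produce. Object.is is used so that -0
// (a double, not an int32) is correctly reported as not foldable.
function orZeroIsIdentity(value) {
  return Object.is(value | 0, value);
}

// Constructed sample operands: int32s, doubles, strings and other untyped values.
const SAMPLE_OPERANDS = [
  5, -1, 2147483647, -2147483648,               // int32: `x | 0` is the identity
  5.5, -0, 2 ** 31, 2 ** 32 + 7, NaN, Infinity, // doubles: conversion changes the value
  "abc", "0x10", "  12  ", "1e3",               // strings: ToNumber, then ToInt32
  true, null, undefined, [], [42], {},          // other untyped operands
];

// One record per operand: the engine's `x | 0`, the reference ToInt32 result,
// and whether folding `x | 0` to `x` would have preserved the value.
function checkBitOrZero(values = SAMPLE_OPERANDS) {
  return values.map((value) => ({
    value,
    engine: value | 0,
    spec: toInt32(value),
    identity: orZeroIsIdentity(value),
  }));
}
```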
1515
1516 2015-12-15  Caitlin Potter  <caitp@igalia.com>
1517
1518         [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
1519         https://bugs.webkit.org/show_bug.cgi?id=152302
1520
1521         Reviewed by Mark Lam.
1522
1523         `eval` and `arguments` must not be assigned to in strict code. This
1524         change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
1525         in Test262, as well as a variety of other similar tests.
1526
1527         * parser/Parser.cpp:
1528         (JSC::Parser<LexerType>::parseAssignmentElement):
1529         (JSC::Parser<LexerType>::parseDestructuringPattern):
1530         * tests/stress/destructuring-assignment-syntax.js:
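
Added example (not JSC or Test262 code) for the rule described in the entry above: it uses the host engine's parser, via the Function constructor, to show that `eval` and `arguments` as destructuring assignment targets are early SyntaxErrors in strict code while the identical source parses in sloppy code. The `isEarlySyntaxError` helper, the case lists and `classifyAssignmentTargets` are constructed here.

```javascript
// Compile `source` as a function body without running it, and report whether the
// parser rejects it with an early SyntaxError. Added example, not JSC code: it
// relies on the host engine's parser (the Function constructor parses eagerly).
function isEarlySyntaxError(source) {
  try {
    new Function(source);   // parse only; the resulting function is never invoked
    return false;
  } catch (error) {
    if (error instanceof SyntaxError) return true;
    throw error;            // anything else would not be a parse-time result
  }
}

// The same destructuring assignments are tried in strict and in sloppy code.
// In strict code `eval` and `arguments` may not be an AssignmentElement;
// in sloppy code the identical source is accepted.
const STRICT_PREFIX = '"use strict";\n';
const RESTRICTED_TARGET_CASES = [
  '({ eval } = { eval: 1 });',            // object pattern, shorthand target
  '({ a: arguments } = { a: 1 });',       // object pattern, explicit target
  '[eval] = [1];',                        // array pattern
  '[...arguments] = [1, 2];',             // rest element
  '({ x: [eval] } = { x: [1] });',        // nested pattern
];

// Ordinary identifiers as targets stay legal in both modes (control cases).
const CONTROL_CASES = [
  '({ evalish } = { evalish: 1 });',
  '[args] = [1];',
];

// One record per case: whether it is rejected in strict and in sloppy code.
function classifyAssignmentTargets() {
  const run = (src) => ({
    source: src,
    strictRejected: isEarlySyntaxError(STRICT_PREFIX + src),
    sloppyRejected: isEarlySyntaxError(src),
  });
  return {
    restricted: RESTRICTED_TARGET_CASES.map(run),
    controls: CONTROL_CASES.map(run),
  };
}
```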
1531
1532 2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>
1533
1534         URTBF after 194062.
1535
1536         * assembler/MacroAssemblerARM.h:
1537         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
1538         (JSC::MacroAssemblerARM::ceilDouble): Added.
1539
1540 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1541
1542         FTL B3 should account for localsOffset
1543         https://bugs.webkit.org/show_bug.cgi?id=152288
1544
1545         Reviewed by Saam Barati.
1546
1547         The DFG will build up some data structures that expect to know about offsets from FP. Those data
1548         structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
1549         allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
1550         from LLVM's stackmaps. The B3 code needs to do the same.
1551
1552         I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
1553         look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
1554         FTLLower. But in this case, I actually think that having code that just does this explicitly in
1555         FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
1556         care about this, and we need to ensure that we do this fixup before we run any of the stackmap
1557         generators. In other words, it needs to happen before we call B3::generate(). The ordering
1558         constraints seem like a good reason to have this done explicitly rather than through lambdas.
1559
1560         I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
1561         different from the LLVM meaning. This caused breakage when we used this idiom:
1562
1563             ValueFromBlock foo = m_out.anchor(things);
1564             ...(foo.value()) // we were expecting that foo.value() == things
1565
1566         I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
1567         the idiom to:
1568
1569             LValue fooValue = things;
1570             ValueFromBlock foo = m_out.anchor(fooValue);
1571             ...(fooValue)
1572
1573         This is probably a good idea, since eventually we want B3's anchor() to just return the
1574         UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
1575         ValueFromBlock is an actual object and not just a typedef for a pointer.
1576
1577         * ftl/FTLB3Compile.cpp:
1578         (JSC::FTL::compile):
1579         * ftl/FTLB3Output.cpp:
1580         (JSC::FTL::Output::appendTo):
1581         (JSC::FTL::Output::lockedStackSlot):
1582         * ftl/FTLB3Output.h:
1583         (JSC::FTL::Output::framePointer):
1584         (JSC::FTL::Output::constBool):
1585         (JSC::FTL::Output::constInt32):
1586         * ftl/FTLLowerDFGToLLVM.cpp:
1587         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1588         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
1589         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
1590         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
1591         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
1592         (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
1593         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
1594         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
1595         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
1596         * ftl/FTLState.h:
1597         (JSC::FTL::verboseCompilationEnabled):
1598         * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.
1599
1600 2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1601
1602         Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
1603         https://bugs.webkit.org/show_bug.cgi?id=152133
1604
1605         Reviewed by Geoffrey Garen.
1606
1607         In this patch, we implement a new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
1608         Later it will be recognized by the DFG and converted to an ArithRandom node.
1609         It provides the type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).
1610
1611         Currently, only the 64-bit version is supported. On 32-bit environments, ArithRandom will be converted to a callOperation.
1612         While it emits a function call, the ArithRandom node on 32-bit still represents SpecDoubleReal as its result type.
1613
1614         * dfg/DFGAbstractHeap.h:
1615         * dfg/DFGAbstractInterpreterInlines.h:
1616         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1617         * dfg/DFGByteCodeParser.cpp:
1618         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1619         * dfg/DFGClobberize.h:
1620         (JSC::DFG::clobberize):
1621         * dfg/DFGDoesGC.cpp:
1622         (JSC::DFG::doesGC):
1623         * dfg/DFGFixupPhase.cpp:
1624         (JSC::DFG::FixupPhase::fixupNode):
1625         * dfg/DFGNodeType.h:
1626         * dfg/DFGOperations.cpp:
1627         * dfg/DFGOperations.h:
1628         * dfg/DFGPredictionPropagationPhase.cpp:
1629         (JSC::DFG::PredictionPropagationPhase::propagate):
1630         * dfg/DFGSafeToExecute.h:
1631         (JSC::DFG::safeToExecute):
1632         * dfg/DFGSpeculativeJIT.h:
1633         (JSC::DFG::SpeculativeJIT::callOperation):
1634         * dfg/DFGSpeculativeJIT32_64.cpp:
1635         (JSC::DFG::SpeculativeJIT::compile):
1636         (JSC::DFG::SpeculativeJIT::compileArithRandom):
1637         * dfg/DFGSpeculativeJIT64.cpp:
1638         (JSC::DFG::SpeculativeJIT::compile):
1639         (JSC::DFG::SpeculativeJIT::compileArithRandom):
1640         * ftl/FTLCapabilities.cpp:
1641         (JSC::FTL::canCompile):
1642         * ftl/FTLLowerDFGToLLVM.cpp:
1643         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1644         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
1645         * jit/AssemblyHelpers.cpp:
1646         (JSC::emitRandomThunkImpl):
1647         (JSC::AssemblyHelpers::emitRandomThunk):
1648         * jit/AssemblyHelpers.h:
1649         * jit/JITOperations.h:
1650         * jit/ThunkGenerators.cpp:
1651         (JSC::randomThunkGenerator):
1652         * jit/ThunkGenerators.h:
1653         * runtime/Intrinsic.h:
1654         * runtime/JSGlobalObject.h:
1655         (JSC::JSGlobalObject::weakRandomOffset):
1656         * runtime/MathObject.cpp:
1657         (JSC::MathObject::finishCreation):
1658         * runtime/VM.cpp:
1659         (JSC::thunkGeneratorForIntrinsic):
1660         * tests/stress/random-53bit.js: Added.
1661         (test):
1662         * tests/stress/random-in-range.js: Added.
1663         (test):
1664
1665 2015-12-14  Benjamin Poulain  <benjamin@webkit.org>
1666
1667         Rename FTL::Output's ceil64() to doubleCeil()
1668
1669         Rubber-stamped by Filip Pizlo.
1670
1671         ceil64() was a bad name; that's the naming convention we use for integers.
1672
1673         * ftl/FTLB3Output.h:
1674         (JSC::FTL::Output::doubleCeil):
1675         (JSC::FTL::Output::ceil64): Deleted.
1676         * ftl/FTLLowerDFGToLLVM.cpp:
1677         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):
1678
1679 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1680
1681         FTL B3 should be able to run n-body.js
1682         https://bugs.webkit.org/show_bug.cgi?id=152281
1683
1684         Reviewed by Benjamin Poulain.
1685
1686         Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
1687         end, like the rest of the FTL expected.
1688
1689         * ftl/FTLLowerDFGToLLVM.cpp:
1690         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1691
1692 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
1693
1694         Fix bad copy-paste in r194062
1695
1696         * ftl/FTLB3Output.h:
1697         (JSC::FTL::Output::ceil64):
1698
1699 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1700
1701         Unreviewed, fix cloop build.
1702
1703         * jit/GPRInfo.cpp:
1704
1705 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1706
1707         FTL B3 should do PutById
1708         https://bugs.webkit.org/show_bug.cgi?id=152268
1709
1710         Reviewed by Saam Barati.
1711
1712         * CMakeLists.txt:
1713         * JavaScriptCore.xcodeproj/project.pbxproj:
1714         * b3/B3LowerToAir.cpp:
1715         (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
1716         * b3/testb3.cpp: Added a bunch of tests.
1717         * ftl/FTLLowerDFGToLLVM.cpp:
1718         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
1719         * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
1720         * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.
1721
1722 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
1723
1724         [JSC] Add ceil() support for x86 and expose it to B3
1725         https://bugs.webkit.org/show_bug.cgi?id=152231
1726
1727         Reviewed by Geoffrey Garen.
1728
1729         Most x86 CPUs we care about support ceil() natively
1730         with the round instruction.
1731
1732         This patch exposes that behind a runtime flag, uses it
1733         in the Math.ceil() thunk and exposes it to B3.
1734
1735         * assembler/MacroAssemblerARM64.h:
1736         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
1737         * assembler/MacroAssemblerARMv7.h:
1738         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
1739         * assembler/MacroAssemblerMIPS.h:
1740         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
1741         * assembler/MacroAssemblerSH4.h:
1742         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
1743         * assembler/MacroAssemblerX86Common.cpp:
1744         * assembler/MacroAssemblerX86Common.h:
1745         (JSC::MacroAssemblerX86Common::ceilDouble):
1746         (JSC::MacroAssemblerX86Common::ceilFloat):
1747         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
1748         (JSC::MacroAssemblerX86Common::supportsLZCNT):
1749         * assembler/X86Assembler.h:
1750         (JSC::X86Assembler::roundss_rr):
1751         (JSC::X86Assembler::roundss_mr):
1752         (JSC::X86Assembler::roundsd_rr):
1753         (JSC::X86Assembler::roundsd_mr):
1754         (JSC::X86Assembler::mfence):
1755         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
1756         * b3/B3ConstDoubleValue.cpp:
1757         (JSC::B3::ConstDoubleValue::ceilConstant):
1758         * b3/B3ConstDoubleValue.h:
1759         * b3/B3ConstFloatValue.cpp:
1760         (JSC::B3::ConstFloatValue::ceilConstant):
1761         * b3/B3ConstFloatValue.h:
1762         * b3/B3LowerMacrosAfterOptimizations.cpp:
1763         * b3/B3LowerToAir.cpp:
1764         (JSC::B3::Air::LowerToAir::lower):
1765         * b3/B3Opcode.cpp:
1766         (WTF::printInternal):
1767         * b3/B3Opcode.h:
1768         * b3/B3ReduceDoubleToFloat.cpp:
1769         * b3/B3ReduceStrength.cpp:
1770         * b3/B3Validate.cpp:
1771         * b3/B3Value.cpp:
1772         (JSC::B3::Value::ceilConstant):
1773         (JSC::B3::Value::effects):
1774         (JSC::B3::Value::key):
1775         (JSC::B3::Value::typeFor):
1776         * b3/B3Value.h:
1777         * b3/air/AirOpcode.opcodes:
1778         * b3/testb3.cpp:
1779         (JSC::B3::testCeilArg):
1780         (JSC::B3::testCeilImm):
1781         (JSC::B3::testCeilMem):
1782         (JSC::B3::testCeilCeilArg):
1783         (JSC::B3::testCeilIToD64):
1784         (JSC::B3::testCeilIToD32):
1785         (JSC::B3::testCeilArgWithUselessDoubleConversion):
1786         (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
1787         (JSC::B3::populateWithInterestingValues):
1788         (JSC::B3::run):
1789         * ftl/FTLB3Output.h:
1790         (JSC::FTL::Output::ceil64):
1791         * jit/ThunkGenerators.cpp:
1792         (JSC::ceilThunkGenerator):
1793
1794 2015-12-14  Andreas Kling  <akling@apple.com>
1795
1796         ResourceUsageOverlay should show GC timers.
1797         <https://webkit.org/b/152151>
1798
1799         Reviewed by Darin Adler.
1800
1801         Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.
1802
1803         * heap/GCActivityCallback.cpp:
1804         (JSC::GCActivityCallback::scheduleTimer):
1805         (JSC::GCActivityCallback::cancelTimer):
1806         * heap/GCActivityCallback.h:
1807
1808 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1809
1810         Unreviewed, fix merge issue in a test.
1811
1812         * b3/testb3.cpp:
1813         (JSC::B3::testCheckTwoMegaCombos):
1814         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
1815
1816 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1817
1818         B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
1819         https://bugs.webkit.org/show_bug.cgi?id=152224
1820
1821         Reviewed by Geoffrey Garen.
1822
1823         Previously, a stackmap generator for a Check had to know how many children the B3 value for the
1824         Check had at the time of code generation. That meant that B3 could not change the kind of Check
1825         that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
1826         into a Check. But just changing the contract so that the stackmap generation params only get the
1827         stackmap children of the check means that B3 can transform Checks as it likes.
1828
1829         This is meant to aid sinking values into checks.
1830
1831         Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
1832         exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
1833         sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
1834         not counting OSR exit - if you need to you can conditionally merge that with World based on a
1835         separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
1836         and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
1837         we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
1838         seems more sensible to instead force the analysis to set reads to top() when setting
1839         exitsSideways to true, not least because we only have one such analysis and many users. But it
1840         also makes sense for another reason: it allows us to bound the set of things that the program
1841         will read after it exits. That might not be useful to us now, but it's a nice feature to get for
1842         free. I've seen language features that behave like exitsSideways that don't also read top,
1843         like an array bounds check that causes sudden termination without making any promises about how
1844         pretty the crash dump will look.
1845
1846         * b3/B3CheckSpecial.cpp:
1847         (JSC::B3::CheckSpecial::generate):
1848         * b3/B3Opcode.h:
1849         * b3/B3Value.cpp:
1850         (JSC::B3::Value::effects):
1851         * b3/testb3.cpp:
1852         (JSC::B3::testSimpleCheck):
1853         (JSC::B3::testCheckLessThan):
1854         (JSC::B3::testCheckMegaCombo):
1855         (JSC::B3::testCheckAddImm):
1856         (JSC::B3::testCheckAddImmCommute):
1857         (JSC::B3::testCheckAddImmSomeRegister):
1858         (JSC::B3::testCheckAdd):
1859         (JSC::B3::testCheckAdd64):
1860         (JSC::B3::testCheckSubImm):
1861         (JSC::B3::testCheckSubBadImm):
1862         (JSC::B3::testCheckSub):
1863         (JSC::B3::testCheckSub64):
1864         (JSC::B3::testCheckNeg):
1865         (JSC::B3::testCheckNeg64):
1866         (JSC::B3::testCheckMul):
1867         (JSC::B3::testCheckMulMemory):
1868         (JSC::B3::testCheckMul2):
1869         (JSC::B3::testCheckMul64):
1870         * ftl/FTLLowerDFGToLLVM.cpp:
1871         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1872
1873 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1874
1875         Air: Support Architecture-specific forms and Opcodes
1876         https://bugs.webkit.org/show_bug.cgi?id=151736
1877
1878         Reviewed by Benjamin Poulain.
1879
1880         This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
1881         opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
1882         still be a member of the enum) but isValidForm() and all other reflective queries will tell you
1883         that it doesn't exist. This will make the instruction selector steer clear of it, and it will
1884         also ensure that the spiller doesn't try to use any unavailable architecture-specific address
1885         forms.
1886
1887         The new capability is documented extensively in a comment in AirOpcode.opcodes.
1888
1889         * b3/air/AirOpcode.opcodes:
1890         * b3/air/opcode_generator.rb:
1891
1892 2015-12-14  Mark Lam  <mark.lam@apple.com>
1893
1894         Misc. small fixes in snippet related code.
1895         https://bugs.webkit.org/show_bug.cgi?id=152259
1896
1897         Reviewed by Saam Barati.
1898
1899         * dfg/DFGSpeculativeJIT.cpp:
1900         (JSC::DFG::SpeculativeJIT::compileArithMul):
1901         - When loading a constant JSValue for a node, use the one that the node already
1902           provides instead of reconstructing it.  This is not a bug, but the fix makes
1903           the code cleaner.
1904
1905         * jit/JITBitAndGenerator.cpp:
1906         (JSC::JITBitAndGenerator::generateFastPath):
1907         - No need to do a bitand with a constant int 0xffffffff operand.
1908
1909         * jit/JITBitOrGenerator.cpp:
1910         (JSC::JITBitOrGenerator::generateFastPath):
1911         - Fix comments: bitor is '|', not '&'.
1912         - No need to do a bitor with a constant int 0 operand.
1913
1914         * jit/JITBitXorGenerator.cpp:
1915         (JSC::JITBitXorGenerator::generateFastPath):
1916         - Fix comments: bitxor is '^', not '&'.
1917
1918         * jit/JITRightShiftGenerator.cpp:
1919         (JSC::JITRightShiftGenerator::generateFastPath):
1920         - Renamed a jump target name to be clearer about its purpose.
1921
1922 2015-12-14  Mark Lam  <mark.lam@apple.com>
1923
1924         We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
1925         https://bugs.webkit.org/show_bug.cgi?id=152255
1926
1927         Reviewed by Saam Barati.
1928
1929         * dfg/DFGFixupPhase.cpp:
1930         (JSC::DFG::FixupPhase::fixupNode):
1931
1932 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
1933
1934         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
1935         https://bugs.webkit.org/show_bug.cgi?id=152198
1936
1937         Reviewed by Benjamin Poulain.
1938
1939         If we have a comparison operation that is branched on from multiple places, then we were
1940         previously executing the comparison to get a boolean result in a register and then we were
1941         testing/branching on that register in multiple places. This is actually less efficient than
1942         just fusing the compare/branch multiple times, even though this means that the comparison
1943         executes multiple times. This would only be bad if the comparison fused loads multiple times,
1944         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
1945         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
1946         the load.
1947
1948         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
1949         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
1950         lowerings for the other extension operations were not fully fleshed out; for example they
1951         were incapable of load fusion. This patch fixes this and also adds some smart strength
1952         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
1953         extension.
1954
1955         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
1956         step in that direction.
1957
1958         * assembler/MacroAssemblerX86Common.h:
1959         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1960         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
1961         (JSC::MacroAssemblerX86Common::signExtend8To32):
1962         (JSC::MacroAssemblerX86Common::load16):
1963         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1964         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
1965         (JSC::MacroAssemblerX86Common::signExtend16To32):
1966         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
1967         * assembler/X86Assembler.h:
1968         (JSC::X86Assembler::movzbl_rr):
1969         (JSC::X86Assembler::movsbl_rr):
1970         (JSC::X86Assembler::movzwl_rr):
1971         (JSC::X86Assembler::movswl_rr):
1972         (JSC::X86Assembler::cmovl_rr):
1973         * b3/B3LowerToAir.cpp:
1974         (JSC::B3::Air::LowerToAir::createGenericCompare):
1975         (JSC::B3::Air::LowerToAir::lower):
1976         * b3/B3ReduceStrength.cpp:
1977         * b3/air/AirOpcode.opcodes:
1978         * b3/testb3.cpp:
1979         (JSC::B3::testCheckMegaCombo):
1980         (JSC::B3::testCheckTwoMegaCombos):
1981         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
1982         (JSC::B3::testCheckAddImm):
1983         (JSC::B3::testTruncSExt32):
1984         (JSC::B3::testSExt8):
1985         (JSC::B3::testSExt8Fold):
1986         (JSC::B3::testSExt8SExt8):
1987         (JSC::B3::testSExt8SExt16):
1988         (JSC::B3::testSExt8BitAnd):
1989         (JSC::B3::testBitAndSExt8):
1990         (JSC::B3::testSExt16):
1991         (JSC::B3::testSExt16Fold):
1992         (JSC::B3::testSExt16SExt16):
1993         (JSC::B3::testSExt16SExt8):
1994         (JSC::B3::testSExt16BitAnd):
1995         (JSC::B3::testBitAndSExt16):
1996         (JSC::B3::testSExt32BitAnd):
1997         (JSC::B3::testBitAndSExt32):
1998         (JSC::B3::testBasicSelect):
1999         (JSC::B3::run):
2000
2001 2015-12-14  Chris Dumez  <cdumez@apple.com>
2002
2003         Roll out r193974 and follow-up fixes as it caused JSC crashes
2004         https://bugs.webkit.org/show_bug.cgi?id=152256
2005
2006         Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
2007
2008         * API/JSCallbackObject.h:
2009         * builtins/FunctionPrototype.js:
2010         * bytecode/BytecodeBasicBlock.cpp:
2011         (JSC::isBranch):
2012         * bytecode/BytecodeList.json:
2013         * bytecode/BytecodeUseDef.h:
2014         (JSC::computeUsesForBytecodeOffset):
2015         (JSC::computeDefsForBytecodeOffset):
2016         * bytecode/CodeBlock.cpp:
2017         (JSC::CodeBlock::dumpBytecode):
2018         * bytecode/ExitKind.cpp:
2019         (JSC::exitKindToString): Deleted.
2020         * bytecode/ExitKind.h:
2021         * bytecode/PreciseJumpTargets.cpp:
2022         (JSC::getJumpTargetsForBytecodeOffset):
2023         * bytecompiler/BytecodeGenerator.cpp:
2024         (JSC::BytecodeGenerator::emitCheckHasInstance):
2025         (JSC::BytecodeGenerator::emitGetById): Deleted.
2026         * bytecompiler/BytecodeGenerator.h:
2027         (JSC::BytecodeGenerator::emitTypeOf): Deleted.
2028         * bytecompiler/NodesCodegen.cpp:
2029         (JSC::InstanceOfNode::emitBytecode):
2030         (JSC::LogicalOpNode::emitBytecode): Deleted.
2031         (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
2032         * dfg/DFGAbstractInterpreterInlines.h:
2033         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2034         * dfg/DFGByteCodeParser.cpp:
2035         (JSC::DFG::ByteCodeParser::parseBlock):
2036         * dfg/DFGCapabilities.cpp:
2037         (JSC::DFG::capabilityLevel):
2038         * dfg/DFGClobberize.h:
2039         (JSC::DFG::clobberize):
2040         * dfg/DFGDoesGC.cpp:
2041         (JSC::DFG::doesGC):
2042         * dfg/DFGFixupPhase.cpp:
2043         (JSC::DFG::FixupPhase::fixupNode):
2044         * dfg/DFGHeapLocation.cpp:
2045         (WTF::printInternal):
2046         * dfg/DFGHeapLocation.h:
2047         * dfg/DFGNode.h:
2048         (JSC::DFG::Node::hasCellOperand): Deleted.
2049         (JSC::DFG::Node::hasTransition): Deleted.
2050         * dfg/DFGNodeType.h:
2051         * dfg/DFGPredictionPropagationPhase.cpp:
2052         (JSC::DFG::PredictionPropagationPhase::propagate):
2053         * dfg/DFGSafeToExecute.h:
2054         (JSC::DFG::safeToExecute):
2055         * dfg/DFGSpeculativeJIT.cpp:
2056         (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
2057         (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
2058         * dfg/DFGSpeculativeJIT.h:
2059         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
2060         * dfg/DFGSpeculativeJIT32_64.cpp:
2061         (JSC::DFG::SpeculativeJIT::compile):
2062         * dfg/DFGSpeculativeJIT64.cpp:
2063         (JSC::DFG::SpeculativeJIT::compile):
2064         * ftl/FTLCapabilities.cpp:
2065         (JSC::FTL::canCompile):
2066         * ftl/FTLIntrinsicRepository.h:
2067         * ftl/FTLLowerDFGToLLVM.cpp:
2068         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2069         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
2070         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
2071         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
2072         * jit/CCallHelpers.h:
2073         (JSC::CCallHelpers::setupArguments): Deleted.
2074         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
2075         * jit/JIT.cpp:
2076         (JSC::JIT::privateCompileMainPass):
2077         (JSC::JIT::privateCompileSlowCases):
2078         * jit/JIT.h:
2079         * jit/JITInlines.h:
2080         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2081         (JSC::JIT::callOperation): Deleted.
2082         * jit/JITOpcodes.cpp:
2083         (JSC::JIT::emit_op_check_has_instance):
2084         (JSC::JIT::emit_op_instanceof):
2085         (JSC::JIT::emitSlow_op_check_has_instance):
2086         (JSC::JIT::emitSlow_op_instanceof):
2087         (JSC::JIT::emit_op_is_undefined): Deleted.
2088         (JSC::JIT::emitSlow_op_to_number): Deleted.
2089         (JSC::JIT::emitSlow_op_to_string): Deleted.
2090         * jit/JITOpcodes32_64.cpp:
2091         (JSC::JIT::emit_op_check_has_instance):
2092         (JSC::JIT::emit_op_instanceof):
2093         (JSC::JIT::emitSlow_op_check_has_instance):
2094         (JSC::JIT::emitSlow_op_instanceof):
2095         (JSC::JIT::emit_op_is_undefined): Deleted.
2096         * jit/JITOperations.cpp:
2097         * jit/JITOperations.h:
2098         * llint/LLIntData.cpp:
2099         (JSC::LLInt::Data::performAssertions): Deleted.
2100         * llint/LLIntSlowPaths.cpp:
2101         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2102         * llint/LLIntSlowPaths.h:
2103         * llint/LowLevelInterpreter32_64.asm:
2104         * llint/LowLevelInterpreter64.asm:
2105         * runtime/CommonIdentifiers.h:
2106         * runtime/ExceptionHelpers.cpp:
2107         (JSC::invalidParameterInstanceofSourceAppender):
2108         (JSC::createInvalidInstanceofParameterError):
2109         (JSC::createError): Deleted.
2110         (JSC::createNotAFunctionError): Deleted.
2111         (JSC::createNotAnObjectError): Deleted.
2112         * runtime/ExceptionHelpers.h:
2113         * runtime/FunctionPrototype.cpp:
2114         (JSC::FunctionPrototype::addFunctionProperties):
2115         * runtime/FunctionPrototype.h:
2116         * runtime/JSBoundFunction.cpp:
2117         (JSC::JSBoundFunction::create): Deleted.
2118         (JSC::JSBoundFunction::customHasInstance): Deleted.
2119         * runtime/JSBoundFunction.h:
2120         * runtime/JSGlobalObject.cpp:
2121         (JSC::JSGlobalObject::init):
2122         (JSC::JSGlobalObject::visitChildren): Deleted.
2123         * runtime/JSGlobalObject.h:
2124         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
2125         * runtime/JSObject.cpp:
2126         (JSC::JSObject::hasInstance):
2127         (JSC::JSObject::defaultHasInstance): Deleted.
2128         (JSC::JSObject::getPropertyNames): Deleted.
2129         (JSC::JSObject::getOwnPropertyNames): Deleted.
2130         * runtime/JSObject.h:
2131         (JSC::JSFinalObject::create): Deleted.
2132         * runtime/JSTypeInfo.h:
2133         (JSC::TypeInfo::TypeInfo):
2134         (JSC::TypeInfo::overridesHasInstance):
2135         * runtime/WriteBarrier.h:
2136         (JSC::WriteBarrierBase<Unknown>::slot):
2137         * tests/es6.yaml:
2138         * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
2139         * tests/stress/symbol-hasInstance.js: Removed.
2140
2141 2015-12-13  Benjamin Poulain  <bpoulain@apple.com>
2142
2143         [JSC] Remove FTL::Output's doubleEqualOrUnordered()
2144         https://bugs.webkit.org/show_bug.cgi?id=152234
2145
2146         Reviewed by Sam Weinig.
2147
2148         It is unused, one less thing to worry about.
2149
2150         * ftl/FTLB3Output.h:
2151         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
2152         * ftl/FTLOutput.h:
2153         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
2154
2155 2015-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2156
2157         [JSC] Should not emit get_by_id for indexed property access
2158         https://bugs.webkit.org/show_bug.cgi?id=151354
2159
2160         Reviewed by Darin Adler.
2161
2162         Before this patch, `a["1"]` is converted to `a.1` get_by_id operation in the bytecode compiler.
2163         get_by_id emits an IC. ICs rely on the fact that a Structure transition occurs when adding / removing an object's properties.
2164         However, this is not true for indexed element properties. They are stored in the element storage and no Structure transition occurs.
2165
2166         For example, in the following case,
2167
2168              function getOne(a) { return a['1']; }
2169
2170              for (var i = 0; i < 36; ++i)
2171                  getOne({2: true});
2172
2173              if (!getOne({1: true}))
2174                  throw new Error("OUT");
2175
2176         In this case, `a['1']` creates a get_by_id. The `getOne({2: true})` calls make getOne's get_by_id create an IC that says,
2177         "when encountering this structure chain, there is no property "1", so we should return `undefined`".
2178
2179         After that, we call `getOne({1: true})`. But in this case, `{2: true}` and `{1: true}` have the same structure chain,
2180         because adding an indexed property does not cause a structure transition.
2181         So the previous IC fast path is used and returns `undefined`. But the correct answer is `true`.
2182
2183         This patch fixes the above issue. When there is a string bracket access, we only emit get_by_id if the given string is not an index.
2184         There are bugs in get_by_id, put_by_id, and put_by_id (direct), but only get_by_id poses a user-observable issue,
2185         because in the put_by_id case the generic path just says "this put is uncacheable".
2186
2187         * bytecompiler/BytecodeGenerator.cpp:
2188         (JSC::BytecodeGenerator::emitGetById):
2189         (JSC::BytecodeGenerator::emitPutById):
2190         (JSC::BytecodeGenerator::emitDirectPutById):
2191         * bytecompiler/NodesCodegen.cpp:
2192         (JSC::isNonIndexStringElement):
2193         (JSC::BracketAccessorNode::emitBytecode):
2194         (JSC::FunctionCallBracketNode::emitBytecode):
2195         (JSC::AssignBracketNode::emitBytecode):
2196         (JSC::ObjectPatternNode::bindValue):
2197         * tests/stress/element-property-get-should-not-handled-with-get-by-id.js: Added.
2198         (getOne):
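
The index check described above, as an added JavaScript model that is not WebKit's code (the real isNonIndexStringElement is C++ in NodesCodegen.cpp); parseArrayIndex, chooseGetBytecode and engineTreatsAsIndex are assumed names, and the running engine's Array `length` is used as an oracle to cross-check the model.

```javascript
// Added example, not WebKit code: a JavaScript model of the index check the patch
// adds (the real isNonIndexStringElement lives in C++ in NodesCodegen.cpp).
// parseArrayIndex, chooseGetBytecode and engineTreatsAsIndex are assumed names.

// Largest array index per ECMAScript: 2^32 - 2. "4294967295" is a named property, not an index.
const MAX_ARRAY_INDEX = 0xFFFFFFFE;

// Returns the numeric index a string key denotes, or undefined when the key is a plain
// property name. Only the canonical decimal form counts: no sign, no whitespace, no
// leading zeros, no exponent, and the value must not exceed MAX_ARRAY_INDEX.
function parseArrayIndex(key) {
  if (typeof key !== 'string' || key.length === 0 || key.length > 10) return undefined;
  if (key === '0') return 0;
  const first = key.charCodeAt(0);
  if (first < 0x31 || first > 0x39) return undefined; // leading zero, sign or space: not canonical
  let value = 0;
  for (let i = 0; i < key.length; i++) {
    const c = key.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return undefined;
    value = value * 10 + (c - 0x30); // at most 10 digits, so this stays exact
  }
  return value <= MAX_ARRAY_INDEX ? value : undefined;
}

// The predicate the bytecode generator consults: may this string key use get_by_id?
function isNonIndexStringElement(key) {
  return parseArrayIndex(key) === undefined;
}

// Bytecode choice for `base[key]` with a constant key, as the entry describes it:
// a string key goes to get_by_id only when it is not an index; everything else is get_by_val.
function chooseGetBytecode(key) {
  if (typeof key === 'string' && isNonIndexStringElement(key)) return 'get_by_id';
  return 'get_by_val';
}

// Oracle using the running engine: assigning through an array index grows `length`,
// assigning a named property does not. Lets the model be checked without JSC internals.
function engineTreatsAsIndex(key) {
  const probe = [];
  probe[key] = true;
  return probe.length !== 0;
}

// Constructed sample keys covering the edge cases a generator must get right.
const SAMPLE_KEYS = ['0', '1', '01', '4294967294', '4294967295', '9999999999',
                     '1e3', '-1', ' 1', '', 'foo', '12345678901'];

// True when the model and the engine agree on every sample key.
function modelMatchesEngine(keys = SAMPLE_KEYS) {
  return keys.every(k => (parseArrayIndex(k) !== undefined) === engineTreatsAsIndex(k));
}

for (const k of SAMPLE_KEYS) {
  console.log(JSON.stringify(k), '->', chooseGetBytecode(k));
}
```

Keys such as "01" and "4294967295" are the interesting ones: they look numeric but are named properties, so the IC keyed on the Structure is correct for them and get_by_id may be used.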
2199
2200 2015-12-13  Andreas Kling  <akling@apple.com>
2201
2202         CachedScript could have a copy-free path for all-ASCII scripts.
2203         <https://webkit.org/b/152203>
2204
2205         Reviewed by Antti Koivisto.
2206
2207         Make SourceProvider vend a StringView instead of a String.
2208         This relaxes the promises that providers have to make about string lifetimes.
2209
2210         This means that on the WebCore side, CachedScript is free to cache a String
2211         internally, while only ever exposing it as a temporary StringView.
2212
2213         A few extra copies (CPU, not memory) are introduced, none of them on hot paths.
2214
2215         * API/JSScriptRef.cpp:
2216         * bytecode/CodeBlock.cpp:
2217         (JSC::CodeBlock::sourceCodeForTools):
2218         (JSC::CodeBlock::dumpSource):
2219         * inspector/ScriptDebugServer.cpp:
2220         (Inspector::ScriptDebugServer::dispatchDidParseSource):
2221         (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
2222         * interpreter/Interpreter.cpp:
2223         (JSC::Interpreter::execute):
2224         * jsc.cpp:
2225         (functionFindTypeForExpression):
2226         (functionHasBasicBlockExecuted):
2227         (functionBasicBlockExecutionCount):
2228         * parser/Lexer.cpp:
2229         (JSC::Lexer<T>::setCode):
2230         * parser/Lexer.h:
2231         (JSC::Lexer<LChar>::setCodeStart):
2232         (JSC::Lexer<UChar>::setCodeStart):
2233         * parser/Parser.h:
2234         (JSC::Parser::getToken):
2235         * parser/SourceCode.cpp:
2236         (JSC::SourceCode::toUTF8):
2237         * parser/SourceCode.h:
2238         (JSC::SourceCode::hash):
2239         (JSC::SourceCode::view):
2240         (JSC::SourceCode::toString): Deleted.
2241         * parser/SourceCodeKey.h:
2242         (JSC::SourceCodeKey::SourceCodeKey):
2243         (JSC::SourceCodeKey::string):
2244         * parser/SourceProvider.h:
2245         (JSC::SourceProvider::getRange):
2246         * runtime/Completion.cpp:
2247         (JSC::loadAndEvaluateModule):
2248         (JSC::loadModule):
2249         * runtime/ErrorInstance.cpp:
2250         (JSC::appendSourceToError):
2251         * runtime/FunctionPrototype.cpp:
2252         (JSC::functionProtoFuncToString):
2253         * tools/FunctionOverrides.cpp:
2254         (JSC::initializeOverrideInfo):
2255         (JSC::FunctionOverrides::initializeOverrideFor):
2256
2257 2015-12-12  Benjamin Poulain  <benjamin@webkit.org>
2258
2259         [JSC] Add lowering for B3's Store8 opcode
2260         https://bugs.webkit.org/show_bug.cgi?id=152208
2261
2262         Reviewed by Geoffrey Garen.
2263
2264         B3 has an opcode to store 8-bit values but it had
2265         no lowering.
2266
2267         * b3/B3LowerToAir.cpp:
2268         (JSC::B3::Air::LowerToAir::createStore):
2269         (JSC::B3::Air::LowerToAir::lower):
2270         * b3/air/AirOpcode.opcodes:
2271         * b3/testb3.cpp:
2272         (JSC::B3::testStore8Arg):
2273         (JSC::B3::testStore8Imm):
2274         (JSC::B3::testStorePartial8BitRegisterOnX86):
2275         (JSC::B3::run):
2276
2277 2015-12-12  Csaba Osztrogonác  <ossy@webkit.org>
2278
2279         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
2280         https://bugs.webkit.org/show_bug.cgi?id=152214
2281
2282         Reviewed by Mark Lam.
2283
2284         * jit/CCallHelpers.h:
2285         (JSC::CCallHelpers::setupArgumentsWithExecState):
2286
2287 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
2288
2289         Web Inspector: Too many derefs when RemoteInspectorXPCConnection fails to validate connection
2290         https://bugs.webkit.org/show_bug.cgi?id=152213
2291
2292         Rubber-stamped by Ryosuke Niwa.
2293
2294         * inspector/remote/RemoteInspectorXPCConnection.mm:
2295         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2296         We should just close the XPC connection, triggering XPC_ERROR_CONNECTION_INVALID,
2297         which will then gracefully tear down the connection as expected.
2298
2299 2015-12-11  Benjamin Poulain  <bpoulain@apple.com>
2300
2301         [JSC] Add Floating Point Abs() to B3
2302         https://bugs.webkit.org/show_bug.cgi?id=152176
2303
2304         Reviewed by Geoffrey Garen.
2305
2306         This patch adds an Abs() operation for floating point.
2307
2308         On x86, Abs() is implemented by masking the top bit
2309         of the floating point value. On ARM64, there is a builtin
2310         abs opcode.
2311
2312         To account for those differences, B3 uses "Abs" as
2313         the canonical operation. When we are about to lower
2314         to Air, Abs is extended on x86 to get a clean handling
2315         of the mask constants.
2316
2317         This patch has one cool thing related to FTL.
2318         If you do:
2319            @1 = unboxDouble(@0)
2320            @2 = abs(@1)
2321            @3 = boxDouble(@2)
2322
2323         B3ReduceStrength completely eliminates the Double-Integer
2324         conversion.
2325
2326         The strength reduction of Abs is aware that it can do a bit
2327         mask over the bitcast used by unboxing.
2328         It even works if you use floats by forcing fround: reduceDoubleToFloat()
2329         eliminates the useless conversions, followed by ReduceStrength
2330         that removes the switch from GP to FP.
2331
2332         * CMakeLists.txt:
2333         * JavaScriptCore.xcodeproj/project.pbxproj:
2334         * assembler/MacroAssemblerX86Common.h:
2335         (JSC::MacroAssemblerX86Common::andDouble):
2336         (JSC::MacroAssemblerX86Common::andFloat):
2337         * assembler/X86Assembler.h:
2338         (JSC::X86Assembler::andps_rr):
2339         * b3/B3ConstDoubleValue.cpp:
2340         (JSC::B3::ConstDoubleValue::bitAndConstant):
2341         (JSC::B3::ConstDoubleValue::absConstant):
2342         * b3/B3ConstDoubleValue.h:
2343         * b3/B3ConstFloatValue.cpp:
2344         (JSC::B3::ConstFloatValue::bitAndConstant):
2345         (JSC::B3::ConstFloatValue::absConstant):
2346         * b3/B3ConstFloatValue.h:
2347         * b3/B3Generate.cpp:
2348         (JSC::B3::generateToAir):
2349         * b3/B3LowerMacrosAfterOptimizations.cpp: Added.
2350         (JSC::B3::lowerMacrosAfterOptimizations):
2351         * b3/B3LowerMacrosAfterOptimizations.h: Added.
2352         * b3/B3LowerToAir.cpp:
2353         (JSC::B3::Air::LowerToAir::lower):
2354         * b3/B3Opcode.cpp:
2355         (WTF::printInternal):
2356         * b3/B3Opcode.h:
2357         * b3/B3ReduceDoubleToFloat.cpp:
2358         * b3/B3ReduceStrength.cpp:
2359         * b3/B3Validate.cpp:
2360         * b3/B3Value.cpp:
2361         (JSC::B3::Value::absConstant):
2362         (JSC::B3::Value::effects):
2363         (JSC::B3::Value::key):
2364         (JSC::B3::Value::typeFor):
2365         * b3/B3Value.h:
2366         * b3/air/AirOpcode.opcodes:
2367         * b3/testb3.cpp:
2368         (JSC::B3::bitAndDouble):
2369         (JSC::B3::testBitAndArgDouble):
2370         (JSC::B3::testBitAndArgsDouble):
2371         (JSC::B3::testBitAndArgImmDouble):
2372         (JSC::B3::testBitAndImmsDouble):
2373         (JSC::B3::bitAndFloat):
2374         (JSC::B3::testBitAndArgFloat):
2375         (JSC::B3::testBitAndArgsFloat):
2376         (JSC::B3::testBitAndArgImmFloat):
2377         (JSC::B3::testBitAndImmsFloat):
2378         (JSC::B3::testBitAndArgsFloatWithUselessDoubleConversion):
2379         (JSC::B3::testAbsArg):
2380         (JSC::B3::testAbsImm):
2381         (JSC::B3::testAbsMem):
2382         (JSC::B3::testAbsAbsArg):
2383         (JSC::B3::testAbsBitwiseCastArg):
2384         (JSC::B3::testBitwiseCastAbsBitwiseCastArg):
2385         (JSC::B3::testAbsArgWithUselessDoubleConversion):
2386         (JSC::B3::testAbsArgWithEffectfulDoubleConversion):
2387         (JSC::B3::run):
2388         * ftl/FTLB3Output.h:
2389         (JSC::FTL::Output::doubleAbs):
2390
2391 2015-12-11  Mark Lam  <mark.lam@apple.com>
2392
2393         Removed some dead code, and simplified some code in the baseline JIT.
2394         https://bugs.webkit.org/show_bug.cgi?id=152199
2395
2396         Reviewed by Benjamin Poulain.
2397
2398         * jit/JIT.h:
2399         * jit/JITArithmetic.cpp:
2400         (JSC::JIT::emitBitBinaryOpFastPath):
2401         (JSC::JIT::emit_op_bitand):
2402         (JSC::JIT::emitSlow_op_lshift):
2403         (JSC::JIT::emitRightShiftFastPath):
2404         (JSC::JIT::emit_op_rshift):
2405         (JSC::JIT::emitSlow_op_rshift):
2406         (JSC::JIT::emit_op_urshift):
2407         (JSC::JIT::emitSlow_op_urshift):
2408
2409 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
2410
2411         B3::reduceStrength should remove redundant Phi's
2412         https://bugs.webkit.org/show_bug.cgi?id=152184
2413
2414         Reviewed by Benjamin Poulain.
2415
2416         This adds redundant Phi removal using Aycock and Horspool's SSA simplification algorithm. This
2417         is needed because even in simple asm.js code, we see a lot of CFG simplification that leaves
2418         behind totally useless Phi's.
2419
2420         * b3/B3PhiChildren.cpp:
2421         (JSC::B3::PhiChildren::PhiChildren):
2422         * b3/B3PhiChildren.h:
2423         (JSC::B3::PhiChildren::at):
2424         (JSC::B3::PhiChildren::operator[]):
2425         (JSC::B3::PhiChildren::phis):
2426         * b3/B3ReduceStrength.cpp:
2427
2428 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
2429
2430         [JSC] Add an implementation of pow() taking an integer exponent to B3
2431         https://bugs.webkit.org/show_bug.cgi?id=152165
2432
2433         Reviewed by Mark Lam.
2434
2435         LLVM has this really neat optimized opcode for
2436         raising the power of something by an integer exponent.
2437
2438         There is no such native instruction so we need to extend
2439         the existing FTLOutput API to something efficient.
2440
2441         DFG has a pretty competitive implementation. In this patch,
2442         I added a version of it to B3.
2443         I created powDoubleInt32() instead of putting the code directly
2444         in FTL for easier testing and optimization.
2445
2446         * CMakeLists.txt:
2447         * JavaScriptCore.xcodeproj/project.pbxproj:
2448         * b3/B3MathExtras.cpp: Added.
2449         (JSC::B3::powDoubleInt32):
2450         * b3/B3MathExtras.h: Added.
2451         * b3/B3MemoryValue.h:
2452         * b3/testb3.cpp:
2453         (JSC::B3::testPowDoubleByIntegerLoop):
2454         (JSC::B3::run):
2455         * dfg/DFGSpeculativeJIT.cpp:
2456         (JSC::DFG::compileArithPowIntegerFastPath):
2457         * ftl/FTLB3Output.cpp:
2458         (JSC::FTL::Output::doublePowi):
2459         * ftl/FTLB3Output.h:
2460         (JSC::FTL::Output::doublePowi): Deleted.
2461
2462 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
2463
2464         B3 should have CSE
2465         https://bugs.webkit.org/show_bug.cgi?id=150961
2466
2467         Reviewed by Benjamin Poulain.
2468
2469         This implements a very simple CSE for pure values. I need this as a prerequisite for other
2470         optimizations that I'm implementing. For now, this is neutral on imaging-gaussian-blur but a
2471         slow-down on asm.js code. I suspect that the asm.js slow-down is because of other things that are
2472         still going wrong, and anyway, I need CSE to be able to do even the most basic asm.js strength
2473         reductions.
2474
2475         * b3/B3ReduceStrength.cpp:
2476         * b3/B3ReduceStrength.h:
2477         * b3/B3Value.cpp:
2478         (JSC::B3::Value::replaceWithIdentity):
2479         (JSC::B3::Value::key):
2480
2481 2015-12-11  Mark Lam  <mark.lam@apple.com>
2482
2483         Refactoring to reduce potential cut-paste errors with the FTL ICs.
2484         https://bugs.webkit.org/show_bug.cgi?id=152185
2485
2486         Reviewed by Saam Barati.
2487
2488         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2489         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2490         * JavaScriptCore.xcodeproj/project.pbxproj:
2491
2492         * ftl/FTLCompile.cpp:
2493         - ICs now have their own names.  GetById and PutByID fast path ICs no longer just
2494           say "inline cache fast path".
2495
2496         * ftl/FTLCompileBinaryOp.cpp:
2497         (JSC::FTL::generateBinaryArithOpFastPath):
2498         - Fixed an indentation.
2499
2500         * ftl/FTLInlineCacheDescriptor.h:
2501         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2502         (JSC::FTL::InlineCacheDescriptor::name):
2503         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
2504         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
2505         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2506         (JSC::FTL::BinaryOpDescriptor::nodeType):
2507         (JSC::FTL::BinaryOpDescriptor::size):
2508         (JSC::FTL::BinaryOpDescriptor::slowPathFunction):
2509         (JSC::FTL::BinaryOpDescriptor::leftOperand):
2510         (JSC::FTL::BinaryOpDescriptor::BinaryOpDescriptor):
2511         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
2512         (JSC::FTL::ArithDivDescriptor::icSize):
2513         (JSC::FTL::ArithDivDescriptor::nodeType):
2514         (JSC::FTL::ArithDivDescriptor::opName):
2515         (JSC::FTL::ArithDivDescriptor::slowPathFunction):
2516         (JSC::FTL::ArithDivDescriptor::nonNumberSlowPathFunction):
2517         (JSC::FTL::ArithMulDescriptor::ArithMulDescriptor):
2518         (JSC::FTL::ArithMulDescriptor::icSize):
2519         (JSC::FTL::ArithMulDescriptor::nodeType):
2520         (JSC::FTL::ArithMulDescriptor::opName):
2521         (JSC::FTL::ArithMulDescriptor::slowPathFunction):
2522         (JSC::FTL::ArithMulDescriptor::nonNumberSlowPathFunction):
2523         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
2524         (JSC::FTL::ArithSubDescriptor::icSize):
2525         (JSC::FTL::ArithSubDescriptor::nodeType):
2526         (JSC::FTL::ArithSubDescriptor::opName):
2527         (JSC::FTL::ArithSubDescriptor::slowPathFunction):
2528         (JSC::FTL::ArithSubDescriptor::nonNumberSlowPathFunction):
2529         (JSC::FTL::ValueAddDescriptor::ValueAddDescriptor):
2530         (JSC::FTL::ValueAddDescriptor::icSize):
2531         (JSC::FTL::ValueAddDescriptor::nodeType):
2532         (JSC::FTL::ValueAddDescriptor::opName):
2533         (JSC::FTL::ValueAddDescriptor::slowPathFunction):
2534         (JSC::FTL::ValueAddDescriptor::nonNumberSlowPathFunction):
2535         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2536         (JSC::FTL::ProbeDescriptor::ProbeDescriptor):
2537         (JSC::FTL::BinaryOpDescriptor::name): Deleted.
2538         (JSC::FTL::BinaryOpDescriptor::fastPathICName): Deleted.
2539         * ftl/FTLInlineCacheDescriptorInlines.h: Removed.
2540         - Consolidate the number of places where we have to fill in a data about new
2541           snippet ICs.  It is all done in FTLInlineCacheDescriptor.h now.
2542
2543         * ftl/FTLJITFinalizer.cpp:
2544         (JSC::FTL::JITFinalizer::finalizeFunction):
2545
2546         * ftl/FTLLowerDFGToLLVM.cpp:
2547         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
2548         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2549         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2550         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2551         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2552         - Introduced a compileUntypedBinaryOp() template and use that at all the FTL
2553           places that need to use a snippet.  This reduces the amount of cut and paste
2554           code.
2555
2556         * ftl/FTLState.h:
2557         - Removed a bad #include.
2558
2559 2015-12-11  Keith Miller  <keith_miller@apple.com>
2560
2561         Overrides has instance should not move ValueFalse to a register then immediately to the stack in the LLInt.
2562         https://bugs.webkit.org/show_bug.cgi?id=152188
2563
2564         Reviewed by Mark Lam.
2565
2566         This fixes a minor issue with the code for overrides_has_instance in the LLInt. The old code had an extra move,
2567         which is both slow and breaks the build on cloop.
2568
2569         * llint/LowLevelInterpreter64.asm:
2570
2571 2015-12-11  Keith Miller  <keith_miller@apple.com>
2572
2573         [ES6] Add support for Symbol.hasInstance
2574         https://bugs.webkit.org/show_bug.cgi?id=151839
2575
2576         Reviewed by Saam Barati.
2577
2578         This patch adds support for Symbol.hasInstance; unfortunately, in order to prevent
2579         regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
2580         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
2581         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
2582         new ones. First, the role of overrides_has_instance and its corresponding DFG node has changed. Now it returns
2583         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
2584         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
2585         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated, as
2586         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
2587         emits a call to slow path code that computes the result.
2588
2589         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
2590         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
2591         it into a CheckTypeInfoFlags followed by a JSConstant.
2592
2593         * API/JSCallbackObject.h:
2594         * builtins/FunctionPrototype.js:
2595         (symbolHasInstance):
2596         * bytecode/BytecodeBasicBlock.cpp:
2597         (JSC::isBranch): Deleted.
2598         * bytecode/BytecodeList.json:
2599         * bytecode/BytecodeUseDef.h:
2600         (JSC::computeUsesForBytecodeOffset):
2601         (JSC::computeDefsForBytecodeOffset):
2602         * bytecode/CodeBlock.cpp:
2603         (JSC::CodeBlock::dumpBytecode):
2604         * bytecode/ExitKind.cpp:
2605         (JSC::exitKindToString):
2606         * bytecode/ExitKind.h:
2607         * bytecode/PreciseJumpTargets.cpp:
2608         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
2609         * bytecompiler/BytecodeGenerator.cpp:
2610         (JSC::BytecodeGenerator::emitOverridesHasInstance):
2611         (JSC::BytecodeGenerator::emitInstanceOfCustom):
2612         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
2613         * bytecompiler/BytecodeGenerator.h:
2614         * bytecompiler/NodesCodegen.cpp:
2615         (JSC::InstanceOfNode::emitBytecode):
2616         * dfg/DFGAbstractInterpreterInlines.h:
2617         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2618         * dfg/DFGByteCodeParser.cpp:
2619         (JSC::DFG::ByteCodeParser::parseBlock):
2620         * dfg/DFGCapabilities.cpp:
2621         (JSC::DFG::capabilityLevel):
2622         * dfg/DFGClobberize.h:
2623         (JSC::DFG::clobberize):
2624         * dfg/DFGDoesGC.cpp:
2625         (JSC::DFG::doesGC):
2626         * dfg/DFGFixupPhase.cpp:
2627         (JSC::DFG::FixupPhase::fixupNode):
2628         * dfg/DFGHeapLocation.cpp:
2629         (WTF::printInternal):
2630         * dfg/DFGHeapLocation.h:
2631         * dfg/DFGNode.h:
2632         (JSC::DFG::Node::hasCellOperand):
2633         (JSC::DFG::Node::hasTypeInfoOperand):
2634         (JSC::DFG::Node::typeInfoOperand):
2635         * dfg/DFGNodeType.h:
2636         * dfg/DFGPredictionPropagationPhase.cpp:
2637         (JSC::DFG::PredictionPropagationPhase::propagate):
2638         * dfg/DFGSafeToExecute.h:
2639         (JSC::DFG::safeToExecute):
2640         * dfg/DFGSpeculativeJIT.cpp:
2641         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2642         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
2643         * dfg/DFGSpeculativeJIT.h:
2644         (JSC::DFG::SpeculativeJIT::callOperation):
2645         * dfg/DFGSpeculativeJIT32_64.cpp:
2646         (JSC::DFG::SpeculativeJIT::compile):
2647         * dfg/DFGSpeculativeJIT64.cpp:
2648         (JSC::DFG::SpeculativeJIT::compile):
2649         * ftl/FTLCapabilities.cpp:
2650         (JSC::FTL::canCompile):
2651         * ftl/FTLIntrinsicRepository.h:
2652         * ftl/FTLLowerDFGToLLVM.cpp:
2653         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2654         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
2655         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
2656         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
2657         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
2658         * jit/JIT.cpp:
2659         (JSC::JIT::privateCompileMainPass):
2660         (JSC::JIT::privateCompileSlowCases):
2661         * jit/JIT.h:
2662         * jit/JITInlines.h:
2663         (JSC::JIT::callOperation):
2664         * jit/JITOpcodes.cpp:
2665         (JSC::JIT::emit_op_overrides_has_instance):
2666         (JSC::JIT::emit_op_instanceof):
2667         (JSC::JIT::emit_op_instanceof_custom):
2668         (JSC::JIT::emitSlow_op_instanceof):
2669         (JSC::JIT::emitSlow_op_instanceof_custom):
2670         (JSC::JIT::emit_op_check_has_instance): Deleted.
2671         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
2672         * jit/JITOpcodes32_64.cpp:
2673         (JSC::JIT::emit_op_overrides_has_instance):
2674         (JSC::JIT::emit_op_instanceof):
2675         (JSC::JIT::emit_op_instanceof_custom):
2676         (JSC::JIT::emitSlow_op_instanceof_custom):
2677         (JSC::JIT::emit_op_check_has_instance): Deleted.
2678         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
2679         * jit/JITOperations.cpp:
2680         * jit/JITOperations.h:
2681         * llint/LLIntData.cpp:
2682         (JSC::LLInt::Data::performAssertions):
2683         * llint/LLIntSlowPaths.cpp:
2684         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2685         * llint/LLIntSlowPaths.h:
2686         * llint/LowLevelInterpreter32_64.asm:
2687         * llint/LowLevelInterpreter64.asm:
2688         * runtime/CommonIdentifiers.h:
2689         * runtime/ExceptionHelpers.cpp:
2690         (JSC::invalidParameterInstanceofSourceAppender):
2691         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
2692         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
2693         (JSC::createInvalidInstanceofParameterErrorNotFunction):
2694         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
2695         (JSC::createInvalidInstanceofParameterError): Deleted.
2696         * runtime/ExceptionHelpers.h:
2697         * runtime/FunctionPrototype.cpp:
2698         (JSC::FunctionPrototype::addFunctionProperties):
2699         * runtime/FunctionPrototype.h:
2700         * runtime/JSBoundFunction.cpp:
2701         (JSC::isBoundFunction):
2702         (JSC::hasInstanceBoundFunction):
2703         * runtime/JSBoundFunction.h:
2704         * runtime/JSGlobalObject.cpp:
2705         (JSC::JSGlobalObject::init):
2706         (JSC::JSGlobalObject::visitChildren):
2707         * runtime/JSGlobalObject.h:
2708         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
2709         * runtime/JSObject.cpp:
2710         (JSC::JSObject::hasInstance):
2711         (JSC::objectPrivateFuncInstanceOf):
2712         * runtime/JSObject.h:
2713         * runtime/JSTypeInfo.h:
2714         (JSC::TypeInfo::TypeInfo):
2715         (JSC::TypeInfo::overridesHasInstance):
2716         * runtime/WriteBarrier.h:
2717         (JSC::WriteBarrierBase<Unknown>::slot):
2718         * tests/es6.yaml:
2719         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
2720         (Constructor):
2721         (value):
2722         (instanceOf):
2723         (body):
2724         * tests/stress/symbol-hasInstance.js: Added.
2725         (Constructor):
2726         (value):
2727         (ObjectClass.Symbol.hasInstance):
2728         (NumberClass.Symbol.hasInstance):
2729
2730 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
2731
2732         check-for-inappropriate-objc-class-names should check all class names, not just externally visible ones
2733         https://bugs.webkit.org/show_bug.cgi?id=152156
2734
2735         Reviewed by Dan Bernstein.
2736
2737         * llvm/InitializeLLVMMac.cpp:
2738         Remove stale comment. The ObjC class this comment referenced
2739         has already been removed.
2740
2741 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
2742
2743         [JSC] Little cleanup of FTLOutput type casts and conversions
2744         https://bugs.webkit.org/show_bug.cgi?id=152166
2745
2746         Reviewed by Geoffrey Garen.
2747
2748         Clean up:
2749         -Change fpCast() to explicit conversion doubleToFloat() and floatToDouble()
2750          to match B3's opcodes.
2751         -Remove unused conversion functions.
2752         -Use the most specific cast function when possible.
2753         -Functions that are only used inside FTLOutput are made private.
2754          In FTLB3Output, those functions were removed.
2755
2756         * ftl/FTLB3Output.h:
2757         (JSC::FTL::Output::doubleToFloat):
2758         (JSC::FTL::Output::floatToDouble):
2759         (JSC::FTL::Output::fround):
2760         (JSC::FTL::Output::fpToInt): Deleted.
2761         (JSC::FTL::Output::fpToUInt): Deleted.
2762         (JSC::FTL::Output::intToFP): Deleted.
2763         (JSC::FTL::Output::unsignedToFP): Deleted.
2764         (JSC::FTL::Output::intCast): Deleted.
2765         (JSC::FTL::Output::fpCast): Deleted.
2766         (JSC::FTL::Output::intToPtr): Deleted.
2767         (JSC::FTL::Output::ptrToInt): Deleted.
2768         * ftl/FTLLowerDFGToLLVM.cpp:
2769         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
2770         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
2771         * ftl/FTLOutput.h:
2772         (JSC::FTL::Output::doubleToFloat):
2773         (JSC::FTL::Output::floatToDouble):
2774         (JSC::FTL::Output::intCast):
2775         (JSC::FTL::Output::fpToInt):
2776         (JSC::FTL::Output::fpToUInt):
2777         (JSC::FTL::Output::fpCast):
2778         (JSC::FTL::Output::intToFP):
2779         (JSC::FTL::Output::unsignedToFP):
2780
2781 2015-12-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2782
2783         Binding and builtin generators should lowercase RTCXX as rtcXX and not rTCXX
2784         https://bugs.webkit.org/show_bug.cgi?id=152121
2785
2786         Reviewed by Darin Adler.
2787
2788         * Scripts/builtins/builtins_generator.py:
2789         (WK_lcfirst): Added RTC special rule.
2790
2791 2015-12-09  Filip Pizlo  <fpizlo@apple.com>
2792
2793         FTL B3 should be able to run quicksort asm.js test
2794         https://bugs.webkit.org/show_bug.cgi?id=152105
2795
2796         Reviewed by Geoffrey Garen.
2797
2798         This covers making all of the changes needed to run quicksort.js from AsmBench.
2799
2800         - Reintroduced float types to FTLLower since we now have B3::Float.
2801
2802         - Gave FTL::Output the ability to speak of load types and store types separately from LValue
2803           types. This dodges the problem that B3 doesn't have types for Int8 and Int16 but supports loads
2804           and stores of that type.
2805
2806         - Implemented Mod in B3 and wrote tests.
2807
2808         I also fixed a pre-existing bug in a test that appeared to only manifest in release builds.
2809
2810         Currently, B3's performance on asm.js tests is not good. It should be easy to fix:
2811
2812         - B3 should strength-reduce the shifting madness that happens in asm.js memory accesses
2813           https://bugs.webkit.org/show_bug.cgi?id=152106
2814
2815         - B3 constant hoisting should have a story for the asm.js heap constant
2816           https://bugs.webkit.org/show_bug.cgi?id=152107
2817
2818         * b3/B3CCallValue.h:
2819         * b3/B3Const32Value.cpp:
2820         (JSC::B3::Const32Value::divConstant):
2821         (JSC::B3::Const32Value::modConstant):
2822         (JSC::B3::Const32Value::bitAndConstant):
2823         * b3/B3Const32Value.h:
2824         * b3/B3Const64Value.cpp:
2825         (JSC::B3::Const64Value::divConstant):
2826         (JSC::B3::Const64Value::modConstant):
2827         (JSC::B3::Const64Value::bitAndConstant):
2828         * b3/B3Const64Value.h:
2829         * b3/B3ReduceStrength.cpp:
2830         * b3/B3Validate.cpp:
2831         * b3/B3Value.cpp:
2832         (JSC::B3::Value::divConstant):
2833         (JSC::B3::Value::modConstant):
2834         (JSC::B3::Value::bitAndConstant):
2835         * b3/B3Value.h:
2836         * b3/testb3.cpp:
2837         (JSC::B3::testChillDiv64):
2838         (JSC::B3::testMod):
2839         (JSC::B3::testSwitch):
2840         (JSC::B3::run):
2841         * ftl/FTLB3Output.cpp:
2842         (JSC::FTL::Output::load16ZeroExt32):
2843         (JSC::FTL::Output::store):
2844         (JSC::FTL::Output::store32As8):
2845         (JSC::FTL::Output::store32As16):
2846         (JSC::FTL::Output::loadFloatToDouble): Deleted.
2847         * ftl/FTLB3Output.h:
2848         (JSC::FTL::Output::mul):
2849         (JSC::FTL::Output::div):
2850         (JSC::FTL::Output::chillDiv):
2851         (JSC::FTL::Output::rem):
2852         (JSC::FTL::Output::neg):
2853         (JSC::FTL::Output::load32):
2854         (JSC::FTL::Output::load64):
2855         (JSC::FTL::Output::loadPtr):
2856         (JSC::FTL::Output::loadFloat):
2857         (JSC::FTL::Output::loadDouble):
2858         (JSC::FTL::Output::store32):
2859         (JSC::FTL::Output::store64):
2860         (JSC::FTL::Output::storePtr):
2861         (JSC::FTL::Output::storeFloat):
2862         (JSC::FTL::Output::storeDouble):
2863         (JSC::FTL::Output::addPtr):
2864         (JSC::FTL::Output::extractValue):
2865         (JSC::FTL::Output::call):
2866         (JSC::FTL::Output::operation):
2867         * ftl/FTLLowerDFGToLLVM.cpp:
2868         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
2869         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
2870         (JSC::FTL::DFG::LowerDFGToLLVM::compileArrayPush):
2871         (JSC::FTL::DFG::LowerDFGToLLVM::compileArrayPop):
2872         * ftl/FTLOutput.cpp:
2873         (JSC::FTL::Output::Output):
2874         (JSC::FTL::Output::store):
2875         (JSC::FTL::Output::check):
2876         (JSC::FTL::Output::load):
2877         * ftl/FTLOutput.h:
2878         (JSC::FTL::Output::load32):
2879         (JSC::FTL::Output::load64):
2880         (JSC::FTL::Output::loadPtr):
2881         (JSC::FTL::Output::loadFloat):
2882         (JSC::FTL::Output::loadDouble):
2883         (JSC::FTL::Output::store32As8):
2884         (JSC::FTL::Output::store32As16):
2885         (JSC::FTL::Output::store32):
2886         (JSC::FTL::Output::store64):
2887         (JSC::FTL::Output::storePtr):
2888         (JSC::FTL::Output::storeFloat):
2889         (JSC::FTL::Output::storeDouble):
2890         (JSC::FTL::Output::addPtr):
2891         (JSC::FTL::Output::loadFloatToDouble): Deleted.
2892         (JSC::FTL::Output::store16): Deleted.
2893
2894 2015-12-10  Filip Pizlo  <fpizlo@apple.com>
2895
2896         Consider still matching an address expression even if B3 has already assigned a Tmp to it
2897         https://bugs.webkit.org/show_bug.cgi?id=150777
2898
2899         Reviewed by Geoffrey Garen.
2900
2901         We need some heuristic for when an address should be computed as a separate instruction. It's
2902         usually profitable to sink the address into the memory access. The previous heuristic meant that
2903         the address would get separate instructions if it was in a separate block from the memory access.
2904         This was messing up codegen of things like PutByVal out-of-bounds, where the address is computed
2905         in one block and then used in another. I don't think that which block owns the address
2906         computation should factor into any heuristic here, since it's so fragile: the compiler may lower
2907         something by splitting blocks and we don't want this to ruin performance.
2908
2909         So, this replaces that heuristic with a more sensible one: the address computation gets its own
2910         instruction if it has a lot of uses. In practice this means that we always sink the address
2911         computation into the memory access.
2912
2913         * b3/B3LowerToAir.cpp:
2914         (JSC::B3::Air::LowerToAir::effectiveAddr):
2915
2916 2015-12-10  Daniel Bates  <dabates@apple.com>
2917
2918         [CSP] eval() is not blocked for stringified literals
2919         https://bugs.webkit.org/show_bug.cgi?id=152158
2920         <rdar://problem/15775625>
2921
2922         Reviewed by Saam Barati.
2923
2924         Fixes an issue where stringified literals can be eval()ed despite being disallowed by
2925         Content Security Policy of the page.
2926
2927         * interpreter/Interpreter.cpp:
2928         (JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
2929         and return undefined.
2930         * runtime/JSGlobalObjectFunctions.cpp:
2931         (JSC::globalFuncEval): Ditto.
2932
2933 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
2934
2935         Fix jsc symlink creation on iOS
2936         https://bugs.webkit.org/show_bug.cgi?id=152155
2937
2938         Reviewed by Dan Bernstein.
2939
2940         * JavaScriptCore.xcodeproj/project.pbxproj:
2941         Switch from INSTALL_PATH_ACTUAL to just INSTALL_PATH.
2942         Remove now unnecessary INSTALL_PATH_PREFIX use as well.
2943
2944 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
2945
2946         Remote Inspector: Verify the identity of the other side of XPC connections
2947         https://bugs.webkit.org/show_bug.cgi?id=152153
2948
2949         Reviewed by Brian Burg.
2950
2951         * JavaScriptCore.xcodeproj/project.pbxproj:
2952         Link with the Security framework.
2953
2954         * inspector/remote/RemoteInspectorXPCConnection.h:
2955         * inspector/remote/RemoteInspectorXPCConnection.mm:
2956         (auditTokenHasEntitlement):
2957         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2958         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): Deleted.
2959         When receiving the first message, verify the XPC connection
2960         is connected to who we thought we were connected to, and
2961         bail if it isn't.
2962
2963 2015-12-10  Benjamin Poulain  <bpoulain@apple.com>
2964
2965         [JSC] Add a Modulo operator to B3, and a chill variant
2966         https://bugs.webkit.org/show_bug.cgi?id=152110
2967
2968         Reviewed by Geoffrey Garen.
2969
2970         It is basically refactoring the Div and ChillDiv
2971         code to be used by both opcodes.
2972
2973         * b3/B3Common.h:
2974         (JSC::B3::chillDiv):
2975         (JSC::B3::chillMod):
2976         * b3/B3Const32Value.cpp:
2977         (JSC::B3::Const32Value::modConstant):
2978         * b3/B3Const32Value.h:
2979         * b3/B3Const64Value.cpp:
2980         (JSC::B3::Const64Value::modConstant):
2981         * b3/B3Const64Value.h:
2982         * b3/B3ConstDoubleValue.cpp:
2983         (JSC::B3::ConstDoubleValue::modConstant):
2984         * b3/B3ConstDoubleValue.h:
2985         * b3/B3LowerMacros.cpp:
2986         * b3/B3LowerToAir.cpp:
2987         (JSC::B3::Air::LowerToAir::lower):
2988         (JSC::B3::Air::LowerToAir::lowerX86Div):
2989         * b3/B3Opcode.cpp:
2990         (WTF::printInternal):
2991         * b3/B3Opcode.h:
2992         * b3/B3ReduceStrength.cpp:
2993         * b3/B3Validate.cpp:
2994         * b3/B3Value.cpp:
2995         (JSC::B3::Value::modConstant):
2996         (JSC::B3::Value::effects):
2997         (JSC::B3::Value::key):
2998         (JSC::B3::Value::typeFor):
2999         * b3/B3Value.h:
3000         * b3/testb3.cpp:
3001         (JSC::B3::testModArgDouble):
3002         (JSC::B3::testModArgsDouble):
3003         (JSC::B3::testModArgImmDouble):
3004         (JSC::B3::testModImmArgDouble):
3005         (JSC::B3::testModImmsDouble):
3006         (JSC::B3::testModArgFloat):
3007         (JSC::B3::testModArgsFloat):
3008         (JSC::B3::testModArgImmFloat):
3009         (JSC::B3::testModImmArgFloat):
3010         (JSC::B3::testModImmsFloat):
3011         (JSC::B3::testModArg):
3012         (JSC::B3::testModArgs):
3013         (JSC::B3::testModImms):
3014         (JSC::B3::testModArg32):
3015         (JSC::B3::testModArgs32):
3016         (JSC::B3::testModImms32):
3017         (JSC::B3::testChillModArg):
3018         (JSC::B3::testChillModArgs):
3019         (JSC::B3::testChillModImms):
3020         (JSC::B3::testChillModArg32):
3021         (JSC::B3::testChillModArgs32):
3022         (JSC::B3::testChillModImms32):
3023         (JSC::B3::run):
3024         * ftl/FTLB3Output.h:
3025         (JSC::FTL::Output::mod):
3026         (JSC::FTL::Output::chillMod):
3027         (JSC::FTL::Output::doubleMod):
3028         (JSC::FTL::Output::rem): Deleted.
3029         (JSC::FTL::Output::doubleRem): Deleted.
3030         * ftl/FTLLowerDFGToLLVM.cpp:
3031         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
3032         * ftl/FTLOutput.cpp:
3033         (JSC::FTL::Output::chillMod):
3034         * ftl/FTLOutput.h:
3035         (JSC::FTL::Output::mod):
3036         (JSC::FTL::Output::doubleMod):
3037         (JSC::FTL::Output::rem): Deleted.
3038         (JSC::FTL::Output::doubleRem): Deleted.
3039
3040 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3041
3042         [B3] Add new files to the cmake build system
3043         https://bugs.webkit.org/show_bug.cgi?id=152120
3044
3045         Reviewed by Filip Pizlo.
3046
3047         * CMakeLists.txt:
3048
3049 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3050
3051         [B3] Use mark pragmas only if it is supported
3052         https://bugs.webkit.org/show_bug.cgi?id=152123
3053
3054         Reviewed by Mark Lam.
3055
3056         * ftl/FTLB3Output.h:
3057
3058 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3059
3060         [B3] Typo fix in testb3.cpp
3061         https://bugs.webkit.org/show_bug.cgi?id=152126
3062
3063         Reviewed by Mark Lam.
3064
3065         * b3/testb3.cpp:
3066         (JSC::B3::populateWithInterestingValues):
3067
3068 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3069
3070         [B3] Fix unused-but-set-variable warning
3071         https://bugs.webkit.org/show_bug.cgi?id=152122
3072
3073         Reviewed by Mark Lam.
3074
3075         * ftl/FTLLowerDFGToLLVM.cpp:
3076         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3077
3078 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3079
3080         [B3] Make GCC ignore warnings in FTLB3Output.h
3081         https://bugs.webkit.org/show_bug.cgi?id=152124
3082
3083         Reviewed by Mark Lam.
3084
3085         * ftl/FTLB3Output.h:
3086
3087 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3088
3089         [EFL] Remove the unused IncrementalSweeper::m_isTimerFrozen member after r193749
3090         https://bugs.webkit.org/show_bug.cgi?id=152127
3091
3092         Reviewed by Mark Lam.
3093
3094         * heap/IncrementalSweeper.h:
3095
3096 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
3097
3098         Source/JavaScriptCore/create_hash_table shouldn't be too verbose
3099         https://bugs.webkit.org/show_bug.cgi?id=151861
3100
3101         Reviewed by Darin Adler.
3102
3103         * create_hash_table:
3104
3105 2015-12-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3106
3107         JSC Builtins should use safe array methods
3108         https://bugs.webkit.org/show_bug.cgi?id=151501
3109
3110         Reviewed by Darin Adler.
3111
3112         Adding @push and @shift to Array prototype.
3113         Using @push in TypedArray built-in.
3114
3115         Covered by added test in LayoutTests/js/builtins.
3116
3117         * builtins/TypedArray.prototype.js:
3118         (filter):
3119         * runtime/ArrayPrototype.cpp:
3120         (JSC::ArrayPrototype::finishCreation):
3121         * runtime/CommonIdentifiers.h:
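
        Why a builtin must not reach push() through the prototype chain, shown as an
        added example that is not WebKit or JSC code: page script that replaces
        Array.prototype.push can observe and corrupt a naive builtin's work, while a
        builtin that captures the original method when it is defined (the idea behind
        the private @push used here) is unaffected. The names filterNaive, filterSafe,
        runWithPatchedPush and demo, and the sample input, are constructed for this
        illustration.

```javascript
// Added example (not WebKit code): a builtin that calls push() through the
// prototype chain can be hijacked by page script that replaces
// Array.prototype.push. Capturing the original method at definition time
// (the idea behind JSC's private @push) removes that dependency.
// filterNaive, filterSafe, runWithPatchedPush and demo are constructed names.

// Naive form: `result.push` is looked up on Array.prototype at every call.
function filterNaive(array, predicate) {
  const result = [];
  for (let i = 0; i < array.length; i++) {
    if (predicate(array[i])) result.push(array[i]);
  }
  return result;
}

// Hardened form: bind the original Array.prototype.push once, when this
// module is defined, so later writes to Array.prototype cannot redirect it.
const originalPush = Function.prototype.call.bind(Array.prototype.push);

function filterSafe(array, predicate) {
  const result = [];
  for (let i = 0; i < array.length; i++) {
    if (predicate(array[i])) originalPush(result, array[i]);
  }
  return result;
}

// Run fn while Array.prototype.push is replaced by a version that records
// every pushed value and substitutes a marker, then restore the original.
function runWithPatchedPush(fn) {
  const saved = Array.prototype.push;
  const leaked = [];
  Array.prototype.push = function (...items) {
    Reflect.apply(saved, leaked, items);             // observe the values
    return Reflect.apply(saved, this, ["tampered"]); // corrupt the result
  };
  try {
    return { result: fn(), leaked };
  } finally {
    Array.prototype.push = saved;
  }
}

// Both builtins filter under the patched push; only the naive one is
// observable and corruptible from the outside.
function demo() {
  const input = [1, 2, 3, 4, 5, 6];   // constructed sample input
  const isEven = (x) => x % 2 === 0;
  return {
    naive: runWithPatchedPush(() => filterNaive(input, isEven)),
    safe: runWithPatchedPush(() => filterSafe(input, isEven)),
  };
}

console.log(JSON.stringify(demo()));
```

        The naive builtin returns three "tampered" entries and leaks 2, 4, 6 to the
        patched push; the hardened one returns [2, 4, 6] and leaks nothing. The same
        reasoning applies to any Array.prototype method a builtin relies on, which is
        why @shift is added alongside @push.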
3122
3123 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
3124
3125         FTL B3 should have basic GetById support
3126         https://bugs.webkit.org/show_bug.cgi?id=152035
3127
3128         Reviewed by Saam Barati.
3129
3130         Adds basic GetById support. This was so easy to do. Unlike the LLVM code for this, the B3 code is
3131         entirely self-contained within the getById() method in LowerDFG.
3132
3133         I discovered that we weren't folding Check(NotEqual(x, 0)) to Check(x). This was preventing us
3134         from generating good code for Check(NotEqual(BitAnd(x, tagMask), 0)), since the BitAnd was
3135         concealed. This was an easy strength reduction rule to add.
3136
3137         Finally, I found it easier to say append(value, rep) than append(ConstrainedValue(value, rep)), so
3138         I added that API. The old ConstrainedValue form is still super useful in other places, like
3139         compileCallOrConstruct(), where the two-argument form would be awkward. It's great to have both
3140         APIs to pick from.
3141
3142         * b3/B3ReduceStrength.cpp:
3143         * b3/B3StackmapValue.cpp:
3144         (JSC::B3::StackmapValue::~StackmapValue):
3145         (JSC::B3::StackmapValue::append):
3146         * b3/B3StackmapValue.h:
3147         * dfg/DFGCommon.h:
3148         * ftl/FTLLowerDFGToLLVM.cpp:
3149         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3150
3151 2015-12-09  Saam barati  <sbarati@apple.com>
3152
3153         Update generators' features.json to indicate that we have a spec compliant implementation
3154         https://bugs.webkit.org/show_bug.cgi?id=152085
3155
3156         Reviewed by Joseph Pecoraro.
3157
3158         * features.json:
3159
3160 2015-12-09  Saam barati  <sbarati@apple.com>
3161
3162         Update features.json w.r.t. tail calls
3163         https://bugs.webkit.org/show_bug.cgi?id=152072
3164
3165         Reviewed by Michael Saboff.
3166
3167         * features.json:
3168
3169 2015-12-09  Saam barati  <sbarati@apple.com>
3170
3171         we should emit op_watchdog after op_enter
3172         https://bugs.webkit.org/show_bug.cgi?id=151972
3173
3174         Reviewed by Mark Lam.
3175
3176         This also solves the issue of watchdog not being
3177         observed when we loop purely through tail calls.
3178
3179         * API/tests/ExecutionTimeLimitTest.cpp:
3180         (testExecutionTimeLimit):
3181         * bytecompiler/BytecodeGenerator.cpp:
3182         (JSC::BytecodeGenerator::BytecodeGenerator):
3183         (JSC::BytecodeGenerator::emitProfiledOpcode):
3184         (JSC::BytecodeGenerator::emitEnter):
3185         (JSC::BytecodeGenerator::emitLoopHint):
3186         * bytecompiler/BytecodeGenerator.h:
3187
3188 2015-12-08  Benjamin Poulain  <bpoulain@apple.com>
3189
3190         [JSC] Improve how B3 lowers Add() and Sub() on x86
3191         https://bugs.webkit.org/show_bug.cgi?id=152026
3192
3193         Reviewed by Geoffrey Garen.
3194
3195         The assembler was missing some important x86 forms of
3196         ADD and SUB that were making our lowering
3197         unfriendly with register allocation.
3198
3199         First, we were missing a 3 operand version of Add
3200         implemented with LEA. As a result, an Add would
3201         be lowered as:
3202             Move op1->srcDest
3203             Add op2, srcDest
3204         The problem with such code is that op2 and srcDest
3205         interfere. It is impossible to assign them the same
3206         machine register.
3207
3208         With the new Add form, we have:
3209             Add op1, op2, dest
3210         without interferences between any of those values.
3211         The add is implemented by a LEA without scaling or displacement.
3212
3213         This patch also adds missing forms of Add and Sub with
3214         direct addressing for arguments. This avoids dealing with Tmps
3215         that only exist for those operations.
3216
3217         Finally, the lowering of adding something to itself was updated accordingly.
3218         Such an operation is transformed into Shl by 2. The lowering of Shl
3219         was adding an explicit Move, preventing the use of LEA when it
3220         is useful.
3221         Instead of having an explicit move, I changed the direct addressing
3222         forms to only be selected if the two operands are different.
3223         A Move is then added by appendBinOp() if needed.
3224
3225         * assembler/MacroAssemblerX86Common.h:
3226         (JSC::MacroAssemblerX86Common::add32):
3227         (JSC::MacroAssemblerX86Common::x86Lea32):
3228         * assembler/MacroAssemblerX86_64.h:
3229         (JSC::MacroAssemblerX86_64::add64):
3230         (JSC::MacroAssemblerX86_64::x86Lea64):
3231         (JSC::MacroAssemblerX86_64::sub64):
3232         * assembler/X86Assembler.h:
3233         (JSC::X86Assembler::addq_rm):
3234         (JSC::X86Assembler::subq_mr):
3235         (JSC::X86Assembler::subq_rm):
3236         (JSC::X86Assembler::subq_im):
3237         (JSC::X86Assembler::leal_mr):
3238         (JSC::X86Assembler::leaq_mr):
3239         * b3/B3LowerToAir.cpp:
3240         (JSC::B3::Air::LowerToAir::appendBinOp):
3241         (JSC::B3::Air::LowerToAir::lower):
3242         * b3/air/AirOpcode.opcodes:
3243         * b3/testb3.cpp:
3244         (JSC::B3::testAddArgMem):
3245         (JSC::B3::testAddMemArg):
3246         (JSC::B3::testAddImmMem):
3247         (JSC::B3::testAddArg32):
3248         (JSC::B3::testAddArgMem32):
3249         (JSC::B3::testAddMemArg32):
3250         (JSC::B3::testAddImmMem32):
3251         (JSC::B3::testSubArgMem):
3252         (JSC::B3::testSubMemArg):
3253         (JSC::B3::testSubImmMem):
3254         (JSC::B3::testSubMemImm):
3255         (JSC::B3::testSubMemArg32):
3256         (JSC::B3::testSubArgMem32):
3257         (JSC::B3::testSubImmMem32):
3258         (JSC::B3::testSubMemImm32):
3259         (JSC::B3::run):
3260
3261 2015-12-08  Mark Lam  <mark.lam@apple.com>
3262
3263         Factoring out common DFG code for bitwise and shift operators.
3264         https://bugs.webkit.org/show_bug.cgi?id=152019
3265
3266         Reviewed by Michael Saboff.
3267
3268         * dfg/DFGSpeculativeJIT.cpp:
3269         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
3270         (JSC::DFG::SpeculativeJIT::compileShiftOp):
3271         * dfg/DFGSpeculativeJIT.h:
3272         * dfg/DFGSpeculativeJIT32_64.cpp:
3273         (JSC::DFG::SpeculativeJIT::compile):
3274         * dfg/DFGSpeculativeJIT64.cpp:
3275         (JSC::DFG::SpeculativeJIT::compile):
3276
3277 2015-12-08  Mark Lam  <mark.lam@apple.com>
3278
3279         DFG and FTL should be resilient against cases where both snippet operands are constant.
3280         https://bugs.webkit.org/show_bug.cgi?id=152017
3281
3282         Reviewed by Michael Saboff.
3283
3284         The DFG front end may not always constant fold cases where both operands are
3285         constant.  As a result, the DFG and FTL back ends need to be resilient against
3286         this when using snippet generators since the generators do not support the case
3287         where both operands are constant.  The strategy for handling this 2 const operands
3288         case is to treat at least one of them as a variable if both are constant.
3289
3290         * dfg/DFGSpeculativeJIT.cpp:
3291         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3292         - Also remove the case for folding 2 constant operands.  It is the front end's
3293           job to do so, not the back end here.
3294
3295         (JSC::DFG::SpeculativeJIT::compileArithSub):
3296         (JSC::DFG::SpeculativeJIT::compileArithMul):
3297         * ftl/FTLLowerDFGToLLVM.cpp:
3298         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
3299         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3300
3301 2015-12-08  Mark Lam  <mark.lam@apple.com>
3302
3303         Snippefy shift operators for the baseline JIT.
3304         https://bugs.webkit.org/show_bug.cgi?id=151875
3305
3306         Reviewed by Geoffrey Garen.
3307
3308         * CMakeLists.txt:
3309         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3310         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3311         * JavaScriptCore.xcodeproj/project.pbxproj:
3312         * jit/JIT.h:
3313
3314         * jit/JITArithmetic.cpp:
3315         (JSC::JIT::emitBitBinaryOpFastPath):
3316         - Don't need GPRInfo:: qualifiers.  Removed them to reduce verbosity.
3317         - Also removed the emitStoreInt32() case for storing the result on 32-bit ports.
3318           This is because:
3319           1. The client should not make assumptions about whether the snippet fast path
3320              only includes cases where the result tag already contains the IntTag.
3321           2. The "(op1 == result || op2 == result)" condition for skipping the IntTag
3322              storage is only valid for the bitand, bitor, and bitxor implementations.
3323              It is invalid for the lshift implementation that uses this code now.
3324           Instead, we'll always unconditionally store the result tag that the
3325           snippet computed for us.
3326
3327         (JSC::JIT::emit_op_lshift):
3328         (JSC::JIT::emitSlow_op_lshift):
3329         (JSC::JIT::emitRightShiftFastPath):
3330         (JSC::JIT::emit_op_rshift):
3331         (JSC::JIT::emitSlow_op_rshift):
3332         (JSC::JIT::emit_op_urshift):
3333         (JSC::JIT::emitSlow_op_urshift):
3334
3335         * jit/JITArithmetic32_64.cpp:
3336         (JSC::JIT::emit_op_lshift): Deleted.
3337         (JSC::JIT::emitSlow_op_lshift): Deleted.
3338         (JSC::JIT::emitRightShift): Deleted.
3339         (JSC::JIT::emitRightShiftSlowCase): Deleted.
3340         (JSC::JIT::emit_op_rshift): Deleted.
3341         (JSC::JIT::emitSlow_op_rshift): Deleted.
3342         (JSC::JIT::emit_op_urshift): Deleted.
3343         (JSC::JIT::emitSlow_op_urshift): Deleted.
3344
3345         * jit/JITLeftShiftGenerator.cpp: Added.
3346         (JSC::JITLeftShiftGenerator::generateFastPath):
3347         * jit/JITLeftShiftGenerator.h: Added.
3348         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
3349         * jit/JITRightShiftGenerator.cpp: Added.
3350         (JSC::JITRightShiftGenerator::generateFastPath):
3351         * jit/JITRightShiftGenerator.h: Added.
3352         (JSC::JITRightShiftGenerator::JITRightShiftGenerator):
3353
3354         * tests/stress/op_lshift.js:
3355         * tests/stress/op_rshift.js:
3356         * tests/stress/op_urshift.js:
3357         - Fixed some values and added others that are meaningful for testing shifts.
3358
3359         * tests/stress/resources/binary-op-test.js:
3360         (stringifyIfNeeded):
3361         (generateBinaryTests):
3362         - Fixed the test generator to give unique names to all the generated test
3363           functions.  Without this, multiple tests may end up using the same global
3364           test function.  As a result, with enough test values to test, the function may
3365           get prematurely JITted, and the computed expected result, which is supposed to
3366           be computed by the LLINT, may end up being computed by a JIT instead.
3367
3368 2015-12-08  Joseph Pecoraro  <pecoraro@apple.com>
3369
3370         Create a Sandbox SPI header
3371         https://bugs.webkit.org/show_bug.cgi?id=151981
3372
3373         Reviewed by Andy Estes.
3374
3375         * inspector/remote/RemoteInspector.mm:
3376
3377 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
3378
3379         DFG::UnificationPhase should merge isProfitableToUnbox, since this may have been set in ByteCodeParser
3380         https://bugs.webkit.org/show_bug.cgi?id=152011
3381         rdar://problem/23777875
3382
3383         Reviewed by Michael Saboff.
3384