294d29ba198814810e382a95a2887aae34ee1507
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * jit/CCallHelpers.cpp:

2016-03-18  Filip Pizlo  <fpizlo@apple.com>

        JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
        https://bugs.webkit.org/show_bug.cgi?id=155598

        Reviewed by Saam Barati.

        JSC is the first JSVM to have proper tail calls. This means that error.stack and the
        debugger will appear to "delete" strict mode stack frames, if the call that this frame made
        was in tail position. This is exactly what functional programmers expect - they don't want
        the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
        using tail calls. It's also something that non-functional programmers fear. It's not clear
        that tail-deleted frames would actually degrade the debugging experience, but the fear is
        real, so it's worthwhile to do something about it.

        It turns out that there is at least one tail call implementation that doesn't suffer from
        this problem. It implements proper tail calls in the sense that you won't run out of memory
        by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
        long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
        favorite hacks:

        http://www.more-magic.net/posts/internals-gc.html

        CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
        one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
        frame only once we proved that there was insufficient memory to keep it around.

        CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
        can have arbitrary native code, and that native code does not have relocatable stack frames.

        But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
        VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
        information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
        layout. The main stack can then continue to obey ABI rules.

        This patch implements a mechanism for being able to display stack traces that include
        tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
        frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
        This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.

        ShadowChicken is always on, but individual CodeBlocks may make their own choices about
        whether to opt into it. They will do that at bytecompile time based on the debugger mode on
        their global object.

        When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
        in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
        minor.

        When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
        this all the time, but it's low enough to justify enabling in the Inspector. It's currently
        enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
        debugger is on.

        Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
        no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
        disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
        hacked to do it yet. Native frames fall into this category, as do the VM entry frames.

        This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
        just makes a ShadowChicken stack walk function available to jsc. It's used from the
        shadow-chicken tests.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::BacktraceFunctor):
        (BacktraceFunctor::operator()):
        (JSContextCreateBacktrace):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
        (JSC::RecursionCheckFunctor::operator()):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
        (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator()):
        (JSC::LineAndColumnFunctor::column):
        (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
        (JSC::FindCallerMidStackFunctor::operator()):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::visitShadowChicken):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::collectImpl):
        * heap/Heap.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStack):
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::GetCatchHandlerFunctor::handler):
        (JSC::GetCatchHandlerFunctor::operator()):
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
        * interpreter/ShadowChicken.cpp: Added.
        (JSC::ShadowChicken::Packet::dump):
        (JSC::ShadowChicken::Frame::dump):
        (JSC::ShadowChicken::ShadowChicken):
        (JSC::ShadowChicken::~ShadowChicken):
        (JSC::ShadowChicken::log):
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::visitChildren):
        (JSC::ShadowChicken::reset):
        (JSC::ShadowChicken::dump):
        (JSC::ShadowChicken::functionsOnStack):
        * interpreter/ShadowChicken.h: Added.
        (JSC::ShadowChicken::Packet::Packet):
        (JSC::ShadowChicken::Packet::tailMarker):
        (JSC::ShadowChicken::Packet::throwMarker):
        (JSC::ShadowChicken::Packet::prologue):
        (JSC::ShadowChicken::Packet::tail):
        (JSC::ShadowChicken::Packet::throwPacket):
        (JSC::ShadowChicken::Packet::operator bool):
        (JSC::ShadowChicken::Packet::isPrologue):
        (JSC::ShadowChicken::Packet::isTail):
        (JSC::ShadowChicken::Packet::isThrow):
        (JSC::ShadowChicken::Frame::Frame):
        (JSC::ShadowChicken::Frame::operator==):
        (JSC::ShadowChicken::Frame::operator!=):
        (JSC::ShadowChicken::log):
        (JSC::ShadowChicken::logSize):
        (JSC::ShadowChicken::addressOfLogCursor):
        (JSC::ShadowChicken::logEnd):
        * interpreter/ShadowChickenInlines.h: Added.
        (JSC::ShadowChicken::iterate):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callee):
        (JSC::StackVisitor::Frame::codeBlock):
        (JSC::StackVisitor::Frame::bytecodeOffset):
        (JSC::StackVisitor::Frame::inlineCallFrame):
        (JSC::StackVisitor::Frame::isJSFrame):
        (JSC::StackVisitor::Frame::isInlinedFrame):
        (JSC::StackVisitor::visit):
        * jit/CCallHelpers.cpp: Added.
        (JSC::CCallHelpers::logShadowChickenProloguePacket):
        (JSC::CCallHelpers::logShadowChickenTailPacket):
        (JSC::CCallHelpers::setupShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resume):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
        (FunctionJSCStackFunctor::operator()):
        (functionClearSamplingFlags):
        (functionShadowChickenFunctionsOnStack):
        (functionReadline):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        * runtime/Error.cpp:
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::result):
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::result):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::result):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        * runtime/NullSetterFunction.cpp:
        (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
        (JSC::GetCallerStrictnessFunctor::operator()):
        (JSC::GetCallerStrictnessFunctor::callerIsStrict):
        (JSC::callerIsStrict):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        * runtime/VM.h:
        (JSC::VM::shouldBuilderPCToCodeOriginMapping):
        (JSC::VM::bytecodeIntrinsicRegistry):
        (JSC::VM::shadowChicken):
        * tests/stress/resources/shadow-chicken-support.js: Added.
        (describeFunction):
        (describeArray):
        (expectStack):
        (initialize):
        * tests/stress/shadow-chicken-disabled.js: Added.
        (test1.foo):
        (test1.bar):
        (test1.baz):
        (test1):
        (test2.foo):
        (test2.bar):
        (test2.baz):
        (test2):
        (test3.foo):
        (test3.bar):
        (test3.baz):
        (test3):
        * tests/stress/shadow-chicken-enabled.js: Added.
        (test1.foo):
        (test1.bar):
        (test1.baz):
        (test1):
        (test2.foo):
        (test2.bar):
        (test2.baz):
        (test2):
        (test3.bob):
        (test3.thingy):
        (test3.foo):
        (test3.bar):
        (test3.baz):
        (test3):
        (test4.bob):
        (test4.thingy):
        (test4.foo):
        (test4.bar):
        (test4.baz):
        (test4):
        (test5.foo):
        (test5):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator()):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator()):
        (JSC::JSDollarVMPrototype::isValidCell):
        (JSC::JSDollarVMPrototype::isValidCodeBlock):
        (JSC::JSDollarVMPrototype::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator()):
        (JSC::printCallFrame):
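A constructed model of the shadow-stack idea in the entry above (added example, not WebKit's ShadowChicken code): machine frames obey ordinary call/return, a tail call logs a tail packet before the callee's prologue packet, and update() rebuilds a shadow stack that keeps tail-deleted frames until the size budget says otherwise. The class, the logCapacity/maxShadowFrames budgets and the scenario functions are all assumptions of the model, not JSC names.

```javascript
// Constructed model of the ShadowChicken idea (added example, not WebKit code).
// The machine stack obeys ordinary call/return discipline and a tail call replaces the
// caller's frame. A bounded log of prologue/tail packets lets update() rebuild a shadow
// stack that still shows tail-deleted frames, pruning them only when over budget.
class ShadowChickenModel {
  constructor(maxShadowFrames = Infinity, logCapacity = 8) {   // budgets are assumptions
    this.machine = [];        // live frames, bottom -> top; each frame is a unique object
    this.log = [];            // packets not yet consumed by update()
    this.shadow = [];         // entries { frame, tailDeleted }, bottom -> top
    this.maxShadowFrames = maxShadowFrames;
    this.logCapacity = logCapacity;
  }
  ensureLogSpace(n) {         // JSC flushes when the log fills; do it before mutating the stack
    if (this.log.length + n > this.logCapacity) this.update();
  }
  call(name) {                // ordinary call: new machine frame plus a prologue packet
    this.ensureLogSpace(1);
    const frame = { name };
    this.machine.push(frame);
    this.log.push({ kind: 'prologue', frame });
    return frame;
  }
  tailCall(name) {            // proper tail call: the caller's frame is gone before the callee runs
    this.ensureLogSpace(2);   // both packets must land in the same batch
    const deleted = this.machine.pop();
    this.log.push({ kind: 'tail', frame: deleted });
    const frame = { name };
    this.machine.push(frame);
    this.log.push({ kind: 'prologue', frame });
    return frame;
  }
  ret() {                     // returns are not logged; update() notices the frame is gone
    this.machine.pop();
  }
  update() {
    // 1. Fold pending packets into the shadow stack. A tail packet marks the frame it
    //    refers to; the entry stays in place so a backtrace can still show it.
    for (const packet of this.log) {
      if (packet.kind === 'prologue') {
        this.shadow.push({ frame: packet.frame, tailDeleted: false });
      } else {
        const entry = this.shadow.find(e => e.frame === packet.frame);
        if (entry) entry.tailDeleted = true;
      }
    }
    this.log.length = 0;
    // 2. Reconcile with the machine stack, top down: a live frame is kept; a tail-deleted
    //    frame is kept only while the frame that replaced it (the entry above) is kept;
    //    a frame that simply returned is dropped, with the tail-deleted frames under it.
    const live = new Set(this.machine);
    const kept = [];
    let keptAbove = false;
    for (let i = this.shadow.length - 1; i >= 0; i--) {
      const entry = this.shadow[i];
      const keep = live.has(entry.frame) || (entry.tailDeleted && keptAbove);
      if (keep) kept.push(entry);
      keptAbove = keep;
    }
    kept.reverse();
    // 3. Memory policy: only when over budget, delete the oldest tail-deleted frames first.
    while (kept.length > this.maxShadowFrames) {
      const idx = kept.findIndex(e => e.tailDeleted);
      if (idx < 0) break;     // only live frames remain; nothing may be deleted
      kept.splice(idx, 1);
    }
    this.shadow = kept;
  }
  backtrace() {               // what a debugger would show, top frame first
    this.update();
    return this.shadow.slice().reverse()
      .map(e => e.frame.name + (e.tailDeleted ? ' [tail-deleted]' : ''));
  }
}

// Constructed scenario like the strict-mode case in the entry: foo() calls bar()
// normally, bar() tail-calls baz(), and baz() asks for a backtrace.
function scenarioWithTailDeletedFrame(budget) {
  const vm = new ShadowChickenModel(budget);
  vm.call('foo');
  vm.call('bar');
  vm.tailCall('baz');
  const inBaz = vm.backtrace();
  vm.ret();                   // baz returns straight to foo; bar's frame is gone for good
  return { inBaz, afterReturn: vm.backtrace(), machineDepth: vm.machine.length };
}

// Tail-looping grows neither stack: one machine frame, shadow stack capped at the budget.
function tailLoop(iterations, budget) {
  const vm = new ShadowChickenModel(budget);
  vm.call('loop');
  for (let i = 0; i < iterations; i++) vm.tailCall('loop');
  return { machineDepth: vm.machine.length, shadowDepth: vm.backtrace().length };
}
```

With an unlimited budget the backtrace inside baz reads baz, bar [tail-deleted], foo; with a budget of two frames the tail-deleted bar is the first thing pruned, which is the trade-off the entry describes.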

2016-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
        https://bugs.webkit.org/show_bug.cgi?id=155270

        Reviewed by Saam Barati.

        This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.

        It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
        strings gave the DFG an API for reasoning about JSString constants in terms of
        JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
        based on the results.

        But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
        use the same Structure that the code would have used or else we'll pollute the program's
        inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
        properties in one go - we don't want to lose that optimization. So, this patch enables
        MaterializeNewObject to allocate objects or arrays with any number of indexed or named
        properties. Previously it could only handle objects (but not arrays) and named properties
        (but not indexed ones).

        This also adds a few minor things for setting the RegExpConstructor cached result.

        This is about a 2x speed-up on microbenchmarks when we fold a match success and about an
        8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.cpp:
        (JSC::DFG::InsertionSet::insertSlow):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertCheck):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetString):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::StackAccessData::flushedAt):
        (JSC::DFG::OpInfo::OpInfo): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGObjectMaterializationData.cpp:
        (JSC::DFG::ObjectMaterializationData::dump):
        (JSC::DFG::PhantomPropertyValue::dump): Deleted.
        (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
        (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
        * dfg/DFGObjectMaterializationData.h:
        (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
        (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
        * dfg/DFGOpInfo.h: Added.
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
        (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateCPS):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationNewObjectWithButterfly): Deleted.
        * ftl/FTLOperations.h:
        * inspector/ContentSearchUtilities.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::createRawObject):
        (JSC::JSFinalObject::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::deleteCode):
        * runtime/RegExp.h:
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::offsetOfLastRegExp):
        (JSC::RegExpCachedResult::offsetOfLastInput):
        (JSC::RegExpCachedResult::offsetOfResult):
        (JSC::RegExpCachedResult::offsetOfReified):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::offsetOfCachedResult):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::hasCodeFor):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::matchInline):
        (JSC::RegExp::hasMatchOnlyCodeFor):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferencesInline):
        (JSC::substituteBackreferences):
        (JSC::StringRange::StringRange):
        * runtime/StringPrototype.h:
        * runtime/VM.h:
        * tests/stress/simple-regexp-exec-folding-fail.js: Added.
        (foo):
        * tests/stress/simple-regexp-exec-folding.js: Added.
        (foo):
        * tests/stress/simple-regexp-test-folding-fail.js: Added.
        (foo):
        * tests/stress/simple-regexp-test-folding.js: Added.
        (foo):
        * yarr/RegularExpression.cpp:
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::interpret):
        (JSC::Yarr::ByteCompiler::ByteCompiler):
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::checkInput):
        (JSC::Yarr::byteCompile):
        (JSC::Yarr::interpret):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):

2016-04-05  Keith Miller  <keith_miller@apple.com>

        We should support the ability to do a non-effectful getById
        https://bugs.webkit.org/show_bug.cgi?id=156116

        Reviewed by Benjamin Poulain.

        Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
        useful because it enables us to take different code paths based on values that we would
        otherwise not be able to have knowledge of. This patch adds this new feature called
        try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
        an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
        GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
        undefined if the slot is unset.  If the slot is proxied or any other cases then the result
        is null. In theory, if we ever wanted to check for null we could add a sentinel object to
        the global object that indicates we could not get the result.

        In order to implement this feature we add a new enum GetByIdKind that indicates what to do
        for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
        get_by_id the same way we would for load and return the value at the appropriate offset.
        Additionally, in order to make sure that we can properly compare the GetterSetter object
        with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
        GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
        likely to have little to no impact on memory usage as normal accessors are generally rare.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createExecutableInternal): Deleted.
        * builtins/BuiltinExecutables.h:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::tryGet):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet): Deleted.
        (JSC::AccessCase::isPut): Deleted.
        (JSC::AccessCase::isIn): Deleted.
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitTryGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::resetGetByID):
        * jit/Repatch.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetGetterSetter):
        (functionCreateBuiltin):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSType.h:
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::getPureResult):
        * runtime/PropertySlot.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        * tests/stress/try-get-by-id.js: Added.
        (tryGetByIdText):
        (getCaller.obj.1.throw.new.Error.let.func):
        (getCaller.obj.1.throw.new.Error):
        (throw.new.Error.get let):
        (throw.new.Error.):
        (throw.new.Error.let.get createBuiltin):
        (get let):
        (let.get createBuiltin):
        (let.func):
        (get let.func):
        (get throw):
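A constructed JavaScript model of the try_get_by_id result rules listed in the entry above (added example, not JSC's implementation): it walks the prototype chain with property descriptors, never invokes a getter, hands back one stable cell object per accessor slot so results compare with ===, and returns null when a proxy is involved. Script cannot detect a Proxy, so the model tracks proxies it creates through an assumed makeProxy() helper in a WeakSet as a stand-in for the VM's type check; CustomGetterSetter has no script-level equivalent and is not modelled.

```javascript
// Constructed JavaScript model of try_get_by_id (added example, not JSC's implementation).
// Script cannot detect a Proxy, so proxies made through makeProxy() are remembered in a
// WeakSet as a stand-in for the VM's type check. CustomGetterSetter is not modelled.
const knownProxies = new WeakSet();
function makeProxy(target, handler) {
  const p = new Proxy(target, handler);
  knownProxies.add(p);
  return p;
}

// One cell per accessor slot, so two try-gets of the same accessor compare with ===,
// which is the property the entry buys by making GetterSetter a JSObject.
const cells = new WeakMap();              // holder -> Map(name -> { get, set })
function getterSetterCell(holder, name, desc) {
  let perHolder = cells.get(holder);
  if (!perHolder) { perHolder = new Map(); cells.set(holder, perHolder); }
  let cell = perHolder.get(name);
  if (!cell || cell.get !== desc.get || cell.set !== desc.set) {   // slot was redefined
    cell = Object.freeze({ get: desc.get, set: desc.set });
    perHolder.set(name, cell);
  }
  return cell;
}

// Result rules from the entry: value slot -> the value; accessor -> the GetterSetter cell
// (getter not invoked); unset -> undefined; proxy anywhere on the chain -> null.
function tryGetById(obj, name) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (knownProxies.has(o)) return null;          // a trap would be an effect: give up
    const desc = Object.getOwnPropertyDescriptor(o, name);
    if (desc === undefined) continue;              // not here; keep walking the chain
    if ('value' in desc) return desc.value;
    return getterSetterCell(o, name, desc);
  }
  return undefined;
}

// Constructed check: a getter with a visible side effect must not run under tryGetById,
// but does run under an ordinary property read.
function demo() {
  let getterRuns = 0;
  const proto = { get accessor() { getterRuns++; return 'ran'; } };
  const obj = Object.create(proto, { plain: { value: 42, enumerable: true } });
  const first = tryGetById(obj, 'accessor');
  const results = {
    plain: tryGetById(obj, 'plain'),                                  // 42
    accessorIsCell: typeof first.get === 'function',                  // true
    accessorStable: first === tryGetById(obj, 'accessor'),            // true: same cell
    unset: tryGetById(obj, 'missing'),                                // undefined
    proxied: tryGetById(makeProxy({}, {}), 'x'),                      // null
    proxiedProto: tryGetById(Object.create(makeProxy({}, {})), 'x'),  // null
    getterRunsUnderTryGet: getterRuns,                                // 0
  };
  results.normalRead = obj.accessor;                                  // 'ran'
  results.getterRunsAfterNormalRead = getterRuns;                     // 1
  return results;
}
```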

2016-04-05  Saam Barati  <sbarati@apple.com>

        jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
        https://bugs.webkit.org/show_bug.cgi?id=156187

        Reviewed by Filip Pizlo.

        This is a speculative fix. Let's see if this prevents the timeout.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):

2016-04-04  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess should have a MegamorphicLoad case
        https://bugs.webkit.org/show_bug.cgi?id=156182

        Reviewed by Geoffrey Garen and Keith Miller.

        This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
        the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
        calling into C++ to do the same job - particularly since inlining the lookup into an access means
        that we can precompute the hash code.

        When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
        optimal. It used a double-hashing method for reducing collision pathologies. This is great for
        improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
        want to optimize the average-case performance. When optimizing for average-case, we can choose to
        either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
        worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
        probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
        pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
        likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
        the fast case.

        I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
        this preserves the good performance of the fast case. It requires at least one more value to be live
        around the loop, and dramatically increases the register pressure at key points inside the loop. The
        biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
        the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
        then we will pay a steep price anytime we take the second iteration around the loop; but if the
        compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
        some architectures (I performed biological register allocation and found that I needed 9 registers
        for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
        be better off).

        Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
        on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.

        There are some other small changes in this patch, like rationalizing the IC's choice between giving
        up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
        try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
659         choose between those options, but we weren't fully taking advantage of it because the
660         regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
661         sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
662         this is all made explicit. I wanted to make sure this change happened in this patch since the
663         MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
664         this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
665         that the rules for giving up were something that made sense to me.
666         
667         This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
668         speed-up for page loading, because many real websites like to have megamorphic property accesses.
669
670         * bytecode/PolymorphicAccess.cpp:
671         (JSC::AccessGenerationResult::dump):
672         (JSC::AccessGenerationState::addWatchpoint):
673         (JSC::AccessCase::get):
674         (JSC::AccessCase::megamorphicLoad):
675         (JSC::AccessCase::replace):
676         (JSC::AccessCase::guardedByStructureCheck):
677         (JSC::AccessCase::couldStillSucceed):
678         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
679         (JSC::AccessCase::canReplace):
680         (JSC::AccessCase::generateWithGuard):
681         (JSC::AccessCase::generate):
682         (JSC::PolymorphicAccess::PolymorphicAccess):
683         (JSC::PolymorphicAccess::~PolymorphicAccess):
684         (JSC::PolymorphicAccess::regenerateWithCases):
685         (JSC::PolymorphicAccess::regenerateWithCase):
686         (WTF::printInternal):
687         * bytecode/PolymorphicAccess.h:
688         (JSC::AccessCase::isGet):
689         (JSC::AccessCase::isPut):
690         (JSC::AccessCase::isIn):
691         (JSC::AccessGenerationResult::AccessGenerationResult):
692         (JSC::AccessGenerationResult::operator==):
693         (JSC::AccessGenerationResult::operator!=):
694         (JSC::AccessGenerationResult::operator bool):
695         (JSC::AccessGenerationResult::kind):
696         (JSC::AccessGenerationResult::code):
697         (JSC::AccessGenerationResult::madeNoChanges):
698         (JSC::AccessGenerationResult::gaveUp):
699         (JSC::AccessGenerationResult::generatedNewCode):
700         (JSC::PolymorphicAccess::isEmpty):
701         (JSC::AccessGenerationState::AccessGenerationState):
702         * bytecode/StructureStubInfo.cpp:
703         (JSC::StructureStubInfo::aboutToDie):
704         (JSC::StructureStubInfo::addAccessCase):
705         * bytecode/StructureStubInfo.h:
706         * jit/AssemblyHelpers.cpp:
707         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
708         (JSC::AssemblyHelpers::loadProperty):
709         (JSC::emitRandomThunkImpl):
710         (JSC::AssemblyHelpers::emitRandomThunk):
711         (JSC::AssemblyHelpers::emitLoadStructure):
712         * jit/AssemblyHelpers.h:
713         (JSC::AssemblyHelpers::loadValue):
714         (JSC::AssemblyHelpers::moveValueRegs):
715         (JSC::AssemblyHelpers::argumentsStart):
716         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
717         (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
718         * jit/GPRInfo.cpp:
719         (JSC::JSValueRegs::dump):
720         * jit/GPRInfo.h:
721         (JSC::JSValueRegs::uses):
722         * jit/Repatch.cpp:
723         (JSC::replaceWithJump):
724         (JSC::tryCacheGetByID):
725         (JSC::tryCachePutByID):
726         (JSC::tryRepatchIn):
727         * jit/ThunkGenerators.cpp:
728         (JSC::virtualThunkFor):
729         * runtime/Options.h:
730         * runtime/PropertyMapHashTable.h:
731         (JSC::PropertyTable::begin):
732         (JSC::PropertyTable::find):
733         (JSC::PropertyTable::get):
734         * runtime/Structure.h:
735
736 2016-04-05  Antoine Quint  <graouts@apple.com>
737
738         [WebGL2] Turn the ENABLE_WEBGL2 flag on
739         https://bugs.webkit.org/show_bug.cgi?id=156061
740         <rdar://problem/25463193>
741
742         Reviewed by Alex Christensen.
743
744         * Configurations/FeatureDefines.xcconfig:
745         * runtime/CommonIdentifiers.h:
746
747         Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject.
748
749 2016-04-04  Zan Dobersek  <zdobersek@igalia.com>
750
751         Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
752         https://bugs.webkit.org/show_bug.cgi?id=156161
753
754         Reviewed by Yusuke Suzuki.
755
756         r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
757         that handle arguments split into the tag and the payload. The two were split
758         between the last argument register and the stack on 32-bit ARM EABI systems,
759         causing incorrect behavior.
760
761         Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
762         stack, removing the issue.
763
764         * dfg/DFGSpeculativeJIT.h:
765         (JSC::DFG::SpeculativeJIT::callOperation):
766
767 2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>
768
769         Avoid copying ModuleLoaderObject.js to resources bundle
770         https://bugs.webkit.org/show_bug.cgi?id=156188
771         <rdar://problem/25534383>
772
773         Reviewed by Alexey Proskuryakov.
774
775         * JavaScriptCore.xcodeproj/project.pbxproj:
776
777 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
778
779         Unreviewed, rolling out r199016.
780         https://bugs.webkit.org/show_bug.cgi?id=156140
781
782         "Regressed Octane and Kraken on the perf bots."
783
784         Reverted changeset:
785
786         CopiedBlock should be 16kB
787         https://bugs.webkit.org/show_bug.cgi?id=156168
788         http://trac.webkit.org/changeset/199016
789
790 2016-04-04  Benjamin Poulain  <bpoulain@apple.com>
791
792         [JSC][x86] Fix an assertion in MacroAssembler::branch8()
793         https://bugs.webkit.org/show_bug.cgi?id=156181
794
795         Reviewed by Geoffrey Garen.
796
797         * assembler/MacroAssemblerX86Common.h:
798         (JSC::MacroAssemblerX86Common::branch8):
799         The test was wrong because valid negative numbers have ones
800         in the top bits.
801
802         I replaced the assertion to be explicit about the valid range.
803
804 2016-04-04  Chris Dumez  <cdumez@apple.com>
805
806         Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
807         https://bugs.webkit.org/show_bug.cgi?id=156136
808         <rdar://problem/25410767>
809
810         Reviewed by Ryosuke Niwa.
811
812         Add a few more identifiers for using in the generated bindings.
813
814         * runtime/CommonIdentifiers.h:
815
816 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
817
818         CopiedBlock should be 16kB
819         https://bugs.webkit.org/show_bug.cgi?id=156168
820
821         Reviewed by Mark Lam.
822
823         MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
824         and the largest page size on Apple devices is 16kB -- so this change
825         should improve sharing and recycling and keep us on the fast path more.
826
827         32kB is also super aggro. At 16kB, we support allocations up to 8kB,
828         which covers 99.3% of allocations on facebook.com. The 32kB block size
829         only covered an additional 0.2% of allocations.
830
831         * heap/CopiedBlock.h:
832
833 2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>
834
835         REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
836         https://bugs.webkit.org/show_bug.cgi?id=155745
837         <rdar://problem/25289456>
838
839         Reviewed by Brian Burg.
840
841         The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
842         enum_constant_values array for every framework that has enum values. So, in the case of the GTK port we have two
843         implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
844         using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
845         is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
846         the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
847         can use a specific namespace for the enum conversion methods.
848
849         * inspector/agents/InspectorDebuggerAgent.cpp:
850         (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
851         * inspector/scripts/codegen/cpp_generator.py:
852         (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
853         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
854         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
855         CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
856         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
857         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
858         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
859         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
860         (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
861         (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
862         conversion methods are declared inside the helpers namespace.
863         (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
864         using getEnumConstantValue().
865         (_generate_unchecked_setter_for_member): Ditto.
866         (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
867         empty list in case of not emitting any code. The caller will use extend() that has no effect when an empty list
868         is passed.
869         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
870         (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
871         mapping and conversion methods inside the helpers namespace.
872         (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
873         can return an empty list in case of not emitting any code.
874         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
875         code when there are enum values, and it's generated inside the helpers namespace.
876         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
877         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
878         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
879         * inspector/scripts/tests/expected/enum-values.json-result:
880         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
881         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
882         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
883         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
884         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
885         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
886         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
887         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
888         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
889
890 2016-04-04  Csaba Osztrogonác  <ossy@webkit.org>
891
892         Unreviewed ARM buildfix after r198981.
893
894         * assembler/MacroAssemblerARM.h:
895         (JSC::MacroAssemblerARM::roundTowardZeroDouble):
896
897 2016-04-03  Saam barati  <sbarati@apple.com>
898
899         Implement Annex B.3.3 function hoisting rules for function code
900         https://bugs.webkit.org/show_bug.cgi?id=155672
901
902         Reviewed by Geoffrey Garen.
903
904         The spec states that functions declared inside a function
905         inside a block scope are subject to the rules of Annex B.3.3:
906         https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics
907
908         The rule states that functions declared in such blocks should
909         be local bindings of the block. If declaring the function's name
910         as a "var" in the function would not lead to a syntax error (i.e.,
911         if we don't have a let/const/class variable with the same name)
912         and if we don't have a parameter with the same name, then we
913         implicitly also declare the function name as a "var". When evaluating
914         the block statement we bind the hoisted "var" to be the value
915         of the local function binding.
916
917         There is one more thing we do for web compatibility. We allow
918         function declarations inside if/else statements that aren't
919         blocks. For such statements, we transform the code as if the
920         function were declared inside a block statement. For example:
921         ``` function foo() { if (cond) function baz() { } }```
922         is transformed into:
923         ``` function foo() { if (cond) { function baz() { } } }```
924
925         * bytecompiler/BytecodeGenerator.cpp:
926         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
927         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
928         * bytecompiler/BytecodeGenerator.h:
929         * parser/Nodes.cpp:
930         (JSC::ScopeNode::ScopeNode):
931         (JSC::ProgramNode::ProgramNode):
932         (JSC::ModuleProgramNode::ModuleProgramNode):
933         (JSC::EvalNode::EvalNode):
934         (JSC::FunctionNode::FunctionNode):
935         * parser/Nodes.h:
936         (JSC::ScopeNode::hasCapturedVariables):
937         (JSC::ScopeNode::captures):
938         (JSC::ScopeNode::hasSloppyModeHoistedFunction):
939         (JSC::ScopeNode::varDeclarations):
940         (JSC::ProgramNode::startColumn):
941         (JSC::ProgramNode::endColumn):
942         (JSC::EvalNode::startColumn):
943         (JSC::EvalNode::endColumn):
944         (JSC::ModuleProgramNode::startColumn):
945         (JSC::ModuleProgramNode::endColumn):
946         * parser/Parser.cpp:
947         (JSC::Parser<LexerType>::Parser):
948         (JSC::Parser<LexerType>::parseInner):
949         (JSC::Parser<LexerType>::didFinishParsing):
950         (JSC::Parser<LexerType>::parseStatement):
951         (JSC::Parser<LexerType>::parseIfStatement):
952         * parser/Parser.h:
953         (JSC::Scope::declareVariable):
954         (JSC::Scope::declareFunction):
955         (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
956         (JSC::Scope::appendFunction):
957         (JSC::Scope::declareParameter):
958         (JSC::Scope::mergeInnerArrowFunctionFeatures):
959         (JSC::Scope::getSloppyModeHoistedFunctions):
960         (JSC::Scope::getCapturedVars):
961         (JSC::ScopeRef::containingScope):
962         (JSC::ScopeRef::operator==):
963         (JSC::ScopeRef::operator!=):
964         (JSC::Parser::declareFunction):
965         (JSC::Parser::hasDeclaredVariable):
966         (JSC::Parser::isFunctionMetadataNode):
967         (JSC::Parser::DepthManager::DepthManager):
968         (JSC::Parser<LexerType>::parse):
969         * parser/VariableEnvironment.h:
970         (JSC::VariableEnvironmentEntry::isImported):
971         (JSC::VariableEnvironmentEntry::isImportedNamespace):
972         (JSC::VariableEnvironmentEntry::isFunction):
973         (JSC::VariableEnvironmentEntry::isParameter):
974         (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
975         (JSC::VariableEnvironmentEntry::setIsCaptured):
976         (JSC::VariableEnvironmentEntry::setIsConst):
977         (JSC::VariableEnvironmentEntry::setIsImported):
978         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
979         (JSC::VariableEnvironmentEntry::setIsFunction):
980         (JSC::VariableEnvironmentEntry::setIsParameter):
981         (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
982         (JSC::VariableEnvironmentEntry::clearIsVar):
983         * runtime/CodeCache.h:
984         (JSC::SourceCodeValue::SourceCodeValue):
985         * runtime/JSScope.cpp:
986         * runtime/JSScope.h:
987         * tests/es6.yaml:
988         * tests/stress/sloppy-mode-function-hoisting.js: Added.
989         (assert):
990         (test):
991         (falsey):
992         (truthy):
993         (test.):
994         (test.a):
995         (test.f):
996         (test.let.funcs.f):
997         (test.catch.f):
998         (test.foo):
999         (test.bar):
1000         (test.switch.case.0):
1001         (test.else.f):
1002         (test.b):
1003         (test.c):
1004         (test.d):
1005         (test.e):
1006         (test.g):
1007         (test.h):
1008         (test.i):
1009         (test.j):
1010         (test.k):
1011         (test.l):
1012         (test.m):
1013         (test.n):
1014         (test.o):
1015         (test.p):
1016         (test.q):
1017         (test.r):
1018         (test.s):
1019         (test.t):
1020         (test.u):
1021         (test.v):
1022         (test.w):
1023         (test.x):
1024         (test.y):
1025         (test.z):
1026         (foo):
1027         (bar):
1028         (falsey.bar):
1029         (baz):
1030         (falsey.baz):
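
The hoisting rules described in this entry, as an added example that is not part of the WebKit change (the helper names are mine). Each case is compiled with new Function so it is parsed as sloppy-mode code regardless of the mode this file runs in, because Annex B.3.3 never applies to strict-mode code.

```javascript
// Added example, not WebKit code: exercises the Annex B.3.3 rules described
// in the entry above. new Function always yields a sloppy-mode function
// unless the body itself carries a "use strict" directive.
const sloppy = (body) => new Function(body);

// (1) A function declared in a block is also hoisted as a "var" of the
// enclosing function: the var exists (typeof "undefined") before the block
// runs and receives the block-local function once the declaration is evaluated.
const hoistedAsVar = sloppy(`
  var seen = [typeof f];           // "undefined": the hoisted var is not yet assigned
  {
    seen.push(typeof f);           // "function": the block binding is live on block entry
    function f() { return 1; }
  }
  seen.push(typeof f, f());        // "function", 1: the var now holds the function
  return seen;
`);

// (2) No hoisting when "var f" would be an early error, i.e. a let/const/class
// named f already exists in the function body.
const blockedByLet = sloppy(`
  let f = "let";
  { function f() {} }
  return typeof f;                 // "string"
`);

// (3) No hoisting when the name is already a parameter of the function.
const blockedByParam = sloppy(`
  return function (f) {
    { function f() {} }
    return typeof f;               // the parameter is left untouched
  };
`)();

// (4) A declaration directly in an if/else clause (no braces) is treated as if
// it were wrapped in a block, so it follows the same rule as case (1).
const ifClause = sloppy(`
  return function (cond) {
    if (cond) function baz() {}
    return typeof baz;             // "function" if the clause ran, else "undefined"
  };
`)();

// (5) Strict-mode contrast: the block binding never leaks out of the block.
const strictBlock = sloppy(`
  "use strict";
  { function f() {} }
  return typeof f;                 // "undefined"
`);

function runAnnexBCases() {
  return {
    hoisted: hoistedAsVar(),            // ["undefined", "function", "function", 1]
    blockedByLet: blockedByLet(),       // "string"
    blockedByParam: blockedByParam(42), // "number"
    ifTrue: ifClause(true),             // "function"
    ifFalse: ifClause(false),           // "undefined"
    strict: strictBlock(),              // "undefined"
  };
}

console.log(runAnnexBCases());
```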
1031
1032 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1033
1034         Unreviewed, turn ES6 for-in loop test success
1035         https://bugs.webkit.org/show_bug.cgi?id=155451
1036
1037         * tests/es6.yaml:
1038
1039 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1040
1041         [JSC] Add truncate operation (rounding to zero)
1042         https://bugs.webkit.org/show_bug.cgi?id=156072
1043
1044         Reviewed by Saam Barati.
1045
1046         Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
1047         In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
1048         ArithTrunc rounds the value towards zero.
1049
1050         And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
1051         This is exactly the same as what we do in JSValue::toInteger.
1052
1053         Since DFG recognizes it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
1054         This is useful because almost all the arguments are Int32 in the @toLength -> @toInteger -> @trunc case.
1055         In such cases, we can eliminate the trunc() call.
1056
1057         As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
1058         In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.
1059
1060         * assembler/MacroAssemblerARM64.h:
1061         (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
1062         (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
1063         * assembler/MacroAssemblerARMv7.h:
1064         (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
1065         * assembler/MacroAssemblerMIPS.h:
1066         (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
1067         * assembler/MacroAssemblerSH4.h:
1068         (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
1069         * assembler/MacroAssemblerX86Common.h:
1070         (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
1071         (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
1072         * builtins/GlobalObject.js:
1073         (toInteger):
1074         * dfg/DFGAbstractInterpreterInlines.h:
1075         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1076         * dfg/DFGByteCodeParser.cpp:
1077         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1078         * dfg/DFGClobberize.h:
1079         (JSC::DFG::clobberize):
1080         * dfg/DFGDoesGC.cpp:
1081         (JSC::DFG::doesGC):
1082         * dfg/DFGFixupPhase.cpp:
1083         (JSC::DFG::FixupPhase::fixupNode):
1084         * dfg/DFGGraph.h:
1085         (JSC::DFG::Graph::roundShouldSpeculateInt32):
1086         * dfg/DFGNode.h:
1087         (JSC::DFG::Node::arithNodeFlags):
1088         (JSC::DFG::Node::hasHeapPrediction):
1089         (JSC::DFG::Node::hasArithRoundingMode):
1090         * dfg/DFGNodeType.h:
1091         * dfg/DFGPredictionPropagationPhase.cpp:
1092         (JSC::DFG::PredictionPropagationPhase::propagate):
1093         * dfg/DFGSafeToExecute.h:
1094         (JSC::DFG::safeToExecute):
1095         * dfg/DFGSpeculativeJIT.cpp:
1096         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1097         * dfg/DFGSpeculativeJIT.h:
1098         * dfg/DFGSpeculativeJIT32_64.cpp:
1099         (JSC::DFG::SpeculativeJIT::compile):
1100         * dfg/DFGSpeculativeJIT64.cpp:
1101         (JSC::DFG::SpeculativeJIT::compile):
1102         * ftl/FTLCapabilities.cpp:
1103         (JSC::FTL::canCompile):
1104         * ftl/FTLLowerDFGToB3.cpp:
1105         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1106         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
1107         * ftl/FTLOutput.cpp:
1108         (JSC::FTL::Output::doubleTrunc):
1109         * ftl/FTLOutput.h:
1110         * jit/ThunkGenerators.cpp:
1111         (JSC::truncThunkGenerator):
1112         * jit/ThunkGenerators.h:
1113         * runtime/CommonIdentifiers.h:
1114         * runtime/Intrinsic.h:
1115         * runtime/JSGlobalObject.cpp:
1116         (JSC::JSGlobalObject::init):
1117         * runtime/MathObject.cpp:
1118         (JSC::MathObject::finishCreation):
1119         * runtime/MathObject.h:
1120         * runtime/VM.cpp:
1121         (JSC::thunkGeneratorForIntrinsic):
1122         * tests/stress/math-rounding-infinity.js:
1123         (testTrunc):
1124         * tests/stress/math-rounding-nan.js:
1125         (testTrunc):
1126         * tests/stress/math-rounding-negative-zero.js:
1127         (testTrunc):
1128         * tests/stress/math-trunc-arith-rounding-mode.js: Added.
1129         (firstCareAboutZeroSecondDoesNot):
1130         (firstDoNotCareAboutZeroSecondDoes):
1131         (warmup):
1132         (verifyNegativeZeroIsPreserved):
1133         * tests/stress/math-trunc-basics.js: Added.
1134         (mathTruncOnIntegers):
1135         (mathTruncOnDoubles):
1136         (mathTruncOnBooleans):
1137         (uselessMathTrunc):
1138         (mathTruncWithOverflow):
1139         (mathTruncConsumedAsDouble):
1140         (mathTruncDoesNotCareAboutMinusZero):
1141         (mathTruncNoArguments):
1142         (mathTruncTooManyArguments):
1143         (testMathTruncOnConstants):
1144         (mathTruncStructTransition):
1145         (Math.trunc):
1146         * tests/stress/math-trunc-should-be-truncate.js: Added.
1147         (mathTrunc):
1148
1149 2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>
1150
1151         [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
1152         https://bugs.webkit.org/show_bug.cgi?id=155545
1153
1154         Reviewed by Saam Barati.
1155
1156         The current patch allows invoking new.target in eval if this eval is executed within a function;
1157         otherwise this will lead to a SyntaxError.
1158
1159         * bytecode/EvalCodeCache.h:
1160         (JSC::EvalCodeCache::getSlow):
1161         * bytecode/ExecutableInfo.h:
1162         (JSC::ExecutableInfo::ExecutableInfo):
1163         (JSC::ExecutableInfo::evalContextType):
1164         * bytecode/UnlinkedCodeBlock.cpp:
1165         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1166         * bytecode/UnlinkedCodeBlock.h:
1167         (JSC::UnlinkedCodeBlock::evalContextType):
1168         * bytecode/UnlinkedFunctionExecutable.cpp:
1169         (JSC::generateUnlinkedFunctionCodeBlock):
1170         * debugger/DebuggerCallFrame.cpp:
1171         (JSC::DebuggerCallFrame::evaluate):
1172         * interpreter/Interpreter.cpp:
1173         (JSC::eval):
1174         * parser/Parser.cpp:
1175         (JSC::Parser<LexerType>::Parser):
1176         (JSC::Parser<LexerType>::parseMemberExpression):
1177         * parser/Parser.h:
1178         (JSC::Scope::Scope):
1179         (JSC::Scope::setEvalContextType):
1180         (JSC::Scope::evalContextType):
1181         (JSC::parse):
1182         * runtime/CodeCache.cpp:
1183         (JSC::CodeCache::getGlobalCodeBlock):
1184         (JSC::CodeCache::getProgramCodeBlock):
1185         (JSC::CodeCache::getEvalCodeBlock):
1186         (JSC::CodeCache::getModuleProgramCodeBlock):
1187         * runtime/CodeCache.h:
1188         * runtime/Executable.cpp:
1189         (JSC::ScriptExecutable::ScriptExecutable):
1190         (JSC::EvalExecutable::create):
1191         (JSC::EvalExecutable::EvalExecutable):
1192         (JSC::ProgramExecutable::ProgramExecutable):
1193         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1194         (JSC::FunctionExecutable::FunctionExecutable):
1195         * runtime/Executable.h:
1196         (JSC::ScriptExecutable::evalContextType):
1197         * runtime/JSGlobalObject.cpp:
1198         (JSC::JSGlobalObject::createEvalCodeBlock):
1199         * runtime/JSGlobalObjectFunctions.cpp:
1200         (JSC::globalFuncEval):
1201         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1202         * tests/stress/new-target.js:
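
The rule this entry states, as an added example that is not part of the WebKit change (Ctor and newTargetInEval are my own names): a direct eval inside a function can read new.target, while eval code evaluated outside any function fails with a SyntaxError.

```javascript
// Added example, not WebKit code.
function Ctor() {
  // A direct eval inside a function sees that function's own new.target:
  // the constructor when invoked with `new`, undefined on a plain call.
  return eval("new.target");
}

function newTargetInEval() {
  const result = {
    // A constructor that returns an object replaces the freshly created
    // object, so `new Ctor()` hands back Ctor itself here.
    viaNew: new Ctor() === Ctor,
    plainCall: Ctor() === undefined,
  };
  try {
    // Indirect eval runs as global code, outside any function, so the
    // reference to new.target is rejected while the eval source is parsed.
    (0, eval)("new.target");
    result.globalEval = "evaluated";
  } catch (e) {
    result.globalEval = e.name;      // "SyntaxError"
  }
  return result;
}

console.log(newTargetInEval());
```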
1203
1204 2016-04-02  Commit Queue  <commit-queue@webkit.org>
1205
1206         Unreviewed, rolling out r198976.
1207         https://bugs.webkit.org/show_bug.cgi?id=156140
1208
1209         "Causes js/regress/array-nonarray-polymorhpic-access.html to
1210         crash." (Requested by ddkilzer on #webkit).
1211
1212         Reverted changeset:
1213
1214         "[JSC] Initialize SSA's live values at tail lazily"
1215         https://bugs.webkit.org/show_bug.cgi?id=156126
1216         http://trac.webkit.org/changeset/198976
1217
1218 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
1219
1220         [JSC] Initialize SSA's live values at tail lazily
1221         https://bugs.webkit.org/show_bug.cgi?id=156126
1222
1223         Reviewed by Mark Lam.
1224
1225         Setting up the clean state early looks harmless but it is
1226         actually quite expensive.
1227
1228         The problem is that AbstractValue is gigantic; you really want
1229         to minimize how much you touch that memory.
1230
1231         By removing the initialization, most blocks only
1232         get 2 or 3 accesses: once to set up the value, and a few
1233         queries for merging the current block with the successors.
1234
1235         * dfg/DFGInPlaceAbstractState.cpp:
1236         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1237         (JSC::DFG::setLiveValues): Deleted.
1238         (JSC::DFG::InPlaceAbstractState::initialize): Deleted.
1239
1240 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
1241
1242         [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
1243         https://bugs.webkit.org/show_bug.cgi?id=156127
1244
1245         Reviewed by Mark Lam.
1246
1247         The profiler runs out of memory on big programs if you dump
1248         the baseline disassembly.
1249
1250         * jit/JIT.cpp:
1251         (JSC::JIT::privateCompile):
1252         * runtime/Options.h:
1253
1254 2016-04-02  Dan Bernstein  <mitz@apple.com>
1255
1256         jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
1257         https://bugs.webkit.org/show_bug.cgi?id=156134
1258         <rdar://problem/25443824>
1259
1260         Reviewed by Mark Lam.
1261
1262         * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
1263           relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
1264           to the directory containing JavaScript.framework, and add
1265           WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.
1266
1267 2016-04-01  Benjamin Poulain  <bpoulain@apple.com>
1268
1269         [JSC][x86] Add the 3-operand form of floating point subtraction
1270         https://bugs.webkit.org/show_bug.cgi?id=156095
1271
1272         Reviewed by Geoffrey Garen.
1273
1274         Same old, same old. Add the AVX form of subsd and subss.
1275
1276         Unfortunately, we cannot benefit from the 3 register form
1277         in B3 yet because the Air script does not support CPU flags yet.
1278         That can be fixed later.
1279
1280         * assembler/MacroAssemblerX86Common.h:
1281         (JSC::MacroAssemblerX86Common::subDouble):
1282         (JSC::MacroAssemblerX86Common::subFloat):
1283         * assembler/X86Assembler.h:
1284         (JSC::X86Assembler::vsubsd_rr):
1285         (JSC::X86Assembler::subsd_mr):
1286         (JSC::X86Assembler::vsubsd_mr):
1287         (JSC::X86Assembler::vsubss_rr):
1288         (JSC::X86Assembler::subss_mr):
1289         (JSC::X86Assembler::vsubss_mr):
1290         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1291         * b3/air/AirOpcode.opcodes:
1292
1293 2016-04-01  Alberto Garcia  <berto@igalia.com>
1294
1295         [JSC] Missing PATH_MAX definition
1296         https://bugs.webkit.org/show_bug.cgi?id=156102
1297
1298         Reviewed by Yusuke Suzuki.
1299
1300         Not all systems define PATH_MAX, so add a fallback value that is
1301         long enough.
1302
1303         * jsc.cpp:
1304
1305 2016-03-31  Benjamin Poulain  <bpoulain@apple.com>
1306
1307         [JSC] CFA's valuesAtHead should be a list, not a map
1308         https://bugs.webkit.org/show_bug.cgi?id=156087
1309
1310         Reviewed by Mark Lam.
1311
1312         One more step toward moving to the Air-style of liveness analysis:
1313
1314         Make DFG's valuesAtHead a list of Node*-AbstractValue.
1315         This patch alone is already a speedup because our many CFAs
1316         spend an unreasonable amount of time updating at block boundaries.
1317
1318         * dfg/DFGBasicBlock.h:
1319         * dfg/DFGCFAPhase.cpp:
1320         (JSC::DFG::CFAPhase::performBlockCFA):
1321         * dfg/DFGGraph.cpp:
1322         (JSC::DFG::Graph::dump):
1323         * dfg/DFGInPlaceAbstractState.cpp:
1324         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1325         (JSC::DFG::setLiveValues):
1326         (JSC::DFG::InPlaceAbstractState::merge):
1327         * dfg/DFGNode.h:
1328         (JSC::DFG::nodeValuePairComparator):
1329         (JSC::DFG::nodeValuePairListDump):
1330
1331 2016-03-31  Saam barati  <sbarati@apple.com>
1332
1333         Revert rewrite const as var workaround
1334         https://bugs.webkit.org/show_bug.cgi?id=155393
1335
1336         Reviewed by Mark Lam.
1337
1338         * parser/Parser.h:
1339         (JSC::Parser::next):
1340         (JSC::Parser::nextExpectIdentifier):
1341         * runtime/VM.h:
1342         (JSC::VM::setShouldRewriteConstAsVar): Deleted.
1343         (JSC::VM::shouldRewriteConstAsVar): Deleted.
1344
1345 2016-03-31  Saam barati  <sbarati@apple.com>
1346
1347         [ES6] Disallow var assignments in for-in loops
1348         https://bugs.webkit.org/show_bug.cgi?id=155451
1349
1350         Reviewed by Mark Lam.
1351
1352         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
1353         because last time we made this change it broke some websites. Let's try making
1354         it again because it's what ES6 mandates. If it still breaks things we will
1355         roll it out.
1356
1357         * parser/Parser.cpp:
1358         (JSC::Parser<LexerType>::parseForStatement):
1359
1360 2016-03-31  Saam barati  <sbarati@apple.com>
1361
1362         parsing arrow function expressions slows down the parser by 8%; let's recoup some loss
1363         https://bugs.webkit.org/show_bug.cgi?id=155988
1364
1365         Reviewed by Benjamin Poulain.
1366
1367         We used to eagerly check if we're parsing an arrow function.
1368         We did this inside parseAssignmentExpression(), and it was
1369         very costly. The reason it was costly is that arrow functions
1370         might start with an identifier. This means anytime we saw an
1371         identifier we would have to do a lookahead, and then most likely
1372         backtrack because more often than not, we wouldn't see "=>"
1373         as the next token.
1374
1375         In this patch I implement a new approach. We just parse
1376         the lhs of an assignment expression eagerly without doing any
1377         lookahead. Retroactively, if we see that we might have started
1378         with an arrow function, and we don't have a valid lhs or the
1379         next token is a "=>", we try to parse as an arrow function.
1380
1381         Here are a few examples motivating why this is valid:
1382
1383         `x => x`
1384         In this example:
1385         - "x" is a valid arrow function starting point.
1386         - "x" also happens to be a valid lhs
1387         - because we see "=>" as the next token, we parse as an arrow function and succeed.
1388
1389         `(x) => x`
1390         In this example:
1391         - "(" is a valid arrow function starting point.
1392         - "(x)" also happens to be a valid lhs
1393         - because we see "=>" as the next token, we parse as an arrow function and succeed.
1394
1395         `({x = 30}) => x;`
1396         In this example:
1397         - "(" is a valid arrow function starting point.
1398         - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.
1399
1400         There is one interesting implementation detail where we might
1401         parse something that is both a valid LHS but happens
1402         to actually be the arrow function parameters. The valid LHS
1403         parsing might declare such variables as "uses" which would cause 
1404         weird capture analysis. This patch also introduces a mechanism
1405         to backtrack on used variable analysis.
1406
1407         This is a 3.5%-4.5% octane code load speedup.
1408
1409         * parser/Lexer.h:
1410         (JSC::Lexer::sawError):
1411         (JSC::Lexer::setSawError):
1412         (JSC::Lexer::getErrorMessage):
1413         (JSC::Lexer::setErrorMessage):
1414         (JSC::Lexer::sourceURL):
1415         (JSC::Lexer::sourceMappingURL):
1416         * parser/Parser.cpp:
1417         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1418         (JSC::Parser<LexerType>::parseAssignmentExpression):
1419         (JSC::Parser<LexerType>::parsePrimaryExpression):
1420         * parser/Parser.h:
1421         (JSC::Scope::Scope):
1422         (JSC::Scope::startSwitch):
1423         (JSC::Scope::declareParameter):
1424         (JSC::Scope::usedVariablesContains):
1425         (JSC::Scope::useVariable):
1426         (JSC::Scope::pushUsedVariableSet):
1427         (JSC::Scope::currentUsedVariablesSize):
1428         (JSC::Scope::revertToPreviousUsedVariables):
1429         (JSC::Scope::setNeedsFullActivation):
1430         (JSC::Scope::needsFullActivation):
1431         (JSC::Scope::isArrowFunctionBoundary):
1432         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1433         (JSC::Scope::collectFreeVariables):
1434         (JSC::Scope::fillParametersForSourceProviderCache):
1435         (JSC::Scope::restoreFromSourceProviderCache):
1436         (JSC::Scope::setIsModule):
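
        The strategy described in this entry, as an added illustration that is not part of the
        ChangeLog and not JSC's Parser.cpp: a toy parser over identifiers, numbers, parentheses,
        one-property object patterns, "=" and "=>". It parses the left-hand side eagerly with no
        lookahead, reinterprets it as arrow function parameters only when the LHS is invalid or
        "=>" follows, and truncates the used-variable list back to a savepoint when that happens,
        so parameter names do not leak into capture analysis. All names (tokenize, Parser,
        tryParseLeftHandSide, usedStack, parse) are assumptions of this example.

```javascript
// Constructed toy parser: eager LHS parse, retroactive arrow reinterpretation,
// and revert of used-variable analysis. Not JSC's Parser.cpp.
const TOKEN_RE = /\s*(?:(=>)|([A-Za-z_$][\w$]*)|(\d+)|([(){},=]))/y;

function tokenize(src) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  src = src.trim();
  while (TOKEN_RE.lastIndex < src.length) {
    const m = TOKEN_RE.exec(src);
    if (!m) throw new SyntaxError('Unexpected character');
    if (m[1]) tokens.push({ type: 'arrow', value: '=>' });
    else if (m[2]) tokens.push({ type: 'ident', value: m[2] });
    else if (m[3]) tokens.push({ type: 'number', value: Number(m[3]) });
    else tokens.push({ type: 'punct', value: m[4] });
  }
  return [...tokens, { type: 'eof', value: '<eof>' }];
}

class Parser {
  constructor(src) {
    this.tokens = tokenize(src);
    this.pos = 0;
    this.usedStack = [[]]; // one list of used variable names per scope
  }
  peek() { return this.tokens[this.pos]; }
  next() { return this.tokens[this.pos++]; }
  expect(v) { const t = this.next(); if (t.value !== v) throw new SyntaxError(`Expected ${v}, got ${t.value}`); }
  useVariable(name) { this.usedStack[this.usedStack.length - 1].push(name); }
  currentUsedVariablesSize() { return this.usedStack[this.usedStack.length - 1].length; }
  // Reverting is a truncation: uses recorded after the savepoint are dropped.
  revertToPreviousUsedVariables(size) { this.usedStack[this.usedStack.length - 1].length = size; }

  parseAssignmentExpression() { // no lookahead: parse a LHS first, decide afterwards
    const start = this.pos, usedBefore = this.currentUsedVariablesSize(), tok = this.peek();
    const couldBeArrow = tok.type === 'ident' || tok.value === '('; // valid arrow starting points
    const lhs = this.tryParseLeftHandSide(); // null when this is not a valid LHS
    if (couldBeArrow && (lhs === null || this.peek().type === 'arrow')) {
      this.pos = start;
      this.revertToPreviousUsedVariables(usedBefore); // those "uses" were really parameter names
      return this.parseArrowFunction();
    }
    if (lhs === null) throw new SyntaxError(`Unexpected token ${tok.value}`);
    if (this.peek().value !== '=') return lhs;
    this.next();
    return { type: 'Assign', target: lhs, value: this.parseAssignmentExpression() };
  }
  tryParseLeftHandSide() {
    const start = this.pos, usedBefore = this.currentUsedVariablesSize();
    try { return this.parsePrimary(); } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
      this.pos = start; this.revertToPreviousUsedVariables(usedBefore); return null;
    }
  }
  parsePrimary() {
    const tok = this.next();
    if (tok.type === 'ident') { this.useVariable(tok.value); return { type: 'Identifier', name: tok.value }; }
    if (tok.type === 'number') return { type: 'Number', value: tok.value };
    if (tok.value !== '(') throw new SyntaxError(`Unexpected token ${tok.value}`);
    const expr = this.parseAssignmentExpression();
    this.expect(')');
    return { type: 'Paren', expr };
  }
  parseParameter() { // ident ['=' default] | '{' ident ['=' default] '}'
    const isPattern = this.peek().value === '{';
    if (isPattern) this.next();
    const tok = this.next();
    if (tok.type !== 'ident') throw new SyntaxError(`Bad parameter ${tok.value}`);
    let defaultValue = null;
    if (this.peek().value === '=') { this.next(); defaultValue = this.parseAssignmentExpression(); }
    if (isPattern) this.expect('}');
    return { name: tok.value, isPattern, defaultValue };
  }
  parseArrowFunction() {
    const params = [];
    if (this.peek().type === 'ident') params.push(this.parseParameter());
    else {
      this.expect('(');
      while (this.peek().value !== ')') { params.push(this.parseParameter()); if (this.peek().value === ',') this.next(); }
      this.expect(')');
    }
    if (this.next().type !== 'arrow') throw new SyntaxError('Expected =>');
    this.usedStack.push([]); // the body is its own scope
    const body = this.parseAssignmentExpression();
    const names = new Set(params.map((p) => p.name));
    const freeVariables = [...new Set(this.usedStack.pop().filter((n) => !names.has(n)))];
    freeVariables.forEach((n) => this.useVariable(n)); // captures propagate to the enclosing scope
    return { type: 'ArrowFunction', params, body, freeVariables };
  }
}

function parse(src) {
  const parser = new Parser(src), ast = parser.parseAssignmentExpression();
  if (parser.peek().type !== 'eof') throw new SyntaxError(`Unexpected token ${parser.peek().value}`);
  return { ast, usedVariables: parser.usedStack[0] };
}
```

        Running parse on the three examples from the entry gives an ArrowFunction each time; for
        "(x) => y" the outer scope ends up with only "y" as a use, because the "x" recorded while
        "(x)" was parsed as a LHS is truncated away before the parameters are parsed.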
1437
1438 2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1439
1440         Fails to build in Linux / PowerPC due to different ucontext_t definition
1441         https://bugs.webkit.org/show_bug.cgi?id=156015
1442
1443         Reviewed by Michael Catanzaro.
1444
1445         PPC does not have mcontext_t in ucontext_t::uc_mcontext.
1446         So we take a special path to retrieve mcontext_t on PPC.
1447
1448         * heap/MachineStackMarker.cpp:
1449         (pthreadSignalHandlerSuspendResume):
1450
1451 2016-03-31  Benjamin Poulain  <benjamin@webkit.org>
1452
1453         [JSC][x86] Add the indexed forms of floating point addition and multiplication
1454         https://bugs.webkit.org/show_bug.cgi?id=156058
1455
1456         Reviewed by Geoffrey Garen.
1457
1458         B3 supports lowering [base, index] addresses into
1459         arbitrary instructions but we were not using that feature.
1460
1461         This patch adds the missing support for the lowering
1462         of Add and Mul.
1463
1464         * assembler/MacroAssemblerX86Common.h:
1465         (JSC::MacroAssemblerX86Common::addDouble):
1466         (JSC::MacroAssemblerX86Common::addFloat):
1467         (JSC::MacroAssemblerX86Common::mulDouble):
1468         (JSC::MacroAssemblerX86Common::mulFloat):
1469         * assembler/X86Assembler.h:
1470         (JSC::X86Assembler::addsd_mr):
1471         (JSC::X86Assembler::vaddsd_mr):
1472         (JSC::X86Assembler::addss_mr):
1473         (JSC::X86Assembler::vaddss_mr):
1474         (JSC::X86Assembler::mulsd_mr):
1475         (JSC::X86Assembler::vmulsd_mr):
1476         (JSC::X86Assembler::mulss_mr):
1477         (JSC::X86Assembler::vmulss_mr):
1478         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1479         * b3/B3LowerToAir.cpp:
1480         (JSC::B3::Air::LowerToAir::appendBinOp):
1481         Unlike the Addr form, we never need to transform a Tmp
1482         into an Index for spilling.
1483
1484         Instead of duplicating all the code in MacroAssembler, I can
1485         just have the lowering phase try using addresses for the first
1486         argument when possible.
1487
1488         * b3/air/AirOpcode.opcodes:
1489         * b3/air/testair.cpp:
1490         (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
1491         (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
1492         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
1493         (JSC::B3::Air::run):
1494
1495 2016-03-31  Saam barati  <sbarati@apple.com>
1496
1497         DFG JIT bug in typeof constant folding where the input to typeof is an object or function
1498         https://bugs.webkit.org/show_bug.cgi?id=156034
1499         <rdar://problem/25446785>
1500
1501         Reviewed by Ryosuke Niwa.
1502
1503         AI would constant fold TypeOf to the string "object" if it saw that
1504         its input type didn't expand past the types contained in the set 
1505         "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
1506         And typeof of a function should return "function". This patch fixes
1507         this bug by making sure we constant fold to object iff the type
1508         doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
1509
1510         * dfg/DFGAbstractInterpreterInlines.h:
1511         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1512         * tests/stress/typeof-dfg-function-or-object.js: Added.
1513         (assert):
1514         (foo.else.o):
1515         (foo):
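
        The folding rule from this entry, as an added model that is not part of the ChangeLog or
        of DFGAbstractInterpreterInlines.h. The Spec* bit flags below are constructed for the
        example (JSC's SpeculatedType values differ); the point is the subset test: a TypeOf node
        may only be folded to a constant when every type the input could still have yields that
        same typeof result, and before the fix the "object" set wrongly kept SpecFunction inside it.
        foldTypeOfBefore, foldTypeOfAfter, isSubset and disagreements are names invented here.

```javascript
// Constructed model of the TypeOf constant-folding rule; flag values are made up.
const SpecFunction    = 1 << 0;
const SpecObjectOther = 1 << 1; // objects whose typeof is not guaranteed to be "object"
const SpecFinalObject = 1 << 2;
const SpecArray       = 1 << 3;
const SpecObject      = SpecFunction | SpecObjectOther | SpecFinalObject | SpecArray;
const SpecString      = 1 << 4;
const SpecInt32       = 1 << 5;

// A non-empty type set folds only if it lies entirely inside `set`.
const isSubset = (type, set) => type !== 0 && (type & ~set) === 0;

// Before the fix: anything inside "SpecObject - SpecObjectOther" became "object",
// which still includes SpecFunction.
function foldTypeOfBefore(type) {
  if (isSubset(type, SpecObject & ~SpecObjectOther)) return 'object';
  if (isSubset(type, SpecString)) return 'string';
  if (isSubset(type, SpecInt32)) return 'number';
  return null; // not foldable: emit the runtime typeof
}

// After the fix: functions are taken out of the "object" set and get their own rule.
function foldTypeOfAfter(type) {
  if (isSubset(type, SpecObject & ~SpecObjectOther & ~SpecFunction)) return 'object';
  if (isSubset(type, SpecFunction)) return 'function';
  if (isSubset(type, SpecString)) return 'string';
  if (isSubset(type, SpecInt32)) return 'number';
  return null;
}

// Constructed sample values paired with the type the AI might have proven for them.
const samples = [
  { value: {}, type: SpecFinalObject },
  { value: [], type: SpecArray },
  { value: function () {}, type: SpecFunction },
  { value: 'str', type: SpecString },
  { value: 1, type: SpecInt32 },
];

// Types for which a folding rule's constant disagrees with the runtime typeof (the oracle).
function disagreements(fold) {
  return samples
    .filter(({ value, type }) => fold(type) !== null && fold(type) !== typeof value)
    .map(({ type }) => type);
}
```

        With these flags, disagreements(foldTypeOfBefore) reports SpecFunction and
        disagreements(foldTypeOfAfter) reports nothing; a mixed set such as
        SpecFinalObject | SpecFunction is not folded at all by the corrected rule.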
1516
1517 2016-03-31  Mark Lam  <mark.lam@apple.com>
1518
1519         Gardening: Build and logic fix after r198873.
1520         https://bugs.webkit.org/show_bug.cgi?id=156043
1521
1522         Not reviewed.
1523
1524         * assembler/MacroAssemblerX86Common.h:
1525         (JSC::MacroAssemblerX86Common::addFloat):
1526         - 2 args were meant to be ordered differently in order to call the other addFloat.
1527           Instead, there was an infinite recursion bug.  This is now fixed.
1528
1529 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
1530
1531         [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
1532         https://bugs.webkit.org/show_bug.cgi?id=156043
1533
1534         Reviewed by Geoffrey Garen.
1535
1536         When they are available, VADD and VMUL are better options to lower
1537         floating point addition and multiplication.
1538
1539         In the simple cases when one of the operands is aliased to the destination,
1540         those forms have the same size or 1 byte shorter depending on the registers.
1541
1542         In the more advanced cases, we gain nice advantages with the new forms:
1543         - We can get rid of the MoveDouble in front of the instruction when we cannot
1544           alias.
1545         - We can disable aliasing entirely in Air. That is useful for latency
1546           since computing coalescing is not exactly cheap.
1547
1548         * assembler/MacroAssemblerX86Common.cpp:
1549         * assembler/MacroAssemblerX86Common.h:
1550         (JSC::MacroAssemblerX86Common::and32):
1551         (JSC::MacroAssemblerX86Common::mul32):
1552         (JSC::MacroAssemblerX86Common::or32):
1553         (JSC::MacroAssemblerX86Common::xor32):
1554         (JSC::MacroAssemblerX86Common::branchAdd32):
1555         The change in B3LowerToAir exposed a bug in the fake 3 operands
1556         forms of those instructions. If the address is equal to
1557         the destination, we were nuking the address.
1558
1559         For example,
1560             Add32([%r11], %eax, %r11)
1561         would generate:
1562             move %eax, %r11
1563             add32 [%r11], %r11
1564         which crashes.
1565
1566         I updated codegen of those cases to support that case through
1567             load32 [%r11], %r11
1568             add32 %eax, %r11
1569
1570         The weird case where all arguments have the same registers
1571         is handled too.
1572
1573         (JSC::MacroAssemblerX86Common::addDouble):
1574         (JSC::MacroAssemblerX86Common::addFloat):
1575         (JSC::MacroAssemblerX86Common::mulDouble):
1576         (JSC::MacroAssemblerX86Common::mulFloat):
1577         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1578         (JSC::MacroAssemblerX86Common::supportsAVX):
1579         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1580         * assembler/MacroAssemblerX86_64.h:
1581         (JSC::MacroAssemblerX86_64::branchAdd64):
1582         * assembler/X86Assembler.h:
1583         (JSC::X86Assembler::vaddsd_rr):
1584         (JSC::X86Assembler::vaddsd_mr):
1585         (JSC::X86Assembler::vaddss_rr):
1586         (JSC::X86Assembler::vaddss_mr):
1587         (JSC::X86Assembler::vmulsd_rr):
1588         (JSC::X86Assembler::vmulsd_mr):
1589         (JSC::X86Assembler::vmulss_rr):
1590         (JSC::X86Assembler::vmulss_mr):
1591         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1592         * b3/B3LowerToAir.cpp:
1593         (JSC::B3::Air::LowerToAir::appendBinOp):
1594         Add the 3 operand forms so that we lower Add and Mul
1595         to the best form directly.
1596
1597         I will change how we lower the fake 3 operands instructions
1598         but the codegen should end up the same in most cases.
1599         The new codegen is the load32 + op above.
1600
1601         * b3/air/AirInstInlines.h:
1602         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1603         * b3/air/testair.cpp:
1604         (JSC::B3::Air::testX86VMULSD):
1605         (JSC::B3::Air::testX86VMULSDDestRex):
1606         (JSC::B3::Air::testX86VMULSDOp1DestRex):
1607         (JSC::B3::Air::testX86VMULSDOp2DestRex):
1608         (JSC::B3::Air::testX86VMULSDOpsDestRex):
1609         (JSC::B3::Air::testX86VMULSDAddr):
1610         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
1611         (JSC::B3::Air::testX86VMULSDDestRexAddr):
1612         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
1613         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
1614         Make sure we have some coverage for AVX encoding of instructions.
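
        The aliasing hazard described in this entry, as an added illustration that is not part of
        the ChangeLog and not MacroAssemblerX86Common's code: a lowering of the fake 3 operand
        Add32([base], src, dest) onto two operand instructions, the buggy sequence kept beside the
        corrected one, and a small simulator that models the crash as a dereference of an unmapped
        address. Register names, the instruction syntax and the machine state are constructed for
        the example; lowerAdd32, lowerAdd32Buggy, run and evaluateAdd32 are names invented here.

```javascript
// Constructed model of lowering Add32([base], src, dest), meaning
// dest = mem[base] + src, onto x86's two operand add32. Not JSC's code.

// Corrected lowering: never clobber the address register before it is read.
function lowerAdd32(base, src, dest) {
  if (src === dest) {
    // dest already holds src: the two operand form reads memory directly.
    // This also covers the case where base, src and dest are all the same register.
    return [`add32 [${base}], ${dest}`];
  }
  if (base === dest) {
    // "move src, dest; add32 [dest], dest" would overwrite the address first,
    // so load the memory operand into dest and add the register instead.
    return [`load32 [${base}], ${dest}`, `add32 ${src}, ${dest}`];
  }
  return [`move ${src}, ${dest}`, `add32 [${base}], ${dest}`];
}

// The original lowering, kept so the simulator can show the failure.
function lowerAdd32Buggy(base, src, dest) {
  if (src === dest) return [`add32 [${base}], ${dest}`];
  return [`move ${src}, ${dest}`, `add32 [${base}], ${dest}`];
}

// Minimal simulator: regs maps register -> value, mem maps address -> value.
// Dereferencing an address that is not mapped models the crash from the entry.
function run(instructions, regs, mem) {
  const state = { ...regs };
  const load = (reg) => {
    const addr = state[reg];
    if (!(addr in mem)) throw new Error(`invalid memory access at ${addr}`);
    return mem[addr];
  };
  for (const insn of instructions) {
    const [, op, a, b] = /^(\w+) (\[?%\w+\]?), (%\w+)$/.exec(insn);
    const value = a.startsWith('[') ? load(a.slice(1, -1)) : state[a];
    if (op === 'move' || op === 'load32') state[b] = value;
    else if (op === 'add32') state[b] = (state[b] + value) | 0;
    else throw new Error(`unknown instruction ${op}`);
  }
  return state;
}

// Runs Add32([base], src, dest) through a lowering and returns dest's final value.
function evaluateAdd32(lower, base, src, dest, regs, mem) {
  return run(lower(base, src, dest), regs, mem)[dest];
}

// Constructed machine state: %r11 points at address 0x100, which holds 40.
const regs = { '%eax': 2, '%r11': 0x100, '%ecx': 5 };
const mem = { 0x100: 40 };
```

        For Add32([%r11], %eax, %r11) the corrected lowering yields 42, the buggy one faults
        after "move %eax, %r11" turns the address into 2, and when all three operands are %r11 the
        two operand form reads mem[0x100] and adds the register, giving 40 + 0x100.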
1615
1616 2016-03-30  Saam Barati  <sbarati@apple.com>
1617
1618         Change some release asserts in CodeBlock linking into debug asserts
1619         https://bugs.webkit.org/show_bug.cgi?id=155500
1620
1621         Reviewed by Filip Pizlo.
1622
1623         * bytecode/CodeBlock.cpp:
1624         (JSC::CodeBlock::finishCreation):
1625
1626 2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1627
1628         Remove unused ScriptProfiler.Samples.totalTime
1629         https://bugs.webkit.org/show_bug.cgi?id=156002
1630
1631         Reviewed by Saam Barati.
1632
1633         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1634         (Inspector::buildSamples):
1635         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1636         * inspector/protocol/ScriptProfiler.json:
1637         Remove totalTime.
1638
1639         * runtime/SamplingProfiler.cpp:
1640         (JSC::SamplingProfiler::SamplingProfiler): Deleted.
1641         * runtime/SamplingProfiler.h:
1642         (JSC::SamplingProfiler::totalTime): Deleted.
1643         Remove now unused m_totalTime.
1644
1645 2016-03-30  Michael Saboff  <msaboff@apple.com>
1646
1647         [ES6] Quantified unicode regular expressions do not work for counts greater than 1
1648         https://bugs.webkit.org/show_bug.cgi?id=156044
1649
1650         Reviewed by Mark Lam.
1651
1652         Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
1653         was indexing by character units, a single JS character, instead of by code points,
1654         which are 2 JS characters.
1655
1656         * yarr/YarrInterpreter.cpp:
1657         (JSC::Yarr::Interpreter::matchDisjunction):
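
        The unit-versus-code-point distinction behind this fix, as an added illustration that is
        not part of the ChangeLog and not the Yarr interpreter: a matcher for a fixed pattern under
        a quantifier that steps through both strings by code points (one or two UTF-16 units each),
        a variant that indexes the pattern by units to show how a non-BMP character then fails to
        match, and a cross-check against the engine's own /u regex. codePointWidth,
        codePointLength, matchRepeatedPattern, matchRepeatedPatternByUnits and engineMatches are
        names invented here; SMILEY is a constructed sample.

```javascript
// Constructed model of quantified fixed-pattern matching by code points. Not Yarr.
const SMILEY = '\u{1F600}'; // one code point, two UTF-16 code units

// Width in code units of the code point that starts at unit index i.
function codePointWidth(str, i) {
  return str.codePointAt(i) > 0xFFFF ? 2 : 1;
}

// Number of code points in a string (str.length counts units instead).
function codePointLength(str) {
  let n = 0;
  for (let i = 0; i < str.length; i += codePointWidth(str, i)) n++;
  return n;
}

// Does `subject` start with `pattern` repeated `count` times? Returns the number
// of code units consumed on success, -1 on mismatch.
function matchRepeatedPattern(subject, pattern, count) {
  let j = 0;
  for (let rep = 0; rep < count; rep++) {
    for (let i = 0; i < pattern.length; i += codePointWidth(pattern, i)) {
      if (j >= subject.length || subject.codePointAt(j) !== pattern.codePointAt(i)) return -1;
      j += codePointWidth(subject, j); // step over the whole code point
    }
  }
  return j;
}

// Same matcher but indexing the pattern one code unit at a time. For a non-BMP
// pattern character the trailing surrogate is then compared as a character of
// its own, so the match fails.
function matchRepeatedPatternByUnits(subject, pattern, count) {
  let j = 0;
  for (let rep = 0; rep < count; rep++) {
    for (let i = 0; i < pattern.length; i++) {
      if (j >= subject.length || subject.codePointAt(j) !== pattern.codePointAt(i)) return -1;
      j += codePointWidth(subject, j);
    }
  }
  return j;
}

// Cross-check against the engine's own /u regex for the same quantified pattern.
function engineMatches(subject, pattern, count) {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^(?:${escaped}){${count}}`, 'u').test(subject);
}
```

        For BMP-only input both matchers agree; for SMILEY repeated twice only the code point
        version matches, consuming 4 units, which is also what the /u regex reports.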
1658
1659 2016-03-30  Mark Lam  <mark.lam@apple.com>
1660
1661         Make the $vm debugging tools available to builtins as @$vm.
1662         https://bugs.webkit.org/show_bug.cgi?id=156012
1663
1664         Reviewed by Saam Barati.
1665
1666         We also need some debugging tools for builtin development.  The $vm object will
1667         be made available to builtins as @$vm, which gives us, amongst many goodies,
1668         @$vm.print() (which prints the toString() values of its args) and
1669         @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
1670         available if we run with JSC_useDollarVM=true.
1671
1672         Also changed @$vm.print() to not automatically insert a space between the
1673         printing of each of its args.  This makes it clearer as to what will be printed
1674         i.e. it will only print what is passed to it.
1675
1676         * builtins/BuiltinNames.h:
1677         (JSC::BuiltinNames::BuiltinNames):
1678         (JSC::BuiltinNames::dollarVMPublicName):
1679         (JSC::BuiltinNames::dollarVMPrivateName):
1680         * runtime/JSGlobalObject.cpp:
1681         (JSC::JSGlobalObject::init):
1682         * tools/JSDollarVMPrototype.cpp:
1683         (JSC::functionPrint):
1684
1685 2016-03-30  Keith Miller  <keith_miller@apple.com>
1686
1687         Unreviewed, buildfix.
1688
1689         * bytecode/BytecodeIntrinsicRegistry.h:
1690
1691 2016-03-30  Keith Miller  <keith_miller@apple.com>
1692
1693         Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.
1694
1695 2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1696
1697         [JSC] Implement String.prototype.repeat in builtins JS
1698         https://bugs.webkit.org/show_bug.cgi?id=155974
1699
1700         Reviewed by Darin Adler.
1701
1702         This patch converts C++ String.prototype.repeat implementation into JS builtins.
1703         |this| in strict mode is correctly inferred as String[1]. This fact encourages us
1704         to write PrimitiveTypes.prototype.XXX methods in builtin JS.
1705
1706         LayoutTests/js/string-repeat.html already covers the tests for this change.
1707
1708         Note: String.prototype.repeat functionality is similar to Harmony's
1709         String.prototype.{padStart, padEnd}. It would be nice to port them to builtin JS in
1710         another patch.
1711
1712         The existing C++ code has the fast path for singleCharacterString repeating.
1713         Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
1714         we keep this fast path as @repeatCharacter().
1715
1716         The performance results show that, while the performance of the single character fast path
1717         is neutral, other string repeating has significant speed up.
1718         There are two reasons.
1719
1720         1. Not resolving string rope.
1721
1722         We added several tests postfixed "not-resolving". In those tests, we do not touch the content
1723         of the generated string. As a result, the generated rope is not resolved.
1724
1725         2. O(log N) intermediate JSRopeStrings.
1726
1727         In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
1728         the given string to the builder.
1729         In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
1730         In JS builtin implementation, we only iterate log N times. As a result, the number of the
1731         intermediate rope strings becomes O(log N).
1732
1733         [1]: http://trac.webkit.org/changeset/195938
1734
1735         * builtins/StringPrototype.js:
1736         (repeatSlowPath):
1737         (repeat):
1738         * bytecode/BytecodeIntrinsicRegistry.cpp:
1739         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1740         * bytecode/BytecodeIntrinsicRegistry.h:
1741         * runtime/CommonIdentifiers.h:
1742         * runtime/JSGlobalObject.cpp:
1743         (JSC::JSGlobalObject::init):
1744         * runtime/StringPrototype.cpp:
1745         (JSC::stringProtoFuncRepeatCharacter):
1746         (JSC::StringPrototype::finishCreation): Deleted.
1747         (JSC::stringProtoFuncRepeat): Deleted.
1748         * runtime/StringPrototype.h:
1749         * tests/stress/string-repeat-edge-cases.js: Added.
1750         (shouldBe):
1751         (let.object.toString):
1752         (valueOf):
1753         (shouldThrow):
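
        The O(log N) idea from this entry, as an added illustration that is not part of the
        ChangeLog and not builtins/StringPrototype.js: the operand is doubled at each step and
        appended to the result whenever the corresponding bit of the count is set, so the number of
        concatenations is floor(log2 N) + popcount(N) rather than N. The count of concatenations is
        tracked only to make the cost visible; toRepeatCount, repeatWithDoubling and repeatNaive
        are names invented here.

```javascript
// Constructed model of repeat() by doubling; not JSC's builtin.

// Coercion of the count argument as the spec describes it: ToInteger, then
// reject negative or infinite counts with a RangeError.
function toRepeatCount(count) {
  let n = Number(count);
  if (Number.isNaN(n)) n = 0;
  n = Math.trunc(n);
  if (n < 0 || n === Infinity) {
    throw new RangeError('String.prototype.repeat argument must be >= 0 and < Infinity');
  }
  return n;
}

// Returns the repeated string together with how many concatenations it took.
function repeatWithDoubling(string, count) {
  const n = toRepeatCount(count);
  let result = '';
  let operand = string;
  let remaining = n;
  let concatenations = 0;
  while (remaining > 0) {
    if (remaining % 2 === 1) { // lowest bit set: take one copy of the current operand
      result += operand;
      concatenations++;
    }
    remaining = Math.floor(remaining / 2);
    if (remaining > 0) { // square the operand for the next bit
      operand += operand;
      concatenations++;
    }
  }
  return { result, concatenations };
}

// The straightforward O(N) loop, for comparison.
function repeatNaive(string, count) {
  const n = toRepeatCount(count);
  let result = '';
  for (let i = 0; i < n; i++) result += string;
  return { result, concatenations: n };
}
```

        For a count of 1000 (binary 1111101000) the doubling version performs 9 doublings and 6
        appends, 15 concatenations in total, against 1000 for the naive loop, and both produce the
        same string as the built-in repeat.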
1754
1755 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
1756
1757         [JSC] Update udis86
1758         https://bugs.webkit.org/show_bug.cgi?id=156005
1759
1760         Reviewed by Geoffrey Garen.
1761
1762         * CMakeLists.txt:
1763         * DerivedSources.make:
1764         * JavaScriptCore.xcodeproj/project.pbxproj:
1765         * disassembler/udis86/differences.txt:
1766         * disassembler/udis86/itab.py: Removed.
1767         * disassembler/udis86/optable.xml:
1768         * disassembler/udis86/ud_itab.py: Added.
1769         * disassembler/udis86/ud_opcode.py:
1770         * disassembler/udis86/ud_optable.py: Removed.
1771         * disassembler/udis86/udis86.c:
1772         * disassembler/udis86/udis86_decode.c:
1773         * disassembler/udis86/udis86_decode.h:
1774         * disassembler/udis86/udis86_extern.h:
1775         * disassembler/udis86/udis86_input.c: Removed.
1776         * disassembler/udis86/udis86_input.h: Removed.
1777         * disassembler/udis86/udis86_syn-att.c:
1778         * disassembler/udis86/udis86_syn.h:
1779         * disassembler/udis86/udis86_types.h:
1780         * disassembler/udis86/udis86_udint.h:
1781
1782 2016-03-30  Benjamin Poulain  <bpoulain@apple.com>
1783
1784         [JSC] Get rid of operationInitGlobalConst(), it is useless
1785         https://bugs.webkit.org/show_bug.cgi?id=156010
1786
1787         Reviewed by Geoffrey Garen.
1788
1789         * jit/JITOperations.cpp:
1790         * jit/JITOperations.h:
1791
1792 2016-03-29  Saam barati  <sbarati@apple.com>
1793
1794         Fix typos in our error messages and remove some trailing periods
1795         https://bugs.webkit.org/show_bug.cgi?id=155985
1796
1797         Reviewed by Mark Lam.
1798
1799         * bytecompiler/BytecodeGenerator.cpp:
1800         (JSC::BytecodeGenerator::BytecodeGenerator):
1801         * runtime/ArrayConstructor.h:
1802         (JSC::isArray):
1803         * runtime/ProxyConstructor.cpp:
1804         (JSC::makeRevocableProxy):
1805         (JSC::proxyRevocableConstructorThrowError):
1806         (JSC::ProxyConstructor::finishCreation):
1807         (JSC::constructProxyObject):
1808         * runtime/ProxyObject.cpp:
1809         (JSC::ProxyObject::finishCreation):
1810         (JSC::performProxyGet):
1811         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1812         (JSC::ProxyObject::performHasProperty):
1813         (JSC::ProxyObject::performPut):
1814         (JSC::performProxyCall):
1815         (JSC::performProxyConstruct):
1816         (JSC::ProxyObject::performDelete):
1817         (JSC::ProxyObject::performPreventExtensions):
1818         (JSC::ProxyObject::performIsExtensible):
1819         (JSC::ProxyObject::performDefineOwnProperty):
1820         (JSC::ProxyObject::performGetOwnPropertyNames):
1821         (JSC::ProxyObject::performSetPrototype):
1822         (JSC::ProxyObject::performGetPrototype):
1823         * runtime/StringPrototype.cpp:
1824         (JSC::stringProtoFuncStartsWith):
1825         (JSC::stringProtoFuncEndsWith):
1826         (JSC::stringProtoFuncIncludes):
1827         * runtime/Structure.cpp:
1828         (JSC::Structure::preventExtensionsTransition):
1829         * tests/stress/proxy-basic.js:
1830         * tests/stress/proxy-construct.js:
1831         (throw.new.Error):
1832         (assert):
1833         * tests/stress/proxy-define-own-property.js:
1834         (assert):
1835         (throw.new.Error):
1836         (i.catch):
1837         (assert.set get catch):
1838         * tests/stress/proxy-delete.js:
1839         (assert):
1840         * tests/stress/proxy-get-own-property.js:
1841         (assert):
1842         (i.catch):
1843         (set get let):
1844         * tests/stress/proxy-get-prototype-of.js:
1845         (assert):
1846         (assert.get let):
1847         (assert.get catch):
1848         * tests/stress/proxy-has-property.js:
1849         (assert):
1850         * tests/stress/proxy-is-array.js:
1851         (test):
1852         * tests/stress/proxy-is-extensible.js:
1853         (assert):
1854         * tests/stress/proxy-json.js:
1855         (assert):
1856         (test):
1857         * tests/stress/proxy-own-keys.js:
1858         (assert):
1859         (i.catch):
1860         * tests/stress/proxy-prevent-extensions.js:
1861         (assert):
1862         * tests/stress/proxy-property-descriptor.js:
1863         * tests/stress/proxy-revoke.js:
1864         (assert):
1865         (throw.new.Error.):
1866         (throw.new.Error):
1867         (shouldThrowNullHandler):
1868         * tests/stress/proxy-set-prototype-of.js:
1869         (assert.set let):
1870         (assert.set catch):
1871         (assert):
1872         (set catch):
1873         * tests/stress/proxy-set.js:
1874         (throw.new.Error.let.handler.set 45):
1875         (throw.new.Error):
1876         * tests/stress/proxy-with-private-symbols.js:
1877         (assert):
1878         * tests/stress/proxy-with-unbalanced-getter-setter.js:
1879         (assert):
1880         * tests/stress/reflect-set-proxy-set.js:
1881         (throw.new.Error.let.handler.set 45):
1882         (throw.new.Error):
1883         * tests/stress/reflect-set-receiver-proxy-set.js:
1884         (let.handler.set 45):
1885         (catch):
1886         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
1887         (test):
1888         (test.get let):
1889
1890 2016-03-29  Keith Miller  <keith_miller@apple.com>
1891
1892         [ES6] Add support for Symbol.isConcatSpreadable.
1893         https://bugs.webkit.org/show_bug.cgi?id=155351
1894
1895         Reviewed by Saam Barati.
1896
1897         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
1898         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
1899         a builtin performant. First, four new DFG intrinsics were added.
1900
1901         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
1902            the Array.isArray function.
1903         2) IsJSArray: checks the first child is a JSArray object.
1904         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
1905         4) CallObjectConstructor: an intrinsic of the Object constructor.
1906
1907         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
1908         we are able to prove that the first child is an Array or for ToObject an Object.
1909
1910         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
1911         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
1912         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
1913         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
1914         into a contiguous array).
1915
1916         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
1917         values onto the result array. This works roughly the same as the two array fast path using the same methodology
1918         to decide if we can memcpy the other butterfly into the result butterfly.
1919
1920         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
1921         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
1922         dataLog function on it.
1923
1924         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
1925         JSValueOperand if the operand's use count is one.
1926
1927         * JavaScriptCore.xcodeproj/project.pbxproj:
1928         * builtins/ArrayPrototype.js:
1929         (concatSlowPath):
1930         (concat):
1931         * bytecode/BytecodeIntrinsicRegistry.cpp:
1932         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1933         * bytecode/BytecodeIntrinsicRegistry.h:
1934         * dfg/DFGAbstractInterpreterInlines.h:
1935         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1936         * dfg/DFGByteCodeParser.cpp:
1937         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1938         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1939         * dfg/DFGClobberize.h:
1940         (JSC::DFG::clobberize):
1941         * dfg/DFGDoesGC.cpp:
1942         (JSC::DFG::doesGC):
1943         * dfg/DFGFixupPhase.cpp:
1944         (JSC::DFG::FixupPhase::fixupNode):
1945         * dfg/DFGNodeType.h:
1946         * dfg/DFGOperations.cpp:
1947         * dfg/DFGOperations.h:
1948         * dfg/DFGPredictionPropagationPhase.cpp:
1949         (JSC::DFG::PredictionPropagationPhase::propagate):
1950         * dfg/DFGSafeToExecute.h:
1951         (JSC::DFG::safeToExecute):
1952         * dfg/DFGSpeculativeJIT.cpp:
1953         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1954         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
1955         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
1956         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1957         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1958         * dfg/DFGSpeculativeJIT.h:
1959         (JSC::DFG::SpeculativeJIT::callOperation):
1960         * dfg/DFGSpeculativeJIT32_64.cpp:
1961         (JSC::DFG::SpeculativeJIT::compile):
1962         * dfg/DFGSpeculativeJIT64.cpp:
1963         (JSC::DFG::SpeculativeJIT::compile):
1964         * ftl/FTLCapabilities.cpp:
1965         (JSC::FTL::canCompile):
1966         * ftl/FTLLowerDFGToB3.cpp:
1967         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1968         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1969         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
1970         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1971         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
1972         (JSC::FTL::DFG::LowerDFGToB3::isArray):
1973         * jit/JITOperations.h:
1974         * jsc.cpp:
1975         (WTF::RuntimeArray::createStructure):
1976         (GlobalObject::finishCreation):
1977         (functionDebug):
1978         (functionDataLogValue):
1979         * runtime/ArrayConstructor.cpp:
1980         (JSC::ArrayConstructor::finishCreation):
1981         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1982         * runtime/ArrayConstructor.h:
1983         (JSC::isArrayConstructor):
1984         * runtime/ArrayPrototype.cpp:
1985         (JSC::ArrayPrototype::finishCreation):
1986         (JSC::arrayProtoPrivateFuncIsJSArray):
1987         (JSC::moveElements):
1988         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1989         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1990         (JSC::arrayProtoFuncConcat): Deleted.
1991         * runtime/ArrayPrototype.h:
1992         (JSC::ArrayPrototype::createStructure):
1993         * runtime/CommonIdentifiers.h:
1994         * runtime/Intrinsic.h:
1995         * runtime/JSArray.cpp:
1996         (JSC::JSArray::appendMemcpy):
1997         (JSC::JSArray::fastConcatWith): Deleted.
1998         * runtime/JSArray.h:
1999         (JSC::JSArray::createStructure):
2000         (JSC::JSArray::fastConcatType): Deleted.
2001         * runtime/JSArrayInlines.h: Added.
2002         (JSC::JSArray::memCopyWithIndexingType):
2003         (JSC::JSArray::canFastCopy):
2004         * runtime/JSGlobalObject.cpp:
2005         (JSC::JSGlobalObject::init):
2006         * runtime/JSType.h:
2007         * runtime/ObjectConstructor.h:
2008         (JSC::constructObject):
2009         * tests/es6.yaml:
2010         * tests/stress/array-concat-spread-object.js: Added.
2011         (arrayEq):
2012         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
2013         (arrayEq):
2014         * tests/stress/array-concat-spread-proxy.js: Added.
2015         (arrayEq):
2016         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
2017         (arrayEq):
2018         * tests/stress/array-species-config-array-constructor.js:
2019
2020 2016-03-29  Saam barati  <sbarati@apple.com>
2021
2022         We don't properly optimize TDZ checks when we declare a let variable without an initializer
2023         https://bugs.webkit.org/show_bug.cgi?id=150453
2024
2025         Reviewed by Mark Lam.
2026
2027         * bytecompiler/NodesCodegen.cpp:
2028         (JSC::EmptyLetExpression::emitBytecode):
2029
2030 2016-03-29  Saam barati  <sbarati@apple.com>
2031
2032         Allow builtin JS functions to be intrinsics
2033         https://bugs.webkit.org/show_bug.cgi?id=155960
2034
2035         Reviewed by Mark Lam.
2036
2037         Builtin functions can now be recognized as intrinsics inside
2038         the DFG. This gives us the flexibility to either lower a builtin
2039         as an intrinsic in the DFG or as a normal function call.
2040         Because we may decide to not lower it as an intrinsic, the DFG
2041         inliner could still inline the function call.
2042
2043         You can annotate a builtin function like so to have
2044         it recognized as an intrinsic.
2045         ```
2046         [intrinsic=FooIntrinsic] function foo() { ... }
2047         ```
2048         where FooIntrinsic is an enum value of the Intrinsic enum.
2049
2050         So in the future if we write RegExp.prototype.test as a builtin, we would do:
2051         ``` RegExpPrototype.js
2052         [intrinsic=RegExpTestIntrinsic] function test() { ... }
2053         ```
2054
2055         * Scripts/builtins/builtins_generate_combined_implementation.py:
2056         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2057         * Scripts/builtins/builtins_generate_separate_implementation.py:
2058         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2059         * Scripts/builtins/builtins_generator.py:
2060         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
2061         * Scripts/builtins/builtins_model.py:
2062         (BuiltinObject.__init__):
2063         (BuiltinFunction):
2064         (BuiltinFunction.__init__):
2065         (BuiltinFunction.fromString):
2066         (BuiltinFunction.__str__):
2067         * Scripts/builtins/builtins_templates.py:
2068         * bytecode/UnlinkedFunctionExecutable.cpp:
2069         (JSC::UnlinkedFunctionExecutable::visitChildren):
2070         (JSC::UnlinkedFunctionExecutable::link):
2071         * bytecode/UnlinkedFunctionExecutable.h:
2072         * dfg/DFGByteCodeParser.cpp:
2073         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2074         * runtime/Executable.cpp:
2075         (JSC::ExecutableBase::clearCode):
2076         (JSC::NativeExecutable::destroy):
2077         (JSC::ScriptExecutable::ScriptExecutable):
2078         (JSC::EvalExecutable::create):
2079         (JSC::EvalExecutable::EvalExecutable):
2080         (JSC::ProgramExecutable::ProgramExecutable):
2081         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2082         (JSC::FunctionExecutable::FunctionExecutable):
2083         (JSC::ExecutableBase::intrinsic): Deleted.
2084         (JSC::NativeExecutable::intrinsic): Deleted.
2085         * runtime/Executable.h:
2086         (JSC::ExecutableBase::ExecutableBase):
2087         (JSC::ExecutableBase::hasJITCodeFor):
2088         (JSC::ExecutableBase::intrinsic):
2089         (JSC::ExecutableBase::intrinsicFor):
2090         (JSC::ScriptExecutable::finishCreation):
2091         * runtime/Intrinsic.h:
2092
2093 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2094
2095         JSC::Debugger cleanup after recent changes
2096         https://bugs.webkit.org/show_bug.cgi?id=155982
2097
2098         Reviewed by Mark Lam.
2099
2100         * debugger/Debugger.cpp:
2101         (JSC::Debugger::Debugger):
2102         Initialize with breakpoints disabled. Web Inspector always informs
2103         the backend if it should enable or disable breakpoints on startup.
2104
2105         (JSC::Debugger::setProfilingClient):
2106         When using the Sampling profiler we do not need to recompile.
2107
2108 2016-03-29  Saam barati  <sbarati@apple.com>
2109
2110         "Can not" => "cannot" in String.prototype error messages
2111         https://bugs.webkit.org/show_bug.cgi?id=155895
2112
2113         Reviewed by Mark Lam.
2114
2115         * runtime/StringPrototype.cpp:
2116         (JSC::stringProtoFuncStartsWith):
2117         (JSC::stringProtoFuncEndsWith):
2118         (JSC::stringProtoFuncIncludes):
2119         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
2120         (test):
2121         (test.get let):
2122
2123 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2124
2125         Web Inspector: We should have a way to capture heap snapshots programmatically.
2126         https://bugs.webkit.org/show_bug.cgi?id=154407
2127         <rdar://problem/24726292>
2128
2129         Reviewed by Timothy Hatcher.
2130
2131         * inspector/protocol/Console.json:
2132         Add a new Console.heapSnapshot event for when a heap snapshot is taken.
2133
2134         * runtime/ConsolePrototype.cpp:
2135         (JSC::ConsolePrototype::finishCreation):
2136         (JSC::consoleProtoFuncProfile):
2137         (JSC::consoleProtoFuncProfileEnd):
2138         (JSC::consoleProtoFuncTakeHeapSnapshot):
2139         * runtime/ConsoleClient.h:
2140         Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.
2141
2142         * inspector/JSGlobalObjectConsoleClient.cpp:
2143         (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
2144         * inspector/JSGlobalObjectConsoleClient.h:
2145         Have the InspectorConsoleAgent handle this.
2146
2147         * inspector/JSGlobalObjectInspectorController.cpp:
2148         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2149         * inspector/agents/InspectorConsoleAgent.cpp:
2150         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
2151         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
2152         * inspector/agents/InspectorConsoleAgent.h:
2153         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2154         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
2155         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2156         Give the ConsoleAgent a HeapAgent pointer so that it can have the HeapAgent
2157         perform the snapshot building work like it normally does.
2158
2159 2016-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2160
2161         REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte
2162         https://bugs.webkit.org/show_bug.cgi?id=155559
2163
2164         Reviewed by Saam Barati.
2165
2166         The fast path of the eval function is the super hot path in date-format-tofte.
2167         Any performance regression is not allowed here.
2168         Before this patch, we allocated SourceCode in the fast path.
2169         This allocation incurs 10% performance regression.
2170
2171         This patch removes this allocation in the fast path.
2172         And changes the key of the EvalCodeCache to EvalCodeCache::CacheKey.
2173         It combines RefPtr<StringImpl> and isArrowFunctionContext.
2174         Since EvalCodeCache does not cache any eval code evaluated under the strict mode,
2175         it is unnecessary to include several options (ThisTDZMode, and DerivedContextType) in the cache map's key.
2176         But isArrowFunctionContext is necessary since the sloppy mode arrow function exists.
2177
2178         To validate this change, we add a new test that evaluates the same code
2179         under the non-arrow function context and the arrow function context.
2180
2181         After introducing CacheKey, we observed 1% regression compared to the RefPtr<StringImpl> keyed case.
2182         This is because HashMap<RefPtr<T>, ...>::get(T*) is specially optimized; this path is inlined while the normal ::get() is not inlined.
2183         To avoid this performance regression, we introduce HashMap::fastGet, that aggressively encourages inlining.
2184         The relationship between fastGet() and get() is similar to fastAdd() and add().
2185         After applying this change, the evaluation shows no performance regression in comparison with the RefPtr<StringImpl> keyed case.
2186
2187         * bytecode/EvalCodeCache.h:
2188         (JSC::EvalCodeCache::CacheKey::CacheKey):
2189         (JSC::EvalCodeCache::CacheKey::hash):
2190         (JSC::EvalCodeCache::CacheKey::isEmptyValue):
2191         (JSC::EvalCodeCache::CacheKey::operator==):
2192         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue):
2193         (JSC::EvalCodeCache::CacheKey::Hash::hash):
2194         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2195         (JSC::EvalCodeCache::tryGet):
2196         (JSC::EvalCodeCache::getSlow):
2197         (JSC::EvalCodeCache::isCacheable):
2198         * interpreter/Interpreter.cpp:
2199         (JSC::eval):
2200         * tests/stress/eval-in-arrow-function.js: Added.
2201         (shouldBe):
2202         (i):
2203
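        The CacheKey idea from the entry above, sketched as an added C++ example. This is
        not JSC's code: it uses std::string and std::unordered_map in place of
        RefPtr<StringImpl> and WTF::HashMap, does not reproduce the allocation-free fast
        path or fastGet(), and the EvalExecutable struct and the 256-byte cacheability
        bound are constructed. What it does show is why the context bit has to be part of
        the key: the same source text must resolve to two different entries depending on
        whether it was evaluated inside a sloppy-mode arrow function.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>

// Constructed stand-in for the compiled eval code the real cache stores.
struct EvalExecutable {
    std::string source;
    bool isArrowFunctionContext;
};

// Key modelled on the entry: the eval source plus the one context bit that
// still changes compilation in sloppy mode. Strict-mode eval is never cached,
// so the strict-only options (ThisTDZMode, DerivedContextType) are not needed.
struct CacheKey {
    std::string source; // the real key holds RefPtr<StringImpl>
    bool isArrowFunctionContext;

    bool operator==(const CacheKey& other) const {
        return isArrowFunctionContext == other.isArrowFunctionContext && source == other.source;
    }
};

struct CacheKeyHash {
    size_t operator()(const CacheKey& key) const {
        // Fold the context bit into the string hash so identical source text
        // from the two contexts does not land on the same key.
        return std::hash<std::string>()(key.source) ^ (static_cast<size_t>(key.isArrowFunctionContext) << 1);
    }
};

class EvalCodeCache {
public:
    // Strict-mode eval is never cached; the length bound is a constructed value.
    static bool isCacheable(bool inStrictContext, const std::string& source) {
        return !inStrictContext && source.size() <= 256;
    }

    // Fast path: lookup only, no compilation and no insertion.
    const EvalExecutable* tryGet(const std::string& source, bool isArrowFunctionContext) const {
        auto it = m_cache.find(CacheKey { source, isArrowFunctionContext });
        return it == m_cache.end() ? nullptr : it->second.get();
    }

    // Slow path: "compile" (here: just record the inputs) and insert.
    const EvalExecutable* getSlow(const std::string& source, bool isArrowFunctionContext) {
        auto executable = std::make_shared<EvalExecutable>(EvalExecutable { source, isArrowFunctionContext });
        auto result = m_cache.emplace(CacheKey { source, isArrowFunctionContext }, executable);
        return result.first->second.get();
    }

    size_t size() const { return m_cache.size(); }

private:
    std::unordered_map<CacheKey, std::shared_ptr<EvalExecutable>, CacheKeyHash> m_cache;
};

// The same source text evaluated in an arrow-function context and in a plain
// function context must yield two distinct entries; a key of only the string
// would let one context receive code compiled for the other.
inline bool contextBitSeparatesEntries() {
    EvalCodeCache cache;
    const std::string source = "arguments.length";
    if (EvalCodeCache::isCacheable(true, source)) return false; // strict: never cached
    if (cache.tryGet(source, false)) return false;               // cold cache misses
    const EvalExecutable* plain = cache.getSlow(source, false);
    const EvalExecutable* arrow = cache.getSlow(source, true);
    return plain != arrow
        && cache.tryGet(source, false) == plain
        && cache.tryGet(source, true) == arrow
        && cache.size() == 2;
}
```

        The general rule the example illustrates: a code cache key must carry every input
        that affects the compiled output, and nothing more. Dropping a relevant bit shares
        code between contexts that should not share it; keeping irrelevant bits (the
        strict-only options here) only costs hash work and cache misses.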
2204 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2205
2206         Audit WebCore builtins for user overridable code
2207         https://bugs.webkit.org/show_bug.cgi?id=155923
2208
2209         Reviewed by Youenn Fablet.
2210
2211         * runtime/CommonIdentifiers.h:
2212         * runtime/ObjectConstructor.cpp:
2213         (JSC::ObjectConstructor::finishCreation):
2214         Expose @Object.@defineProperty to built-ins.
2215
2216 2016-03-28  Benjamin Poulain  <bpoulain@apple.com>
2217
2218         [JSC] ArithSub should not propagate "UsesAsOther"
2219         https://bugs.webkit.org/show_bug.cgi?id=155932
2220
2221         Reviewed by Mark Lam.
2222
2223         The node ArithSub was backpropagating UsesAsOther.
2224         This causes any GetByVal on a Double Array to have an extra
2225         hole check if it flows into an ArithSub.
2226
2227         The definition of ArithSub (12.8.4.1) has both operands go
2228         through ToNumber(). ToNumber() on "undefined" always produces
2229         NaN. It is safe to ignore the NaN marker from hole when
2230         the DAG flows into ArithSub.
2231
2232         This patch also adds this change and test coverage to ArithAdd.
2233         ArithAdd was not a problem in practice because it is only
2234         generated before Fixup if both operands are known to be numerical.
2235         The change to ArithAdd is there to protect us from ArithSub-like
2236         problems if we ever improve our support of arithmetic operators.
2237
2238         * dfg/DFGBackwardsPropagationPhase.cpp:
2239         (JSC::DFG::BackwardsPropagationPhase::propagate):
2240         * tests/stress/arith-add-on-double-array-with-holes.js: Added.
2241         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
2242         (let.testCase.of.testCases.observableHoleOnLhs):
2243         (let.testCase.of.testCases.nonObservableHoleOnRhs):
2244         (let.testCase.of.testCases.observableHoleOnRhs):
2245         * tests/stress/arith-sub-on-double-array-with-holes.js: Added.
2246         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
2247         (let.testCase.of.testCases.observableHoleOnLhs):
2248         (let.testCase.of.testCases.nonObservableHoleOnRhs):
2249         (let.testCase.of.testCases.observableHoleOnRhs):
2250         * tests/stress/value-add-on-double-array-with-holes.js: Added.
2251         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
2252         (let.testCase.of.testCases.observableHoleOnLhs):
2253         (let.testCase.of.testCases.nonObservableHoleOnRhs):
2254         (let.testCase.of.testCases.observableHoleOnRhs):
2255
2256 2016-03-28  Brian Burg  <bburg@apple.com>
2257
2258         Web Inspector: protocol generator should generate C++ string-to-enum helper functions
2259         https://bugs.webkit.org/show_bug.cgi?id=155691
2260         <rdar://problem/25258078>
2261
2262         Reviewed by Timothy Hatcher.
2263
2264         There's a lot of code throughout the Inspector agents and automation code
2265         that needs to convert a raw string into a typed protocol enum. Generate
2266         some helpers that do this conversion so clients can move over to using them.
2267
2268         These helpers are necessary for when we eventually switch to calling backend
2269         dispatcher handlers with typed arguments instead of untyped JSON objects.
2270
2271         To correctly generate a conversion function for an anonymous enum, the
2272         generator needs to be able to get the containing object type's declaration.
2273         Since the model's Type objects each have only one instance, there is a
2274         one-to-one association between a type and its declaration.
2275
2276         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2277         (CppProtocolTypesHeaderGenerator.generate_output):
2278         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2279         Clean up this method to use methodcaller to sort types by raw name.
2280
2281         (_generate_declarations_for_enum_conversion_methods):
2282         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
2283         (_generate_declarations_for_enum_conversion_methods.type_member_is_anonymous_enum_type):
2284         Added. Generates a new section with an unfilled template and specializations of
2285         the template for every named and anonymous enum in every domain. Guards for
2286         domains wrap the forward declarations. This is added to the end of the header
2287         file so that specializations for both types of enums are in the same place.
2288
2289         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2290         (CppProtocolTypesImplementationGenerator.generate_output):
2291         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2292         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.type_member_is_anonymous_enum_type):
2293         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
2294         Added. Generate a static array of offsets into the enum constant value array.
2295         Then, loop over this array of offsets and do string comparisons against the
2296         provided string and enum constant values at the relevant offsets for this enum.
2297
2298         * inspector/scripts/codegen/generator_templates.py:
2299         (GeneratorTemplates): Update copyright year in generated files.
2300
2301         * inspector/scripts/codegen/models.py:
2302         (AliasedType.__init__):
2303         (EnumType.__init__):
2304         (EnumType.enum_values):
2305         (EnumType.declaration):
2306         (ArrayType.__init__):
2307         (ArrayType.declaration):
2308         (ObjectType.__init__):
2309         (ObjectType.declaration):
2310         (Protocol.resolve_types):
2311         (Protocol.lookup_type_reference):
2312         Pass the type declaration to Type constructors if available. If not,
2313         fill in a placeholder name for the type in the constructor instead of in the caller.
2314
2315         Rebaseline all the things, mostly for copyright block changes.
2316
2317         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2318         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2319         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2320         * inspector/scripts/tests/expected/enum-values.json-result:
2321         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2322         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2323         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2324         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2325         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2326         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2327         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2328         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2329         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2330
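        The string-to-enum helper shape described in the entry above (an unfilled primary
        template, one specialization per enum, and a per-enum offset array into the
        domain's flat table of constant strings), as an added C++ example. This is not the
        generator's output or JSC's code: the Protocol namespace, the Source and Level enums,
        their string values and the bool/out-parameter signature are constructed for the
        example; the real generated code returns an optional and uses WTF strings.

```cpp
#include <array>
#include <cstddef>
#include <cstring>

// Constructed protocol domain with two enums. One flat table holds every enum
// constant string for the domain; each enum owns an offset array into it.
namespace Protocol {

enum class Source { XML, JavaScript, Network };
enum class Level { Log, Warning, Error };

// Every enum constant value in the domain, in declaration order.
constexpr const char* const enumConstantValues[] = {
    "xml", "javascript", "network", // Source -> offsets 0..2
    "log", "warning", "error",      // Level  -> offsets 3..5
};

// Primary template is declared but never defined: an enum without a generated
// specialization fails to link instead of silently parsing.
template<typename T> bool parseEnumValueFromString(const char* s, T& out);

// Shared body: walk this enum's offsets and compare the input against each
// constant string at that offset.
template<typename T, size_t N>
bool parseWithOffsets(const std::array<size_t, N>& offsets, const char* s, T& out) {
    if (!s)
        return false;
    for (size_t i = 0; i < N; ++i) {
        if (std::strcmp(enumConstantValues[offsets[i]], s) == 0) {
            out = static_cast<T>(i); // enumerators are numbered 0..N-1 in table order
            return true;
        }
    }
    return false; // unknown, mis-cased or malformed input is rejected, never mapped
}

template<> inline bool parseEnumValueFromString<Source>(const char* s, Source& out) {
    static constexpr std::array<size_t, 3> offsets = { { 0, 1, 2 } };
    return parseWithOffsets(offsets, s, out);
}
template<> inline bool parseEnumValueFromString<Level>(const char* s, Level& out) {
    static constexpr std::array<size_t, 3> offsets = { { 3, 4, 5 } };
    return parseWithOffsets(offsets, s, out);
}

} // namespace Protocol

// Small wrappers so the conversion result can be checked by value.
template<typename T>
inline bool parsesTo(const char* s, T expected) {
    T value;
    return Protocol::parseEnumValueFromString(s, value) && value == expected;
}
template<typename T>
inline bool parseFails(const char* s) {
    T value;
    return !Protocol::parseEnumValueFromString(s, value);
}

// Example consumer, as a backend dispatcher handler would use it: the raw
// string from the incoming message is converted once at the boundary, and the
// handler only ever sees a typed value or an explicit parse failure.
inline bool isErrorLevel(const char* levelString) {
    Protocol::Level level;
    return Protocol::parseEnumValueFromString(levelString, level) && level == Protocol::Level::Error;
}
```

        Converting at the boundary is the point for the typed-argument dispatchers the entry
        anticipates: a string that matches no constant of the expected enum (including one
        that is valid for a different enum in the same domain) is refused before any handler
        runs, rather than being carried through as an untyped value.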
2331 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2332
2333         Misc. JavaScriptCore built-ins cleanups
2334         https://bugs.webkit.org/show_bug.cgi?id=155920
2335
2336         Reviewed by Mark Lam.
2337
2338         * builtins/RegExpPrototype.js:
2339         (match):
2340         No need for an else after an if that always returns.
2341
2342         * builtins/TypedArrayConstructor.js:
2343         (of):
2344         Fix error message to use the correct function name.
2345
2346         (allocateInt8Array):
2347         (allocateInt16Array):
2348         (allocateInt32Array):
2349         (allocateUint32Array):
2350         (allocateUint16Array):
2351         (allocateUint8Array):
2352         (allocateUint8ClampedArray):
2353         (allocateFloat32Array):
2354         (allocateFloat64Array):
2355         Clean up style to be like all the other code.
2356
2357         * tests/stress/typedarray-of.js:
2358         Test the exception message.
2359
2360 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2361
2362         Date.prototype.toLocaleDateString uses overridable Object.create
2363         https://bugs.webkit.org/show_bug.cgi?id=155917
2364
2365         Reviewed by Mark Lam.
2366
2367         * builtins/DatePrototype.js:
2368         (toLocaleString.toDateTimeOptionsAnyAll):
2369         (toLocaleDateString.toDateTimeOptionsDateDate):
2370         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2371         Switch from @Object.create to @Object.@create to guarantee we are
2372         using the built-in create method and not user defined code.
2373
2374         * runtime/CommonIdentifiers.h:
2375         * runtime/ObjectConstructor.cpp:
2376         (JSC::ObjectConstructor::finishCreation):
2377         Set up the @create private symbol.
2378
2379 2016-03-25  Benjamin Poulain  <bpoulain@apple.com>
2380
2381         [JSC] Put the x86 Assembler on a binary diet
2382         https://bugs.webkit.org/show_bug.cgi?id=155683
2383
2384         Reviewed by Darin Adler.
2385
2386         The MacroAssemblers are heavily inlined. This is unfortunately
2387         important for baseline JIT where many branches can be eliminated
2388         at compile time.
2389
2390         This inlining causes a lot of binary bloat. The phases
2391         lowering to ASM are massively large.
2392
2393         This patch improves the situation a bit for x86 through
2394         many small improvements:
2395
2396         -Every instruction starts with ensureSpace(). The slow
2397          path reallocs the buffer.
2398          From that slow path, only fastRealloc() was a function
2399          call. What is around it does not need to be fast, so I moved
2400          the whole grow() function out of line for those cases.
2401
2402         -When testing multiple registers for REX requirements,
2403          we had something like this:
2404              byteRegRequiresRex(reg) || byteRegRequiresRex(rm)
2405              regRequiresRex(index) || regRequiresRex(base)
2406          Those were producing multiple test-and-branch. Those branches
2407          are effectively random so we don't have to care about individual
2408          branches being predictable.
2409
2410          The new code effectively does:
2411              byteRegRequiresRex(reg | rm)
2412              regRequiresRex(index | base)
2413
2414         -Change "ModRmMode" to have the value we can OR directly
2415          to the generated ModRm.
2416          This is important because some ModRM code is so large
2417          that it goes out of line.
2418
2419         -Finally, a big change on how we write to the AssemblerBuffer.
2420
2421          Previously, instructions were written byte by byte into
2422          the assembler buffer of the MacroAssembler.
2423
2424          The problem with that is the compiler cannot prove that
2425          the buffer pointer and the AssemblerBuffer are not pointing
2426          to the same memory.
2427
2428          Because of that, before any write, all the local registers
2429          were pushed back to the AssemblerBuffer memory, then everything
2430          was read back after the write to compute the next write.
2431
2432          I attempted to use the "restrict" keyword and wrapper types
2433          to help Clang with that but nothing worked.
2434
2435          The current solution is to keep a local copy of the index
2436          and the buffer pointer in the scope of each instruction.
2437          That is done by AssemblerBuffer::LocalWriter.
2438
2439          Since LocalWriter only exists locally, it stays in
2440          registers and we don't have all the memory churn between
2441          each byte writing. This also allows clang to combine
2442          obvious cases since there are no longer observable side
2443          effects between bytes.
2444
2445         This patch reduces the binary size by 66k. It is a small
2446         speed-up on Sunspider.
2447
2448         * assembler/AssemblerBuffer.h:
2449         (JSC::AssemblerBuffer::ensureSpace):
2450         (JSC::AssemblerBuffer::LocalWriter::LocalWriter):
2451         (JSC::AssemblerBuffer::LocalWriter::~LocalWriter):
2452         (JSC::AssemblerBuffer::LocalWriter::putByteUnchecked):
2453         (JSC::AssemblerBuffer::LocalWriter::putShortUnchecked):
2454         (JSC::AssemblerBuffer::LocalWriter::putIntUnchecked):
2455         (JSC::AssemblerBuffer::LocalWriter::putInt64Unchecked):
2456         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
2457         (JSC::AssemblerBuffer::putIntegral):
2458         (JSC::AssemblerBuffer::outOfLineGrow):
2459         * assembler/MacroAssemblerX86Common.h:
2460         * assembler/X86Assembler.h:
2461         (JSC::X86Assembler::X86InstructionFormatter::byteRegRequiresRex):
2462         (JSC::X86Assembler::X86InstructionFormatter::regRequiresRex):
2463         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::LocalBufferWriter):
2464         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRex):
2465         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexW):
2466         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIf):
2467         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIfNeeded):
2468         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRm):
2469         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRmSib):
2470         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::registerModRM):
2471         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::memoryModRM):
2472         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp): Deleted.
2473         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp32): Deleted.
2474         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8): Deleted.
2475         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp): Deleted.
2476         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp): Deleted.
2477         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64): Deleted.
2478         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp32): Deleted.
2479         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8): Deleted.
2480         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64): Deleted.
2481         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8): Deleted.
2482         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp8): Deleted.
2483         (JSC::X86Assembler::X86InstructionFormatter::emitRex): Deleted.
2484         (JSC::X86Assembler::X86InstructionFormatter::emitRexW): Deleted.
2485         (JSC::X86Assembler::X86InstructionFormatter::emitRexIf): Deleted.
2486         (JSC::X86Assembler::X86InstructionFormatter::emitRexIfNeeded): Deleted.
2487         (JSC::X86Assembler::X86InstructionFormatter::putModRm): Deleted.
2488         (JSC::X86Assembler::X86InstructionFormatter::putModRmSib): Deleted.
2489         (JSC::X86Assembler::X86InstructionFormatter::registerModRM): Deleted.
2490         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): Deleted.
2491
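        Two of the techniques in the entry above, as an added C++ example that is not JSC's
        code: first, why folding `byteRegRequiresRex(reg) || byteRegRequiresRex(rm)` into
        `byteRegRequiresRex(reg | rm)` is sound, checked exhaustively over all register
        pairs; second, a minimal AssemblerBuffer with a LocalWriter that keeps the write
        index and storage pointer in locals for the span of one instruction and publishes
        the index from its destructor. The register thresholds (8 for r8..r15, 4 for the
        byte registers spl..dil) follow x86-64 encoding but the predicates, class bodies
        and the emitted `mov rax, imm32` sequence are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// x86-64 register numbering: the low 3 bits pick a register within a bank,
// bit 3 (value 8) selects r8..r15. Byte registers 4..7 (spl, bpl, sil, dil)
// also need a REX prefix so they are not decoded as ah/ch/dh/bh.
namespace x86 {

inline bool regRequiresRex(int reg) { return reg >= 8; }
inline bool byteRegRequiresRex(int reg) { return reg >= 4; }

// Before: two predicates, two test-and-branch sequences.
inline bool needsRexSeparate(int index, int base) {
    return regRequiresRex(index) || regRequiresRex(base);
}
inline bool byteNeedsRexSeparate(int reg, int rm) {
    return byteRegRequiresRex(reg) || byteRegRequiresRex(rm);
}

// After: one test on the OR of both operands. Sound because reg >= 8 means
// bit 3 is set and reg >= 4 means bit 2 or bit 3 is set; OR keeps every set
// bit, so the threshold test on the union gives the same answer.
inline bool needsRexCombined(int index, int base) { return regRequiresRex(index | base); }
inline bool byteNeedsRexCombined(int reg, int rm) { return byteRegRequiresRex(reg | rm); }

// Exhaustive check of the equivalence over all 16 x 16 register pairs.
inline bool rexFoldingIsEquivalent() {
    for (int a = 0; a < 16; ++a) {
        for (int b = 0; b < 16; ++b) {
            if (needsRexSeparate(a, b) != needsRexCombined(a, b)) return false;
            if (byteNeedsRexSeparate(a, b) != byteNeedsRexCombined(a, b)) return false;
        }
    }
    return true;
}

} // namespace x86

// Minimal assembler buffer with a LocalWriter: the writer copies the storage
// pointer and write index into locals for one instruction and stores the index
// back in its destructor, so byte writes never round-trip through the buffer
// object's memory.
class AssemblerBuffer {
public:
    class LocalWriter {
    public:
        // `required` is the instruction's maximum encoded size; space is
        // reserved once here so the put*Unchecked calls never have to grow.
        LocalWriter(AssemblerBuffer& buffer, size_t required)
            : m_buffer(buffer)
        {
            buffer.ensureSpace(required);
            m_storage = buffer.m_storage.data();
            m_index = buffer.m_index;
        }
        ~LocalWriter() { m_buffer.m_index = m_index; }

        void putByteUnchecked(uint8_t byte) { m_storage[m_index++] = byte; }
        void putIntUnchecked(uint32_t value) {
            for (int shift = 0; shift < 32; shift += 8) // little-endian
                putByteUnchecked(static_cast<uint8_t>(value >> shift));
        }
    private:
        AssemblerBuffer& m_buffer;
        uint8_t* m_storage;
        size_t m_index;
    };

    void ensureSpace(size_t bytes) {
        if (m_index + bytes > m_storage.size())
            m_storage.resize((m_index + bytes) * 2);
    }
    size_t codeSize() const { return m_index; }
    uint8_t byteAt(size_t i) const { return m_storage[i]; }

private:
    std::vector<uint8_t> m_storage;
    size_t m_index = 0;
};

// Emits "mov rax, imm32" (REX.W C7 /0 id) through a LocalWriter and checks
// both that the bytes landed and that the destructor published the index.
inline bool localWriterEmitsMovRaxImm32() {
    AssemblerBuffer buffer;
    {
        AssemblerBuffer::LocalWriter writer(buffer, 7);
        writer.putByteUnchecked(0x48);      // REX.W
        writer.putByteUnchecked(0xC7);      // opcode
        writer.putByteUnchecked(0xC0);      // ModRM: mod=11, reg=/0, rm=rax
        writer.putIntUnchecked(0x11223344); // imm32
    }
    const uint8_t expected[7] = { 0x48, 0xC7, 0xC0, 0x44, 0x33, 0x22, 0x11 };
    if (buffer.codeSize() != 7) return false;
    for (size_t i = 0; i < 7; ++i)
        if (buffer.byteAt(i) != expected[i]) return false;
    return true;
}
```

        The ensureSpace() call in the LocalWriter constructor is what makes the unchecked
        writes safe: the caller commits to an upper bound on the instruction's size once,
        and every subsequent put*Unchecked() relies on that bound rather than re-checking.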
2492 2016-03-25  Saam barati  <sbarati@apple.com>
2493
2494         RegExp.prototype.test should be an intrinsic again
2495         https://bugs.webkit.org/show_bug.cgi?id=155861
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         * runtime/RegExpPrototype.cpp:
2500         (JSC::RegExpPrototype::finishCreation):
2501
2502 2016-03-25  Mark Lam  <mark.lam@apple.com>
2503
2504         ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites.
2505         https://bugs.webkit.org/show_bug.cgi?id=155904
2506
2507         Reviewed by Geoffrey Garen.
2508
2509         There exists a JS library XRegExp (see http://xregexp.com) that extends the regexp
2510         implementation.  XRegExp does feature testing by comparing RegExp.prototype.sticky
2511         to undefined.  See:
2512
2513         Example 1. https://github.com/slevithan/xregexp/blob/28a2b033c5951477bed8c7c867ddf7e89c431cd4/tests/perf/index.html
2514             ...
2515             } else if (knownVersion[version]) {
2516                 // Hack around ES6 incompatibility in XRegExp versions prior to 3.0.0
2517                 if (parseInt(version, 10) < 3) {
2518                     delete RegExp.prototype.sticky;
2519             }
2520             ...
2521
2522         Example 2. https://github.com/slevithan/xregexp/blob/d0e665d4068cec4d15919215b098b2373f1f12e9/tests/perf/versions/xregexp-all-v2.0.0.js
2523             ...
2524             // Check for flag y support (Firefox 3+)
2525                 hasNativeY = RegExp.prototype.sticky !== undef,
2526             ...
2527
2528         The ES6 spec states that we should throw a TypeError here because RegExp.prototype
2529         is not a RegExp object, and the sticky getter is only allowed to be called on
2530         RegExp objects.  See https://tc39.github.io/ecma262/2016/#sec-get-regexp.prototype.sticky.
2531         As a result, websites that use XRegExp can break (e.g. some Atlassian tools).
2532
2533         As a workaround, we'll return undefined instead of throwing on access of these
2534         flag properties that may be used for feature testing.
2535
2536         * runtime/RegExpPrototype.cpp:
2537         (JSC::regExpProtoGetterGlobal):
2538         (JSC::regExpProtoGetterIgnoreCase):
2539         (JSC::regExpProtoGetterMultiline):
2540         (JSC::regExpProtoGetterSticky):
2541         (JSC::regExpProtoGetterUnicode):
2542
2543 2016-03-25  Caitlin Potter  <caitp@igalia.com>
2544
2545         [JSC] fix divide-by-zero in String.prototype.padStart/padEnd
2546         https://bugs.webkit.org/show_bug.cgi?id=155903
2547
2548         Reviewed by Filip Pizlo.
2549
2550         * runtime/StringPrototype.cpp:
2551         (JSC::padString):
2552
2553 2016-03-25  Benjamin Poulain  <benjamin@webkit.org>
2554
2555         [JSC] materialize-past-butterfly-allocation.js times out in debug
2556
2557         * tests/stress/materialize-past-butterfly-allocation.js:
2558         The test times out on the debug bots. We suspect there is nothing
2559         wrong, just overkill loops.
2560
2561 2016-03-25  Brian Burg  <bburg@apple.com>
2562
2563         Web Inspector: protocol generator should prefix C++ filenames with the protocol group
2564         https://bugs.webkit.org/show_bug.cgi?id=155859
2565         <rdar://problem/25349859>
2566
2567         Reviewed by Alex Christensen and Joseph Pecoraro.
2568
2569         Like for generated Objective-C files, we should use the 'protocol group' name
2570         as the prefix for generated C++ files so that headers from different protocol
2571         groups have unambiguous names.
2572
2573         * inspector/scripts/codegen/cpp_generator.py:
2574         (CppGenerator):
2575         (CppGenerator.__init__):
2576         (CppGenerator.protocol_name):
2577         Make all C++ code generators extend the CppGenerator python class and use the
2578         protocol_name() instance method. This matches a recent change to the ObjC generator.
2579
2580         * inspector/scripts/codegen/cpp_generator_templates.py:
2581         (CppGeneratorTemplates):
2582         Drive-by cleanup to use #pragma once instead of header guards.
2583
2584         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2585         (CppAlternateBackendDispatcherHeaderGenerator):
2586         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
2587         (CppAlternateBackendDispatcherHeaderGenerator.output_filename):
2588         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2589         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2590         (CppBackendDispatcherHeaderGenerator):
2591         (CppBackendDispatcherHeaderGenerator.__init__):
2592         (CppBackendDispatcherHeaderGenerator.output_filename):
2593         (CppBackendDispatcherHeaderGenerator.generate_output):
2594         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2595         (CppBackendDispatcherImplementationGenerator):
2596         (CppBackendDispatcherImplementationGenerator.__init__):
2597         (CppBackendDispatcherImplementationGenerator.output_filename):
2598         (CppBackendDispatcherImplementationGenerator.generate_output):
2599         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2600         (CppFrontendDispatcherHeaderGenerator):
2601         (CppFrontendDispatcherHeaderGenerator.__init__):
2602         (CppFrontendDispatcherHeaderGenerator.output_filename):
2603         (CppFrontendDispatcherHeaderGenerator.generate_output):
2604         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2605         (CppFrontendDispatcherImplementationGenerator):
2606         (CppFrontendDispatcherImplementationGenerator.__init__):
2607         (CppFrontendDispatcherImplementationGenerator.output_filename):
2608         (CppFrontendDispatcherImplementationGenerator.generate_output):
2609         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2610         (CppProtocolTypesHeaderGenerator):
2611         (CppProtocolTypesHeaderGenerator.__init__):
2612         (CppProtocolTypesHeaderGenerator.output_filename):
2613         (CppProtocolTypesHeaderGenerator.generate_output):
2614         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2615         (CppProtocolTypesImplementationGenerator):
2616         (CppProtocolTypesImplementationGenerator.__init__):
2617         (CppProtocolTypesImplementationGenerator.output_filename):
2618         (CppProtocolTypesImplementationGenerator.generate_output):
2619         Use the protocol_name() instance method to compute generated protocol file names.
2620
2621         * inspector/scripts/codegen/models.py:
2622         Explicitly set the 'protocol_group' for the Inspector protocol.
2623
2624         Rebaseline generator test results.
2625
2626         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2627         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2628         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2629         * inspector/scripts/tests/expected/enum-values.json-result:
2630         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2631         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2632         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2633         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2634         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2635         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2636         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2637         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2638         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2639
2640 2016-03-25  Keith Miller  <keith_miller@apple.com>
2641
2642         putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength
2643         https://bugs.webkit.org/show_bug.cgi?id=155730
2644
2645         Reviewed by Saam Barati.
2646
2647         This patch makes ensureLength return a boolean indicating if it was able to set the length.
2648         ensureLength also no longer sets the butterfly to null if the allocation of the butterfly
2649         fails. All of ensureLength's callers, including putByIndexBeyondVectorLengthWithoutAttributes,
2650         have been adapted to throw an out-of-memory error if ensureLength fails.
2651
2652         * runtime/JSArray.cpp:
2653         (JSC::JSArray::setLength):
2654         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2655         * runtime/JSObject.cpp:
2656         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2657         (JSC::JSObject::ensureLengthSlow):
2658         * runtime/JSObject.h:
2659         (JSC::JSObject::ensureLength):
2660
2661 2016-03-25  Caitlin Potter  <caitp@igalia.com>
2662
2663         [JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal
2664         https://bugs.webkit.org/show_bug.cgi?id=155795
2665
2666         Reviewed by Darin Adler.
2667
2668         Implements ECMAScript proposal http://tc39.github.io/proposal-string-pad-start-end/
2669         Currently at Stage 3.
2670
2671         * runtime/JSString.h:
2672         * runtime/StringPrototype.cpp:
2673         (JSC::StringPrototype::finishCreation):
2674         (JSC::repeatCharacter):
2675         (JSC::repeatStringPattern):
2676         (JSC::padString):
2677         (JSC::stringProtoFuncPadEnd):
2678         (JSC::stringProtoFuncPadStart):
2679         * tests/es6.yaml:
2680         * tests/es6/String.prototype_methods_String.prototype.padEnd.js: Added.
2681         * tests/es6/String.prototype_methods_String.prototype.padStart.js: Added.
2682
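As an added illustration of the padStart/padEnd entry above (this is example code written for this page, not WebKit's C++ implementation; the helper names `toLength`, `repeatStringPattern` and `padString` and the constructed cases are this example's own), here is the proposal's StringPad algorithm in plain JavaScript, compared against the native methods:

```javascript
// Added example (not WebKit/JSC code): StringPad, the algorithm behind
// String.prototype.padStart/padEnd, written in plain JavaScript so the
// edge cases (short maxLength, empty filler, multi-character filler that
// must be truncated) are visible. Names below are this example's own.

// ToLength as used by the spec: NaN or negative becomes 0, and the result
// is clamped to 2^53 - 1.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.floor(n), Number.MAX_SAFE_INTEGER);
}

// Repeat `pattern` until it covers `targetLength` code units, then truncate.
// The filler is a pattern, not a single character, so its last repetition
// may be cut off.
function repeatStringPattern(pattern, targetLength) {
  const repeatCount = Math.ceil(targetLength / pattern.length);
  return pattern.repeat(repeatCount).slice(0, targetLength);
}

// StringPad(O, maxLength, fillString, placement); placement is 'start' or 'end'.
function padString(receiver, maxLength, fillString, placement) {
  if (receiver === null || receiver === undefined) {
    throw new TypeError('padString called on null or undefined');
  }
  const s = String(receiver);
  const intMaxLength = toLength(maxLength);
  const stringLength = s.length;
  if (intMaxLength <= stringLength) return s;        // nothing to pad
  const filler = fillString === undefined ? ' ' : String(fillString);
  if (filler === '') return s;                        // empty filler pads nothing
  const fillLength = intMaxLength - stringLength;
  const truncatedFiller = repeatStringPattern(filler, fillLength);
  return placement === 'start' ? truncatedFiller + s : s + truncatedFiller;
}

// Constructed cases; each is [receiver, maxLength, fillString].
const PAD_CASES = [
  ['abc', 10, 'xy'],
  ['abc', 6, undefined],
  ['abc', 2, 'x'],
  ['abc', 10, ''],
  [42, 5, '0'],
  ['abc', -5, 'x'],
  ['abc', 7.9, 'ab'],
];

// Returns true when padString agrees with the native methods on every case.
function agreesWithNative() {
  return PAD_CASES.every(([receiver, maxLength, fill]) =>
    padString(receiver, maxLength, fill, 'start') === String(receiver).padStart(maxLength, fill) &&
    padString(receiver, maxLength, fill, 'end') === String(receiver).padEnd(maxLength, fill));
}
```

The truncation step is the one to watch: `'abc'.padStart(10, 'xy')` needs seven filler code units, which is three and a half repetitions of the pattern, so the last copy is cut to `x`.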
2683 2016-03-24  Alex Christensen  <achristensen@webkit.org>
2684
2685         Fix Mac CMake build.
2686
2687         * PlatformMac.cmake:
2688         Link to Security framework.
2689
2690 2016-03-24  Saam barati  <sbarati@apple.com>
2691
2692         ES6: Implement IsRegExp function and use where needed in String.prototype.* methods
2693         https://bugs.webkit.org/show_bug.cgi?id=155854
2694
2695         Reviewed by Mark Lam.
2696
2697         This patch is a straightforward implementation of IsRegExp
2698         in the ES6 spec:
2699         https://tc39.github.io/ecma262/#sec-isregexp
2700         We now use this IsRegExp function inside String.prototype.(startsWith | endsWith | includes)
2701         as is dictated by the spec.
2702
2703         * runtime/RegExpConstructor.h:
2704         (JSC::RegExpConstructor::recordMatch):
2705         (JSC::isRegExp):
2706         * runtime/StringPrototype.cpp:
2707         (JSC::stringProtoFuncStartsWith):
2708         (JSC::stringProtoFuncEndsWith):
2709         (JSC::stringProtoFuncIncludes):
2710         * tests/es6.yaml:
2711         * tests/es6/well-known_symbols_Symbol.match_String.prototype.endsWith.js: Added.
2712         (test):
2713         * tests/es6/well-known_symbols_Symbol.match_String.prototype.includes.js: Added.
2714         (test):
2715         * tests/es6/well-known_symbols_Symbol.match_String.prototype.startsWith.js: Added.
2716         (test):
2717         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js: Added.
2718         (assert):
2719         (test):
2720         (test.get let):
2721         (get let):
2722
2723 2016-03-24  Saam barati  <sbarati@apple.com>
2724
2725         Web Inspector: Separate Debugger enable state from the debugger breakpoints enabled state
2726         https://bugs.webkit.org/show_bug.cgi?id=152193
2727         <rdar://problem/23867520>
2728
2729         Reviewed by Joseph Pecoraro.
2730
2731         When all breakpoints are disabled, we can recompile all JS
2732         code and remove the necessary debugging code that is emitted.
2733         This allows for the code that is executing to be almost as fast
2734         as it is with the debugger completely disabled. This is in preparation for:
2735         https://bugs.webkit.org/show_bug.cgi?id=155809
2736         which will introduce a high fidelity profiler. That profiler
2737         could be built off the principle that breakpoints are disabled
2738         when we're performing a high fidelity profile. Doing so, for example,
2739         allows the sampling profiler to better measure the real performance
2740         of the JS of a particular application.
2741
2742         * debugger/Debugger.cpp:
2743         (JSC::Debugger::setBreakpointsActivated):
2744         (JSC::Debugger::setPauseOnExceptionsState):
2745         * debugger/Debugger.h:
2746         * dfg/DFGGraph.cpp:
2747         (JSC::DFG::Graph::Graph):
2748         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2749         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
2750         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
2751         * inspector/agents/InspectorDebuggerAgent.cpp:
2752         (Inspector::InspectorDebuggerAgent::enable):
2753         * runtime/Executable.cpp:
2754         (JSC::ScriptExecutable::newCodeBlockFor):
2755         * runtime/JSGlobalObject.cpp:
2756         (JSC::JSGlobalObject::createProgramCodeBlock):
2757         (JSC::JSGlobalObject::createEvalCodeBlock):
2758         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2759         (JSC::JSGlobalObject::queueMicrotask):
2760         (JSC::JSGlobalObject::hasDebugger):
2761         (JSC::JSGlobalObject::hasInteractiveDebugger):
2762         * runtime/JSGlobalObject.h:
2763         (JSC::JSGlobalObject::runtimeFlags):
2764         (JSC::JSGlobalObject::hasDebugger): Deleted.
2765
2766 2016-03-24  Michael Saboff  <msaboff@apple.com>
2767
2768         Create private builtin helper advanceStringIndexUnicode() for use by RegExp builtins
2769         https://bugs.webkit.org/show_bug.cgi?id=155855
2770
2771         Reviewed by Mark Lam.
2772
2773         Moved advanceStringIndexUnicode() out into a separate helper.  Added it as a private builtin
2774         to the GlobalObject like other private builtins.
2775
2776         * builtins/RegExpPrototype.js:
2777         (advanceStringIndexUnicode):
2778         (match):
2779         (match.advanceStringIndexUnicode): Deleted.
2780         * runtime/JSGlobalObject.cpp:
2781         (JSC::JSGlobalObject::init):
2782
2783 2016-03-24  Michael Saboff  <msaboff@apple.com>
2784
2785         [ES6] Add Proxy based tests for RegExp.prototype[@@match]
2786         https://bugs.webkit.org/show_bug.cgi?id=155807
2787
2788         Reviewed by Saam Barati.
2789
2790         Added a new test that uses Proxy to verify RegExp.prototype[@@match] processing
2791         conforms to the ES6 standard.
2792
2793         Modified builtin RegExp.prototype[@@match] to be ES6 spec conformant.
2794
2795         Updated es6.yaml as Proxy_internal_get_calls_RegExp.prototype[Symbol.match].js now passes.
2796
2797         * builtins/RegExpPrototype.js:
2798         (match):
2799         * tests/es6.yaml: Updated.
2800         * tests/stress/regexp-match-proxy.js: Added.
2801         (assert):
2802         (let.getProxyNullExec.new.Proxy):
2803         (let.getSetProxyNullExec.new.Proxy):
2804         (get resetTracking):
2805         (let.getSetProxyMatches_s.new.Proxy):
2806         (set get getSetProxyNullExec):
2807         (let.getSetProxyMatches_tx_Greedy.new.Proxy):
2808         (set get getSetProxyMatches_s):
2809         (let.getSetProxyMatchesUnicode_digit_nonGreedy.new.Proxy):
2810         (set get getSetProxyMatches_tx_Greedy):
2811
2812 2016-03-24  Michael Saboff  <msaboff@apple.com>
2813
2814         [ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters
2815         https://bugs.webkit.org/show_bug.cgi?id=155829
2816
2817         Reviewed by Saam Barati.
2818
2819         When we back up while matching part of a unicode pattern, we can't just back up one character.
2820         Instead we need to save our start position before trying to match a character and
2821         restore the position if the match fails.  This was done in other places, but wasn't
2822         done for all greedy types.
2823
2824         Fixed matchGlobal() to properly handle advancing past non BMP characters.
2825
2826         * runtime/RegExpObject.cpp:
2827         (JSC::RegExpObject::matchGlobal):
2828         * runtime/RegExpObjectInlines.h:
2829         (JSC::RegExpObject::advanceStringUnicode):
2830         * yarr/YarrInterpreter.cpp:
2831         (JSC::Yarr::Interpreter::matchCharacterClass):
2832         (JSC::Yarr::Interpreter::matchDisjunction):
2833
2834 2016-03-24  Benjamin Poulain  <bpoulain@apple.com>
2835
2836         [JSC] In some cases, the integer range optimization phase never converges
2837         https://bugs.webkit.org/show_bug.cgi?id=155828
2838         rdar://problem/25155460
2839
2840         Reviewed by Filip Pizlo.
2841
2842         In certain conditions, the integer range optimization phase continuously
2843         changes the representation of the same truth, preventing it from
2844         converging to a stable state.
2845
2846         The bug starts by having the same ground truth incoming into a block
2847         in different valid forms. For example, you can have x < 42 coming as:
2848             1) x < 42
2849             2) x < 41 + 1
2850             3) x < 43 - 1
2851
2852         Having those 3 alone coming from predecessors would be okay; we would
2853         just accumulate them. The problem is when you have a combination
2854         of rules that filter out the previously obtained truth, then add a new
2855         form of the same truth.
2856
2857         Let's use the test case as an example. We have two incoming blocks:
2858             Block #1:
2859               -i < 42
2860               -i != 41
2861             Block #2:
2862               -i < 41
2863               -i == 42 - 42 (i == 0 refining the rule above).
2864
2865         Let's say that our conditions at head are now [i < 41, i < 42 - 1].
2866
2867         If we merge block #2:
2868               -i < 42 and i < 41      -> i < 42
2869               -i < 42 and i < 42 - 1  -> i < 42
2870               -i != 41 and i < 41     -> i < 41
2871               -i != 41 and i < 42 - 1 -> nothing
2872
2873         The new head is: [i < 41, i < 42]
2874
2875         If we merge block #1:
2876               -i < 41 and i < 41       -> i < 41
2877               -i < 41 and i < 42       -> i < 42
2878               -i == 42 - 42 and i < 41 -> (i < 41 and i < 42 - 1)
2879               -i == 42 - 42 and i < 42 -> i < 42
2880
2881         After filter, we are back to [i < 41, i < 42 - 1].
2882
2883         There are several variations of this idea where the same truth
2884         rotates through different forms with each merge().
2885
2886         One possible solution is to make filter() more aggressive
2887         to avoid the better form occurring at merge(). I'll probably
2888         do that at some point but that seems fragile since the same
2889         problem could reappear if merge() is later improved.
2890
2891         For this patch, I went with a more generic solution after
2892         merge(): if the generated form is equivalent to one that
2893         previously existed at head, pick the existing form.
2894
2895         In the previous example, what happens is we only have
2896         either [i < 41] or [i < 42 - 1] but never both simultaneously.
2897
2898         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2899         * tests/stress/integer-range-optimization-constant-representation-1.js: Added.
2900         * tests/stress/integer-range-optimization-constant-representation-2.js: Added.
2901         Two variations. One times out in release because of the additional flags.
2902         The other gets more types of runs but only asserts in debug.
2903
2904 2016-03-23  Commit Queue  <commit-queue@webkit.org>
2905
2906         Unreviewed, rolling out r198582.
2907         https://bugs.webkit.org/show_bug.cgi?id=155812
2908
2909         "It broke debugging in the web inspector" (Requested by
2910         saamyjoon on #webkit).
2911
2912         Reverted changeset:
2913
2914         "We should not disable inlining when the debugger is enabled"
2915         https://bugs.webkit.org/show_bug.cgi?id=155741
2916         http://trac.webkit.org/changeset/198582
2917
2918 2016-03-23  Michael Saboff  <msaboff@apple.com>
2919
2920         JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls
2921         https://bugs.webkit.org/show_bug.cgi?id=155776
2922
2923         Reviewed by Saam Barati.
2924
2925         Array.join ends up calling toString, possibly on some object.  Since these calls
2926         could be effectful and could change the array itself, we can't hold the butterfly
2927         pointer while making effectful calls.  Changed the code to fall back to the general
2928         case when an effectful toString() call might be made.
2929
2930         * runtime/ArrayPrototype.cpp:
2931         (JSC::join):
2932         * runtime/JSStringJoiner.h:
2933         (JSC::JSStringJoiner::appendWithoutSideEffects): New helper that doesn't make effectful
2934         toString() calls.
2935         (JSC::JSStringJoiner::append): Built upon appendWithoutSideEffects.
2936
2937 2016-03-23  Keith Miller  <keith_miller@apple.com>
2938
2939         Array.prototype native functions' species constructors should work with proxies
2940         https://bugs.webkit.org/show_bug.cgi?id=155798
2941
2942         Reviewed by Mark Lam.
2943
2944         Before, the native species constructors were checking if the this value was a JSArray.
2945         Instead they should check that the this value returns true on Array.isArray.
2946
2947         * runtime/ArrayPrototype.cpp:
2948         (JSC::speciesConstructArray):
2949         * tests/es6.yaml:
2950         * tests/stress/proxy-array-prototype-methods.js:
2951
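The two entries above (ArrayPrototype::join not caching the butterfly across effectful toString() calls, and the species constructors accepting proxied arrays) both come down to what the spec makes observable. The following is example code written for this page, not WebKit's implementation; `specJoin`, `TaggedArray` and the constructed arrays are this example's own names and data. It shows why an engine cannot hold a pointer to the array's storage across a toString() call, and that IsArray() sees through a Proxy when picking the species:

```javascript
// Added example (not WebKit/JSC code): the behaviour the spec demands of
// Array.prototype.join when an element's toString() mutates the array, and of
// ArraySpeciesCreate when `this` is a Proxy wrapping an Array subclass.
// Helper names and the sample data are this example's own.

// A spec-shaped join: `length` is read once up front, then every element is
// fetched with Get(O, k) and converted only afterwards. A toString() that
// mutates the array between iterations is therefore observable, which is why
// an engine cannot keep a raw pointer to the backing store across the call.
function specJoin(array, separator = ',') {
  const len = array.length;                 // ToLength(Get(O, "length")), read once
  const sep = String(separator);
  let result = '';
  for (let k = 0; k < len; k++) {
    if (k > 0) result += sep;
    const element = array[k];               // fresh Get(O, k) every iteration
    if (element !== undefined && element !== null) result += String(element);
  }
  return result;
}

// Constructed input: element 0 shrinks the array from inside toString(), so
// the slots join has not reached yet read back as undefined (empty strings).
function makeShrinkingArray() {
  const arr = [];
  arr.push({ toString() { arr.length = 1; return 'first'; } }, 'second', 'third');
  return arr;
}

// Constructed input: element 0 grows the array from inside toString(); the
// new elements sit beyond the length captured at the start and are ignored.
function makeGrowingArray() {
  const arr = [];
  arr.push({ toString() { arr.push('late', 'later'); return 'first'; } }, 'second');
  return arr;
}

// Runs the spec-shaped join and the native one on fresh copies of the input.
function joinResults(factory) {
  return { spec: specJoin(factory()), native: factory().join() };
}

class TaggedArray extends Array {}

// Array.prototype.map on a Proxy around a TaggedArray: IsArray() sees through
// the proxy, so ArraySpeciesCreate consults the proxied constructor and the
// result is a TaggedArray rather than a plain Array.
function speciesThroughProxy() {
  const proxied = new Proxy(TaggedArray.from([1, 2, 3]), {});
  const mapped = Array.prototype.map.call(proxied, (x) => x * 2);
  return {
    isArray: Array.isArray(proxied),
    keepsSpecies: mapped instanceof TaggedArray,
    values: Array.from(mapped),
  };
}
```

Run `joinResults(makeShrinkingArray)` and both results are `first,,`: the native join has to re-read elements 1 and 2 after the first toString() returned, which is exactly the situation in which a cached storage pointer would be stale.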
2952 2016-03-23  Saam barati  <sbarati@apple.com>
2953
2954         We should not disable inlining when the debugger is enabled
2955         https://bugs.webkit.org/show_bug.cgi?id=155741
2956
2957         Reviewed by Oliver Hunt.
2958
2959         We can enable inlining when the debugger is enabled as long
2960         as we make sure we still jettison the proper CodeBlocks when
2961         a breakpoint is set. This means that for any optimized CodeBlock,
2962         we must ask if any of its inlinees contain the breakpoint that
2963         is being set. If any inlinees do contain the breakpoint, we must
2964         jettison the machine code block that they are a part of.
2965
2966         * debugger/Debugger.cpp:
2967         (JSC::Debugger::toggleBreakpoint):
2968         (JSC::Debugger::applyBreakpoints):
2969         * dfg/DFGByteCodeParser.cpp:
2970         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2971         (JSC::DFG::ByteCodeParser::setLocal):
2972         (JSC::DFG::ByteCodeParser::flush):
2973         (JSC::DFG::ByteCodeParser::flushForTerminal):
2974         (JSC::DFG::ByteCodeParser::inliningCost):
2975         * dfg/DFGGraph.cpp:
2976         (JSC::DFG::Graph::Graph):
2977         (JSC::DFG::Graph::~Graph):
2978         * dfg/DFGGraph.h:
2979         (JSC::DFG::Graph::hasDebuggerEnabled): Deleted.
2980         * dfg/DFGStackLayoutPhase.cpp:
2981         (JSC::DFG::StackLayoutPhase::run):
2982         * ftl/FTLCompile.cpp:
2983         (JSC::FTL::compile):
2984
2985 2016-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2986
2987         [ES6] Allow undefined/null for Symbol.search and Symbol.match
2988         https://bugs.webkit.org/show_bug.cgi?id=155785
2989
2990         Reviewed by Saam Barati.
2991
2992         Undefined and null for the Symbol.search and Symbol.match properties of the given RegExp-like object are allowed.
2993         When they are specified, we go to the fallback path: creating the RegExp from the given object and matching.
2994
2995         * builtins/StringPrototype.js:
2996         (match):
2997         (search):
2998         * tests/stress/string-symbol-customization.js: Added.
2999         (shouldBe):
3000         (shouldThrow):
3001
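The IsRegExp entry (bug 155854) and the undefined/null Symbol.match entry (bug 155785) above both describe how String.prototype consults the Symbol.match protocol. The following is example code written for this page, not WebKit's builtins; `isRegExp`, `hasRegExpSlots`, `probeStartsWith` and the constructed probe objects are this example's own, and the [[RegExpMatcher]] slot test via the `source` getter is an approximation chosen for the example. It implements IsRegExp from the spec and checks the native startsWith and match against it:

```javascript
// Added example (not WebKit/JSC code): IsRegExp(argument) from the ES6 spec
// (https://tc39.github.io/ecma262/#sec-isregexp) in plain JavaScript, plus the
// two places String.prototype consults Symbol.match: startsWith/endsWith/includes
// reject anything IsRegExp says yes to, and match/search fall back to building
// a RegExp when the Symbol.match/Symbol.search method is undefined or null.
// Helper names are this example's own.

// The [[RegExpMatcher]] slot is not observable directly; the RegExp.prototype
// `source` getter throws for objects that lack the RegExp internal slots, which
// makes it a usable stand-in (an approximation chosen for this example).
const regExpSourceGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, 'source').get;
function hasRegExpSlots(object) {
  if (object === RegExp.prototype) return false;   // the prototype is an ordinary object
  try { regExpSourceGetter.call(object); return true; } catch (e) { return false; }
}

// IsRegExp: non-objects are never regexps; an explicit Symbol.match wins
// (ToBoolean of whatever is there, so null means "not a regexp");
// otherwise fall back to the internal slot.
function isRegExp(argument) {
  if (argument === null) return false;
  if (typeof argument !== 'object' && typeof argument !== 'function') return false;
  const matcher = argument[Symbol.match];
  if (matcher !== undefined) return Boolean(matcher);
  return hasRegExpSlots(argument);
}

// Native String.prototype.startsWith must throw a TypeError exactly when
// IsRegExp(value) is true. Returns what the engine did next to our verdict.
function probeStartsWith(value) {
  let native;
  try { 'abc'.startsWith(value); native = 'accepted'; }
  catch (e) { native = e instanceof TypeError ? 'TypeError' : 'other'; }
  return { isRegExp: isRegExp(value), native };
}

// Constructed probes: a real regexp, a regexp that opts out via Symbol.match,
// a plain object that opts in, a plain object with a null matcher, a string.
function runProbes() {
  const optedOut = /a/;
  optedOut[Symbol.match] = false;
  return {
    regexp: probeStartsWith(/a/),
    optedOut: probeStartsWith(optedOut),
    optedIn: probeStartsWith({ [Symbol.match]: true }),
    nullMatcher: probeStartsWith({ [Symbol.match]: null }),
    string: probeStartsWith('a'),
  };
}

// Symbol.match set to null: String.prototype.match takes the fallback path,
// builds a RegExp from ToString(arg) and matches with it.
function matchWithNullSymbolMatch() {
  const arg = { [Symbol.match]: null, toString() { return 'b'; } };
  const result = 'abc'.match(arg);
  return result === null ? null : result[0];
}
```

The opt-out case is the one worth noticing: a real RegExp whose own Symbol.match property is `false` is, per the spec, not a regexp as far as startsWith is concerned, so it is stringified to `/a/` and searched for as plain text.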
3002 2016-03-22  Caitlin Potter  <caitp@igalia.com>
3003
3004         [JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors
3005         https://bugs.webkit.org/show_bug.cgi?id=155563
3006
3007         Reviewed by Saam Barati.
3008
3009         * runtime/JSObject.h:
3010         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
3011         * runtime/ObjectConstructor.cpp:
3012         (JSC::objectConstructorGetOwnPropertyDescriptors):
3013
3014 2016-03-22  Saam Barati  <sbarati@apple.com>
3015
3016         We should FTL compile code when the debugger is enabled
3017         https://bugs.webkit.org/show_bug.cgi?id=155740
3018
3019         Reviewed by Oliver Hunt.
3020
3021         There was no fundamental reason why we didn't support debugging
3022         with the FTL. It looks like this was just an oversight. We had
3023         a Breakpoint node in the DFG that amounted to a nop. By removing
3024         this node, we now support debugging in the FTL. Anytime a breakpoint
3025         is set, we will jettison any DFG/FTL CodeBlocks that contain the breakpoint
3026         that was set.
3027
3028         * dfg/DFGAbstractInterpreterInlines.h:
3029         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3030         * dfg/DFGByteCodeParser.cpp:
3031         (JSC::DFG::ByteCodeParser::parseBlock):
3032         * dfg/DFGClobberize.h:
3033         (JSC::DFG::clobberize):
3034         * dfg/DFGDoesGC.cpp:
3035         (JSC::DFG::doesGC):
3036         * dfg/DFGFixupPhase.cpp:
3037         (JSC::DFG::FixupPhase::fixupNode):
3038         * dfg/DFGNodeType.h:
3039         * dfg/DFGPredictionPropagationPhase.cpp:
3040         (JSC::DFG::PredictionPropagationPhase::propagate):
3041         * dfg/DFGSafeToExecute.h:
3042         (JSC::DFG::safeToExecute):
3043         * dfg/DFGSpeculativeJIT32_64.cpp:
3044         (JSC::DFG::SpeculativeJIT::compile):
3045         * dfg/DFGSpeculativeJIT64.cpp:
3046         (JSC::DFG::SpeculativeJIT::compile):
3047
3048 2016-03-22  Keith Miller  <keith_miller@apple.com>
3049
3050         REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html
3051         https://bugs.webkit.org/show_bug.cgi?id=155067
3052
3053         Reviewed by Filip Pizlo.
3054
3055         GCIncomingRefCountedSets need to be finalized before we start
3056         destructing members of the Heap object. Previously, we would
3057         clear all our ArrayBuffer objects when the GCIncomingRefCountedSet
3058         holding them was destroyed. However, ArrayBuffers have a weak
3059         reference to their wrappers. When we would attempt to destroy the
3060         ArrayBuffer object we would end up accessing the WeakImpl for
3061         the weak reference, which had already been freed as we destroyed
3062         our weak block. The solution to this is to move the old
3063         GCIncomingRefCountedSet destructor functionality to a new
3064         function lastChanceToFinalize. This function is called when
3065         we finalize our other objects on Heap destruction.
3066
3067         * heap/GCIncomingRefCountedSet.h:
3068         * heap/GCIncomingRefCountedSetInlines.h:
3069         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
3070         (JSC::GCIncomingRefCountedSet<T>::~GCIncomingRefCountedSet): Deleted.
3071         * heap/Heap.cpp:
3072         (JSC::Heap::lastChanceToFinalize):
3073
3074 2016-03-22  Per Arne Vollan  <peavo@outlook.com>
3075
3076         [Win] [64-bit] Remove MSVC 2013 FMA3 Bug Workaround
3077         https://bugs.webkit.org/show_bug.cgi?id=141499
3078
3079         Reviewed by Brent Fulgham.
3080
3081         As we have moved on to VS2015, this workaround is no longer needed.
3082
3083         * API/tests/testapi.c:
3084         (main):
3085         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
3086         (wWinMain):
3087         * jsc.cpp:
3088         (main):
3089         * testRegExp.cpp:
3090         (main):
3091
3092 2016-03-22  Michael Saboff  <msaboff@apple.com>
3093
3094         [ES6] Implement RegExp.prototype[@@match]
3095         https://bugs.webkit.org/show_bug.cgi?id=155711
3096
3097         Reviewed by Filip Pizlo.
3098
3099         Implemented ES6 spec for String.prototype.match and RegExp.prototype[@@match].
3100         Implemented both as builtins, with String.prototype.match calling 
3101         RegExp.prototype[@@match].
3102
3103         For performance reasons, RegExp.prototype[@@match] has a C++ fast path when
3104         RegExp.prototype.exec has not been overridden.  This fast path,
3105         RegExpObject::matchGlobal, was taken from the prior StringPrototype::match.
3106         It only handles global matches.
3107
3108         Added new test, stress/regexp-match.js.
3109
3110         Updated various tests for changed exception strings and now-passing ES6 behavior.
3111
3112         * CMakeLists.txt: 
3113         * DerivedSources.make:
3114         * JavaScriptCore.xcodeproj/project.pbxproj:
3115         Added builtins/RegExpPrototype.js and eliminated RegExpPrototype.lut.h.
3116
3117         * builtins/RegExpPrototype.js: Added.
3118         (match.advanceStringIndexUnicode): Helper.
3119         (match): Implements RegExp.prototype[@@match].
3120         * builtins/StringPrototype.js:
3121         (match): Implements String.prototype.match.
3122
3123         * bytecode/BytecodeIntrinsicRegistry.cpp:
3124         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3125         (JSC::BytecodeIntrinsicRegistry::lookup):
3126         * bytecode/BytecodeIntrinsicRegistry.h:
3127         * runtime/CommonIdentifiers.h:
3128         Added Symbol.match and builtins @match and @exec.
3129
3130         * runtime/RegExpObject.cpp:
3131         * runtime/RegExpObject.h:
3132         * runtime/RegExpObjectInlines.h:
3133         (JSC::RegExpObject::matchGlobal): Added.
3134         (JSC::RegExpObject::advanceStringUnicode): Added helper.
3135
3136         * runtime/RegExpPrototype.cpp:
3137         * runtime/RegExpPrototype.h:
3138         (JSC::RegExpPrototype::RegExpPrototype):
3139         (JSC::RegExpPrototype::finishCreation):
3140         (JSC::RegExpPrototype::visitChildren):
3141         (JSC::regExpProtoFuncMatchPrivate):
3142         (JSC::RegExpPrototype::getOwnPropertySlot): Deleted.
3143         (JSC::RegExpPrototype::create):
3144         Restructured to create properties explicitly due to having two names for native regExpProtoFuncExec.
3145
3146         * runtime/StringPrototype.cpp:
3147         (JSC::StringPrototype::finishCreation):
3148         Made match a builtin.
3149         Removed unused declaration of stringProtoFuncSearch() since it was made a builtin.
3150
3151         * tests/es6.yaml:
3152         * tests/stress/regexp-match.js: Added.
3153         (shouldBe):
3154         (shouldThrow):
3155         (errorKey.toString):
3156         (primitive.of.primitives.shouldThrow):
3157         (testRegExpMatch):
3158         (testMatch):
3159         (testBoth):
3160         (alwaysUnmatch):
3161
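Three entries above concern the same piece of RegExp.prototype[@@match]: the advanceStringIndexUnicode() helper (bug 155855), greedy unicode backtracking past non-BMP characters (bug 155829), and the global fast path RegExpObject::matchGlobal (bug 155711). The following is example code written for this page, not WebKit's builtin or its C++ fast path; `advanceStringIndex`, `matchGlobal`, `compareWithNative` and the constructed `SAMPLE` string are this example's own. It implements the spec's AdvanceStringIndex and the global-match loop in plain JavaScript and compares them with the native String.prototype.match:

```javascript
// Added example (not WebKit/JSC code): AdvanceStringIndex(S, index, unicode)
// and the global-match loop of RegExp.prototype[@@match] (ES6 21.2.5.6) in
// plain JavaScript, checked against the native String.prototype.match. The
// function names are this example's own.

// AdvanceStringIndex: without the u flag, or at the end of the string, step one
// code unit. With u, step over a complete surrogate pair (lead D800-DBFF followed
// by trail DC00-DFFF) so the index never lands inside a non-BMP character.
function advanceStringIndex(s, index, unicode) {
  if (!unicode || index + 1 >= s.length) return index + 1;
  const lead = s.charCodeAt(index);
  if (lead < 0xd800 || lead > 0xdbff) return index + 1;
  const trail = s.charCodeAt(index + 1);
  if (trail < 0xdc00 || trail > 0xdfff) return index + 1;
  return index + 2;
}

// The global branch of RegExp.prototype[@@match]: reset lastIndex, call exec
// until it returns null, collect match[0] each time, and after an empty match
// bump lastIndex with AdvanceStringIndex so the loop always makes progress.
// Returns null when nothing matched, like the native method.
function matchGlobal(rx, s) {
  if (!rx.flags.includes('g')) throw new TypeError('matchGlobal expects a global RegExp');
  const unicode = rx.flags.includes('u');
  rx.lastIndex = 0;
  const matches = [];
  for (;;) {
    const result = rx.exec(s);
    if (result === null) return matches.length === 0 ? null : matches;
    const matchStr = String(result[0]);
    matches.push(matchStr);
    if (matchStr === '') {
      // exec left lastIndex where the empty match began; step past it.
      rx.lastIndex = advanceStringIndex(s, rx.lastIndex, unicode);
    }
  }
}

// Constructed input: one BMP character, one non-BMP character (a surrogate
// pair in UTF-16), one BMP character. Its length is 4 code units.
const SAMPLE = 'a\u{1F600}b';

// Shows how the u flag changes both empty-match stepping and what "." consumes.
function compareWithNative() {
  return {
    emptyUnicode: matchGlobal(/(?:)/gu, SAMPLE).length,
    emptyUnicodeNative: SAMPLE.match(/(?:)/gu).length,
    emptyNoUnicode: matchGlobal(/(?:)/g, SAMPLE).length,
    dotUnicode: matchGlobal(/./gu, SAMPLE),
    dotUnicodeNative: SAMPLE.match(/./gu),
    dotNoUnicode: matchGlobal(/./g, SAMPLE).length,
  };
}
```

With the u flag the empty pattern matches at code-unit positions 0, 1, 3 and 4 (four matches), never at position 2 inside the surrogate pair; without it there are five. The same stepping rule is what a greedy unicode matcher has to respect when it backtracks, which is the bug the 155829 entry fixes.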
3162 2016-03-22  Caitlin Potter  <caitp@igalia.com>
3163
3164         [JSC] allow duplicate property names returned from Proxy ownKeys() trap
3165         https://bugs.webkit.org/show_bug.cgi?id=155560
3166
3167         Reviewed by Darin Adler.
3168
3169         Specification allows duplicate property names to be reported by the
3170         Proxy ownKeys() trap --- and this is observable in any API which
3171         operates on the returned list, such as Object.keys(),
3172         Object.getOwnPropertyNames(), Object.getOwnPropertySymbols(), or
3173         Object.getOwnPropertyDescriptors().
3174
3175         * runtime/PropertyNameArray.h:
3176         (JSC::PropertyNameArray::addUnchecked):
3177         (JSC::PropertyNameArray::add):
3178         (JSC::PropertyNameArray::addKnownUnique): Deleted.
3179         * runtime/ProxyObject.cpp:
3180         (JSC::ProxyObject::performGetOwnPropertyNames):
3181         * runtime/Structure.cpp:
3182         (JSC::Structure::getPropertyNamesFromStructure):
3183
3184 2016-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3185
3186         [JSC] Clean up Math.floor thunk and use SSE round instruction
3187         https://bugs.webkit.org/show_bug.cgi?id=155705
3188
3189         Reviewed by Geoffrey Garen.
3190
3191         SSE now allows us to use the round instruction to implement Math.floor.
3192         MacroAssembler's floorDouble is now only used on ARM64, but it can be allowed in x86 SSE.
3193
3194         * jit/ThunkGenerators.cpp:
3195         (JSC::floorThunkGenerator):
3196
3197 2016-03-21  Konstantin Tokarev  <annulen@yandex.ru>
3198
3199         Fixed compilation with GCC 4.8.
3200         https://bugs.webkit.org/show_bug.cgi?id=155698
3201
3202         Reviewed by Alexey Proskuryakov.
3203
3204         GCC 4.8 does not allow aggregate initialization for type with deleted
3205         constructor, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52707.
3206
3207         * dfg/DFGCSEPhase.cpp: Added ctor for ImpureDataSlot.
3208
3209 2016-03-21  Joonghun Park  <jh718.park@samsung.com>
3210
3211         [JSC] Add ArrayBuffer::tryCreate and change the callsites where it is needed
3212         https://bugs.webkit.org/show_bug.cgi?id=155328
3213
3214         Reviewed by Darin Adler.
3215
3216         * API/JSTypedArray.cpp:
3217         (JSObjectMakeTypedArray):
3218         (JSObjectMakeArrayBufferWithBytesNoCopy):
3219         * runtime/ArrayBuffer.h:
3220         (JSC::ArrayBuffer::create):
3221         (JSC::ArrayBuffer::tryCreate):
3222         (JSC::ArrayBuffer::createUninitialized):
3223         (JSC::ArrayBuffer::tryCreateUninitialized):
3224         (JSC::ArrayBuffer::createInternal):
3225         * runtime/GenericTypedArrayViewInlines.h:
3226         (JSC::GenericTypedArrayView<Adaptor>::create):
3227         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
3228         * runtime/JSArrayBufferConstructor.cpp:
3229         (JSC::constructArrayBuffer):
3230
3231 2016-03-20  Dan Bernstein  <mitz@apple.com>
3232
3233         [Mac] Determine TARGET_MAC_OS_X_VERSION_MAJOR from MACOSX_DEPLOYMENT_TARGET rather than from MAC_OS_X_VERSION_MAJOR
3234         https://bugs.webkit.org/show_bug.cgi?id=155707
3235         <rdar://problem/24980691>
3236
3237         Reviewed by Darin Adler.
3238
3239         * Configurations/Base.xcconfig: Set TARGET_MAC_OS_X_VERSION_MAJOR based on the last
3240           component of MACOSX_DEPLOYMENT_TARGET.
3241         * Configurations/DebugRelease.xcconfig: For engineering builds, preserve the behavior of
3242           TARGET_MAC_OS_X_VERSION_MAJOR being the host’s OS version.
3243
3244 2016-03-20  Michael Saboff  <msaboff@apple.com>
3245
3246         Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
3247         https://bugs.webkit.org/show_bug.cgi?id=155679
3248
3249         Reviewed by Saam Barati.
3250
3251         Allocate out of line storage based on what the structure says it needs
3252         in JSArray::tryCreateUninitialized.
3253
3254         * runtime/JSArray.h:
3255         (JSC::JSArray::tryCreateUninitialized):
3256
3257 2016-03-20  Joseph Pecoraro  <pecoraro@apple.com>
3258
3259         Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
3260         https://bugs.webkit.org/show_bug.cgi?id=155678
3261         <rdar://problem/25251439>
3262
3263         Reviewed by Filip Pizlo.
3264
3265         This fixes a crash that we saw with GuardMalloc. If the Plan was
3266         Cancelled it may not be safe to access the VM. If the Plan was
3267         cancelled we are just going to bail anyway, so keep the ASSERT but
3268         short-circuit if the plan was Cancelled.
3269
3270         * dfg/DFGWorklist.cpp:
3271         (JSC::DFG::Worklist::runThread):
3272
3273 2016-03-20  Dan Bernstein  <mitz@apple.com>
3274
3275         Update build settings
3276
3277         Rubber-stamped by Andy Estes.
3278
3279         * Configurations/DebugRelease.xcconfig:
3280         * Configurations/FeatureDefines.xcconfig:
3281         * Configurations/Version.xcconfig:
3282
3283 2016-03-19  Skachkov Oleksandr  <gskachkov@gmail.com>
3284
3285         [ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable
3286         https://bugs.webkit.org/show_bug.cgi?id=155491
3287
3288         Reviewed by Saam Barati.
3289
3290         The current message 'super is only valid inside of functions' is not correct
3291         after the patch for https://bugs.webkit.org/show_bug.cgi?id=153864 because
3292         it is allowed to use 'super' in eval. This patch replaces the old message with
3293         'Super is only valid inside functions or 'eval' inside a function' and
3294         fixes tests that rely on this message.
3295
3296         * parser/Parser.cpp:
3297         (JSC::Parser<LexerType>::parseMemberExpression):
3298         * tests/stress/generator-with-super.js:
3299         (shouldThrow):
3300         * tests/stress/modules-syntax-error.js:
3301         * tests/stress/super-in-lexical-scope.js:
3302         * tests/stress/tagged-templates-syntax.js:
3303
3304 2016-03-19  Mark Lam  <mark.lam@apple.com>
3305
3306         ES6 spec requires that ErrorPrototype not be an Error object.
3307         https://bugs.webkit.org/show_bug.cgi?id=155680
3308
3309         Reviewed by Michael Saboff.
3310
3311         The ES6 spec states that Error.prototype should not be an instance of Error:
3312         https://tc39.github.io/ecma262/#sec-properties-of-the-error-prototype-object
3313
3314         "The Error prototype object is an ordinary object. It is not an Error instance
3315         and does not have an [[ErrorData]] internal slot."
3316
3317         This patch changes ErrorPrototype to conform to the above specification.
3318
3319         * runtime/ErrorConstructor.cpp:
3320         (JSC::ErrorConstructor::finishCreation):
3321         * runtime/ErrorPrototype.cpp:
3322         (JSC::ErrorPrototype::ErrorPrototype):
3323         (JSC::ErrorPrototype::finishCreation):
3324         (JSC::ErrorPrototype::getOwnPropertySlot):
3325         * runtime/ErrorPrototype.h:
3326         (JSC::ErrorPrototype::create):
3327
3328         * runtime/NativeErrorConstructor.cpp:
3329         (JSC::NativeErrorConstructor::finishCreation):
3330         * runtime/NativeErrorPrototype.cpp:
3331         (JSC::NativeErrorPrototype::NativeErrorPrototype):
3332         (JSC::NativeErrorPrototype::finishCreation):
3333         * runtime/NativeErrorPrototype.h:
3334         (JSC::NativeErrorPrototype::create):
3335         - updated to no longer need a JSGlobalObject argument.
3336
3337         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
3338         - updated to match the kangax version of this test.
3339
3340 2016-03-18  Benjamin Poulain  <bpoulain@apple.com>
3341
3342         [JSC] Limit DFG's Validate symbols to its compilation unit
3343         https://bugs.webkit.org/show_bug.cgi?id=155670
3344
3345         Reviewed by Filip Pizlo.
3346
3347         * dfg/DFGValidate.cpp:
3348
3349 2016-03-18  Mark Lam  <mark.lam@apple.com>
3350
3351         ES6 spec requires that RegExpPrototype not be a RegExp object.
3352         https://bugs.webkit.org/show_bug.cgi?id=155654
3353
3354         Reviewed by Filip Pizlo.
3355
3356         The ES6 spec states that RegExp.prototype should not be an instance of RegExp:
3357         https://tc39.github.io/ecma262/#sec-properties-of-the-regexp-prototype-object
3358
3359         "The RegExp prototype object is an ordinary object. It is not a RegExp instance
3360         and does not have a [[RegExpMatcher]] internal slot or any of the other internal
3361         slots of RegExp instance objects."
3362
3363         This patch changes RegExpPrototype to conform to the above specifications.
3364
3365         * runtime/JSGlobalObject.cpp:
3366         (JSC::JSGlobalObject::init):
3367         * runtime/RegExpConstructor.cpp:
3368         (JSC::RegExpConstructor::RegExpConstructor):
3369         (JSC::RegExpConstructor::finishCreation):
3370         * runtime/RegExpPrototype.cpp:
3371         (JSC::RegExpPrototype::RegExpPrototype):
3372         (JSC::RegExpPrototype::finishCreation):
3373         (JSC::RegExpPrototype::getOwnPropertySlot):
3374         (JSC::RegExpPrototype::visitChildren):
3375         (JSC::regExpProtoFuncTest):
3376         * runtime/RegExpPrototype.h:
3377         (JSC::RegExpPrototype::create):
3378         (JSC::RegExpPrototype::createStructure):
3379         (JSC::RegExpPrototype::emptyRegExp):
3380
3381         * tests/es6.yaml:
3382         - This patch makes the es6/miscellaneous_built-in_prototypes_are_not_instances.js
3383           test now pass.  However, the kangax version of this test still fails because
3384           it also checks Error objects (which will be fixed in a subsequent patch).
3385
3386         * tests/mozilla/ecma_2/shell.js:
3387         (stringify):
3388         (test):
3389         (getFailedCases):
3390         (err):
3391         * tests/stress/static-getter-in-names.js:
3392         (shouldBe):
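
The two entries above (ErrorPrototype and RegExpPrototype) describe the same ES6 requirement: a built-in prototype object must be an ordinary object without the internal slot its instances carry. The following JavaScript is an added example, not code from WebKit or from these patches; it runs in any ES2015+ engine (jsc, Node) and probes that requirement through operations whose spec steps inspect the internal slot, since `X.prototype instanceof X` is always false and proves nothing. It goes slightly beyond the two entries by applying the same technique to Date.prototype. All helper names are mine.

```javascript
// Added example (not WebKit code): brand-check built-in prototype objects.
// ES2015 requires Error.prototype and RegExp.prototype to be ordinary objects:
// no [[ErrorData]] and no [[RegExpMatcher]] slot. `X.prototype instanceof X`
// cannot detect this (it is always false), so we use operations whose spec
// steps inspect the slot directly.

function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Object.prototype.toString yields "[object Error]" only when the receiver
// has [[ErrorData]]; an ordinary Error.prototype reports "[object Object]".
function errorPrototypeIsOrdinary() {
  return Object.prototype.toString.call(Error.prototype) === "[object Object]";
}

// RegExp.prototype.exec throws TypeError unless the receiver has
// [[RegExpMatcher]]; an ordinary RegExp.prototype must fail that check.
function regExpPrototypeIsOrdinary() {
  return (
    Object.prototype.toString.call(RegExp.prototype) === "[object Object]" &&
    throwsTypeError(() => RegExp.prototype.exec.call(RegExp.prototype, ""))
  );
}

// Same technique applied to Date (an extension of the page's two cases):
// Date.prototype.valueOf requires [[DateValue]] on its receiver.
function datePrototypeIsOrdinary() {
  return throwsTypeError(() => Date.prototype.valueOf.call(Date.prototype));
}

// Control: genuine instances pass the same brand checks, so a failure above
// really is about the prototype object and not about the check itself.
function instancesCarrySlots() {
  return (
    Object.prototype.toString.call(new Error("x")) === "[object Error]" &&
    RegExp.prototype.exec.call(/a/, "a") !== null &&
    typeof Date.prototype.valueOf.call(new Date(0)) === "number"
  );
}

// Every field must be true on a spec-conformant engine.
function checkOrdinaryPrototypes() {
  return {
    error: errorPrototypeIsOrdinary(),
    regExp: regExpPrototypeIsOrdinary(),
    date: datePrototypeIsOrdinary(),
    instances: instancesCarrySlots(),
  };
}
```

Run it with `jsc` or `node` and inspect `checkOrdinaryPrototypes()`; an engine that still gives Error.prototype an [[ErrorData]] slot reports `error: false`, and one whose RegExp.prototype is a real RegExp reports `regExp: false`.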
3393
3394 2016-03-18  Keith Miller  <keith_miller@apple.com>
3395
3396         DataView should use an accessor for its length and buffer properties
3397         https://bugs.webkit.org/show_bug.cgi?id=155625
3398
3399         Reviewed by Michael Saboff.
3400
3401         The DataView object should use an accessor on DataView.prototype for its
3402         byteLength, byteOffset, and buffer properties. This patch also moves the
3403         buffer property off the TypedArray object itself and onto the prototype
3404         along with the other accessors. Since the .buffer property is no longer on
3405         the object, JSArrayBufferView no longer needs to intercept accesses to
3406         properties. Finally, this patch also fixes the length property on all the
3407         existing DataView.prototype functions.
3408
3409         * runtime/JSArrayBufferView.cpp:
3410         (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
3411         (JSC::JSArrayBufferView::put): Deleted.
3412         (JSC::JSArrayBufferView::defineOwnProperty): Deleted.
3413         (JSC::JSArrayBufferView::deleteProperty): Deleted.
3414         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames): Deleted.
3415         * runtime/JSArrayBufferView.h:
3416         (JSC::JSArrayBufferView::jsBuffer):
3417         * runtime/JSDataViewPrototype.cpp:
3418         (JSC::dataViewProtoGetterBuffer):
3419         (JSC::dataViewProtoGetterByteLength):
3420         (JSC::dataViewProtoGetterByteOffset):
3421         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3422         (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
3423         * runtime/JSTypedArrayViewPrototype.cpp:
3424         (JSC::typedArrayViewProtoGetterFuncBuffer):
3425         (JSC::JSTypedArrayViewPrototype::finishCreation):
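
Added example, not WebKit code: an independent check of the shape this entry describes, written in plain JavaScript for any ES2015+ engine. It verifies that buffer, byteLength and byteOffset live as accessors on DataView.prototype (and buffer on %TypedArray%.prototype) rather than as own properties of each view, that those getters reject a receiver without the corresponding internal slots, that the getter functions carry the "get " name prefix (the convention the "[ES6] Getters and Setters should be prefixed appropriately" entry further down this page addresses), and that the prototype methods report the spec'd length. The helper names and the sample buffers are mine.

```javascript
// Added example (not WebKit code): check where DataView exposes
// buffer/byteLength/byteOffset, that the getters brand-check their receiver,
// that getter functions carry the "get " name prefix, and that the prototype
// methods have the spec'd "length" (the optional littleEndian argument is
// not counted).

function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Returns the getter function when `name` is an accessor on `proto`, else null.
function accessorGetter(proto, name) {
  const desc = Object.getOwnPropertyDescriptor(proto, name);
  return desc && typeof desc.get === "function" ? desc.get : null;
}

function checkDataViewShape() {
  // Constructed sample input: a 16-byte buffer viewed from offset 4 for 8 bytes.
  const buffer = new ArrayBuffer(16);
  const view = new DataView(buffer, 4, 8);
  const result = {
    // An accessor-based design leaves no own properties on the view.
    ownProperties: Object.getOwnPropertyNames(view),
    accessors: {},
    receiverChecks: {},
    values: {
      byteLength: view.byteLength,
      byteOffset: view.byteOffset,
      bufferIsSame: view.buffer === buffer,
    },
    methodLengths: {},
    typedArray: {},
  };
  for (const name of ["buffer", "byteLength", "byteOffset"]) {
    const getter = accessorGetter(DataView.prototype, name);
    result.accessors[name] = getter ? getter.name : null;
    // The getter must refuse a receiver that lacks the DataView internal slots.
    result.receiverChecks[name] = getter ? throwsTypeError(() => getter.call({})) : false;
  }
  for (const name of ["getInt8", "getInt16", "getFloat64", "setInt8", "setInt16", "setFloat64"]) {
    result.methodLengths[name] = DataView.prototype[name].length;
  }
  // buffer lives on %TypedArray%.prototype, shared by every typed array kind.
  const typedArrayProto = Object.getPrototypeOf(Uint8Array.prototype);
  const taGetter = accessorGetter(typedArrayProto, "buffer");
  result.typedArray = {
    ownHasBuffer: Object.getOwnPropertyNames(new Uint8Array(2)).includes("buffer"),
    getterName: taGetter ? taGetter.name : null,
    rejectsPlainObject: taGetter ? throwsTypeError(() => taGetter.call({})) : false,
  };
  return result;
}
```

On a conformant engine `ownProperties` is empty, each accessor name is `"get <property>"`, every receiver check is true, and the getters report length 1 while the setters report length 2.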
3426
3427 2016-03-18  Csaba Osztrogonác  <ossy@webkit.org>
3428
3429         Unreviewed speculative cloop buildfix after r198364.
3430
3431         * bytecode/SuperSampler.cpp:
3432
3433 2016-03-17  Benjamin Poulain  <bpoulain@apple.com>
3434
3435         [JSC] Make CSE's ImpureData faster when dealing with large blocks
3436         https://bugs.webkit.org/show_bug.cgi?id=155594
3437
3438         Reviewed by Filip Pizlo.
3439
3440         In some tests with large blocks, the time spent in DFG's LocalCSE
3441         can be over 10% of the total compile time.
3442         In those cases, LocalCSE is completely dominated by handling large
3443         blocks.
3444
3445         This patch addresses the most obvious hot spots in ImpureData's handling.
3446
3447         Initially, most of the time was going into HashTable::rehash().
3448         The reason is that the <HeapLocation, LazyNode> buckets are gigantic.
3449         The hash table would easily get into several kilobytes and the CPU
3450         was spending more time dealing with memory than anything.
3451
3452         To solve that, I moved the pairs lazily to the heap. The table itself
3453         just contains the unique_ptr to those values. This makes the table
3454         reasonably small and the alloc/dealloc are paid for by the fast rehash().
3455
3456         Once addImpure() was better, the next big bottleneck was clobber().
3457         For each clobber(), we need to go over the entire map and test each value.
3458         That loop was where most of the time was going.
3459
3460         Most calls to clobber() come from two kinds: SideState and Stack.
3461
3462         SideState is easy: it is never def'ed so we can always skip it.
3463
3464         Stack is disjoint from Heap too so we can also put it separately.
3465
3466         Splitting the map into 2 helped reduce the overhead. The maps are:
3467         -Stack
3468         -Heap
3469
3470         Having Stack alone was not enough for many blocks. In some cases,
3471         you have a ton of SetLocal/GetLocal and having Stack separately
3472         makes no difference.
3473
3474         To solve that, I split Stack in two: a map addressed by AbstractHeap
3475         + unique HeapLocation and a fallback map for everything else.
3476         Since most Stack are not TOP and are unique per AbstractHeap,
3477         I get O(1) clobber in most cases.
3478
3479         I could achieve the same result with a custom hash structure.
3480         I don't think it is worth the effort, in most cases, m_fallbackStackMap
3481         has a size of zero or one.
3482
3483         This patch introduces a lot of coupling between CSE and AbstractHeap.
3484         To reduce the risk of bugs, the old map is still maintained in debug
3485         and each step checks that the results are the same as the new implementation.
3486
3487         A new validation step also verifies the strong assumptions made by CSE:
3488         -SideState and World are never def().
3489         -We never write HEAP TOP, we only write specific heap location.
3490
3491         * dfg/DFGCSEPhase.cpp:
3492         * dfg/DFGHeapLocation.h:
3493         * dfg/DFGLazyNode.h:
3494         (JSC::DFG::LazyNode::hash):
3495
3496 2016-03-17  Saam barati  <sbarati@apple.com>
3497
3498         Implement SmallPtrSet and integrate it into the Parser
3499         https://bugs.webkit.org/show_bug.cgi?id=155552
3500
3501         Reviewed by Filip Pizlo.
3502
3503         Using SmallPtrSet instead of HashSet really helps speed
3504         up the parser. What saves us most is not needing to always
3505         malloc/free memory in the HashSet.
3506
3507         * parser/Parser.cpp:
3508         (JSC::Parser<LexerType>::parseInner):
3509         * parser/Parser.h:
3510         (JSC::Scope::Scope):
3511         (JSC::Scope::startSwitch):
3512         (JSC::Scope::endSwitch):
3513         (JSC::Scope::startLoop):
3514         (JSC::Scope::hasDeclaredParameter):
3515         (JSC::Scope::declareWrite):
3516         (JSC::Scope::declareParameter):
3517         (JSC::Scope::usedVariablesContains):
3518         (JSC::Scope::useVariable):
3519         (JSC::Scope::collectFreeVariables):
3520         (JSC::Scope::getCapturedVars):
3521         (JSC::Scope::isValidStrictMode):
3522         (JSC::Scope::shadowsArguments):
3523         (JSC::Scope::copyCapturedVariablesToVector):
3524         (JSC::Scope::setIsModule):
3525         (JSC::Parser::pushScope):
3526         (JSC::Scope::getUsedVariables): Deleted.
3527
3528 2016-03-17  Brian Burg  <bburg@apple.com>
3529
3530         Web Inspector: protocol generator shouldn't generate enums for parameters with non-anonymous enum types
3531         https://bugs.webkit.org/show_bug.cgi?id=155610
3532         <rdar://problem/25229878>
3533
3534         Reviewed by Joseph Pecoraro.
3535
3536         If a command parameter has an anonymous enum type, the backend dispatcher generator
3537         makes a C++ enum for the parameter. However, if the parameter references a named enum
3538         type specified in a domain's 'type' section, then there's no need to generate an enum.
3539
3540         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3541         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
3542         Add a missing check for the is_anonymous flag. Type references to named enums are resolved
3543         to the underlying aliased EnumType instead of an AliasedType, so we have to check the flag.
3544
3545         Rebaseline tests.
3546
3547         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3548         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3549
3550 2016-03-17  Filip Pizlo  <fpizlo@apple.com>
3551
3552         Replace all of the various non-working and non-compiling sampling profiler hacks with a single super hack
3553         https://bugs.webkit.org/show_bug.cgi?id=155561
3554
3555         Reviewed by Saam Barati.
3556
3557         A VM needs some internal profiling hacks in addition to the profiler(s) that the user sees, because
3558         you can squeeze out more fidelity if you're willing to make some kind of deal with the devil. Prior
3559         to this change JSC had a bunch of these:
3560
3561         - CodeBlock sampling profiler
3562         - Bytecode sampling profiler
3563         - Sampling flags
3564         - Sampling regions
3565         - Some other stuff
3566
3567         I tried using these recently. They didn't even build. Initially I fixed that, but then I found that
3568         these profilers had some serious bugs that made them report bogus results - like underreporting the
3569         time spent in regions of code by more than 2x.
3570
3571         Part of the problem here is that a profiler loses fidelity as it gains power. The more general it
3572         tries to be, the more code gets executed on the hot path for the profiler, which increasingly
3573         perturbs the results. I believe that's the reason for the underreporting - code ran sufficiently
3574         slower, and in a sufficiently different way when profiling, that the results were just wrong.
3575
3576         This change attacks this problem directly by replacing all of the diverse profiling hacks with just
3577         one, which I call the SuperSampler. It consists of exactly one counter. When enabled, the sampler
3578         will periodically print (via dataLog()) the percentage of samples that saw a non-zero count. Because
3579         it's so simple, it gives better accuracy. This comes about in two ways:
3580
3581         - It runs at a lower rate. That's fine since it's only checking one flag. You don't need a high rate
3582           for just one flag.
3583         
3584         - The fact that there is only *one* flag means that the user must choose a hypothesis about what is
3585           slow. This turns the problem of profiling into a hypothesis testing problem, which is an inherently
3586           less flaky kind of experiment to run.
3587         
3588         The SuperSampler is enabled with a runtime flag rather than a compile-time flag, so it's much less
3589         likely to break. That also means that you can enable it without rebuilding the universe. The old
3590         samplers all had ENABLE flags in Platform.h, which was rather unfortunate for compile times.
3591
3592         SuperSampler supports both JIT and C++ users. C++ users should use SuperSamplerScope. The default
3593         idiom is to create one and pass "true" to it. You can disable a scope by passing "false" instead.
3594         This patch puts a bunch of scopes in places I care about. I think it's probably OK if people check in
3595         these deactivated scopes. That makes it convenient to retest things we've tested previously.
3596
3597         * CMakeLists.txt:
3598         * JavaScriptCore.xcodeproj/project.pbxproj:
3599         * bytecode/SamplingTool.cpp: Removed.
3600         * bytecode/SamplingTool.h: Removed.
3601         * bytecode/SuperSampler.cpp: Added.
3602         (JSC::initializeSuperSampler):
3603         (JSC::printSuperSamplerState):
3604         * bytecode/SuperSampler.h: Added.
3605         (JSC::SuperSamplerScope::SuperSamplerScope):
3606         (JSC::SuperSamplerScope::~SuperSamplerScope):
3607         * bytecompiler/BytecodeGenerator.cpp:
3608         (JSC::BytecodeGenerator::generate):
3609         * bytecompiler/NodesCodegen.cpp:
3610         * dfg/DFGAbstractInterpreterInlines.h:
3611         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
3612         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3613         * dfg/DFGArgumentsEliminationPhase.cpp:
3614         (JSC::DFG::performArgumentsElimination):
3615         * dfg/DFGBackwardsPropagationPhase.cpp:
3616         (JSC::DFG::performBackwardsPropagation):
3617         * dfg/DFGByteCodeParser.cpp:
3618         (JSC::DFG::parse):
3619         * dfg/DFGCFAPhase.cpp:
3620         (JSC::DFG::performCFA):
3621         * dfg/DFGCFGSimplificationPhase.cpp:
3622         (JSC::DFG::performCFGSimplification):
3623         * dfg/DFGCPSRethreadingPhase.cpp:
3624         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3625         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
3626         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
3627         (JSC::DFG::performCPSRethreading):
3628         * dfg/DFGCSEPhase.cpp:
3629         (JSC::DFG::performLocalCSE):
3630         (JSC::DFG::performGlobalCSE):
3631         * dfg/DFGCleanUpPhase.cpp:
3632         (JSC::DFG::performCleanUp):
3633         * dfg/DFGConstantFoldingPhase.cpp:
3634         (JSC::DFG::performConstantFolding):
3635         * dfg/DFGConstantHoistingPhase.cpp:
3636         (JSC::DFG::performConstantHoisting):
3637         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3638         (JSC::DFG::performCriticalEdgeBreaking):
3639         * dfg/DFGDCEPhase.cpp:
3640         (JSC::DFG::performDCE):
3641         * dfg/DFGDriver.cpp:
3642         (JSC::DFG::compileImpl):
3643         * dfg/DFGFixupPhase.cpp:
3644         (JSC::DFG::performFixup):
3645         * dfg/DFGGraph.cpp:
3646         (JSC::DFG::Graph::dethread):
3647         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3648         (JSC::DFG::performIntegerCheckCombining):
3649         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3650         (JSC::DFG::performIntegerRangeOptimization):
3651         * dfg/DFGInvalidationPointInjectionPhase.cpp:
3652         (JSC::DFG::performInvalidationPointInjection):
3653         * dfg/DFGJITCompiler.cpp:
3654         (JSC::DFG::JITCompiler::compile):
3655         (JSC::DFG::JITCompiler::compileFunction):
3656         * dfg/DFGLICMPhase.cpp:
3657         (JSC::DFG::performLICM):
3658         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3659         (JSC::DFG::performLiveCatchVariablePreservationPhase):
3660         * dfg/DFGLivenessAnalysisPhase.cpp:
3661         (JSC::DFG::performLivenessAnalysis):
3662         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3663         (JSC::DFG::performLoopPreHeaderCreation):
3664         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3665         (JSC::DFG::performMaximalFlushInsertion):
3666         * dfg/DFGMovHintRemovalPhase.cpp:
3667         (JSC::DFG::performMovHintRemoval):
3668         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3669         (JSC::DFG::performOSRAvailabilityAnalysis):
3670         * dfg/DFGOSREntrypointCreationPhase.cpp:
3671         (JSC::DFG::performOSREntrypointCreation):
3672         * dfg/DFGOSRExitCompiler.cpp:
3673         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3674         (JSC::DFG::performObjectAllocationSinking):
3675         * dfg/DFGOperations.cpp:
3676         * dfg/DFGPhantomInsertionPhase.cpp:
3677         (JSC::DFG::performPhantomInsertion):
3678         * dfg/DFGPlan.cpp:
3679         (JSC::DFG::Plan::compileInThread):
3680         * dfg/DFGPredictionInjectionPhase.cpp:
3681         (JSC::DFG::performPredictionInjection):
3682         * dfg/DFGPredictionPropagationPhase.cpp:
3683         (JSC::DFG::performPredictionPropagation):
3684         * dfg/DFGPutStackSinkingPhase.cpp:
3685         (JSC::DFG::performPutStackSinking):
3686         * dfg/DFGSSAConversionPhase.cpp:
3687         (JSC::DFG::performSSAConversion):
3688         * dfg/DFGSSALoweringPhase.cpp:
3689         (JSC::DFG::performSSALowering):
3690         * dfg/DFGSpeculativeJIT64.cpp:
3691         (JSC::DFG::SpeculativeJIT::compile):
3692         * dfg/DFGStackLayoutPhase.cpp:
3693         (JSC::DFG::performStackLayout):
3694         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3695         (JSC::DFG::performStaticExecutionCountEstimation):
3696         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3697         (JSC::DFG::performFastStoreBarrierInsertion):
3698         (JSC::DFG::performGlobalStoreBarrierInsertion):
3699         * dfg/DFGStrengthReductionPhase.cpp:
3700         (JSC::DFG::performStrengthReduction):
3701         * dfg/DFGStructureAbstractValue.cpp:
3702         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
3703         (JSC::DFG::StructureAbstractValue::clobber):
3704         (JSC::DFG::StructureAbstractValue::observeTransition):
3705         (JSC::DFG::StructureAbstractValue::observeTransitions):
3706         (JSC::DFG::StructureAbstractValue::add):
3707         (JSC::DFG::StructureAbstractValue::merge):
3708         (JSC::DFG::StructureAbstractValue::mergeSlow):
3709         (JSC::DFG::StructureAbstractValue::mergeNotTop):
3710         (JSC::DFG::StructureAbstractValue::filter):
3711         (JSC::DFG::StructureAbstractValue::filterSlow):
3712         (JSC::DFG::StructureAbstractValue::contains):
3713         (JSC::DFG::StructureAbstractValue::isSubsetOf):
3714         (JSC::DFG::StructureAbstractValue::isSupersetOf):
3715         (JSC::DFG::StructureAbstractValue::overlaps):
3716         (JSC::DFG::StructureAbstractValue::equalsSlow):
3717         * dfg/DFGStructureRegistrationPhase.cpp:
3718         (JSC::DFG::performStructureRegistration):
3719         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3720         (JSC::DFG::performTierUpCheckInjection):
3721         * dfg/DFGTypeCheckHoistingPhase.cpp:
3722         (JSC::DFG::performTypeCheckHoisting):
3723         * dfg/DFGUnificationPhase.cpp:
3724         (JSC::DFG::performUnification):
3725         * dfg/DFGVarargsForwardingPhase.cpp:
3726         (JSC::DFG::performVarargsForwarding):
3727         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3728         (JSC::DFG::performVirtualRegisterAllocation):
3729         * dfg/DFGWatchpointCollectionPhase.cpp:
3730         (JSC::DFG::performWatchpointCollection):
3731         * dynbench.cpp:
3732         * ftl/FTLLowerDFGToB3.cpp:
3733         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
3734         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
3735         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3736         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
3737         * ftl/FTLOSRExitCompiler.cpp:
3738         (JSC::FTL::compileFTLOSRExit):
3739         * ftl/FTLOutput.cpp:
3740         (JSC::FTL::Output::store):
3741         (JSC::FTL::Output::absolute):
3742         (JSC::FTL::Output::incrementSuperSamplerCount):
3743         (JSC::FTL::Output::decrementSuperSamplerCount):
3744         * ftl/FTLOutput.h:
3745         (JSC::FTL::Output::baseIndex):
3746         (JSC::FTL::Output::load8SignExt32):
3747         (JSC::FTL::Output::load8ZeroExt32):
3748         (JSC::FTL::Output::anchor):
3749         (JSC::FTL::Output::absolute): Deleted.
3750         * heap/Heap.cpp:
3751         (JSC::Heap::markRoots):
3752         (JSC::Heap::collectAndSweep):
3753         (JSC::Heap::collectImpl):
3754         (JSC::Heap::zombifyDeadObjects):
3755         * heap/MarkedBlock.cpp:
3756         (JSC::MarkedBlock::specializedSweep):
3757         * interpreter/Interpreter.cpp:
3758         (JSC::setupVarargsFrameAndSetThis):
3759         (JSC::Interpreter::Interpreter):
3760         (JSC::Interpreter::initialize):
3761         (JSC::checkedReturn):
3762         (JSC::Interpreter::execute):
3763         (JSC::Interpreter::executeCall):
3764         (JSC::Interpreter::executeConstruct):
3765         (JSC::Interpreter::debug):
3766         (JSC::SamplingScope::SamplingScope): Deleted.
3767         (JSC::SamplingScope::~SamplingScope): Deleted.
3768         (JSC::Interpreter::enableSampler): Deleted.
3769         (JSC::Interpreter::dumpSampleData): Deleted.
3770         (JSC::Interpreter::startSampling): Deleted.
3771         (JSC::Interpreter::stopSampling): Deleted.
3772         * interpreter/Interpreter.h:
3773         (JSC::Interpreter::isCallBytecode):
3774         (JSC::Interpreter::sampler): Deleted.
3775         * jit/AssemblyHelpers.cpp:
3776         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
3777         (JSC::AssemblyHelpers::incrementSuperSamplerCount):
3778         (JSC::AssemblyHelpers::decrementSuperSamplerCount):
3779         (JSC::AssemblyHelpers::purifyNaN):
3780         * jit/AssemblyHelpers.h:
3781         * jit/JIT.cpp:
3782         * jit/JIT.h:
3783         * jit/JITArithmetic.cpp:
3784         * jit/JITArithmetic32_64.cpp:
3785         * jit/JITCall.cpp:
3786         * jit/JITCall32_64.cpp:
3787         * jit/JITOperations.cpp:
3788         * jit/JITPropertyAccess.cpp:
3789         * jit/JITPropertyAccess32_64.cpp:
3790         * jsc.cpp:
3791         (runWithScripts):
3792         (jscmain):
3793         * parser/Nodes.cpp:
3794         * parser/Parser.h:
3795         (JSC::parse):
3796         * runtime/Executable.h:
3797         * runtime/InitializeThreading.cpp:
3798         (JSC::initializeThreading):
3799         * runtime/Options.h:
3800         * runtime/RegExpCachedResult.h:
3801         * runtime/RegExpMatchesArray.h:
3802         (JSC::createRegExpMatchesArray):
3803         * runtime/StringPrototype.cpp:
3804         (JSC::removeUsingRegExpSearch):
3805         (JSC::stringProtoFuncSubstring):
3806         * runtime/VM.cpp:
3807         (JSC::VM::resetDateCache):
3808         (JSC::VM::whenIdle):
3809         (JSC::VM::deleteAllCode):
3810         (JSC::VM::addSourceProviderCache):
3811         (JSC::VM::startSampling): Deleted.
3812         (JSC::VM::stopSampling): Deleted.
3813         (JSC::VM::dumpSampleData): Deleted.
3814         * runtime/VM.h:
3815         (JSC::VM::regExpCache):
3816         * testRegExp.cpp:
3817         (runFromFiles):
3818         * yarr/YarrInterpreter.cpp:
3819         (JSC::Yarr::interpret):
3820
3821 2016-03-17  Saam barati  <sbarati@apple.com>
3822
3823         [ES6] Make GetProperty(.) inside ArrayPrototype.cpp spec compatible.
3824         https://bugs.webkit.org/show_bug.cgi?id=155575
3825
3826         Reviewed by Filip Pizlo and Mark Lam.
3827
3828         This patch makes the various Array.prototype methods (shift | unshift | splice)
3829         spec compliant. Before, they were performing Get and HasProperty as one
3830         operation. Instead, they need to be performed as two distinct operations
3831         when it would be observable.
3832
3833         * runtime/ArrayPrototype.cpp:
3834         (JSC::getProperty):
3835         * runtime/PropertySlot.h:
3836         (JSC::PropertySlot::PropertySlot):
3837         (JSC::PropertySlot::isCacheableValue):
3838         (JSC::PropertySlot::isCacheableGetter):
3839         (JSC::PropertySlot::isCacheableCustom):
3840         (JSC::PropertySlot::setIsTaintedByProxy):
3841         (JSC::PropertySlot::isTaintedByProxy):
3842         (JSC::PropertySlot::internalMethodType):
3843         (JSC::PropertySlot::getValue):
3844         * runtime/ProxyObject.cpp:
3845         (JSC::ProxyObject::getOwnPropertySlotCommon):
3846         * tests/es6.yaml:
3847         * tests/stress/proxy-array-prototype-methods.js: Added.
3848         (assert):
3849         (test):
3850         (shallowEq):
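
Added example, not code from this patch or from WebKit: a Proxy-based trace that makes the distinction described above observable from script. Every [[HasProperty]], [[Get]], [[Set]] and [[Delete]] that Array.prototype.shift performs on its receiver is logged in order, so one can check that a compliant engine calls HasProperty for each moved index before Get, and skips Get entirely when HasProperty reported the index absent (a hole). An engine that fused the two into one operation would read the hole or skip the has trap. `traceArrayMethod`, `holeWasNotRead` and `hasPrecedesGet` are my names; the sample arrays are constructed for the example.

```javascript
// Added example (not WebKit code): observe the internal operations that
// Array.prototype.shift performs on its receiver by routing them through a
// Proxy whose traps record each call. The spec requires HasProperty(from)
// before Get(from) for every moved index, and no Get at all for a hole.

function traceArrayMethod(target, method, ...args) {
  const log = [];
  const proxy = new Proxy(target, {
    has(t, key) {
      log.push(`has:${String(key)}`);
      return Reflect.has(t, key);
    },
    get(t, key) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key);
    },
    set(t, key, value) {
      log.push(`set:${String(key)}`);
      // Write straight to the target so the proxy is not re-entered.
      return Reflect.set(t, key, value);
    },
    deleteProperty(t, key) {
      log.push(`deleteProperty:${String(key)}`);
      return Reflect.deleteProperty(t, key);
    },
  });
  const returned = Array.prototype[method].apply(proxy, args);
  return { returned, log, target };
}

// True when HasProperty(key) was observed and no Get(key) followed,
// i.e. the engine did not read a hole it had just been told was absent.
function holeWasNotRead(log, key) {
  return log.includes(`has:${key}`) && !log.includes(`get:${key}`);
}

// True when every Get of a moved index is preceded by a HasProperty for that
// index. "length" and "0" are read unconditionally by shift and are exempt.
function hasPrecedesGet(log) {
  return log.every((entry, i) => {
    if (!entry.startsWith("get:")) return true;
    const key = entry.slice(4);
    if (key === "length" || key === "0") return true;
    return log.slice(0, i).includes(`has:${key}`);
  });
}

function demo() {
  // Constructed sample input: a holey array, index 1 is absent.
  const holey = traceArrayMethod([10, , 30], "shift");
  // Constructed sample input: a dense array.
  const dense = traceArrayMethod([10, 20], "shift");
  return {
    holeyReturned: holey.returned,
    holeyLog: holey.log,
    holeSkipped: holeWasNotRead(holey.log, "1"),
    holeyOrdered: hasPrecedesGet(holey.log),
    holeyTarget: holey.target,
    denseReturned: dense.returned,
    denseLog: dense.log,
    denseOrdered: hasPrecedesGet(dense.log),
  };
}
```

For the holey input a conformant engine logs `get:length, get:0, has:1, deleteProperty:0, has:2, get:2, set:1, deleteProperty:2, set:length`: index 1 is probed with HasProperty, found absent, and never read, while index 2 is probed and then read. The same tracer can be pointed at `unshift` or `splice` by changing the method name and arguments.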
3851
3852 2016-03-17  Mark Lam  <mark.lam@apple.com>
3853
3854         Make FunctionMode an enum class.
3855         https://bugs.webkit.org/show_bug.cgi?id=155587
3856
3857         Reviewed by Saam Barati.
3858
3859         * bytecode/UnlinkedFunctionExecutable.cpp:
3860         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3861         * parser/NodeConstructors.h:
3862         (JSC::BaseFuncExprNode::BaseFuncExprNode):
3863         (JSC::FuncExprNode::FuncExprNode):
3864         (JSC::FuncDeclNode::FuncDeclNode):
3865         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
3866         (JSC::MethodDefinitionNode::MethodDefinitionNode):
3867         * parser/ParserModes.h:
3868         (JSC::functionNameIsInScope):
3869
3870 2016-03-17  Michael Saboff  <msaboff@apple.com>
3871
3872         [ES6] Getters and Setters should be prefixed appropriately
3873         https://bugs.webkit.org/show_bug.cgi?id=155593
3874
3875         Reviewed by Mark Lam.
3876
3877         Changed the putDirectNativeIntrinsicGetter() to prepend "get " to the function name.
3878
3879         Updated places that had their own macro or hand constructed a getter function to use
3880         the JSC_NATIVE_GETTER macro which will properly append "get ".
3881
3882         Prepended "get " and "set " to the __proto__ accessor created on the Object prototype.
3883
3884         When we create the Symbol.species getter, added an explicit function name of "get [Symbol.species]".
3885
3886         * inspector/JSInjectedScriptHostPrototype.cpp:
3887         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3888         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
3889         * inspector/JSJavaScriptCallFramePrototype.cpp:
3890         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
3891         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
3892         * runtime/JSGlobalObject.cpp:
3893         (JSC::JSGlobalObject::init):
3894         * runtime/JSObject.cpp:
3895         (JSC::JSObject::putDirectNativeIntrinsicGetter):
3896         * runtime/MapPrototype.cpp:
3897         (JSC::MapPrototype::finishCreation):