Unreviewed, follow up patch for r201964
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         Unreviewed, follow up patch for r201964
4         https://bugs.webkit.org/show_bug.cgi?id=158619
5
6         Fix typo in the comment.
7
8         * runtime/MathCommon.h:
9         (JSC::toInt32):
10
11 2016-06-13  Mark Lam  <mark.lam@apple.com>
12
13         Add a mechanism for collecting LLINT stats.
14         https://bugs.webkit.org/show_bug.cgi?id=158668
15
16         Reviewed by Filip Pizlo.
17
18         This patch will add a mechanism for collecting the stats on LLINT opcode
19         execution counts.  The changes made to enable this are:
20
21         1. Refactored how Options availability work so that we can add a new category:
22            Configurable (in addition to the pre-existing Normal and Restricted
23            availability).
24                Normal options - always available.
25                Restricted options - only available on debug builds.
26                Configurable options - depends on #define flag options.
27
28            This change is necessary so that:
29            a. we won't have to rebuild the world when we want to enable that #define flag
30               to make that Configurable option available.
31            b. when the #define flag is disabled, the option will be invisible to the user.
32
33            With this, we add our first configurable option, JSC_reportLLIntStats, which
34            is dependent on the ENABLE_LLINT_STATS flag.  See next.
35
36         2. Added the ENABLE_LLINT_STATS flag in LLIntCommon.h.  To enable LLINT stats
37            collection, we'll need to set this flag to a non-zero value and rebuild
38            the project.  By design, this will only require a minimal set of files to
39            be rebuilt.
40
41            ENABLE_LLINT_STATS is 0 (i.e. disabled) by default.
42
43         3. Added a slow path callback to the LLINT's traceExecution() macro, to call
44         _llint_count_opcode(), which in turn counts the opcode.  This callback will
45            only be built into the LLINT if ENABLE_LLINT_STATS is non-zero.
46
47         4. Added s_opcodeStatsArray to LLInt::Data.  This is where the stats are
48            recorded and stored.
49
50         5. Added calls to LLInt::Data::dumpStats() in jsc.cpp and DumpRenderTree.mm
51            to dump the LLINT stats if enabled.  If enabled, the LLINT stats will be
52            sorted and dumped (via dataLog) before the programs terminate.
53
54         * interpreter/Interpreter.h:
55         * jsc.cpp:
56         (main):
57         * llint/LLIntCommon.h:
58         * llint/LLIntData.cpp:
59         (JSC::LLInt::initialize):
60         (JSC::LLInt::Data::dumpStats):
61         * llint/LLIntData.h:
62         (JSC::LLInt::Data::opcodeStats):
63         * llint/LLIntOfflineAsmConfig.h:
64         * llint/LLIntSlowPaths.cpp:
65         (JSC::LLInt::llint_crash):
66         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
67         * llint/LLIntSlowPaths.h:
68         * llint/LowLevelInterpreter.asm:
69         * runtime/Options.cpp:
70         (JSC::parse):
71         (JSC::Options::isAvailable):
72         (JSC::overrideOptionWithHeuristic):
73         (JSC::scaleJITPolicy):
74         (JSC::Options::initialize):
75         (JSC::Options::setOptionWithoutAlias):
76         (JSC::Options::dumpAllOptions):
77         (JSC::Options::dumpOption):
78         * runtime/Options.h:
79         (JSC::Option::Option):
80         (JSC::Option::operator!=):
81         (JSC::Option::id):
82
83 2016-06-11  Mark Lam  <mark.lam@apple.com>
84
85         Minimize the amount of memcpy done for allocating Error stacks.
86         https://bugs.webkit.org/show_bug.cgi?id=158664
87
88         Reviewed by Darin Adler.
89
90         Currently, Vector<StackFrame> are being copied around multiple times in the
91         process of creating Error stacks.
92
93         This patch avoids this unnecessary copying by:
94         1. Sizing the StackFrame vector correctly to begin with, and skipping
95            undesirable top frames before filling in the vector.
96         2. Using perfect forwarding or passing by reference to pass the vector data around
97            instead of copying the vectors.
98         3. Changing the Exception object to take a Vector<StackFrame> instead of a
99            RefCountedArray<StackFrame>.
100
101         This patch has passed the JSC and layout tests.  Benchmarks show that perf is
102         neutral.
103
104         * API/tests/testapi.mm:
105         (testObjectiveCAPI):
106         * inspector/ScriptCallStackFactory.cpp:
107         (Inspector::createScriptCallStackFromException):
108         * interpreter/Interpreter.cpp:
109         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
110         (JSC::GetStackTraceFunctor::operator()):
111         (JSC::Interpreter::getStackTrace):
112         (JSC::Interpreter::stackTraceAsString):
113         (JSC::findExceptionHandler):
114         * interpreter/Interpreter.h:
115         * runtime/Error.cpp:
116         (JSC::addErrorInfoAndGetBytecodeOffset):
117         * runtime/Exception.cpp:
118         (JSC::Exception::finishCreation):
119         * runtime/Exception.h:
120         (JSC::Exception::valueOffset):
121         (JSC::Exception::value):
122         (JSC::Exception::stack):
123         (JSC::Exception::didNotifyInspectorOfThrow):
124         (JSC::Exception::setDidNotifyInspectorOfThrow):
125
126 2016-06-11  Mark Lam  <mark.lam@apple.com>
127
128         Tests that overflow the stack should not be run with the sampling profiler.
129         https://bugs.webkit.org/show_bug.cgi?id=158663
130
131         Reviewed by Saam Barati.
132
133         The sampling profiler will be sampling the whole stack, and the amount of memory
134         churn will make this test time out, especially with debug builds.  Hence,
135         let's not run the test with the sampling profiler configuration.
136
137         * tests/stress/mutual-tail-call-no-stack-overflow.js:
138         (shouldThrow):
139
140 2016-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
141
142         Unreviewed, attempt to fix r201964 failure on Apple ports
143         https://bugs.webkit.org/show_bug.cgi?id=158619
144
145         Reviewed by Mark Lam.
146
147         Add Private attributes to MathCommon.h.
148
149         * JavaScriptCore.xcodeproj/project.pbxproj:
150
151 2016-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
152
153         [JSC] Inline JSC::toInt32 to improve kraken
154         https://bugs.webkit.org/show_bug.cgi?id=158619
155
156         Reviewed by Mark Lam.
157
158         Several kraken benchmarks show that JSC::toInt32 is frequently called.
159         For example, stanford-crypto-pbkdf2 reports that the hottest runtime function is JSC::toInt32.
160
161         The data is below (taken by Linux perf tools).
162         5.50%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZN3JSC7toInt32Ed
163         3.96%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZN3JSC20arrayProtoFuncConcatEPNS_9ExecStateE
164         2.48%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZN3JSC19arrayProtoFuncSliceEPNS_9ExecStateE
165         1.69%  jsc      libJavaScriptCore.so.1.0.0  [.] _ZNK3JSC9Structure27holesMustForwardToPrototypeERNS_2VME
166
167         This is because of CommonSlowPaths' bit operations' JSValue::toInt32.
168         Due to the slow path, in `value | 0`, `value` may be a double number value. In that case, JSC::toInt32 is called.
169
170         While JSC::toInt32 is hot, the function itself is very small. It's worth inlining.
171
172         This change offers the following kraken improvements.
173
174                                                          baseline                  patched
175         Kraken:
176            audio-beat-detection                       47.492+-1.701             46.657+-1.232           might be 1.0179x faster
177            stanford-crypto-aes                        43.669+-0.210      ^      42.862+-0.115         ^ definitely 1.0188x faster
178            stanford-crypto-ccm                        45.213+-1.424             44.490+-1.290           might be 1.0162x faster
179            stanford-crypto-pbkdf2                    107.665+-0.581      ^     106.229+-0.807         ^ definitely 1.0135x faster
180
181         This patch only focused on the call to toInt32 from the runtime functions.
182         So JSC::toInt32 calls from the baseline / DFG remain.
183         We ensure that JIT code uses operationToInt32 instead of JSC::toInt32 since JSC::toInt32 is now marked as ALWAYS_INLINE.
184         Linux perf profiler also finds that this `operationToInt32` is frequently called in the above benchmarks.
185         It may be good to introduce asm emit for that instead of calling JSC::toInt32 operation in a separate patch.
186
187         * dfg/DFGSpeculativeJIT.cpp:
188         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
189         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
190         * ftl/FTLLowerDFGToB3.cpp:
191         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
192         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
193         * runtime/JSCJSValue.cpp:
194         (JSC::toInt32): Deleted.
195         * runtime/JSCJSValueInlines.h:
196         * runtime/MathCommon.cpp:
197         (JSC::operationToInt32):
198         * runtime/MathCommon.h:
199         (JSC::toInt32):
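
        The function whose inlining this entry describes computes the ECMAScript ToInt32
        conversion that `value | 0` applies when `value` is a double. The block below is an
        added example, not JSC's toInt32 or any code from this patch: a portable C++
        implementation of that conversion (function names `ecmaToInt32` and `jsBitwiseOr`
        are this example's own) covering the edge cases a hot path must get right: NaN and
        infinities map to 0, and values outside the int32 range wrap modulo 2^32 instead of
        hitting the undefined out-of-range double-to-int cast.

```cpp
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Added example (not JSC's code): ECMAScript ToInt32 for a double.
// Spec semantics: NaN, +/-Infinity and +/-0 give 0; otherwise truncate
// toward zero, reduce modulo 2^32 into [0, 2^32), then map values
// >= 2^31 into the negative half of the signed 32-bit range.
int32_t ecmaToInt32(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return 0;

    // Fast path: anything already inside the int32 range truncates directly.
    // (Mirrors why the conversion is cheap enough to inline in the common case.)
    if (number >= -2147483648.0 && number <= 2147483647.0)
        return static_cast<int32_t>(number);

    // Slow path: a direct cast of an out-of-range double is undefined behaviour
    // in C++, so reduce in double arithmetic first. fmod is exact for doubles,
    // and doubles >= 2^85 are multiples of 2^32, so they correctly reduce to 0.
    const double two32 = 4294967296.0;
    double modulo = std::fmod(std::trunc(number), two32); // in (-2^32, 2^32)
    if (modulo < 0)
        modulo += two32;                                  // now in [0, 2^32)
    uint32_t bits = static_cast<uint32_t>(modulo);

    // Explicit two's-complement mapping; avoids relying on the
    // implementation-defined unsigned->signed cast of pre-C++20.
    if (bits >= 0x80000000u)
        return static_cast<int32_t>(bits - 0x80000000u) - 2147483647 - 1;
    return static_cast<int32_t>(bits);
}

// What the JavaScript expression `a | b` evaluates to for two doubles:
// both operands go through ToInt32 before the bitwise operation.
int32_t jsBitwiseOr(double a, double b)
{
    return ecmaToInt32(a) | ecmaToInt32(b);
}

int main()
{
    // Constructed sample inputs: in-range, wrapping, and non-finite values.
    const double samples[] = { 3.7, -3.7, 2147483648.0, 4294967295.0,
                               1e20, -4294967297.0, NAN, INFINITY };
    for (double v : samples)
        std::printf("ToInt32(%g) = %d\n", v, ecmaToInt32(v));
    return 0;
}
```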
200
201 2016-06-10  Filip Pizlo  <fpizlo@apple.com>
202
203         The backend should be happy to compile Unreachable even if AI didn't prove it to be unreachable
204         https://bugs.webkit.org/show_bug.cgi?id=158631
205
206         Reviewed by Keith Miller.
207         
208         We've been slowly making the DFG Unreachable opcode behave like a grown-up. When we first
209         added it, it was a hack for Throw, and we could always rely on AI proving that Unreachable
210         was not reachable. But then we started using Unreachable as a proper Unreachable opcode,
211         like Oops in B3 for example, which has a more nuanced meaning: you use it whenever you
212         emit code that *you* know will not return, and you need some way of terminating the basic
213         block. The DFG is not a proof-carrying compiler, and it never will be. So, when you have
214         proved that something is not reachable, you should be able to use Unreachable even if
215         there is no guarantee that the compiler will later be able to replicate your proof. This
216         means that the backend may find itself compiling Unreachable because AI did not prove that
217         it was unreachable.
218         
219         Prior to this change, we would crash compiling Unreachable because we would rely on AI
220         preventing us from reaching Unreachable in the backend. But that's silly! We don't want
221         users of Unreachable to have to also convince AI that their Unreachable is really
222         Unreachable.
223         
224         This fixes crashes on real websites. I couldn't work out how to turn them into a reduced
225         test.
226
227         * assembler/AbortReason.h:
228         * dfg/DFGSpeculativeJIT.cpp:
229         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
230         (JSC::DFG::SpeculativeJIT::unreachable):
231         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
232         * dfg/DFGSpeculativeJIT.h:
233         * dfg/DFGSpeculativeJIT32_64.cpp:
234         (JSC::DFG::SpeculativeJIT::compile):
235         * dfg/DFGSpeculativeJIT64.cpp:
236         (JSC::DFG::SpeculativeJIT::compile):
237         * ftl/FTLLowerDFGToB3.cpp:
238         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
239         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
240         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
241         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
242
243 2016-06-09  Alex Christensen  <achristensen@webkit.org>
244
245         Clean up JavaScriptCore.vcxproj directory after switching to CMake.
246
247         * JavaScriptCore.vcxproj/LLInt: Removed.
248         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly: Removed.
249         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: Removed.
250         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
251         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Removed.
252         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets: Removed.
253         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
254         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
255         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Removed.
256         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor: Removed.
257         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
258         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
259         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
260         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Removed.
261         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
262         * JavaScriptCore.vcxproj/jsc: Removed.
263         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Removed.
264         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Removed.
265         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Removed.
266         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Removed.
267         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Removed.
268         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Removed.
269         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Removed.
270         * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Removed.
271         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Removed.
272         * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Removed.
273         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Removed.
274         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Removed.
275         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Removed.
276         * JavaScriptCore.vcxproj/jsc/jscProduction.props: Removed.
277         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Removed.
278         * JavaScriptCore.vcxproj/testRegExp: Removed.
279         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Removed.
280         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Removed.
281         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Removed.
282         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Removed.
283         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Removed.
284         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Removed.
285         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Removed.
286         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Removed.
287         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Removed.
288         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Removed.
289         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Removed.
290         * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Removed.
291         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Removed.
292         * JavaScriptCore.vcxproj/testapi: Removed.
293         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Removed.
294         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Removed.
295         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Removed.
296         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Removed.
297         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Removed.
298         * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Removed.
299         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Removed.
300         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Removed.
301         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Removed.
302         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Removed.
303         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Removed.
304         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Removed.
305         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Removed.
306         * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Removed.
307         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Removed.
308         * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Removed.
309         * shell/DLLLauncherMain.cpp: Copied from JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp.
310         * shell/PlatformWin.cmake:
311
312 2016-06-09  Filip Pizlo  <fpizlo@apple.com>
313
314         Rare failure in stress/v8-deltablue-strict.js.ftl-eager
315         https://bugs.webkit.org/show_bug.cgi?id=158591
316
317         Reviewed by Saam Barati.
318         
319         This is a simple and sensible fix to an amazing compiler bug that previously only
320         manifested rarely in the v8-deltablue-strict test. It required on average 1000 runs while
321         the system was under load for the bug to manifest. Fortunately, the bug is 100% repro with
322         concurrent JIT disabled in the new "constant-fold-multi-get-by-offset-to-get-by-offset-on-
323         prototype-and-sink-allocation.js" test.
324         
325         The problem here is that we were allowing ourselves to be super sloppy with the meaning of
326         the two children of GetByOffset, and to a lesser extent, PutByOffset. The first two
327         children of these nodes have these meanings:
328         
329         child1: the storage from which to load (or to which to store)
330         child2: the logical object base
331         
332         Normally, child1 == child2, but child1 may point to a node that vends the storage pointer
333         in case we are using multiple indirections to get to the property. That's fairly common.
334         
335         Where this gets nutty is that we don't validate the behavior of child1. Previously, the
336         DFG::Validate phase would accept code that had child1 point to one object and child2 point
337         to another object. That's bad because then, analyses will assume that we're loading from
338         one object while we are actually loading from another. One of the fixes is to make
339         Validate smarter about this, so that future problems with this get caught sooner.
340         
341         The actual bug was in ConstantFoldingPhase. When we first wrote ConstantFoldingPhase's
342         logic for converting GetByIds and MultiGetByOffsets to GetByOffset, we assumed that this
343         was only for non-prototype loads. This was because the logic was originally written based
344         on a static GetByIdStatus analysis, which does not handle prototypes. So, as a shortcut,
345         we would convert the GetById (or MultiGetByOffset) to a GetByOffset by doing this
346         shuffling of children:
347         
348         child1 got the storage pointer, which might be a new GetButterfly node that we created.
349         child2 got the old value of child1.
350         
351         The bug was introduced when I later made it possible for a monomorphic prototype
352         MultiGetByOffset to be converted to a GetByOffset. Then this algorithm would mean that:
353         
354         child1 got either a pointer to the prototype or a storage pointer derived from the
355             prototype.
356         child2 got the old value of child1, which was a pointer to the base object (i.e. not the
357             prototype).
358         
359         This happens super rarely because most prototype loads that we can statically reason about
360         also happen to load constants, so we don't convert to GetByOffset at all. You need the
361         strange combination of a MultiGetByOffset (not GetById or GetByOffset) on some prototypes
362         and some static reasoning about the base so that we can convert it to a GetByOffset, but
363         not enough static reasoning that we can convert it to a constant.
364         
365         Even if the bad thing happened, then this is not enough for it to cause symptoms. If we
366         did nothing else - like none of the other optimizations succeeded - then this would
367         be OK because the backend will emit code based on child1, which is right. But disaster
368         strikes when the code otherwise looks sane enough for ObjectAllocationSinkingPhase to kick
369         in. This phase operates on child2, as any good phase should: child1 is only interesting
370         for knowing *how* to load, not *what* we are loading. The phase is right to ignore child1.
371
372         So the phase would assume that we are loading the prototype property ("f" in the new test
373         or "addToGraph" in deltablue) from the sunken base object allocation in the inlined
374         constructor. The base object has no such property, but the phase conservatively assumes
375         that it does indeed have such a property. That's just how the phase does things: it is
376         very abstract and general, so it assumes that the set of properties on an allocation is
377         the set of properties that accesses to the allocation speak of. Clearly, this GetByOffset
378         was speaking of the property as being on the allocation. When sinking completed, it would
379         convert the GetByOffset to the sunken (a.k.a. promoted) property. But nobody stored to
380         this property on the allocation, so we'd get the bottom value, which is 1927. Why 1927? I
381         don't remember anymore, but apparently I chose it. It helped here - when I started seeing
382         that value come up, it took a quick grep to realize that this was the object allocation
383         sinking phase's bottom value.
384         
385         The real fix to the bug is to make Node::convertToGetByOffset() take an explicit new base
386         since its clients will use it to potentially create a load on a different object than the
387         base of the original operation, as in the relatively new
388         MultiGetByOffset(prototype)->GetByOffset optimization. As far as I know, the PutByOffset
389         code did not have the same bug because we don't have any optimizations that turn a PutById
390         or MultiPutByOffset into a PutByOffset on anything but the base object. But the logical
391         bug is definitely there: there's code in ConstantFoldingPhase that claims to be able to
392         convert any node to a PutByOffset on any base, but it actually silently reuses the
393         original node's child1 as the logical base (i.e. child2). This patch makes all of this
394         stuff explicit. You can't make this mistake anymore.
395
396         * dfg/DFGConstantFoldingPhase.cpp:
397         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
398         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
399         * dfg/DFGNode.h:
400         (JSC::DFG::Node::convertToGetStack):
401         (JSC::DFG::Node::convertToGetByOffset):
402         (JSC::DFG::Node::convertToMultiGetByOffset):
403         (JSC::DFG::Node::convertToPutByOffset):
404         * dfg/DFGValidate.cpp:
405         * tests/stress/constant-fold-multi-get-by-offset-to-get-by-offset-on-prototype-and-sink-allocation.js: Added.
406         (ThingA):
407         (ThingB):
408         (foo):
409         (bar):
410         * tests/stress/sink-to-impossible-multi-get-by-offset-on-prototypes.js: Added.
411         (ThingA):
412         (ThingB):
413         (ThingC):
414         (bar):
415         (foo):
416
417 2016-06-09  Mark Lam  <mark.lam@apple.com>
418
419         Make some methods const.
420         https://bugs.webkit.org/show_bug.cgi?id=158594
421
422         Reviewed by Benjamin Poulain.
423
424         * bytecode/CodeBlock.cpp:
425         (JSC::CodeBlock::columnNumberForBytecodeOffset):
426         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
427         * bytecode/CodeBlock.h:
428         * bytecode/ExpressionRangeInfo.h:
429         (JSC::ExpressionRangeInfo::encodeFatColumnMode):
430         (JSC::ExpressionRangeInfo::decodeFatLineMode):
431         (JSC::ExpressionRangeInfo::decodeFatColumnMode):
432         * bytecode/UnlinkedCodeBlock.cpp:
433         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
434         (JSC::UnlinkedCodeBlock::getLineAndColumn):
435         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
436         * bytecode/UnlinkedCodeBlock.h:
437         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
438         * interpreter/Interpreter.cpp:
439         (JSC::Interpreter::isOpcode):
440         (JSC::StackFrame::computeLineAndColumn):
441         (JSC::StackFrame::toString):
442         * interpreter/Interpreter.h:
443         (JSC::StackFrame::isNative):
444
445 2016-06-09  Michael Saboff  <msaboff@apple.com>
446
447         ES6: Reusing function name as a parameter name shouldn't throw Syntax Error
448         https://bugs.webkit.org/show_bug.cgi?id=158575
449
450         Reviewed by Benjamin Poulain.
451
452         The check for a parameter with a duplicate name doesn't take into account the
453         type of the prior variable.  Added a check that the duplicate is also a
454         parameter.
455
456         See the relevant spec section at:
457         http://www.ecma-international.org/ecma-262/6.0/#sec-function-definitions-static-semantics-early-errors
458
459         * parser/Parser.h:
460         (JSC::Scope::declareParameter):
461
462 2016-06-09  Chris Dumez  <cdumez@apple.com>
463
464         Unreviewed, rolling out r201836, r201845, and r201848.
465
466         Looks like a 1-2% PLT regression on iOS
467
468         Reverted changesets:
469
470         "[JSC] Change some parameters based on a random search"
471         https://bugs.webkit.org/show_bug.cgi?id=158514
472         http://trac.webkit.org/changeset/201836
473
474         "Temporary fix for the debug bots"
475         http://trac.webkit.org/changeset/201845
476
477         "Change thresholdForOptimizeSoon to match
478         thresholdForOptimizeAfterWarmUp"
479         http://trac.webkit.org/changeset/201848
480
481 2016-06-09  Commit Queue  <commit-queue@webkit.org>
482
483         Unreviewed, rolling out r201810.
484         https://bugs.webkit.org/show_bug.cgi?id=158563
485
486         breaks build without ENABLE_WEB_ANIMATION (Requested by
487         mcatanzaro on #webkit).
488
489         Reverted changeset:
490
491         "[web-animations] Add Animatable, AnimationEffect,
492         KeyframeEffect and Animation interface"
493         https://bugs.webkit.org/show_bug.cgi?id=156096
494         http://trac.webkit.org/changeset/201810
495
496 2016-06-08  Gavin & Ellie Barraclough  <barraclough@apple.com>
497
498         JSObject::reifyAllStaticProperties cleanup
499         https://bugs.webkit.org/show_bug.cgi?id=158543
500
501         Reviewed by Mark Lam.
502
503         - JSObject & Structure contain fields labeled 'staticFunctionsReified', however reification now
504           affects all properties, not just functions. Rename to 'staticPropertiesReified'.
505         - reifyAllStaticProperties relies on a 'hasStaticProperties' method on ClassInfo that walks the
506           ClassInfo inheritance chain looking for static property tables. We can now more efficiently
507           get this information from TypeInfo.
508         - reifyAllStaticProperties triggers a 'toUncacheableDictionaryTransition'; this is overzealous,
509           cacheable dictionary is sufficient - this is what we do in the case of DOM prototype property
510           reification (see 'reifyStaticProperties' in Lookup.h). (Changing this with an eye on switching
511           DOM prototype property reification to use JSObject::reifyAllStaticProperties, rather than
512           having its own special purpose code path.)
513
514         * runtime/ClassInfo.h:
515         (JSC::ClassInfo::hasStaticProperties): Deleted.
516             - deprecated by TypeInfo::hasStaticPropertyTable.
517         * runtime/JSObject.cpp:
518         (JSC::JSObject::putInlineSlow):
519         (JSC::JSObject::deleteProperty):
520         (JSC::JSObject::getOwnNonIndexPropertyNames):
521             - staticFunctionsReified -> staticPropertiesReified
522         (JSC::JSObject::reifyAllStaticProperties):
523             - hasStaticProperties -> TypeInfo::hasStaticPropertyTable
524             - toUncacheableDictionaryTransition -> toCacheableDictionaryTransition
525             - staticFunctionsReified -> staticPropertiesReified
526         * runtime/JSObject.h:
527         (JSC::JSObject::staticPropertiesReified):
528         (JSC::JSObject::staticFunctionsReified): Deleted.
529         * runtime/Lookup.cpp:
530         (JSC::setUpStaticFunctionSlot):
531         * runtime/Lookup.h:
532         (JSC::getStaticPropertySlotFromTable):
533         (JSC::replaceStaticPropertySlot):
534         * runtime/Structure.cpp:
535         (JSC::Structure::Structure):
536         * runtime/Structure.h:
537             - staticFunctionsReified -> staticPropertiesReified
538
539 2016-06-08  Benjamin Poulain  <bpoulain@apple.com>
540
541         Change thresholdForOptimizeSoon to match thresholdForOptimizeAfterWarmUp
542
543         Unreviewed.
544
545         This adds back the assertion removed in r201845.
546         Making those thresholds equal is completely perf neutral
547         (on Haswell rMBP with 20 runs).
548
549         * runtime/Options.cpp:
550         (JSC::Options::initialize):
551         * runtime/Options.h:
552
553 2016-06-08  Benjamin Poulain  <bpoulain@apple.com>
554
555         Temporary fix for the debug bots
556
557         Unreviewed.
558
559         * runtime/Options.cpp:
560         (JSC::Options::initialize):
561         Weaken an assertion while I test values for thresholdForOptimizeSoon.
562
563 2016-06-08  Benjamin Poulain  <bpoulain@apple.com>
564
565         [JSC] Change some parameters based on a random search
566         https://bugs.webkit.org/show_bug.cgi?id=158514
567
568         Reviewed by Filip Pizlo.
569
570         Over the weekend, I left an iMac running the JSC benchmarks
571         while changing a bunch of parameters.
572
573         The parameters were changed randomly, with a random deviation
574         from the original value.
575         To converge toward good values, the range was subject
576         to exponential annealing over time.
577
578         The values in this patch are the best outcome my iMac could
579         find over the weekend. It is about 1% better on the Haswell
580         machines I tested.
581
582         * bytecode/CodeBlock.cpp:
583         (JSC::CodeBlock::optimizationThresholdScalingFactor):
584         * runtime/Options.h:
585
586 2016-06-08  Gavin Barraclough  <barraclough@apple.com>
587
588         Remove removeDirect
589         https://bugs.webkit.org/show_bug.cgi?id=158516
590
591         Reviewed by Ryosuke Niwa.
592
593         removeDirect is typically used as a subroutine of deleteProperty, but is also available to
594         call directly. Having this functionality factored out to a separate routine is a bad idea
595         on a couple of fronts:
596
597         - for the main use within deleteProperty there is redundancy (presence of the property
598           was being checked twice) and inconsistency (the two functions returned different results
599           in the case of a nonexistent property; the result from removeDirect was never observed).
600
601         - all uses of removeDirect are in practical terms incorrect. removeDirect had the
602           advantage of ignoring the configurable (DontDelete) attributes, but this is achievable
603           using the DeletePropertyMode setting - and the disadvantage of failing to delete static
604           table properties. Last uses were one that was removed in bug #158295 (where failure to
605           delete static properties was a problem), and as addressed in this patch removeDirect is
606           being used to implement runtime enabled features. This only works because we currently
607           force reification of all properties on the DOM prototype objects, so in effect there are
608           no static properties. In order to make the code robust such that runtime enabled
609           features would still work even if we were not reifying static properties (a change we
610           may want to make) we should be calling deleteProperty in this case too.
611
612         * runtime/JSObject.cpp:
613         (JSC::JSObject::deleteProperty):
614             - incorporated removeDirect functionality, added comments & ASSERT.
615         (JSC::JSObject::removeDirect): Deleted.
616             - removed.
617         * runtime/JSObject.h:
618             - removed removeDirect.
619
620 2016-06-08  Mark Lam  <mark.lam@apple.com>
621
622         Simplify Interpreter::StackFrame.
623         https://bugs.webkit.org/show_bug.cgi?id=158498
624
625         Reviewed by Saam Barati.
626
627         Previously, Interpreter::StackFrame (which is used to capture info for
628         Error.stack) eagerly extracts info out of CodeBlock and duplicates the work that
629         CodeBlock does to compute line and column numbers (amongst other things).
630
631         This patch does away with the eager extraction and only stashes the CodeBlock
632         pointer in the Interpreter::StackFrame.  Instead, Interpreter::StackFrame will
633         provide methods for computing the desired values on request later.
634
635         One difference in implementation: the old StackFrame offers a sourceURL and a
636         friendlySourceURL().  The only difference between the 2 is that for native
637         functions, sourceURL returns an empty string, and friendlySourceURL() returns
638         "[native code]".  This is how it affects the clients of StackFrame:
639
640             - In the old code, the Error object's addErrorInfoAndGetBytecodeOffset() and
641               the inspector's createScriptCallStackFromException() would check if
642               sourceURL is empty.  If so, they will use this as an indicator to use
643               alternate source info in the Error object e.g. url and line numbers from
644               the parser that produced a SyntaxError.
645
646             - In the new implementation, StackFrame only has a sourceURL() function that
647               behaves like the old friendlySourceURL().  The client code which was
648               relying on sourceURL being empty will now explicitly check if the
649               StackFrame is for native code using a new isNative() query in addition to
650               the sourceURL being empty.  This achieves functional parity with the old
651               behavior.
652
653         Also fix Error.cpp's addErrorInfoAndGetBytecodeOffset() to take a bytecodeOffset
654         pointer instead of a reference.  The bytecodeOffset arg is supposed to be
655         optional, but was implemented in an unclear way.  This change clarifies it.
656
657         * inspector/ScriptCallStackFactory.cpp:
658         (Inspector::createScriptCallStackFromException):
659         * interpreter/Interpreter.cpp:
660         (JSC::StackFrame::sourceID):
661         (JSC::StackFrame::sourceURL):
662         (JSC::StackFrame::functionName):
663         (JSC::eval):
664         (JSC::Interpreter::isOpcode):
665         (JSC::StackFrame::computeLineAndColumn):
666         (JSC::StackFrame::toString):
667         (JSC::GetStackTraceFunctor::operator()):
668         (JSC::StackFrame::friendlySourceURL): Deleted.
669         (JSC::StackFrame::friendlyFunctionName): Deleted.
670         (JSC::getStackFrameCodeType): Deleted.
671         (JSC::StackFrame::expressionInfo): Deleted.
672         * interpreter/Interpreter.h:
673         (JSC::StackFrame::isNative):
674         * runtime/Error.cpp:
675         (JSC::addErrorInfoAndGetBytecodeOffset):
676         (JSC::addErrorInfo):
677         * runtime/Error.h:
678         * runtime/ErrorInstance.cpp:
679         (JSC::ErrorInstance::finishCreation):
680
681 2016-06-08  Keith Miller  <keith_miller@apple.com>
682
683         We should be able to lookup symbols by identifier in builtins
684         https://bugs.webkit.org/show_bug.cgi?id=158530
685
686         Reviewed by Mark Lam.
687
688         This patch allows us to look up the value of a symbol property on an
689         object by identifier in builtins. Before, it was only possible to
690         do so if we were directly emitting the bytecodes, such as in a
691         for-of loop looking for Symbol.iterator. As we tier up we convert
692         the builtin's get_by_val symbol lookups into get_by_id
693         lookups. However, there is still a significant performance
694         difference between get_by_id and get_by_val in the LLInt, where
695         this transformation does not take place.
696
697         In order to make this work we hijack BuiltinNames'
698         m_publicToPrivateMap so that it points the @<symbol>Symbol to the
699         appropriate vm symbol. This way when we lex the identifier it will
700         become the appropriate symbol's identifier.  Currently, if the
701         symbol is used to name a property in an object literal we will not
702         keep a cache of the Symbol objects we have already seen. We could
703         add a map for symbols but since we can only load symbols by
704         identifier in builtins it's likely not worth it. Additionally, even
705         in builtins it is extremely rare to use Symbols in object
706         literals.
707
708         * builtins/ArrayConstructor.js:
709         (from):
710         * builtins/ArrayPrototype.js:
711         (filter):
712         (map):
713         * builtins/BuiltinNames.h:
714         (JSC::BuiltinNames::BuiltinNames):
715         * builtins/BuiltinUtils.h:
716         * builtins/GlobalObject.js:
717         (speciesConstructor):
718         * builtins/StringPrototype.js:
719         (match):
720         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
721         (search):
722         (split):
723         * builtins/TypedArrayConstructor.js:
724         (from):
725         * builtins/TypedArrayPrototype.js:
726         (map):
727         (filter):
728         * bytecode/BytecodeIntrinsicRegistry.cpp:
729         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): Deleted.
730         * bytecode/BytecodeIntrinsicRegistry.h:
731         * bytecompiler/BytecodeGenerator.cpp:
732         (JSC::BytecodeGenerator::emitLoad):
733         * parser/Parser.cpp:
734         (JSC::Parser<LexerType>::parseInner):
735
736 2016-06-08  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>
737
738         [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
739         https://bugs.webkit.org/show_bug.cgi?id=156096
740
741         Reviewed by Dean Jackson.
742
743         Adds:
744         - Animatable interface and implementation of getAnimations in Element
745         - Interface and implementation for Document getAnimations method.
746         - AnimationEffect interface and class stub.
747         - KeyframeEffect interface and constructor implementation.
748         - 'Animation' interface, constructor and query methods for effect and timeline.
749         - Remove runtime condition on Web animation interfaces (compile time flag is specified).
750
751         * runtime/CommonIdentifiers.h:
752
753 2016-06-08  Chris Dumez  <cdumez@apple.com>
754
755         self.hasOwnProperty() does not work inside Web workers
756         https://bugs.webkit.org/show_bug.cgi?id=158446
757         <rdar://problem/26638397>
758
759         Reviewed by Geoffrey Garen.
760
761         Add a factory function to JSProxy to create a JSProxy without a target.
762         Also make the setTarget() method public so that the target can now be
763         set after creation. This is needed so that we can create a proxy for
764         JSWorkerGlobalScope, then create the JSWorkerGlobalScope object,
765         passing it the proxy and finally set the target on the proxy.
766
767         * runtime/JSProxy.h:
768         (JSC::JSProxy::create):
769
770 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
771
772         Add result validation to JSAir
773         https://bugs.webkit.org/show_bug.cgi?id=158493
774
775         Reviewed by Saam Barati.
776         
777         Add a ::jsHash() method to some things, to compute a hash code that is suitable for
778         comparing a C++ Code to a JSAir Code. This is different from existing hashing functionality
779         because it errs on the side of easy reproducibility from JS rather than speed.
780
781         * b3/air/AirArg.cpp:
782         (JSC::B3::Air::Arg::isCompatibleType):
783         (JSC::B3::Air::Arg::jsHash):
784         (JSC::B3::Air::Arg::dump):
785         * b3/air/AirArg.h:
786         (JSC::B3::Air::Arg::asDoubleCondition):
787         (JSC::B3::Air::Arg::isInvertible):
788         (JSC::B3::Air::Arg::isUnsignedCond):
789         (JSC::B3::Air::Arg::Arg):
790         * b3/air/AirCode.cpp:
791         (JSC::B3::Air::Code::addFastTmp):
792         (JSC::B3::Air::Code::jsHash):
793         * b3/air/AirCode.h:
794         (JSC::B3::Air::Code::lastPhaseName):
795         * b3/air/AirDumpAsJS.cpp:
796         (JSC::B3::Air::dumpAsJS):
797         * b3/air/AirGenerate.cpp:
798         (JSC::B3::Air::prepareForGeneration):
799         * b3/air/AirInst.cpp:
800         (JSC::B3::Air::Inst::hasArgEffects):
801         (JSC::B3::Air::Inst::jsHash):
802         (JSC::B3::Air::Inst::dump):
803         * b3/air/AirInst.h:
804         * b3/air/AirStackSlot.cpp:
805         (JSC::B3::Air::StackSlot::setOffsetFromFP):
806         (JSC::B3::Air::StackSlot::jsHash):
807         (JSC::B3::Air::StackSlot::dump):
808         * b3/air/AirStackSlot.h:
809         * b3/air/opcode_generator.rb:
810
811 2016-06-07  Mark Lam  <mark.lam@apple.com>
812
813         Need an exception check after constructEmptyArray().
814         https://bugs.webkit.org/show_bug.cgi?id=158411
815
816         Reviewed by Saam Barati.
817
818         Added an exception check after each call to constructEmptyArray().
819
820         * inspector/JSInjectedScriptHost.cpp:
821         (Inspector::JSInjectedScriptHost::getInternalProperties):
822         (Inspector::JSInjectedScriptHost::weakMapEntries):
823         (Inspector::JSInjectedScriptHost::weakSetEntries):
824         (Inspector::JSInjectedScriptHost::iteratorEntries):
825         * interpreter/ShadowChicken.cpp:
826         (JSC::ShadowChicken::functionsOnStack):
827         * profiler/ProfilerBytecodeSequence.cpp:
828         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
829         * profiler/ProfilerCompilation.cpp:
830         (JSC::Profiler::Compilation::toJS):
831         * profiler/ProfilerDatabase.cpp:
832         (JSC::Profiler::Database::toJS):
833         * profiler/ProfilerOSRExitSite.cpp:
834         (JSC::Profiler::OSRExitSite::toJS):
835         * profiler/ProfilerOriginStack.cpp:
836         (JSC::Profiler::OriginStack::toJS):
837         * runtime/ArrayPrototype.cpp:
838         (JSC::arrayProtoFuncConcat):
839         (JSC::arrayProtoFuncSlice):
840         (JSC::arrayProtoFuncSplice):
841         * runtime/LiteralParser.cpp:
842         (JSC::LiteralParser<CharType>::parse):
843         * runtime/ModuleLoaderObject.cpp:
844         (JSC::moduleLoaderObjectRequestedModules):
845         * runtime/ObjectConstructor.cpp:
846         (JSC::ownPropertyKeys):
847         * runtime/RegExpObject.cpp:
848         (JSC::collectMatches):
849         * runtime/RegExpPrototype.cpp:
850         (JSC::regExpProtoFuncSplitFast):
851         * runtime/StringPrototype.cpp:
852         (JSC::stringProtoFuncSplitFast):
853         * runtime/TemplateRegistry.cpp:
854         (JSC::TemplateRegistry::getTemplateObject):
855
856         * tests/stress/regress-158411.js: Added.
857
858 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
859
860         Implement Air::allocateStack() in ES6 to see how much of a bad idea that is
861         https://bugs.webkit.org/show_bug.cgi?id=158318
862
863         Reviewed by Saam Barati.
864         
865         Most of these changes are to support dumpAsJS(). But I also found some duplicate and dead
866         code while rewriting it to JS.
867
868         * CMakeLists.txt:
869         * JavaScriptCore.xcodeproj/project.pbxproj:
870         * b3/air/AirAllocateStack.cpp:
871         * b3/air/AirArg.h:
872         (JSC::B3::Air::Arg::isSomeImm):
873         (JSC::B3::Air::Arg::isAddr):
874         (JSC::B3::Air::Arg::tmpIndex):
875         (JSC::B3::Air::Arg::isValidImmForm):
876         (JSC::B3::Air::Arg::withOffset): Deleted. This was dead code.
877         * b3/air/AirArgInlines.h: It turns out that Inst has a ForEach thing that duplicated some of the logic of ArgThingHelper, so I just made ArgThingHelper more powerful.
878         (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
879         (JSC::B3::Air::ArgThingHelper<Reg>::is):
880         (JSC::B3::Air::ArgThingHelper<Reg>::as):
881         (JSC::B3::Air::ArgThingHelper<Reg>::forEachFast):
882         (JSC::B3::Air::ArgThingHelper<Reg>::forEach):
883         (JSC::B3::Air::Arg::is):
884         * b3/air/AirDumpAsJS.cpp: Added.
885         (JSC::B3::Air::dumpAsJS):
886         * b3/air/AirDumpAsJS.h: Added.
887         * b3/air/AirFixObviousSpills.cpp:
888         * b3/air/AirGenerate.cpp:
889         (JSC::B3::Air::prepareForGeneration):
890         * b3/air/AirInstInlines.h:
891         (JSC::B3::Air::Inst::forEach):
892         (JSC::B3::Air::Inst::extraClobberedRegs):
893         (JSC::B3::Air::ForEach<Tmp>::forEach): Deleted. This was doing what ArgThingHelper would have done but not as well.
894         (JSC::B3::Air::ForEach<Arg>::forEach): Deleted.
895         (JSC::B3::Air::ForEach<Reg>::forEach): Deleted.
896         * b3/air/AirLogRegisterPressure.cpp:
897         * b3/air/AirReportUsedRegisters.cpp:
898         * b3/air/AirSpillEverything.cpp:
899         * b3/air/opcode_generator.rb: Make this dump opcode.js, which is like what it dumps for C++.
900         * jit/Reg.cpp:
901         (JSC::Reg::debugName):
902         (JSC::Reg::dump):
903         * jit/Reg.h:
904         (JSC::Reg::hash):
905         * jsc.cpp: Fix jsc so that it reports the filename and line number of parser errors.
906         (dumpException):
907         * parser/ParserError.h: Make it easier to debug this code.
908         (WTF::printInternal):
909         * runtime/Options.h:
910
911 2016-06-07  Keith Rollin  <krollin@apple.com>
912
913         Remove all uses of PassRefPtr in WTF
914         https://bugs.webkit.org/show_bug.cgi?id=157596
915         <rdar://problem/26234391>
916
917         Reviewed by Chris Dumez.
918
919         Update calls to interfaces that no longer take or return PassRefPtrs.
920
921         * runtime/JSString.cpp:
922         (JSC::JSRopeString::resolveRope):
923         * runtime/JSString.h:
924         (JSC::JSString::JSString):
925         (JSC::jsSubstring):
926         * runtime/PrivateName.h:
927         (JSC::PrivateName::PrivateName):
928         * runtime/SmallStrings.cpp:
929         (JSC::SmallStringsStorage::SmallStringsStorage):
930         * runtime/StringConstructor.cpp:
931         (JSC::stringFromCharCodeSlowCase):
932         * runtime/StringPrototype.cpp:
933         (JSC::jsSpliceSubstrings):
934         (JSC::jsSpliceSubstringsWithSeparators):
935         (JSC::replaceUsingStringSearch):
936         (JSC::repeatCharacter):
937         (JSC::stringProtoFuncFontsize):
938         (JSC::stringProtoFuncLink):
939         (JSC::normalize):
940
941 2016-06-07  Saam barati  <sbarati@apple.com>
942
943         InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit
944         https://bugs.webkit.org/show_bug.cgi?id=158499
945         <rdar://problem/26647473>
946
947         Reviewed by Mark Lam and Benjamin Poulain.
948
949         InvalidationPointInjectionPhase forgot to clear m_originThatHadFire 
950         before analyzing the current block it's analyzing. This meant that
951         the phase allowed a residual m_originThatHadFire that was set from the
952         previous block to affect a completely unrelated block. This is usually
953         harmless, but sometimes we would insert an InvalidationPoint at a point
954         in the graph when exiting is invalid. This would cause a crash.
955
956         * dfg/DFGInvalidationPointInjectionPhase.cpp:
957         (JSC::DFG::InvalidationPointInjectionPhase::run):
958         * tests/stress/dont-crash-on-bad-invalidation-point.js: Added.
959         (dontCrash):
960
961 2016-06-07  Saam Barati  <sbarati@apple.com>
962
963         operationProcessTypeProfilerLogDFG doesn't update topCallFrame
964         https://bugs.webkit.org/show_bug.cgi?id=158428
965         <rdar://problem/26571493>
966
967         Reviewed by Mark Lam.
968
969         * dfg/DFGOperations.cpp:
970
971 2016-06-07  Mark Lam  <mark.lam@apple.com>
972
973         calculatedDisplayName() and friends actually need a VM& and not an ExecState/CallFrame.
974         https://bugs.webkit.org/show_bug.cgi?id=158488
975
976         Reviewed by Geoffrey Garen.
977
978         calculatedDisplayName() (and some of its friends) actually just need a VM&.
979         Their work has nothing to do with an ExecState at all.  This patch will make that
980         clear by changing these functions to take a VM& arg instead of an ExecState* or
981         CallFrame*.
982
983         Also removed the JS_EXPORT_PRIVATE attribute from Interpreter::StackFrame::toString().
984         The JS_EXPORT_PRIVATE attribute was a holdover from the days when WebInspector
985         was entirely in WebCore.  It is no longer needed.
986
987         * debugger/DebuggerCallFrame.cpp:
988         (JSC::DebuggerCallFrame::functionName):
989         * inspector/JSInjectedScriptHost.cpp:
990         (Inspector::JSInjectedScriptHost::functionDetails):
991         * inspector/ScriptCallStackFactory.cpp:
992         (Inspector::createScriptCallStackFromException):
993         * interpreter/CallFrame.cpp:
994         (JSC::CallFrame::friendlyFunctionName):
995         * interpreter/Interpreter.cpp:
996         (JSC::StackFrame::friendlySourceURL):
997         (JSC::StackFrame::friendlyFunctionName):
998         (JSC::StackFrame::expressionInfo):
999         (JSC::StackFrame::toString):
1000         (JSC::Interpreter::stackTraceAsString):
1001         * interpreter/Interpreter.h:
1002         * interpreter/StackVisitor.cpp:
1003         (JSC::StackVisitor::Frame::functionName):
1004         * runtime/InternalFunction.cpp:
1005         (JSC::InternalFunction::name):
1006         (JSC::InternalFunction::displayName):
1007         (JSC::InternalFunction::getCallData):
1008         (JSC::InternalFunction::calculatedDisplayName):
1009         * runtime/InternalFunction.h:
1010         (JSC::InternalFunction::createStructure):
1011         * runtime/JSFunction.cpp:
1012         (JSC::JSFunction::name):
1013         (JSC::JSFunction::displayName):
1014         (JSC::JSFunction::calculatedDisplayName):
1015         (JSC::JSFunction::getConstructData):
1016         (JSC::getCalculatedDisplayName):
1017         * runtime/JSFunction.h:
1018         (JSC::JSFunction::executable):
1019         * runtime/JSObject.cpp:
1020         (JSC::JSObject::calculatedClassName):
1021
1022 2016-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1023
1024         [JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions
1025         https://bugs.webkit.org/show_bug.cgi?id=158416
1026
1027         Reviewed by Darin Adler and Geoffrey Garen.
1028
1029         Previously, the encodeXXX functions first allocate a new UTF-8 string, and generate (& allocate) the results from this UTF-8 string.
1030         It is costly since this UTF-8 string is always wasted. In this patch, we generate the results without this UTF-8 string.
1031         We precisely implement ECMA262's Encode abstract operation[1].
1032
1033         These optimized encodeXXX functions provide a great improvement in kraken stanford-crypto-sha256-iterative since it frequently calls
1034         these functions. We can see 6 - 7% improvements.
1035
1036                                                       baseline                  patched
1037
1038         stanford-crypto-sha256-iterative           37.952+-0.155      ^      35.484+-0.265         ^ definitely 1.0695x faster
1039
1040
1041         [1]: https://tc39.github.io/ecma262/#sec-encode
1042
1043         * runtime/JSGlobalObjectFunctions.cpp:
1044         (JSC::toSafeView):
1045         Use this helper function to retrieve JSString::SafeView.
1046
1047         (JSC::makeCharacterBitmap):
1048         (JSC::encode):
1049         In encode, we reserve a buffer of length N at first. This is important when the length of the given string is long enough,
1050         preventing frequent unnecessary buffer reallocations. This reserving contributes to 1% kraken stanford-crypto-sha256-iterative progression.
1051
1052         (JSC::decode):
1053         Previously, the Bitmap accidentally included \0. And instead of removing this \0, we checked character != 0.
1054         This patch fixes it so that the Bitmap does not include \0.
1055
1056         (JSC::globalFuncParseInt):
1057         (JSC::globalFuncEscape):
1058         (JSC::globalFuncUnescape):
1059         * tests/stress/encode-decode-ascii.js: Added.
1060         (shouldBe):
1061         * tests/stress/encode-decode-unicode.js: Added.
1062         (shouldBe):
1063         (isLowSurrogate):
1064         (isHighSurrogate):
1065         (isSurrogate):
1066         * tests/stress/encode-decode-uri-component-surrogates.js: Added.
1067         (shouldBe):
1068         (toHighSurrogate):
1069         (toLowSurrogate):
1070         * tests/stress/encode-decode-uri-surrogates.js: Added.
1071         (shouldBe):
1072         (toHighSurrogate):
1073         (toLowSurrogate):
1074         * tests/stress/encode-decode-zero.js: Added.
1075         (shouldBe):
1076         * tests/stress/escape-unescape-surrogates.js: Added.
1077         (shouldBe):
1078         (toHighSurrogate):
1079         (toLowSurrogate):
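
The Encode abstract operation the entry above refers to ([1], sec-encode), written directly over the UTF-16 code units so that each code point is escaped as its UTF-8 bytes without first converting the whole string, which is the approach the entry describes. This is an added example, not code from JSC's runtime/JSGlobalObjectFunctions.cpp; HEX_DIGITS, codeUnitSet, URI_UNESCAPED, URI_UNESCAPED_AND_RESERVED, utf8Bytes, encode and agreesWithBuiltin are this example's own names. The cross-check against the engine's built-in encodeURIComponent covers the cases the added stress tests are named after: ASCII, non-ASCII BMP characters, surrogate pairs, lone surrogates (a URIError) and the \0 character.

```javascript
// ECMA-262 Encode(string, unescapedSet), implemented per code point over UTF-16 code
// units. Added illustration; names are this example's own.
const HEX_DIGITS = "0123456789ABCDEF";

function codeUnitSet(chars) {
  return new Set(Array.from(chars, (c) => c.charCodeAt(0)));
}

// Code units encodeURIComponent leaves alone (uriUnescaped): alphanumerics and -_.!~*'()
const URI_UNESCAPED_CHARS =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()";
const URI_UNESCAPED = codeUnitSet(URI_UNESCAPED_CHARS);
// encodeURI additionally keeps uriReserved ";/?:@&=+$," and "#".
const URI_UNESCAPED_AND_RESERVED = codeUnitSet(URI_UNESCAPED_CHARS + ";/?:@&=+$,#");

// UTF-8 bytes of one Unicode scalar value (surrogates have been rejected before this runs).
function utf8Bytes(cp) {
  if (cp < 0x80) return [cp];
  if (cp < 0x800) return [0xc0 | (cp >> 6), 0x80 | (cp & 0x3f)];
  if (cp < 0x10000) {
    return [0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f)];
  }
  return [
    0xf0 | (cp >> 18),
    0x80 | ((cp >> 12) & 0x3f),
    0x80 | ((cp >> 6) & 0x3f),
    0x80 | (cp & 0x3f),
  ];
}

function encode(string, unescapedSet) {
  const out = [];
  const len = string.length;
  let k = 0;
  while (k < len) {
    const c = string.charCodeAt(k);
    if (unescapedSet.has(c)) {
      out.push(string[k]); // copied through unchanged, including nothing special for "\0"
      k += 1;
      continue;
    }
    // A low surrogate not preceded by a high surrogate is a URIError (spec step 4.d.iv).
    if (c >= 0xdc00 && c <= 0xdfff) throw new URIError("lone low surrogate at index " + k);
    let cp = c;
    if (c >= 0xd800 && c <= 0xdbff) {
      k += 1;
      // A high surrogate at end of input, or followed by anything but a low surrogate,
      // is a URIError as well.
      if (k === len) throw new URIError("truncated surrogate pair at index " + (k - 1));
      const d = string.charCodeAt(k);
      if (d < 0xdc00 || d > 0xdfff) throw new URIError("lone high surrogate at index " + (k - 1));
      cp = ((c - 0xd800) << 10) + (d - 0xdc00) + 0x10000; // UTF16SurrogatePairToCodePoint
    }
    for (const b of utf8Bytes(cp)) {
      out.push("%" + HEX_DIGITS[b >> 4] + HEX_DIGITS[b & 0x0f]);
    }
    k += 1;
  }
  return out.join("");
}

// Cross-check against the engine's built-in encodeURIComponent: true when both return
// the same string, or both throw URIError, for the given input.
function agreesWithBuiltin(string) {
  let mine;
  let theirs;
  try { mine = encode(string, URI_UNESCAPED); } catch (e) { mine = e instanceof URIError ? "URIError" : e; }
  try { theirs = encodeURIComponent(string); } catch (e) { theirs = e instanceof URIError ? "URIError" : e; }
  return mine === theirs;
}
```

Two details worth noticing: the output is built per code point, so the only allocation that scales with the input is the result itself, which is the saving the entry reports; and "\0" is simply not a member of the unescaped set, so it is escaped to "%00" like any other control character, which is the behaviour the encode-decode-zero.js test pins down.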
1080
1081 2016-06-07  Ting-Wei Lan  <lantw44@gmail.com>
1082
1083         [GTK] Include locale.h before using LC_ALL
1084         https://bugs.webkit.org/show_bug.cgi?id=158470
1085
1086         Reviewed by Darin Adler.
1087
1088         * jsc.cpp:
1089
1090 2016-06-07  Joseph Pecoraro  <pecoraro@apple.com>
1091
1092         Unskip generator related stress tests
1093         https://bugs.webkit.org/show_bug.cgi?id=158461
1094
1095         Reviewed by Darin Adler.
1096
1097         * tests/stress/generator-methods.js:
1098         * tests/stress/generator-syntax.js:
1099         * tests/stress/yield-and-line-terminator.js:
1100         * tests/stress/yield-label-generator.js:
1101         * tests/stress/yield-named-accessors-generator.js:
1102         * tests/stress/yield-named-variable-generator.js:
1103         * tests/stress/yield-out-of-generator.js:
1104
1105 2016-06-06  Joseph Pecoraro  <pecoraro@apple.com>
1106
1107         Fix typo in test name trailing-comma-in-function-paramters.js
1108         https://bugs.webkit.org/show_bug.cgi?id=158462
1109
1110         Reviewed by Mark Lam.
1111
1112         * tests/stress/trailing-comma-in-function-parameters.js: Renamed from Source/JavaScriptCore/tests/stress/trailing-comma-in-function-paramters.js.
1113
1114 2016-06-06  Andreas Kling  <akling@apple.com>
1115
1116         REGRESSION(r197595): 2% JSBench regression on iPhone 5.
1117         <https://webkit.org/b/158459>
1118
1119         Unreviewed rollout.
1120
1121         * runtime/VM.cpp:
1122         (JSC::VM::deleteAllRegExpCode): Deleted.
1123         * runtime/VM.h:
1124
1125 2016-06-06  Michael Saboff  <msaboff@apple.com>
1126
1127         octal and binary parsing is wrong for some programs
1128         https://bugs.webkit.org/show_bug.cgi?id=158437
1129
1130         Reviewed by Saam Barati.
1131
1132         When there is an error parsing a binary or octal literal, we need to clear the returnValue
1133         of any residual value.  This is because the processing of returnValue happens before the
1134         syntax check for the extra character.  Without clearing returnValue, we end up trying to
1135         categorize the value as an INTEGER or DOUBLE token.  If the value happens to be an
1136         impure NaN, we ASSERT.
1137
1138         * parser/Lexer.cpp:
1139         (JSC::Lexer<T>::parseBinary):
1140         (JSC::Lexer<T>::parseOctal):
1141         * tests/stress/regress-158437.js: New test.
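
A model of the lexer ordering the entry above describes, added here and not taken from JSC's parser/Lexer.cpp: the digits of a 0b/0o literal are accumulated into an out-parameter first, and the syntax check for a trailing identifier character runs afterwards, so the out-parameter must be cleared on failure before anything classifies the token as INTEGER or DOUBLE. TokenType, parseRadixDigits, classify and lexNumericLiteral are this example's own names, and the 0x7fffffff boundary between INTEGER and DOUBLE is an assumption of the model.

```javascript
// Numeric-literal lexer for 0b.../0o... literals with an explicit "returnValue"
// out-parameter. Added illustration of the fix described in the entry; not JSC code.
const TokenType = { INTEGER: "INTEGER", DOUBLE: "DOUBLE", ERROR: "ERROR" };

// Characters that may not directly follow a numeric literal (e.g. "0b12", "0o7x").
function isIdentifierPart(ch) {
  return ch !== undefined && /[A-Za-z0-9_$]/.test(ch);
}

// Accumulate digits of the given radix into state.returnValue (a double, as an engine
// would hold it) and advance state.pos. Returns false on a syntax error. The ordering
// mirrors the entry: the value is fully accumulated before the trailing-character
// check, so on failure it must be cleared explicitly or a stale value leaks out.
function parseRadixDigits(src, state, radix) {
  const maxDigit = String.fromCharCode(48 + radix - 1); // "1" for binary, "7" for octal
  let i = state.pos;
  let value = 0;
  let digits = 0;
  while (i < src.length && src[i] >= "0" && src[i] <= maxDigit) {
    value = value * radix + (src.charCodeAt(i) - 48);
    i += 1;
    digits += 1;
  }
  state.returnValue = value;
  state.pos = i;
  if (digits === 0 || isIdentifierPart(src[i])) {
    // The fix: leave no residual value behind for the caller to classify.
    state.returnValue = undefined;
    return false;
  }
  return true;
}

// Decide between INTEGER and DOUBLE the way a lexer would after accumulating a value.
// An undefined or NaN value cannot be classified at all.
function classify(value) {
  if (value === undefined || Number.isNaN(value)) return TokenType.ERROR;
  return Number.isSafeInteger(value) && value <= 0x7fffffff ? TokenType.INTEGER : TokenType.DOUBLE;
}

// Lex one binary or octal literal at the start of src. Returns { type, value, end }.
function lexNumericLiteral(src) {
  const state = { pos: 2, returnValue: undefined };
  const prefix = src.slice(0, 2).toLowerCase();
  let ok;
  if (prefix === "0b") ok = parseRadixDigits(src, state, 2);
  else if (prefix === "0o") ok = parseRadixDigits(src, state, 8);
  else return { type: TokenType.ERROR, value: undefined, end: 0 };
  // Because parseRadixDigits cleared returnValue on failure, classification of a failed
  // literal cannot produce an INTEGER/DOUBLE token built from residual digits.
  const type = ok ? classify(state.returnValue) : TokenType.ERROR;
  return { type, value: state.returnValue, end: state.pos };
}
```

The pattern generalizes to any parser that writes partial results through an out-parameter: a failure path that returns a status code but leaves the output slot populated hands the caller a value that looks valid, and the caller's later checks (here the INTEGER/DOUBLE classification, in the engine an assertion on an impure NaN) are not designed for that input.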
1142
1143 2016-06-06  Mark Lam  <mark.lam@apple.com>
1144
1145         32-bit JSC stress test failing: stress/recursive-try-catch.js.ftl-no-cjit-validate-sampling-profiler
1146         https://bugs.webkit.org/show_bug.cgi?id=158362
1147
1148         Reviewed by Michael Saboff.
1149
1150         The test does infinite recursion until it overflows the stack.  That means the
1151         sampling profiler will have to capture excessively large samples, which in turn
1152         makes it run very slowly.  This is what causes the test to time out.
1153
1154         The fix is to not run the test with the sampling profiler.
1155
1156         * tests/stress/recursive-try-catch.js:
1157
1158 2016-06-06  Andreas Kling  <akling@apple.com>
1159
1160         Don't reportAbandonedObjectGraph() after throwing out linked code or RegExps.
1161         <https://webkit.org/b/158444>
1162
1163         Unreviewed.
1164
1165         This is a speculative change for iOS performance bots. The calls to reportAbandonedObjectGraph
1166         were basically redundant, since mainframe navigation will cause GC acceleration anyway via
1167         ScriptController.
1168
1169         This appears successful at recovering the ~0.7% regression I could reproduce locally on newer
1170         hardware but it's a bit too noisy to say for sure.
1171
1172         * runtime/VM.cpp:
1173         (JSC::VM::deleteAllLinkedCode):
1174         (JSC::VM::deleteAllRegExpCode):
1175
1176 2016-06-06  Skachkov Oleksandr  <gskachkov@gmail.com>

1177         [ESNext] Trailing commas in function parameters.
1178         https://bugs.webkit.org/show_bug.cgi?id=158020
1179
1180         Reviewed by Keith Miller.
1181
1182         ESNext allows trailing commas in function parameters and function arguments.
1183         Link to the spec: https://jeffmo.github.io/es-trailing-function-commas
1184         Example of use: (function (a, b,) { return a + b; })(1,2,);
1185
1186         * parser/Parser.cpp:
1187         (JSC::Parser<LexerType>::parseFormalParameters):
1188         (JSC::Parser<LexerType>::parseArguments):
1189         * tests/stress/trailing-comma-in-function-paramters.js: Added.
1190
1191 2016-06-05  Gavin & Ellie Barraclough  <barraclough@apple.com>
1192
1193         Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead.
1194         https://bugs.webkit.org/show_bug.cgi?id=158178
1195
1196         Reviewed by Darin Adler.
1197
1198         As of bug #158059 most JSC static table property access no longer requires getOwnPropertySlot to be
1199         overridden. Port remaining calls to the getStatic* functions in Lookup.h over to the new mechanism.
1200
1201         Deprecate getStatic* functions in Lookup.h
1202
1203         * runtime/Lookup.h:
1204         (JSC::getStaticPropertySlot): Deleted.
1205         (JSC::getStaticFunctionSlot): Deleted.
1206         (JSC::getStaticValueSlot): Deleted.
1207             - No longer required. Static table access now via JSObject.
1208
1209 2016-06-06  Guillaume Emont  <guijemont@igalia.com>
1210
1211         [jsc][mips] Implement absDouble()
1212         https://bugs.webkit.org/show_bug.cgi?id=158206
1213
1214         Reviewed by Mark Lam.
1215
1216         Implement absDouble() for MIPS. This is needed because Math.pow() uses
1217         it since r200208.
1218
1219         * assembler/MIPSAssembler.h:
1220         (JSC::MIPSAssembler::absd):
1221         * assembler/MacroAssemblerMIPS.h:
1222         (JSC::MacroAssemblerMIPS::absDouble):
1223
1224 2016-06-03  Oliver Hunt  <oliver@apple.com>
1225
1226         RegExp unicode parsing reads an extra character before failing
1227         https://bugs.webkit.org/show_bug.cgi?id=158376
1228
1229         Reviewed by Saam Barati.
1230
1231         This was probably a harmless bug, but keeps triggering assertions
1232         for me locally. Essentially we'd see a parse error, set the error
1233         type, but then carry on parsing. In debug builds this asserts, in
1234         release builds you are pretty safe unless you're exceptionally
1235         unlucky with where the error occurs.
1236
1237         * yarr/YarrParser.h:
1238         (JSC::Yarr::Parser::parseEscape):
1239
1240 2016-06-06  Guillaume Emont  <guijemont@igalia.com>
1241
1242         [jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail
1243         https://bugs.webkit.org/show_bug.cgi?id=158209
1244
1245         Reviewed by Mark Lam.
1246
1247         On MIPS, changes GPRInfo::nonArgGPR0 to be regT4 instead of regT0,
1248         since the code of JIT::emit_op_log_shadow_chicken_prologue/_tail()
1249         expects nonArgGPR0 to be a different register from regT0 and regT2.
1250
1251         * jit/GPRInfo.h:
1252
1253 2016-06-06  Chris Dumez  <cdumez@apple.com>
1254
1255         Crash under JSObject::getOwnPropertyDescriptor()
1256         https://bugs.webkit.org/show_bug.cgi?id=158382
1257         <rdar://problem/26605004>
1258
1259         Reviewed by Mark Lam.
1260
1261         * runtime/JSObject.h:
1262         (JSC::JSObject::putDirectInternal):
1263         We were crashing under getOwnPropertyDescriptor() because the
1264         CustomAccessor was not properly reset on window.statusbar when
1265         setting it to false (which is allowed because the property is
1266         marked as [Replaceable] in the IDL). We now properly reset the
1267         CustomAccessor flag in putDirectInternal() when needed. This
1268         fixes the crash.
1269
1270 2016-06-06  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1271
1272         [EFL] Move efl include paths to JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
1273         https://bugs.webkit.org/show_bug.cgi?id=158418
1274
1275         Reviewed by Csaba Osztrogonác.
1276
1277         In Source/JavaScriptCore/PlatformEfl.cmake, we don't use JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
1278         for efl include paths.
1279
1280         * PlatformEfl.cmake:
1281         * tests/stress/encode-decode-ascii.js: Added.
1282         (shouldBe):
1283         * tests/stress/encode-decode-unicode.js: Added.
1284         (shouldBe):
1285         (isLowSurrogate):
1286         (isHighSurrogate):
1287         (isSurrogate):
1288         * tests/stress/encode-decode-uri-component-surrogates.js: Added.
1289         (shouldBe):
1290         (toHighSurrogate):
1291         (toLowSurrogate):
1292         * tests/stress/encode-decode-uri-surrogates.js: Added.
1293         (shouldBe):
1294         (toHighSurrogate):
1295         (toLowSurrogate):
1296         * tests/stress/encode-decode-zero.js: Added.
1297         (shouldBe):
1298         * tests/stress/escape-unescape-surrogates.js: Added.
1299         (shouldBe):
1300         (toHighSurrogate):
1301         (toLowSurrogate):
1302
1303 2016-06-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1304
1305         Change ProxyObject.[[Get]] not to use custom accessor
1306         https://bugs.webkit.org/show_bug.cgi?id=157080
1307
1308         Reviewed by Darin Adler.
1309
1310         This patch focuses on introducing the second part of the following.
1311         But to do so, the first and third parts are necessary.
1312
1313         1. Insert missing exception checks for getPropertySlot.
1314
1315             While getPropertySlot can perform user-observable behavior if the slot is not VMInquiry,
1316             several places miss exception checks. For example, ProxyObject's hasProperty already can
1317             throw any errors. Looking through the code, we found several missing error checks after
1318             hasProperty, but this will be fixed in the separated patch[1].
1319
1320         2. Do not use custom accessor to implement ProxyObject's [[Get]].
1321
1322             The caller already allows getOwnPropertySlot to throw an exception if the type
1323             is not VMInquiry. So instead of using custom accessor, we simply implement it
1324             directly in the ProxyObject's method.
1325
1326         3. Strip slotBase from custom accessor.
1327
1328             The custom accessor should not be bound to the specific slot base[2], since it
1329             is just an accessor. There is an alternative design: making this custom accessor
1330             a custom value accessor and accept both the slot base and the receiver instead
1331             of allowing throwing an error from getOwnPropertySlot. But we take the first design
1332             that allows getPropertySlot to throw an error, since hasProperty (that does not call
1333             getValue of the custom getters) can already throw any errors.
1334
1335             To query the property with the non-user-observable way, we already provided the way for that:
1336             use VMInquiry and isTaintedByProxy() instead.
1337
1338         Tests just ensure that the current semantics works correctly after this patch.
1339         And this patch is performance neutral.
1340
1341         Later, we will attempt to rename "thisValue" to "receiver"[3].
1342
1343         [1]: https://bugs.webkit.org/show_bug.cgi?id=158398
1344         [2]: https://bugs.webkit.org/show_bug.cgi?id=157978
1345         [3]: https://bugs.webkit.org/show_bug.cgi?id=158397
1346
1347         * API/JSCallbackObject.h:
1348         * API/JSCallbackObjectFunctions.h:
1349         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1350         (JSC::JSCallbackObject<Parent>::callbackGetter):
1351         * bytecode/PolymorphicAccess.cpp:
1352         (JSC::AccessCase::generateImpl):
1353         * dfg/DFGOperations.cpp:
1354         * interpreter/Interpreter.cpp:
1355         (JSC::Interpreter::execute):
1356         * jit/JITOperations.cpp:
1357         * jsc.cpp:
1358         (WTF::ImpureGetter::getOwnPropertySlot):
1359         (WTF::CustomGetter::customGetter):
1360         (WTF::RuntimeArray::lengthGetter):
1361         (GlobalObject::finishCreation):
1362         (GlobalObject::moduleLoaderFetch):
1363         (functionGetGetterSetter):
1364         (functionRun):
1365         (functionLoad):
1366         (functionLoadString):
1367         (functionReadFile):
1368         (functionCheckSyntax):
1369         (functionLoadWebAssembly):
1370         (functionLoadModule):
1371         (functionCreateBuiltin):
1372         (functionCheckModuleSyntax):
1373         (dumpException):
1374         (runWithScripts):
1375         (runInteractive):
1376         * llint/LLIntSlowPaths.cpp:
1377         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1378         * runtime/CommonSlowPaths.cpp:
1379         (JSC::SLOW_PATH_DECL):
1380         * runtime/JSBoundSlotBaseFunction.cpp:
1381         (JSC::boundSlotBaseFunctionCall):
1382         * runtime/JSCJSValue.h:
1383         * runtime/JSCJSValueInlines.h:
1384         (JSC::JSValue::getPropertySlot):
1385         * runtime/JSCellInlines.h:
1386         (JSC::ExecState::vm):
1387         This change is super important for performance. We add several `exec->hadException()` calls into the super hot path, like JSC::operationGetByIdOptimize.
1388         Without this change, we call ExecState::vm() and it is not inlined. This causes 1 - 2% performance regression in Octane PDFJS.
1389
1390         * runtime/JSFunction.cpp:
1391         (JSC::JSFunction::argumentsGetter):
1392         (JSC::JSFunction::callerGetter):
1393         * runtime/JSFunction.h:
1394         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1395         (JSC::constructGenericTypedArrayViewWithArguments):
1396         * runtime/JSModuleNamespaceObject.cpp:
1397         (JSC::callbackGetter):
1398         * runtime/JSONObject.cpp:
1399         (JSC::Stringifier::Holder::appendNextProperty):
1400         Here's UNLIKELY is important for Kraken's json-stringify-tinderbox. Without it, we can observe 0.5% regression.
1401
1402         (JSC::Walker::walk):
1403         * runtime/JSObject.h:
1404         (JSC::JSObject::getPropertySlot):
1405         * runtime/ObjectPrototype.cpp:
1406         (JSC::objectProtoFuncToString):
1407         * runtime/PropertySlot.cpp:
1408         (JSC::PropertySlot::customGetter):
1409         * runtime/PropertySlot.h:
1410         (JSC::PropertySlot::thisValue):
1411         * runtime/ProxyObject.cpp:
1412         (JSC::performProxyGet):
1413         (JSC::ProxyObject::performGet):
1414         (JSC::ProxyObject::getOwnPropertySlotCommon):
1415         * runtime/ProxyObject.h:
1416         * runtime/RegExpConstructor.cpp:
1417         (JSC::regExpConstructorDollar):
1418         (JSC::regExpConstructorInput):
1419         (JSC::regExpConstructorMultiline):
1420         (JSC::regExpConstructorLastMatch):
1421         (JSC::regExpConstructorLastParen):
1422         (JSC::regExpConstructorLeftContext):
1423         (JSC::regExpConstructorRightContext):
1424         * tests/stress/get-from-scope-dynamic-onto-proxy.js: Added.
1425         (shouldBe):
1426         (shouldThrow.handler.has):
1427         (handler.has):
1428         (try.handler.has):
1429         * tests/stress/operation-in-throw-error.js: Added.
1430         (testCase.handler.has):
1431         (testCase):
1432         * tests/stress/proxy-and-json-stringify.js: Added.
1433         (shouldThrow):
1434         * tests/stress/proxy-and-typed-array.js: Added.
1435         * tests/stress/proxy-json-path.js: Added.
1436         * tests/stress/proxy-with-statement.js: Added.
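
        Added example (not WebKit code and not part of this entry): the observable
        contract that the stress tests above exercise is that an exception thrown by a
        Proxy trap during a property lookup propagates out of whichever engine path
        performed the lookup (JSON serialization, typed array construction, the `in`
        operator) rather than being swallowed. The helper names and the constructed
        sample objects are this example's own.

```javascript
// Build a Proxy whose single named trap always throws the given error type.
// trapName and errorType are this example's own parameters (constructed input).
function throwingProxy(target, trapName, errorType) {
  return new Proxy(target, {
    [trapName]() { throw new errorType(`${trapName} trap fired`); },
  });
}

// Run fn and classify the outcome instead of letting the exception escape.
function outcome(fn) {
  try {
    return { threw: false, value: fn() };
  } catch (e) {
    return { threw: true, name: e.constructor.name };
  }
}

// Each lookup path must surface the trap's exception unchanged.
function proxyLookupOutcomes() {
  const getProxy = throwingProxy({ a: 1 }, 'get', RangeError);
  const hasProxy = throwingProxy({}, 'has', SyntaxError);
  return {
    // [[Get]] while JSON.stringify walks the value (first on "toJSON").
    stringify: outcome(() => JSON.stringify(getProxy)),
    // [[Get]] (iterator / length lookup) when a typed array is built from an array-like.
    typedArray: outcome(() => new Uint8Array(throwingProxy([1, 2], 'get', RangeError))),
    // [[HasProperty]] through the `in` operator.
    inOperator: outcome(() => 'x' in hasProxy),
    // Control: a plain object of the same shape serializes normally.
    plain: outcome(() => JSON.stringify({ a: 1 })),
  };
}
```

        An engine that forgot an exception check after one of these lookups would
        report `threw: false` for that path, or continue with a half-built result;
        each path here is expected to report the trap's own error type.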
1437
1438 2016-06-03  Gavin & Ellie Barraclough  <barraclough@apple.com>
1439
1440         Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead.
1441         https://bugs.webkit.org/show_bug.cgi?id=158178
1442
1443         Reviewed by Darin Adler.
1444
1445         As of bug #158059 most JSC static table property access no longer requires getOwnPropertySlot to be
1446         overridden. Port remaining calls to the getStatic* functions in Lookup.h over to the new mechanism.
1447
1448         Part 1: Switch JSGlobalObject & JSDOMWindow to use HasStaticPropertyTable.
1449
1450         * runtime/JSGlobalObject.cpp:
1451         (JSC::JSGlobalObject::getOwnPropertySlot):
1452             - Override is still required for symbol table,
1453               but regular property access is now via Base::getOwnPropertySlot.
1454         * runtime/JSGlobalObject.h:
1455             - add HasStaticPropertyTable to structureFlags.
1456
1457 2016-06-03  Benjamin Poulain  <bpoulain@apple.com>
1458
1459         Eager FTL failure for strict comparison of NaN with number check
1460         https://bugs.webkit.org/show_bug.cgi?id=158368
1461
1462         Reviewed by Darin Adler.
1463
1464         DoubleRep with a RealNumberUse starts by handling double
1465         then falls back to Int32 if the unboxed double is NaN.
1466
1467         Before handling integers, the code is checking if the input
1468         is indeed an int32. The problem was that this check failed
1469         to account for NaN as an original input of the DoubleRep.
1470
1471         The call to isNotInt32() filters the double checks because
1472         that was handled by the previous block.
1473         The problem is the previous block handles any double except NaN.
1474         If the original input was NaN, the masking by "~SpecFullDouble"
1475         filters that possibility and isNotInt32() fails to test that case.
1476
1477         This patch fixes the issue by changing the filter to SpecDoubleReal.
1478         The type SpecDoubleReal does not include the NaN types.
1479
1480         * ftl/FTLLowerDFGToB3.cpp:
1481         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1482         * tests/stress/double-rep-real-number-use-on-nan.js: Added.
1483         To ensure the isNotInt32() does not test anything, we want
1484         proven numbers as input. The (+value) are there to enforce
1485         a ToNumber() which in turn gives us a proven Number type.
1486
1487 2016-06-03  Benjamin Poulain  <bpoulain@apple.com>
1488
1489         JSON.stringify replacer function calls with numeric array indices
1490         https://bugs.webkit.org/show_bug.cgi?id=158262
1491         rdar://problem/26613876
1492
1493         Reviewed by Saam Barati.
1494
1495         The spec of SerializeJSONArray is pretty clear that the index
1496         should be transformed into a string before calling SerializeJSONProperty.
1497         See http://www.ecma-international.org/ecma-262/6.0/#sec-serializejsonarray
1498
1499         * runtime/JSONObject.cpp:
1500         (JSC::PropertyNameForFunctionCall::value):
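
        Added example (not WebKit code and not part of this entry): SerializeJSONArray
        passes ToString(index) to SerializeJSONProperty, so a replacer function sees
        every key, including array indices, as a string. The helpers below are this
        example's own and run on constructed sample values; the second one shows why a
        replacer that filters on key names can rely on the string form.

```javascript
// Record the key and its type for every property the replacer visits.
function collectReplacerKeys(value) {
  const seen = [];
  JSON.stringify(value, function (key, v) {
    // `this` is the holder object; for array elements it is the array itself.
    seen.push({ key, type: typeof key, holderIsArray: Array.isArray(this) });
    return v;
  });
  return seen;
}

// A key-filtering replacer: because indices arrive as strings, the same
// comparison handles object property names and array positions alike.
function redactIndexedSecrets(value) {
  return JSON.stringify(value, (key, v) => {
    if (typeof key !== 'string') throw new TypeError('replacer key must be a string');
    return key === 'secret' || key === '1' ? '[redacted]' : v;
  });
}
```

        Running collectReplacerKeys(['a', 'b']) visits the root key "" followed by
        "0" and "1", all of type string, and redactIndexedSecrets replaces both the
        named property and the element at index 1.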
1501
1502 2016-06-03  Saam barati  <sbarati@apple.com>
1503
1504         Proxy.ownKeys should no longer throw an exception when duplicate keys are returned and the target is non-extensible
1505         https://bugs.webkit.org/show_bug.cgi?id=158350
1506         <rdar://problem/26626211>
1507
1508         Reviewed by Michael Saboff.
1509
1510         The spec was recently changed in Proxy [[OwnPropertyKeys]]
1511         to allow for duplicate property names under certain circumstances.
1512         This patch fixes our implementation to match the spec.
1513         See: https://github.com/tc39/ecma262/pull/594
1514
1515         * runtime/ProxyObject.cpp:
1516         (JSC::ProxyObject::performGetOwnPropertyNames):
1517         * tests/stress/proxy-own-keys.js:
1518         (i.catch):
1519         (ownKeys):
1520         (assert):
1521
1522 2016-06-03  Saam barati  <sbarati@apple.com>
1523
1524         Some shadow chicken code is wrong when run on a big endian CPU
1525         https://bugs.webkit.org/show_bug.cgi?id=158361
1526
1527         Reviewed by Mark Lam.
1528
1529         This code was wrong on a big endian CPU, and it was
1530         also an anti-pattern in the file. The code was harmless
1531         on a little endian CPU, but it's better to remove it.
1532
1533         * llint/LowLevelInterpreter64.asm:
1534
1535 2016-06-03  Keith Miller  <keith_miller@apple.com>
1536
1537         Add argument_count bytecode for concat
1538         https://bugs.webkit.org/show_bug.cgi?id=158358
1539
1540         Reviewed by Geoffrey Garen.
1541
1542         This patch adds a new argument count bytecode. Normally, we would
1543         just make sure that the argument.length bytecode was fast enough
1544         that we shouldn't need such a bytecode.  However, for the case of
1545         Array.prototype.concat the overhead of the arguments object
1546         allocation in the LLInt was too high and caused regressions.
1547
1548         * bytecode/BytecodeIntrinsicRegistry.h:
1549         * bytecode/BytecodeList.json:
1550         * bytecode/BytecodeUseDef.h:
1551         (JSC::computeUsesForBytecodeOffset):
1552         (JSC::computeDefsForBytecodeOffset):
1553         * bytecode/CodeBlock.cpp:
1554         (JSC::CodeBlock::dumpBytecode):
1555         * bytecompiler/NodesCodegen.cpp:
1556         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argumentCount):
1557         * dfg/DFGByteCodeParser.cpp:
1558         (JSC::DFG::ByteCodeParser::getArgumentCount):
1559         (JSC::DFG::ByteCodeParser::parseBlock):
1560         * dfg/DFGCapabilities.cpp:
1561         (JSC::DFG::capabilityLevel):
1562         * jit/JIT.cpp:
1563         (JSC::JIT::privateCompileMainPass):
1564         * jit/JIT.h:
1565         * jit/JITOpcodes.cpp:
1566         (JSC::JIT::emit_op_argument_count):
1567         * llint/LowLevelInterpreter32_64.asm:
1568         * llint/LowLevelInterpreter64.asm:
1569         * tests/stress/argument-count-bytecode.js: Added.
1570         (inlineCount):
1571         (inlineCount1):
1572         (inlineCount2):
1573         (inlineCountVarArgs):
1574         (assert):
1575
1576 2016-06-03  Geoffrey Garen  <ggaren@apple.com>
1577
1578         Clients of PolymorphicAccess::addCases shouldn't have to malloc
1579         https://bugs.webkit.org/show_bug.cgi?id=158357
1580
1581         Reviewed by Keith Miller.
1582
1583         We only ever have 1 or 2 cases, so we can use inline Vector capacity.
1584
1585         This shows up a little in the JSBench profile.
1586
1587         * bytecode/PolymorphicAccess.cpp:
1588         (JSC::PolymorphicAccess::addCases):
1589         (JSC::PolymorphicAccess::addCase):
1590         * bytecode/PolymorphicAccess.h:
1591         * bytecode/StructureStubInfo.cpp:
1592         (JSC::StructureStubInfo::addAccessCase):
1593
1594 2016-06-03  Benjamin Poulain  <bpoulain@apple.com>
1595
1596         Fix some more INFINITI->INFINITY typos
1597
1598         Unreviewed.
1599
1600         The tests were not covering the edge cases they were supposed to test.
1601
1602         * tests/stress/math-ceil-basics.js:
1603         (testMathCeilOnConstants):
1604         * tests/stress/math-clz32-basics.js:
1605         (testMathClz32OnDoubles):
1606         (testMathClz32OnConstants):
1607         * tests/stress/math-floor-basics.js:
1608         (testMathFloorOnConstants):
1609         * tests/stress/math-round-basics.js:
1610         (testMathRoundOnConstants):
1611         * tests/stress/math-trunc-basics.js:
1612         (testMathTruncOnConstants):
1613
1614 2016-06-02  Gavin & Ellie Barraclough  <barraclough@apple.com>
1615
1616         JSGlobalObject::addFunction should call deleteProperty rather than removeDirect
1617         https://bugs.webkit.org/show_bug.cgi?id=158295
1618
1619         Reviewed by Saam Barati.
1620
1621         When a function is declared in program code, this replaces any previously existing
1622         property from the global object. JSGlobalObject::addFunction is currently calling
1623         removeDirect rather than deleteProperty to remove the existing property. This fails
1624         to remove any properties from static tables.
1625
1626         We currently get away with this because (a) JSObject & JSGlobalObject don't currently
1627         have any properties in static tables, and (b) the current quirky property precedence
1628         means that the symbol table properties end up taking precedence over JSDOMWindow's
1629         static table, so window object properties end up being shadowed.
1630
1631         As a part of bug #158178 the precedence of static tables will change, requiring this
1632         to be fixed.
1633
1634         The deleteProperty function does what we want (has the ability to remove properties,
1635         including those from the static tables). Normally deleteProperty will not remove
1636         properties that are non-configurable (DontDelete) - we need to do so. The function
1637         does already support this, through a flag on VM named 'isInDefineOwnProperty', which
1638         causes configurability to be ignored. Generalize this mechanism for use outside of
1639         defineOwnProperty, renaming & moving DefineOwnPropertyScope helper class out to VM.
1640
1641         * runtime/JSFunction.cpp:
1642         (JSC::JSFunction::deleteProperty):
1643             - isInDefineOwnProperty -> deletePropertyMode.
1644         * runtime/JSGlobalObject.cpp:
1645         (JSC::JSGlobalObject::addFunction):
1646             - removeDirect -> deleteProperty.
1647         * runtime/JSObject.cpp:
1648         (JSC::JSObject::deleteProperty):
1649             - isInDefineOwnProperty -> deletePropertyMode.
1650         (JSC::JSObject::defineOwnNonIndexProperty):
1651             - DefineOwnPropertyScope -> VM::DeletePropertyModeScope.
1652         (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope): Deleted.
1653         (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope): Deleted.
1654             - DefineOwnPropertyScope -> VM::DeletePropertyModeScope.
1655         * runtime/VM.cpp:
1656         (JSC::VM::VM):
1657             - removed m_inDefineOwnProperty.
1658         * runtime/VM.h:
1659         (JSC::VM::deletePropertyMode):
1660             - isInDefineOwnProperty -> deletePropertyMode.
1661         (JSC::VM::DeletePropertyModeScope::DeletePropertyModeScope):
1662         (JSC::VM::DeletePropertyModeScope::~DeletePropertyModeScope):
1663             - DefineOwnPropertyScope -> VM::DeletePropertyModeScope.
1664         (JSC::VM::setInDefineOwnProperty): Deleted.
1665             - Replaced with deletePropertyMode, can now only be set via VM::DeletePropertyModeScope.
1666         (JSC::VM::isInDefineOwnProperty): Deleted.
1667             - isInDefineOwnProperty -> deletePropertyMode.
1668
1669 2016-06-03  Mark Lam  <mark.lam@apple.com>
1670
1671         ARMv7 vstm and vldm instructions can only operate on a maximum of 16 registers.
1672         https://bugs.webkit.org/show_bug.cgi?id=158349
1673
1674         Reviewed by Filip Pizlo.
1675
1676         According to the ARM Assembler Reference, the vstm and vldm instructions can only
1677         operate on a maximum of 16 registers.  See
1678         http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dht0002a/ch01s03s02.html
1679         and http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dht0002a/ch01s03s02.html.
1680
1681         The ARMv7 probe code was wrongly using these instructions to store and load all
1682         32 'd' registers.  This is now fixed.
1683
1684         * assembler/MacroAssemblerARMv7.cpp:
1685
1686 2016-06-03  Mark Lam  <mark.lam@apple.com>
1687
1688         Gardening: CLOOP build fix (needs a #include).
1689
1690         Not reviewed.
1691
1692         * interpreter/StackVisitor.h:
1693
1694 2016-06-03  Andreas Kling  <akling@apple.com>
1695
1696         Eliminate two large sources of temporary StringImpl objects.
1697         <https://webkit.org/b/158336>
1698
1699         Reviewed by Anders Carlsson.
1700
1701         We were jumping through some inefficient hoops when creating Identifiers due to the
1702         convenience of our String(const char*) constructor.
1703
1704         This patch avoids just over 1 million temporary StringImpl objects on the PLUM benchmark.
1705
1706         * runtime/JSObject.h:
1707         (JSC::makeIdentifier): Add an overload for string literals so we can stop creating a temporary
1708         String just for passing to Identifier::fromString().
1709
1710         * runtime/Lookup.h:
1711         (JSC::reifyStaticProperties): Use the Identifier::fromString() that takes an LChar* and a length
1712         instead of creating a temporary String.
1713
1714 2016-06-03  Mark Lam  <mark.lam@apple.com>
1715
1716         Clean up how StackVisitor dumps its frames.
1717         https://bugs.webkit.org/show_bug.cgi?id=158316
1718
1719         Reviewed by Keith Miller.
1720
1721         1. Updated to do dumping to a PrintStream.
1722         2. Added support for printing a prefix for each frame.
1723            This is currently used by JSDollarVMPrototype to print frame numbers.
1724         3. Fix the incrementing of the frame index in StackVisitor.
1725            It was initialized but never incremented before when iterating the frames.
1726
1727         * interpreter/StackVisitor.cpp:
1728         (JSC::StackVisitor::gotoNextFrame):
1729         (JSC::StackVisitor::Frame::codeType):
1730         (JSC::StackVisitor::Frame::functionName):
1731         (JSC::StackVisitor::Frame::sourceURL):
1732         (JSC::StackVisitor::Frame::toString):
1733         (JSC::StackVisitor::Frame::createArguments):
1734         (JSC::StackVisitor::Frame::computeLineAndColumn):
1735         (JSC::StackVisitor::Frame::retrieveExpressionInfo):
1736         (JSC::StackVisitor::Frame::setToEnd):
1737         (JSC::StackVisitor::Frame::dump):
1738         (JSC::StackVisitor::Indent::dump):
1739         (JSC::printIndents): Deleted.
1740         (JSC::log): Deleted.
1741         (JSC::logF): Deleted.
1742         (JSC::StackVisitor::Frame::print): Deleted.
1743         * interpreter/StackVisitor.h:
1744         (JSC::StackVisitor::Indent::Indent):
1745         (JSC::StackVisitor::Indent::operator++):
1746         (JSC::StackVisitor::Indent::operator--):
1747         (JSC::StackVisitor::Frame::isJSFrame):
1748         (JSC::StackVisitor::Frame::isInlinedFrame):
1749         (JSC::StackVisitor::Frame::vmEntryFrame):
1750         (JSC::StackVisitor::Frame::callFrame):
1751         (JSC::StackVisitor::Frame::Frame):
1752         (JSC::StackVisitor::Frame::~Frame):
1753         * tools/JSDollarVMPrototype.cpp:
1754         (JSC::PrintFrameFunctor::operator()):
1755
1756 2016-06-02  Saam Barati  <sbarati@apple.com>
1757
1758         global lexical environment variables are not accessible through functions created using the function constructor
1759         https://bugs.webkit.org/show_bug.cgi?id=158319
1760
1761         Reviewed by Filip Pizlo.
1762
1763         When creating a function using the Function constructor, we were
1764         using the global object instead of the global lexical environment
1765         as the function's scope. We should be using the global lexical environment.
1766
1767         * runtime/FunctionConstructor.cpp:
1768         (JSC::constructFunctionSkippingEvalEnabledCheck):
1769         * tests/stress/function-constructor-reading-from-global-lexical-environment.js: Added.
1770         (assert):
1771         (test):
1772         (ClassTDZ):
1773
1774 2016-06-02  Oliver Hunt  <oliver@apple.com>
1775
1776         JS parser incorrectly handles invalid utf8 in error messages.
1777         https://bugs.webkit.org/show_bug.cgi?id=158128
1778
1779         Reviewed by Saam Barati.
1780
1781         The bug here was caused by us using PrintStream's toString method
1782         to produce the error message for a parse error, even though toString
1783         may produce a null string in the event of invalid utf8 that causes
1784         the error in first case. So when we try to create an error message
1785         containing the invalid character code, we set m_errorMessage to the
1786         null string, as that signals "no error" we don't stop parsing, and
1787         everything goes downhill from there.
1788
1789         Now we use the new toStringWithLatin1Fallback so that we can always
1790         produce an error message, even if it contains invalid unicode. We
1791         also add an additional fallback so that we can guarantee an error
1792         message is set even if we're given a null string. There's a debug
1793         mode assertion to prevent anyone accidentally attempting to clear
1794         the message via setErrorMessage.
1795
1796         * parser/Parser.cpp:
1797         (JSC::Parser<LexerType>::logError):
1798         * parser/Parser.h:
1799         (JSC::Parser::setErrorMessage):
1800
1801 2016-06-02  Saam Barati  <sbarati@apple.com>
1802
1803         Teach bytecode liveness about the debugger
1804         https://bugs.webkit.org/show_bug.cgi?id=158288
1805
1806         Reviewed by Filip Pizlo.
1807
1808         There was a bug where we wouldn't always keep the scope register
1809         on the stack when the debugger is enabled. The debugger always assumes
1810         it can read from the scope. The bug happened in OSR exit from the FTL.
1811         The FTL uses bytecode liveness for OSR exit. Bytecode liveness proved
1812         that the scope register was dead, so the FTL OSR exit wrote `undefined`
1813         into the scope's stack slot when OSR exiting to the baseline.
1814
1815         To fix this, I taught bytecode liveness' computeUsesForBytecodeOffset() that the
1816         scope is used by every instruction except op_enter. This causes the
1817         scope to be live-in at every instruction except op_enter.
1818
1819         * bytecode/BytecodeLivenessAnalysis.cpp:
1820         (JSC::blockContainsBytecodeOffset):
1821         (JSC::addAlwaysLiveLocals):
1822         (JSC::findBasicBlockForBytecodeOffset):
1823         (JSC::stepOverInstruction):
1824         (JSC::computeLocalLivenessForBytecodeOffset):
1825         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1826         * bytecode/UnlinkedCodeBlock.cpp:
1827         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1828         * tests/stress/shadow-chicken-reading-from-scope-after-ftl-osr-exit-bytecode-liveness.js: Added.
1829         (foo):
1830         (catch):
1831
1832 2016-06-02  Michael Saboff  <msaboff@apple.com>
1833
1834         REGRESSION(r200694): %ThrowTypeError% is not unique
1835         https://bugs.webkit.org/show_bug.cgi?id=158231
1836
1837         Reviewed by Joseph Pecoraro.
1838
1839         The ES6 standard in section 9.2.7.1 states that %ThrowTypeError% is unique.  This
1840         change reverts the handling of TypeError before r200694 and then rolls in
1841         throwTypeErrorGetterSetter() with the renamed throwTypeErrorArgumentsCalleeAndCallerGetterSetter().
1842
1843         * runtime/ClonedArguments.cpp:
1844         (JSC::ClonedArguments::getOwnPropertySlot):
1845         (JSC::ClonedArguments::materializeSpecials):
1846         * runtime/JSBoundFunction.cpp:
1847         (JSC::JSBoundFunction::finishCreation):
1848         (JSC::JSBoundFunction::visitChildren):
1849         * runtime/JSFunction.cpp:
1850         (JSC::getThrowTypeErrorGetterSetter):
1851         (JSC::JSFunction::callerGetter):
1852         (JSC::JSFunction::defineOwnProperty):
1853         * runtime/JSGlobalObject.cpp:
1854         (JSC::JSGlobalObject::init):
1855         (JSC::JSGlobalObject::visitChildren):
1856         * runtime/JSGlobalObject.h:
1857         (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
1858         (JSC::JSGlobalObject::regExpProtoGlobalGetter):
1859         (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
1860         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
1861         (JSC::JSGlobalObject::moduleLoader):
1862         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
1863         (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter): Deleted.
1864         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter): Deleted.
1865         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter): Deleted.
1866         * runtime/JSGlobalObjectFunctions.cpp:
1867         (JSC::globalFuncThrowTypeError):
1868         (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
1869         (JSC::globalFuncThrowTypeErrorCalleeAndCaller): Deleted.
1870         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode): Deleted.
1871         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext): Deleted.
1872         * runtime/JSGlobalObjectFunctions.h:
1873         * tests/stress/reflect-set.js:
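
        Added example (not WebKit code and not part of this entry): a script-level
        check of the ES6 9.2.7.1 requirement that %ThrowTypeError% is one function
        object per realm. Every restricted accessor the spec routes to it (the
        'caller' and 'arguments' getters and setters on Function.prototype, and the
        'callee' getter and setter of a strict-mode arguments object) must be the same
        object, and calling it must throw a TypeError. The helper names are this
        example's own.

```javascript
// Strict-mode arguments objects expose 'callee' as a %ThrowTypeError% accessor.
function strictArgumentsObject() {
  'use strict';
  return arguments;
}

// Gather every getter and setter that the spec requires to be %ThrowTypeError%.
function collectThrowTypeErrorAccessors() {
  const out = [];
  for (const name of ['caller', 'arguments']) {
    const desc = Object.getOwnPropertyDescriptor(Function.prototype, name);
    out.push(desc.get, desc.set);
  }
  const callee = Object.getOwnPropertyDescriptor(strictArgumentsObject(), 'callee');
  out.push(callee.get, callee.set);
  return out;
}

// True when all collected accessors are one and the same function object.
function throwTypeErrorIsUnique() {
  const fns = collectThrowTypeErrorAccessors();
  return fns.every((f) => typeof f === 'function' && f === fns[0]);
}

// %ThrowTypeError% must throw a TypeError whenever it is called.
function throwTypeErrorThrows() {
  const thrower = collectThrowTypeErrorAccessors()[0];
  try {
    thrower();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

        The regression described in this entry would show up as
        throwTypeErrorIsUnique() returning false, because distinct thrower functions
        would be installed on the different restricted properties.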
1874
1875 2016-06-02  Michael Saboff  <msaboff@apple.com>
1876
1877         [iOS]: Some JSC stress tests fail running out of executable memory when the LLInt is disabled
1878         https://bugs.webkit.org/show_bug.cgi?id=158317
1879
1880         Reviewed by Saam Barati.
1881
1882         Updated these tests to not run the "no-llint" variant when running on ARM machines.
1883
1884         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Skip no-llint for ARM
1885         (testCase):
1886         * tests/stress/proxy-revoke.js: Skip no-llint for ARM and ARM64
1887         (assert):
1888
1889 2016-06-02  Keith Miller  <keith_miller@apple.com>
1890
1891         Unreviewed, reland r201532. The associated regressions have been fixed
1892         by r201584.
1893
1894 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
1895
1896         Use "= delete" for Locker(int) 
1897
1898         Rubber stamped by Saam Barati.
1899
1900         * runtime/ConcurrentJITLock.h:
1901         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1902
1903 2016-06-02  Keith Miller  <keith_miller@apple.com>
1904
1905         ObjectPropertyCondition should have a isStillValidAssumingImpurePropertyWatchpoint function
1906         https://bugs.webkit.org/show_bug.cgi?id=158308
1907
1908         Reviewed by Filip Pizlo.
1909
1910         Recently, structureEnsuresValidityAssumingImpurePropertyWatchpoint was converted to check
1911         what should be isStillValidAssumingImpurePropertyWatchpoint. This patch fixes the API so
1912         it should work as expected. This patch also changes generateConditions in
1913         ObjectPropertyConditionSet to use isStillValidAssumingImpurePropertyWatchpoint.
1914
1915         * bytecode/ObjectPropertyCondition.cpp:
1916         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
1917         (JSC::ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
1918         * bytecode/ObjectPropertyCondition.h:
1919         * bytecode/ObjectPropertyConditionSet.cpp:
1920
1921 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
1922
1923         Make it harder to accidentally pass an integer to a locker.
1924
1925         Rubber stamped by Keith Miller.
1926
1927         * runtime/ConcurrentJITLock.h:
1928         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1929
1930 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
1931
1932         Make it easier to use NoLockingNecessary
1933         https://bugs.webkit.org/show_bug.cgi?id=158306
1934
1935         Reviewed by Keith Miller.
1936         
1937         Adapt to the new NoLockingNecessary API. More details in the WTF ChangeLog.
1938
1939         * bytecompiler/BytecodeGenerator.cpp:
1940         (JSC::BytecodeGenerator::BytecodeGenerator):
1941         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1942         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1943         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1944         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
1945         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
1946         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1947         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1948         (JSC::BytecodeGenerator::variable):
1949         (JSC::BytecodeGenerator::createVariable):
1950         (JSC::BytecodeGenerator::emitResolveScope):
1951         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1952         * runtime/ConcurrentJITLock.h:
1953         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1954         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1955
1956 2016-06-01  Filip Pizlo  <fpizlo@apple.com>
1957
1958         Structure::previousID() races with Structure::allocateRareData()
1959         https://bugs.webkit.org/show_bug.cgi?id=158280
1960
1961         Reviewed by Mark Lam.
1962         
1963         The problem is that previousID() would test hasRareData() and then either load the
1964         previous Structure from the rare data, or load it directly. allocateRareData() would set
1965         the hasRareData() bit separately from moving the Structure pointer into the rare data. So
1966         we'd have a race that would cause previousID() to sometimes return the rare data instead
1967         of the previous Structure.
1968
1969         The fix is to get rid of the hasRareData bit. We can use the structureID of the
1970         previousOrRareData cell to determine if it's the previousID or the RareData. This fixes the
1971         race and it's probably not any slower.
1972
1973         * runtime/Structure.cpp:
1974         (JSC::Structure::Structure):
1975         (JSC::Structure::allocateRareData):
1976         * runtime/Structure.h:
1977
1978 2016-06-01  Michael Saboff  <msaboff@apple.com>
1979
1980         Runaway WebContent process CPU & memory @ foxnews.com
1981         https://bugs.webkit.org/show_bug.cgi?id=158290
1982
1983         Reviewed by Mark Lam.
1984
1985         Clear the thrown value at the end of the catch block so that the stack scanner won't
1986         find the value during GC.
1987
1988         Added a new stress test.
1989
1990         * bytecompiler/NodesCodegen.cpp:
1991         (JSC::TryNode::emitBytecode):
1992         * tests/stress/recursive-try-catch.js: Added.
1993         (logError):
1994         (tryCallingBadFunction):
1995         (recurse):
1996         (test):
1997
1998 2016-06-01  Benjamin Poulain  <bpoulain@apple.com>
1999
2000         [JSC] Some setters for components of Date do not timeClip() their result
2001         https://bugs.webkit.org/show_bug.cgi?id=158278
2002         rdar://problem/25131426
2003
2004         Reviewed by Geoffrey Garen.
2005
2006         Many of the setters were not doing timeClip() on the computed UTC
2007         time since Epoch.
2008
2009         See http://www.ecma-international.org/ecma-262/6.0/#sec-date.prototype.setdate
2010         and the following sections for the definition.
2011
2012         * runtime/DatePrototype.cpp:
2013         (JSC::setNewValueFromTimeArgs):
2014         (JSC::setNewValueFromDateArgs):
2015
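The clipping step the entry refers to, as an added example in JavaScript (editor's code, not JSC's setNewValueFromTimeArgs / setNewValueFromDateArgs): timeClip as ECMA-262 defines it, a simplified UTC-only model of Date.prototype.setDate (setUTCDateModel, a hypothetical helper) that applies it, and a check that the running engine returns NaN for an out-of-range setDate instead of storing an unclipped time value.

```javascript
// Added example (not JSC code): the ECMAScript timeClip step that every
// Date component setter must apply to its computed UTC time value.
// ECMA-262 bounds a time value to +/- 8.64e15 ms of the epoch.
const MAX_TIME_VALUE = 8.64e15;
const MS_PER_DAY = 86400000;

// timeClip(time): NaN if not finite or out of range, otherwise the integer
// part, with -0 normalised to +0.
function timeClip(time) {
  if (!Number.isFinite(time)) return NaN;
  if (Math.abs(time) > MAX_TIME_VALUE) return NaN;
  return Math.trunc(time) + 0; // "+ 0" turns -0 into +0
}

// Simplified UTC model of setDate (hypothetical helper, not the engine's):
// recompute the day number from the new date component, rebuild the time
// value keeping the time-within-day, then clip. MakeDay yields NaN for a
// non-finite date argument, so the model does the same.
function setUTCDateModel(timeValue, newDate) {
  if (Number.isNaN(timeValue) || !Number.isFinite(newDate)) return NaN;
  const dt = Math.trunc(newDate);
  const dayOfMonth = new Date(timeValue).getUTCDate();
  const monthStart = timeValue - (dayOfMonth - 1) * MS_PER_DAY;
  const unclipped = monthStart + (dt - 1) * MS_PER_DAY;
  return timeClip(unclipped);
}

// Engine check: a setter given a wildly out-of-range component must return
// NaN and leave the Date invalid, rather than keep an unclipped value.
function engineClipsSetDate() {
  const d = new Date(0);
  const result = d.setDate(1e20); // constructed out-of-range input
  return Number.isNaN(result) && Number.isNaN(d.getTime());
}
```

The engine check is what a regression test for this entry would assert; the model exists only to make the clipping point visible in plain JavaScript.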
2016 2016-06-01  Keith Miller  <keith_miller@apple.com>
2017
2018         canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints
2019         https://bugs.webkit.org/show_bug.cgi?id=158291
2020
2021         Reviewed by Benjamin Poulain.
2022
2023         The old StringObject primitive access code used structure watchpoints. This meant that
2024         if you set a watchpoint on String.prototype prior to tiering up to the DFG then added
2025         a new property to String.prototype then we would never use StringObject optimizations.
2026         This made property caching in the LLInt bad because it meant we would watchpoint
2027         String.prototype very early in the program, which hurt date-format-xpab.js since that
2028         benchmark relies on the StringObject optimizations.
2029
2030         This patch also extends ObjectPropertyConditionSet to be able to handle a slotBase
2031         equivalence condition. Since that makes the code for generating the DFG watchpoints
2032         significantly cleaner.
2033
2034         * bytecode/ObjectPropertyCondition.cpp:
2035         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
2036         * bytecode/ObjectPropertyConditionSet.cpp:
2037         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
2038         (JSC::ObjectPropertyConditionSet::slotBaseCondition):
2039         (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
2040         * bytecode/ObjectPropertyConditionSet.h:
2041         * dfg/DFGGraph.cpp:
2042         (JSC::DFG::Graph::isStringPrototypeMethodSane):
2043         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2044         * dfg/DFGGraph.h:
2045
2046 2016-06-01  Geoffrey Garen  <ggaren@apple.com>
2047
2048         Unreviewed, rolling in r201436.
2049         https://bugs.webkit.org/show_bug.cgi?id=158143
2050
2051         r201562 should have fixed the Dromaeo DOM core regression.
2052
2053         Restored changeset:
2054
2055         "REGRESSION: JSBench spends a lot of time transitioning
2056         to/from dictionary"
2057         https://bugs.webkit.org/show_bug.cgi?id=158045
2058         http://trac.webkit.org/changeset/201436
2059
2060
2061 2016-06-01  Commit Queue  <commit-queue@webkit.org>
2062
2063         Unreviewed, rolling out r201488.
2064         https://bugs.webkit.org/show_bug.cgi?id=158268
2065
2066         Caused 23% regression on JetStream's crypto-md5 (Requested by
2067         rniwa on #webkit).
2068
2069         Reverted changeset:
2070
2071         "[ESNext] Support trailing commas in function param lists"
2072         https://bugs.webkit.org/show_bug.cgi?id=158020
2073         http://trac.webkit.org/changeset/201488
2074
2075 2016-05-31  Geoffrey Garen  <ggaren@apple.com>
2076
2077         Dictionary property access should be fast
2078         https://bugs.webkit.org/show_bug.cgi?id=158250
2079
2080         Reviewed by Keith Miller.
2081
2082         We have some remnant code that unnecessarily takes a slow path for
2083         dictionaries. This caused the Dromaeo regression in r201436. Let's fix
2084         that.
2085
2086         * jit/Repatch.cpp:
2087         (JSC::tryCacheGetByID): Attempt to flatten a dictionary if necessary, but
2088         not too much. This is our idiom in other places.
2089
2090         (JSC::tryCachePutByID): See tryCacheGetByID.
2091
2092         * llint/LLIntSlowPaths.cpp:
2093         (JSC::LLInt::setupGetByIdPrototypeCache): See tryCacheGetByID.
2094
2095         * runtime/JSObject.cpp:
2096         (JSC::JSObject::fillGetterPropertySlot):
2097         * runtime/JSObject.h:
2098         (JSC::JSObject::fillCustomGetterPropertySlot): The rules for caching a
2099         getter are the same as the rules for caching anything else: We're
2100         allowed to cache even in dictionaries, as long as they're cacheable
2101         dictionaries. Any transition that would change to/from getter/setter
2102         or change other attributes requires a structure transition.
2103
2104 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2105
2106         [JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET
2107         https://bugs.webkit.org/show_bug.cgi?id=158223
2108
2109         Reviewed by Darin Adler.
2110
2111         This list maintains "not implemented yet" well-known symbols.
2112         `Symbol.replace` is already implemented.
2113
2114         * runtime/CommonIdentifiers.h:
2115
2116 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2117
2118         Unreviewed, roll out r201481, r201523: 0.3% regression in Octane code-load
2119         https://bugs.webkit.org/show_bug.cgi?id=158249
2120
2121         * API/JSScriptRef.cpp:
2122         (parseScript):
2123         * CMakeLists.txt:
2124         * DerivedSources.make:
2125         * JavaScriptCore.xcodeproj/project.pbxproj:
2126         * builtins/AsyncFunctionPrototype.js: Removed.
2127         (asyncFunctionResume): Deleted.
2128         * builtins/BuiltinExecutables.cpp:
2129         (JSC::BuiltinExecutables::createExecutable):
2130         * bytecode/BytecodeList.json:
2131         * bytecode/BytecodeUseDef.h:
2132         (JSC::computeUsesForBytecodeOffset): Deleted.
2133         (JSC::computeDefsForBytecodeOffset): Deleted.
2134         * bytecode/CodeBlock.cpp:
2135         (JSC::CodeBlock::finishCreation):
2136         (JSC::CodeBlock::dumpBytecode): Deleted.
2137         * bytecode/UnlinkedCodeBlock.h:
2138         (JSC::UnlinkedCodeBlock::isArrowFunction):
2139         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction): Deleted.
2140         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction): Deleted.
2141         * bytecode/UnlinkedFunctionExecutable.cpp:
2142         (JSC::generateUnlinkedFunctionCodeBlock):
2143         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2144         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2145         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2146         * bytecode/UnlinkedFunctionExecutable.h:
2147         * bytecompiler/BytecodeGenerator.cpp:
2148         (JSC::BytecodeGenerator::BytecodeGenerator):
2149         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2150         (JSC::BytecodeGenerator::emitNewMethodDefinition):
2151         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2152         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): Deleted.
2153         (JSC::BytecodeGenerator::emitNewFunction): Deleted.
2154         * bytecompiler/BytecodeGenerator.h:
2155         (JSC::BytecodeGenerator::makeFunction):
2156         * bytecompiler/NodesCodegen.cpp:
2157         (JSC::FunctionNode::emitBytecode): Deleted.
2158         * inspector/agents/InspectorRuntimeAgent.cpp:
2159         (Inspector::InspectorRuntimeAgent::parse):
2160         * jit/JIT.cpp:
2161         (JSC::JIT::privateCompileMainPass): Deleted.
2162         * jit/JIT.h:
2163         * jit/JITOpcodes.cpp:
2164         (JSC::JIT::emitNewFuncCommon): Deleted.
2165         (JSC::JIT::emit_op_new_async_func): Deleted.
2166         (JSC::JIT::emitNewFuncExprCommon): Deleted.
2167         (JSC::JIT::emit_op_new_async_func_exp): Deleted.
2168         * jit/JITOperations.cpp:
2169         * jit/JITOperations.h:
2170         * jsc.cpp:
2171         (runInteractive):
2172         (printUsageStatement): Deleted.
2173         * llint/LLIntSlowPaths.cpp:
2174         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2175         * llint/LLIntSlowPaths.h:
2176         * llint/LowLevelInterpreter.asm:
2177         * parser/ASTBuilder.h:
2178         (JSC::ASTBuilder::createAsyncFunctionBody): Deleted.
2179         * parser/Keywords.table:
2180         * parser/Parser.cpp:
2181         (JSC::Parser<LexerType>::Parser):
2182         (JSC::Parser<LexerType>::parseInner):
2183         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2184         (JSC::Parser<LexerType>::parseStatementListItem):
2185         (JSC::Parser<LexerType>::parseStatement):
2186         (JSC::Parser<LexerType>::parseFunctionParameters):
2187         (JSC::Parser<LexerType>::parseFunctionInfo):
2188         (JSC::Parser<LexerType>::parseClass):
2189         (JSC::Parser<LexerType>::parseImportClauseItem):
2190         (JSC::Parser<LexerType>::parseImportDeclaration):
2191         (JSC::Parser<LexerType>::parseExportDeclaration):
2192         (JSC::Parser<LexerType>::parseAssignmentExpression):
2193         (JSC::Parser<LexerType>::parseProperty):
2194         (JSC::Parser<LexerType>::parsePropertyMethod):
2195         (JSC::Parser<LexerType>::parsePrimaryExpression):
2196         (JSC::Parser<LexerType>::parseMemberExpression):
2197         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2198         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2199         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): Deleted.
2200         (JSC::Parser<LexerType>::parseVariableDeclarationList): Deleted.
2201         (JSC::Parser<LexerType>::parseDestructuringPattern): Deleted.
2202         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement): Deleted.
2203         (JSC::Parser<LexerType>::parseFormalParameters): Deleted.
2204         (JSC::stringForFunctionMode): Deleted.
2205         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): Deleted.
2206         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): Deleted.
2207         (JSC::Parser<LexerType>::parseAwaitExpression): Deleted.
2208         (JSC::Parser<LexerType>::parseAsyncFunctionExpression): Deleted.
2209         (JSC::Parser<LexerType>::parseUnaryExpression): Deleted.
2210         * parser/Parser.h:
2211         (JSC::Scope::Scope):
2212         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
2213         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
2214         (JSC::Parser::pushScope):
2215         (JSC::Parser::popScopeInternal):
2216         (JSC::Parser::matchSpecIdentifier):
2217         (JSC::parse):
2218         (JSC::Scope::setSourceParseMode): Deleted.
2219         (JSC::Scope::isAsyncFunction): Deleted.
2220         (JSC::Scope::isAsyncFunctionBoundary): Deleted.
2221         (JSC::Scope::isModule): Deleted.
2222         (JSC::Scope::setIsFunction): Deleted.
2223         (JSC::Scope::setIsAsyncArrowFunction): Deleted.
2224         (JSC::Scope::setIsAsyncFunction): Deleted.
2225         (JSC::Scope::setIsAsyncFunctionBody): Deleted.
2226         (JSC::Scope::setIsAsyncArrowFunctionBody): Deleted.
2227         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError): Deleted.
2228         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction): Deleted.
2229         (JSC::Parser::forceClassifyExpressionError): Deleted.
2230         (JSC::Parser::declarationTypeToVariableKind): Deleted.
2231         (JSC::Parser::upperScope): Deleted.
2232         (JSC::Parser::isDisallowedIdentifierAwait): Deleted.
2233         (JSC::Parser::disallowedIdentifierAwaitReason): Deleted.
2234         * parser/ParserModes.h:
2235         (JSC::isFunctionParseMode):
2236         (JSC::isModuleParseMode):
2237         (JSC::isProgramParseMode):
2238         (JSC::SourceParseModeSet::SourceParseModeSet): Deleted.
2239         (JSC::SourceParseModeSet::contains): Deleted.
2240         (JSC::SourceParseModeSet::mergeSourceParseModes): Deleted.
2241         (JSC::isAsyncFunctionParseMode): Deleted.
2242         (JSC::isAsyncArrowFunctionParseMode): Deleted.
2243         (JSC::isAsyncFunctionWrapperParseMode): Deleted.
2244         (JSC::isAsyncFunctionBodyParseMode): Deleted.
2245         (JSC::constructAbilityForParseMode): Deleted.
2246         * parser/ParserTokens.h:
2247         * parser/SourceCodeKey.h:
2248         (JSC::SourceCodeKey::SourceCodeKey):
2249         (JSC::SourceCodeKey::operator==):
2250         (JSC::SourceCodeKey::runtimeFlags): Deleted.
2251         * parser/SyntaxChecker.h:
2252         (JSC::SyntaxChecker::createAsyncFunctionBody): Deleted.
2253         * runtime/AsyncFunctionConstructor.cpp: Removed.
2254         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): Deleted.
2255         (JSC::AsyncFunctionConstructor::finishCreation): Deleted.
2256         (JSC::callAsyncFunctionConstructor): Deleted.
2257         (JSC::constructAsyncFunctionConstructor): Deleted.
2258         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
2259         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
2260         * runtime/AsyncFunctionConstructor.h: Removed.
2261         (JSC::AsyncFunctionConstructor::create): Deleted.
2262         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
2263         * runtime/AsyncFunctionPrototype.cpp: Removed.
2264         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype): Deleted.
2265         (JSC::AsyncFunctionPrototype::finishCreation): Deleted.
2266         * runtime/AsyncFunctionPrototype.h: Removed.
2267         (JSC::AsyncFunctionPrototype::create): Deleted.
2268         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
2269         * runtime/CodeCache.cpp:
2270         (JSC::CodeCache::getGlobalCodeBlock):
2271         (JSC::CodeCache::getProgramCodeBlock):
2272         (JSC::CodeCache::getEvalCodeBlock):
2273         (JSC::CodeCache::getModuleProgramCodeBlock):
2274         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2275         * runtime/CodeCache.h:
2276         * runtime/CommonIdentifiers.h:
2277         * runtime/Completion.cpp:
2278         (JSC::checkSyntax):
2279         (JSC::checkModuleSyntax):
2280         * runtime/Completion.h:
2281         * runtime/Executable.cpp:
2282         (JSC::ScriptExecutable::newCodeBlockFor):
2283         (JSC::ProgramExecutable::checkSyntax):
2284         * runtime/Executable.h:
2285         * runtime/FunctionConstructor.cpp:
2286         (JSC::constructFunctionSkippingEvalEnabledCheck):
2287         * runtime/FunctionConstructor.h:
2288         * runtime/JSAsyncFunction.cpp: Removed.
2289         (JSC::JSAsyncFunction::JSAsyncFunction): Deleted.
2290         (JSC::JSAsyncFunction::createImpl): Deleted.
2291         (JSC::JSAsyncFunction::create): Deleted.
2292         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint): Deleted.
2293         * runtime/JSAsyncFunction.h: Removed.
2294         (JSC::JSAsyncFunction::allocationSize): Deleted.
2295         (JSC::JSAsyncFunction::createStructure): Deleted.
2296         * runtime/JSFunction.cpp:
2297         (JSC::JSFunction::getOwnPropertySlot):
2298         * runtime/JSGlobalObject.cpp:
2299         (JSC::JSGlobalObject::createProgramCodeBlock):
2300         (JSC::JSGlobalObject::createEvalCodeBlock):
2301         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2302         (JSC::JSGlobalObject::init): Deleted.
2303         * runtime/JSGlobalObject.h:
2304         (JSC::JSGlobalObject::asyncFunctionPrototype): Deleted.
2305         (JSC::JSGlobalObject::asyncFunctionStructure): Deleted.
2306         * runtime/ModuleLoaderObject.cpp:
2307         (JSC::moduleLoaderObjectParseModule):
2308         * runtime/RuntimeFlags.h:
2309         (JSC::RuntimeFlags::operator==): Deleted.
2310         (JSC::RuntimeFlags::operator!=): Deleted.
2311         * tests/stress/async-await-basic.js: Removed.
2312         (shouldBe): Deleted.
2313         (shouldBeAsync): Deleted.
2314         (shouldThrow): Deleted.
2315         (shouldThrowAsync): Deleted.
2316         (shouldThrowSyntaxError): Deleted.
2317         (let.AsyncFunction.async): Deleted.
2318         (async.asyncFunctionForProto): Deleted.
2319         (Object.getPrototypeOf.async): Deleted.
2320         (Object.getPrototypeOf.async.method): Deleted.
2321         (async): Deleted.
2322         (async.method): Deleted.
2323         (async.asyncNonConstructorDecl): Deleted.
2324         (shouldThrow.new.async): Deleted.
2325         (shouldThrow.new.async.nonConstructor): Deleted.
2326         (async.asyncDecl): Deleted.
2327         (async.f): Deleted.
2328         (MyError): Deleted.
2329         (async.asyncDeclThrower): Deleted.
2330         (shouldThrowAsync.async): Deleted.
2331         (resolveLater): Deleted.
2332         (rejectLater): Deleted.
2333         (async.resumeAfterNormal): Deleted.
2334         (O.async.resumeAfterNormal): Deleted.
2335         (resumeAfterNormalArrow.async): Deleted.
2336         (async.resumeAfterThrow): Deleted.
2337         (O.async.resumeAfterThrow): Deleted.
2338         (resumeAfterThrowArrow.async): Deleted.
2339         (catch): Deleted.
2340         * tests/stress/async-await-module-reserved-word.js: Removed.
2341         (shouldThrow): Deleted.
2342         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await): Deleted.
2343         (checkModuleSyntaxError.String.raw.await): Deleted.
2344         (checkModuleSyntaxError.String.raw.async.await): Deleted.
2345         (SyntaxError.Cannot.declare.named): Deleted.
2346         * tests/stress/async-await-mozilla.js: Removed.
2347         (shouldBe): Deleted.
2348         (shouldBeAsync): Deleted.
2349         (shouldThrow): Deleted.
2350         (shouldThrowAsync): Deleted.
2351         (assert): Deleted.
2352         (shouldThrowSyntaxError): Deleted.
2353         (mozSemantics.async.empty): Deleted.
2354         (mozSemantics.async.simpleReturn): Deleted.
2355         (mozSemantics.async.simpleAwait): Deleted.
2356         (mozSemantics.async.simpleAwaitAsync): Deleted.
2357         (mozSemantics.async.returnOtherAsync): Deleted.
2358         (mozSemantics.async.simpleThrower): Deleted.
2359         (mozSemantics.async.delegatedThrower): Deleted.
2360         (mozSemantics.async.tryCatch): Deleted.
2361         (mozSemantics.async.tryCatchThrow): Deleted.
2362         (mozSemantics.async.wellFinally): Deleted.
2363         (mozSemantics.async.finallyMayFail): Deleted.
2364         (mozSemantics.async.embedded.async.inner): Deleted.
2365         (mozSemantics.async.embedded): Deleted.
2366         (mozSemantics.async.fib): Deleted.
2367         (mozSemantics.async.isOdd.async.isEven): Deleted.
2368         (mozSemantics.async.isOdd): Deleted.
2369         (mozSemantics.hardcoreFib.async.fib2): Deleted.
2370         (mozSemantics.namedAsyncExpr.async.simple): Deleted.
2371         (mozSemantics.async.executionOrder.async.first): Deleted.
2372         (mozSemantics.async.executionOrder.async.second): Deleted.
2373         (mozSemantics.async.executionOrder.async.third): Deleted.
2374         (mozSemantics.async.executionOrder): Deleted.
2375         (mozSemantics.async.miscellaneous): Deleted.
2376         (mozSemantics.thrower): Deleted.
2377         (mozSemantics.async.defaultArgs): Deleted.
2378         (mozSemantics.shouldThrow): Deleted.
2379         (mozSemantics): Deleted.
2380         (mozMethods.X): Deleted.
2381         (mozMethods.X.prototype.async.getValue): Deleted.
2382         (mozMethods.X.prototype.setValue): Deleted.
2383         (mozMethods.X.prototype.async.increment): Deleted.
2384         (mozMethods.X.prototype.async.getBaseClassName): Deleted.
2385         (mozMethods.X.async.getStaticValue): Deleted.
2386         (mozMethods.Y.prototype.async.getBaseClassName): Deleted.
2387         (mozMethods.Y): Deleted.
2388         (mozFunctionNameInferrence.async.test): Deleted.
2389         (mozSyntaxErrors): Deleted.
2390         * tests/stress/async-await-reserved-word.js: Removed.
2391         (assert): Deleted.
2392         (shouldThrowSyntaxError): Deleted.
2393         (AsyncFunction.async): Deleted.
2394         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Removed.
2395         (shouldBe): Deleted.
2396         (shouldBeAsync): Deleted.
2397         (shouldThrowAsync): Deleted.
2398         (noArgumentsArrow2.async): Deleted.
2399         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Removed.
2400         (shouldBe): Deleted.
2401         (shouldBeAsync): Deleted.
2402         (shouldThrowAsync): Deleted.
2403         (C1): Deleted.
2404         (C2): Deleted.
2405         (shouldThrowAsync.async): Deleted.
2406         * tests/stress/async_arrow_functions_lexical_super_binding.js: Removed.
2407         (shouldBe): Deleted.
2408         (shouldBeAsync): Deleted.
2409         (BaseClass.prototype.baseClassValue): Deleted.
2410         (BaseClass.prototype.get property): Deleted.
2411         (BaseClass): Deleted.
2412         (ChildClass.prototype.asyncSuperProp): Deleted.
2413         (ChildClass.prototype.asyncSuperProp2): Deleted.
2414         (ChildClass): Deleted.
2415         (ChildClass2): Deleted.
2416         * tests/stress/async_arrow_functions_lexical_this_binding.js: Removed.
2417         (shouldBe): Deleted.
2418         (shouldBeAsync): Deleted.
2419         (d.y): Deleted.
2420
2421 2016-05-31  Commit Queue  <commit-queue@webkit.org>
2422
2423         Unreviewed, rolling out r201363 and r201456.
2424         https://bugs.webkit.org/show_bug.cgi?id=158240
2425
2426         "40% regression on date-format-xparb" (Requested by
2427         keith_miller on #webkit).
2428
2429         Reverted changesets:
2430
2431         "LLInt should be able to cache prototype loads for values in
2432         GetById"
2433         https://bugs.webkit.org/show_bug.cgi?id=158032
2434         http://trac.webkit.org/changeset/201363
2435
2436         "get_by_id should support caching unset properties in the
2437         LLInt"
2438         https://bugs.webkit.org/show_bug.cgi?id=158136
2439         http://trac.webkit.org/changeset/201456
2440
2441 2016-05-31  Commit Queue  <commit-queue@webkit.org>
2442
2443         Unreviewed, rolling out r201359.
2444         https://bugs.webkit.org/show_bug.cgi?id=158238
2445
2446         "It was not a speedup on anything" (Requested by saamyjoon on
2447         #webkit).
2448
2449         Reverted changeset:
2450
2451         "We can cache lookups to JSScope::abstractResolve inside
2452         CodeBlock::finishCreation"
2453         https://bugs.webkit.org/show_bug.cgi?id=158036
2454         http://trac.webkit.org/changeset/201359
2455
2456 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2457
2458         [JSC] Recover parser performance regression by async support
2459         https://bugs.webkit.org/show_bug.cgi?id=158228
2460
2461         Reviewed by Saam Barati.
2462
2463         This patch recovers parser performance regression caused in r201481.
2464
2465         Compared to the version that reverts r201481, still ~1% regression remains.
2466         But compared to ToT, this patch significantly improves the code-load performance.
2467
2468         In Linux x64 JSCOnly port, with GCC 5.3.1.
2469
2470         reverted vs. patched.
2471                                  reverted                  patched
2472
2473         closure              0.61805+-0.00376    ?     0.62280+-0.00525       ?
2474         jquery               8.03778+-0.02114          8.03453+-0.04646
2475
2476         <geometric>          2.22883+-0.00836    ?     2.23688+-0.00995       ? might be 1.0036x slower
2477
2478         ToT vs. patched.
2479                                  baseline                  patched
2480
2481         closure              0.65490+-0.00351    ^     0.62473+-0.00363       ^ definitely 1.0483x faster
2482         jquery               8.25373+-0.06256    ^     8.04701+-0.03455       ^ definitely 1.0257x faster
2483
2484         <geometric>          2.32488+-0.00921    ^     2.24210+-0.00592       ^ definitely 1.0369x faster
2485
2486         * bytecode/UnlinkedFunctionExecutable.cpp:
2487         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2488         * bytecode/UnlinkedFunctionExecutable.h:
2489         Extend SourceParseMode.
2490
2491         * parser/Parser.cpp:
2492         (JSC::Parser<LexerType>::parseInner):
2493         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2494         Do not call `matchSpecIdentifier()` as much as we can. This greatly improves the performance.
2495
2496         (JSC::Parser<LexerType>::parseStatementListItem):
2497         (JSC::Parser<LexerType>::parseStatement):
2498         (JSC::Parser<LexerType>::parseFunctionParameters):
2499         (JSC::Parser<LexerType>::parseFunctionInfo):
2500         Do not touch `currentScope()->isGenerator()` even if it is unnecessary in parseFunctionInfo.
2501         And accidental `syntaxChecker => context` changes are fixed.
2502
2503         (JSC::Parser<LexerType>::parseClass):
2504         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2505         (JSC::Parser<LexerType>::parseImportClauseItem):
2506         (JSC::Parser<LexerType>::parseExportDeclaration):
2507         (JSC::Parser<LexerType>::parseAssignmentExpression):
2508         Do not use matchSpecIdentifier() in the hot paths.
2509
2510         (JSC::Parser<LexerType>::parseProperty):
2511         (JSC::Parser<LexerType>::parsePrimaryExpression):
2512         (JSC::Parser<LexerType>::parseMemberExpression):
2513         (JSC::Parser<LexerType>::parseUnaryExpression):
2514         (JSC::Parser<LexerType>::printUnexpectedTokenText): Deleted.
2515         * parser/Parser.h:
2516         (JSC::isIdentifierOrKeyword):
2517         AWAIT should be one of the keywords. This AWAIT check is unnecessary.
2518
2519         (JSC::Parser::upperScope):
2520         (JSC::Parser::matchSpecIdentifier):
2521         Touching currentScope() and its member causes significant performance degradation.
2522         We carefully remove the above access in the hot paths.
2523
2524         (JSC::Parser::isDisallowedIdentifierAwait):
2525         * parser/ParserModes.h:
2526         (JSC::SourceParseModeSet::SourceParseModeSet):
2527         (JSC::SourceParseModeSet::contains):
2528         (JSC::SourceParseModeSet::mergeSourceParseModes):
2529         (JSC::isFunctionParseMode):
2530         (JSC::isAsyncFunctionParseMode):
2531         (JSC::isAsyncArrowFunctionParseMode):
2532         (JSC::isAsyncFunctionWrapperParseMode):
2533         (JSC::isAsyncFunctionBodyParseMode):
2534         (JSC::isModuleParseMode):
2535         (JSC::isProgramParseMode):
2536         (JSC::constructAbilityForParseMode):
2537         The parser frequently checks SourceParseMode, and the variety of SourceParseModes has grown.
2538         So using a switch on SourceParseMode degrades the performance. Instead, we use bit tests to guard against
2539         many SourceParseModes. We expect that this will be efficiently compiled into test & jmp.
2540
2541         * parser/ParserTokens.h:
2542         Change AWAIT to one of the keywords, the same as YIELD / LET.
2543
2544 2016-05-31  Saam Barati  <sbarati@apple.com>
2545
2546         Web Inspector: capturing with Allocations timeline causes GC to take 100x longer and cause frame drops
2547         https://bugs.webkit.org/show_bug.cgi?id=158054
2548         <rdar://problem/25280762>
2549
2550         Reviewed by Joseph Pecoraro.
2551
2552         HeapSnapshot::sweepCell was taking a long time on 
2553         http://bl.ocks.org/syntagmatic/6c149c08fc9cde682635
2554         because it has to do a binary search to find if
2555         an item is or is not in the list. 90% of the binary searches
2556         would not find anything. This resulted in a lot of wasted time.
2557
2558         This patch adds a TinyBloomFilter member variable to HeapSnapshot.
2559         We use this filter to try to bypass doing a binary search when the
2560         filter tells us that a particular JSCell is definitely not in our
2561         list. This is a 2x speedup on the steady state GC of the above
2562         website.
2563
2564         * heap/HeapSnapshot.cpp:
2565         (JSC::HeapSnapshot::appendNode):
2566         (JSC::HeapSnapshot::sweepCell):
2567         (JSC::HeapSnapshot::shrinkToFit):
2568         (JSC::HeapSnapshot::nodeForCell):
2569         * heap/HeapSnapshot.h:
2570
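The filter-before-binary-search idea from the entry above, as an added JavaScript example (editor's code, not the HeapSnapshot or WTF implementation): a standard Bloom filter with 65536 bits and two hash functions (not WTF's TinyBloomFilter) sits in front of a binary search over sorted cell addresses, so queries for cells that were never recorded are answered without touching the sorted array. Cell addresses are constructed integers; BloomFilter, CellSet and demo are names chosen here.

```javascript
// Added example (not JSC/WTF code): a Bloom filter used to skip binary
// searches that would fail, modelling the HeapSnapshot sweep fast path.

class BloomFilter {
  constructor(bitCount = 1 << 16) {
    this.mask = bitCount - 1;                 // bitCount must be a power of two
    this.words = new Uint32Array(bitCount >>> 5);
  }
  // 32-bit integer mixer (murmur3 finaliser style), seeded per hash function.
  static hash(x, seed) {
    let h = (x ^ seed) >>> 0;
    h = Math.imul(h ^ (h >>> 16), 0x85ebca6b) >>> 0;
    h = Math.imul(h ^ (h >>> 13), 0xc2b2ae35) >>> 0;
    return (h ^ (h >>> 16)) >>> 0;
  }
  bitPositions(x) {
    return [BloomFilter.hash(x, 0x9e3779b9) & this.mask,
            BloomFilter.hash(x, 0x7f4a7c15) & this.mask];
  }
  add(x) {
    for (const b of this.bitPositions(x)) this.words[b >>> 5] |= 1 << (b & 31);
  }
  // true  => x is definitely not in the set (no false negatives)
  // false => x may be in the set (false positives are possible)
  ruleOut(x) {
    for (const b of this.bitPositions(x)) {
      if ((this.words[b >>> 5] & (1 << (b & 31))) === 0) return true;
    }
    return false;
  }
}

function binarySearch(sorted, value) {
  let lo = 0, hi = sorted.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >>> 1;
    if (sorted[mid] === value) return mid;
    if (sorted[mid] < value) lo = mid + 1; else hi = mid - 1;
  }
  return -1;
}

// Sorted list of recorded cells with a filter in front of it. has() only
// pays for a binary search when the filter cannot rule the cell out.
class CellSet {
  constructor(cells) {
    this.cells = Array.from(new Set(cells)).sort((a, b) => a - b);
    this.filter = new BloomFilter();
    for (const c of this.cells) this.filter.add(c);
    this.stats = { queries: 0, binarySearches: 0 };
  }
  has(cell) {
    this.stats.queries++;
    if (this.filter.ruleOut(cell)) return false; // fast path: definitely absent
    this.stats.binarySearches++;
    return binarySearch(this.cells, cell) >= 0;
  }
}

// Constructed sample: 1000 recorded cells and 10000 unrecorded ones, all
// 16-byte aligned like real cell addresses, in disjoint address ranges.
function demo() {
  const recorded = Array.from({ length: 1000 }, (_, i) => 0x10000 + i * 16);
  const unrecorded = Array.from({ length: 10000 }, (_, i) => 0x20000 + i * 16);
  const set = new CellSet(recorded);
  const hits = recorded.filter((c) => set.has(c)).length;
  const falseHits = unrecorded.filter((c) => set.has(c)).length;
  return { hits, falseHits, queries: set.stats.queries, binarySearches: set.stats.binarySearches };
}
```

With 1000 entries and two hashes in 65536 bits, roughly 3% of the bits are set and the expected false-positive rate is well under 1%, so almost all of the 10000 absent-cell queries never reach the binary search; the correctness property that matters is that the filter never rules out a recorded cell.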
2571 2016-05-29  Saam barati  <sbarati@apple.com>
2572
2573         Stack overflow crashes with deep or cyclic proxy prototype chains
2574         https://bugs.webkit.org/show_bug.cgi?id=157087
2575
2576         Reviewed by Filip Pizlo and Mark Lam.
2577
2578         Because a Proxy can call back into the JS runtime in arbitrary
2579         ways, we may have effectively cyclic prototype chains and property lookups
2580         by using a Proxy. We may also have arbitrarily long Proxy chains
2581         where we call into a C frame for each link in the Proxy chain.
2582         This means that every Proxy hook must be aware that it can stack overflow.
2583         Before, only certain hooks were aware of this fact. That was a bug,
2584         all hooks must assume they can stack overflow.
2585
2586         Also, because we may have effectively cyclic prototype chains, we
2587         compile ProxyObject.cpp with -fno-optimize-sibling-calls. This prevents
2588         tail call optimization from happening on any of the calls from
2589         ProxyObject.cpp. We do this because we rely on the machine stack
2590         growing for throwing a stack overflow error. It's better for developers
2591         to be able to see a stack overflow error than to have their program
2592         infinite loop because the compiler performed TCO.
2593
2594         This patch also fixes a couple call sites of various methods
2595         where we didn't check for an exception.
2596
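The two Proxy shapes described above, as an added JavaScript example (editor's code, not the proxy-stack-overflow-exceptions.js test from the patch): a long Proxy chain whose get traps forward link by link, and an effectively cyclic prototype chain where the trap reads from the receiver, each wrapped in a throwsStackOverflow check that the runtime surfaces the overflow as a catchable RangeError rather than crashing or looping. The chain depth of 200000 and the function names are constructed for this example.

```javascript
// Added example (not the page's test file): exercising deep and effectively
// cyclic Proxy lookups and checking that each ends in a catchable
// stack-overflow RangeError.

// Returns true only if fn() throws a RangeError, the class both JSC and V8
// use for "maximum call stack size exceeded"; anything else is a failure.
function throwsStackOverflow(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof RangeError;
  }
  return false;
}

// Case 1: a long Proxy chain. Each level's get trap forwards to its target,
// so a single property read recurses once per link.
function makeLongProxyChain(depth) {
  let object = { value: 42 };
  for (let i = 0; i < depth; i++) {
    object = new Proxy(object, {
      get(target, key) { return Reflect.get(target, key); },
    });
  }
  return object;
}
function longProxyChainRead() {
  const chain = makeLongProxyChain(200000); // constructed depth
  return chain.value;
}

// Case 2: an effectively cyclic prototype chain. The trap reads the property
// from the receiver, which resolves back through the same proxy, so the
// lookup never terminates on its own.
function cyclicProxyProtoChainRead() {
  const proto = new Proxy({}, {
    get(target, key, receiver) { return receiver[key]; },
  });
  const object = Object.create(proto);
  return object.missing;
}

// A modest chain must still resolve normally: overflow handling must not
// reject legitimate nesting.
function shortProxyChainRead() {
  return makeLongProxyChain(100).value;
}
```

The useful property for a runtime is the one the entry states: every hook may overflow, and the outcome must be an error the script can catch, which is exactly what throwsStackOverflow verifies.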
2597         * CMakeLists.txt:
2598         * JavaScriptCore.xcodeproj/project.pbxproj:
2599         * interpreter/Interpreter.cpp:
2600         (JSC::sizeOfVarargs):
2601         * runtime/InternalFunction.cpp:
2602         (JSC::InternalFunction::createSubclassStructure):
2603         * runtime/JSArray.h:
2604         (JSC::getLength):
2605         * runtime/ObjectPrototype.cpp:
2606         (JSC::objectProtoFuncToString):
2607         * runtime/ProxyObject.cpp:
2608         (JSC::performProxyGet):
2609         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2610         (JSC::ProxyObject::performHasProperty):
2611         (JSC::ProxyObject::getOwnPropertySlotCommon):
2612         (JSC::ProxyObject::performPut):
2613         (JSC::performProxyCall):
2614         (JSC::performProxyConstruct):
2615         (JSC::ProxyObject::performDelete):
2616         (JSC::ProxyObject::performPreventExtensions):
2617         (JSC::ProxyObject::performIsExtensible):
2618         (JSC::ProxyObject::performDefineOwnProperty):
2619         (JSC::ProxyObject::performGetOwnPropertyNames):
2620         (JSC::ProxyObject::getOwnPropertyNames):
2621         (JSC::ProxyObject::getPropertyNames):
2622         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
2623         (JSC::ProxyObject::performSetPrototype):
2624         (JSC::ProxyObject::performGetPrototype):
2625         * runtime/ProxyObject.h:
2626         (JSC::ProxyObject::create):
2627         * tests/stress/proxy-stack-overflow-exceptions.js: Added.
2628         (shouldThrowStackOverflow):
2629         (const.emptyFunction):
2630         (makeLongProxyChain):
2631         (shouldThrowStackOverflow.longProxyChain):
2632         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain1):
2633         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain2):
2634         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain3):
2635         (shouldThrowStackOverflow.longProxyChainBind):
2636         (shouldThrowStackOverflow.longProxyChainPropertyAccess):
2637         (shouldThrowStackOverflow.longProxyChainReflectConstruct):
2638         (shouldThrowStackOverflow.longProxyChainReflectSet):
2639         (shouldThrowStackOverflow.longProxyChainReflectOwnKeys):
2640         (shouldThrowStackOverflow.longProxyChainGetPrototypeOf):
2641         (shouldThrowStackOverflow.longProxyChainSetPrototypeOf):
2642         (shouldThrowStackOverflow.longProxyChainGetOwnPropertyDescriptor):
2643         (shouldThrowStackOverflow.longProxyChainDefineProperty):
2644         (shouldThrowStackOverflow.longProxyChainIsExtensible):
2645         (shouldThrowStackOverflow.longProxyChainPreventExtensions):
2646         (shouldThrowStackOverflow.longProxyChainDeleteProperty):
2647         (shouldThrowStackOverflow.longProxyChainWithScope):
2648         (shouldThrowStackOverflow.longProxyChainWithScope2):
2649         (shouldThrowStackOverflow.longProxyChainWithScope3):
2650         (shouldThrowStackOverflow.longProxyChainArrayPrototypePush):
2651         (shouldThrowStackOverflow.longProxyChainWithScope4):
2652         (shouldThrowStackOverflow.longProxyChainCall):
2653         (shouldThrowStackOverflow.longProxyChainConstruct):
2654         (shouldThrowStackOverflow.longProxyChainHas):
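
An added example, not part of this patch or its test file: it builds the two shapes the new stress test exercises, a long Proxy chain and an effectively cyclic Proxy prototype chain, and checks that the engine reports a RangeError (the stack overflow exception in both JSC and V8) instead of crashing or looping forever. The function names mirror the test file's, but the bodies here are constructed for the example.

```javascript
// Added example (not from the WebKit patch or its test file). Exercises the
// two Proxy shapes described above and classifies how each access ends.

// A chain of `length` proxies whose get/has traps forward to the target, so a
// single property read or `in` check re-enters the runtime once per link.
function makeLongProxyChain(length = 100000) {
  let obj = {};
  for (let i = 0; i < length; i++) {
    obj = new Proxy(obj, {
      get(target, key, receiver) {
        return Reflect.get(target, key, receiver);
      },
      has(target, key) {
        return Reflect.has(target, key);
      },
    });
  }
  return obj;
}

// A proxy whose getPrototypeOf trap answers with the proxy itself: walking
// the prototype chain from it never reaches null.
function makeCyclicProtoProxy() {
  const handler = {
    getPrototypeOf() {
      return proxy;
    },
  };
  const proxy = new Proxy({}, handler);
  return proxy;
}

// Run `fn` and report how it ended: "overflow" when a RangeError (the stack
// overflow exception) was thrown, "ok" when it returned, "other" otherwise.
function outcome(fn) {
  try {
    fn();
    return "ok";
  } catch (e) {
    return e instanceof RangeError ? "overflow" : "other";
  }
}

// Property read through every link of the chain (the performProxyGet path).
function longProxyChainPropertyAccess() {
  return outcome(() => makeLongProxyChain().missing);
}

// `in` through every link of the chain (the performHasProperty path).
function longProxyChainHas() {
  return outcome(() => "missing" in makeLongProxyChain());
}

// Prototype-chain walk over the effectively cyclic chain.
function cyclicProtoChainIsPrototypeOf() {
  return outcome(() =>
    Object.prototype.isPrototypeOf.call({}, makeCyclicProtoProxy())
  );
}
```

Each of the three checks is expected to return "overflow"; a result of "ok" on the cyclic case would mean the engine silently looped until some iteration cap, and a crash means a hook failed to check for stack overflow.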
2655
2656 2016-05-28  Andreas Kling  <akling@apple.com>
2657
2658         JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor.
2659         <https://webkit.org/b/158186>
2660
2661         Reviewed by Saam Barati.
2662
2663         Give JSGlobalLexicalEnvironment a destroy() and set up a finalizer for it
2664         like we do with JSGlobalObject. (This is needed because they don't inherit
2665         from JSDestructibleObjects and thus can't use JSCell::needsDestruction to
2666         ask for allocation in destructor space.)
2667
2668         This stops us from leaking all the SegmentedVector backing stores.
2669
2670         * runtime/JSGlobalLexicalEnvironment.cpp:
2671         (JSC::JSGlobalLexicalEnvironment::destroy):
2672         * runtime/JSGlobalLexicalEnvironment.h:
2673         (JSC::JSGlobalLexicalEnvironment::create):
2674
2675 2016-05-28  Skachkov Oleksandr  <gskachkov@gmail.com>
2676         [ESNext] Trailing commas in function parameters.
2677         https://bugs.webkit.org/show_bug.cgi?id=158020
2678
2679         Reviewed by Keith Miller.
2680
2681         ESNext allows adding trailing commas in function parameters and function arguments.
2682         Link to spec - https://jeffmo.github.io/es-trailing-function-commas
2683         Example of use - (function (a, b,) { return a + b; })(1,2,);
2684
2685         * parser/Parser.cpp:
2686         (JSC::Parser<LexerType>::parseFormalParameters):
2687         (JSC::Parser<LexerType>::parseArguments):
2688         * tests/stress/trailing-comma-in-function-paramters.js: Added.
2689
2690 2016-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2691
2692         [JSC] op_new_arrow_func_exp is no longer necessary
2693         https://bugs.webkit.org/show_bug.cgi?id=158180
2694
2695         Reviewed by Saam Barati.
2696
2697         This patch removes the op_new_arrow_func_exp bytecode since
2698         what op_new_arrow_func_exp does is completely the same as op_new_func_exp.
2699
2700         * bytecode/BytecodeList.json:
2701         * bytecode/BytecodeUseDef.h:
2702         (JSC::computeUsesForBytecodeOffset): Deleted.
2703         (JSC::computeDefsForBytecodeOffset): Deleted.
2704         * bytecode/CodeBlock.cpp:
2705         (JSC::CodeBlock::dumpBytecode): Deleted.
2706         * bytecompiler/BytecodeGenerator.cpp:
2707         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
2708         * dfg/DFGByteCodeParser.cpp:
2709         (JSC::DFG::ByteCodeParser::parseBlock):
2710         * dfg/DFGCapabilities.cpp:
2711         (JSC::DFG::capabilityLevel): Deleted.
2712         * jit/JIT.cpp:
2713         (JSC::JIT::privateCompileMainPass): Deleted.
2714         * jit/JIT.h:
2715         * jit/JITOpcodes.cpp:
2716         (JSC::JIT::emitNewFuncExprCommon):
2717         (JSC::JIT::emit_op_new_arrow_func_exp): Deleted.
2718         * llint/LLIntSlowPaths.cpp:
2719         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2720         * llint/LLIntSlowPaths.h:
2721         * llint/LowLevelInterpreter.asm:
2722
2723 2016-05-27  Caitlin Potter  <caitp@igalia.com>
2724
2725         [JSC] implement async functions proposal
2726         https://bugs.webkit.org/show_bug.cgi?id=156147
2727
2728         Reviewed by Yusuke Suzuki.
2729
2730         Adds support for `async` functions, proposed in https://tc39.github.io/ecmascript-asyncawait/.
2731
2732         On the front-end side, "await" becomes a contextual keyword when used within an async function,
2733         which triggers parsing an AwaitExpression. "await" becomes an illegal identifier name within
2734         these contexts. The bytecode generated from an "await" expression is identical to that generated
2735         in a "yield" expression in a Generator, as AsyncFunction reuses generator's state machine mechanism.
2736
2737         There are numerous syntactic forms for language features, including a variation on ArrowFunctions,
2738         requiring the keyword `async` to precede ArrowFormalParameters, and similarly, MethodDefinitions,
2739         which are ordinary MethodDefinitions preceded by the keyword `async`.
2740
2741         An async function desugars to the following:
2742
2743         ```
2744         async function asyncFn() {
2745         }
2746
2747         becomes:
2748
2749         function asyncFn() {
2750             let generator = {
2751                 @generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode) {
2752                   // generator state machine stuff here
2753                 },
2754                 @generatorState: 0,
2755                 @generatorThis: this,
2756                 @generatorFrame: null
2757             };
2758             return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
2759         }
2760         ```
2761
2762         `@asyncFunctionResume()` is similar to `@generatorResume`, with the exception that it will wrap the
2763         result of invoking `@generatorNext()` in a Promise, and will avoid allocating an iterator result
2764         object.
2765
2766         If the generator has yielded (an AwaitExpression has occurred), resumption will occur automatically
2767         once the await-expression operand is finished, via Promise chaining.
2768
2769         * API/JSScriptRef.cpp:
2770         (parseScript):
2771         * CMakeLists.txt:
2772         * DerivedSources.make:
2773         * JavaScriptCore.xcodeproj/project.pbxproj:
2774         * builtins/AsyncFunctionPrototype.js: Added.
2775         (asyncFunctionResume):
2776         * builtins/BuiltinExecutables.cpp:
2777         (JSC::BuiltinExecutables::createExecutable):
2778         * bytecode/BytecodeList.json:
2779         * bytecode/BytecodeUseDef.h:
2780         (JSC::computeUsesForBytecodeOffset):
2781         (JSC::computeDefsForBytecodeOffset):
2782         * bytecode/CodeBlock.cpp:
2783         (JSC::CodeBlock::dumpBytecode):
2784         (JSC::CodeBlock::finishCreation):
2785         * bytecode/UnlinkedCodeBlock.h:
2786         (JSC::UnlinkedCodeBlock::isArrowFunction):
2787         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction):
2788         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction):
2789         * bytecode/UnlinkedFunctionExecutable.cpp:
2790         (JSC::generateUnlinkedFunctionCodeBlock):
2791         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2792         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2793         * bytecode/UnlinkedFunctionExecutable.h:
2794         * bytecompiler/BytecodeGenerator.cpp:
2795         (JSC::BytecodeGenerator::BytecodeGenerator):
2796         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
2797         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2798         (JSC::BytecodeGenerator::emitNewMethodDefinition):
2799         (JSC::BytecodeGenerator::emitNewFunction):
2800         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2801         * bytecompiler/BytecodeGenerator.h:
2802         (JSC::BytecodeGenerator::makeFunction):
2803         * bytecompiler/NodesCodegen.cpp:
2804         (JSC::FunctionNode::emitBytecode):
2805         * inspector/agents/InspectorRuntimeAgent.cpp:
2806         (Inspector::InspectorRuntimeAgent::parse):
2807         * jit/JIT.cpp:
2808         (JSC::JIT::privateCompileMainPass):
2809         * jit/JIT.h:
2810         * jit/JITOpcodes.cpp:
2811         (JSC::JIT::emitNewFuncCommon):
2812         (JSC::JIT::emit_op_new_async_func):
2813         (JSC::JIT::emitNewFuncExprCommon):
2814         (JSC::JIT::emit_op_new_async_func_exp):
2815         * jit/JITOperations.cpp:
2816         * jit/JITOperations.h:
2817         * jsc.cpp:
2818         (runInteractive):
2819         (printUsageStatement):
2820         * llint/LLIntSlowPaths.cpp:
2821         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2822         * llint/LLIntSlowPaths.h:
2823         * llint/LowLevelInterpreter.asm:
2824         * parser/ASTBuilder.h:
2825         (JSC::ASTBuilder::createAsyncFunctionBody):
2826         * parser/Keywords.table:
2827         * parser/Parser.cpp:
2828         (JSC::Parser<LexerType>::Parser):
2829         (JSC::Parser<LexerType>::parseInner):
2830         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2831         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2832         (JSC::Parser<LexerType>::parseStatementListItem):
2833         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2834         (JSC::Parser<LexerType>::parseDestructuringPattern):
2835         (JSC::Parser<LexerType>::parseStatement):
2836         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
2837         (JSC::Parser<LexerType>::parseFormalParameters):
2838         (JSC::stringForFunctionMode):
2839         (JSC::Parser<LexerType>::parseFunctionParameters):
2840         (JSC::Parser<LexerType>::parseFunctionInfo):
2841         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2842         (JSC::Parser<LexerType>::parseClass):
2843         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2844         (JSC::Parser<LexerType>::parseImportClauseItem):
2845         (JSC::Parser<LexerType>::parseImportDeclaration):
2846         (JSC::Parser<LexerType>::parseExportDeclaration):
2847         (JSC::Parser<LexerType>::parseAssignmentExpression):
2848         (JSC::Parser<LexerType>::parseAwaitExpression):
2849         (JSC::Parser<LexerType>::parseProperty):
2850         (JSC::Parser<LexerType>::parsePropertyMethod):
2851         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2852         (JSC::Parser<LexerType>::parsePrimaryExpression):
2853         (JSC::Parser<LexerType>::parseMemberExpression):
2854         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2855         (JSC::Parser<LexerType>::parseUnaryExpression):
2856         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2857         * parser/Parser.h:
2858         (JSC::isIdentifierOrKeyword):
2859         (JSC::Scope::Scope):
2860         (JSC::Scope::setSourceParseMode):
2861         (JSC::Scope::isAsyncFunction):
2862         (JSC::Scope::isAsyncFunctionBoundary):
2863         (JSC::Scope::isModule):
2864         (JSC::Scope::setIsFunction):
2865         (JSC::Scope::setIsAsyncArrowFunction):
2866         (JSC::Scope::setIsAsyncFunction):
2867         (JSC::Scope::setIsAsyncFunctionBody):
2868         (JSC::Scope::setIsAsyncArrowFunctionBody):
2869         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError):
2870         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
2871         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction):
2872         (JSC::Parser::forceClassifyExpressionError):
2873         (JSC::Parser::declarationTypeToVariableKind):
2874         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
2875         (JSC::Parser::pushScope):
2876         (JSC::Parser::popScopeInternal):
2877         (JSC::Parser::matchSpecIdentifier):
2878         (JSC::Parser::isDisallowedIdentifierAwait):
2879         (JSC::Parser::disallowedIdentifierAwaitReason):
2880         (JSC::parse):
2881         * parser/ParserModes.h:
2882         (JSC::isFunctionParseMode):
2883         (JSC::isAsyncFunctionParseMode):
2884         (JSC::isAsyncArrowFunctionParseMode):
2885         (JSC::isAsyncFunctionWrapperParseMode):
2886         (JSC::isAsyncFunctionBodyParseMode):
2887         (JSC::isModuleParseMode):
2888         (JSC::isProgramParseMode):
2889         (JSC::constructAbilityForParseMode):
2890         * parser/ParserTokens.h:
2891         * parser/SourceCodeKey.h:
2892         (JSC::SourceCodeKey::SourceCodeKey):
2893         (JSC::SourceCodeKey::runtimeFlags):
2894         (JSC::SourceCodeKey::operator==):
2895         * parser/SyntaxChecker.h:
2896         (JSC::SyntaxChecker::createAsyncFunctionBody):
2897         * runtime/AsyncFunctionConstructor.cpp: Added.
2898         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
2899         (JSC::AsyncFunctionConstructor::finishCreation):
2900         (JSC::callAsyncFunctionConstructor):
2901         (JSC::constructAsyncFunctionConstructor):
2902         (JSC::AsyncFunctionConstructor::getCallData):
2903         (JSC::AsyncFunctionConstructor::getConstructData):
2904         * runtime/AsyncFunctionConstructor.h: Added.
2905         (JSC::AsyncFunctionConstructor::create):
2906         (JSC::AsyncFunctionConstructor::createStructure):
2907         * runtime/AsyncFunctionPrototype.cpp: Added.
2908         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
2909         (JSC::AsyncFunctionPrototype::finishCreation):
2910         * runtime/AsyncFunctionPrototype.h: Added.
2911         (JSC::AsyncFunctionPrototype::create):
2912         (JSC::AsyncFunctionPrototype::createStructure):
2913         * runtime/CodeCache.cpp:
2914         (JSC::CodeCache::getGlobalCodeBlock):
2915         (JSC::CodeCache::getProgramCodeBlock):
2916         (JSC::CodeCache::getEvalCodeBlock):
2917         (JSC::CodeCache::getModuleProgramCodeBlock):
2918         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2919         * runtime/CodeCache.h:
2920         * runtime/CommonIdentifiers.h:
2921         * runtime/Completion.cpp:
2922         (JSC::checkSyntax):
2923         (JSC::checkModuleSyntax):
2924         * runtime/Completion.h:
2925         * runtime/Executable.cpp:
2926         (JSC::ScriptExecutable::newCodeBlockFor):
2927         (JSC::ProgramExecutable::checkSyntax):
2928         * runtime/Executable.h:
2929         * runtime/FunctionConstructor.cpp:
2930         (JSC::constructFunctionSkippingEvalEnabledCheck):
2931         * runtime/FunctionConstructor.h:
2932         * runtime/JSAsyncFunction.cpp: Added.
2933         (JSC::JSAsyncFunction::JSAsyncFunction):
2934         (JSC::JSAsyncFunction::createImpl):
2935         (JSC::JSAsyncFunction::create):
2936         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
2937         * runtime/JSAsyncFunction.h: Added.
2938         (JSC::JSAsyncFunction::allocationSize):
2939         (JSC::JSAsyncFunction::createStructure):
2940         * runtime/JSFunction.cpp:
2941         (JSC::JSFunction::getOwnPropertySlot):
2942         * runtime/JSGlobalObject.cpp:
2943         (JSC::JSGlobalObject::init):
2944         (JSC::JSGlobalObject::createProgramCodeBlock):
2945         (JSC::JSGlobalObject::createEvalCodeBlock):
2946         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2947         * runtime/JSGlobalObject.h:
2948         (JSC::JSGlobalObject::asyncFunctionPrototype):
2949         (JSC::JSGlobalObject::asyncFunctionStructure):
2950         * runtime/ModuleLoaderObject.cpp:
2951         (JSC::moduleLoaderObjectParseModule):
2952         * runtime/RuntimeFlags.h:
2953         (JSC::RuntimeFlags::operator==):
2954         (JSC::RuntimeFlags::operator!=):
2955         * tests/stress/async-await-basic.js: Added.
2956         (shouldBe):
2957         (shouldBeAsync):
2958         (shouldThrow):
2959         (shouldThrowAsync):
2960         (let.AsyncFunction.async):
2961         (async.asyncFunctionForProto):
2962         (Object.getPrototypeOf.async):
2963         (Object.getPrototypeOf.async.method):
2964         (async):
2965         (async.method):
2966         (async.asyncNonConstructorDecl):
2967         (shouldThrow.new.async):
2968         (shouldThrow.new.async.nonConstructor):
2969         (async.asyncDecl):
2970         (async.f):
2971         (MyError):
2972         (async.asyncDeclThrower):
2973         (shouldThrowAsync.async):
2974         (resolveLater):
2975         (rejectLater):
2976         (async.resumeAfterNormal):
2977         (O.async.resumeAfterNormal):
2978         (resumeAfterNormalArrow.async):
2979         (async.resumeAfterThrow):
2980         (O.async.resumeAfterThrow):
2981         (resumeAfterThrowArrow.async):
2982         (catch):
2983         * tests/stress/async-await-module-reserved-word.js: Added.
2984         (shouldThrow):
2985         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await):
2986         (checkModuleSyntaxError.String.raw.await):
2987         (checkModuleSyntaxError.String.raw.async.await):
2988         (SyntaxError.Cannot.declare.named):
2989         * tests/stress/async-await-mozilla.js: Added.
2990         (shouldBe):
2991         (shouldBeAsync):
2992         (shouldThrow):
2993         (shouldThrowAsync):
2994         (assert):
2995         (shouldThrowSyntaxError):
2996         (mozSemantics.async.empty):
2997         (mozSemantics.async.simpleReturn):
2998         (mozSemantics.async.simpleAwait):
2999         (mozSemantics.async.simpleAwaitAsync):
3000         (mozSemantics.async.returnOtherAsync):
3001         (mozSemantics.async.simpleThrower):
3002         (mozSemantics.async.delegatedThrower):
3003         (mozSemantics.async.tryCatch):
3004         (mozSemantics.async.tryCatchThrow):
3005         (mozSemantics.async.wellFinally):
3006         (mozSemantics.async.finallyMayFail):
3007         (mozSemantics.async.embedded.async.inner):
3008         (mozSemantics.async.embedded):
3009         (mozSemantics.async.fib):
3010         (mozSemantics.async.isOdd.async.isEven):
3011         (mozSemantics.async.isOdd):
3012         (mozSemantics.hardcoreFib.async.fib2):
3013         (mozSemantics.namedAsyncExpr.async.simple):
3014         (mozSemantics.async.executionOrder.async.first):
3015         (mozSemantics.async.executionOrder.async.second):
3016         (mozSemantics.async.executionOrder.async.third):
3017         (mozSemantics.async.executionOrder):
3018         (mozSemantics.async.miscellaneous):
3019         (mozSemantics.thrower):
3020         (mozSemantics.async.defaultArgs):
3021         (mozSemantics.shouldThrow):
3022         (mozSemantics):
3023         (mozMethods.X):
3024         (mozMethods.X.prototype.async.getValue):
3025         (mozMethods.X.prototype.setValue):
3026         (mozMethods.X.prototype.async.increment):
3027         (mozMethods.X.prototype.async.getBaseClassName):
3028         (mozMethods.X.async.getStaticValue):
3029         (mozMethods.Y.prototype.async.getBaseClassName):
3030         (mozMethods.Y):
3031         (mozFunctionNameInferrence.async.test):
3032         (mozSyntaxErrors):
3033         * tests/stress/async-await-reserved-word.js: Added.
3034         (assert):
3035         (shouldThrowSyntaxError):
3036         (AsyncFunction.async):
3037         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Added.
3038         (shouldBe):
3039         (shouldBeAsync):
3040         (shouldThrowAsync):
3041         (noArgumentsArrow2.async):
3042         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Added.
3043         (shouldBe):
3044         (shouldBeAsync):
3045         (shouldThrowAsync):
3046         (C1):
3047         (C2):
3048         (shouldThrowAsync.async):
3049         * tests/stress/async_arrow_functions_lexical_super_binding.js: Added.
3050         (shouldBe):
3051         (shouldBeAsync):
3052         (BaseClass.prototype.baseClassValue):
3053         (BaseClass):
3054         (ChildClass.prototype.asyncSuperProp):
3055         (ChildClass.prototype.asyncSuperProp2):
3056         (ChildClass):
3057         * tests/stress/async_arrow_functions_lexical_this_binding.js: Added.
3058         (shouldBe):
3059         (shouldBeAsync):
3060         (d.y):
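
An added example, not JSC's builtin code: a user-land model of the desugaring and of `@asyncFunctionResume` described in this entry, with the `@`-prefixed private names spelled as plain identifiers. `GeneratorResumeMode`, `later`, `addLater`, `thrower` and `recovers` are constructed for the example.

```javascript
// Added example (not JSC's AsyncFunctionPrototype.js). Models how an async
// function body runs as a generator driven by a resume routine that wraps
// each step's outcome in a Promise instead of an iterator result object.

// Constructed stand-in for JSC's GeneratorResumeMode values.
const GeneratorResumeMode = { NormalMode: 0, ThrowMode: 1 };

// Resume the generator once with `value` in the given mode and wrap the
// outcome in a Promise. A yield models an AwaitExpression: the yielded
// operand is settled through Promise.resolve and the generator is resumed
// with the settled value, or thrown into with the rejection reason.
function asyncFunctionResume(generator, value, mode) {
  let step;
  try {
    step =
      mode === GeneratorResumeMode.ThrowMode
        ? generator.throw(value)
        : generator.next(value);
  } catch (e) {
    return Promise.reject(e); // uncaught throw in the body rejects the promise
  }
  if (step.done) {
    return Promise.resolve(step.value); // `return` resolves the promise
  }
  return Promise.resolve(step.value).then(
    (v) => asyncFunctionResume(generator, v, GeneratorResumeMode.NormalMode),
    (err) => asyncFunctionResume(generator, err, GeneratorResumeMode.ThrowMode)
  );
}

// Constructed helper: a value that only becomes available on a later tick.
function later(v) {
  return new Promise((resolve) => setTimeout(resolve, 1, v));
}

// `async function addLater(a, b) { const x = await later(a); return x + b; }`
// written the way the desugaring does it: a generator plus a resume call.
function addLater(a, b) {
  const generator = (function* () {
    const x = yield later(a); // await later(a)
    return x + b;
  })();
  return asyncFunctionResume(generator, undefined, GeneratorResumeMode.NormalMode);
}

// `async function thrower() { await later(0); throw new Error("boom"); }`
function thrower() {
  const generator = (function* () {
    yield later(0); // await later(0)
    throw new Error("boom");
  })();
  return asyncFunctionResume(generator, undefined, GeneratorResumeMode.NormalMode);
}

// `async function recovers() { try { await Promise.reject("bad"); }
//                              catch (e) { return "caught " + e; } }`
// The rejection is delivered by resuming in ThrowMode, so try/catch in the
// body observes it exactly as a thrown exception.
function recovers() {
  const generator = (function* () {
    try {
      yield Promise.reject("bad"); // await Promise.reject("bad")
    } catch (e) {
      return "caught " + e;
    }
  })();
  return asyncFunctionResume(generator, undefined, GeneratorResumeMode.NormalMode);
}
```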
3061
3062 2016-05-27  Saam barati  <sbarati@apple.com>
3063
3064         DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec
3065         https://bugs.webkit.org/show_bug.cgi?id=158104
3066
3067         Reviewed by Filip Pizlo.
3068
3069         I think globalExec is a special enough case that it should be handled
3070         at the layers above ShadowChicken and StackVisitor. Those APIs should
3071         deal with real stack frames on the machine stack, not a heap constructed frame.
3072
3073         This patch makes DebuggerCallFrame::create aware that it may be
3074         created with the globalObject->globalExec() by having it construct
3075         a single DebuggerCallFrame that wraps the globalExec.
3076
3077         This fixes a crasher because we will construct a DebuggerCallFrame
3078         with the globalExec when the Inspector is set to pause on all uncaught
3079         exceptions and the JS program has a syntax error. Because the program
3080         hasn't begun execution, there is no machine JS stack frame yet. So
3081         DebuggerCallFrame is created with globalExec, which will cause it
3082         to hit an assertion that dictates that the stack have size greater
3083         than zero.
3084
3085         * debugger/DebuggerCallFrame.cpp:
3086         (JSC::DebuggerCallFrame::create):
3087
3088 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
3089
3090         DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
3091         https://bugs.webkit.org/show_bug.cgi?id=158170
3092
3093         Reviewed by Michael Saboff.
3094
3095         The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
3096         value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
3097         anywhere because of TDZ.
3098         
3099         This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
3100         and it has the affected code use one of those wrappers.
3101         
3102         * dfg/DFGFrozenValue.h:
3103         (JSC::DFG::FrozenValue::dynamicCast): Harden this.
3104         (JSC::DFG::FrozenValue::cast):
3105         * dfg/DFGLazyJSValue.cpp:
3106         (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
3107         * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
3108         (foo):
3109         (i.catch):
3110
3111 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
3112
3113         regExpProtoFuncSplitFast should OOM before it swaps
3114         https://bugs.webkit.org/show_bug.cgi?id=158157
3115
3116         Reviewed by Mark Lam.
3117         
3118         This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
3119         sooner that running a regexp split will result in swapping. It uses the same basic
3120         approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
3121         size threshold, we proceed with a dry run to see how big the array will get before
3122         allocating anything else. This way, bogus uses of split that would have OOMed only after
3123         killing the user's machine will now OOM before killing the user's machine.
3124         
3125         This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
3126         time to running instantly.
3127
3128         * runtime/RegExpPrototype.cpp:
3129         (JSC::advanceStringIndex):
3130         (JSC::genericSplit):
3131         (JSC::regExpProtoFuncSplitFast):
3132         * runtime/StringObject.h:
3133         (JSC::jsStringWithReuse):
3134         (JSC::jsSubstring):
3135         * tests/stress/big-split-captures.js: Added.
3136         * tests/stress/big-split.js: Added.
3137
3138 2016-05-27  Saam barati  <sbarati@apple.com>
3139
3140         ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
3141         https://bugs.webkit.org/show_bug.cgi?id=158131
3142
3143         Reviewed by Yusuke Suzuki.
3144
3145         There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
3146         frame(s) are tail deleted.
3147
3148         DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
3149         tail deleted. This is clearly wrong. The following program proves that this assertion
3150         was misguided:
3151         ```
3152         "use strict";
3153         setTimeout(function foo() { return bar(); }, 0);
3154         ```
3155
3156         ShadowChicken had a very subtle bug when creating the shadow stack when 
3157         the entry frames of the stack were tail deleted. Because it places frames into its shadow
3158         stack by walking the machine frame and looking up entries in the log,
3159         the machine frame doesn't have any notion of those tail deleted frames
3160         at the entry of execution. ShadowChicken would never find those frames
3161         because it would look for tail deleted frames *before* consulting the
3162         current machine frame. This is wrong because if the entry frames
3163         are tail deleted, then there is no machine frame for them because there
3164         is no machine frame before them! Therefore, we must search for tail deleted
3165         frames *after* consulting a machine frame. This is sound because we will always
3166         have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
3167         So when we consult the machine frame that is the entry frame on the machine stack,
3168         we will search for tail deleted frames that come before it in the shadow stack.
3169         This will allow us to find those tail deleted frames that are the entry frames
3170         for the shadow stack.
3171
3172         * debugger/DebuggerCallFrame.cpp:
3173         (JSC::DebuggerCallFrame::create):
3174         * interpreter/ShadowChicken.cpp:
3175         (JSC::ShadowChicken::Packet::dump):
3176         (JSC::ShadowChicken::update):
3177         (JSC::ShadowChicken::dump):
3178
3179 2016-05-27  Chris Dumez  <cdumez@apple.com>
3180
3181         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
3182         https://bugs.webkit.org/show_bug.cgi?id=158111
3183
3184         Reviewed by Darin Adler.
3185
3186         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
3187         These are often used cross-thread and copying the captured lambda variables can be
3188         dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
3189         capture).
3190
3191         * runtime/Watchdog.cpp:
3192         (JSC::Watchdog::startTimer):
3193         (JSC::Watchdog::Watchdog): Deleted.
3194         (JSC::Watchdog::setTimeLimit): Deleted.
3195         * runtime/Watchdog.h:
3196
3197 2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>
3198
3199         Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
3200         https://bugs.webkit.org/show_bug.cgi?id=158159
3201
3202         Reviewed by Darin Adler.
3203
3204         * jit/ExecutableAllocatorFixedVMPool.cpp:
3205
3206 2016-05-27  Keith Miller  <keith_miller@apple.com>
3207
3208         get_by_id should support caching unset properties in the LLInt
3209         https://bugs.webkit.org/show_bug.cgi?id=158136
3210
3211         Reviewed by Benjamin Poulain.
3212
3213         Recently, we started supporting prototype load caching for get_by_id
3214         in the LLInt. This patch extends that to caching unset properties.
3215         While it is uncommon in general for a program to see a single structure
3216         without a given property, the Array.prototype.concat function needs to
3217         look up the Symbol.isConcatSpreadable property. For any existing code,
3218         that property will never be set as it did not exist prior to ES6.
3219
3220         Similarly to the get_by_id_proto_load bytecode, this patch adds a new
3221         bytecode, get_by_id_unset, that checks the structureID of the base and
3222         assigns undefined to the result.
3223
3224         There are no new tests here since we already have many tests that
3225         incidentally cover this change.
3226
3227         * bytecode/BytecodeList.json:
3228         * bytecode/BytecodeUseDef.h:
3229         (JSC::computeUsesForBytecodeOffset):
3230         (JSC::computeDefsForBytecodeOffset):
3231         * bytecode/CodeBlock.cpp:
3232         (JSC::CodeBlock::printGetByIdOp):
3233         (JSC::CodeBlock::dumpBytecode):
3234         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3235         * bytecode/GetByIdStatus.cpp:
3236         (JSC::GetByIdStatus::computeFromLLInt):
3237         * dfg/DFGByteCodeParser.cpp:
3238         (JSC::DFG::ByteCodeParser::parseBlock):
3239         * dfg/DFGCapabilities.cpp:
3240         (JSC::DFG::capabilityLevel):
3241         * jit/JIT.cpp:
3242         (JSC::JIT::privateCompileMainPass):
3243         (JSC::JIT::privateCompileSlowCases):
3244         * llint/LLIntSlowPaths.cpp:
3245         (JSC::LLInt::setupGetByIdPrototypeCache):
3246         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3247         * llint/LLIntSlowPaths.h:
3248         * llint/LowLevelInterpreter32_64.asm:
3249         * llint/LowLevelInterpreter64.asm:
3250
3251 2016-05-26  Filip Pizlo  <fpizlo@apple.com>
3252
3253         Bogus uses of regexp matching should realize that they will OOM before they start swapping
3254         https://bugs.webkit.org/show_bug.cgi?id=158142
3255
3256         Reviewed by Michael Saboff.
3257         
3258         Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
3259         advantage of this to make the code more resilient in case of absurd situations: if the
3260         result array gets large, it proceeds with a dry run to detect how many matches there will
3261         be. This allows it to OOM before it starts swapping.
3262         
3263         This also improves the overall performance of the code by using lightweight substrings and
3264         skipping the whole intermediate argument array.
3265         
3266         This makes some jsfunfuzz tests run a lot faster and use a lot less memory.
3267         
3268         * builtins/RegExpPrototype.js:
3269         * CMakeLists.txt:
3270         * JavaScriptCore.xcodeproj/project.pbxproj:
3271         * runtime/MatchResult.cpp: Added.
3272         (JSC::MatchResult::dump):
3273         * runtime/MatchResult.h:
3274         (JSC::MatchResult::empty):
3275         (MatchResult::empty): Deleted.
3276         * runtime/RegExpObject.cpp:
3277         (JSC::RegExpObject::match):
3278         (JSC::collectMatches):
3279         (JSC::RegExpObject::matchGlobal):
3280         * runtime/StringObject.h:
3281         (JSC::jsStringWithReuse):
3282         (JSC::jsSubstring):
3283         * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.
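        The following is an added example, not WebKit code: the "dry run before
        allocating" strategy described in the entry above, written against the
        public RegExp API rather than RegExpObject::matchGlobal. The function names
        (advanceIndex, countGlobalMatches, matchGlobalBounded, agreesWithNative), the
        result budget and the sample inputs are this example's own.

```javascript
// Added example, not WebKit code: the "count first, allocate later" idea from
// the entry above, written against the public RegExp API instead of
// RegExpObject::matchGlobal. A global match is run twice: a dry run that only
// counts matches, then, if the count is within budget, a second pass that
// materializes the substrings. An absurd match fails with RangeError before any
// result array exists, instead of growing that array until the process swaps.

// AdvanceStringIndex: after an empty match, step past one code point (two code
// units for a surrogate pair under /u) so the loop always makes progress.
function advanceIndex(re, str) {
  const cp = str.codePointAt(re.lastIndex);
  re.lastIndex += (re.unicode && cp !== undefined && cp > 0xffff) ? 2 : 1;
}

// Dry run: count matches without retaining any match objects or substrings.
function countGlobalMatches(re, str) {
  if (!re.global) throw new TypeError("expected a regexp with the g flag");
  re.lastIndex = 0;
  let count = 0;
  for (let m = re.exec(str); m !== null; m = re.exec(str)) {
    count++;
    if (m[0] === "") advanceIndex(re, str);
  }
  re.lastIndex = 0;
  return count;
}

// Same result as str.match(re) for a /g regexp, but sized up front and
// refused outright when it would exceed maxMatches.
function matchGlobalBounded(re, str, maxMatches) {
  const n = countGlobalMatches(re, str);
  if (n > maxMatches)
    throw new RangeError(`global match would produce ${n} results, limit is ${maxMatches}`);
  if (n === 0) return null;
  const result = new Array(n);
  re.lastIndex = 0;
  for (let i = 0; i < n; i++) {
    const m = re.exec(str);          // never null: the dry run counted n matches
    result[i] = m[0];
    if (m[0] === "") advanceIndex(re, str);
  }
  re.lastIndex = 0;
  return result;
}

// Cross-check against the engine's own String.prototype.match.
function agreesWithNative(re, str) {
  const ours = matchGlobalBounded(re, str, Number.MAX_SAFE_INTEGER);
  const theirs = str.match(re);
  return JSON.stringify(ours) === JSON.stringify(theirs);
}

// Constructed inputs.
console.log(matchGlobalBounded(/a/g, "banana", 10));   // [ 'a', 'a', 'a' ]
console.log(countGlobalMatches(/(?:)/g, "ab"));        // 3 empty matches, at 0, 1 and 2
try {
  matchGlobalBounded(/a/g, "a".repeat(1000000), 1000);
} catch (e) {
  console.log(e.name + ": " + e.message);
}
```

        The dry run costs a second pass over the subject, which is why the patch
        only falls back to it once the result array has already grown large; the
        empty-match handling is the part that is easy to get wrong, since an
        empty match does not move lastIndex on its own.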
3284
3285 2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>
3286
3287         Static table property lookup should not require getOwnPropertySlot override.
3288         https://bugs.webkit.org/show_bug.cgi?id=158059
3289
3290         Reviewed by Darin Adler.
3291
3292         Currently JSObject does not handle property lookup of entries in the static
3293         table. Each subclass with static properties must override getOwnPropertySlot,
3294         and explicitly call the lookup functions. This has the following drawbacks:
3295
3296         - Performance: for any class with static properties, property access becomes
3297           virtual (via method table).
3298         - Poor encapsulation: implementation detail of static property access is
3299           spread throughout & cross projects, rather than being contained in JSObject.
3300         - Code size: this results in a great many additional functions.
3301         - Inconsistency: static table presence has to be taken into account in many
3302           other operations, e.g. presence of read-only properties for put.
3303         - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
3304           all properties. This is likely suboptimal.
3305
3306         Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
3307         able to handle static properties.
3308
3309         This is actually a fairly small & simple change.
3310
3311         The common pattern is for subclasses of JSObject to override getOwnPropertySlot
3312         to first defer to JSObject for property storage lookup, and only if this fails
3313         consult the static table. They just want the static tables to be consulted after
3314         regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
3315         to check, and where it is set, do so. Then it's just a question of switching
3316         classes over to start setting this flag, and drop the override.
3317
3318         The new mechanism does change st