2f27f32960c941a4f5ad0ae9876cc5d9a8f4af7c
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: XHRs and Web Worker scripts are not searchable
        https://bugs.webkit.org/show_bug.cgi?id=154214
        <rdar://problem/24643587>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:
        Add optional requestId to search results properties and search
        parameters for when the frameId and url are not enough. XHR
        resources, and "Other" resources will use this.

2016-04-08  Guillaume Emont  <guijemont@igalia.com>

        MIPS: support Signed cond in branchTest32()
        https://bugs.webkit.org/show_bug.cgi?id=156260

        This is needed since r197688 makes use of it.

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchTest32):

2016-04-08  Alex Christensen  <achristensen@webkit.org>

        Progress towards running CMake WebKit2 on Mac
        https://bugs.webkit.org/show_bug.cgi?id=156426

        Reviewed by Tim Horton.

        * PlatformMac.cmake:

2016-04-08  Saam barati  <sbarati@apple.com>

        Debugger may dereference m_currentCallFrame even after the VM has gone idle
        https://bugs.webkit.org/show_bug.cgi?id=156413

        Reviewed by Mark Lam.

        There is a bug where the debugger may dereference its m_currentCallFrame
        pointer after that pointer becomes invalid to read from. This happens like so:

        We may step over an instruction which causes the end of execution for the
        current program. This causes the VM to exit. Then, we perform a GC which
        causes us to collect the global object. The global object being collected
        causes us to detach the debugger. In detaching, we think we still have a
        valid m_currentCallFrame, we dereference it, and crash. The solution is to
        make sure we're paused when dereferencing this pointer inside ::detach().

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):

2016-04-08  Brian Burg  <bburg@apple.com>

        Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
        https://bugs.webkit.org/show_bug.cgi?id=156407
        <rdar://problem/25627659>

        Reviewed by Timothy Hatcher.

        There's no point having these subclasses as they don't save any space.
        Add m_stringValue to the union and merge some implementations of writeJSON.
        Move uses of the subclass to InspectorValue and delete redundant methods.
        Now, most InspectorValue methods are non-virtual so they can be templated.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        Don't use deleted subclasses.

        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::null):
        (Inspector::InspectorValue::create):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        These only need one implementation now.

        (Inspector::InspectorValue::writeJSON):
        Still a virtual method since Object and Array need their members.

        (Inspector::InspectorObjectBase::InspectorObjectBase):
        (Inspector::InspectorBasicValue::asBoolean): Deleted.
        (Inspector::InspectorBasicValue::asDouble): Deleted.
        (Inspector::InspectorBasicValue::asInteger): Deleted.
        (Inspector::InspectorBasicValue::writeJSON): Deleted.
        (Inspector::InspectorString::asString): Deleted.
        (Inspector::InspectorString::writeJSON): Deleted.
        (Inspector::InspectorString::create): Deleted.
        (Inspector::InspectorBasicValue::create): Deleted.

        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setBoolean):
        (Inspector::InspectorObjectBase::setInteger):
        (Inspector::InspectorObjectBase::setDouble):
        (Inspector::InspectorObjectBase::setString):
        (Inspector::InspectorArrayBase::pushBoolean):
        (Inspector::InspectorArrayBase::pushInteger):
        (Inspector::InspectorArrayBase::pushDouble):
        (Inspector::InspectorArrayBase::pushString):
        Use new factory methods.

        * replay/EncodedValue.cpp:
        (JSC::ScalarEncodingTraits<bool>::encodeValue):
        (JSC::ScalarEncodingTraits<double>::encodeValue):
        (JSC::ScalarEncodingTraits<float>::encodeValue):
        (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
        * replay/EncodedValue.h:
        Use new factory methods.

2016-04-08  Filip Pizlo  <fpizlo@apple.com>

        Add IC support for arguments.length
        https://bugs.webkit.org/show_bug.cgi?id=156389

        Reviewed by Geoffrey Garen.

        This adds support for caching accesses to arguments.length for both DirectArguments and
        ScopedArguments. In strict mode, we already cached these accesses since they were just
        normal properties.

        Amazingly, we also already supported caching of overridden arguments.length in both
        DirectArguments and ScopedArguments. This is because when you override, the property gets
        materialized as a normal JS property and the structure is changed.

        This patch painstakingly preserves our previous caching of overridden length while
        introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
        the case where it could either be overridden or not, since we just end up with an AccessCase
        for each and they cascade to each other.

        This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
        Entirely monomorphic accesses were already handled by the DFG.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        * jit/ICStats.h:
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
        (args):
        (foo):
        (result.foo):

2016-04-08  Benjamin Poulain  <bpoulain@apple.com>

        UInt32ToNumber should have an Int52 path
        https://bugs.webkit.org/show_bug.cgi?id=125704

        Reviewed by Filip Pizlo.

        When dealing with big numbers, fall back to Int52 instead
        of double when possible.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):

2016-04-08  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
        https://bugs.webkit.org/show_bug.cgi?id=156275
        <rdar://problem/25569331>

        Reviewed by Darin Adler.

        * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.

        * inspector/scripts/codegen/models.py:
        (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
        (TypeReference.referenced_name): Update comment.

        Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.

        * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
        * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
        * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
        https://bugs.webkit.org/show_bug.cgi?id=156384

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:
        * features.json: Mark as Done.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-07  Filip Pizlo  <fpizlo@apple.com>

        Implementing caching transition puts that need to reallocate with indexing storage
        https://bugs.webkit.org/show_bug.cgi?id=130914

        Reviewed by Saam Barati.

        This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
        the butterfly has indexing storage. Like the DFG, we do this by calling operations that
        reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
        triggering a barrier.

        This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
        do it now because the hard work is hidden under AccessGenerationState methods. This means
        that custom accessors now share logic with put_by_id transitions.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
        (JSC::AccessGenerationState::originalCallSiteIndex):
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::transition):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
        (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
        https://bugs.webkit.org/show_bug.cgi?id=156380
        <rdar://problem/25323727>

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        When a target has been updated and it no longer generates a listing,
        we should remove the old listing as that is now stale and should
        not be sent. Not generating a listing means this target is no
        longer allowed to be debugged.

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Not necessary to validate webinspectord connection on iOS
        https://bugs.webkit.org/show_bug.cgi?id=156377
        <rdar://problem/25612460>

        Reviewed by Simon Fraser.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2016-04-07  Keith Miller  <keith_miller@apple.com>

        Rename ArrayMode::supportsLength to supportsSelfLength
        https://bugs.webkit.org/show_bug.cgi?id=156374

        Reviewed by Filip Pizlo.

        The name supportsLength is confusing because TypedArrays have a
        length function; however, it is on the prototype and not on the
        instance. supportsSelfLength makes more sense since we use the
        function during fixup to tell if we can intrinsic the length
        property lookup on self accesses.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::supportsSelfLength):
        (JSC::DFG::ArrayMode::supportsLength): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
        https://bugs.webkit.org/show_bug.cgi?id=156371

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        Clarify that these locations are 1-based.

2016-04-07  Jon Davis  <jond@apple.com>

        Add Web Animations API to Feature Status Page
        https://bugs.webkit.org/show_bug.cgi?id=156360

        Reviewed by Timothy Hatcher.

        * features.json:

2016-04-07  Saam barati  <sbarati@apple.com>

        Invalid assertion inside DebuggerScope::getOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=156357

        Reviewed by Keith Miller.

        The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
        on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
        are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
        might not always be in a valid state when its getOwnPropertySlot method is called.
        Therefore, the assertion is invalid.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::getOwnPropertySlot):

2016-04-07  Saam barati  <sbarati@apple.com>

        Initial implementation of annex b.3.3 behavior was incorrect
        https://bugs.webkit.org/show_bug.cgi?id=156276

        Reviewed by Keith Miller.

        I almost got annex B.3.3 correct in my first implementation.
        There is a subtlety here I got wrong. We always create a local binding for
        a function at the very beginning of execution of a block scope. So we
        hoist function declarations to their local binding within a given
        block scope. When we actually evaluate the function declaration statement
        itself, we must lookup the binding in the current scope, and bind the
        value to the binding in the "var" scope. We perform the following
        abstract operations when executing a function declaration statement.

        f = lookupBindingInCurrentScope("func")
        store(varScope, "func", f)

        I got this wrong by performing the store to the var binding at the beginning
        of the block scope instead of when we evaluate the function declaration statement.
        This behavior is observable. For example, a program could change the value
        of "func" before the actual function declaration statement executes.
        Consider the following two functions:
        ```
        function foo1() {
            // func === undefined
            {
                // typeof func === "function"
                function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
                func = 20 // This sets the local "func" binding to 20.
            }
            // typeof func === "function"
        }

        function foo2() {
            // func === undefined
            {
                // typeof func === "function"
                func = 20 // This sets the local "func" binding to 20.
                function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
            }
            // func === 20
        }
        ```

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FuncDeclNode::emitBytecode):
        * tests/stress/sloppy-mode-function-hoisting.js:
        (test.foo):
        (test):
        (test.):
        (test.bar):
        (test.switch.case.0):
        (test.capFoo1):
        (test.switch.capFoo2):
        (test.outer):
        (foo):

2016-04-07  Alex Christensen  <achristensen@webkit.org>

        Build fix after r199170

        * CMakeLists.txt:

2016-04-07  Keith Miller  <keith_miller@apple.com>

        We should support the ability to do a non-effectful getById
        https://bugs.webkit.org/show_bug.cgi?id=156116

        Reviewed by Benjamin Poulain.

        Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
        useful because it enables us to take different code paths based on values that we would
        otherwise not be able to have knowledge of. This patch adds this new feature called
        try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
        an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
        GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
        undefined if the slot is unset.  If the slot is proxied or any other cases then the result
        is null. In theory, if we ever wanted to check for null we could add a sentinel object to
        the global object that indicates we could not get the result.

        In order to implement this feature we add a new enum GetByIdKind that indicates what to do
        for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
        get_by_id the same way we would for load and return the value at the appropriate offset.
        Additionally, in order to make sure that we can properly compare the GetterSetter object
        with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
        GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
        likely to have little to no impact on memory usage as normal accessors are generally rare.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutableCreator.cpp: Added.
        (JSC::createBuiltinExecutable):
        * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createExecutableInternal): Deleted.
        * builtins/BuiltinExecutables.h:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::tryGet):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet): Deleted.
        (JSC::AccessCase::isPut): Deleted.
        (JSC::AccessCase::isIn): Deleted.
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitTryGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::resetGetByID):
        * jit/Repatch.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetGetterSetter):
        (functionCreateBuiltin):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSType.h:
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::getPureResult):
        * runtime/PropertySlot.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        * tests/stress/try-get-by-id.js: Added.
        (tryGetByIdText):
        (getCaller.obj.1.throw.new.Error.let.func):
        (getCaller.obj.1.throw.new.Error):
        (throw.new.Error.get let):
        (throw.new.Error.):
        (throw.new.Error.let.get createBuiltin):
        (get let):
        (let.get createBuiltin):
        (let.func):
        (get let.func):
        (get throw):

2016-04-07  Filip Pizlo  <fpizlo@apple.com>

        Rationalize the makeSpaceForCCall stuff
        https://bugs.webkit.org/show_bug.cgi?id=156352

        Reviewed by Mark Lam.

        I want to add more code to PolymorphicAccess that makes C calls, so that I can finally fix
        https://bugs.webkit.org/show_bug.cgi?id=130914 (allow transition caches to handle indexing
        headers).

        When trying to understand what it takes to make a C call, I came across code that was making
        room on the stack for spilled arguments. This logic was guarded with some complicated
        condition. At first, I tried to just refactor the code so that the same ugly condition
        wouldn't have to be copy-pasted everywhere that we made C calls. But then I started thinking
        about the condition, and realized that it was probably wrong: if the outer PolymorphicAccess
        harness decides to reuse a register for the scratchGPR then the top of the stack will store
        the old value of scratchGPR, but the condition wouldn't necessarily trigger. So if the call
        then overwrote something on the stack, we'd have a bad time.

        Making room on the stack for a call is a cheap operation. It's orders of magnitude cheaper
        than the rest of the call. Therefore, I think that it's best to just unconditionally make
        room on the stack.

        This patch makes us do just that. I also made the relevant helpers not inline, because I
        think that we have too many inline methods in our assemblers. Now it's much easier to make
        C calls from PolymorphicAccess because you just call the AssemblyHelper methods for making
        space. There are no special conditions or anything like that.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
        (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
        (JSC::emitRandomThunkImpl):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::makeSpaceOnStackForCCall): Deleted.
        (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall): Deleted.

2016-04-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199128 and r199141.
        https://bugs.webkit.org/show_bug.cgi?id=156348

        Causes crashes on multiple webpages (Requested by keith_mi_ on
        #webkit).

        Reverted changesets:

        "[ES6] Add support for Symbol.isConcatSpreadable."
        https://bugs.webkit.org/show_bug.cgi?id=155351
        http://trac.webkit.org/changeset/199128

        "Unreviewed, uncomment accidentally commented line in test."
        http://trac.webkit.org/changeset/199141

2016-04-07  Filip Pizlo  <fpizlo@apple.com>

        Rationalize the handling of PutById transitions a bit
        https://bugs.webkit.org/show_bug.cgi?id=156330

        Reviewed by Mark Lam.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate): Get rid of the specialized slow calls. We can just use the failAndIgnore jump target. We just need to make sure that we don't make observable effects until we're done with all of the fast path checks.
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase): MadeNoChanges indicates that we should keep trying to repatch. Currently PutById transitions might trigger the case that addAccessCase() sees null, if the transition involves an indexing header. Doing repatching in that case is probably not good. But, we should just fix this the right way eventually.

2016-04-07  Per Arne Vollan  <peavo@outlook.com>

        [Win] Fix for JSC stress test failures.
        https://bugs.webkit.org/show_bug.cgi?id=156343

        Reviewed by Filip Pizlo.

        We need to make it clear to MSVC that the method loadPtr(ImplicitAddress address, RegisterID dest)
        should be used, and not loadPtr(const void* address, RegisterID dest).

        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::setupShadowChickenPacket):

2016-04-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] UInt32ToNumber should be NodeMustGenerate
        https://bugs.webkit.org/show_bug.cgi?id=156329

        Reviewed by Filip Pizlo.

        It exits on negative numbers on the integer path.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:

2016-04-04  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r199016.
        https://bugs.webkit.org/show_bug.cgi?id=156140

        "Perf bots are down, so I can't re-land this right now."

        Reverted changeset:

        CopiedBlock should be 16kB
        https://bugs.webkit.org/show_bug.cgi?id=156168
        http://trac.webkit.org/changeset/199016

2016-04-06  Mark Lam  <mark.lam@apple.com>

        String.prototype.match() should be calling internal function RegExpCreate.
        https://bugs.webkit.org/show_bug.cgi?id=156318

        Reviewed by Filip Pizlo.

        RegExpCreate is not the same as the RegExp constructor.  The current implementation
        invokes new @RegExp which calls the constructor.  This results in failures in
        es6/Proxy_internal_get_calls_String.prototype.match.js, and
        es6/Proxy_internal_get_calls_String.prototype.search.js due to observable side
        effects.

        This patch fixes this by factoring out the part of the RegExp constructor that
        makes the RegExpCreate function, and changing String's match and search to call
        RegExpCreate instead in accordance with the ES6 spec.

        * builtins/StringPrototype.js:
        (match):
        (search):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        (JSC::esSpecRegExpCreate):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:
        (JSC::isRegExp):

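The observable difference the entry above describes (RegExpCreate versus the RegExp constructor) can be checked from script. What follows is an added example, not WebKit code and not part of the ChangeLog entry: it wraps a constructed plain object in a Proxy whose get trap records every property key the engine reads, then calls String.prototype.match and String.prototype.search on it. Under the ES6 RegExpCreate semantics the engine reads exactly the method's own well-known symbol (@@match or @@search) followed by @@toPrimitive from the ToString inside RegExpInitialize; an implementation that routed through `new RegExp(arg)` would additionally run IsRegExp, i.e. a second @@match read, which is what the referenced Proxy_internal_get_calls tests catch. The names makeRecordingProxy, recordInternalGets, recordConstructorGets and followsRegExpCreate are this example's own.

```javascript
// Added example, not WebKit code. Records the internal [[Get]] operations an
// engine performs on the argument of String.prototype.match / .search, so the
// difference between RegExpCreate (ES6 21.2.3.2.3) and the RegExp constructor
// (which first runs IsRegExp, i.e. reads @@match) is visible from script.

'use strict';

// Constructed target object: its @@toPrimitive returns undefined, so ToString(P)
// inside RegExpInitialize reads only that one key and never touches
// toString / valueOf. The get trap logs every key the engine asks for.
function makeRecordingProxy() {
  const keys = [];
  const target = { [Symbol.toPrimitive]: () => undefined };
  const proxy = new Proxy(target, {
    get(obj, key, receiver) {
      keys.push(key);
      return Reflect.get(obj, key, receiver);
    },
  });
  return { proxy, keys };
}

// Keys read while "".match(proxy) or "".search(proxy) runs.
// Spec-conformant result: [Symbol.match, Symbol.toPrimitive] for match,
// [Symbol.search, Symbol.toPrimitive] for search.
function recordInternalGets(methodName) {
  const { proxy, keys } = makeRecordingProxy();
  String.prototype[methodName].call('', proxy);
  return keys;
}

// Keys read by the RegExp constructor itself: IsRegExp reads @@match before
// RegExpInitialize reads @@toPrimitive. A match() implemented as
// `new RegExp(arg)` would therefore read @@match twice in total, which a
// Proxy (or any getter) can observe.
function recordConstructorGets() {
  const { proxy, keys } = makeRecordingProxy();
  new RegExp(proxy);
  return keys;
}

// True when the method performs exactly the reads RegExpCreate allows.
function followsRegExpCreate(methodName) {
  const ownSymbol = methodName === 'match' ? Symbol.match : Symbol.search;
  const keys = recordInternalGets(methodName);
  return keys.length === 2 && keys[0] === ownSymbol && keys[1] === Symbol.toPrimitive;
}

for (const name of ['match', 'search']) {
  console.log(
    name,
    followsRegExpCreate(name) ? 'follows RegExpCreate' : 'performs extra observable gets',
    recordInternalGets(name).map(String));
}
console.log('RegExp constructor reads', recordConstructorGets().map(String));
```

Run with any modern engine (node, or jsc) to compare; an engine that still built the matcher through the constructor would print three keys for match, with Symbol(Symbol.match) appearing twice.
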
2016-04-06  Keith Miller  <keith_miller@apple.com>

        Unreviewed, uncomment accidentally commented line in test.

        * tests/stress/array-concat-spread-object.js:

2016-04-06  Filip Pizlo  <fpizlo@apple.com>

        JSC should have a simple way of gathering IC statistics
        https://bugs.webkit.org/show_bug.cgi?id=156317

        Reviewed by Benjamin Poulain.

        This adds a cheap, runtime-enabled way of gathering statistics about why we take the slow
        paths for inline caches. This is complementary to our existing bytecode profiler. Eventually
        we may want to combine the two things.

        This is not a slow-down on anything because we only do extra work on IC slow paths and if
        it's disabled it's just a load-and-branch to skip the stats gathering code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ICStats.cpp: Added.
        * jit/ICStats.h: Added.
        * jit/JITOperations.cpp:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::inherits):
        (JSC::JSValue::classInfoOrNull):
        (JSC::JSValue::toThis):
        * runtime/Options.h:

699 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
700
701         32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
702         https://bugs.webkit.org/show_bug.cgi?id=156292
703
704         Reviewed by Benjamin Poulain.
705
706         Make sure that we stash the callsite index before calling operationReallocateStorageAndFinishPut.
707
708         * bytecode/PolymorphicAccess.cpp:
709         (JSC::AccessCase::generate):
710
711 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
712
713         JSC test stress/arrowfunction-lexical-bind-superproperty.js failing
714         https://bugs.webkit.org/show_bug.cgi?id=156309
715
716         Reviewed by Saam Barati.
717
718         Just be honest about the fact that the ArgumentCount and Callee parts of inline callframe runtime
719         meta-data can be read at any time.
720         
721         We only have to say this for the inline callframe forms of ArgumentCount and Callee because we don't
722         sink any part of the machine prologue. This change just prevents us from sinking the pseudoprologue
723         of inlined varargs or closure calls.
724
725         Shockingly, this is not a regression on anything.
726
727         * dfg/DFGClobberize.h:
728         (JSC::DFG::clobberize):
729
730 2016-03-29  Keith Miller  <keith_miller@apple.com>
731
732         [ES6] Add support for Symbol.isConcatSpreadable.
733         https://bugs.webkit.org/show_bug.cgi?id=155351
734
735         Reviewed by Saam Barati.
736
737         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
738         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
739         a builtin performant. First, four new DFG intrinsics were added.
740
741         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
742            the Array.isArray function.
743         2) IsJSArray: checks the first child is a JSArray object.
744         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
745         4) CallObjectConstructor: an intrinsic of the Object constructor.
746
747         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
748         we are able to prove that the first child is an Array or for ToObject an Object.
749
750         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
751         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
752         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
753         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
754         into a contiguous array).
755
756         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
757         values onto the result array. This works roughly the same as the two array fast path using the same methodology
758         to decide if we can memcpy the other butterfly into the result butterfly.
759
760         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
761         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
762         dataLog function on it.
763
764         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
765         JSValueOperand if the operand's use count is one.
766
767         * JavaScriptCore.xcodeproj/project.pbxproj:
768         * builtins/ArrayPrototype.js:
769         (concatSlowPath):
770         (concat):
771         * bytecode/BytecodeIntrinsicRegistry.cpp:
772         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
773         * bytecode/BytecodeIntrinsicRegistry.h:
774         * dfg/DFGAbstractInterpreterInlines.h:
775         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
776         * dfg/DFGByteCodeParser.cpp:
777         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
778         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
779         * dfg/DFGClobberize.h:
780         (JSC::DFG::clobberize):
781         * dfg/DFGDoesGC.cpp:
782         (JSC::DFG::doesGC):
783         * dfg/DFGFixupPhase.cpp:
784         (JSC::DFG::FixupPhase::fixupNode):
785         * dfg/DFGNodeType.h:
786         * dfg/DFGOperations.cpp:
787         * dfg/DFGOperations.h:
788         * dfg/DFGPredictionPropagationPhase.cpp:
789         (JSC::DFG::PredictionPropagationPhase::propagate):
790         * dfg/DFGSafeToExecute.h:
791         (JSC::DFG::safeToExecute):
792         * dfg/DFGSpeculativeJIT.cpp:
793         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
794         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
795         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
796         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
797         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
798         * dfg/DFGSpeculativeJIT.h:
799         (JSC::DFG::SpeculativeJIT::callOperation):
800         * dfg/DFGSpeculativeJIT32_64.cpp:
801         (JSC::DFG::SpeculativeJIT::compile):
802         * dfg/DFGSpeculativeJIT64.cpp:
803         (JSC::DFG::SpeculativeJIT::compile):
804         * ftl/FTLCapabilities.cpp:
805         (JSC::FTL::canCompile):
806         * ftl/FTLLowerDFGToB3.cpp:
807         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
808         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
809         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
810         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
811         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
812         (JSC::FTL::DFG::LowerDFGToB3::isArray):
813         * jit/JITOperations.h:
814         * jsc.cpp:
815         (WTF::RuntimeArray::createStructure):
816         (GlobalObject::finishCreation):
817         (functionDebug):
818         (functionDataLogValue):
819         * runtime/ArrayConstructor.cpp:
820         (JSC::ArrayConstructor::finishCreation):
821         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
822         * runtime/ArrayConstructor.h:
823         (JSC::isArrayConstructor):
824         * runtime/ArrayPrototype.cpp:
825         (JSC::ArrayPrototype::finishCreation):
826         (JSC::arrayProtoPrivateFuncIsJSArray):
827         (JSC::moveElements):
828         (JSC::arrayProtoPrivateFuncConcatMemcpy):
829         (JSC::arrayProtoPrivateFuncAppendMemcpy):
830         (JSC::arrayProtoFuncConcat): Deleted.
831         * runtime/ArrayPrototype.h:
832         (JSC::ArrayPrototype::createStructure):
833         * runtime/CommonIdentifiers.h:
834         * runtime/Intrinsic.h:
835         * runtime/JSArray.cpp:
836         (JSC::JSArray::appendMemcpy):
837         (JSC::JSArray::fastConcatWith): Deleted.
838         * runtime/JSArray.h:
839         (JSC::JSArray::createStructure):
840         (JSC::JSArray::fastConcatType): Deleted.
841         * runtime/JSArrayInlines.h: Added.
842         (JSC::JSArray::memCopyWithIndexingType):
843         (JSC::JSArray::canFastCopy):
844         * runtime/JSGlobalObject.cpp:
845         (JSC::JSGlobalObject::init):
846         * runtime/JSType.h:
847         * runtime/ObjectConstructor.h:
848         (JSC::constructObject):
849         * tests/es6.yaml:
850         * tests/stress/array-concat-spread-object.js: Added.
851         (arrayEq):
852         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
853         (arrayEq):
854         * tests/stress/array-concat-spread-proxy.js: Added.
855         (arrayEq):
856         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
857         (arrayEq):
858         * tests/stress/array-species-config-array-constructor.js:
859
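As an added example (not WebKit code) of the Symbol.isConcatSpreadable semantics that the entry above moves into a JS builtin; the array-like objects and the Proxy are constructed for illustration and it runs in any ES2015 engine:

```javascript
// Added example (not WebKit/JSC code): the ES6 Symbol.isConcatSpreadable
// semantics that a JS implementation of Array.prototype.concat must follow.

// Arrays are spread by default.
function concatDefault() {
  return [1, 2].concat([3, 4]);            // [1, 2, 3, 4]
}

// An array can opt out: it is then appended as a single element.
function concatArrayOptOut() {
  const tail = [3, 4];
  tail[Symbol.isConcatSpreadable] = false;
  return [1, 2].concat(tail);              // [1, 2, [3, 4]]
}

// A plain array-like object can opt in: its "length" and indexed properties
// are copied one by one, so none of the JSArray memcpy fast paths can apply.
function concatArrayLikeOptIn() {
  const spreadable = { length: 2, 0: 'a', 1: 'b', [Symbol.isConcatSpreadable]: true };
  return [].concat(spreadable);            // ['a', 'b']
}

// Every property read concat performs on a spreadable argument is observable
// through a Proxy: Symbol.isConcatSpreadable first, then "length", then each
// index (constructed target object, recorded in order).
function concatGetLog() {
  const log = [];
  const target = { length: 2, 0: 'x', 1: 'y', [Symbol.isConcatSpreadable]: true };
  const proxy = new Proxy(target, {
    get(obj, key, receiver) {
      log.push(key);
      return Reflect.get(obj, key, receiver);
    },
  });
  const result = [].concat(proxy);
  return { result, log };                  // ['x', 'y'], [Symbol.isConcatSpreadable, 'length', '0', '1']
}
```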
860 2016-04-06  Commit Queue  <commit-queue@webkit.org>
861
862         Unreviewed, rolling out r199070.
863         https://bugs.webkit.org/show_bug.cgi?id=156324
864
865         "It didn't fix the timeout" (Requested by saamyjoon on
866         #webkit).
867
868         Reverted changeset:
869
870         "jsc-layout-tests.yaml/js/script-tests/regress-141098.js
871         failing on Yosemite Debug after r198989"
872         https://bugs.webkit.org/show_bug.cgi?id=156187
873         http://trac.webkit.org/changeset/199070
874
875 2016-04-06  Geoffrey Garen  <ggaren@apple.com>
876
877         Unreviewed, rolling in r199016.
878         https://bugs.webkit.org/show_bug.cgi?id=156140
879
880         It might work this time without regression because 16kB aligned requests
881         now take the allocation fast path.
882
883         Restored changeset:
884
885         CopiedBlock should be 16kB
886         https://bugs.webkit.org/show_bug.cgi?id=156168
887         http://trac.webkit.org/changeset/199016
888
889 2016-04-06  Mark Lam  <mark.lam@apple.com>
890
891         Update es6.yaml to expect es6/Proxy_internal_get_calls_RegExp_constructor.js to pass.
892         https://bugs.webkit.org/show_bug.cgi?id=156314
893
894         Reviewed by Saam Barati.
895
896         * tests/es6.yaml:
897
898 2016-04-06  Commit Queue  <commit-queue@webkit.org>
899
900         Unreviewed, rolling out r199104.
901         https://bugs.webkit.org/show_bug.cgi?id=156301
902
903         Still breaks internal builds (Requested by keith_miller on
904         #webkit).
905
906         Reverted changeset:
907
908         "We should support the ability to do a non-effectful getById"
909         https://bugs.webkit.org/show_bug.cgi?id=156116
910         http://trac.webkit.org/changeset/199104
911
912 2016-04-06  Keith Miller  <keith_miller@apple.com>
913
914         RegExp constructor should use Symbol.match and other properties
915         https://bugs.webkit.org/show_bug.cgi?id=155873
916
917         Reviewed by Michael Saboff.
918
919         This patch updates the behavior of the RegExp constructor. Now the constructor
920         should get the Symbol.match property and check if it exists to decide if something
921         should be constructed like a regexp object.
922
923         * runtime/RegExpConstructor.cpp:
924         (JSC::toFlags):
925         (JSC::constructRegExp):
926         (JSC::constructWithRegExpConstructor):
927         (JSC::callRegExpConstructor):
928         * runtime/RegExpConstructor.h:
929         * tests/stress/regexp-constructor.js: Added.
930         (assert):
931         (throw.new.Error.get let):
932         (throw.new.Error.):
933         (throw.new.Error.get re):
934
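As an added example (not WebKit code) covering both the IsRegExp check via Symbol.match described in this entry and the RegExpCreate change for String.prototype.match in the entry further above; the fake RegExp-like object and the Proxy are constructed for illustration:

```javascript
// Added example (not WebKit/JSC code): the ES6 IsRegExp check (Symbol.match)
// performed by the RegExp constructor, and its absence from the RegExpCreate
// path that String.prototype.match takes for a non-RegExp argument.

// RegExp called without `new` returns the argument itself when it is
// RegExp-like and its "constructor" property is RegExp.
function callWithoutNewReturnsArgument() {
  const re = /a/g;
  return RegExp(re) === re;                       // true
}

// Any object carrying a Symbol.match property is RegExp-like, so the
// constructor reads its "source" and "flags" instead of stringifying it.
function regExpLikeObjectIsRecognised() {
  const fake = { [Symbol.match]: true, source: 'b+', flags: 'i' };  // constructed
  const re = new RegExp(fake);
  return { source: re.source, flags: re.flags, matches: re.test('aBB') };
}

// Conversely, a real RegExp whose Symbol.match is falsy is no longer
// RegExp-like, so RegExp(re) builds a fresh object from the internal
// pattern instead of returning re.
function optOutViaSymbolMatch() {
  const re = /c/;
  re[Symbol.match] = false;
  const copy = RegExp(re);
  return { isSameObject: copy === re, source: copy.source };  // false, 'c'
}

// String.prototype.match with a non-RegExp argument: Symbol.match is read
// once by match itself, then RegExpCreate applies ToString to the argument
// (Symbol.toPrimitive, then toString). Routing through the constructor would
// add a second, observable Symbol.match read from IsRegExp.
function matchGetLog() {
  const log = [];
  const target = { toString() { return 'b'; } };   // constructed
  const proxy = new Proxy(target, {
    get(obj, key, receiver) {
      log.push(key);
      return Reflect.get(obj, key, receiver);
    },
  });
  const m = 'abc'.match(proxy);
  return { matched: m && m[0], log };   // 'b', [Symbol.match, Symbol.toPrimitive, 'toString']
}
```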
935 2016-04-06  Keith Miller  <keith_miller@apple.com>
936
937         We should support the ability to do a non-effectful getById
938         https://bugs.webkit.org/show_bug.cgi?id=156116
939
940         Reviewed by Benjamin Poulain.
941
942         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
943         useful because it enables us to take different code paths based on values that we would
944         otherwise not be able to have knowledge of. This patch adds this new feature called
945         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
946         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
947         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
948         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
949         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
950         the global object that indicates we could not get the result.
951
952         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
953         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
954         get_by_id the same way we would for load and return the value at the appropriate offset.
955         Additionally, in order to make sure that we can properly compare the GetterSetter object
956         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
957         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
958         likely to have little to no impact on memory usage as normal accessors are generally rare.
959
960         * builtins/BuiltinExecutables.cpp:
961         (JSC::BuiltinExecutables::createDefaultConstructor):
962         (JSC::BuiltinExecutables::createBuiltinExecutable):
963         (JSC::createBuiltinExecutable):
964         (JSC::BuiltinExecutables::createExecutable):
965         (JSC::createExecutableInternal): Deleted.
966         * builtins/BuiltinExecutables.h:
967         * bytecode/BytecodeIntrinsicRegistry.h:
968         * bytecode/BytecodeList.json:
969         * bytecode/BytecodeUseDef.h:
970         (JSC::computeUsesForBytecodeOffset):
971         (JSC::computeDefsForBytecodeOffset):
972         * bytecode/CodeBlock.cpp:
973         (JSC::CodeBlock::dumpBytecode):
974         * bytecode/PolymorphicAccess.cpp:
975         (JSC::AccessCase::tryGet):
976         (JSC::AccessCase::generate):
977         (WTF::printInternal):
978         * bytecode/PolymorphicAccess.h:
979         (JSC::AccessCase::isGet): Deleted.
980         (JSC::AccessCase::isPut): Deleted.
981         (JSC::AccessCase::isIn): Deleted.
982         * bytecode/StructureStubInfo.cpp:
983         (JSC::StructureStubInfo::reset):
984         * bytecode/StructureStubInfo.h:
985         * bytecompiler/BytecodeGenerator.cpp:
986         (JSC::BytecodeGenerator::emitTryGetById):
987         * bytecompiler/BytecodeGenerator.h:
988         * bytecompiler/NodesCodegen.cpp:
989         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
990         * dfg/DFGSpeculativeJIT32_64.cpp:
991         (JSC::DFG::SpeculativeJIT::cachedGetById):
992         * dfg/DFGSpeculativeJIT64.cpp:
993         (JSC::DFG::SpeculativeJIT::cachedGetById):
994         * ftl/FTLLowerDFGToB3.cpp:
995         (JSC::FTL::DFG::LowerDFGToB3::getById):
996         * jit/JIT.cpp:
997         (JSC::JIT::privateCompileMainPass):
998         (JSC::JIT::privateCompileSlowCases):
999         * jit/JIT.h:
1000         * jit/JITInlineCacheGenerator.cpp:
1001         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1002         * jit/JITInlineCacheGenerator.h:
1003         * jit/JITInlines.h:
1004         (JSC::JIT::callOperation):
1005         * jit/JITOperations.cpp:
1006         * jit/JITOperations.h:
1007         * jit/JITPropertyAccess.cpp:
1008         (JSC::JIT::emitGetByValWithCachedId):
1009         (JSC::JIT::emit_op_try_get_by_id):
1010         (JSC::JIT::emitSlow_op_try_get_by_id):
1011         (JSC::JIT::emit_op_get_by_id):
1012         * jit/JITPropertyAccess32_64.cpp:
1013         (JSC::JIT::emitGetByValWithCachedId):
1014         (JSC::JIT::emit_op_try_get_by_id):
1015         (JSC::JIT::emitSlow_op_try_get_by_id):
1016         (JSC::JIT::emit_op_get_by_id):
1017         * jit/Repatch.cpp:
1018         (JSC::repatchByIdSelfAccess):
1019         (JSC::appropriateOptimizingGetByIdFunction):
1020         (JSC::appropriateGenericGetByIdFunction):
1021         (JSC::tryCacheGetByID):
1022         (JSC::repatchGetByID):
1023         (JSC::resetGetByID):
1024         * jit/Repatch.h:
1025         * jsc.cpp:
1026         (GlobalObject::finishCreation):
1027         (functionGetGetterSetter):
1028         (functionCreateBuiltin):
1029         * llint/LLIntData.cpp:
1030         (JSC::LLInt::Data::performAssertions):
1031         * llint/LLIntSlowPaths.cpp:
1032         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1033         * llint/LLIntSlowPaths.h:
1034         * llint/LowLevelInterpreter.asm:
1035         * runtime/GetterSetter.cpp:
1036         * runtime/GetterSetter.h:
1037         * runtime/JSType.h:
1038         * runtime/PropertySlot.cpp:
1039         (JSC::PropertySlot::getPureResult):
1040         * runtime/PropertySlot.h:
1041         * runtime/ProxyObject.cpp:
1042         (JSC::ProxyObject::getOwnPropertySlotCommon):
1043         * tests/stress/try-get-by-id.js: Added.
1044         (tryGetByIdText):
1045         (getCaller.obj.1.throw.new.Error.let.func):
1046         (getCaller.obj.1.throw.new.Error):
1047         (throw.new.Error.get let):
1048         (throw.new.Error.):
1049         (throw.new.Error.let.get createBuiltin):
1050         (get let):
1051         (let.get createBuiltin):
1052         (let.func):
1053         (get let.func):
1054         (get throw):
1055
1056 2016-04-05  Chris Dumez  <cdumez@apple.com>
1057
1058         Add support for [EnabledAtRuntime] operations on DOMWindow
1059         https://bugs.webkit.org/show_bug.cgi?id=156272
1060
1061         Reviewed by Alex Christensen.
1062
1063         Add identifier for 'fetch' so it can be used from the generated
1064         bindings.
1065
1066         * runtime/CommonIdentifiers.h:
1067
1068 2016-04-05  Alex Christensen  <achristensen@webkit.org>
1069
1070         Make CMake-generated binaries on Mac able to run
1071         https://bugs.webkit.org/show_bug.cgi?id=156268
1072
1073         Reviewed by Daniel Bates.
1074
1075         * CMakeLists.txt:
1076
1077 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1078
1079         Improve some other cases of context-sensitive inlining
1080         https://bugs.webkit.org/show_bug.cgi?id=156277
1081
1082         Reviewed by Benjamin Poulain.
1083         
1084         This implements some improvements for inlining:
1085
1086         - We no longer do guarded inlining when the profiling doesn't come from a stub. Doing so would have
1087           been risky, and according to benchmarks, it wasn't common enough to matter. I think it's better to
1088           err on the side of not inlining.
1089         
1090         - The jneq_ptr pattern for variadic calls no longer breaks the basic block. Not breaking the block
1091           increases the chances of the parser seeing the callee constant. While inlining doesn't require a
1092           callee constant, sometimes it makes a difference. Note that we were previously breaking the block
1093           for no reason at all: if the boundary after jneq_ptr is a jump target from some other jump, then
1094           the parser will automatically break the block for us. There is no reason to add any block breaking
1095           ourselves since we implement jneq_ptr by ignoring the affirmative jump destination and inserting a
1096           check and falling through.
1097         
1098         - get_by_id handling now tries to apply some common sense to its status object. In particular, if
1099           the source is a NewObject and there was no interfering operation that could clobber the structure,
1100           then we know which case of a polymorphic GetByIdStatus we would take. This arises in some
1101           constructor patterns.
1102         
1103         Long term, we should address all of these cases comprehensively by having a late inliner. The inliner
1104         being part of the bytecode parser means that there is a lot of complexity in the parser and it
1105         prevents us from inlining upon learning new information from static analysis. But for now, I think
1106         it's fine to experiment with one-off hacks, if only to learn what the possibilities are.
1107         
1108         This is a 14% speed-up on Octane/raytrace.
1109
1110         * bytecode/CallLinkStatus.cpp:
1111         (JSC::CallLinkStatus::dump):
1112         * bytecode/CallLinkStatus.h:
1113         (JSC::CallLinkStatus::couldTakeSlowPath):
1114         (JSC::CallLinkStatus::setCouldTakeSlowPath):
1115         (JSC::CallLinkStatus::variants):
1116         (JSC::CallLinkStatus::size):
1117         (JSC::CallLinkStatus::at):
1118         * bytecode/GetByIdStatus.cpp:
1119         (JSC::GetByIdStatus::makesCalls):
1120         (JSC::GetByIdStatus::filter):
1121         (JSC::GetByIdStatus::dump):
1122         * bytecode/GetByIdStatus.h:
1123         (JSC::GetByIdStatus::wasSeenInJIT):
1124         * dfg/DFGByteCodeParser.cpp:
1125         (JSC::DFG::ByteCodeParser::handleCall):
1126         (JSC::DFG::ByteCodeParser::refineStatically):
1127         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1128         (JSC::DFG::ByteCodeParser::handleInlining):
1129         (JSC::DFG::ByteCodeParser::handleGetById):
1130         (JSC::DFG::ByteCodeParser::parseBlock):
1131         * runtime/Options.h:
1132
1133 2016-04-05  Saam barati  <sbarati@apple.com>
1134
1135         JSC SamplingProfiler: Use a thread + sleep loop instead of WTF::WorkQueue for taking samples
1136         https://bugs.webkit.org/show_bug.cgi?id=154017
1137
1138         Reviewed by Geoffrey Garen.
1139
1140         By moving to an explicitly created separate thread + sample-then-sleep
1141         loop, we can remove a lot of the crufty code around WorkQueue.
1142         We're also getting sample rates that are much closer to what we're
1143         asking the OS for. When the sampling handler was built off of WorkQueue,
1144         we'd often get sample rates much higher than the 1ms we asked for. On Kraken,
1145         we would average about 1.7ms sample rates, even though we'd ask for a 1ms rate.
1146         Now, on Kraken, we're getting about 1.2ms rates. Because we're getting
1147         higher rates, this patch is a performance regression. It's slower because
1148         we're sampling more frequently.
1149
1150         Before this patch, the sampling profiler had the following overhead:
1151         - 10% on Kraken
1152         - 12% on Octane
1153         - 15% on AsmBench
1154
1155         With this patch, the sampling profiler has the following overhead:
1156         - 16% on Kraken
1157         - 17% on Octane
1158         - 30% on AsmBench
1159
1160         Comparatively, this new patch has the following overhead over the old sampling profiler:
1161         - 5% on Kraken
1162         - 3.5% on Octane
1163         - 13% slower on AsmBench
1164
1165         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1166         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1167         * runtime/SamplingProfiler.cpp:
1168         (JSC::SamplingProfiler::SamplingProfiler):
1169         (JSC::SamplingProfiler::~SamplingProfiler):
1170         (JSC::SamplingProfiler::createThreadIfNecessary):
1171         (JSC::SamplingProfiler::timerLoop):
1172         (JSC::SamplingProfiler::takeSample):
1173         (JSC::tryGetBytecodeIndex):
1174         (JSC::SamplingProfiler::shutdown):
1175         (JSC::SamplingProfiler::start):
1176         (JSC::SamplingProfiler::pause):
1177         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1178         (JSC::SamplingProfiler::noticeJSLockAcquisition):
1179         (JSC::SamplingProfiler::noticeVMEntry):
1180         (JSC::SamplingProfiler::clearData):
1181         (JSC::SamplingProfiler::stop): Deleted.
1182         (JSC::SamplingProfiler::dispatchIfNecessary): Deleted.
1183         (JSC::SamplingProfiler::dispatchFunction): Deleted.
1184         * runtime/SamplingProfiler.h:
1185         (JSC::SamplingProfiler::setTimingInterval):
1186         (JSC::SamplingProfiler::setStopWatch):
1187         * runtime/VM.cpp:
1188         (JSC::VM::VM):
1189
1190 2016-04-05  Commit Queue  <commit-queue@webkit.org>
1191
1192         Unreviewed, rolling out r199073.
1193         https://bugs.webkit.org/show_bug.cgi?id=156261
1194
1195         This change broke internal Mac builds (Requested by ryanhaddad
1196         on #webkit).
1197
1198         Reverted changeset:
1199
1200         "We should support the ability to do a non-effectful getById"
1201         https://bugs.webkit.org/show_bug.cgi?id=156116
1202         http://trac.webkit.org/changeset/199073
1203
1204 2016-04-05  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1205
1206         [Fetch API] Add a runtime flag to fetch API and related constructs
1207         https://bugs.webkit.org/show_bug.cgi?id=156113
1208  
1209         Reviewed by Alex Christensen.
1210
1211         Add a fetch API runtime flag based on preferences.
1212         Disable fetch API by default.
1213  
1214         * runtime/CommonIdentifiers.h:
1215
1216 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1217
1218         Unreviewed, fix cloop some more.
1219
1220         * runtime/RegExpInlines.h:
1221         (JSC::RegExp::hasCodeFor):
1222         (JSC::RegExp::hasMatchOnlyCodeFor):
1223
1224 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1225
1226         Unreviewed, fix cloop.
1227
1228         * jit/CCallHelpers.cpp:
1229
1230 2016-03-18  Filip Pizlo  <fpizlo@apple.com>
1231
1232         JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
1233         https://bugs.webkit.org/show_bug.cgi?id=155598
1234
1235         Reviewed by Saam Barati.
1236         
1237         JSC is the first JSVM to have proper tail calls. This means that error.stack and the
1238         debugger will appear to "delete" strict mode stack frames, if the call that this frame made
1239         was in tail position. This is exactly what functional programmers expect - they don't want
1240         the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
1241         using tail calls. It's also something that non-functional programmers fear. It's not clear
1242         that tail-deleted frames would actually degrade the debugging experience, but the fear is
1243         real, so it's worthwhile to do something about it.
1244
1245         It turns out that there is at least one tail call implementation that doesn't suffer from
1246         this problem. It implements proper tail calls in the sense that you won't run out of memory
1247         by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
1248         long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
1249         favorite hacks:
1250         
1251         http://www.more-magic.net/posts/internals-gc.html
1252
1253         CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
1254         one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
1255         frame only once we proved that there was insufficient memory to keep it around.
1256         
1257         CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
1258         can have arbitrary native code, and that native code does not have relocatable stack frames.
1259         
1260         But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
1261         VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
1262         information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
1263         layout. The main stack can then continue to obey ABI rules.
1264
1265         This patch implements a mechanism for being able to display stack traces that include
1266         tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
1267         frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
1268         This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.
1269         
1270         ShadowChicken is always on, but individual CodeBlocks may make their own choices about
1271         whether to opt into it. They will do that at bytecompile time based on the debugger mode on
1272         their global object.
1273
1274         When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
1275         in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
1276         minor.
1277
1278         When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
1279         this all the time, but it's low enough to justify enabling in the Inspector. It's currently
1280         enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
1281         debugger is on.
1282
1283         Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
1284         no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
1285         disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
1286         hacked to do it yet. Native frames fall into this category, as do the VM entry frames.
1287
1288         This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
1289         just makes a ShadowChicken stack walk function available to jsc. It's used from the
1290         shadow-chicken tests.
1291
1292         * API/JSContextRef.cpp:
1293         (BacktraceFunctor::BacktraceFunctor):
1294         (BacktraceFunctor::operator()):
1295         (JSContextCreateBacktrace):
1296         * CMakeLists.txt:
1297         * JavaScriptCore.xcodeproj/project.pbxproj:
1298         * bytecode/BytecodeList.json:
1299         * bytecode/BytecodeUseDef.h:
1300         (JSC::computeUsesForBytecodeOffset):
1301         (JSC::computeDefsForBytecodeOffset):
1302         * bytecode/CodeBlock.cpp:
1303         (JSC::CodeBlock::dumpBytecode):
1304         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
1305         (JSC::RecursionCheckFunctor::operator()):
1306         (JSC::CodeBlock::noticeIncomingCall):
1307         * bytecompiler/BytecodeGenerator.cpp:
1308         (JSC::BytecodeGenerator::emitEnter):
1309         (JSC::BytecodeGenerator::emitCallInTailPosition):
1310         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1311         (JSC::BytecodeGenerator::emitCallVarargs):
1312         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1313         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1314         (JSC::BytecodeGenerator::emitCallDefineProperty):
1315         * bytecompiler/BytecodeGenerator.h:
1316         * debugger/DebuggerCallFrame.cpp:
1317         (JSC::LineAndColumnFunctor::operator()):
1318         (JSC::LineAndColumnFunctor::column):
1319         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
1320         (JSC::FindCallerMidStackFunctor::operator()):
1321         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1322         * dfg/DFGAbstractInterpreterInlines.h:
1323         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1324         * dfg/DFGByteCodeParser.cpp:
1325         (JSC::DFG::ByteCodeParser::parseBlock):
1326         * dfg/DFGClobberize.h:
1327         (JSC::DFG::clobberize):
1328         * dfg/DFGDoesGC.cpp:
1329         (JSC::DFG::doesGC):
1330         * dfg/DFGFixupPhase.cpp:
1331         (JSC::DFG::FixupPhase::fixupNode):
1332         * dfg/DFGNodeType.h:
1333         * dfg/DFGPredictionPropagationPhase.cpp:
1334         (JSC::DFG::PredictionPropagationPhase::propagate):
1335         * dfg/DFGSafeToExecute.h:
1336         (JSC::DFG::safeToExecute):
1337         * dfg/DFGSpeculativeJIT32_64.cpp:
1338         (JSC::DFG::SpeculativeJIT::compile):
1339         * dfg/DFGSpeculativeJIT64.cpp:
1340         (JSC::DFG::SpeculativeJIT::compile):
1341         * ftl/FTLAbstractHeapRepository.cpp:
1342         * ftl/FTLAbstractHeapRepository.h:
1343         * ftl/FTLCapabilities.cpp:
1344         (JSC::FTL::canCompile):
1345         * ftl/FTLLowerDFGToB3.cpp:
1346         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1347         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1348         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1349         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1350         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1351         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1352         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
1353         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1354         * heap/Heap.cpp:
1355         (JSC::Heap::markRoots):
1356         (JSC::Heap::visitSamplingProfiler):
1357         (JSC::Heap::visitShadowChicken):
1358         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1359         (JSC::Heap::collectImpl):
1360         * heap/Heap.h:
1361         * inspector/ScriptCallStackFactory.cpp:
1362         (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
1363         (Inspector::CreateScriptCallStackFunctor::operator()):
1364         (Inspector::createScriptCallStack):
1365         * interpreter/CallFrame.h:
1366         (JSC::ExecState::iterate):
1367         * interpreter/Interpreter.cpp:
1368         (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
1369         (JSC::DumpRegisterFunctor::operator()):
1370         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1371         (JSC::GetStackTraceFunctor::operator()):
1372         (JSC::Interpreter::getStackTrace):
1373         (JSC::GetCatchHandlerFunctor::handler):
1374         (JSC::GetCatchHandlerFunctor::operator()):
1375         (JSC::notifyDebuggerOfUnwinding):
1376         (JSC::UnwindFunctor::UnwindFunctor):
1377         (JSC::UnwindFunctor::operator()):
1378         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
1379         * interpreter/ShadowChicken.cpp: Added.
1380         (JSC::ShadowChicken::Packet::dump):
1381         (JSC::ShadowChicken::Frame::dump):
1382         (JSC::ShadowChicken::ShadowChicken):
1383         (JSC::ShadowChicken::~ShadowChicken):
1384         (JSC::ShadowChicken::log):
1385         (JSC::ShadowChicken::update):
1386         (JSC::ShadowChicken::visitChildren):
1387         (JSC::ShadowChicken::reset):
1388         (JSC::ShadowChicken::dump):
1389         (JSC::ShadowChicken::functionsOnStack):
1390         * interpreter/ShadowChicken.h: Added.
1391         (JSC::ShadowChicken::Packet::Packet):
1392         (JSC::ShadowChicken::Packet::tailMarker):
1393         (JSC::ShadowChicken::Packet::throwMarker):
1394         (JSC::ShadowChicken::Packet::prologue):
1395         (JSC::ShadowChicken::Packet::tail):
1396         (JSC::ShadowChicken::Packet::throwPacket):
1397         (JSC::ShadowChicken::Packet::operator bool):
1398         (JSC::ShadowChicken::Packet::isPrologue):
1399         (JSC::ShadowChicken::Packet::isTail):
1400         (JSC::ShadowChicken::Packet::isThrow):
1401         (JSC::ShadowChicken::Frame::Frame):
1402         (JSC::ShadowChicken::Frame::operator==):
1403         (JSC::ShadowChicken::Frame::operator!=):
1404         (JSC::ShadowChicken::log):
1405         (JSC::ShadowChicken::logSize):
1406         (JSC::ShadowChicken::addressOfLogCursor):
1407         (JSC::ShadowChicken::logEnd):
1408         * interpreter/ShadowChickenInlines.h: Added.
1409         (JSC::ShadowChicken::iterate):
1410         * interpreter/StackVisitor.h:
1411         (JSC::StackVisitor::Frame::callee):
1412         (JSC::StackVisitor::Frame::codeBlock):
1413         (JSC::StackVisitor::Frame::bytecodeOffset):
1414         (JSC::StackVisitor::Frame::inlineCallFrame):
1415         (JSC::StackVisitor::Frame::isJSFrame):
1416         (JSC::StackVisitor::Frame::isInlinedFrame):
1417         (JSC::StackVisitor::visit):
1418         * jit/CCallHelpers.cpp: Added.
1419         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1420         (JSC::CCallHelpers::logShadowChickenTailPacket):
1421         (JSC::CCallHelpers::setupShadowChickenPacket):
1422         * jit/CCallHelpers.h:
1423         (JSC::CCallHelpers::prepareForTailCallSlow):
1424         * jit/JIT.cpp:
1425         (JSC::JIT::privateCompileMainPass):
1426         * jit/JIT.h:
1427         * jit/JITExceptions.cpp:
1428         (JSC::genericUnwind):
1429         * jit/JITOpcodes.cpp:
1430         (JSC::JIT::emit_op_resume):
1431         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1432         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1433         * jit/JITOperations.cpp:
1434         * jit/JITOperations.h:
1435         * jsc.cpp:
1436         (GlobalObject::finishCreation):
1437         (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
1438         (FunctionJSCStackFunctor::operator()):
1439         (functionClearSamplingFlags):
1440         (functionShadowChickenFunctionsOnStack):
1441         (functionReadline):
1442         * llint/LLIntOffsetsExtractor.cpp:
1443         * llint/LLIntSlowPaths.cpp:
1444         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1445         (JSC::LLInt::llint_throw_stack_overflow_error):
1446         * llint/LLIntSlowPaths.h:
1447         * llint/LowLevelInterpreter.asm:
1448         * profiler/ProfileGenerator.cpp:
1449         (JSC::AddParentForConsoleStartFunctor::foundParent):
1450         (JSC::AddParentForConsoleStartFunctor::operator()):
1451         * runtime/Error.cpp:
1452         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1453         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1454         (JSC::addErrorInfoAndGetBytecodeOffset):
1455         * runtime/JSFunction.cpp:
1456         (JSC::RetrieveArgumentsFunctor::result):
1457         (JSC::RetrieveArgumentsFunctor::operator()):
1458         (JSC::retrieveArguments):
1459         (JSC::RetrieveCallerFunctionFunctor::result):
1460         (JSC::RetrieveCallerFunctionFunctor::operator()):
1461         (JSC::retrieveCallerFunction):
1462         * runtime/JSGlobalObjectFunctions.cpp:
1463         (JSC::GlobalFuncProtoGetterFunctor::result):
1464         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1465         (JSC::globalFuncProtoGetter):
1466         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1467         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1468         * runtime/NullSetterFunction.cpp:
1469         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
1470         (JSC::GetCallerStrictnessFunctor::operator()):
1471         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
1472         (JSC::callerIsStrict):
1473         * runtime/ObjectConstructor.cpp:
1474         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1475         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1476         (JSC::objectConstructorGetPrototypeOf):
1477         * runtime/Options.h:
1478         * runtime/VM.cpp:
1479         (JSC::VM::VM):
1480         (JSC::SetEnabledProfilerFunctor::operator()):
1481         * runtime/VM.h:
1482         (JSC::VM::shouldBuilderPCToCodeOriginMapping):
1483         (JSC::VM::bytecodeIntrinsicRegistry):
1484         (JSC::VM::shadowChicken):
1485         * tests/stress/resources/shadow-chicken-support.js: Added.
1486         (describeFunction):
1487         (describeArray):
1488         (expectStack):
1489         (initialize):
1490         * tests/stress/shadow-chicken-disabled.js: Added.
1491         (test1.foo):
1492         (test1.bar):
1493         (test1.baz):
1494         (test1):
1495         (test2.foo):
1496         (test2.bar):
1497         (test2.baz):
1498         (test2):
1499         (test3.foo):
1500         (test3.bar):
1501         (test3.baz):
1502         (test3):
1503         * tests/stress/shadow-chicken-enabled.js: Added.
1504         (test1.foo):
1505         (test1.bar):
1506         (test1.baz):
1507         (test1):
1508         (test2.foo):
1509         (test2.bar):
1510         (test2.baz):
1511         (test2):
1512         (test3.bob):
1513         (test3.thingy):
1514         (test3.foo):
1515         (test3.bar):
1516         (test3.baz):
1517         (test3):
1518         (test4.bob):
1519         (test4.thingy):
1520         (test4.foo):
1521         (test4.bar):
1522         (test4.baz):
1523         (test4):
1524         (test5.foo):
1525         (test5):
1526         * tools/JSDollarVMPrototype.cpp:
1527         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1528         (JSC::CallerFrameJITTypeFunctor::operator()):
1529         (JSC::CallerFrameJITTypeFunctor::jitType):
1530         (JSC::functionLLintTrue):
1531         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1532         (JSC::CellAddressCheckFunctor::operator()):
1533         (JSC::JSDollarVMPrototype::isValidCell):
1534         (JSC::JSDollarVMPrototype::isValidCodeBlock):
1535         (JSC::JSDollarVMPrototype::codeBlockForFrame):
1536         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1537         (JSC::PrintFrameFunctor::operator()):
1538         (JSC::printCallFrame):
1539
1540 2016-03-19  Filip Pizlo  <fpizlo@apple.com>
1541
1542         DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
1543         https://bugs.webkit.org/show_bug.cgi?id=155270
1544
1545         Reviewed by Saam Barati.
1546
1547         This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.
1548
1549         It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
1550         strings gave the DFG an API for reasoning about JSString constants in terms of
1551         JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
1552         based on the results.
1553
1554         But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
1555         use the same Structure that the code would have used or else we'll pollute the program's
1556         inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
1557         properties in one go - we don't want to lose that optimization. So, this patch enables
1558         MaterializeNewObject to allocate objects or arrays with any number of indexed or named
1559         properties. Previously it could only handle objects (but not arrays) and named properties
1560         (but not indexed ones).
1561
1562         This also adds a few minor things for setting the RegExpConstructor cached result.
1563
1564         This is about a 2x speed-up on microbenchmarks when we fold a match success and about a
1565         8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.
1566
1567         * JavaScriptCore.xcodeproj/project.pbxproj:
1568         * dfg/DFGAbstractInterpreterInlines.h:
1569         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1570         * dfg/DFGClobberize.h:
1571         (JSC::DFG::clobberize):
1572         * dfg/DFGDoesGC.cpp:
1573         (JSC::DFG::doesGC):
1574         * dfg/DFGFixupPhase.cpp:
1575         (JSC::DFG::FixupPhase::fixupNode):
1576         * dfg/DFGGraph.cpp:
1577         (JSC::DFG::Graph::dump):
1578         * dfg/DFGInsertionSet.cpp:
1579         (JSC::DFG::InsertionSet::insertSlow):
1580         (JSC::DFG::InsertionSet::execute):
1581         * dfg/DFGInsertionSet.h:
1582         (JSC::DFG::InsertionSet::insertCheck):
1583         * dfg/DFGLazyJSValue.cpp:
1584         (JSC::DFG::LazyJSValue::tryGetString):
1585         * dfg/DFGMayExit.cpp:
1586         (JSC::DFG::mayExit):
1587         * dfg/DFGNode.h:
1588         (JSC::DFG::StackAccessData::flushedAt):
1589         (JSC::DFG::OpInfo::OpInfo): Deleted.
1590         * dfg/DFGNodeType.h:
1591         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1592         * dfg/DFGObjectMaterializationData.cpp:
1593         (JSC::DFG::ObjectMaterializationData::dump):
1594         (JSC::DFG::PhantomPropertyValue::dump): Deleted.
1595         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
1596         (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
1597         * dfg/DFGObjectMaterializationData.h:
1598         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
1599         (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
1600         * dfg/DFGOpInfo.h: Added.
1601         (JSC::DFG::OpInfo::OpInfo):
1602         * dfg/DFGOperations.cpp:
1603         * dfg/DFGOperations.h:
1604         * dfg/DFGPredictionPropagationPhase.cpp:
1605         (JSC::DFG::PredictionPropagationPhase::propagate):
1606         * dfg/DFGPromotedHeapLocation.cpp:
1607         (WTF::printInternal):
1608         * dfg/DFGPromotedHeapLocation.h:
1609         * dfg/DFGSafeToExecute.h:
1610         (JSC::DFG::safeToExecute):
1611         * dfg/DFGSpeculativeJIT.cpp:
1612         (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
1613         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1614         (JSC::DFG::SpeculativeJIT::emitGetLength):
1615         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
1616         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1617         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
1618         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
1619         * dfg/DFGSpeculativeJIT.h:
1620         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1621         * dfg/DFGSpeculativeJIT32_64.cpp:
1622         (JSC::DFG::SpeculativeJIT::compile):
1623         * dfg/DFGSpeculativeJIT64.cpp:
1624         (JSC::DFG::SpeculativeJIT::compile):
1625         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1626         * dfg/DFGStrengthReductionPhase.cpp:
1627         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
1628         (JSC::DFG::StrengthReductionPhase::handleNode):
1629         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1630         (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
1631         * dfg/DFGValidate.cpp:
1632         (JSC::DFG::Validate::validate):
1633         (JSC::DFG::Validate::validateCPS):
1634         * ftl/FTLAbstractHeapRepository.cpp:
1635         * ftl/FTLAbstractHeapRepository.h:
1636         * ftl/FTLCapabilities.cpp:
1637         (JSC::FTL::canCompile):
1638         * ftl/FTLLowerDFGToB3.cpp:
1639         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1640         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1641         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1642         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1643         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1644         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1645         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1646         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
1647         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1648         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1649         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1650         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1651         * ftl/FTLOperations.cpp:
1652         (JSC::FTL::operationPopulateObjectInOSR):
1653         (JSC::FTL::operationNewObjectWithButterfly): Deleted.
1654         * ftl/FTLOperations.h:
1655         * inspector/ContentSearchUtilities.cpp:
1656         * runtime/JSObject.h:
1657         (JSC::JSObject::createRawObject):
1658         (JSC::JSFinalObject::create):
1659         * runtime/RegExp.cpp:
1660         (JSC::RegExp::compile):
1661         (JSC::RegExp::match):
1662         (JSC::RegExp::matchConcurrently):
1663         (JSC::RegExp::compileMatchOnly):
1664         (JSC::RegExp::deleteCode):
1665         * runtime/RegExp.h:
1666         * runtime/RegExpCachedResult.h:
1667         (JSC::RegExpCachedResult::offsetOfLastRegExp):
1668         (JSC::RegExpCachedResult::offsetOfLastInput):
1669         (JSC::RegExpCachedResult::offsetOfResult):
1670         (JSC::RegExpCachedResult::offsetOfReified):
1671         * runtime/RegExpConstructor.h:
1672         (JSC::RegExpConstructor::offsetOfCachedResult):
1673         * runtime/RegExpInlines.h:
1674         (JSC::RegExp::hasCodeFor):
1675         (JSC::RegExp::compileIfNecessary):
1676         (JSC::RegExp::matchInline):
1677         (JSC::RegExp::hasMatchOnlyCodeFor):
1678         (JSC::RegExp::compileIfNecessaryMatchOnly):
1679         * runtime/RegExpObjectInlines.h:
1680         (JSC::RegExpObject::execInline):
1681         * runtime/StringPrototype.cpp:
1682         (JSC::substituteBackreferencesSlow):
1683         (JSC::substituteBackreferencesInline):
1684         (JSC::substituteBackreferences):
1685         (JSC::StringRange::StringRange):
1686         * runtime/StringPrototype.h:
1687         * runtime/VM.h:
1688         * tests/stress/simple-regexp-exec-folding-fail.js: Added.
1689         (foo):
1690         * tests/stress/simple-regexp-exec-folding.js: Added.
1691         (foo):
1692         * tests/stress/simple-regexp-test-folding-fail.js: Added.
1693         (foo):
1694         * tests/stress/simple-regexp-test-folding.js: Added.
1695         (foo):
1696         * yarr/RegularExpression.cpp:
1697         * yarr/Yarr.h:
1698         * yarr/YarrInterpreter.cpp:
1699         (JSC::Yarr::Interpreter::interpret):
1700         (JSC::Yarr::ByteCompiler::ByteCompiler):
1701         (JSC::Yarr::ByteCompiler::compile):
1702         (JSC::Yarr::ByteCompiler::checkInput):
1703         (JSC::Yarr::byteCompile):
1704         (JSC::Yarr::interpret):
1705         * yarr/YarrInterpreter.h:
1706         (JSC::Yarr::BytecodePattern::BytecodePattern):
1707
1708 2016-04-05  Keith Miller  <keith_miller@apple.com>
1709
1710         We should support the ability to do a non-effectful getById
1711         https://bugs.webkit.org/show_bug.cgi?id=156116
1712
1713         Reviewed by Benjamin Poulain.
1714
1715         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
1716         useful because it enables us to take different code paths based on values that we would
1717         otherwise not be able to have knowledge of. This patch adds this new feature called
1718         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
1719         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
1720         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
1721         undefined if the slot is unset. If the slot is proxied, or in any other case, the result
1722         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
1723         the global object that indicates we could not get the result.
1724
1725         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
1726         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
1727         get_by_id the same way we would for load and return the value at the appropriate offset.
1728         Additionally, in order to make sure that we can properly compare the GetterSetter object
1729         with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
1730         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
1731         likely to have little to no impact on memory usage as normal accessors are generally rare.
1732
1733         * JavaScriptCore.xcodeproj/project.pbxproj:
1734         * builtins/BuiltinExecutables.cpp:
1735         (JSC::BuiltinExecutables::createDefaultConstructor):
1736         (JSC::BuiltinExecutables::createBuiltinExecutable):
1737         (JSC::createBuiltinExecutable):
1738         (JSC::BuiltinExecutables::createExecutable):
1739         (JSC::createExecutableInternal): Deleted.
1740         * builtins/BuiltinExecutables.h:
1741         * bytecode/BytecodeIntrinsicRegistry.h:
1742         * bytecode/BytecodeList.json:
1743         * bytecode/BytecodeUseDef.h:
1744         (JSC::computeUsesForBytecodeOffset):
1745         (JSC::computeDefsForBytecodeOffset):
1746         * bytecode/CodeBlock.cpp:
1747         (JSC::CodeBlock::dumpBytecode):
1748         * bytecode/PolymorphicAccess.cpp:
1749         (JSC::AccessCase::tryGet):
1750         (JSC::AccessCase::generate):
1751         (WTF::printInternal):
1752         * bytecode/PolymorphicAccess.h:
1753         (JSC::AccessCase::isGet): Deleted.
1754         (JSC::AccessCase::isPut): Deleted.
1755         (JSC::AccessCase::isIn): Deleted.
1756         * bytecode/StructureStubInfo.cpp:
1757         (JSC::StructureStubInfo::reset):
1758         * bytecode/StructureStubInfo.h:
1759         * bytecompiler/BytecodeGenerator.cpp:
1760         (JSC::BytecodeGenerator::emitTryGetById):
1761         * bytecompiler/BytecodeGenerator.h:
1762         * bytecompiler/NodesCodegen.cpp:
1763         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
1764         * dfg/DFGSpeculativeJIT32_64.cpp:
1765         (JSC::DFG::SpeculativeJIT::cachedGetById):
1766         * dfg/DFGSpeculativeJIT64.cpp:
1767         (JSC::DFG::SpeculativeJIT::cachedGetById):
1768         * ftl/FTLLowerDFGToB3.cpp:
1769         (JSC::FTL::DFG::LowerDFGToB3::getById):
1770         * jit/JIT.cpp:
1771         (JSC::JIT::privateCompileMainPass):
1772         (JSC::JIT::privateCompileSlowCases):
1773         * jit/JIT.h:
1774         * jit/JITInlineCacheGenerator.cpp:
1775         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1776         * jit/JITInlineCacheGenerator.h:
1777         * jit/JITInlines.h:
1778         (JSC::JIT::callOperation):
1779         * jit/JITOperations.cpp:
1780         * jit/JITOperations.h:
1781         * jit/JITPropertyAccess.cpp:
1782         (JSC::JIT::emitGetByValWithCachedId):
1783         (JSC::JIT::emit_op_try_get_by_id):
1784         (JSC::JIT::emitSlow_op_try_get_by_id):
1785         (JSC::JIT::emit_op_get_by_id):
1786         * jit/JITPropertyAccess32_64.cpp:
1787         (JSC::JIT::emitGetByValWithCachedId):
1788         (JSC::JIT::emit_op_try_get_by_id):
1789         (JSC::JIT::emitSlow_op_try_get_by_id):
1790         (JSC::JIT::emit_op_get_by_id):
1791         * jit/Repatch.cpp:
1792         (JSC::repatchByIdSelfAccess):
1793         (JSC::appropriateOptimizingGetByIdFunction):
1794         (JSC::appropriateGenericGetByIdFunction):
1795         (JSC::tryCacheGetByID):
1796         (JSC::repatchGetByID):
1797         (JSC::resetGetByID):
1798         * jit/Repatch.h:
1799         * jsc.cpp:
1800         (GlobalObject::finishCreation):
1801         (functionGetGetterSetter):
1802         (functionCreateBuiltin):
1803         * llint/LLIntData.cpp:
1804         (JSC::LLInt::Data::performAssertions):
1805         * llint/LLIntSlowPaths.cpp:
1806         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1807         * llint/LLIntSlowPaths.h:
1808         * llint/LowLevelInterpreter.asm:
1809         * runtime/GetterSetter.cpp:
1810         * runtime/GetterSetter.h:
1811         * runtime/JSType.h:
1812         * runtime/PropertySlot.cpp:
1813         (JSC::PropertySlot::getPureResult):
1814         * runtime/PropertySlot.h:
1815         * runtime/ProxyObject.cpp:
1816         (JSC::ProxyObject::getOwnPropertySlotCommon):
1817         * tests/stress/try-get-by-id.js: Added.
1818         (tryGetByIdText):
1819         (getCaller.obj.1.throw.new.Error.let.func):
1820         (getCaller.obj.1.throw.new.Error):
1821         (throw.new.Error.get let):
1822         (throw.new.Error.):
1823         (throw.new.Error.let.get createBuiltin):
1824         (get let):
1825         (let.get createBuiltin):
1826         (let.func):
1827         (get let.func):
1828         (get throw):
1829
1830 2016-04-05  Saam barati  <sbarati@apple.com>
1831
1832         jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
1833         https://bugs.webkit.org/show_bug.cgi?id=156187
1834
1835         Reviewed by Filip Pizlo.
1836
1837         This is a speculative fix. Let's see if this prevents the timeout.
1838
1839         * parser/Parser.cpp:
1840         (JSC::Parser<LexerType>::parseStatementListItem):
1841
1842 2016-04-04  Filip Pizlo  <fpizlo@apple.com>
1843
1844         PolymorphicAccess should have a MegamorphicLoad case
1845         https://bugs.webkit.org/show_bug.cgi?id=156182
1846
1847         Reviewed by Geoffrey Garen and Keith Miller.
1848
1849         This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
1850         the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
1851         calling into C++ to do the same job - particularly since inlining the lookup into an access means
1852         that we can precompute the hash code.
1853
1854         When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
1855         optimal. It used a double-hashing method for reducing collision pathologies. This is great for
1856         improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
1857         want to optimize the average-case performance. When optimizing for average-case, we can choose to
1858         either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
1859         worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
1860         probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
1861         pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
1862         likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
1863         the fast case.
1864
1865         I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
1866         this preserves the good performance of the fast case. It requires at least one more value to be live
1867         around the loop, and dramatically increases the register pressure at key points inside the loop. The
1868         biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
1869         the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
1870         then we will pay a steep price anytime we take the second iteration around the loop; but if the
1871         compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
1872         some architectures (I performed biological register allocation and found that I needed 9 registers
1873         for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
1874         be better off).
1875
1876         Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
1877         on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.
1878
1879         There are some other small changes in this patch, like rationalizing the IC's choice between giving
1880         up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
1881         try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
1882         choose between those options, but we weren't fully taking advantage of it because the
1883         regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
1884         sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
1885         this is all made explicit. I wanted to make sure this change happened in this patch since the
1886         MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
1887         this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
1888         that the rules for giving up were something that made sense to me.
1889         
1890         This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
1891         speed-up for page loading, because many real websites like to have megamorphic property accesses.
1892
1893         * bytecode/PolymorphicAccess.cpp:
1894         (JSC::AccessGenerationResult::dump):
1895         (JSC::AccessGenerationState::addWatchpoint):
1896         (JSC::AccessCase::get):
1897         (JSC::AccessCase::megamorphicLoad):
1898         (JSC::AccessCase::replace):
1899         (JSC::AccessCase::guardedByStructureCheck):
1900         (JSC::AccessCase::couldStillSucceed):
1901         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1902         (JSC::AccessCase::canReplace):
1903         (JSC::AccessCase::generateWithGuard):
1904         (JSC::AccessCase::generate):
1905         (JSC::PolymorphicAccess::PolymorphicAccess):
1906         (JSC::PolymorphicAccess::~PolymorphicAccess):
1907         (JSC::PolymorphicAccess::regenerateWithCases):
1908         (JSC::PolymorphicAccess::regenerateWithCase):
1909         (WTF::printInternal):
1910         * bytecode/PolymorphicAccess.h:
1911         (JSC::AccessCase::isGet):
1912         (JSC::AccessCase::isPut):
1913         (JSC::AccessCase::isIn):
1914         (JSC::AccessGenerationResult::AccessGenerationResult):
1915         (JSC::AccessGenerationResult::operator==):
1916         (JSC::AccessGenerationResult::operator!=):
1917         (JSC::AccessGenerationResult::operator bool):
1918         (JSC::AccessGenerationResult::kind):
1919         (JSC::AccessGenerationResult::code):
1920         (JSC::AccessGenerationResult::madeNoChanges):
1921         (JSC::AccessGenerationResult::gaveUp):
1922         (JSC::AccessGenerationResult::generatedNewCode):
1923         (JSC::PolymorphicAccess::isEmpty):
1924         (JSC::AccessGenerationState::AccessGenerationState):
1925         * bytecode/StructureStubInfo.cpp:
1926         (JSC::StructureStubInfo::aboutToDie):
1927         (JSC::StructureStubInfo::addAccessCase):
1928         * bytecode/StructureStubInfo.h:
1929         * jit/AssemblyHelpers.cpp:
1930         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1931         (JSC::AssemblyHelpers::loadProperty):
1932         (JSC::emitRandomThunkImpl):
1933         (JSC::AssemblyHelpers::emitRandomThunk):
1934         (JSC::AssemblyHelpers::emitLoadStructure):
1935         * jit/AssemblyHelpers.h:
1936         (JSC::AssemblyHelpers::loadValue):
1937         (JSC::AssemblyHelpers::moveValueRegs):
1938         (JSC::AssemblyHelpers::argumentsStart):
1939         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1940         (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
1941         * jit/GPRInfo.cpp:
1942         (JSC::JSValueRegs::dump):
1943         * jit/GPRInfo.h:
1944         (JSC::JSValueRegs::uses):
1945         * jit/Repatch.cpp:
1946         (JSC::replaceWithJump):
1947         (JSC::tryCacheGetByID):
1948         (JSC::tryCachePutByID):
1949         (JSC::tryRepatchIn):
1950         * jit/ThunkGenerators.cpp:
1951         (JSC::virtualThunkFor):
1952         * runtime/Options.h:
1953         * runtime/PropertyMapHashTable.h:
1954         (JSC::PropertyTable::begin):
1955         (JSC::PropertyTable::find):
1956         (JSC::PropertyTable::get):
1957         * runtime/Structure.h:
1958
1959 2016-04-05  Antoine Quint  <graouts@apple.com>
1960
1961         [WebGL2] Turn the ENABLE_WEBGL2 flag on
1962         https://bugs.webkit.org/show_bug.cgi?id=156061
1963         <rdar://problem/25463193>
1964
1965         Reviewed by Alex Christensen.
1966
1967         * Configurations/FeatureDefines.xcconfig:
1968         * runtime/CommonIdentifiers.h:
1969
1970         Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject. 
1971
1972 2016-04-04  Zan Dobersek  <zdobersek@igalia.com>
1973
1974         Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
1975         https://bugs.webkit.org/show_bug.cgi?id=156161
1976
1977         Reviewed by Yusuke Suzuki.
1978
1979         r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
1980         that handle arguments split into the tag and the payload. The two were split
1981         between the last argument register and the stack on 32-bit ARM EABI systems,
1982         causing incorrect behavior.
1983
1984         Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
1985         stack, removing the issue.
1986
1987         * dfg/DFGSpeculativeJIT.h:
1988         (JSC::DFG::SpeculativeJIT::callOperation):
1989
1990 2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>
1991
1992         Avoid copying ModuleLoaderObject.js to resources bundle
1993         https://bugs.webkit.org/show_bug.cgi?id=156188
1994         <rdar://problem/25534383>
1995
1996         Reviewed by Alexey Proskuryakov.
1997
1998         * JavaScriptCore.xcodeproj/project.pbxproj:
1999
2000 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
2001
2002         Unreviewed, rolling out r199016.
2003         https://bugs.webkit.org/show_bug.cgi?id=156140
2004
2005         "Regressed Octane and Kraken on the perf bots."
2006
2007         Reverted changeset:
2008
2009         CopiedBlock should be 16kB
2010         https://bugs.webkit.org/show_bug.cgi?id=156168
2011         http://trac.webkit.org/changeset/199016
2012
2013 2016-04-04  Benjamin Poulain  <bpoulain@apple.com>
2014
2015         [JSC][x86] Fix an assertion in MacroAssembler::branch8()
2016         https://bugs.webkit.org/show_bug.cgi?id=156181
2017
2018         Reviewed by Geoffrey Garen.
2019
2020         * assembler/MacroAssemblerX86Common.h:
2021         (JSC::MacroAssemblerX86Common::branch8):
2022         The test was wrong because valid negative numbers have ones
2023         in the top bits.
2024
2025         I replaced the assertion to be explicit about the valid range.
2026
2027 2016-04-04  Chris Dumez  <cdumez@apple.com>
2028
2029         Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
2030         https://bugs.webkit.org/show_bug.cgi?id=156136
2031         <rdar://problem/25410767>
2032
2033         Reviewed by Ryosuke Niwa.
2034
2035         Add a few more identifiers for use in the generated bindings.
2036
2037         * runtime/CommonIdentifiers.h:
2038
2039 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
2040
2041         CopiedBlock should be 16kB
2042         https://bugs.webkit.org/show_bug.cgi?id=156168
2043
2044         Reviewed by Mark Lam.
2045
2046         MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
2047         and the largest page size on Apple devices is 16kB -- so this change
2048         should improve sharing and recycling and keep us on the fast path more.
2049
2050         32kB is also super aggro. At 16kB, we support allocations up to 8kB,
2051         which covers 99.3% of allocations on facebook.com. The 32kB block size
2052         only covered an additional 0.2% of allocations.
2053
2054         * heap/CopiedBlock.h:
2055
2056 2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>
2057
2058         REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
2059         https://bugs.webkit.org/show_bug.cgi?id=155745
2060         <rdar://problem/25289456>
2061
2062         Reviewed by Brian Burg.
2063
2064         The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
2065         enum_constant_values array for every framework that has enum values. So, in case of GTK port we have two
2066         implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
2067         using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
2068         is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
2069         the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
2070         can use a specific namespace for the enum conversion methods.
2071
2072         * inspector/agents/InspectorDebuggerAgent.cpp:
2073         (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
2074         * inspector/scripts/codegen/cpp_generator.py:
2075         (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
2076         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2077         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
2078         CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
2079         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
2080         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2081         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
2082         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2083         (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
2084         (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
2085         conversion methods are declared inside the helpers namespace.
2086         (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
2087         using getEnumConstantValue().
2088         (_generate_unchecked_setter_for_member): Ditto.
2089         (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
2090         empty list in case of not emitting any code. The caller will use extend() that has no effect when an empty list
2091         is passed.
2092         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2093         (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
2094         mapping and conversion methods inside the helpers namespace.
2095         (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
2096         can return an empty list in case of not emitting any code.
2097         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
2098         code when there are enum values, and it's generated inside the helpers namespace.
2099         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2100         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2101         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2102         * inspector/scripts/tests/expected/enum-values.json-result:
2103         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2104         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2105         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2106         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2107         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2108         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2109         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2110         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2111         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2112
2113 2016-04-04  Csaba Osztrogonác  <ossy@webkit.org>
2114
2115         Unreviewed ARM buildfix after r198981.
2116
2117         * assembler/MacroAssemblerARM.h:
2118         (JSC::MacroAssemblerARM::roundTowardZeroDouble):
2119
2120 2016-04-03  Saam barati  <sbarati@apple.com>
2121
2122         Implement Annex B.3.3 function hoisting rules for function code
2123         https://bugs.webkit.org/show_bug.cgi?id=155672
2124
2125         Reviewed by Geoffrey Garen.
2126
2127         The spec states that functions declared inside a function
2128         inside a block scope are subject to the rules of Annex B.3.3:
2129         https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics
2130
2131         The rule states that functions declared in such blocks should
2132         be local bindings of the block. If declaring the function's name
2133         as a "var" in the function would not lead to a syntax error (i.e.,
2134         if we don't have a let/const/class variable with the same name)
2135         and if we don't have a parameter with the same name, then we
2136         implicitly also declare the function name as a "var". When evaluating
2137         the block statement we bind the hoisted "var" to be the value
2138         of the local function binding.
2139
2140         There is one more thing we do for web compatibility. We allow
2141         function declarations inside if/else statements that aren't
2142         blocks. For such statements, we transform the code as if the
2143         function were declared inside a block statement. For example:
2144         ``` function foo() { if (cond) function baz() { } }```
2145         is transformed into:
2146         ``` function foo() { if (cond) { function baz() { } } }```
2147
2148         * bytecompiler/BytecodeGenerator.cpp:
2149         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2150         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
2151         * bytecompiler/BytecodeGenerator.h:
2152         * parser/Nodes.cpp:
2153         (JSC::ScopeNode::ScopeNode):
2154         (JSC::ProgramNode::ProgramNode):
2155         (JSC::ModuleProgramNode::ModuleProgramNode):
2156         (JSC::EvalNode::EvalNode):
2157         (JSC::FunctionNode::FunctionNode):
2158         * parser/Nodes.h:
2159         (JSC::ScopeNode::hasCapturedVariables):
2160         (JSC::ScopeNode::captures):
2161         (JSC::ScopeNode::hasSloppyModeHoistedFunction):
2162         (JSC::ScopeNode::varDeclarations):
2163         (JSC::ProgramNode::startColumn):
2164         (JSC::ProgramNode::endColumn):
2165         (JSC::EvalNode::startColumn):
2166         (JSC::EvalNode::endColumn):
2167         (JSC::ModuleProgramNode::startColumn):
2168         (JSC::ModuleProgramNode::endColumn):
2169         * parser/Parser.cpp:
2170         (JSC::Parser<LexerType>::Parser):
2171         (JSC::Parser<LexerType>::parseInner):
2172         (JSC::Parser<LexerType>::didFinishParsing):
2173         (JSC::Parser<LexerType>::parseStatement):
2174         (JSC::Parser<LexerType>::parseIfStatement):
2175         * parser/Parser.h:
2176         (JSC::Scope::declareVariable):
2177         (JSC::Scope::declareFunction):
2178         (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
2179         (JSC::Scope::appendFunction):
2180         (JSC::Scope::declareParameter):
2181         (JSC::Scope::mergeInnerArrowFunctionFeatures):
2182         (JSC::Scope::getSloppyModeHoistedFunctions):
2183         (JSC::Scope::getCapturedVars):
2184         (JSC::ScopeRef::containingScope):
2185         (JSC::ScopeRef::operator==):
2186         (JSC::ScopeRef::operator!=):
2187         (JSC::Parser::declareFunction):
2188         (JSC::Parser::hasDeclaredVariable):
2189         (JSC::Parser::isFunctionMetadataNode):
2190         (JSC::Parser::DepthManager::DepthManager):
2191         (JSC::Parser<LexerType>::parse):
2192         * parser/VariableEnvironment.h:
2193         (JSC::VariableEnvironmentEntry::isImported):
2194         (JSC::VariableEnvironmentEntry::isImportedNamespace):
2195         (JSC::VariableEnvironmentEntry::isFunction):
2196         (JSC::VariableEnvironmentEntry::isParameter):
2197         (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
2198         (JSC::VariableEnvironmentEntry::setIsCaptured):
2199         (JSC::VariableEnvironmentEntry::setIsConst):
2200         (JSC::VariableEnvironmentEntry::setIsImported):
2201         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
2202         (JSC::VariableEnvironmentEntry::setIsFunction):
2203         (JSC::VariableEnvironmentEntry::setIsParameter):
2204         (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
2205         (JSC::VariableEnvironmentEntry::clearIsVar):
2206         * runtime/CodeCache.h:
2207         (JSC::SourceCodeValue::SourceCodeValue):
2208         * runtime/JSScope.cpp:
2209         * runtime/JSScope.h:
2210         * tests/es6.yaml:
2211         * tests/stress/sloppy-mode-function-hoisting.js: Added.
2212         (assert):
2213         (test):
2214         (falsey):
2215         (truthy):
2216         (test.):
2217         (test.a):
2218         (test.f):
2219         (test.let.funcs.f):
2220         (test.catch.f):
2221         (test.foo):
2222         (test.bar):
2223         (test.switch.case.0):
2224         (test.else.f):
2225         (test.b):
2226         (test.c):
2227         (test.d):
2228         (test.e):
2229         (test.g):
2230         (test.h):
2231         (test.i):
2232         (test.j):
2233         (test.k):
2234         (test.l):
2235         (test.m):
2236         (test.n):
2237         (test.o):
2238         (test.p):
2239         (test.q):
2240         (test.r):
2241         (test.s):
2242         (test.t):
2243         (test.u):
2244         (test.v):
2245         (test.w):
2246         (test.x):
2247         (test.y):
2248         (test.z):
2249         (foo):
2250         (bar):
2251         (falsey.bar):
2252         (baz):
2253         (falsey.baz):
2254
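The Annex B.3.3 rules summarized in the entry above can be observed from ordinary JavaScript. The following is an added example, not JavaScriptCore code or part of this ChangeLog; the helper names (runSloppy, hoistedFromBlock, and so on) are invented for illustration. Each snippet is compiled with new Function(), which always produces sloppy-mode function code, so the observations do not depend on whether the surrounding file is strict.

```javascript
// Added example, not JavaScriptCore code: observes the Annex B.3.3 hoisting
// rules from ordinary JavaScript. Each snippet is compiled with new Function(),
// which always yields sloppy-mode function code (the body carries no
// "use strict" directive), so the results hold even when this file itself is
// loaded as a strict-mode module. Helper names are invented for illustration.
function runSloppy(body) {
  return new Function(body)();
}

// Case 1: a function declared in a plain block also gets a "var" binding in
// the enclosing function. That var exists (as undefined) from function entry
// and receives the block-local function once the block statement is evaluated.
function hoistedFromBlock() {
  return runSloppy(`
    var before = typeof f;                       // "undefined": var exists, not yet assigned
    { function f() { return "inner"; } }
    var after = typeof f === "function" ? f() : "no binding";
    return before + "," + after;
  `);
}

// Case 2: "var f" would clash with a let/const/class named f, which would be a
// syntax error, so the function stays local to its block and is not hoisted.
function blockedByLet() {
  return runSloppy(`
    let f = "outer let";
    { function f() { return "inner"; } }
    return f;                                    // still the let binding
  `);
}

// Case 3: a parameter of the same name suppresses the hoisting as well.
function blockedByParameter() {
  return runSloppy(`
    return (function (f) {
      { function f() { return "inner"; } }
      return f;                                  // still the parameter
    })("param");
  `);
}

// Case 4: a declaration directly under if/else without braces is treated as if
// it were wrapped in a block, so it hoists exactly like case 1.
function hoistedFromBracelessIf() {
  return runSloppy(`
    if (true) function g() { return "from if"; }
    return typeof g === "function" ? g() : "no binding";
  `);
}

// Collects the four observations so they can be inspected in one place.
function annexB33Observations() {
  return {
    plainBlock: hoistedFromBlock(),            // "undefined,inner"
    letConflict: blockedByLet(),               // "outer let"
    parameterConflict: blockedByParameter(),   // "param"
    bracelessIf: hoistedFromBracelessIf(),     // "from if"
  };
}
```

Cases 2 and 3 are the two conditions the entry names under which the implicit "var" is not declared; case 4 is the if/else transformation it describes. Any engine implementing the web-compatibility semantics (including JSC after this patch) should produce the same four values.
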
2255 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2256
2257         Unreviewed, turn ES6 for-in loop test success
2258         https://bugs.webkit.org/show_bug.cgi?id=155451
2259
2260         * tests/es6.yaml:
2261
2262 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2263
2264         [JSC] Add truncate operation (rounding to zero)
2265         https://bugs.webkit.org/show_bug.cgi?id=156072
2266
2267         Reviewed by Saam Barati.
2268
2269         Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
2270         In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
2271         ArithTrunc rounds the value towards zero.
2272
2273         And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
2274         This is completely the same as what we do in JSValue::toInteger.
2275
2276         Since DFG recognizes it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
2277         This is useful because almost all the arguments are Int32 in the @toLength -> @toInteger -> @trunc case.
2278         In such cases, we can eliminate trunc() call.
2279
2280         As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
2281         In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.
2282
2283         * assembler/MacroAssemblerARM64.h:
2284         (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
2285         (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
2286         * assembler/MacroAssemblerARMv7.h:
2287         (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
2288         * assembler/MacroAssemblerMIPS.h:
2289         (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
2290         * assembler/MacroAssemblerSH4.h:
2291         (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
2292         * assembler/MacroAssemblerX86Common.h:
2293         (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
2294         (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
2295         * builtins/GlobalObject.js:
2296         (toInteger):
2297         * dfg/DFGAbstractInterpreterInlines.h:
2298         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2299         * dfg/DFGByteCodeParser.cpp:
2300         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2301         * dfg/DFGClobberize.h:
2302         (JSC::DFG::clobberize):
2303         * dfg/DFGDoesGC.cpp:
2304         (JSC::DFG::doesGC):
2305         * dfg/DFGFixupPhase.cpp:
2306         (JSC::DFG::FixupPhase::fixupNode):
2307         * dfg/DFGGraph.h:
2308         (JSC::DFG::Graph::roundShouldSpeculateInt32):
2309         * dfg/DFGNode.h:
2310         (JSC::DFG::Node::arithNodeFlags):
2311         (JSC::DFG::Node::hasHeapPrediction):
2312         (JSC::DFG::Node::hasArithRoundingMode):
2313         * dfg/DFGNodeType.h:
2314         * dfg/DFGPredictionPropagationPhase.cpp:
2315         (JSC::DFG::PredictionPropagationPhase::propagate):
2316         * dfg/DFGSafeToExecute.h:
2317         (JSC::DFG::safeToExecute):
2318         * dfg/DFGSpeculativeJIT.cpp:
2319         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2320         * dfg/DFGSpeculativeJIT.h:
2321         * dfg/DFGSpeculativeJIT32_64.cpp:
2322         (JSC::DFG::SpeculativeJIT::compile):
2323         * dfg/DFGSpeculativeJIT64.cpp:
2324         (JSC::DFG::SpeculativeJIT::compile):
2325         * ftl/FTLCapabilities.cpp:
2326         (JSC::FTL::canCompile):
2327         * ftl/FTLLowerDFGToB3.cpp:
2328         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2329         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
2330         * ftl/FTLOutput.cpp:
2331         (JSC::FTL::Output::doubleTrunc):
2332         * ftl/FTLOutput.h:
2333         * jit/ThunkGenerators.cpp:
2334         (JSC::truncThunkGenerator):
2335         * jit/ThunkGenerators.h:
2336         * runtime/CommonIdentifiers.h:
2337         * runtime/Intrinsic.h:
2338         * runtime/JSGlobalObject.cpp:
2339         (JSC::JSGlobalObject::init):
2340         * runtime/MathObject.cpp:
2341         (JSC::MathObject::finishCreation):
2342         * runtime/MathObject.h:
2343         * runtime/VM.cpp:
2344         (JSC::thunkGeneratorForIntrinsic):
2345         * tests/stress/math-rounding-infinity.js:
2346         (testTrunc):
2347         * tests/stress/math-rounding-nan.js:
2348         (testTrunc):
2349         * tests/stress/math-rounding-negative-zero.js:
2350         (testTrunc):
2351         * tests/stress/math-trunc-arith-rounding-mode.js: Added.
2352         (firstCareAboutZeroSecondDoesNot):
2353         (firstDoNotCareAboutZeroSecondDoes):
2354         (warmup):
2355         (verifyNegativeZeroIsPreserved):
2356         * tests/stress/math-trunc-basics.js: Added.
2357         (mathTruncOnIntegers):
2358         (mathTruncOnDoubles):
2359         (mathTruncOnBooleans):
2360         (uselessMathTrunc):
2361         (mathTruncWithOverflow):
2362         (mathTruncConsumedAsDouble):
2363         (mathTruncDoesNotCareAboutMinusZero):
2364         (mathTruncNoArguments):
2365         (mathTruncTooManyArguments):
2366         (testMathTruncOnConstants):
2367         (mathTruncStructTransition):
2368         (Math.trunc):
2369         * tests/stress/math-trunc-should-be-truncate.js: Added.
2370         (mathTrunc):
2371
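The entry above states that rewriting @toInteger in terms of @trunc is equivalent to the old @abs/@floor/negate/branch formulation and to JSValue::toInteger. The following is an added example, not the JSC builtin or any code from this ChangeLog; it writes both shapes in plain JavaScript (the function names are invented) and checks them against each other on the edge cases the new stress tests are named after: NaN, infinities and negative zero.

```javascript
// Added example, not JavaScriptCore's builtin: two formulations of ToInteger,
// written in plain JavaScript so that their equivalence can be checked on
// realistic inputs. Function names are invented for illustration.

// Old shape: absolute value, floor, negate, branch.
function toIntegerLegacy(value) {
  const number = Number(value);
  if (Number.isNaN(number)) return 0;          // NaN maps to +0
  return number < 0 ? -Math.floor(Math.abs(number)) : Math.floor(number);
}

// New shape: a single truncation toward zero, as JSValue::toInteger does.
function toIntegerTrunc(value) {
  const number = Number(value);
  return Number.isNaN(number) ? 0 : Math.trunc(number);
}

// Constructed sample inputs: sign of zero, infinities, NaN, non-numbers that
// coerce through Number(), and values that are already Int32 (the case the
// DFG can turn into Identity).
const SAMPLE_INPUTS = [
  0, -0, 1, -1, 42, -42, 0.5, -0.5, 1.9, -1.9, 2 ** 31, -(2 ** 31) - 1,
  Infinity, -Infinity, NaN, "12.7", "-0.25", "abc", true, null, undefined, [], "",
];

// Returns every input on which the two formulations differ. Object.is is used
// so that -0 and +0 are told apart; an empty result means they agree.
function disagreements(inputs = SAMPLE_INPUTS) {
  const out = [];
  for (const input of inputs) {
    const legacy = toIntegerLegacy(input);
    const trunc = toIntegerTrunc(input);
    if (!Object.is(legacy, trunc)) out.push({ input, legacy, trunc });
  }
  return out;
}

// Negative zero must survive in both shapes: -0.5 truncates to -0, not +0,
// which is what the arith-rounding-mode stress test guards against.
function preservesNegativeZero() {
  return Object.is(toIntegerTrunc(-0.5), -0) && Object.is(toIntegerLegacy(-0.5), -0);
}
```

The comparison is the whole point: a rewrite of a builtin that feeds @toLength is only safe if it agrees with the previous formulation on every input class, and the sign of zero is the one case a plain === comparison would miss.
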
2372 2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>
2373
2374         [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
2375         https://bugs.webkit.org/show_bug.cgi?id=155545
2376
2377         Reviewed by Saam Barati.
2378
2379         The current patch allows invoking new.target in eval if the eval is executed within a function;
2380         otherwise this leads to a SyntaxError.
2381
2382         * bytecode/EvalCodeCache.h:
2383         (JSC::EvalCodeCache::getSlow):
2384         * bytecode/ExecutableInfo.h:
2385         (JSC::ExecutableInfo::ExecutableInfo):
2386         (JSC::ExecutableInfo::evalContextType):
2387         * bytecode/UnlinkedCodeBlock.cpp:
2388         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2389         * bytecode/UnlinkedCodeBlock.h:
2390         (JSC::UnlinkedCodeBlock::evalContextType):
2391         * bytecode/UnlinkedFunctionExecutable.cpp:
2392         (JSC::generateUnlinkedFunctionCodeBlock):
2393         * debugger/DebuggerCallFrame.cpp:
2394         (JSC::DebuggerCallFrame::evaluate):
2395         * interpreter/Interpreter.cpp:
2396         (JSC::eval):
2397         * parser/Parser.cpp:
2398         (JSC::Parser<LexerType>::Parser):
2399         (JSC::Parser<LexerType>::parseMemberExpression):
2400         * parser/Parser.h:
2401         (JSC::Scope::Scope):
2402         (JSC::Scope::setEvalContextType):
2403         (JSC::Scope::evalContextType):
2404         (JSC::parse):
2405         * runtime/CodeCache.cpp:
2406         (JSC::CodeCache::getGlobalCodeBlock):
2407         (JSC::CodeCache::getProgramCodeBlock):
2408         (JSC::CodeCache::getEvalCodeBlock):
2409         (JSC::CodeCache::getModuleProgramCodeBlock):
2410         * runtime/CodeCache.h:
2411         * runtime/Executable.cpp:
2412         (JSC::ScriptExecutable::ScriptExecutable):
2413         (JSC::EvalExecutable::create):
2414         (JSC::EvalExecutable::EvalExecutable):
2415         (JSC::ProgramExecutable::ProgramExecutable):
2416         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2417         (JSC::FunctionExecutable::FunctionExecutable):
2418         * runtime/Executable.h:
2419         (JSC::ScriptExecutable::evalContextType):
2420         * runtime/JSGlobalObject.cpp:
2421         (JSC::JSGlobalObject::createEvalCodeBlock):
2422         * runtime/JSGlobalObjectFunctions.cpp:
2423         (JSC::globalFuncEval):
2424         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
2425         * tests/stress/new-target.js:
2426
2427 2016-04-02  Commit Queue  <commit-queue@webkit.org>
2428
2429         Unreviewed, rolling out r198976.
2430         https://bugs.webkit.org/show_bug.cgi?id=156140
2431
2432         "Causes js/regress/array-nonarray-polymorhpic-access.html to
2433         crash." (Requested by ddkilzer on #webkit).
2434
2435         Reverted changeset:
2436
2437         "[JSC] Initialize SSA's live values at tail lazily"
2438         https://bugs.webkit.org/show_bug.cgi?id=156126
2439         http://trac.webkit.org/changeset/198976
2440
2441 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2442
2443         [JSC] Initialize SSA's live values at tail lazily
2444         https://bugs.webkit.org/show_bug.cgi?id=156126
2445
2446         Reviewed by Mark Lam.
2447
2448         Setting up the clean state early looks harmless but it is
2449         actually quite expensive.
2450
2451         The problem is AbstractValue is gigantic, you really want
2452         to minimize how much you touch that memory.
2453
2454         By removing the initialization, most blocks only
2455         get 2 or 3 accesses. Once to setup the value, and a few
2456         queries for merging the current block with the successors.
2457
2458         * dfg/DFGInPlaceAbstractState.cpp:
2459         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2460         (JSC::DFG::setLiveValues): Deleted.
2461         (JSC::DFG::InPlaceAbstractState::initialize): Deleted.
2462
2463 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2464
2465         [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
2466         https://bugs.webkit.org/show_bug.cgi?id=156127
2467
2468         Reviewed by Mark Lam.
2469
2470         The profiler runs out of memory on big programs if you dump
2471         the baseline disassembly.
2472
2473         * jit/JIT.cpp:
2474         (JSC::JIT::privateCompile):
2475         * runtime/Options.h:
2476
2477 2016-04-02  Dan Bernstein  <mitz@apple.com>
2478
2479         jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
2480         https://bugs.webkit.org/show_bug.cgi?id=156134
2481         <rdar://problem/25443824>
2482
2483         Reviewed by Mark Lam.
2484
2485         * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
2486           relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
2487           to the directory containing JavaScript.framework, and add
2488           WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.
2489
2490 2016-04-01  Benjamin Poulain  <bpoulain@apple.com>
2491
2492         [JSC][x86] Add the 3 operands form of floating point subtraction
2493         https://bugs.webkit.org/show_bug.cgi?id=156095
2494
2495         Reviewed by Geoffrey Garen.
2496
2497         Same old, same old. Add the AVX form of subsd and subss.
2498
2499         Unfortunately, we cannot benefit from the 3 register form
2500         in B3 yet because the Air script does not support CPU flags yet.
2501         That can be fixed later.
2502
2503         * assembler/MacroAssemblerX86Common.h:
2504         (JSC::MacroAssemblerX86Common::subDouble):
2505         (JSC::MacroAssemblerX86Common::subFloat):
2506         * assembler/X86Assembler.h:
2507         (JSC::X86Assembler::vsubsd_rr):
2508         (JSC::X86Assembler::subsd_mr):
2509         (JSC::X86Assembler::vsubsd_mr):
2510         (JSC::X86Assembler::vsubss_rr):
2511         (JSC::X86Assembler::subss_mr):
2512         (JSC::X86Assembler::vsubss_mr):
2513         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2514         * b3/air/AirOpcode.opcodes:
2515
2516 2016-04-01  Alberto Garcia  <berto@igalia.com>
2517
2518         [JSC] Missing PATH_MAX definition
2519         https://bugs.webkit.org/show_bug.cgi?id=156102
2520
2521         Reviewed by Yusuke Suzuki.
2522
2523         Not all systems define PATH_MAX, so add a fallback value that is
2524         long enough.
2525
2526         * jsc.cpp:
2527
2528 2016-03-31  Benjamin Poulain  <bpoulain@apple.com>
2529
2530         [JSC] CFA's valuesAtHead should be a list, not a map
2531         https://bugs.webkit.org/show_bug.cgi?id=156087
2532
2533         Reviewed by Mark Lam.
2534
2535         One more step toward moving to the Air-style of liveness analysis:
2536
2537         Make DFG's valuesAtHead a list of Node*-AbstractValue.
2538         This patch alone is already a speedup because our many CFAs
2539         spend an unreasonable amount of time updating at block boundaries.
2540
2541         * dfg/DFGBasicBlock.h:
2542         * dfg/DFGCFAPhase.cpp:
2543         (JSC::DFG::CFAPhase::performBlockCFA):
2544         * dfg/DFGGraph.cpp:
2545         (JSC::DFG::Graph::dump):
2546         * dfg/DFGInPlaceAbstractState.cpp:
2547         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2548         (JSC::DFG::setLiveValues):
2549         (JSC::DFG::InPlaceAbstractState::merge):
2550         * dfg/DFGNode.h:
2551         (JSC::DFG::nodeValuePairComparator):
2552         (JSC::DFG::nodeValuePairListDump):
2553
2554 2016-03-31  Saam barati  <sbarati@apple.com>
2555
2556         Revert rewrite const as var workaround
2557         https://bugs.webkit.org/show_bug.cgi?id=155393
2558
2559         Reviewed by Mark Lam.
2560
2561         * parser/Parser.h:
2562         (JSC::Parser::next):
2563         (JSC::Parser::nextExpectIdentifier):
2564         * runtime/VM.h:
2565         (JSC::VM::setShouldRewriteConstAsVar): Deleted.
2566         (JSC::VM::shouldRewriteConstAsVar): Deleted.
2567
2568 2016-03-31  Saam barati  <sbarati@apple.com>
2569
2570         [ES6] Disallow var assignments in for-in loops
2571         https://bugs.webkit.org/show_bug.cgi?id=155451
2572
2573         Reviewed by Mark Lam.
2574
2575         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
2576         because last time we made this change it broke some websites. Let's try making
2577         it again because it's what ES6 mandates. If it still breaks things we will
2578         roll it out.
2579
2580         * parser/Parser.cpp:
2581         (JSC::Parser<LexerType>::parseForStatement):
2582
2583 2016-03-31  Saam barati  <sbarati@apple.com>
2584
2585         parsing arrow function expressions slows down the parser by 8%, let's recoup some loss
2586         https://bugs.webkit.org/show_bug.cgi?id=155988
2587
2588         Reviewed by Benjamin Poulain.
2589
2590         We used to eagerly check if we're parsing an arrow function.
2591         We did this inside parseAssignmentExpression(), and it was
2592         very costly. The reason it was costly is that arrow functions
2593         might start with an identifier. This means anytime we saw an
2594         identifier we would have to do a lookahead, and then most likely
2595         backtrack because more often than not, we wouldn't see "=>"
2596         as the next token.
2597
2598         In this patch I implement a new approach. We just parse
2599         the lhs of an assignment expression eagerly without doing any
2600         lookahead. Retroactively, if we see that we might have started
2601         with an arrow function, and we don't have a valid lhs or the
2602         next token is a "=>", we try to parse as an arrow function.
2603
2604         Here are a few examples motivating why this is valid:
2605
2606         `x => x`
2607         In this example:
2608         - "x" is a valid arrow function starting point.
2609         - "x" also happens to be a valid lhs
2610         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2611
2612         `(x) => x`
2613         In this example:
2614         - "(" is a valid arrow function starting point.
2615         - "(x)" also happens to be a valid lhs
2616         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2617
2618         `({x = 30}) => x;`
2619         In this example:
2620         - "(" is a valid arrow function starting point.
2621         - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.
2622
2623         There is one interesting implementation detail where we might
2624         parse something that is both a valid LHS but happens
2625         to actually be the arrow function parameters. The valid LHS
2626         parsing might declare such variables as "uses" which would cause 
2627         weird capture analysis. This patch also introduces a mechanism
2628         to backtrack on used variable analysis.
2629
2630         This is a 3.5%-4.5% octane code load speedup.
2631
2632         * parser/Lexer.h:
2633         (JSC::Lexer::sawError):
2634         (JSC::Lexer::setSawError):
2635         (JSC::Lexer::getErrorMessage):
2636         (JSC::Lexer::setErrorMessage):
2637         (JSC::Lexer::sourceURL):
2638         (JSC::Lexer::sourceMappingURL):
2639         * parser/Parser.cpp:
2640         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2641         (JSC::Parser<LexerType>::parseAssignmentExpression):
2642         (JSC::Parser<LexerType>::parsePrimaryExpression):
2643         * parser/Parser.h:
2644         (JSC::Scope::Scope):
2645         (JSC::Scope::startSwitch):
2646         (JSC::Scope::declareParameter):
2647         (JSC::Scope::usedVariablesContains):
2648         (JSC::Scope::useVariable):
2649         (JSC::Scope::pushUsedVariableSet):
2650         (JSC::Scope::currentUsedVariablesSize):
2651         (JSC::Scope::revertToPreviousUsedVariables):
2652         (JSC::Scope::setNeedsFullActivation):
2653         (JSC::Scope::needsFullActivation):
2654         (JSC::Scope::isArrowFunctionBoundary):
2655         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2656         (JSC::Scope::collectFreeVariables):
2657         (JSC::Scope::fillParametersForSourceProviderCache):
2658         (JSC::Scope::restoreFromSourceProviderCache):
2659         (JSC::Scope::setIsModule):
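
        The eager-LHS-then-backtrack strategy described in this entry, as an added example in JavaScript that is not JavaScriptCore code: a toy parser handles the entry's three motivating inputs (`x => x`, `(x) => x`, `({x = 30}) => x`) plus plain assignments, and models the used-variable snapshot/revert that keeps arrow parameters from leaking into capture analysis. The `revertUsedVariables` switch, turned off, shows the stray "use" the entry warns about. Every name in the block (tokenize, Parser, parse, revertUsedVariables) is invented for this illustration; the grammar is deliberately tiny (no comma expressions, no numeric literals outside parameter defaults).

```javascript
// Added example, not JavaScriptCore code: a toy parser following the strategy in the
// entry above. Every name (tokenize, Parser, parse, revertUsedVariables) is invented here.
function tokenize(src) {
  const re = /\s*(=>|[A-Za-z_]\w*|\d+|[(){},=])/y;   // sticky: match token by token
  const tokens = []; let consumed = 0;
  for (let m; (m = re.exec(src)) !== null; consumed = re.lastIndex) tokens.push(m[1]);
  if (src.slice(consumed).trim() !== "") throw new SyntaxError("bad token at " + consumed);
  return tokens;
}

class Parser {
  constructor(src, { revertUsedVariables = true } = {}) {
    this.tokens = tokenize(src); this.pos = 0; this.revertUsedVariables = revertUsedVariables;
    // One scope per function; each records declared parameters and identifier uses.
    this.scopes = [{ declared: new Set(), used: [] }];
  }
  get scope() { return this.scopes[this.scopes.length - 1]; }
  peek() { return this.tokens[this.pos]; }
  next() { return this.tokens[this.pos++]; }
  expect(t) { if (this.next() !== t) throw new SyntaxError("expected " + t); }
  isIdentifier(t) { return typeof t === "string" && /^[A-Za-z_]\w*$/.test(t); }
  useVariable(name) { this.scope.used.push(name); }
  parseAssignmentExpression() {
    const mark = this.pos;
    const usedMark = this.scope.used.length;              // currentUsedVariablesSize()
    const mayBeArrow = this.isIdentifier(this.peek()) || this.peek() === "(";
    const lhs = this.tryParsePrimary();                    // eager, no lookahead
    if (mayBeArrow && (lhs === null || this.peek() === "=>")) {
      // Retroactively an arrow function: rewind, drop the speculative uses, reparse as parameters.
      this.pos = mark;
      if (this.revertUsedVariables) this.scope.used.length = usedMark;   // revertToPreviousUsedVariables()
      return this.parseArrowFunction();
    }
    if (lhs === null) throw new SyntaxError("unexpected token " + this.peek());
    if (this.peek() === "=") {
      this.next();
      return { type: "Assign", target: lhs, value: this.parseAssignmentExpression() };
    }
    return lhs;
  }
  // Returns a node, or null for "(x, y)" and "{x = 30}": not (toy) expressions, only parameter patterns.
  tryParsePrimary() {
    const t = this.next();
    if (this.isIdentifier(t)) { this.useVariable(t); return { type: "Identifier", name: t }; }
    if (t === "(") {
      const inner = this.tryParsePrimary();
      if (inner === null || this.peek() === ",") return null;
      this.expect(")");
      return inner;
    }
    if (t === "{") {
      const name = this.next();
      if (!this.isIdentifier(name)) throw new SyntaxError("bad object literal");
      const hasInitializer = this.peek() === "=";
      if (hasInitializer) { this.next(); this.next(); }    // skip "= 30"
      this.expect("}");
      if (hasInitializer) return null;
      this.useVariable(name);                              // shorthand {x} reads x
      return { type: "Object", keys: [name] };
    }
    throw new SyntaxError("unexpected token " + t);
  }
  parseParameter() {
    const isPattern = this.peek() === "{";
    if (isPattern) this.next();
    const name = this.next();
    if (!this.isIdentifier(name)) throw new SyntaxError("bad parameter");
    const param = { name };
    if (this.peek() === "=") { this.next(); param.defaultValue = Number(this.next()); }
    if (isPattern) this.expect("}");
    return param;
  }
  parseArrowFunction() {
    const params = [];
    if (this.peek() === "(") {
      this.next();
      for (let first = true; this.peek() !== ")"; first = false) {
        if (!first) this.expect(",");
        params.push(this.parseParameter());
      }
      this.next();
    } else params.push(this.parseParameter());
    this.expect("=>");
    const inner = { declared: new Set(params.map((p) => p.name)), used: [] };   // params declare, never use
    this.scopes.push(inner);
    const body = this.parseAssignmentExpression();
    this.scopes.pop();
    // collectFreeVariables(): uses the inner scope cannot satisfy flow out to the enclosing scope.
    for (const name of inner.used) if (!inner.declared.has(name)) this.useVariable(name);
    return { type: "Arrow", params, body };
  }
}
function parse(src, options) {
  const parser = new Parser(src, options);
  const ast = parser.parseAssignmentExpression();
  if (parser.pos !== parser.tokens.length) throw new SyntaxError("trailing tokens");
  return { ast, usedVariables: parser.scopes[0].used.slice() };
}
```

        With the revert in place, parse("x => x").usedVariables is empty, because the "x" recorded while speculatively parsing the LHS is discarded and the body's "x" is satisfied by the parameter; with revertUsedVariables set to false the speculative use survives and the outer scope wrongly reports "x" as used.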
2660
2661 2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2662
2663         Fails to build in Linux / PowerPC due to different ucontext_t definition
2664         https://bugs.webkit.org/show_bug.cgi?id=156015
2665
2666         Reviewed by Michael Catanzaro.
2667
2668         PPC does not have mcontext_t in ucontext_t::uc_mcontext.
2669         So we take a special way to retrieve mcontext_t on PPC.
2670
2671         * heap/MachineStackMarker.cpp:
2672         (pthreadSignalHandlerSuspendResume):
2673
2674 2016-03-31  Benjamin Poulain  <benjamin@webkit.org>
2675
2676         [JSC][x86] Add the indexed forms of floating point addition and multiplication
2677         https://bugs.webkit.org/show_bug.cgi?id=156058
2678
2679         Reviewed by Geoffrey Garen.
2680
2681         B3 supports lowering [base, index] addresses into
2682         arbitrary instructions but we were not using that feature.
2683
2684         This patch adds the missing support for the lowering
2685         of Add and Mul.
2686
2687         * assembler/MacroAssemblerX86Common.h:
2688         (JSC::MacroAssemblerX86Common::addDouble):
2689         (JSC::MacroAssemblerX86Common::addFloat):
2690         (JSC::MacroAssemblerX86Common::mulDouble):
2691         (JSC::MacroAssemblerX86Common::mulFloat):
2692         * assembler/X86Assembler.h:
2693         (JSC::X86Assembler::addsd_mr):
2694         (JSC::X86Assembler::vaddsd_mr):
2695         (JSC::X86Assembler::addss_mr):
2696         (JSC::X86Assembler::vaddss_mr):
2697         (JSC::X86Assembler::mulsd_mr):
2698         (JSC::X86Assembler::vmulsd_mr):
2699         (JSC::X86Assembler::mulss_mr):
2700         (JSC::X86Assembler::vmulss_mr):
2701         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2702         * b3/B3LowerToAir.cpp:
2703         (JSC::B3::Air::LowerToAir::appendBinOp):
2704         Unlike the Addr form, we never need to transform a Tmp
2705         into an Index for spilling.
2706
2707         Instead of duplicating all the code in MacroAssembler, I can
2708         just have the lowering phase try using addresses for the first
2709         argument when possible.
2710
2711         * b3/air/AirOpcode.opcodes:
2712         * b3/air/testair.cpp:
2713         (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
2714         (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
2715         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
2716         (JSC::B3::Air::run):
2717
2718 2016-03-31  Saam barati  <sbarati@apple.com>
2719
2720         DFG JIT bug in typeof constant folding where the input to typeof is an object or function
2721         https://bugs.webkit.org/show_bug.cgi?id=156034
2722         <rdar://problem/25446785>
2723
2724         Reviewed by Ryosuke Niwa.
2725
2726         AI would constant fold TypeOf to the string "object" if it saw that
2727         its input type didn't expand past the types contained in the set 
2728         "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
2729         And typeof of a function should return "function". This patch fixes
2730         this bug by making sure we constant fold to object iff the type
2731         doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
2732
2733         * dfg/DFGAbstractInterpreterInlines.h:
2734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2735         * tests/stress/typeof-dfg-function-or-object.js: Added.
2736         (assert):
2737         (foo.else.o):
2738         (foo):
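
        The constant-folding condition this entry corrects, as an added example in JavaScript that is not JavaScriptCore code: a bit-set model of the speculated types (the bit values are invented; only the containment relation, SpecObject including SpecFunction and SpecObjectOther, matters) with the fold predicate before and after the fix, checked against the real typeof of a sample value. All function names are assumptions of this illustration.

```javascript
// Added example, not JavaScriptCore code: invented bit values for a few speculated
// types; SpecObject is their union, as in the entry above.
const Spec = {
  FinalObject: 1 << 0,
  Array:       1 << 1,
  Function:    1 << 2,
  ObjectOther: 1 << 3,   // objects whose typeof is not a plain "object"
  String:      1 << 4,
  Int32:       1 << 5,
};
Spec.Object = Spec.FinalObject | Spec.Array | Spec.Function | Spec.ObjectOther;

// A proven type "does not expand past" a set when every one of its bits is in the set.
function isSubsetOf(type, set) { return (type & ~set) === 0; }

// Before the fix: "SpecObject - SpecObjectOther" still contains SpecFunction,
// so a value proven to be a function is folded to "object".
function foldTypeOfBefore(type) {
  return isSubsetOf(type, Spec.Object & ~Spec.ObjectOther) ? "object" : null;
}

// After the fix: functions are excluded from the set that folds to "object";
// anything outside it is left to the runtime typeof (no fold, null here).
function foldTypeOfAfter(type) {
  return isSubsetOf(type, Spec.Object & ~Spec.ObjectOther & ~Spec.Function) ? "object" : null;
}

// A fold is sound only if it declines (null) or agrees with typeof on a sample value.
function foldIsSound(fold, type, sample) {
  const folded = fold(type);
  return folded === null || folded === typeof sample;
}
```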
2739
2740 2016-03-31  Mark Lam  <mark.lam@apple.com>
2741
2742         Gardening: Build and logic fix after r198873.
2743         https://bugs.webkit.org/show_bug.cgi?id=156043
2744
2745         Not reviewed.
2746
2747         * assembler/MacroAssemblerX86Common.h:
2748         (JSC::MacroAssemblerX86Common::addFloat):
2749         - 2 args were meant to be ordered differently in order to call the other addFloat.
2750           Instead, there was an infinite recursion bug.  This is now fixed.
2751
2752 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2753
2754         [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
2755         https://bugs.webkit.org/show_bug.cgi?id=156043
2756
2757         Reviewed by Geoffrey Garen.
2758
2759         When they are available, VADD and VMUL are better options to lower
2760         floating point addition and multiplication.
2761
2762         In the simple cases when one of the operands is aliased to the destination,
2763         those forms are the same size or 1 byte shorter depending on the registers.
2764
2765         In the more advanced cases, we gain nice advantages with the new forms:
2766         - We can get rid of the MoveDouble in front of the instruction when we cannot
2767           alias.
2768         - We can disable aliasing entirely in Air. That is useful for latency
2769           since computing coalescing is not exactly cheap.
2770
2771         * assembler/MacroAssemblerX86Common.cpp:
2772         * assembler/MacroAssemblerX86Common.h:
2773         (JSC::MacroAssemblerX86Common::and32):
2774         (JSC::MacroAssemblerX86Common::mul32):
2775         (JSC::MacroAssemblerX86Common::or32):
2776         (JSC::MacroAssemblerX86Common::xor32):
2777         (JSC::MacroAssemblerX86Common::branchAdd32):
2778         The change in B3LowerToAir exposed a bug in the fake 3 operands
2779         forms of those instructions. If the address is equal to
2780         the destination, we were nuking the address.
2781
2782         For example,
2783             Add32([%r11], %eax, %r11)
2784         would generate:
2785             move %eax, %r11
2786             add32 [%r11], %r11
2787         which crashes.
2788
2789         I updated codegen of those cases to support that case through
2790             load32 [%r11], %r11
2791             add32 %eax, %r11
2792
2793         The weird case where all arguments have the same registers
2794         is handled too.
2795
2796         (JSC::MacroAssemblerX86Common::addDouble):
2797         (JSC::MacroAssemblerX86Common::addFloat):
2798         (JSC::MacroAssemblerX86Common::mulDouble):
2799         (JSC::MacroAssemblerX86Common::mulFloat):
2800         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2801         (JSC::MacroAssemblerX86Common::supportsAVX):
2802         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
2803         * assembler/MacroAssemblerX86_64.h:
2804         (JSC::MacroAssemblerX86_64::branchAdd64):
2805         * assembler/X86Assembler.h:
2806         (JSC::X86Assembler::vaddsd_rr):
2807         (JSC::X86Assembler::vaddsd_mr):
2808         (JSC::X86Assembler::vaddss_rr):
2809         (JSC::X86Assembler::vaddss_mr):
2810         (JSC::X86Assembler::vmulsd_rr):
2811         (JSC::X86Assembler::vmulsd_mr):
2812         (JSC::X86Assembler::vmulss_rr):
2813         (JSC::X86Assembler::vmulss_mr):
2814         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2815         * b3/B3LowerToAir.cpp:
2816         (JSC::B3::Air::LowerToAir::appendBinOp):
2817         Add the 3 operand forms so that we lower Add and Mul
2818         to the best form directly.
2819
2820         I will change how we lower the fake 3 operands instructions
2821         but the codegen should end up the same in most cases.
2822         The new codegen is the load32 + op above.
2823
2824         * b3/air/AirInstInlines.h:
2825         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2826         * b3/air/testair.cpp:
2827         (JSC::B3::Air::testX86VMULSD):
2828         (JSC::B3::Air::testX86VMULSDDestRex):
2829         (JSC::B3::Air::testX86VMULSDOp1DestRex):
2830         (JSC::B3::Air::testX86VMULSDOp2DestRex):
2831         (JSC::B3::Air::testX86VMULSDOpsDestRex):
2832         (JSC::B3::Air::testX86VMULSDAddr):
2833         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
2834         (JSC::B3::Air::testX86VMULSDDestRexAddr):
2835         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
2836         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
2837         Make sure we have some coverage for AVX encoding of instructions.
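
        The aliasing bug in the fake 3-operand Add32 lowering described in this entry, as an added example in JavaScript that is not WebKit code: a small register/memory model runs the old `move` + `add32` sequence and the corrected `load32` + `add32` sequence over the same constructed state, so the fault when the destination is the address's base register, and the fix, can be observed directly. The operand spelling ("eax" for %eax, "[r11]" for [%r11]), the state layout and every function name are assumptions of this illustration; the corrected ordering follows the entry's own load32 + op description, and in this model the src == dest case (including all three operands being the same register) is covered by a single add32.

```javascript
// Added example, not JavaScriptCore code: a tiny machine model for the Add32 lowering.
// Operands are strings: "eax" is a register, "[r11]" the memory word at the address in r11.
function readOperand(m, operand) {
  if (operand.startsWith("[")) {
    const address = m.regs[operand.slice(1, -1)];
    if (!(address in m.mem)) throw new Error("fault: unmapped address " + address);
    return m.mem[address];
  }
  return m.regs[operand];
}

// Executes [op, source, dest] triples. Every op reads its source before writing
// dest, so "add32 [r11], r11" is well defined.
function run(m, program) {
  for (const [op, source, dest] of program) {
    switch (op) {
      case "move":
      case "load32": m.regs[dest] = readOperand(m, source); break;
      case "add32":  m.regs[dest] = (m.regs[dest] + readOperand(m, source)) >>> 0; break;
      default: throw new Error("unknown op " + op);
    }
  }
  return m;
}

// What Add32(addr, src, dest) must compute: [addr] + src, both read before any write.
function referenceAdd32(regs, mem, addr, src) {
  const m = { regs: { ...regs }, mem: { ...mem } };
  return (readOperand(m, addr) + readOperand(m, src)) >>> 0;
}

// The old sequence from the entry: "move %eax, %r11 ; add32 [%r11], %r11".
// If dest is the address's base register, the move overwrites the pointer
// before the load uses it.
function lowerAdd32Before(addr, src, dest) {
  return [["move", src, dest], ["add32", addr, dest]];
}

// The corrected sequence: when dest aliases the base register, load the memory
// operand first, then add the register. When src already is dest (this also
// covers all three being the same register) a single add32 suffices.
function lowerAdd32After(addr, src, dest) {
  const base = addr.slice(1, -1);
  if (src === dest) return [["add32", addr, dest]];
  if (base === dest) return [["load32", addr, dest], ["add32", src, dest]];
  return [["move", src, dest], ["add32", addr, dest]];
}

// Runs a lowering on a fresh copy of the state and returns the value left in
// dest, or "fault" if the sequence touched an unmapped address.
function evaluate(lower, regs, mem, addr, src, dest) {
  const m = { regs: { ...regs }, mem: { ...mem } };
  try { run(m, lower(addr, src, dest)); return m.regs[dest]; } catch (e) { return "fault"; }
}

// Constructed sample state: r11 points at a word holding 40, eax holds 5.
const SAMPLE_REGS = { r11: 0x1000, eax: 5, ecx: 0 };
const SAMPLE_MEM = { 0x1000: 40 };
```

        With this state, Add32([%r11], %eax, %r11) should leave 45 in r11: the old sequence faults (after the move, r11 holds 5, which is not a mapped address), the corrected one returns 45, and for the all-same-register case Add32([%r11], %r11, %r11) the single add32 matches the reference value 0x1000 + 40.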
2838
2839 2016-03-30  Saam Barati  <sbarati@apple.com>
2840
2841         Change some release asserts in CodeBlock linking into debug asserts
2842         https://bugs.webkit.org/show_bug.cgi?id=155500
2843
2844         Reviewed by Filip Pizlo.
2845
2846         * bytecode/CodeBlock.cpp:
2847         (JSC::CodeBlock::finishCreation):
2848
2849 2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2850
2851         Remove unused ScriptProfiler.Samples.totalTime
2852         https://bugs.webkit.org/show_bug.cgi?id=156002
2853
2854         Reviewed by Saam Barati.
2855
2856         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2857         (Inspector::buildSamples):
2858         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2859         * inspector/protocol/ScriptProfiler.json:
2860         Remove totalTime.
2861
2862         * runtime/SamplingProfiler.cpp:
2863         (JSC::SamplingProfiler::SamplingProfiler): Deleted.
2864         * runtime/SamplingProfiler.h:
2865         (JSC::SamplingProfiler::totalTime): Deleted.
2866         Remove now unused m_totalTime.
2867
2868 2016-03-30  Michael Saboff  <msaboff@apple.com>
2869
2870         [ES6] Quantified unicode regular expressions do not work for counts greater than 1
2871         https://bugs.webkit.org/show_bug.cgi?id=156044
2872
2873         Reviewed by Mark Lam.
2874
2875         Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
2876         was indexing by character units, a single JS character, instead of by code points,
2877         which are 2 JS characters.
2878
2879         * yarr/YarrInterpreter.cpp:
2880         (JSC::Yarr::Interpreter::matchDisjunction):
2881
2882 2016-03-30  Mark Lam  <mark.lam@apple.com>
2883
2884         Make the $vm debugging tools available to builtins as @$vm.
2885         https://bugs.webkit.org/show_bug.cgi?id=156012
2886
2887         Reviewed by Saam Barati.
2888
2889         We also need some debugging tools for builtin development.  The $vm object will
2890         be made available to builtins as @$vm, which gives us, amongst many goodies,
2891         @$vm.print() (which prints the toString() values of its args) and
2892         @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
2893         available if we run with JSC_useDollarVM=true.
2894
2895         Also changed @$vm.print() to not automatically insert a space between the
2896         printing of each of its args.  This makes it clearer as to what will be printed
2897         i.e. it will only print what is passed to it.
2898
2899         * builtins/BuiltinNames.h:
2900         (JSC::BuiltinNames::BuiltinNames):
2901         (JSC::BuiltinNames::dollarVMPublicName):
2902         (JSC::BuiltinNames::dollarVMPrivateName):
2903         * runtime/JSGlobalObject.cpp:
2904         (JSC::JSGlobalObject::init):
2905         * tools/JSDollarVMPrototype.cpp:
2906         (JSC::functionPrint):
2907
2908 2016-03-30  Keith Miller  <keith_miller@apple.com>
2909
2910         Unreviewed, buildfix.
2911
2912         * bytecode/BytecodeIntrinsicRegistry.h:
2913
2914 2016-03-30  Keith Miller <keith_miller@apple.com>
2915
2916         Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.
2917
2918 2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2919
2920         [JSC] Implement String.prototype.repeat in builtins JS
2921         https://bugs.webkit.org/show_bug.cgi?id=155974
2922
2923         Reviewed by Darin Adler.
2924
2925         This patch converts C++ String.prototype.repeat implementation into JS builtins.
2926         |this| in strict mode is correctly inferred as String[1]. This fact encourages us
2927         to write PrimitiveTypes.prototype.XXX methods in builtin JS.
2928
2929         LayoutTests/js/string-repeat.html already covers the tests for this change.
2930
2931         Note: String.prototype.repeat functionality is similar to Harmony's
2932         String.prototype.{padStart, padEnd}. It's nice to port them to builtin JS in
2933         another patch.
2934
2935         The existing C++ code has the fast path for singleCharacterString repeating.
2936         Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
2937         we keep this fast path as @repeatCharacter().
2938
2939         The performance results show that, while the performance of the single character fast path
2940         is neutral, other string repeating has significant speed up.
2941         There are two reasons.
2942
2943         1. Not resolving string rope.
2944
2945         We added several tests postfixed "not-resolving". In those tests, we do not touch the content
2946         of the generated string. As a result, the generated rope is not resolved.
2947
2948         2. O(log N) intermediate JSRopeStrings.
2949
2950         In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
2951         the given string to the builder.
2952         In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
2953         In JS builtin implementation, we only iterate log N times. As a result, the number of the
2954         intermediate rope strings becomes O(log N).
2955
2956         [1]: http://trac.webkit.org/changeset/195938
2957
2958         * builtins/StringPrototype.js:
2959         (repeatSlowPath):
2960         (repeat):
2961         * bytecode/BytecodeIntrinsicRegistry.cpp:
2962         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2963         * bytecode/BytecodeIntrinsicRegistry.h:
2964         * runtime/CommonIdentifiers.h:
2965         * runtime/JSGlobalObject.cpp:
2966         (JSC::JSGlobalObject::init):
2967         * runtime/StringPrototype.cpp:
2968         (JSC::stringProtoFuncRepeatCharacter):
2969         (JSC::StringPrototype::finishCreation): Deleted.
2970         (JSC::stringProtoFuncRepeat): Deleted.
2971         * runtime/StringPrototype.h:
2972         * tests/stress/string-repeat-edge-cases.js: Added.
2973         (shouldBe):
2974         (let.object.toString):
2975         (valueOf):
2976         (shouldThrow):
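
        The two-tier structure this entry describes (a single-character fast path and an O(log N) doubling slow path), as an added example in JavaScript that is not JavaScriptCore's builtin: a self-hosted repeat() with the spec's argument handling (ToIntegerOrInfinity, RangeError for negative or infinite counts, TypeError for a null |this|). The `stats` argument, MAX_LENGTH and the function names are assumptions of this illustration; counting "+=" operations stands in for counting intermediate rope nodes.

```javascript
// Added example, not JavaScriptCore's builtin. MAX_LENGTH is an assumed limit,
// and `stats` is an instrumentation hook invented here to count concatenations.
const MAX_LENGTH = 0x7fffffff;

function toIntegerOrInfinity(value) {
  const n = Number(value);                 // calls valueOf()/toString() on objects
  if (Number.isNaN(n)) return 0;
  return Number.isFinite(n) ? Math.trunc(n) : n;
}

// Fast path for a single code unit: one allocation, no rope at all.
function repeatCharacter(ch, count) {
  return new Array(count + 1).join(ch);
}

// Slow path: square-and-multiply over concatenation. Each "+=" stands for one
// rope node; for count N there are at most 2*ceil(log2(N+1)) of them, not N.
function repeatSlowPath(string, count, stats) {
  let result = "";
  let operand = string;
  while (count > 0) {
    if (count % 2 === 1) { result += operand; stats.concats++; }
    count = Math.floor(count / 2);
    if (count > 0) { operand += operand; stats.concats++; }
  }
  return result;
}

function repeat(thisValue, count, stats = { concats: 0, path: "" }) {
  if (thisValue === undefined || thisValue === null)
    throw new TypeError("String.prototype.repeat requires that |this| not be null or undefined");
  const string = String(thisValue);
  const n = toIntegerOrInfinity(count);
  if (n < 0 || n === Infinity)
    throw new RangeError("String.prototype.repeat argument must be greater than or equal to 0 and not be Infinity");
  if (n === 0 || string.length === 0) return "";
  if (string.length * n > MAX_LENGTH) throw new RangeError("Out of memory");
  if (string.length === 1) { stats.path = "character"; return repeatCharacter(string, n); }
  stats.path = "slow";
  return repeatSlowPath(string, n, stats);
}
```

        For "ab".repeat(1000) the slow path performs 15 concatenations (9 doublings plus one append per set bit of 1000) instead of 999 appends; ' '.repeat(4) takes the character fast path.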
2977
2978 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2979
2980         [JSC] Update udis86
2981         https://bugs.webkit.org/show_bug.cgi?id=156005
2982
2983         Reviewed by Geoffrey Garen.
2984
2985         * CMakeLists.txt:
2986         * DerivedSources.make:
2987         * JavaScriptCore.xcodeproj/project.pbxproj:
2988         * disassembler/udis86/differences.txt:
2989         * disassembler/udis86/itab.py: Removed.
2990         * disassembler/udis86/optable.xml:
2991         * disassembler/udis86/ud_itab.py: Added.
2992         * disassembler/udis86/ud_opcode.py:
2993         * disassembler/udis86/ud_optable.py: Removed.
2994         * disassembler/udis86/udis86.c:
2995         * disassembler/udis86/udis86_decode.c:
2996         * disassembler/udis86/udis86_decode.h:
2997         * disassembler/udis86/udis86_extern.h:
2998         * disassembler/udis86/udis86_input.c: Removed.
2999         * disassembler/udis86/udis86_input.h: Removed.
3000         * disassembler/udis86/udis86_syn-att.c:
3001         * disassembler/udis86/udis86_syn.h:
3002         * disassembler/udis86/udis86_types.h:
3003         * disassembler/udis86/udis86_udint.h:
3004
3005 2016-03-30  Benjamin Poulain  <bpoulain@apple.com>
3006
3007         [JSC] Get rid of operationInitGlobalConst(), it is useless
3008         https://bugs.webkit.org/show_bug.cgi?id=156010
3009
3010         Reviewed by Geoffrey Garen.
3011
3012         * jit/JITOperations.cpp:
3013         * jit/JITOperations.h:
3014
3015 2016-03-29  Saam barati  <sbarati@apple.com>
3016
3017         Fix typos in our error messages and remove some trailing periods
3018         https://bugs.webkit.org/show_bug.cgi?id=155985
3019
3020         Reviewed by Mark Lam.
3021
3022         * bytecompiler/BytecodeGenerator.cpp:
3023         (JSC::BytecodeGenerator::BytecodeGenerator):
3024         * runtime/ArrayConstructor.h:
3025         (JSC::isArray):
3026         * runtime/ProxyConstructor.cpp:
3027         (JSC::makeRevocableProxy):
3028         (JSC::proxyRevocableConstructorThrowError):
3029         (JSC::ProxyConstructor::finishCreation):
3030         (JSC::constructProxyObject):
3031         * runtime/ProxyObject.cpp:
3032         (JSC::ProxyObject::finishCreation):
3033         (JSC::performProxyGet):
3034         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3035         (JSC::ProxyObject::performHasProperty):
3036         (JSC::ProxyObject::performPut):
3037         (JSC::performProxyCall):
3038         (JSC::performProxyConstruct):
3039         (JSC::ProxyObject::performDelete):
3040         (JSC::ProxyObject::performPreventExtensions):
3041         (JSC::ProxyObject::performIsExtensible):
3042         (JSC::ProxyObject::performDefineOwnProperty):
3043         (JSC::ProxyObject::performGetOwnPropertyNames):
3044         (JSC::ProxyObject::performSetPrototype):
3045         (JSC::ProxyObject::performGetPrototype):
3046         * runtime/StringPrototype.cpp:
3047         (JSC::stringProtoFuncStartsWith):
3048         (JSC::stringProtoFuncEndsWith):
3049         (JSC::stringProtoFuncIncludes):
3050         * runtime/Structure.cpp:
3051         (JSC::Structure::preventExtensionsTransition):
3052         * tests/stress/proxy-basic.js:
3053         * tests/stress/proxy-construct.js:
3054         (throw.new.Error):
3055         (assert):
3056         * tests/stress/proxy-define-own-property.js:
3057         (assert):
3058         (throw.new.Error):
3059         (i.catch):
3060         (assert.set get catch):
3061         * tests/stress/proxy-delete.js:
3062         (assert):
3063         * tests/stress/proxy-get-own-property.js:
3064         (assert):
3065         (i.catch):
3066         (set get let):
3067         * tests/stress/proxy-get-prototype-of.js:
3068         (assert):
3069         (assert.get let):
3070         (assert.get catch):
3071         * tests/stress/proxy-has-property.js:
3072         (assert):
3073         * tests/stress/proxy-is-array.js:
3074         (test):
3075         * tests/stress/proxy-is-extensible.js:
3076         (assert):
3077         * tests/stress/proxy-json.js:
3078         (assert):
3079         (test):
3080         * tests/stress/proxy-own-keys.js:
3081         (assert):
3082         (i.catch):
3083         * tests/stress/proxy-prevent-extensions.js:
3084         (assert):
3085         * tests/stress/proxy-property-descriptor.js:
3086         * tests/stress/proxy-revoke.js:
3087         (assert):
3088         (throw.new.Error.):
3089         (throw.new.Error):
3090         (shouldThrowNullHandler):
3091         * tests/stress/proxy-set-prototype-of.js:
3092         (assert.set let):
3093         (assert.set catch):
3094         (assert):
3095         (set catch):
3096         * tests/stress/proxy-set.js:
3097         (throw.new.Error.let.handler.set 45):
3098         (throw.new.Error):
3099         * tests/stress/proxy-with-private-symbols.js:
3100         (assert):
3101         * tests/stress/proxy-with-unbalanced-getter-setter.js:
3102         (assert):
3103         * tests/stress/reflect-set-proxy-set.js:
3104         (throw.new.Error.let.handler.set 45):
3105         (throw.new.Error):
3106         * tests/stress/reflect-set-receiver-proxy-set.js:
3107         (let.handler.set 45):
3108         (catch):
3109         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3110         (test):
3111         (test.get let):
3112
3113 2016-03-29  Keith Miller  <keith_miller@apple.com>
3114
3115         [ES6] Add support for Symbol.isConcatSpreadable.
3116         https://bugs.webkit.org/show_bug.cgi?id=155351
3117
3118         Reviewed by Saam Barati.
3119
3120         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
3121         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
3122         a builtin performant. First, four new DFG intrinsics were added.
3123
3124         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
3125            the Array.isArray function.
3126         2) IsJSArray: checks the first child is a JSArray object.
3127         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
3128         4) CallObjectConstructor: an intrinsic of the Object constructor.
3129
3130         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
3131         we are able to prove that the first child is an Array or for ToObject an Object.
3132
3133         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
3134         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
3135         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
3136         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
3137         into a contiguous array).
3138
3139         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
3140         values onto the result array. This works roughly the same as the two array fast path using the same methodology
3141         to decide if we can memcpy the other butterfly into the result butterfly.
3142
3143         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
3144         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
3145         dataLog function on it.
3146
3147         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
3148         JSValueOperand if the operand's use count is one.
3149
3150         * JavaScriptCore.xcodeproj/project.pbxproj:
3151         * builtins/ArrayPrototype.js:
3152         (concatSlowPath):
3153         (concat):
3154         * bytecode/BytecodeIntrinsicRegistry.cpp:
3155         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3156         * bytecode/BytecodeIntrinsicRegistry.h:
3157         * dfg/DFGAbstractInterpreterInlines.h:
3158         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3159         * dfg/DFGByteCodeParser.cpp:
3160         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3161         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3162         * dfg/DFGClobberize.h:
3163         (JSC::DFG::clobberize):
3164         * dfg/DFGDoesGC.cpp:
3165         (JSC::DFG::doesGC):
3166         * dfg/DFGFixupPhase.cpp:
3167         (JSC::DFG::FixupPhase::fixupNode):
3168         * dfg/DFGNodeType.h:
3169         * dfg/DFGOperations.cpp:
3170         * dfg/DFGOperations.h:
3171         * dfg/DFGPredictionPropagationPhase.cpp:
3172         (JSC::DFG::PredictionPropagationPhase::propagate):
3173         * dfg/DFGSafeToExecute.h:
3174         (JSC::DFG::safeToExecute):
3175         * dfg/DFGSpeculativeJIT.cpp:
3176         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3177         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
3178         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
3179         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
3180         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
3181         * dfg/DFGSpeculativeJIT.h:
3182         (JSC::DFG::SpeculativeJIT::callOperation):
3183         * dfg/DFGSpeculativeJIT32_64.cpp:
3184         (JSC::DFG::SpeculativeJIT::compile):
3185         * dfg/DFGSpeculativeJIT64.cpp:
3186         (JSC::DFG::SpeculativeJIT::compile):
3187         * ftl/FTLCapabilities.cpp:
3188         (JSC::FTL::canCompile):
3189         * ftl/FTLLowerDFGToB3.cpp:
3190         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
3192         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
3193         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
3194         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
3195         (JSC::FTL::DFG::LowerDFGToB3::isArray):
3196         * jit/JITOperations.h:
3197         * jsc.cpp:
3198         (WTF::RuntimeArray::createStructure):
3199         (GlobalObject::finishCreation):
3200         (functionDebug):
3201         (functionDataLogValue):
3202         * runtime/ArrayConstructor.cpp:
3203         (JSC::ArrayConstructor::finishCreation):
3204         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
3205         * runtime/ArrayConstructor.h:
3206         (JSC::isArrayConstructor):
3207         * runtime/ArrayPrototype.cpp:
3208         (JSC::ArrayPrototype::finishCreation):
3209         (JSC::arrayProtoPrivateFuncIsJSArray):
3210         (JSC::moveElements):
3211         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3212         (JSC::arrayProtoPrivateFuncAppendMemcpy):
3213         (JSC::arrayProtoFuncConcat): Deleted.
3214         * runtime/ArrayPrototype.h:
3215         (JSC::ArrayPrototype::createStructure):
3216         * runtime/CommonIdentifiers.h:
3217         * runtime/Intrinsic.h:
3218         * runtime/JSArray.cpp:
3219         (JSC::JSArray::appendMemcpy):
3220         (JSC::JSArray::fastConcatWith): Deleted.
3221         * runtime/JSArray.h:
3222         (JSC::JSArray::createStructure):
3223         (JSC::JSArray::fastConcatType): Deleted.
3224         * runtime/JSArrayInlines.h: Added.
3225         (JSC::JSArray::memCopyWithIndexingType):
3226         (JSC::JSArray::canFastCopy):
3227         * runtime/JSGlobalObject.cpp:
3228         (JSC::JSGlobalObject::init):
3229         * runtime/JSType.h:
3230         * runtime/ObjectConstructor.h:
3231         (JSC::constructObject):
3232         * tests/es6.yaml:
3233         * tests/stress/array-concat-spread-object.js: Added.
3234         (arrayEq):
3235         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
3236         (arrayEq):
3237         * tests/stress/array-concat-spread-proxy.js: Added.
3238         (arrayEq):
3239         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
3240         (arrayEq):
3241         * tests/stress/array-species-config-array-constructor.js:
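
        The Symbol.isConcatSpreadable semantics this entry implements, as an added example in JavaScript that is not JavaScriptCore's builtin: a spec-shaped concat structured the way a self-hosted Array.prototype.concat would be, with IsConcatSpreadable deciding per argument (explicit @@isConcatSpreadable wins, otherwise IsArray, which sees through a Proxy of an array) and holes preserved via HasProperty. The species-constructor step and the memcpy fast paths from the entry are left out; function names are assumptions of this illustration.

```javascript
// Added example, not JavaScriptCore's builtin: a spec-shaped concat honouring
// Symbol.isConcatSpreadable. Species creation and memcpy fast paths are omitted.

// IsConcatSpreadable(O): non-objects are never spread; an explicit
// @@isConcatSpreadable wins; otherwise fall back to IsArray.
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) return false;
  const spreadable = value[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(value);
}

// ToLength: clamp to [0, 2^53 - 1], NaN becomes 0.
function toLength(value) {
  const n = Math.trunc(Number(value));
  return Number.isNaN(n) || n <= 0 ? 0 : Math.min(n, Number.MAX_SAFE_INTEGER);
}

function concat(thisValue, ...items) {
  if (thisValue === undefined || thisValue === null)
    throw new TypeError("Array.prototype.concat requires that |this| not be null or undefined");
  const result = [];
  let n = 0;
  for (const item of [Object(thisValue), ...items]) {
    if (isConcatSpreadable(item)) {
      const length = toLength(item.length);
      if (n + length > Number.MAX_SAFE_INTEGER) throw new TypeError("Length exceeded the maximum array length");
      for (let k = 0; k < length; k++, n++) {
        if (k in item) result[n] = item[k];   // HasProperty: holes stay holes
      }
    } else {
      result[n++] = item;                      // non-spreadable values are appended whole
    }
  }
  result.length = n;
  return result;
}
```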
3242
3243 2016-03-29  Saam barati  <sbarati@apple.com>
3244
3245         We don't properly optimize TDZ checks when we declare a let variable without an initializer
3246         https://bugs.webkit.org/show_bug.cgi?id=150453
3247
3248         Reviewed by Mark Lam.
3249
3250         * bytecompiler/NodesCodegen.cpp:
3251         (JSC::EmptyLetExpression::emitBytecode):
3252
3253 2016-03-29  Saam barati  <sbarati@apple.com>
3254
3255         Allow builtin JS functions to be intrinsics
3256         https://bugs.webkit.org/show_bug.cgi?id=155960
3257
3258         Reviewed by Mark Lam.
3259
3260         Builtin functions can now be recognized as intrinsics inside
3261         the DFG. This gives us the flexibility to either lower a builtin
3262         as an intrinsic in the DFG or as a normal function call.
3263         Because we may decide to not lower it as an intrinsic, the DFG
3264         inliner could still inline the function call.
3265
3266         You can annotate a builtin function like so to make
3267         it be recognized as an intrinsic.
3268         ```
3269         [intrinsic=FooIntrinsic] function foo() { ... }
3270         ```
3271         where FooIntrinsic is an enum value of the Intrinsic enum.
3272
3273         So in the future if we write RegExp.prototype.test as a builtin, we would do:
3274         ``` RegExpPrototype.js
3275         [intrinsic=RegExpTestIntrinsic] function test() { ... }
3276         ```
3277
3278         * Scripts/builtins/builtins_generate_combined_implementation.py:
3279         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3280         * Scripts/builtins/builtins_generate_separate_implementation.py:
3281         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3282         * Scripts/builtins/builtins_generator.py:
3283         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
3284         * Scripts/builtins/builtins_model.py:
3285         (BuiltinObject.__init__):
3286         (BuiltinFunction):
3287         (BuiltinFunction.__init__):
3288         (BuiltinFunction.fromString):
3289         (BuiltinFunction.__str__):
3290         * Scripts/builtins/builtins_templates.py:
3291         * bytecode/UnlinkedFunctionExecutable.cpp:
3292         (JSC::UnlinkedFunctionExecutable::visitChildren):
3293         (JSC::UnlinkedFunctionExecutable::link):
3294         * bytecode/UnlinkedFunctionExecutable.h:
3295         * dfg/DFGByteCodeParser.cpp:
3296         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3297         * runtime/Executable.cpp:
3298         (JSC::ExecutableBase::clearCode):
3299         (JSC::NativeExecutable::destroy):
3300         (JSC::ScriptExecutable::ScriptExecutable):
3301         (JSC::EvalExecutable::create):
3302         (JSC::EvalExecutable::EvalExecutable):
3303         (JSC::ProgramExecutable::ProgramExecutable):
3304         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3305         (JSC::FunctionExecutable::FunctionExecutable):
3306         (JSC::ExecutableBase::intrinsic): Deleted.
3307         (JSC::NativeExecutable::intrinsic): Deleted.
3308         * runtime/Executable.h:
3309         (JSC::ExecutableBase::ExecutableBase):
3310         (JSC::ExecutableBase::hasJITCodeFor):
3311         (JSC::ExecutableBase::intrinsic):
3312         (JSC::ExecutableBase::intrinsicFor):
3313         (JSC::ScriptExecutable::finishCreation):
3314         * runtime/Intrinsic.h:
3315
3316 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3317
3318         JSC::Debugger cleanup after recent changes
3319         https://bugs.webkit.org/show_bug.cgi?id=155982
3320
3321         Reviewed by Mark Lam.
3322
3323         * debugger/Debugger.cpp:
3324         (JSC::Debugger::Debugger):
3325         Initialize with breakpoints disabled. Web Inspector always informs
3326         the backend if it should enable or disable breakpoints on startup.
3327
3328         (JSC::Debugger::setProfilingClient):
3329         When using the Sampling profiler we do not need to recompile.
3330
3331 2016-03-29  Saam barati  <sbarati@apple.com>
3332
3333         "Can not" => "cannot" in String.prototype error messages
3334         https://bugs.webkit.org/show_bug.cgi?id=155895
3335
3336         Reviewed by Mark Lam.
3337
3338         * runtime/StringPrototype.cpp:
3339         (JSC::stringProtoFuncStartsWith):
3340         (JSC::stringProtoFuncEndsWith):
3341         (JSC::stringProtoFuncIncludes):
3342         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3343         (test):
3344         (test.get let):
3345
3346 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3347
3348         Web Inspector: We should have a way to capture heap snapshots programmatically.
3349         https://bugs.webkit.org/show_bug.cgi?id=154407
3350         <rdar://problem/24726292>
3351
3352         Reviewed by Timothy Hatcher.
3353
3354         * inspector/protocol/Console.json:
3355         Add a new Console.heapSnapshot event for when a heap snapshot is taken.
3356
3357         * runtime/ConsolePrototype.cpp:
3358         (JSC::ConsolePrototype::finishCreation):
3359         (JSC::consoleProtoFuncProfile):
3360         (JSC::consoleProtoFuncProfileEnd):
3361         (JSC::consoleProtoFuncTakeHeapSnapshot):
3362         * runtime/ConsoleClient.h:
3363         Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.
3364
3365         * inspector/JSGlobalObjectConsoleClient.cpp:
3366         (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
3367         * inspector/JSGlobalObjectConsoleClient.h:
3368         Have the InspectorConsoleAgent handle this.
3369
3370         * inspector/JSGlobalObjectInspectorController.cpp:
3371         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3372         * inspector/agents/InspectorConsoleAgent.cpp:
3373         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3374         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
3375         * inspector/agents/InspectorConsoleAgent.h:
3376         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
3377         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
3378         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3379         Give the ConsoleAgent a HeapAgent pointer so that it can have the HeapAgent
3380         perform the snapshot building work like it normally does.
3381
3382 2016-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3383
3384         REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte
3385         https://bugs.webkit.org/show_bug.cgi?id=155559
3386
3387         Reviewed by Saam Barati.
3388
3389         The fast path of the eval function is the super hot path in date-format-tofte.
3390         Any performance regression is not allowed here.
3391         Before this patch, we allocated SourceCode in the fast path.
3392         This allocation incurs 10% performance regression.
3393
3394         This patch removes this allocation in the fast path.
3395         And changes the key of the EvalCodeCache to EvalCodeCache::CacheKey.
3396         It combines RefPtr<StringImpl> and isArrowFunctionContext.
3397         Since EvalCodeCache does not cache any eval code evaluated under the strict mode,
3398         it is unnecessary to include several options (ThisTDZMode, and DerivedContextType) in the cache map's key.
3399         But isArrowFunctionContext is necessary since the sloppy mode arrow function exists.
3400
3401         To validate this change, we add a new test that evaluates the same code
3402         under the non-arrow function context and the arrow function context.
3403
3404         After introducing CacheKey, we observed 1% regression compared to the RefPtr<StringImpl> keyed case.
3405         This is because HashMap<RefPtr<T>, ...>::get(T*) is specially optimized; this path is inlined while the normal ::get() is not inlined.
3406         To avoid this performance regression, we introduce HashMap::fastGet, that aggressively encourages inlining.
3407         The relationship between fastGet() and get() is similar to fastAdd() and add().
3408         After applying this change, the evaluation shows no performance regression in comparison with the RefPtr<StringImpl> keyed case.
3409
3410         * bytecode/EvalCodeCache.h:
3411         (JSC::EvalCodeCache::CacheKey::CacheKey):
3412         (JSC::EvalCodeCache::CacheKey::hash):
3413         (JSC::EvalCodeCache::CacheKey::isEmptyValue):
3414         (JSC::EvalCodeCache::CacheKey::operator==):
3415         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue):
3416         (JSC::EvalCodeCache::CacheKey::Hash::hash):
3417         (JSC::EvalCodeCache::CacheKey::Hash::equal):
3418         (JSC::EvalCodeCache::tryGet):
3419         (JSC::EvalCodeCache::getSlow):
3420         (JSC::EvalCodeCache::isCacheable):
3421         * interpreter/Interpreter.cpp:
3422         (JSC::eval):
3423         * tests/stress/eval-in-arrow-function.js: Added.
3424         (shouldBe):
3425         (i):
3426
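The CacheKey described in the entry above, written out as an added example (this is not JSC's EvalCodeCache code): std::unordered_map and std::shared_ptr stand in for WTF::HashMap and RefPtr<StringImpl>, and CompiledEval stands in for the cached code block. It shows why isArrowFunctionContext has to be part of the key: the same source text evaluated inside a sloppy-mode arrow function and outside one must not share a cache entry, and the fast path must be able to look it up without allocating.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>

// Stand-in for the compiled eval code (JSC caches an UnlinkedEvalCodeBlock).
struct CompiledEval {
    std::string source;
    bool compiledInArrowFunctionContext;
};

// Key combining the source text and the arrow-function-context flag.
// std::shared_ptr stands in for RefPtr<StringImpl>: copying it bumps a
// refcount but allocates nothing, so the fast path stays allocation-free.
struct CacheKey {
    std::shared_ptr<const std::string> source;
    bool isArrowFunctionContext;

    bool operator==(const CacheKey& other) const
    {
        return *source == *other.source
            && isArrowFunctionContext == other.isArrowFunctionContext;
    }
};

struct CacheKeyHash {
    std::size_t operator()(const CacheKey& key) const
    {
        // Fold the flag into the string hash so the two contexts do not collide.
        std::size_t h = std::hash<std::string>()(*key.source);
        return h ^ (key.isArrowFunctionContext ? std::size_t(0x9e3779b9) : 0);
    }
};

class EvalCodeCache {
public:
    // Fast path: lookup only, no compilation and no heap allocation.
    CompiledEval* tryGet(const std::shared_ptr<const std::string>& source, bool isArrowFunctionContext)
    {
        auto it = m_cache.find(CacheKey { source, isArrowFunctionContext });
        return it == m_cache.end() ? nullptr : it->second.get();
    }

    // Slow path: "compile" and remember the result under the full key.
    CompiledEval* getSlow(const std::shared_ptr<const std::string>& source, bool isArrowFunctionContext)
    {
        ++m_compileCount;
        auto compiled = std::make_unique<CompiledEval>(CompiledEval { *source, isArrowFunctionContext });
        CompiledEval* result = compiled.get();
        m_cache.emplace(CacheKey { source, isArrowFunctionContext }, std::move(compiled));
        return result;
    }

    CompiledEval* get(const std::shared_ptr<const std::string>& source, bool isArrowFunctionContext)
    {
        if (CompiledEval* hit = tryGet(source, isArrowFunctionContext))
            return hit;
        return getSlow(source, isArrowFunctionContext);
    }

    unsigned compileCount() const { return m_compileCount; }

private:
    std::unordered_map<CacheKey, std::unique_ptr<CompiledEval>, CacheKeyHash> m_cache;
    unsigned m_compileCount { 0 };
};

// Evaluates the same text in both contexts, twice each, and returns the number
// of compilations: 2 (one per context), not 1 (contexts wrongly shared) and
// not 4 (no caching at all).
unsigned demonstrateContextSensitiveCaching()
{
    EvalCodeCache cache;
    auto source = std::make_shared<const std::string>("this"); // constructed sample source
    for (int round = 0; round < 2; ++round) {
        cache.get(source, /* isArrowFunctionContext */ false);
        cache.get(source, /* isArrowFunctionContext */ true);
    }
    return cache.compileCount();
}

int main()
{
    return demonstrateContextSensitiveCaching() == 2 ? 0 : 1;
}
```

The entry's 1% regression came from the lookup no longer matching HashMap's pointer-keyed `get(T*)` fast path; in this stand-in the equivalent cost is the CacheKey temporary built for `find`, which copies a shared_ptr and nothing else.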
3427 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
3428
3429         Audit WebCore builtins for user overridable code
3430         https://bugs.webkit.org/show_bug.cgi?id=155923
3431
3432         Reviewed by Youenn Fablet.
3433
3434         * runtime/CommonIdentifiers.h:
3435         * runtime/ObjectConstructor.cpp:
3436         (JSC::ObjectConstructor::finishCreation):
3437         Expose @Object.@defineProperty to built-ins.
3438
3439 2016-03-28  Benjamin Poulain  <bpoulain@apple.com>
3440
3441         [JSC] ArithSub should not propagate "UsesAsOther"
3442         https://bugs.webkit.org/show_bug.cgi?id=155932
3443
3444         Reviewed by Mark Lam.
3445
3446         The node ArithSub was backpropagating UsesAsOther.
3447         This causes any GetByVal on a Double Array to have an extra
3448         hole check if it flows into an ArithSub.
3449
3450         The definition of ArithSub (12.8.4.1) has both operands go
3451         through ToNumber(). ToNumber() on "undefined" always produces
3452         NaN. It is safe to ignore the NaN marker from hole when
3453         the DAG flows into ArithSub.
3454
3455         This patch also adds this change and test coverage to ArithAdd.
3456         ArithAdd was not a problem in practice because it is only
3457         generated before Fixup if both operands are known to be numerical.
3458         The change to ArithAdd is there to protect us from the ArithSub-like
3459         problems if we ever improve our support of arithmetic operators.
3460
3461         * dfg/DFGBackwardsPropagationPhase.cpp:
3462         (JSC::DFG::BackwardsPropagationPhase::propagate):
3463         * tests/stress/arith-add-on-double-array-with-holes.js: Added.
3464         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
3465         (let.testCase.of.testCases.observableHoleOnLhs):
3466         (let.testCase.of.testCases.nonObservableHoleOnRhs):
3467         (let.testCase.of.testCases.observableHoleOnRhs):
3468         * tests/stress/arith-sub-on-double-array-with-holes.js: Added.
3469         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
3470         (let.testCase.of.testCases.observableHoleOnLhs):
3471         (let.testCase.of.testCases.nonObservableHoleOnRhs):
3472         (let.testCase.of.testCases.observableHoleOnRhs):
3473         * tests/stress/value-add-on-double-array-with-holes.js: Added.
3474         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
3475         (let.testCase.of.testCases.observableHoleOnLhs):
3476         (let.testCase.of.testCases.nonObservableHoleOnRhs):
3477         (let.testCase.of.testCases.observableHoleOnRhs):
3478
3479 2016-03-28  Brian Burg  <bburg@apple.com>
3480
3481         Web Inspector: protocol generator should generate C++ string-to-enum helper functions
3482         https://bugs.webkit.org/show_bug.cgi?id=155691
3483         <rdar://problem/25258078>
3484
3485         Reviewed by Timothy Hatcher.
3486
3487         There's a lot of code throughout the Inspector agents and automation code
3488         that needs to convert a raw string into a typed protocol enum. Generate
3489         some helpers that do this conversion so clients can move over to using it.
3490
3491         These helpers are necessary for when we eventually switch to calling backend
3492         dispatcher handlers with typed arguments instead of untyped JSON objects.
3493
3494         To correctly generate a conversion function for an anonymous enum, the
3495         generator needs to be able to get the containing object type's declaration.
3496         Since the model's Type objects each have only one instance, there is a
3497         one-to-one association between type and its declaration.
3498
3499         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3500         (CppProtocolTypesHeaderGenerator.generate_output):
3501         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
3502         Clean up this method to use methodcaller to sort types by raw name.
3503
3504         (_generate_declarations_for_enum_conversion_methods):
3505         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
3506         (_generate_declarations_for_enum_conversion_methods.type_member_is_anonymous_enum_type):
3507         Added. Generates a new section with an unfilled template and specializations of
3508         the template for every named and anonymous enum in every domain. Guards for
3509         domains wrap the forward declarations. This is added to the end of the header
3510         file so that specializations for both types of enums are in the same place.
3511
3512         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3513         (CppProtocolTypesImplementationGenerator.generate_output):
3514         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
3515         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.type_member_is_anonymous_enum_type):
3516         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
3517         Added. Generate a static array of offsets into the enum constant value array.
3518         Then, loop over this array of offsets and do string comparisons against the
3519         provided string and enum constant values at the relevant offsets for this enum.
3520
3521         * inspector/scripts/codegen/generator_templates.py:
3522         (GeneratorTemplates): Update copyright year in generated files.
3523
3524         * inspector/scripts/codegen/models.py:
3525         (AliasedType.__init__):
3526         (EnumType.__init__):
3527         (EnumType.enum_values):
3528         (EnumType.declaration):
3529         (ArrayType.__init__):
3530         (ArrayType.declaration):
3531         (ObjectType.__init__):
3532         (ObjectType.declaration):
3533         (Protocol.resolve_types):
3534         (Protocol.lookup_type_reference):
3535         Pass the type declaration to Type constructors if available. If not,
3536         fill in a placeholder name for the type in the constructor instead of the caller.
3537
3538         Rebaseline all the things, mostly for copyright block changes.
3539
3540         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3541         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3542         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3543         * inspector/scripts/tests/expected/enum-values.json-result:
3544         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3545         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3546         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3547         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3548         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3549         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3550         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3551         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3552         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3553
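What the generated string-to-enum helpers look like once emitted, as an added example that is neither the generator's output nor JSC code: Protocol::Sample::State and Mode, the enum_constant_values table, lookupOffsets and handleSetState are constructed here, and the helpers use a bool plus out-parameter where the real generated code returns Optional<T>. The shape is the one the entry describes: one shared array of constant strings, a static offset array per enum, and a loop of string comparisons. For a backend dispatcher the important property is that a string naming no constant is rejected rather than mapped to a default.

```cpp
#include <cstddef>
#include <string>

// Constructed protocol enums standing in for generated Inspector ones.
namespace Protocol {
namespace Sample {
enum class State { Idle, Running, Paused };
enum class Mode { On, Off };
} // namespace Sample
} // namespace Protocol

// One table of every enum constant string across all enums (the generator's
// "enum constant value array"). Each enum reaches its own constants through
// a static array of offsets into this table.
static const char* const enum_constant_values[] = {
    "idle", "running", "paused", // Sample.State
    "on", "off",                 // Sample.Mode
};

// Shared loop body: compare the incoming string against the constants at the
// given offsets; on a match, index is the enum's declaration-order position.
static bool lookupOffsets(const size_t* offsets, size_t count, const std::string& protocolString, size_t& index)
{
    for (size_t i = 0; i < count; ++i) {
        if (protocolString == enum_constant_values[offsets[i]]) {
            index = i;
            return true;
        }
    }
    return false;
}

// Unfilled primary template; only the per-enum specializations are usable.
template<typename T>
bool parseEnumValueFromString(const std::string& protocolString, T& result);

template<>
bool parseEnumValueFromString<Protocol::Sample::State>(const std::string& protocolString, Protocol::Sample::State& result)
{
    static const size_t constantValues[] = { 0, 1, 2 }; // offsets of State's constants
    size_t index = 0;
    if (!lookupOffsets(constantValues, sizeof(constantValues) / sizeof(constantValues[0]), protocolString, index))
        return false;
    result = static_cast<Protocol::Sample::State>(index);
    return true;
}

template<>
bool parseEnumValueFromString<Protocol::Sample::Mode>(const std::string& protocolString, Protocol::Sample::Mode& result)
{
    static const size_t constantValues[] = { 3, 4 }; // offsets of Mode's constants
    size_t index = 0;
    if (!lookupOffsets(constantValues, sizeof(constantValues) / sizeof(constantValues[0]), protocolString, index))
        return false;
    result = static_cast<Protocol::Sample::Mode>(index);
    return true;
}

// Dispatcher-side use (constructed): a command parameter that arrives as an
// untyped string is converted before any handler sees it, and an unknown
// value is answered with a protocol error instead of a silently chosen default.
std::string handleSetState(const std::string& rawState)
{
    Protocol::Sample::State state = Protocol::Sample::State::Idle;
    if (!parseEnumValueFromString<Protocol::Sample::State>(rawState, state))
        return "error: unknown State value '" + rawState + "'";
    switch (state) {
    case Protocol::Sample::State::Idle:
        return "ok: idle";
    case Protocol::Sample::State::Running:
        return "ok: running";
    case Protocol::Sample::State::Paused:
        return "ok: paused";
    }
    return "error: unhandled State";
}
```

Matching is exact and case-sensitive, so "Running" is rejected, and a constant that belongs to another enum ("on") is rejected for State even though it sits in the same shared table.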
3554 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3555
3556         Misc. JavaScriptCore built-ins cleanups
3557         https://bugs.webkit.org/show_bug.cgi?id=155920
3558
3559         Reviewed by Mark Lam.
3560
3561         * builtins/RegExpPrototype.js:
3562         (match):
3563         No need for an else after an if that always returns.
3564
3565         * builtins/TypedArrayConstructor.js:
3566         (of):
3567         Fix error message to use the correct function name.
3568
3569         (allocateInt8Array):
3570         (allocateInt16Array):
3571         (allocateInt32Array):
3572         (allocateUint32Array):
3573         (allocateUint16Array):
3574         (allocateUint8Array):
3575         (allocateUint8ClampedArray):
3576         (allocateFloat32Array):
3577         (allocateFloat64Array):
3578         Clean up style to be like all the other code.
3579
3580         * tests/stress/typedarray-of.js:
3581         Test the exception message.
3582
3583 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3584
3585         Date.prototype.toLocaleDateString uses overridable Object.create
3586         https://bugs.webkit.org/show_bug.cgi?id=155917
3587
3588         Reviewed by Mark Lam.
3589
3590         * builtins/DatePrototype.js:
3591         (toLocaleString.toDateTimeOptionsAnyAll):
3592         (toLocaleDateString.toDateTimeOptionsDateDate):
3593         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3594         Switch from @Object.create to @Object.@create to guarantee we are
3595         using the built-in create method and not user defined code.
3596
3597         * runtime/CommonIdentifiers.h:
3598         * runtime/ObjectConstructor.cpp:
3599         (JSC::ObjectConstructor::finishCreation):
3600         Set up the @create private symbol.
3601
3602 2016-03-25  Benjamin Poulain  <bpoulain@apple.com>
3603
3604         [JSC] Put the x86 Assembler on a binary diet
3605         https://bugs.webkit.org/show_bug.cgi?id=155683
3606
3607         Reviewed by Darin Adler.
3608
3609         The MacroAssemblers are heavily inlined. This is unfortunately
3610         important for baseline JIT where many branches can be eliminated
3611         at compile time.
3612
3613         This inlining causes a lot of binary bloat. The phases
3614         lowering to ASM are massively large.
3615
3616         This patch improves the situation a bit for x86 through
3617         many small improvements:
3618
3619         -Every instruction starts with ensureSpace(). The slow
3620          path reallocs the buffer.
3621          From that slow path, only fastRealloc() was a function
3622          call. What is around does not need to be fast, so I moved
3623          the whole grow() function out of line for those cases.
3624
3625         -When testing multiple registers for REX requirements,
3626          we had something like this:
3627              byteRegRequiresRex(reg) || byteRegRequiresRex(rm)
3628              regRequiresRex(index) || regRequiresRex(base)
3629          Those were producing multiple test-and-branch. Those branches
3630          are effectively random so we don't have to care about individual
3631          branches being predictable.
3632
3633          The new code effectively does:
3634              byteRegRequiresRex(reg | rm)
3635              regRequiresRex(index | base)
3636
3637         -Change "ModRmMode" to have the value we can OR directly
3638          to the generated ModRm.
3639          This is important because some ModRM code is so large
3640          that it goes out of line.
3641
3642         -Finally, a big change on how we write to the AssemblerBuffer.
3643
3644          Previously, instructions were written byte by byte into
3645          the assembler buffer of the MacroAssembler.
3646
3647          The problem with that is the compiler cannot prove that
3648          the buffer pointer and the AssemblerBuffer are not pointing
3649          to the same memory.
3650
3651          Because of that, before any write, all the local registers
3652          were pushed back to the AssemblerBuffer memory, then everything
3653          was read back after the write to compute the next write.
3654
3655          I attempted to use the "restrict" keyword and wrapper types
3656          to help Clang with that but nothing worked.
3657
3658          The current solution is to keep a local copy of the index
3659          and the buffer pointer in the scope of each instruction.
3660          That is done by AssemblerBuffer::LocalWriter.
3661
3662          Since LocalWriter only exists locally, it stays in
3663          register and we don't have all the memory churn between
3664          each byte writing. This also allows clang to combine
3665          obvious cases since there are no longer observable side
3666          effects between bytes.
3667
3668         This patch reduces the binary size by 66k. It is a small
3669         speed-up on Sunspider.
3670
3671         * assembler/AssemblerBuffer.h:
3672         (JSC::AssemblerBuffer::ensureSpace):
3673         (JSC::AssemblerBuffer::LocalWriter::LocalWriter):
3674         (JSC::AssemblerBuffer::LocalWriter::~LocalWriter):
3675         (JSC::AssemblerBuffer::LocalWriter::putByteUnchecked):
3676         (JSC::AssemblerBuffer::LocalWriter::putShortUnchecked):
3677         (JSC::AssemblerBuffer::LocalWriter::putIntUnchecked):
3678         (JSC::AssemblerBuffer::LocalWriter::putInt64Unchecked):
3679         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
3680         (JSC::AssemblerBuffer::putIntegral):
3681         (JSC::AssemblerBuffer::outOfLineGrow):
3682         * assembler/MacroAssemblerX86Common.h:
3683         * assembler/X86Assembler.h:
3684         (JSC::X86Assembler::X86InstructionFormatter::byteRegRequiresRex):
3685         (JSC::X86Assembler::X86InstructionFormatter::regRequiresRex):
3686         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::LocalBufferWriter):
3687         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRex):
3688         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexW):
3689         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIf):
3690         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIfNeeded):
3691         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRm):
3692         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRmSib):
3693         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::registerModRM):
3694         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::memoryModRM):
3695         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp): Deleted.
3696         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp32): Deleted.
3697         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8): Deleted.
3698         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp): Deleted.
3699         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp): Deleted.
3700         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64): Deleted.
3701         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp32): Deleted.
3702         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8): Deleted.
3703         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64): Deleted.
3704         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8): Deleted.
3705         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp8): Deleted.
3706         (JSC::X86Assembler::X86InstructionFormatter::emitRex): Deleted.
3707         (JSC::X86Assembler::X86InstructionFormatter::emitRexW): Deleted.
3708         (JSC::X86Assembler::X86InstructionFormatter::emitRexIf): Deleted.
3709         (JSC::X86Assembler::X86InstructionFormatter::emitRexIfNeeded): Deleted.
3710         (JSC::X86Assembler::X86InstructionFormatter::putModRm): Deleted.
3711         (JSC::X86Assembler::X86InstructionFormatter::putModRmSib): Deleted.
3712         (JSC::X86Assembler::X86InstructionFormatter::registerModRM): Deleted.
3713         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): Deleted.
3714
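The REX test folding from the entry above together with the check that justifies it, as an added example (not the assembler's code; the RegisterID values and the function names are constructed to mirror the description). Both predicates have the form "some bit at or above position k is set" (k = 3 for the r8..r15 registers, k = 2 for the byte registers that need REX), and that is exactly the property a bitwise OR preserves, so `regRequiresRex(index | base)` answers the same question as `regRequiresRex(index) || regRequiresRex(base)` with a single test. The last function shows that the trick depends on the threshold being a power of two.

```cpp
#include <cstdint>

// x86-64 register numbers in encoding order, constructed to mirror the
// assembler's enum: eax..edi are 0..7, r8..r15 are 8..15.
enum RegisterID : uint8_t {
    eax, ecx, edx, ebx, esp, ebp, esi, edi,
    r8, r9, r10, r11, r12, r13, r14, r15
};

// Registers 8..15 are only reachable through a REX prefix (REX.R/REX.X/REX.B
// supply bit 3 of the register number).
static inline bool regRequiresRex(int reg) { return reg >= r8; }

// For 8-bit operands, encodings 4..7 mean ah/ch/dh/bh without REX and
// spl/bpl/sil/dil with REX, so those registers need the prefix as well.
static inline bool byteRegRequiresRex(int reg) { return reg >= esp; }

// The old form: two tests, two branches.
static inline bool regPairRequiresRexOld(int index, int base)
{
    return regRequiresRex(index) || regRequiresRex(base);
}
static inline bool byteRegPairRequiresRexOld(int reg, int rm)
{
    return byteRegRequiresRex(reg) || byteRegRequiresRex(rm);
}

// The new form: OR first, test once.
static inline bool regPairRequiresRexNew(int index, int base)
{
    return regRequiresRex(index | base);
}
static inline bool byteRegPairRequiresRexNew(int reg, int rm)
{
    return byteRegRequiresRex(reg | rm);
}

// Exhaustive check over all 16 x 16 register pairs for both predicates.
bool rexFoldingIsEquivalent()
{
    for (int a = eax; a <= r15; ++a) {
        for (int b = eax; b <= r15; ++b) {
            if (regPairRequiresRexOld(a, b) != regPairRequiresRexNew(a, b))
                return false;
            if (byteRegPairRequiresRexOld(a, b) != byteRegPairRequiresRexNew(a, b))
                return false;
        }
    }
    return true;
}

// Returns true if folding "x >= threshold || y >= threshold" into
// "(x | y) >= threshold" gives a wrong answer for some pair in 0..15.
// Thresholds 4 and 8 are safe; 3 is not (1 | 2 == 3 although 1 < 3 and 2 < 3).
bool orFoldingFailsForThreshold(int threshold)
{
    for (int a = 0; a < 16; ++a) {
        for (int b = 0; b < 16; ++b) {
            if (((a | b) >= threshold) != (a >= threshold || b >= threshold))
                return true;
        }
    }
    return false;
}

int main()
{
    return rexFoldingIsEquivalent() && !orFoldingFailsForThreshold(4) && !orFoldingFailsForThreshold(8) ? 0 : 1;
}
```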
3715 2016-03-25  Saam barati  <sbarati@apple.com>
3716
3717         RegExp.prototype.test should be an intrinsic again
3718         https://bugs.webkit.org/show_bug.cgi?id=155861
3719
3720         Reviewed by Yusuke Suzuki.
3721
3722         * runtime/RegExpPrototype.cpp:
3723         (JSC::RegExpPrototype::finishCreation):
3724
3725 2016-03-25  Mark Lam  <mark.lam@apple.com>
3726
3727         ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites.
3728         https://bugs.webkit.org/show_bug.cgi?id=155904
3729
3730         Reviewed by Geoffrey Garen.
3731
3732         There exists a JS library XRegExp (see http://xregexp.com) that extends the regexp
3733         implementation.  XRegExp does feature testing by comparing RegExp.prototype.sticky
3734         to undefined.  See:
3735
3736         Example 1. https://github.com/slevithan/xregexp/blob/28a2b033c5951477bed8c7c867ddf7e89c431cd4/tests/perf/index.html
3737             ...
3738             } else if (knownVersion[version]) {
3739                 // Hack around ES6 incompatibility in XRegExp versions prior to 3.0.0
3740                 if (parseInt(version, 10) < 3) {
3741                     delete RegExp.prototype.sticky;
3742             }
3743             ...
3744
3745         Example 2. https://github.com/slevithan/xregexp/blob/d0e665d4068cec4d15919215b098b2373f1f12e9/tests/perf/versions/xregexp-all-v2.0.0.js
3746             ...
3747             // Check for flag y support (Firefox 3+)
3748                 hasNativeY = RegExp.prototype.sticky !== undef,
3749             ...
3750
3751         The ES6 spec states that we should throw a TypeError here because RegExp.prototype
3752         is not a RegExp object, and the sticky getter is only allowed to be called on
3753         RegExp objects.  See https://tc39.github.io/ecma262/2016/#sec-get-regexp.prototype.sticky.
3754         As a result, websites that use XRegExp can break (e.g. some Atlassian tools).
3755
3756         As a workaround, we'll return undefined instead of throwing on access of these
3757         flag properties that may be used for feature testing.
3758
3759         * runtime/RegExpPrototype.cpp:
3760         (JSC::regExpProtoGetterGlobal):
3761         (JSC::regExpProtoGetterIgnoreCase):
3762         (JSC::regExpProtoGetterMultiline):
3763         (JSC::regExpProtoGetterSticky):
3764         (JSC::regExpProtoGetterUnicode):
3765
3766 2016-03-25  Caitlin Potter  <caitp@igalia.com>
3767
3768         [JSC] fix divide-by-zero in String.prototype.padStart/padEnd
3769         https://bugs.webkit.org/show_bug.cgi?id=155903
3770
3771         Reviewed by Filip Pizlo.
3772
3773         * runtime/StringPrototype.cpp:
3774         (JSC::padString):
3775
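A padString with the zero divisor handled, as an added example for the divide-by-zero entry above and for the padStart/padEnd implementation entry further down; this is not JSC's padString, and kMaxStringLength is a constructed limit. It assumes the divisor in question is the filler length used to compute how many whole copies of the fill string are needed: maxLength and fillString both come straight from the script, and an empty fill string makes that length zero. The early return for an empty filler is the step the String.prototype.padStart/padEnd proposal specifies (return the string unchanged), and it must come before the division.

```cpp
#include <stdexcept>
#include <string>

// Constructed upper bound on the result length. JSC enforces its own maximum
// string length and throws an out-of-memory error beyond it.
static const size_t kMaxStringLength = 1u << 30;

// Stand-in for JSC::padString (not the JSC function). Script-controlled
// inputs: maxLength and fillString, which may be "".
std::string padString(const std::string& str, size_t maxLength, const std::string& fillString, bool padStart)
{
    // Already long enough: nothing to pad.
    if (maxLength <= str.length())
        return str;

    // Guard the divisor. With an empty filler the spec says return S unchanged;
    // without this check fillLength / fillString.length() divides by zero.
    if (fillString.empty())
        return str;

    if (maxLength > kMaxStringLength)
        throw std::length_error("Out of memory");

    size_t fillLength = maxLength - str.length();
    size_t repeatCount = fillLength / fillString.length(); // length > 0 here
    size_t remainder = fillLength % fillString.length();

    std::string filler;
    filler.reserve(fillLength);
    for (size_t i = 0; i < repeatCount; ++i)
        filler += fillString;
    filler.append(fillString, 0, remainder); // truncated final copy

    return padStart ? filler + str : str + filler;
}

std::string padStart(const std::string& str, size_t maxLength, const std::string& fillString = " ")
{
    return padString(str, maxLength, fillString, true);
}

std::string padEnd(const std::string& str, size_t maxLength, const std::string& fillString = " ")
{
    return padString(str, maxLength, fillString, false);
}

// True when an absurd maxLength is refused instead of being allocated.
bool padRejectsOversizedLength()
{
    try {
        padStart("a", kMaxStringLength + 1, "x");
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

int main()
{
    bool ok = padStart("abc", 10, "12") == "1212121abc"
        && padStart("abc", 10, "") == "abc"
        && padRejectsOversizedLength();
    return ok ? 0 : 1;
}
```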
3776 2016-03-25  Benjamin Poulain  <benjamin@webkit.org>
3777
3778         [JSC] materialize-past-butterfly-allocation.js time out in debug
3779
3780         * tests/stress/materialize-past-butterfly-allocation.js:
3781         The test times out on the debug bots. We suspect there is nothing
3782         wrong, just overkill loops.
3783
3784 2016-03-25  Brian Burg  <bburg@apple.com>
3785
3786         Web Inspector: protocol generator should prefix C++ filenames with the protocol group
3787         https://bugs.webkit.org/show_bug.cgi?id=155859
3788         <rdar://problem/25349859>
3789
3790         Reviewed by Alex Christensen and Joseph Pecoraro.
3791
3792         Like for generated Objective-C files, we should use the 'protocol group' name
3793         as the prefix for generated C++ files so that headers from different protocol
3794         groups have unambiguous names.
3795
3796         * inspector/scripts/codegen/cpp_generator.py:
3797         (CppGenerator):
3798         (CppGenerator.__init__):
3799         (CppGenerator.protocol_name):
3800         Make all C++ code generators extend the CppGenerator python class and use the
3801         protocol_name() instance method. This matches a recent change to the ObjC generator.
3802
3803         * inspector/scripts/codegen/cpp_generator_templates.py:
3804         (CppGeneratorTemplates):
3805         Drive-by cleanup to use #pragma once instead of header guards.
3806
3807         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
3808         (CppAlternateBackendDispatcherHeaderGenerator):
3809         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
3810         (CppAlternateBackendDispatcherHeaderGenerator.output_filename):
3811         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
3812         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3813         (CppBackendDispatcherHeaderGenerator):
3814         (CppBackendDispatcherHeaderGenerator.__init__):
3815         (CppBackendDispatcherHeaderGenerator.output_filename):
3816         (CppBackendDispatcherHeaderGenerator.generate_output):
3817         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3818         (CppBackendDispatcherImplementationGenerator):
3819         (CppBackendDispatcherImplementationGenerator.__init__):
3820         (CppBackendDispatcherImplementationGenerator.output_filename):
3821         (CppBackendDispatcherImplementationGenerator.generate_output):
3822         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3823         (CppFrontendDispatcherHeaderGenerator):
3824         (CppFrontendDispatcherHeaderGenerator.__init__):
3825         (CppFrontendDispatcherHeaderGenerator.output_filename):
3826         (CppFrontendDispatcherHeaderGenerator.generate_output):
3827         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3828         (CppFrontendDispatcherImplementationGenerator):
3829         (CppFrontendDispatcherImplementationGenerator.__init__):
3830         (CppFrontendDispatcherImplementationGenerator.output_filename):
3831         (CppFrontendDispatcherImplementationGenerator.generate_output):
3832         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3833         (CppProtocolTypesHeaderGenerator):
3834         (CppProtocolTypesHeaderGenerator.__init__):
3835         (CppProtocolTypesHeaderGenerator.output_filename):
3836         (CppProtocolTypesHeaderGenerator.generate_output):
3837         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3838         (CppProtocolTypesImplementationGenerator):
3839         (CppProtocolTypesImplementationGenerator.__init__):
3840         (CppProtocolTypesImplementationGenerator.output_filename):
3841         (CppProtocolTypesImplementationGenerator.generate_output):
3842         Use the protocol_name() instance method to compute generated protocol file names.
3843
3844         * inspector/scripts/codegen/models.py:
3845         Explicitly set the 'protocol_group' for the Inspector protocol.
3846
3847         Rebaseline generator test results.
3848
3849         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3850         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3851         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3852         * inspector/scripts/tests/expected/enum-values.json-result:
3853         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3854         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3855         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3856         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3857         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3858         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3859         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3860         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3861         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3862
3863 2016-03-25  Keith Miller  <keith_miller@apple.com>
3864
3865         putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength
3866         https://bugs.webkit.org/show_bug.cgi?id=155730
3867
3868         Reviewed by Saam Barati.
3869
3870         This patch makes ensureLength return a boolean indicating if it was able to set the length.
3871         ensureLength also no longer sets the butterfly to null if the allocation of the butterfly
3872         fails. All of ensureLength's callers including putByIndexBeyondVectorLengthWithoutAttributes
3873         have been adapted to throw an out of memory error if ensureLength fails.
3874
3875         * runtime/JSArray.cpp:
3876         (JSC::JSArray::setLength):
3877         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3878         * runtime/JSObject.cpp:
3879         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3880         (JSC::JSObject::ensureLengthSlow):
3881         * runtime/JSObject.h:
3882         (JSC::JSObject::ensureLength):
3883
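The return-a-bool-and-throw pattern from the entry above, as an added example that is not JSC's JSObject code: Butterfly, FakeAllocator, ObjectLike, kMaxVectorLength and putByIndexBeyondVectorLength are constructed stand-ins for the butterfly storage, the allocator, the object and its caller. The property that matters is checked by failedGrowthKeepsExistingStorage: when the allocation fails, ensureLength reports false, the caller turns that into an out-of-memory error, and the old storage with its contents is left exactly as it was instead of being set to null.

```cpp
#include <algorithm>
#include <climits>
#include <memory>
#include <stdexcept>
#include <vector>

// Constructed stand-in for the butterfly's indexed storage.
struct Butterfly {
    std::vector<int> slots; // JSValue stand-in; slots.size() is the vector length
};

// Constructed allocator whose next allocation can be made to fail, to
// simulate running out of memory without actually exhausting it.
struct FakeAllocator {
    bool failNextAllocation = false;

    std::unique_ptr<Butterfly> tryAllocate(unsigned vectorLength)
    {
        if (failNextAllocation) {
            failNextAllocation = false;
            return nullptr;
        }
        std::unique_ptr<Butterfly> result(new Butterfly);
        result->slots.resize(vectorLength, 0);
        return result;
    }
};

static const unsigned kMaxVectorLength = 1u << 24; // constructed cap

struct ObjectLike {
    std::unique_ptr<Butterfly> butterfly;
    unsigned publicLength = 0;
};

// Grow the butterfly so that at least `length` slots exist. Returns false when
// it cannot, and in that case does not touch object.butterfly: the caller
// reports the failure and the object remains usable.
bool ensureLength(ObjectLike& object, unsigned length, FakeAllocator& allocator)
{
    if (object.butterfly && object.butterfly->slots.size() >= length)
        return true;
    if (length > kMaxVectorLength)
        return false;
    std::unique_ptr<Butterfly> grown = allocator.tryAllocate(length);
    if (!grown)
        return false; // old storage stays installed
    if (object.butterfly)
        std::copy(object.butterfly->slots.begin(), object.butterfly->slots.end(), grown->slots.begin());
    object.butterfly = std::move(grown);
    return true;
}

// Caller modelled on putByIndexBeyondVectorLengthWithoutAttributes: a failed
// ensureLength becomes a thrown out-of-memory error, never a write through a
// null butterfly.
void putByIndexBeyondVectorLength(ObjectLike& object, unsigned index, int value, FakeAllocator& allocator)
{
    if (index == UINT_MAX) // index + 1 would wrap to 0 and pass ensureLength
        throw std::range_error("index out of range");
    if (!ensureLength(object, index + 1, allocator))
        throw std::runtime_error("Out of memory");
    object.butterfly->slots[index] = value;
    if (index >= object.publicLength)
        object.publicLength = index + 1;
}

// True when a simulated allocation failure surfaces as an exception and the
// previously stored elements and length survive untouched.
bool failedGrowthKeepsExistingStorage()
{
    FakeAllocator allocator;
    ObjectLike object;
    putByIndexBeyondVectorLength(object, 0, 10, allocator);
    putByIndexBeyondVectorLength(object, 1, 20, allocator);
    size_t lengthBefore = object.butterfly->slots.size();

    allocator.failNextAllocation = true;
    bool threw = false;
    try {
        putByIndexBeyondVectorLength(object, 100, 30, allocator);
    } catch (const std::runtime_error&) {
        threw = true;
    }
    return threw
        && object.butterfly != nullptr
        && object.butterfly->slots.size() == lengthBefore
        && object.butterfly->slots[0] == 10
        && object.butterfly->slots[1] == 20
        && object.publicLength == 2;
}

int main()
{
    return failedGrowthKeepsExistingStorage() ? 0 : 1;
}
```

After the failed put the same object accepts further writes once memory is available again, which is the behaviour the entry wants: an out-of-memory error is recoverable by the script, a null butterfly followed by a dereference is not.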
3884 2016-03-25  Caitlin Potter  <caitp@igalia.com>
3885
3886         [JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal
3887