317f898de59c931b3d2a44830746c5548b92711e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-01  Saam barati  <sbarati@apple.com>

        [[IsExtensible]] should be a virtual method in the method table
        https://bugs.webkit.org/show_bug.cgi?id=154799

        Reviewed by Mark Lam.

        This patch makes us more consistent with how the ES6 specification models the
        [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[IsExtensible]].

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::preventExtensions):
        (JSC::JSCell::isExtensible):
        * runtime/JSCell.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensibleImpl):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::isExtensibleInline):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::isExtensible): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        (JSC::objectConstructorIs):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        * runtime/Structure.h:

2016-03-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * jit/JITOperations.h:

2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function. Some not used byte code is emitted
        https://bugs.webkit.org/show_bug.cgi?id=154639

        Reviewed by Saam Barati.

        Currently the bytecode that is generated for arrow functions is not optimal.
        The current fix removes the following unnecessary bytecode:
        1. create_lexical_environment is not always emitted for arrow functions, only if one of the
        features (this/super/arguments/eval) is used inside the arrow function.
        2. Loading 'this' from the arrow function scope in a constructor is done only if super
        is contained in the arrow function.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
        * tests/stress/arrowfunction-lexical-bind-supercall-4.js:

2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        Turn String.prototype.replace into an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=154835

        Reviewed by Michael Saboff.

        Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
        of checks to see if the parameters are what they are likely to often be (a string, a
        regexp, and a string). The intuition of this patch is that it's good to remove those checks
        and it's good to call the native function as directly as possible.

        This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
        It also improves Octane/jquery.

        This is only the beginning of what I want to do with replace optimizations. The other
        optimizations will rely on StringReplace being revealed as a construct in DFG IR.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isStringOrStringObjectSpeculation):
        (JSC::isRegExpObjectSpeculation):
        (JSC::isBoolInt32Speculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
        (JSC::DFG::Node::shouldSpeculateRegExpObject):
        (JSC::DFG::Node::shouldSpeculateSymbol):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateString):
        * jit/JITOperations.h:
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncRepeat):
        (JSC::replace):
        (JSC::stringProtoFuncReplace):
        (JSC::operationStringProtoFuncReplaceGeneric):
        (JSC::stringProtoFuncToString):
        * runtime/StringPrototype.h:

2016-03-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197056.
        https://bugs.webkit.org/show_bug.cgi?id=154870

        broke win ews (Requested by alexchristensen on #webkit).

        Reverted changeset:

        "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
        https://bugs.webkit.org/show_bug.cgi?id=154651
        http://trac.webkit.org/changeset/197056

2016-02-29  Saam barati  <sbarati@apple.com>

        [[PreventExtensions]] should be a virtual method in the method table.
        https://bugs.webkit.org/show_bug.cgi?id=154800

        Reviewed by Yusuke Suzuki.

        This patch makes us more consistent with how the ES6 specification models the
        [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[PreventExtensions]].

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getGenericPropertyNames):
        (JSC::JSCell::preventExtensions):
        * runtime/JSCell.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::destroy):
        * runtime/JSModuleNamespaceObject.h:
        (JSC::JSModuleNamespaceObject::create):
        (JSC::JSModuleNamespaceObject::moduleRecord):
        * runtime/JSObject.cpp:
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObject.h:
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectPreventExtensions):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::preventExtensionsTransition):
        * runtime/Structure.h:

2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Private symbols should not be trapped by proxy handler
        https://bugs.webkit.org/show_bug.cgi?id=154817

        Reviewed by Mark Lam.

        Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
        For example, in ArrayIteratorPrototype.js

            var itemKind = this.@arrayIterationKind;
            if (itemKind === @undefined)
                throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");

        Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
        But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.

        To avoid this situation, we perform the default operations for property operations with private symbols.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::deleteProperty):
        (JSC::ProxyObject::deletePropertyByIndex):
        * tests/stress/proxy-basic.js:
        * tests/stress/proxy-with-private-symbols.js: Added.
        (assert):
        (let.handler.getOwnPropertyDescriptor):

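The failure mode the entry above describes, as an added example that is not part of this ChangeLog or of JavaScriptCore. Standard JavaScript exposes no private symbols, but the specification's internal slots play the same role: %ArrayIteratorPrototype%.next checks those slots directly rather than reading an ordinary property, so a Proxy whose traps answer every key (the situation the entry warns about) cannot pass itself off as an Array Iterator, while a duck-typed property check of the kind quoted above is fooled. The code assumes a spec-compliant engine such as Node.js; the helper names and the `arrayIterationKind` key are my own choices for the illustration.

```javascript
// Added example, not JavaScriptCore code. Contrasts a duck-typed "is this an
// Array Iterator?" check, which a greedy Proxy defeats, with the engine's own
// internal-slot check, which a Proxy trap cannot reach.

const arrayIteratorNext = Object.getPrototypeOf([][Symbol.iterator]()).next;

// A "greedy" proxy: every get/has/getOwnPropertyDescriptor claims the property
// exists with a non-undefined value, and records which keys were asked for.
function makeGreedyProxy(log) {
  return new Proxy({}, {
    get(_target, key) { log.push(key); return 1; },
    has(_target, key) { log.push(key); return true; },
    getOwnPropertyDescriptor(_target, key) {
      log.push(key);
      return { value: 1, writable: true, enumerable: true, configurable: true };
    },
  });
}

// A duck-typed check in the spirit of the quoted ArrayIteratorPrototype.js
// snippet (the key name is an assumption for this example): "does the receiver
// carry a non-undefined arrayIterationKind?". A greedy proxy satisfies it.
function looksLikeArrayIteratorByDuckTyping(receiver) {
  return receiver.arrayIterationKind !== undefined;
}

// Calls %ArrayIteratorPrototype%.next with an arbitrary receiver and reports
// whether the engine accepted it. The engine consults internal slots, not
// properties, so no trap on a Proxy receiver can make this succeed.
function callNextOn(receiver) {
  try {
    return { ok: true, result: arrayIteratorNext.call(receiver) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function demo() {
  const log = [];
  const proxy = makeGreedyProxy(log);
  const duckTyped = looksLikeArrayIteratorByDuckTyping(proxy); // true: fooled
  const viaProxy = callNextOn(proxy);                          // TypeError
  const viaReal = callNextOn([42][Symbol.iterator]());         // { value: 42, done: false }
  return { duckTyped, viaProxy, viaReal, trappedKeys: log.slice() };
}
```

Run `demo()` under Node.js: the duck-typed check reports the proxy as an iterator, and `trappedKeys` shows the `arrayIterationKind` lookup reaching the `get` trap, whereas the real `next` rejects the proxy with a TypeError and accepts a genuine iterator. The lesson matches the entry: state the runtime relies on must live where ordinary property access, and therefore a Proxy handler, cannot reach it.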
2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=154841

        Reviewed by Benjamin Poulain.

        Here's the deadlock:

        Main thread:
            1) Change an InferredType.  This acquires InferredType::m_lock.
            2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
               CodeBlock::m_lock.

        DFG thread:
            1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
            2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.

        I think that the DFG thread's ordering should be legal, because the best logic for lock
        hierarchies is that locks that protect the largest set of stuff should be acquired first.

        This means that the main thread shouldn't be holding the InferredType::m_lock when firing
        watchpoint sets.  That's what this patch ensures.

        At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
        this change I cannot get it to deadlock.

        * runtime/InferredType.cpp:
        (JSC::InferredType::willStoreValueSlow):
        (JSC::InferredType::makeTopSlow):
        (JSC::InferredType::set):
        (JSC::InferredType::removeStructure):
        (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.h:

2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL][B3] Support floor and ceil
        https://bugs.webkit.org/show_bug.cgi?id=154683

        Reviewed by Filip Pizlo.

        This patch implements and fixes the following things.

        1. Implement Ceil and Floor in DFG, FTL and B3

        x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
        This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
        During the DFG phases, these nodes attempt to convert themselves to Identity (in the Fixup phase).
        As with ArithRound, they track the arith rounding mode.
        And if these nodes are required to emit machine code, we emit rounding machine code
        if it is supported on the current machine. For example, on x86, we emit `round`.

        This `Floor` functionality is nice for @toInteger in builtins.
        That is used for Array.prototype.{forEach, map, every, some, reduce...}
        And according to the benchmark results, Kraken audio-oscillator is slightly improved
        due to its frequent Math.round and Math.floor calls.

        2. Implement Floor in B3 and Air

        As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
        This Floor is leveraged to implement ArithFloor in DFG.

        3. Fix ArithRound operation

        Currently, we use cvtsd2si (on x86) to convert a double value to int32.
        And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
        However, this implementation is not correct, because cvtsd2si is not a floor operation.
        It is a truncate operation. This is OK for positive numbers, but NG for negative numbers.
        For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
        Using Ceil and Floor instructions, we implement a correct ArithRound.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARM::ceilDouble):
        (JSC::MacroAssemblerARM::floorDouble):
        (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARM64::floorFloat):
        (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARMv7::ceilDouble):
        (JSC::MacroAssemblerARMv7::floorDouble):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::ceilDouble):
        (JSC::MacroAssemblerMIPS::floorDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
        (JSC::MacroAssemblerSH4::ceilDouble):
        (JSC::MacroAssemblerSH4::floorDouble):
        (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::floorDouble):
        (JSC::MacroAssemblerX86Common::floorFloat):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::floorConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::floorConstant):
        * b3/B3ConstFloatValue.h:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::floorConstant):
        (JSC::B3::Value::isRounded):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testFloorCeilArg):
        (JSC::B3::testFloorArg):
        (JSC::B3::testFloorImm):
        (JSC::B3::testFloorMem):
        (JSC::B3::testFloorFloorArg):
        (JSC::B3::testCeilFloorArg):
        (JSC::B3::testFloorIToD64):
        (JSC::B3::testFloorIToD32):
        (JSC::B3::testFloorArgWithUselessDoubleConversion):
        (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
        (JSC::B3::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArithMode.cpp:
        (WTF::printInternal):
        * dfg/DFGArithMode.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::roundShouldSpeculateInt32):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArithRoundingMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleFloor):
        * jit/ThunkGenerators.cpp:
        (JSC::ceilThunkGenerator):
        * tests/stress/math-ceil-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-ceil-basics.js: Added.
        (mathCeilOnIntegers):
        (mathCeilOnDoubles):
        (mathCeilOnBooleans):
        (uselessMathCeil):
        (mathCeilWithOverflow):
        (mathCeilConsumedAsDouble):
        (mathCeilDoesNotCareAboutMinusZero):
        (mathCeilNoArguments):
        (mathCeilTooManyArguments):
        (testMathCeilOnConstants):
        (mathCeilStructTransition):
        (Math.ceil):
        * tests/stress/math-floor-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-floor-basics.js: Added.
        (mathFloorOnIntegers):
        (mathFloorOnDoubles):
        (mathFloorOnBooleans):
        (uselessMathFloor):
        (mathFloorWithOverflow):
        (mathFloorConsumedAsDouble):
        (mathFloorDoesNotCareAboutMinusZero):
        (mathFloorNoArguments):
        (mathFloorTooManyArguments):
        (testMathFloorOnConstants):
        (mathFloorStructTransition):
        (Math.floor):
        * tests/stress/math-round-should-not-use-truncate.js: Added.
        (mathRoundDoesNotCareAboutMinusZero):
        * tests/stress/math-rounding-infinity.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        * tests/stress/math-rounding-nan.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        * tests/stress/math-rounding-negative-zero.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        (testRoundNonNegativeZero):
        (testRoundNonNegativeZero2):

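The ArithRound bug described under point 3 of the entry above, as an added example that is not part of this ChangeLog or of JavaScriptCore. `roundByTruncate` models the old `cvtsd2si(value + 0.5)` lowering with `Math.trunc`, and `roundByFloor` builds Math.round from a floor operation while handling the half-way, negative-zero, NaN and infinity cases the tests listed in the entry cover (and, beyond the entry, the precision loss of `x + 0.5` near 0.5). Neither function is JSC's actual code; the input list is constructed for the example and the engine's `Math.round` serves as the oracle.

```javascript
// Added example, not JavaScriptCore code. Contrasts a truncation-based
// Math.round (the bug the entry describes) with a floor-based one.

// Models the old lowering: cvtsd2si(value + 0.5) truncates toward zero, which
// only matches rounding when value + 0.5 is non-negative. -0.6 + 0.5 = -0.1
// truncates to -0 instead of -1.
function roundByTruncate(x) {
  return Math.trunc(x + 0.5);
}

// Math.round built from floor, following the specification:
//  - half-way cases round toward +Infinity (2.5 -> 3, -2.5 -> -2),
//  - x in [-0.5, 0) yields -0,
//  - NaN, +/-Infinity and +/-0 pass through unchanged.
// Comparing x - floor(x) against 0.5 (an exact subtraction for doubles) avoids
// the rounding error of x + 0.5 for inputs such as 0.49999999999999994.
function roundByFloor(x) {
  const f = Math.floor(x);              // NaN, Infinity and -0 stay as they are
  let r = (x - f >= 0.5) ? f + 1 : f;
  if (r === 0 && x < 0) r = -0;         // -0.5 <= x < 0 must round to -0
  return r;
}

// Constructed inputs covering positive/negative halves, signed zero,
// a value just below 0.5, and the non-finite cases.
const SAMPLE_INPUTS = [0.4, 0.5, 0.6, 2.5, 3.5, -0.4, -0.5, -0.6, -2.5, -2.6,
                       0, -0, 0.49999999999999994, NaN, Infinity, -Infinity];

// Compares a candidate against the engine's Math.round using Object.is, so
// that -0 versus +0 and NaN versus NaN are judged correctly, and returns the
// inputs on which the candidate disagrees.
function disagreementsWithMathRound(candidate, inputs = SAMPLE_INPUTS) {
  return inputs.filter((x) => !Object.is(candidate(x), Math.round(x)));
}
```

`disagreementsWithMathRound(roundByTruncate)` lists every negative input whose rounded value is wrong or has the wrong sign of zero (the `-0.6` case from the entry among them), while `disagreementsWithMathRound(roundByFloor)` is empty. The `Object.is` comparison matters: with `===`, the signed-zero bugs the entry's `*-negative-zero.js` tests target would be invisible.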
2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>

        Add new MethodTable method to get an estimated size for a cell
        https://bugs.webkit.org/show_bug.cgi?id=154838

        Reviewed by Filip Pizlo.

        The new class method estimatedSize(JSCell*) estimates the size for a single cell.
        As the name implies, this is meant to be an approximation. It is more important
        that big objects report a large size than to get perfect size information for
        all objects in the heap.

            Base implementation (JSCell):
              - returns the MarkedBlock bucket size for this cell.
              - This gets us the object size including inline storage. Basically a better sizeof.

            Subclasses with "Extra Memory Cost":
              - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
              - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.

            Subclasses with "Copied Space" storage:
              - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
              - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.

        Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
        instructions because this can be larger than 1kb, which is significant.

        This has one special case for RegExp generated bytecode / JIT code, which
        does not currently fall into the extra memory cost or copied space storage.
        In practice I haven't seen this grow to a significant cost.

        * runtime/ClassInfo.h:
        Add the new estimatedSize method to the table.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::estimatedSize):
        (JSC::UnlinkedCodeBlock::setInstructions):
        * bytecode/UnlinkedCodeBlock.h:
        Report an extra memory cost for unlinked code blocks like
        we do for linked code blocks.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedInstructionStream.cpp:
        (JSC::UnlinkedInstructionStream::sizeInBytes):
        * bytecode/UnlinkedInstructionStream.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::estimatedSizeInBytes):
        (JSC::JSCell::estimatedSize):
        * runtime/JSCell.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSMap.cpp:
        (JSC::JSMap::estimatedSize):
        * runtime/JSMap.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        * runtime/JSObject.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::estimatedSize):
        * runtime/JSSet.h:
        * runtime/JSString.cpp:
        (JSC::JSString::estimatedSize):
        * runtime/JSString.h:
        * runtime/MapData.h:
        (JSC::MapDataImpl::capacityInBytes):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::estimatedSize):
        (JSC::WeakMapData::visitChildren):
        * runtime/WeakMapData.h:
        Implement estimated size following the pattern of reporting
        extra visited size, or copy space memory.

        * runtime/RegExp.cpp:
        (JSC::RegExp::estimatedSize):
        * runtime/RegExp.h:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
        (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::size):
        Include generated bytecode / JITCode in a RegExp's size.

2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        SpeculatedType should be easier to edit
        https://bugs.webkit.org/show_bug.cgi?id=154840

        Reviewed by Mark Lam.

        We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
        great because we didn't have so many masks and you could use the mask to visually see
        which ones overlapped. It also made it easy to visualize subset relationships.

        But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
        possible to just see their relationship by looking at hex codes. Worse, the use of hex
        codes makes it super annoying to move the bits around. For example, right now we have two
        bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
        nightmare.

        So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
        makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
        an or expression (SpecFoo | SpecBar | SpecBaz for example).

        This makes it easier to see the relationships and it makes it easier to take bits for new
        types.

        * bytecode/SpeculatedType.h:

2016-02-29  Keith Miller  <keith_miller@apple.com>

        OverridesHasInstance constant folding is wrong
        https://bugs.webkit.org/show_bug.cgi?id=154833

        Reviewed by Filip Pizlo.

        The current implementation of OverridesHasInstance constant folding
        is incorrect. Since it relies on OSR exit information it has been
        moved to the StrengthReductionPhase. Normally, such an optimization would be
        put in FixupPhase, however, there are a number of cases where we don't
        determine an edge of OverridesHasInstance is a constant until after fixup.
        Performing the optimization during StrengthReductionPhase means we can defer
        our decision until later.

        In the future we should consider creating a version of this optimization
        that does not depend on OSR exit information and move the optimization back
        to ConstantFoldingPhase.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

646 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
647
648         B3 should have global store elimination
649         https://bugs.webkit.org/show_bug.cgi?id=154658
650
651         Reviewed by Benjamin Poulain.
652
653         Implements fairly comprehensive global store elimination:
654
655         1) If you store the result of a load with no interference in between, remove the store.
656
657         2) If you store the same thing you stored previously, remove the store.
658
659         3) If you store something that you either loaded previously or stored previously along
660            arbitrarily many paths, remove the store.
661
662         4) If you store to something that is stored to again in the future with no interference in
663            between, remove the store.
664
665         Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
666         A constructor that produces a large object will have many redundant stores to the same base
667         pointer, offset, and heap range, with no code to observe that heap raneg in between.
668
669         This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
670         microbenchmarks:
671
672         - 30% faster to construct an object with many fields.
673
674         - 5x faster to do many stores to a global variable.
675
676         The compile time cost should be very small. Although the optimization is global, it aborts as
677         soon as it sees anything that would confound store elimination. For rules (1)-(3), we
678         piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
679         we search forward through the current block and then globally a block at a time (skipping
680         block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
681         as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
682         Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
683         Patchpoints for ICs. Those are usually sprinkled all over the program.
684
685         In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
686         faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
687         over a "normal" program so the search will halt almost immediately. This of course raises the
688         question: how much more in compile time do we pay when the optimization does kick in? The
689         optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
690         effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
691         searches is balanced by the massive reduction in work in the backend. On one of the two
692         microbenchmarks, overall compile time actually shrank with this optimization even though CSE
693         itself cost more. That's not too surprising - the backend costs much more per instruction, so
694         things that remove instructions before we get to the backend tend to be a good idea.
695
696         We could consider adding a more aggressive version of this in the future, which could sink
697         stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
698
699         But mainly, I'm adding this optimization because it was super fun to implement during the
700         WebAssembly CG summit.
701
702         * b3/B3EliminateCommonSubexpressions.cpp:
703         * b3/B3MemoryValue.h:
704         * b3/B3SuccessorCollection.h:
705         (JSC::B3::SuccessorCollection::begin):
706         (JSC::B3::SuccessorCollection::end):
707         (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
708         (JSC::B3::SuccessorCollection::const_iterator::operator*):
709         (JSC::B3::SuccessorCollection::const_iterator::operator++):
710         (JSC::B3::SuccessorCollection::const_iterator::operator==):
711         (JSC::B3::SuccessorCollection::const_iterator::operator!=):
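
The single-block case of rules (1), (2) and (4) above, as an added example that is not part of this ChangeLog entry or of JSC's B3 code; HeapRange, Inst, Opaque, eliminateStores and constructorBlock are hypothetical names and the heap numbers are made up:

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed example, not code from JSC's B3EliminateCommonSubexpressions.cpp:
// store elimination rules (1), (2) and (4), restricted to one straight-line
// block. Interference is decided by HeapRange overlap; all names are hypothetical.
struct HeapRange {
    uint32_t begin, end; // affects every abstract heap H with begin <= H < end
    bool overlaps(HeapRange o) const { return begin < o.end && o.begin < end; }
    bool operator==(HeapRange o) const { return begin == o.begin && end == o.end; }
};
static const HeapRange kTop = { 0, UINT32_MAX }; // "reads TOP": touches every heap

struct Inst {
    enum Kind { Load, Store, Opaque } kind; // Opaque: a Check- or Patchpoint-like op
    int value;       // Load: value id it defines; Store: value id it stores
    int base;        // Load/Store: base pointer value id
    int offset;      // Load/Store: constant byte offset from base
    HeapRange range; // heaps read (Load), written (Store) or both (Opaque)
    bool removed = false;

    bool sameLocation(const Inst& o) const {
        return base == o.base && offset == o.offset && range == o.range;
    }
    bool reads(HeapRange r) const { return kind != Store && range.overlaps(r); }
    bool writes(HeapRange r) const { return kind != Load && range.overlaps(r); }
};

static Inst load(int value, int base, int offset, HeapRange r) { return { Inst::Load, value, base, offset, r }; }
static Inst store(int value, int base, int offset, HeapRange r) { return { Inst::Store, value, base, offset, r }; }
static Inst opaque() { return { Inst::Opaque, -1, -1, -1, kTop }; }

// Returns how many stores were removed. Rules (1) and (2) search backward from
// each store, rule (4) searches forward; each search gives up at the first
// interfering read or write, as the entry describes for the single-block case.
static int eliminateStores(std::vector<Inst>& block) {
    int removed = 0;
    for (size_t i = 0; i < block.size(); ++i) {
        Inst& s = block[i];
        if (s.kind != Inst::Store || s.removed)
            continue;
        // Rules (1) and (2): is the stored value already in memory at this location?
        for (size_t j = i; j-- > 0;) {
            const Inst& p = block[j];
            if (p.removed)
                continue;
            if (p.sameLocation(s) && p.value == s.value) { // (1) if p is a Load, (2) if a Store
                s.removed = true; ++removed; break;
            }
            if (p.writes(s.range))
                break; // the location was clobbered in between
        }
        if (s.removed)
            continue;
        // Rule (4): is this location overwritten again before anything can read it?
        for (size_t j = i + 1; j < block.size(); ++j) {
            const Inst& n = block[j];
            if (n.removed)
                continue;
            if (n.kind == Inst::Store && n.sameLocation(s)) {
                s.removed = true; ++removed; break;
            }
            if (n.reads(s.range) || n.writes(s.range))
                break;
        }
    }
    return removed;
}

// Constructed block modelled on the entry's motivating case: a constructor that
// keeps rewriting the same fields of one object. Heap numbers are made up.
static std::vector<Inst> constructorBlock() {
    const HeapRange structureID = { 10, 11 };
    const HeapRange fieldA = { 20, 21 };
    return {
        store(1, 0, 0, structureID), // 0: overwritten by 2 with no read between: rule (4)
        store(2, 0, 8, fieldA),      // 1: kept, the load at 3 reads it
        store(3, 0, 0, structureID), // 2: kept, the opaque op at 5 ends the forward search
        load(4, 0, 8, fieldA),       // 3
        store(4, 0, 8, fieldA),      // 4: stores what 3 just loaded: rule (1)
        opaque(),                    // 5: reads and writes TOP, so no search crosses it
        store(3, 0, 0, structureID), // 6: kept, 5 blocks the backward search and 7 reads it
        load(5, 0, 0, structureID),  // 7
        store(3, 0, 0, structureID), // 8: same value 6 stored, only a read in between: rule (2)
    };
}

int main() {
    std::vector<Inst> block = constructorBlock();
    int removed = eliminateStores(block);
    std::printf("removed %d stores:", removed);
    for (size_t i = 0; i < block.size(); ++i)
        if (block[i].removed)
            std::printf(" %zu", i);
    std::printf("\n"); // prints "removed 3 stores: 0 4 8"
    return 0;
}
```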
712
713 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
714
715         Make it cheap to #include "JITOperations.h"
716         https://bugs.webkit.org/show_bug.cgi?id=154836
717
718         Reviewed by Mark Lam.
719
720         Prior to this change, this header included the whole world even though it didn't have any
721         definitions. This patch turns almost all of the includes into forward declarations. Right
722         now this header is very cheap to include.
723
724         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
725         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
726         * JavaScriptCore.xcodeproj/project.pbxproj:
727         * dfg/DFGSpeculativeJIT.h:
728         * jit/JITOperations.cpp:
729         * jit/JITOperations.h:
730         * jit/Repatch.h:
731         * runtime/CommonSlowPaths.h:
732         (JSC::encodeResult): Deleted.
733         (JSC::decodeResult): Deleted.
734         * runtime/SlowPathReturnType.h: Added.
735         (JSC::encodeResult):
736         (JSC::decodeResult):
737
738 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
739
740         FTL should be able to run everything in Octane/regexp
741         https://bugs.webkit.org/show_bug.cgi?id=154266
742
743         Reviewed by Saam Barati.
744
745         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
746         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
747         DFG backend optimization anyway - if we need this optimization then it should be a
748         strength reduction rule over IR. That way, it can be shared by all backends.
749
750         I measured whether removing that optimization had any effect on performance separately
751         from measuring the performance of this patch. Removing that optimization did not change
752         our score on any benchmarks.
753
754         This patch does have an overall negative effect on the Octane/regexp score. This is
755         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
756         maybe it's something else. No matter - the overall effect on the Octane score is not
757         statistically significant and we don't want this kind of coverage blocked by the fact
758         that adding coverage hurts a benchmark.
759
760         * dfg/DFGByteCodeParser.cpp:
761         (JSC::DFG::ByteCodeParser::parseBlock):
762         * dfg/DFGNode.h:
763         (JSC::DFG::Node::setIndexingType):
764         (JSC::DFG::Node::hasRegexpIndex):
765         * dfg/DFGSpeculativeJIT.cpp:
766         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
767         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
768         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
769         * dfg/DFGSpeculativeJIT32_64.cpp:
770         (JSC::DFG::SpeculativeJIT::compile):
771         * dfg/DFGSpeculativeJIT64.cpp:
772         (JSC::DFG::SpeculativeJIT::compile):
773         * ftl/FTLCapabilities.cpp:
774         (JSC::FTL::canCompile):
775         * ftl/FTLLowerDFGToB3.cpp:
776         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
777         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
778         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
779         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
780         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
781         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
782         * tests/stress/ftl-regexp-exec.js: Added.
783         * tests/stress/ftl-regexp-test.js: Added.
784
785 2016-02-28  Andreas Kling  <akling@apple.com>
786
787         Make JSFunction.name allocation fully lazy.
788         <https://webkit.org/b/154806>
789
790         Reviewed by Saam Barati.
791
792         We were reifying the "name" field on functions lazily, but created the string
793         value itself up front. This patch gets rid of the up-front allocation,
794         saving us a JSString allocation per function in most cases.
795
796         * builtins/BuiltinExecutables.cpp:
797         (JSC::createExecutableInternal):
798         * bytecode/UnlinkedFunctionExecutable.cpp:
799         (JSC::UnlinkedFunctionExecutable::visitChildren):
800         * bytecode/UnlinkedFunctionExecutable.h:
801         * runtime/CodeCache.cpp:
802         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
803         * runtime/Executable.h:
804         * runtime/JSFunction.cpp:
805         (JSC::JSFunction::reifyName):
806
807 2016-02-28  Andreas Kling  <akling@apple.com>
808
809         REGRESSION(r197303): 4 jsc tests failing on bots.
810
811         Unreviewed follow-up fix.
812
813         * bytecode/UnlinkedCodeBlock.cpp:
814         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
815         can still get called with !m_rareData, in case the type profiler is active but this
816         particular code block doesn't have type profiler data. Handle it gracefully.
817
818 2016-02-28  Andreas Kling  <akling@apple.com>
819
820         Shrink UnlinkedCodeBlock a bit.
821         <https://webkit.org/b/154797>
822
823         Reviewed by Anders Carlsson.
824
825         Move profiler-related members of UnlinkedCodeBlock into its RareData
826         structure, saving 40 bytes, and then reorder the other members of
827         UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
828
829         The VM member was removed entirely since UnlinkedCodeBlock is a cell
830         and can retrieve its VM through MarkedBlock header lookup.
831
832         * bytecode/UnlinkedCodeBlock.cpp:
833         (JSC::UnlinkedCodeBlock::vm):
834         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
835         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
836         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
837         * bytecode/UnlinkedCodeBlock.h:
838         (JSC::UnlinkedCodeBlock::addRegExp):
839         (JSC::UnlinkedCodeBlock::addConstant):
840         (JSC::UnlinkedCodeBlock::addFunctionDecl):
841         (JSC::UnlinkedCodeBlock::addFunctionExpr):
842         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
843         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
844         (JSC::UnlinkedCodeBlock::vm): Deleted.
845
846 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
847
848         FTL should lower its abstract heaps to B3 heap ranges
849         https://bugs.webkit.org/show_bug.cgi?id=154782
850
851         Reviewed by Saam Barati.
852
853         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
854         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
855         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
856         notion - the HeapRange. That's what this patch fixes.
857
858         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
859         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
860         affects by specifying a heap range: a begin...end pair that says that the operation
861         affects all abstract heaps H such that begin <= H < end.
862
863         This peculiar scheme was a deliberate attempt to distill what the abstract heap
864         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
865
866         - A heap's end is greater than its begin.
867         - A heap's begin is greater than or equal to its parent's begin.
868         - A heap's end is less than or equal to its parent's end.
869
870         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
871         went for the iterative traversal, which is a splendid algorithm, but it's totally
872         unnecessary here since we tightly control the height of the heap hierarchy.
873
874         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
875         generate new ones for field names and constant indices we encounter, we can't actually
876         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
877         new abstract heap to the hierarchy after ranges were already computed would require
878         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
879         patch solves that problem by recording the associations between abstract heaps and their
880         intended roles in the generated IR, and then decorating all of the relevant B3 values
881         after we compute the ranges of the hierarchy after lowering.
882
883         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
884         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
885         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
886         already been getting the big ones even without alias analysis.
887
888         Even without a speed-up, this patch is valuable because it makes it easier to implement
889         other optimizations, like store elimination.
890
891         * b3/B3HeapRange.h:
892         (JSC::B3::HeapRange::HeapRange):
893         * ftl/FTLAbstractHeap.cpp:
894         (JSC::FTL::AbstractHeap::AbstractHeap):
895         (JSC::FTL::AbstractHeap::changeParent):
896         (JSC::FTL::AbstractHeap::compute):
897         (JSC::FTL::AbstractHeap::shallowDump):
898         (JSC::FTL::AbstractHeap::dump):
899         (JSC::FTL::AbstractHeap::deepDump):
900         (JSC::FTL::AbstractHeap::badRangeError):
901         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
902         (JSC::FTL::IndexedAbstractHeap::baseIndex):
903         (JSC::FTL::IndexedAbstractHeap::atSlow):
904         (JSC::FTL::IndexedAbstractHeap::initialize):
905         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
906         (JSC::FTL::AbstractField::dump): Deleted.
907         * ftl/FTLAbstractHeap.h:
908         (JSC::FTL::AbstractHeap::AbstractHeap):
909         (JSC::FTL::AbstractHeap::isInitialized):
910         (JSC::FTL::AbstractHeap::initialize):
911         (JSC::FTL::AbstractHeap::parent):
912         (JSC::FTL::AbstractHeap::heapName):
913         (JSC::FTL::AbstractHeap::range):
914         (JSC::FTL::AbstractHeap::offset):
915         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
916         (JSC::FTL::IndexedAbstractHeap::at):
917         (JSC::FTL::IndexedAbstractHeap::operator[]):
918         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
919         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
920         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
921         (JSC::FTL::AbstractHeap::changeParent): Deleted.
922         (JSC::FTL::AbstractField::AbstractField): Deleted.
923         (JSC::FTL::AbstractField::initialize): Deleted.
924         (JSC::FTL::AbstractField::offset): Deleted.
925         * ftl/FTLAbstractHeapRepository.cpp:
926         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
927         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
928         (JSC::FTL::AbstractHeapRepository::decorateMemory):
929         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
930         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
931         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
932         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
933         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
934         * ftl/FTLAbstractHeapRepository.h:
935         (JSC::FTL::AbstractHeapRepository::forArrayType):
936         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
937         * ftl/FTLLowerDFGToB3.cpp:
938         (JSC::FTL::DFG::LowerDFGToB3::lower):
939         * ftl/FTLOutput.cpp:
940         (JSC::FTL::Output::load):
941         (JSC::FTL::Output::load8SignExt32):
942         (JSC::FTL::Output::load8ZeroExt32):
943         (JSC::FTL::Output::load16SignExt32):
944         (JSC::FTL::Output::load16ZeroExt32):
945         (JSC::FTL::Output::store):
946         (JSC::FTL::Output::store32As8):
947         (JSC::FTL::Output::store32As16):
948         (JSC::FTL::Output::baseIndex):
949         * ftl/FTLOutput.h:
950         (JSC::FTL::Output::address):
951         (JSC::FTL::Output::absolute):
952         (JSC::FTL::Output::load8SignExt32):
953         (JSC::FTL::Output::load8ZeroExt32):
954         (JSC::FTL::Output::load16SignExt32):
955         (JSC::FTL::Output::load16ZeroExt32):
956         (JSC::FTL::Output::load32):
957         (JSC::FTL::Output::load64):
958         (JSC::FTL::Output::loadPtr):
959         (JSC::FTL::Output::loadDouble):
960         (JSC::FTL::Output::store32):
961         (JSC::FTL::Output::store64):
962         (JSC::FTL::Output::storePtr):
963         (JSC::FTL::Output::storeDouble):
964         (JSC::FTL::Output::ascribeRange):
965         (JSC::FTL::Output::nonNegative32):
966         (JSC::FTL::Output::load32NonNegative):
967         (JSC::FTL::Output::equal):
968         (JSC::FTL::Output::notEqual):
969         * ftl/FTLTypedPointer.h:
970         (JSC::FTL::TypedPointer::operator!):
971         (JSC::FTL::TypedPointer::heap):
972         (JSC::FTL::TypedPointer::value):
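
The range assignment and deferred decoration described above, as an added example that is not the FTL's own code; AbstractHeap, computeRanges, computeRangesAndDecorate, MemoryOp and the sample hierarchy are hypothetical, and reserving one number for each heap before its children is this example's choice, not necessarily the FTL's:

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed example, not code from JSC's FTLAbstractHeap.cpp: number an
// abstract heap hierarchy with begin...end ranges in one recursive traversal,
// decorate memory operations only once every heap is known, and answer
// may-alias queries by range overlap. All names and the hierarchy are made up.
struct HeapRange {
    uint32_t begin = 0, end = 0; // the operation affects heaps H with begin <= H < end
    bool overlaps(HeapRange o) const { return begin < o.end && o.begin < end; }
};

struct AbstractHeap {
    std::string name;
    std::vector<AbstractHeap*> children;
    HeapRange range;
    explicit AbstractHeap(const char* n, AbstractHeap* parent = nullptr) : name(n) {
        if (parent)
            parent->children.push_back(this);
    }
};

// Pre-order numbering: a heap takes the next free number as its begin, each child
// is numbered inside it, and its end is one past the last number its subtree used.
// This yields end > begin, begin >= parent.begin and end <= parent.end, so a
// child's range nests inside its parent's and sibling subtrees never overlap.
static uint32_t computeRanges(AbstractHeap& heap, uint32_t next) {
    heap.range.begin = next++;
    for (AbstractHeap* child : heap.children)
        next = computeRanges(*child, next);
    heap.range.end = next;
    return next;
}

// Checks the three properties from the entry for a whole subtree.
static bool rangesWellFormed(const AbstractHeap& heap) {
    if (heap.range.end <= heap.range.begin)
        return false;
    for (const AbstractHeap* child : heap.children) {
        if (child->range.begin < heap.range.begin || child->range.end > heap.range.end)
            return false;
        if (!rangesWellFormed(*child))
            return false;
    }
    return true;
}

static bool mayAlias(const AbstractHeap& a, const AbstractHeap& b) {
    return a.range.overlaps(b.range);
}

// What lowering records per memory operation: the heap it touches; the range is
// filled in only after the whole hierarchy has been numbered.
struct MemoryOp {
    const AbstractHeap* heap;
    HeapRange range;
};

static void computeRangesAndDecorate(AbstractHeap& root, std::vector<MemoryOp>& ops) {
    computeRanges(root, 0);
    for (MemoryOp& op : ops)
        op.range = op.heap->range; // safe now: no heap can be added "to the right" any more
}

// A made-up hierarchy in the spirit of the FTL's: cell header, butterfly, indexed slots.
struct SampleHeaps {
    AbstractHeap root{"root"};
    AbstractHeap cell{"JSCell", &root};
    AbstractHeap structureID{"JSCell_structureID", &cell};
    AbstractHeap butterflyPtr{"JSObject_butterfly", &root};
    AbstractHeap butterfly{"Butterfly", &root};
    AbstractHeap publicLength{"Butterfly_publicLength", &butterfly};
    AbstractHeap indexed{"IndexedProperties", &butterfly};
    AbstractHeap index0{"IndexedProperties[0]", &indexed};
    AbstractHeap index1{"IndexedProperties[1]", &indexed};
    SampleHeaps() = default;
    SampleHeaps(const SampleHeaps&) = delete; // members point at each other
};

int main() {
    SampleHeaps h;
    std::vector<MemoryOp> ops = { { &h.structureID, {} }, { &h.index1, {} } };
    computeRangesAndDecorate(h.root, ops);
    for (const MemoryOp& op : ops)
        std::printf("%s -> [%u, %u)\n", op.heap->name.c_str(), op.range.begin, op.range.end);
    std::printf("structureID vs publicLength may alias: %d\n", mayAlias(h.structureID, h.publicLength));
    std::printf("butterfly vs index[1] may alias: %d\n", mayAlias(h.butterfly, h.index1));
    return 0;
}
```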
973
974 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
975
976         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
977         https://bugs.webkit.org/show_bug.cgi?id=153981
978
979         Reviewed by Saam Barati.
980
981         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
982         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
983         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
984         During syntax analysis the parser stores information about the variables used in the arrow function inside
985         the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
986
987         * bytecompiler/BytecodeGenerator.cpp:
988         (JSC::BytecodeGenerator::BytecodeGenerator):
989         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
990         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
991         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
992         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
993         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
994         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
995         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
996         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
997         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
998         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
999         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1000         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1001         * bytecompiler/BytecodeGenerator.h:
1002         * bytecompiler/NodesCodegen.cpp:
1003         (JSC::ThisNode::emitBytecode):
1004         (JSC::EvalFunctionCallNode::emitBytecode):
1005         (JSC::FunctionNode::emitBytecode):
1006         * parser/ASTBuilder.h:
1007         (JSC::ASTBuilder::createBracketAccess):
1008         (JSC::ASTBuilder::createDotAccess):
1009         (JSC::ASTBuilder::usesSuperCall):
1010         (JSC::ASTBuilder::usesSuperProperty):
1011         (JSC::ASTBuilder::makeFunctionCallNode):
1012         * parser/Nodes.cpp:
1013         (JSC::ScopeNode::ScopeNode):
1014         (JSC::ProgramNode::ProgramNode):
1015         (JSC::ModuleProgramNode::ModuleProgramNode):
1016         (JSC::EvalNode::EvalNode):
1017         (JSC::FunctionNode::FunctionNode):
1018         * parser/Nodes.h:
1019         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
1020         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
1021         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
1022         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
1023         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
1024         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
1025         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
1026         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
1027         (JSC::ScopeNode::usesSuperCall):
1028         (JSC::ScopeNode::usesSuperProperty):
1029         * parser/Parser.cpp:
1030         (JSC::Parser<LexerType>::parseProperty):
1031         (JSC::Parser<LexerType>::parsePrimaryExpression):
1032         (JSC::Parser<LexerType>::parseMemberExpression):
1033         * parser/Parser.h:
1034         (JSC::Scope::Scope):
1035         (JSC::Scope::isArrowFunctionBoundary):
1036         (JSC::Scope::innerArrowFunctionFeatures):
1037         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
1038         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
1039         (JSC::Scope::setInnerArrowFunctionUsesEval):
1040         (JSC::Scope::setInnerArrowFunctionUsesThis):
1041         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
1042         (JSC::Scope::setInnerArrowFunctionUsesArguments):
1043         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1044         (JSC::Scope::collectFreeVariables):
1045         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1046         (JSC::Scope::fillParametersForSourceProviderCache):
1047         (JSC::Scope::restoreFromSourceProviderCache):
1048         (JSC::Scope::setIsFunction):
1049         (JSC::Scope::setIsArrowFunction):
1050         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1051         (JSC::Parser::pushScope):
1052         (JSC::Parser::popScopeInternal):
1053         (JSC::Parser<LexerType>::parse):
1054         * parser/ParserModes.h:
1055         * parser/SourceProviderCacheItem.h:
1056         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1057         * parser/SyntaxChecker.h:
1058         (JSC::SyntaxChecker::createFunctionMetadata):
1059         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1060         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1061         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1062         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1063         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1064
1065 2016-02-28  Saam barati  <sbarati@apple.com>
1066
1067         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1068         https://bugs.webkit.org/show_bug.cgi?id=154768
1069
1070         Reviewed by Ryosuke Niwa.
1071
1072         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1073         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1074         We weren't correctly propagating the result of this operation to the
1075         out PropertySlot& parameter. This patch fixes that and adds tests.
1076
1077         * runtime/ObjectConstructor.cpp:
1078         (JSC::objectConstructorGetOwnPropertyDescriptor):
1079         I added a missing exception check after object allocation
1080         because I saw that it was missing while reading the code.
1081
1082         * runtime/PropertyDescriptor.cpp:
1083         (JSC::PropertyDescriptor::setUndefined):
1084         (JSC::PropertyDescriptor::slowGetterSetter):
1085         (JSC::PropertyDescriptor::getter):
1086         * runtime/PropertyDescriptor.h:
1087         (JSC::PropertyDescriptor::attributes):
1088         (JSC::PropertyDescriptor::value):
1089         * runtime/ProxyObject.cpp:
1090         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1091         * tests/es6.yaml:
1092         * tests/stress/proxy-get-own-property.js:
1093         (let.handler.getOwnPropertyDescriptor):
1094         (set get let.handler.return):
1095         (set get let.handler.getOwnPropertyDescriptor):
1096         (set get let):
1097         (set get let.a):
1098         (let.b):
1099         (let.setter):
1100         (let.getter):
1101
1102 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1103
1104         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1105         https://bugs.webkit.org/show_bug.cgi?id=152448
1106
1107         Reviewed by Darin Adler.
1108
1109         Add defaultLanguage to the globalObjectMethodTable and use it for the
1110         default locale in Intl object initializations. Fall back to ICU default
1111         locale only if the defaultLanguage function is null, or returns an
1112         empty string.
1113
1114         * jsc.cpp:
1115         * runtime/IntlCollator.cpp:
1116         (JSC::IntlCollator::initializeCollator):
1117         * runtime/IntlDateTimeFormat.cpp:
1118         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1119         * runtime/IntlNumberFormat.cpp:
1120         (JSC::IntlNumberFormat::initializeNumberFormat):
1121         * runtime/IntlObject.cpp:
1122         (JSC::defaultLocale):
1123         (JSC::lookupMatcher):
1124         (JSC::bestFitMatcher):
1125         (JSC::resolveLocale):
1126         * runtime/IntlObject.h:
1127         * runtime/JSGlobalObject.cpp:
1128         * runtime/JSGlobalObject.h:
1129         * runtime/StringPrototype.cpp:
1130         (JSC::toLocaleCase):
1131
1132 2016-02-27  Oliver Hunt  <oliver@apple.com>
1133
1134         CLoop build fix.
1135
1136         * jit/ExecutableAllocatorFixedVMPool.cpp:
1137
1138 2016-02-26  Oliver Hunt  <oliver@apple.com>
1139
1140         Remove the on demand executable allocator
1141         https://bugs.webkit.org/show_bug.cgi?id=154749
1142
1143         Reviewed by Geoffrey Garen.
1144
1145         Remove all the DemandExecutable code and executable allocator ifdefs.
1146
1147         * CMakeLists.txt:
1148         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1149         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1150         * JavaScriptCore.xcodeproj/project.pbxproj:
1151         * jit/ExecutableAllocator.cpp: Removed.
1152         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1153         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1154         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1155         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1156         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1157         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1158         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1159         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1160         (JSC::DemandExecutableAllocator::allocators): Deleted.
1161         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1162         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1163         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1164         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1165         (JSC::ExecutableAllocator::isValid): Deleted.
1166         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1167         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1168         (JSC::ExecutableAllocator::allocate): Deleted.
1169         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1170         (JSC::ExecutableAllocator::dumpProfile): Deleted.
1171         (JSC::ExecutableAllocator::getLock): Deleted.
1172         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1173         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1174         * jit/ExecutableAllocator.h:
1175         * jit/ExecutableAllocatorFixedVMPool.cpp:
1176         * jit/JITStubRoutine.h:
1177         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1178         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1179         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1180
1181 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
1182
1183         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
1184         https://bugs.webkit.org/show_bug.cgi?id=154751
1185
1186         Reviewed by Mark Lam.
1187
1188         * runtime/Structure.cpp:
1189         (JSC::Structure::toStructureShape):
1190         This property name iteration is identical to Structure::forEachPropertyConcurrently.
1191         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
1192
1193 2016-02-26  Mark Lam  <mark.lam@apple.com>
1194
1195         Function.name and Function.length should be configurable.
1196         https://bugs.webkit.org/show_bug.cgi?id=154604
1197
1198         Reviewed by Saam Barati.
1199
1200         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
1201         "Unless otherwise specified, the name property of a built-in Function object,
1202         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
1203         [[Configurable]]: true }."
1204
1205         Similarly, "the length property of a built-in Function object has the attributes
1206         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
1207
1208         This patch makes Function.name and Function.length configurable.
1209
1210         We do this by lazily reifying the JSFunction name and length properties on first
1211         access.  We track whether each of these properties has been reified using flags
1212         in the FunctionRareData.  On first access, if not already reified, we will put
1213         the property into the object with its default value and attributes and set the
1214         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
1215         property.
1216
1217         Also, lots of test results have to be re-baselined because the old Function.length
1218         has attribute DontDelete, which is in conflict with the ES6 requirement that it
1219         is configurable.
1220
1221         * runtime/FunctionRareData.h:
1222         (JSC::FunctionRareData::hasReifiedLength):
1223         (JSC::FunctionRareData::setHasReifiedLength):
1224         (JSC::FunctionRareData::hasReifiedName):
1225         (JSC::FunctionRareData::setHasReifiedName):
1226         - Flags for tracking whether each property has been reified.
1227
1228         * runtime/JSFunction.cpp:
1229         (JSC::JSFunction::finishCreation):
1230         (JSC::JSFunction::createBuiltinFunction):
1231         - Host and builtin functions currently always reify their name and length
1232           properties.  Currently, for builtins, the default names that are used may
1233           differ from the executable name.  For now, we'll stay with keeping this
1234           alternate approach to getting the name and length properties for host and
1235           builtin functions.
1236           However, we need their default attribute to be configurable as well.
1237
1238         (JSC::JSFunction::getOwnPropertySlot):
1239         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1240         (JSC::JSFunction::put):
1241         (JSC::JSFunction::deleteProperty):
1242         (JSC::JSFunction::defineOwnProperty):
1243         (JSC::JSFunction::reifyLength):
1244         (JSC::JSFunction::reifyName):
1245         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1246         (JSC::JSFunction::lengthGetter): Deleted.
1247         (JSC::JSFunction::nameGetter): Deleted.
1248         * runtime/JSFunction.h:
1249         * runtime/JSFunctionInlines.h:
1250         (JSC::JSFunction::hasReifiedLength):
1251         (JSC::JSFunction::hasReifiedName):
1252
1253         * tests/es6.yaml:
1254         - 4 new passing tests.
1255
1256         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
1257         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
1258         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
1259         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
1260         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
1261         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
1262         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
1263         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
1264         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
1265         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
1266         * tests/mozilla/ecma/String/15.5.4.10-1.js:
1267         * tests/mozilla/ecma/String/15.5.4.11-1.js:
1268         * tests/mozilla/ecma/String/15.5.4.11-5.js:
1269         * tests/mozilla/ecma/String/15.5.4.12-1.js:
1270         * tests/mozilla/ecma/String/15.5.4.6-2.js:
1271         * tests/mozilla/ecma/String/15.5.4.7-2.js:
1272         * tests/mozilla/ecma/String/15.5.4.8-1.js:
1273         * tests/mozilla/ecma/String/15.5.4.9-1.js:
1274         - Rebase expected test results.
1275
1276         * tests/stress/function-configurable-properties.js: Added.
1277
1278 2016-02-26  Keith Miller  <keith_miller@apple.com>
1279
1280         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
1281         https://bugs.webkit.org/show_bug.cgi?id=154743
1282
1283         Reviewed by Mark Lam.
1284
1285         * dfg/DFGConstantFoldingPhase.cpp:
1286         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1287         * dfg/DFGFixupPhase.cpp:
1288         (JSC::DFG::FixupPhase::fixupNode):
1289
1290 2016-02-26  Keith Miller  <keith_miller@apple.com>
1291
1292         Native Typed Array functions should use Symbol.species
1293         https://bugs.webkit.org/show_bug.cgi?id=154569
1294
1295         Reviewed by Michael Saboff.
1296
1297         This patch adds support for Symbol.species in the native Typed Array prototype
1298         functions. Additionally, now that other types of typed arrays can be created inside
1299         the slice, we use the JSGenericTypedArrayView::set function, which has been beefed
1300         up, to put everything into the correct place.
1301
1302         * runtime/JSDataView.cpp:
1303         (JSC::JSDataView::set):
1304         * runtime/JSDataView.h:
1305         * runtime/JSGenericTypedArrayView.h:
1306         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1307         (JSC::constructGenericTypedArrayViewFromIterator):
1308         (JSC::constructGenericTypedArrayViewWithArguments):
1309         (JSC::constructGenericTypedArrayView):
1310         * runtime/JSGenericTypedArrayViewInlines.h:
1311         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
1312         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1313         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1314         (JSC::speciesConstruct):
1315         (JSC::genericTypedArrayViewProtoFuncSet):
1316         (JSC::genericTypedArrayViewProtoFuncSlice):
1317         (JSC::genericTypedArrayViewProtoFuncSubarray):
1318         * tests/stress/typedarray-slice.js:
1319         (subclasses.typedArrays.map):
1320         (testSpecies):
1321         (forEach):
1322         (subclasses.forEach):
1323         (testSpeciesRemoveConstructor):
1324         (testSpeciesWithSameBuffer):
1325         * tests/stress/typedarray-subarray.js: Added.
1326         (subclasses.typedArrays.map):
1327         (testSpecies):
1328         (forEach):
1329         (subclasses.forEach):
1330         (testSpeciesRemoveConstructor):
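
Added example (not from the WebKit ChangeLog or the JSC sources) showing what the species-aware slice, subarray and set described above observe from script. The subclasses TaggedBytes, WidenOnSlice and SelfAliasing are constructed for this demo; the last one mirrors the "same buffer" case the entry's tests cover.

```javascript
// Default species: the subclass itself, inherited from the %TypedArray%[Symbol.species] getter.
class TaggedBytes extends Uint8Array {}

// Custom species: ask the builtins to allocate a Uint16Array instead of a WidenOnSlice.
class WidenOnSlice extends Uint8Array {
  static get [Symbol.species]() { return Uint16Array; }
}

function speciesResults() {
  const tagged = new TaggedBytes([10, 20, 30, 40]);

  // slice: TypedArraySpeciesCreate(tagged, [count]) -> new TaggedBytes(2), then a copy.
  const sliced = tagged.slice(1, 3);

  // subarray: TypedArraySpeciesCreate(tagged, [buffer, byteOffset, length]) -> a view
  // over the same buffer, so a set() through it is visible in the original.
  const sub = tagged.subarray(2);
  sub.set([7, 8]);

  // Species with a different element type: slice must copy element by element
  // rather than byte-copy, because the two layouts differ.
  const widen = new WidenOnSlice([1, 2, 255]);
  const widened = widen.slice(1);

  return {
    sliceClass: sliced.constructor.name,                 // 'TaggedBytes'
    sliceValues: Array.from(sliced),                     // [20, 30]
    sliceSharesBuffer: sliced.buffer === tagged.buffer,  // false: slice copies
    subClass: sub.constructor.name,                      // 'TaggedBytes'
    subSharesBuffer: sub.buffer === tagged.buffer,       // true
    subByteOffset: sub.byteOffset,                       // 2
    taggedAfterSet: Array.from(tagged),                  // [10, 20, 7, 8]
    widenedClass: widened.constructor.name,              // 'Uint16Array'
    widenedValues: Array.from(widened),                  // [2, 255]
    widenedByteLength: widened.byteLength,               // 4
  };
}

// Symbol.species lets user code run in the middle of a builtin. A species
// constructor that hands back a view over the *same* buffer makes slice copy
// into the storage it is reading from; the engine has to handle that case
// without stepping outside the buffer, which is what the entry's
// "same buffer" test exercises.
function sliceIntoOwnBuffer() {
  class SelfAliasing extends Uint8Array {}
  let source;
  Object.defineProperty(SelfAliasing, Symbol.species, {
    value: function (count) {
      // Ignore the fresh allocation the builtin expects; alias the source instead.
      return new Uint8Array(source.buffer, 0, count);
    },
  });
  source = new SelfAliasing([1, 2, 3, 4]);
  const result = source.slice(2); // reads bytes 2..3 while writing bytes 0..1
  return { result: Array.from(result), source: Array.from(source) };
}
```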
1331
1332 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
1333
1334         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
1335         https://bugs.webkit.org/show_bug.cgi?id=154704
1336
1337         Reviewed by Geoffrey Garen.
1338
1339         If the Imm is zero, we should still zero the top bits
1340         to match the definition in AirOpcodes.
1341
1342         * assembler/MacroAssemblerX86Common.h:
1343         (JSC::MacroAssemblerX86Common::add32):
1344         * b3/testb3.cpp:
1345
1346 2016-02-26  Oliver Hunt  <oliver@apple.com>
1347
1348         Make testRegExp not crash when given an invalid regexp
1349         https://bugs.webkit.org/show_bug.cgi?id=154732
1350
1351         Reviewed by Mark Lam.
1352
1353         * testRegExp.cpp:
1354         (parseRegExpLine):
1355
1356 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
1357
1358         [JSC] Add the test for r197155
1359         https://bugs.webkit.org/show_bug.cgi?id=154715
1360
1361         Reviewed by Mark Lam.
1362
1363         Silly me. I forgot the test in the latest patch update.
1364
1365         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
1366
1367 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1368
1369         [DFG] Drop unnecessary proved type branch in ToPrimitive
1370         https://bugs.webkit.org/show_bug.cgi?id=154716
1371
1372         Reviewed by Geoffrey Garen.
1373
1374         This branching based on the proved types is unnecessary because this is already handled in the constant folding phase.
1375         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
1376         This patch removes the remaining JIT32_64 case.
1377
1378         * dfg/DFGSpeculativeJIT32_64.cpp:
1379         (JSC::DFG::SpeculativeJIT::compile):
1380
1381 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1382
1383         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
1384         https://bugs.webkit.org/show_bug.cgi?id=154575
1385
1386         Reviewed by Filip Pizlo.
1387
1388         I noticed that imaging-gaussian-blur spends most of its
1389         samples in DFG code despite executing most of the loop
1390         iterations in FTL.
1391
1392         On this particular test, the main function is only entered
1393         once and has a very heavy loop there. What happens is DFG
1394         starts by compiling the full function in FTL. That takes about
1395         8 to 10 milliseconds during which the DFG code makes very little
1396         progress. The calls to triggerOSREntryNow() try to OSR Enter
1397         for a while then finally start compiling something. By the time
1398         the function is ready, we have wasted a lot of time in DFG code.
1399
1400         What this patch does is set a flag when a DFG function is entered.
1401         If we try to triggerOSREntryNow() and the flag was never set,
1402         we start compiling both the full function and the one for OSR Entry.
1403
1404         * dfg/DFGJITCode.h:
1405         * dfg/DFGJITCompiler.cpp:
1406         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1407         (JSC::DFG::JITCompiler::compile):
1408         (JSC::DFG::JITCompiler::compileFunction):
1409         * dfg/DFGJITCompiler.h:
1410         * dfg/DFGOperations.cpp:
1411         * dfg/DFGPlan.cpp:
1412         (JSC::DFG::Plan::Plan): Deleted.
1413         * dfg/DFGPlan.h:
1414         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1415         (JSC::DFG::TierUpCheckInjectionPhase::run):
1416
1417 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
1418
1419         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
1420         https://bugs.webkit.org/show_bug.cgi?id=154664
1421
1422         Reviewed by Saam Barati.
1423
1424         When doing OSR Enter into a constructor, we lose the information
1425         that this may have been set to empty by a previously executed block.
1426
1427         All the code just assumed the type for a FlushedJS value and thus
1428         not an empty value. It was then okay to eliminate the TDZ checks.
1429
1430         In this patch, the values on root entry now assume they may be empty.
1431         As a result, the SetArgument() for "this" has "empty" as possible
1432         type and the TDZ checks are no longer eliminated.
1433
1434         * dfg/DFGInPlaceAbstractState.cpp:
1435         (JSC::DFG::InPlaceAbstractState::initialize):
1436
1437 2016-02-25  Ada Chan  <adachan@apple.com>
1438
1439         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
1440         https://bugs.webkit.org/show_bug.cgi?id=154702
1441
1442         Reviewed by Dan Bernstein.
1443
1444         * Configurations/FeatureDefines.xcconfig:
1445
1446 2016-02-25  Saam barati  <sbarati@apple.com>
1447
1448         [ES6] for...in iteration doesn't comply with the specification
1449         https://bugs.webkit.org/show_bug.cgi?id=154665
1450
1451         Reviewed by Michael Saboff.
1452
1453         If you read ForIn/OfHeadEvaluation inside the spec:
1454         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
1455         It calls EnumerateObjectProperties(obj) to get a set of properties
1456         to enumerate over (it models this "set" as an ES6 generator function).
1457         EnumerateObjectProperties is defined in section 13.7.5.15:
1458         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
1459         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
1460         properties it sees. We must do the same by modeling the operation as
1461         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
1462
1463         * jit/JITOperations.cpp:
1464         * jit/JITOperations.h:
1465         * runtime/CommonSlowPaths.cpp:
1466         (JSC::SLOW_PATH_DECL):
1467         * runtime/JSObject.cpp:
1468         (JSC::JSObject::hasProperty):
1469         (JSC::JSObject::hasPropertyGeneric):
1470         * runtime/JSObject.h:
1471         * tests/stress/proxy-get-own-property.js:
1472         (assert):
1473         (let.handler.getOwnPropertyDescriptor):
1474         (i.set assert):
1475
1476 2016-02-25  Saam barati  <sbarati@apple.com>
1477
1478         [ES6] Implement Proxy.[[Set]]
1479         https://bugs.webkit.org/show_bug.cgi?id=154511
1480
1481         Reviewed by Filip Pizlo.
1482
1483         This patch is mostly an implementation of
1484         Proxy.[[Set]] with respect to section 9.5.9
1485         of the ECMAScript spec.
1486         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
1487
1488         This patch also changes JSObject::putInline and JSObject::putByIndex
1489         to be aware that a Proxy in the prototype chain will intercept
1490         property accesses.
1491
1492         * runtime/JSObject.cpp:
1493         (JSC::JSObject::putInlineSlow):
1494         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1495         * runtime/JSObject.h:
1496         * runtime/JSObjectInlines.h:
1497         (JSC::JSObject::canPerformFastPutInline):
1498         (JSC::JSObject::putInline):
1499         * runtime/JSType.h:
1500         * runtime/ProxyObject.cpp:
1501         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1502         (JSC::ProxyObject::performPut):
1503         (JSC::ProxyObject::put):
1504         (JSC::ProxyObject::putByIndexCommon):
1505         (JSC::ProxyObject::putByIndex):
1506         (JSC::performProxyCall):
1507         (JSC::ProxyObject::getCallData):
1508         (JSC::performProxyConstruct):
1509         (JSC::ProxyObject::deletePropertyByIndex):
1510         (JSC::ProxyObject::visitChildren):
1511         * runtime/ProxyObject.h:
1512         (JSC::ProxyObject::create):
1513         (JSC::ProxyObject::createStructure):
1514         (JSC::ProxyObject::target):
1515         (JSC::ProxyObject::handler):
1516         * tests/es6.yaml:
1517         * tests/stress/proxy-set.js: Added.
1518         (assert):
1519         (throw.new.Error.let.handler.set 45):
1520         (throw.new.Error):
1521         (let.target.set x):
1522         (let.target.get x):
1523         (set let):
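
Added example (not from the WebKit ChangeLog or the JSC sources) of what Proxy.[[Set]] from section 9.5.9 observes when, as the entry describes, the Proxy is not the object being assigned to but sits in its prototype chain. The names child, log and locked are made up for the demo.

```javascript
function putsThroughProxyPrototype() {
  const log = [];
  const target = {};
  const proxy = new Proxy(target, {
    set(t, key, value, receiver) {
      log.push({ key, value, receiver });
      // OrdinarySet with the original receiver: the new property lands on the
      // object that was assigned to, not on the proxy target.
      return Reflect.set(t, key, value, receiver);
    },
  });

  // An ordinary object with the Proxy as its prototype. OrdinarySet finds no own
  // property on `child`, walks to the parent and calls proxy.[[Set]](key, value, child).
  const child = Object.create(proxy);
  child.x = 1;      // named property
  child[0] = 'a';   // indexed property: the trap sees the key as the string "0"

  return {
    trappedKeys: log.map((e) => e.key),                        // ['x', '0']
    receiverWasChild: log.every((e) => e.receiver === child),  // true
    childOwns: Object.getOwnPropertyNames(child),              // ['0', 'x']
    targetOwns: Object.getOwnPropertyNames(target),            // []
  };
}

// Invariant from 9.5.9: a trap may not report success for a property that is
// non-configurable and non-writable on the target unless the value is unchanged.
function lyingSetTrap() {
  const target = {};
  Object.defineProperty(target, 'locked', { value: 1, writable: false, configurable: false });
  const liar = new Proxy(target, { set() { return true; } }); // writes nothing, claims success
  const child = Object.create(liar);
  try {
    child.locked = 2; // TypeError even in sloppy mode: the invariant check is unconditional
    return 'no error';
  } catch (e) {
    return e.constructor.name; // 'TypeError'
  }
}
```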
1524
1525 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1526
1527         [JSC] Remove a useless "Move" in the lowering of Select
1528         https://bugs.webkit.org/show_bug.cgi?id=154670
1529
1530         Reviewed by Geoffrey Garen.
1531
1532         I left the Move instruction when creating the aliasing form
1533         of Select.
1534
1535         On ARM64, that meant a useless move for any case that can't
1536         be coalesced.
1537
1538         On x86, that meant an extra constraint on child2, making it
1539         stupidly hard to alias child1.
1540
1541         * b3/B3LowerToAir.cpp:
1542         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1543
1544 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
1545
1546         Web Inspector: Expose Proxy target and handler internal properties to Inspector
1547         https://bugs.webkit.org/show_bug.cgi?id=154663
1548
1549         Reviewed by Timothy Hatcher.
1550
1551         * inspector/JSInjectedScriptHost.cpp:
1552         (Inspector::JSInjectedScriptHost::getInternalProperties):
1553         Expose the ProxyObject's target and handler.
1554
1555 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
1556
1557         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
1558         https://bugs.webkit.org/show_bug.cgi?id=151688
1559
1560         Reviewed by Dean Jackson.
1561
1562         Enables the WEB_ANIMATIONS compiler switch.
1563
1564         * Configurations/FeatureDefines.xcconfig:
1565
1566 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
1567
1568         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
1569         https://bugs.webkit.org/show_bug.cgi?id=154651
1570
1571         Reviewed by Alex Christensen.
1572
1573         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
1574
1575 2016-02-24  Commit Queue  <commit-queue@webkit.org>
1576
1577         Unreviewed, rolling out r197033.
1578         https://bugs.webkit.org/show_bug.cgi?id=154649
1579
1580         "It broke JSC tests when 'this' was loaded from global scope"
1581         (Requested by saamyjoon on #webkit).
1582
1583         Reverted changeset:
1584
1585         "[ES6] Arrow function syntax. Emit loading&putting this/super
1586         only if they are used in arrow function"
1587         https://bugs.webkit.org/show_bug.cgi?id=153981
1588         http://trac.webkit.org/changeset/197033
1589
1590 2016-02-24  Saam Barati  <sbarati@apple.com>
1591
1592         [ES6] Implement Proxy.[[Delete]]
1593         https://bugs.webkit.org/show_bug.cgi?id=154607
1594
1595         Reviewed by Mark Lam.
1596
1597         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
1598         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
1599
1600         * runtime/ProxyObject.cpp:
1601         (JSC::ProxyObject::getConstructData):
1602         (JSC::ProxyObject::performDelete):
1603         (JSC::ProxyObject::deleteProperty):
1604         (JSC::ProxyObject::deletePropertyByIndex):
1605         * runtime/ProxyObject.h:
1606         * tests/es6.yaml:
1607         * tests/stress/proxy-delete.js: Added.
1608         (assert):
1609         (throw.new.Error.let.handler.get deleteProperty):
1610         (throw.new.Error):
1611         (assert.let.handler.deleteProperty):
1612         (let.handler.deleteProperty):
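
Added example (not from the WebKit ChangeLog or the JSC sources) of the observable behaviour of Proxy.[[Delete]] per section 9.5.10, including the invariant check and the by-index path. The names pinned and log are made up; Reflect.deleteProperty is used rather than the delete operator so a false result is returned instead of becoming a strict-mode TypeError.

```javascript
function deleteThroughProxy() {
  const log = [];
  const target = { a: 1, 0: 'zero' };
  Object.defineProperty(target, 'pinned', { value: 2, configurable: false, enumerable: true });

  const proxy = new Proxy(target, {
    deleteProperty(t, key) {
      log.push(key);
      // Honest trap: forward to the target and report what actually happened.
      return Reflect.deleteProperty(t, key);
    },
  });

  return {
    named: Reflect.deleteProperty(proxy, 'a'),        // true
    indexed: Reflect.deleteProperty(proxy, 0),        // true; the trap sees "0"
    pinned: Reflect.deleteProperty(proxy, 'pinned'),  // false: non-configurable on the target
    missing: Reflect.deleteProperty(proxy, 'nope'),   // true: deleting an absent property succeeds
    trappedKeys: log,                                 // ['a', '0', 'pinned', 'nope']
    remaining: Object.keys(target),                   // ['pinned']
  };
}

// Invariant from 9.5.10: if the trap returns true but the target still has the
// property and it is non-configurable, [[Delete]] throws rather than trust the trap.
function lyingDeleteTrap() {
  const target = {};
  Object.defineProperty(target, 'pinned', { value: 2, configurable: false });
  const liar = new Proxy(target, { deleteProperty() { return true; } });
  const results = {};
  try {
    results.absent = Reflect.deleteProperty(liar, 'nope'); // true: nothing on the target contradicts the trap
    Reflect.deleteProperty(liar, 'pinned');
    results.pinned = 'no error';
  } catch (e) {
    results.pinned = e.constructor.name; // 'TypeError'
  }
  return results;
}
```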
1613
1614 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
1615
1616         Stackmaps have problems with double register constraints
1617         https://bugs.webkit.org/show_bug.cgi?id=154643
1618
1619         Reviewed by Geoffrey Garen.
1620
1621         This is currently a benign bug. I found it while playing.
1622
1623         * b3/B3LowerToAir.cpp:
1624         (JSC::B3::Air::LowerToAir::fillStackmap):
1625         * b3/testb3.cpp:
1626         (JSC::B3::testURShiftSelf64):
1627         (JSC::B3::testPatchpointDoubleRegs):
1628         (JSC::B3::zero):
1629         (JSC::B3::run):
1630
1631 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
1632
1633         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1634         https://bugs.webkit.org/show_bug.cgi?id=153981
1635
1636         Reviewed by Saam Barati.
1637        
1638         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this',
1639         'arguments', 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1640         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
1641         During syntax analysis, the parser stores information about the variables used in the arrow function inside
1642         the ordinary function scope and then passes it to the BytecodeGenerator through UnlinkedCodeBlock.
1643
1644         * bytecode/ExecutableInfo.h:
1645         (JSC::ExecutableInfo::ExecutableInfo):
1646         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
1647         * bytecode/UnlinkedCodeBlock.cpp:
1648         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1649         * bytecode/UnlinkedCodeBlock.h:
1650         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
1651         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
1652         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
1653         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
1654         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
1655         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
1656         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
1657         * bytecode/UnlinkedFunctionExecutable.cpp:
1658         (JSC::generateUnlinkedFunctionCodeBlock):
1659         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1660         * bytecode/UnlinkedFunctionExecutable.h:
1661         * bytecompiler/BytecodeGenerator.cpp:
1662         (JSC::BytecodeGenerator::BytecodeGenerator):
1663         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1664         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1665         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1666         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1667         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1668         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1669         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1670         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1671         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1672         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1673         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1674         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1675         * bytecompiler/BytecodeGenerator.h:
1676         * bytecompiler/NodesCodegen.cpp:
1677         (JSC::ThisNode::emitBytecode):
1678         (JSC::EvalFunctionCallNode::emitBytecode):
1679         (JSC::FunctionCallValueNode::emitBytecode):
1680         (JSC::FunctionNode::emitBytecode):
1681         * parser/ASTBuilder.h:
1682         (JSC::ASTBuilder::createFunctionMetadata):
1683         * parser/Nodes.cpp:
1684         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1685         * parser/Nodes.h:
1686         * parser/Parser.cpp:
1687         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1688         (JSC::Parser<LexerType>::parseFunctionBody):
1689         (JSC::Parser<LexerType>::parseFunctionInfo):
1690         (JSC::Parser<LexerType>::parseProperty):
1691         (JSC::Parser<LexerType>::parsePrimaryExpression):
1692         (JSC::Parser<LexerType>::parseMemberExpression):
1693         * parser/Parser.h:
1694         (JSC::Scope::Scope):
1695         (JSC::Scope::isArrowFunctionBoundary):
1696         (JSC::Scope::innerArrowFunctionFeatures):
1697         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
1698         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
1699         (JSC::Scope::setInnerArrowFunctionUseEval):
1700         (JSC::Scope::setInnerArrowFunctionUseThis):
1701         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
1702         (JSC::Scope::setInnerArrowFunctionUseArguments):
1703         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
1704         (JSC::Scope::collectFreeVariables):
1705         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1706         (JSC::Scope::fillParametersForSourceProviderCache):
1707         (JSC::Scope::restoreFromSourceProviderCache):
1708         (JSC::Scope::setIsFunction):
1709         (JSC::Scope::setIsArrowFunction):
1710         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1711         (JSC::Parser::pushScope):
1712         (JSC::Parser::popScopeInternal):
1713         * parser/ParserModes.h:
1714         * parser/SourceProviderCacheItem.h:
1715         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1716         * parser/SyntaxChecker.h:
1717         (JSC::SyntaxChecker::createFunctionMetadata):
1718         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1719         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1720         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1721         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1722         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1723
1724 2016-02-23  Brian Burg  <bburg@apple.com>
1725
1726         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1727         https://bugs.webkit.org/show_bug.cgi?id=154615
1728         <rdar://problem/24804330>
1729
1730         Reviewed by Timothy Hatcher.
1731
1732         Some of the generated Objective-C bindings are only relevant to code acting as the
1733         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1734         --backend to all generators. Use the setting in a few generators to omit code that's
1735         not needed.
1736
1737         Also fix a few places where the code emits the wrong Objective-C class prefix.
1738         There is some common non-generated code that must always have the RWIProtocol prefix.
1739
1740         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1741         macros defined in the internal header now need to be used outside of the framework.
1742
1743         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1744         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1745         depending on the target framework.
1746
1747         * inspector/scripts/codegen/generate_objc_header.py:
1748         (ObjCHeaderGenerator.generate_output):
1749         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1750
1751         (ObjCHeaderGenerator._generate_type_interface):
1752         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1753
1754         * inspector/scripts/codegen/generate_objc_internal_header.py:
1755         Use RWIProtocolJSONObjectPrivate.h instead.
1756
1757         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1758         (ObjCProtocolTypesImplementationGenerator.generate_output):
1759         Include the Internal header if it's being generated (only for --backend).
1760
1761         * inspector/scripts/codegen/generator.py:
1762         (Generator.__init__):
1763         (Generator.set_generator_setting):
1764         (Generator):
1765         (Generator.get_generator_setting):
1766         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1767
1768         (Generator.string_for_file_include):
1769         Inspired by the replay input generator, this is a function that uses the proper syntax
1770         for a file include depending on the file's framework and target framework.
1771
1772         * inspector/scripts/codegen/objc_generator.py:
1773         (ObjCGenerator.and):
1774         (ObjCGenerator.and.objc_prefix):
1775         (ObjCGenerator):
1776         (ObjCGenerator.objc_type_for_raw_name):
1777         (ObjCGenerator.objc_class_for_raw_name):
1778         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1779
1780         * inspector/scripts/generate-inspector-protocol-bindings.py:
1781         (generate_from_specification):
1782         Change the generators to use for the frontend. Propagate --frontend and --backend.
1783
1784         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1785         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1786         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1787         * inspector/scripts/tests/expected/enum-values.json-result:
1788         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1789         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1790         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1791         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1792         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1793         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1794         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1795         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1796         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1797         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1798
1799 2016-02-23  Saam barati  <sbarati@apple.com>
1800
1801         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1802         https://bugs.webkit.org/show_bug.cgi?id=154621
1803
1804         Reviewed by Michael Saboff.
1805
1806         * runtime/ArrayPrototype.cpp:
1807         (JSC::arrayProtoFuncConcat):
1808
1809 2016-02-23  Dan Bernstein  <mitz@apple.com>
1810
1811         [Xcode] Linker errors display mangled names, but no longer should
1812         https://bugs.webkit.org/show_bug.cgi?id=154632
1813
1814         Reviewed by Sam Weinig.
1815
1816         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1817
1818 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1819
1820         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1821         https://bugs.webkit.org/show_bug.cgi?id=112323
1822
1823         Reviewed by Chris Dumez.
1824
1825         This feature is controlled by a runtime switch, and defaults off.
1826
1827         * Configurations/FeatureDefines.xcconfig:
1828
1829 2016-02-23  Keith Miller  <keith_miller@apple.com>
1830
1831         JSC stress tests' standalone-pre.js should exit on the first failure by default
1832         https://bugs.webkit.org/show_bug.cgi?id=154565
1833
1834         Reviewed by Mark Lam.
1835
1836         Currently, if a test writer does not call finishJSTest() at the end of
1837         any test using stress/resources/standalone-pre.js then the test can fail
1838         without actually reporting an error to the harness. By default, we
1839         should throw on the first error so that, in the event someone does not call
1840         finishJSTest(), the harness will still notice the error.
1841
1842         * tests/stress/regress-151324.js:
1843         * tests/stress/resources/standalone-pre.js:
1844         (testFailed):
1845
1846 2016-02-23  Saam barati  <sbarati@apple.com>
1847
1848         Make JSObject::getMethod have fewer branches
1849         https://bugs.webkit.org/show_bug.cgi?id=154603
1850
1851         Reviewed by Mark Lam.
1852
1853         Writing code with fewer branches is almost always better.
1854
1855         * runtime/JSObject.cpp:
1856         (JSC::JSObject::getMethod):
1857
1858 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1859
1860         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1861         https://bugs.webkit.org/show_bug.cgi?id=154592
1862
1863         Reviewed by Saam Barati.
1864
1865         If Foo has a virtual destructor, then:
1866
1867         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1868         subclass of Foo that overrides the destructor, this syntax will not call that override.
1869
1870         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1871         get the subclass's override.
1872
1873         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1874         This caused leaks because this didn't actually call the subclass's override. This fixes the
1875         problem by using this->~Value() instead.
1876
1877         * b3/B3ControlValue.cpp:
1878         (JSC::B3::ControlValue::convertToJump):
1879         (JSC::B3::ControlValue::convertToOops):
1880         * b3/B3Value.cpp:
1881         (JSC::B3::Value::replaceWithIdentity):
1882         (JSC::B3::Value::replaceWithNop):
1883         (JSC::B3::Value::replaceWithPhi):
1884
1885 2016-02-23  Brian Burg  <bburg@apple.com>
1886
1887         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1888         https://bugs.webkit.org/show_bug.cgi?id=154596
1889         <rdar://problem/24794962>
1890
1891         Reviewed by Timothy Hatcher.
1892
1893         In order to support different generated protocol sets that don't have conflicting
1894         file and type names, allow the Objective-C prefix to be configurable based on the
1895         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1896         per-target framework prefix.
1897
1898         For example, the existing protocol for remote inspection has the prefix 'RWI'
1899         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1900         and is generated as 'AutomationProtocol'.
1901
1902         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1903         the instance method model() to find the target framework and its setting for
1904         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1905         these instance methods that used to be static methods. This is a large but
1906         mechanical change to use self instead of ObjCGenerator.
1907
1908         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1909         (ObjCBackendDispatcherHeaderGenerator):
1910         (ObjCBackendDispatcherHeaderGenerator.__init__):
1911         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1912         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1913         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1914         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1915         (ObjCConfigurationImplementationGenerator):
1916         (ObjCConfigurationImplementationGenerator.__init__):
1917         (ObjCConfigurationImplementationGenerator.output_filename):
1918         (ObjCConfigurationImplementationGenerator.generate_output):
1919         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1920         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1921         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1922         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1923         (ObjCConfigurationHeaderGenerator):
1924         (ObjCConfigurationHeaderGenerator.__init__):
1925         (ObjCConfigurationHeaderGenerator.output_filename):
1926         (ObjCConfigurationHeaderGenerator.generate_output):
1927         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1928         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1929         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1930         (ObjCBackendDispatcherImplementationGenerator):
1931         (ObjCBackendDispatcherImplementationGenerator.__init__):
1932         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1933         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1934         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1935         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1936         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1937         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1938         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1939         (ObjCConversionHelpersGenerator):
1940         (ObjCConversionHelpersGenerator.__init__):
1941         (ObjCConversionHelpersGenerator.output_filename):
1942         (ObjCConversionHelpersGenerator.generate_output):
1943         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1944         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1945         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1946         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1947         (ObjCFrontendDispatcherImplementationGenerator):
1948         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1949         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1950         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1951         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1952         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1953         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1954         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1955         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1956         * inspector/scripts/codegen/generate_objc_header.py:
1957         (ObjCHeaderGenerator):
1958         (ObjCHeaderGenerator.__init__):
1959         (ObjCHeaderGenerator.output_filename):
1960         (ObjCHeaderGenerator.generate_output):
1961         (ObjCHeaderGenerator._generate_forward_declarations):
1962         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1963         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1964         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1965         (ObjCHeaderGenerator._generate_type_interface):
1966         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1967         (ObjCHeaderGenerator._generate_member_property):
1968         (ObjCHeaderGenerator._generate_command_protocols):
1969         (ObjCHeaderGenerator._generate_single_command_protocol):
1970         (ObjCHeaderGenerator._callback_block_for_command):
1971         (ObjCHeaderGenerator._generate_event_interfaces):
1972         (ObjCHeaderGenerator._generate_single_event_interface):
1973         * inspector/scripts/codegen/generate_objc_internal_header.py:
1974         (ObjCInternalHeaderGenerator):
1975         (ObjCInternalHeaderGenerator.__init__):
1976         (ObjCInternalHeaderGenerator.output_filename):
1977         (ObjCInternalHeaderGenerator.generate_output):
1978         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1979         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1980         (ObjCProtocolTypesImplementationGenerator):
1981         (ObjCProtocolTypesImplementationGenerator.__init__):
1982         (ObjCProtocolTypesImplementationGenerator.output_filename):
1983         (ObjCProtocolTypesImplementationGenerator.generate_output):
1984         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1985         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1986         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1987         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1988         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1989         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1990         * inspector/scripts/codegen/models.py:
1991         * inspector/scripts/codegen/objc_generator.py:
1992         (ObjCTypeCategory.category_for_type):
1993         (ObjCGenerator):
1994         (ObjCGenerator.__init__):
1995         (ObjCGenerator.objc_prefix):
1996         (ObjCGenerator.objc_name_for_type):
1997         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1998         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1999         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
2000         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
2001         (ObjCGenerator.objc_class_for_type):
2002         (ObjCGenerator.objc_class_for_array_type):
2003         (ObjCGenerator.objc_accessor_type_for_member):
2004         (ObjCGenerator.objc_accessor_type_for_member_internal):
2005         (ObjCGenerator.objc_type_for_member):
2006         (ObjCGenerator.objc_type_for_member_internal):
2007         (ObjCGenerator.objc_type_for_param):
2008         (ObjCGenerator.objc_type_for_param_internal):
2009         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2010         (ObjCGenerator.objc_protocol_import_expression_for_member):
2011         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
2012         (ObjCGenerator.objc_protocol_import_expression_for_variable):
2013         (ObjCGenerator.objc_to_protocol_expression_for_member):
2014         (ObjCGenerator.protocol_to_objc_expression_for_member):
2015
2016         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
2017
2018         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2019         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2020         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2021         * inspector/scripts/tests/expected/enum-values.json-result:
2022         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2023         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2024         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2025         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2026         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2027         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2028         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2029         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2030         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2031
2032 2016-02-23  Mark Lam  <mark.lam@apple.com>
2033
2034         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
2035         https://bugs.webkit.org/show_bug.cgi?id=154542
2036
2037         Reviewed by Saam Barati.
2038
2039         According to the spec, the constructors of the following types "are not intended
2040         to be called as a function and will throw an exception".  These types are:
2041             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
2042             Map - https://tc39.github.io/ecma262/#sec-map-constructor
2043             Set - https://tc39.github.io/ecma262/#sec-set-constructor
2044             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
2045             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
2046             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
2047             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
2048             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
2049             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
2050
2051         This patch does the following:
2052         1. Ensures that these constructors can be called but will throw a TypeError
2053            when called.
2054         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
2055            in their implementation to be consistent.
2056         3. Changes the error message to "calling XXX constructor without new is invalid".
2057            This is clearer because the error is likely due to the user forgetting to use
2058            the new operator on these constructors.
2059
2060         * runtime/Error.h:
2061         * runtime/Error.cpp:
2062         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2063         - Added a convenience function to throw the TypeError.
2064
2065         * runtime/JSArrayBufferConstructor.cpp:
2066         (JSC::constructArrayBuffer):
2067         (JSC::callArrayBuffer):
2068         (JSC::JSArrayBufferConstructor::getCallData):
2069         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2070         (JSC::callGenericTypedArrayView):
2071         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2072         * runtime/JSPromiseConstructor.cpp:
2073         (JSC::callPromise):
2074         * runtime/MapConstructor.cpp:
2075         (JSC::callMap):
2076         * runtime/ProxyConstructor.cpp:
2077         (JSC::callProxy):
2078         (JSC::ProxyConstructor::getCallData):
2079         * runtime/SetConstructor.cpp:
2080         (JSC::callSet):
2081         * runtime/WeakMapConstructor.cpp:
2082         (JSC::callWeakMap):
2083         * runtime/WeakSetConstructor.cpp:
2084         (JSC::callWeakSet):
2085
2086         * tests/es6.yaml:
2087         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2088
2089         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2090         (test):
2091
2092         * tests/stress/map-constructor.js:
2093         (testCallTypeError):
2094         * tests/stress/promise-cannot-be-called.js:
2095         (shouldThrow):
2096         * tests/stress/proxy-basic.js:
2097         * tests/stress/set-constructor.js:
2098         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2099         (i.catch):
2100         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2101         (i.catch):
2102         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2103         (i.catch):
2104         * tests/stress/weak-map-constructor.js:
2105         (testCallTypeError):
2106         * tests/stress/weak-set-constructor.js:
2107         - Updated error message string.
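
The behavior this entry describes is observable from script. The following is an added example, not part of the ChangeLog or of JavaScriptCore's own tests: it calls each constructor listed above once without `new` and once with it, and contrasts them with constructors the spec does allow to be called as functions. The error message text is engine-specific, so only the error type is checked; the helper names are this example's own.

```javascript
// Added example (not from the ChangeLog): constructors that ES6 says must
// throw a TypeError when called as plain functions, i.e. without `new`.
const notCallableConstructors = [
  Map, Set, WeakMap, WeakSet, ArrayBuffer, DataView, Promise, Proxy,
  Uint8Array, Int32Array, Float64Array,
];

// Arguments that make a `new` invocation succeed for each constructor.
function constructorArgs(ctor) {
  switch (ctor) {
    case DataView: return [new ArrayBuffer(8)];
    case Promise: return [() => {}];
    case Proxy: return [{}, {}];
    default: return [];
  }
}

// Returns 'TypeError' if `ctor(...args)` throws a TypeError, 'no-error' if
// the call succeeds, or the name of any other error type that was thrown.
function classifyCallWithoutNew(ctor) {
  try {
    ctor(...constructorArgs(ctor));
    return 'no-error';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : e.constructor.name;
  }
}

// Returns true when `new ctor(...args)` produces an instance of ctor.
function constructsWithNew(ctor) {
  const instance = new ctor(...constructorArgs(ctor));
  // Proxy has no `prototype` property, so `instanceof Proxy` would itself throw.
  return ctor === Proxy ? typeof instance === 'object' : instance instanceof ctor;
}

// Maps each constructor name to the outcome of calling it without `new`.
function auditConstructors(ctors) {
  const report = {};
  for (const ctor of ctors) report[ctor.name] = classifyCallWithoutNew(ctor);
  return report;
}

// Constructors such as Date and Array remain callable as functions, which is
// why this check cannot simply be "every built-in throws without new".
const callableAsFunction = [Date, Array, Object, String];
```

Running `auditConstructors(notCallableConstructors)` yields `'TypeError'` for every entry, while `auditConstructors(callableAsFunction)` yields `'no-error'` throughout; the difference is exactly the distinction the spec sections linked above draw.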
2108
2109 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2110
2111         ASan build fix.
2112
2113         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2114
2115         * inspector/InspectorBackendDispatcher.h:
2116
2117 2016-02-23  Brian Burg  <bburg@apple.com>
2118
2119         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2120         https://bugs.webkit.org/show_bug.cgi?id=154518
2121         <rdar://problem/24761096>
2122
2123         Reviewed by Timothy Hatcher.
2124
2125         * inspector/InspectorBackendDispatcher.h:
2126         Export all the classes since they are used by WebKit::WebAutomationSession.
2127
2128 2016-02-22  Brian Burg  <bburg@apple.com>
2129
2130         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2131         https://bugs.webkit.org/show_bug.cgi?id=154509
2132         <rdar://problem/24759098>
2133
2134         Reviewed by Timothy Hatcher.
2135
2136         Add a new 'WebKit' framework, which is used to generate protocol code
2137         in WebKit2.
2138
2139         Add --backend and --frontend flags to the main generator script.
2140         These allow a framework to trigger two different sets of generators
2141         so they can be separately generated and compiled.
2142
2143         * inspector/scripts/codegen/models.py:
2144         (Framework.fromString):
2145         (Frameworks): Add new framework.
2146
2147         * inspector/scripts/generate-inspector-protocol-bindings.py:
2148         If neither --backend nor --frontend is specified, assume both are wanted.
2149         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2150
2151         (generate_from_specification):
2152         Generate C++ files for the backend and Objective-C files for the frontend.
2153
2154 2016-02-22  Saam barati  <sbarati@apple.com>
2155
2156         JSGlobalObject doesn't visit ProxyObjectStructure during GC
2157         https://bugs.webkit.org/show_bug.cgi?id=154564
2158
2159         Rubber stamped by Mark Lam.
2160
2161         * runtime/JSGlobalObject.cpp:
2162         (JSC::JSGlobalObject::visitChildren):
2163
2164 2016-02-22  Saam barati  <sbarati@apple.com>
2165
2166         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2167         https://bugs.webkit.org/show_bug.cgi?id=154548
2168
2169         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2170
2171         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
2172         an exception. Neither the function nor the call sites of the function took this into
2173         account. This patch audits the call sites of the function to make it work in
2174         the event that an exception is thrown.
2175
2176         * runtime/BooleanConstructor.cpp:
2177         (JSC::constructWithBooleanConstructor):
2178         * runtime/DateConstructor.cpp:
2179         (JSC::constructDate):
2180         * runtime/ErrorConstructor.cpp:
2181         (JSC::Interpreter::constructWithErrorConstructor):
2182         * runtime/FunctionConstructor.cpp:
2183         (JSC::constructFunctionSkippingEvalEnabledCheck):
2184         * runtime/InternalFunction.cpp:
2185         (JSC::InternalFunction::createSubclassStructure):
2186         * runtime/JSArrayBufferConstructor.cpp:
2187         (JSC::constructArrayBuffer):
2188         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2189         (JSC::constructGenericTypedArrayView):
2190         * runtime/JSGlobalObject.h:
2191         (JSC::constructEmptyArray):
2192         (JSC::constructArray):
2193         (JSC::constructArrayNegativeIndexed):
2194         * runtime/JSPromiseConstructor.cpp:
2195         (JSC::constructPromise):
2196         * runtime/MapConstructor.cpp:
2197         (JSC::constructMap):
2198         * runtime/NativeErrorConstructor.cpp:
2199         (JSC::Interpreter::constructWithNativeErrorConstructor):
2200         * runtime/NumberConstructor.cpp:
2201         (JSC::constructWithNumberConstructor):
2202         * runtime/RegExpConstructor.cpp:
2203         (JSC::getRegExpStructure):
2204         (JSC::constructRegExp):
2205         (JSC::constructWithRegExpConstructor):
2206         * runtime/SetConstructor.cpp:
2207         (JSC::constructSet):
2208         * runtime/StringConstructor.cpp:
2209         (JSC::constructWithStringConstructor):
2210         (JSC::StringConstructor::getConstructData):
2211         * runtime/WeakMapConstructor.cpp:
2212         (JSC::constructWeakMap):
2213         * runtime/WeakSetConstructor.cpp:
2214         (JSC::constructWeakSet):
2215         * tests/stress/create-subclass-structure-might-throw.js: Added.
2216         (assert):
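
The situation this entry guards against can be reproduced from script. As an added example (not the ChangeLog's own test, and not JavaScriptCore code), the following constructs each of the affected built-ins with a `new.target` whose `prototype` lookup throws; a plain function's `prototype` is non-configurable, so a Proxy supplies the throwing [[Get]]. A correct engine surfaces that exception rather than swallowing it or crashing. The helper and error-class names are this example's own.

```javascript
// Added example (not from the ChangeLog): a new.target whose `prototype`
// lookup throws. Constructors create their result object via
// OrdinaryCreateFromConstructor, which performs Get(newTarget, "prototype"),
// so the exception must propagate out of the construct call.
class PrototypeLookupError extends Error {}

function makeThrowingNewTarget() {
  return new Proxy(function () {}, {
    get(target, key, receiver) {
      if (key === 'prototype') throw new PrototypeLookupError('prototype getter threw');
      return Reflect.get(target, key, receiver);
    },
  });
}

// Constructs `ctor` with the throwing new.target and reports what happened:
// 'propagated' if the getter's own error surfaced, 'swallowed' if construction
// succeeded anyway, or the name of any other error type that came out.
function probeConstructor(ctor, args = []) {
  try {
    Reflect.construct(ctor, args, makeThrowingNewTarget());
    return 'swallowed';
  } catch (e) {
    return e instanceof PrototypeLookupError ? 'propagated' : e.constructor.name;
  }
}

// Constructors touched by this entry, with arguments that would otherwise
// make construction succeed.
const probes = [
  [Map], [Set], [WeakMap], [WeakSet], [Date], [RegExp, ['a']], [Error, ['x']],
  [Boolean, [true]], [Number, [1]], [String, ['s']], [ArrayBuffer, [8]],
  [Uint8Array, [4]], [Promise, [() => {}]],
];

// Maps each constructor name to its outcome; every entry should be 'propagated'.
function probeAll() {
  return Object.fromEntries(probes.map(([ctor, args]) => [ctor.name, probeConstructor(ctor, args)]));
}
```

The same harness is a cheap regression check for any native constructor that allocates its result from `new.target`: an outcome other than `'propagated'` means the exception was lost somewhere between the property lookup and the caller.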
2217
2218 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
2219
2220         Fix build and implement functions to retrieve registers on FreeBSD
2221         https://bugs.webkit.org/show_bug.cgi?id=152258
2222
2223         Reviewed by Michael Catanzaro.
2224
2225         * heap/MachineStackMarker.cpp:
2226         (pthreadSignalHandlerSuspendResume):
2227         struct ucontext is not specified in POSIX and it is not available on
2228         FreeBSD. Replacing it with ucontext_t fixes the build problem.
2229         (JSC::MachineThreads::Thread::Registers::stackPointer):
2230         (JSC::MachineThreads::Thread::Registers::framePointer):
2231         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2232         (JSC::MachineThreads::Thread::Registers::llintPC):
2233         * heap/MachineStackMarker.h:
2234
2235 2016-02-22  Saam barati  <sbarati@apple.com>
2236
2237         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
2238         https://bugs.webkit.org/show_bug.cgi?id=154552
2239
2240         Reviewed by Mark Lam.
2241
2242         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
2243         They return false on a Proxy with internal [[Call]] and [[Construct]]
2244         properties. It seems safest, most forward looking, and most adherent
2245         to the specification to check getCallData() and getConstructData() to
2246         implement these functions.
2247
2248         * runtime/InternalFunction.cpp:
2249         (JSC::InternalFunction::createSubclassStructure):
2250         * runtime/JSCJSValueInlines.h:
2251         (JSC::JSValue::isFunction):
2252         (JSC::JSValue::isConstructor):
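
From script, the point of this entry is that a Proxy is callable or constructible exactly when its target is, so checks that look at the wrapper's own class are wrong. The following added example (not JavaScriptCore code or its tests) shows a callability check that goes through [[Call]] and [[Construct]] as the entry proposes, and also exercises the `construct` trap with an explicit `new.target`, the mechanism described in the later Proxy.[[Construct]] entry. Assumed: an ES2015-conformant engine; all helper and class names are this example's own.

```javascript
// Added example (not from the ChangeLog): callability and constructibility
// of Proxy objects as observed from script.

// typeof reports 'function' for a Proxy whose target has [[Call]].
function isCallable(value) {
  return typeof value === 'function';
}

// Checks [[Construct]] rather than a class or function tag: Reflect.construct
// validates that `value` is a constructor before running anything, so a
// non-constructor (e.g. a Proxy over an arrow function) throws a TypeError.
function isConstructor(value) {
  if (!isCallable(value)) return false;
  try {
    Reflect.construct(function () {}, [], value);
    return true;
  } catch (e) {
    return false;
  }
}

const callableProxy = new Proxy(function target() {}, {});
const objectProxy = new Proxy({}, {});
const arrowProxy = new Proxy(() => {}, {});

// A construct trap receives the real new.target, including when the proxy is
// constructed through a subclass (super() passes the subclass as new.target).
const seen = [];
class Base { constructor(x) { this.x = x; } }
const ConstructibleProxy = new Proxy(Base, {
  construct(target, args, newTarget) {
    seen.push(newTarget === ConstructibleProxy ? 'proxy' : newTarget.name);
    return Reflect.construct(target, args, newTarget);
  },
});
class Derived extends ConstructibleProxy {}

function summarize() {
  const direct = new ConstructibleProxy(1);
  const viaSubclass = new Derived(2);
  return {
    callableProxyIsFunction: isCallable(callableProxy),
    objectProxyIsFunction: isCallable(objectProxy),
    callableProxyIsConstructor: isConstructor(callableProxy),
    arrowProxyIsConstructor: isConstructor(arrowProxy),
    directX: direct.x,
    viaSubclassX: viaSubclass.x,
    viaSubclassIsDerived: viaSubclass instanceof Derived,
    newTargetsSeen: seen.slice(),
  };
}
```

`summarize()` reports the function-wrapping proxy as both callable and constructible, the arrow-wrapping proxy as callable but not constructible, and the trap sees `'proxy'` for the direct construction and `'Derived'` for the subclass construction.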
2253
2254 2016-02-22  Keith Miller  <keith_miller@apple.com>
2255
2256         Bound functions should use the prototype of the function being bound
2257         https://bugs.webkit.org/show_bug.cgi?id=154195
2258
2259         Reviewed by Geoffrey Garen.
2260
2261         Per ES6, the result of Function.prototype.bind should have the same
2262         prototype as the function being bound. In order to avoid creating
2263         a new structure each time a function is bound we store the new
2264         structure in our structure map. However, we cannot currently store
2265         structures that have a different GlobalObject than their prototype.
2266         In the rare case that the GlobalObject differs or the prototype of
2267         the bindee is null we create a new structure each time. To further
2268         minimize new structures, as well as making structure lookup faster,
2269         we also store the structure in the RareData of the function we
2270         are binding.
2271
2272         * runtime/FunctionRareData.cpp:
2273         (JSC::FunctionRareData::visitChildren):
2274         * runtime/FunctionRareData.h:
2275         (JSC::FunctionRareData::getBoundFunctionStructure):
2276         (JSC::FunctionRareData::setBoundFunctionStructure):
2277         * runtime/JSBoundFunction.cpp:
2278         (JSC::getBoundFunctionStructure):
2279         (JSC::JSBoundFunction::create):
2280         * tests/es6.yaml:
2281         * tests/stress/bound-function-uses-prototype.js: Added.
2282         (testChangeProto.foo):
2283         (testChangeProto):
2284         (testBuiltins):
2285         * tests/stress/class-subclassing-function.js:
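
The rule this entry implements is easy to check from script. The following added example (not the ChangeLog's test file, and not JavaScriptCore code) binds three kinds of function, a plain one, an instance of a `Function` subclass, and one whose prototype was set to null, and checks that each bound function's prototype matches the bindee's. The null-prototype case is the one the entry calls out as needing a fresh structure. Names are this example's own.

```javascript
// Added example (not from the ChangeLog): the [[Prototype]] of a bound
// function is taken from the function being bound, per ES6 BoundFunctionCreate.
class CallableSubclass extends Function {}

function boundPrototypeReport() {
  function plain() {}
  const subclassInstance = new CallableSubclass('return 42');
  const nullProto = function () {};
  Object.setPrototypeOf(nullProto, null);

  const report = {};
  report.plainKeepsFunctionPrototype =
    Object.getPrototypeOf(plain.bind(null)) === Function.prototype;
  report.subclassKeepsSubclassPrototype =
    Object.getPrototypeOf(subclassInstance.bind(null)) === CallableSubclass.prototype;
  report.subclassBoundIsInstance =
    subclassInstance.bind(null) instanceof CallableSubclass;
  // With a null prototype, `.bind` is no longer reachable through the chain,
  // so it has to be invoked explicitly; the bound result still has a null prototype.
  report.nullProtoStaysNull =
    Object.getPrototypeOf(Function.prototype.bind.call(nullProto, null)) === null;
  // Binding does not alter the original function.
  report.originalUnchanged =
    Object.getPrototypeOf(subclassInstance) === CallableSubclass.prototype;
  // The bound function still calls through to the bindee.
  report.boundStillCalls = subclassInstance.bind(null)() === 42;
  return report;
}
```

Every field of the report is `true` on a conformant engine; a pre-ES6 implementation that always used `Function.prototype` would fail `subclassKeepsSubclassPrototype` and `nullProtoStaysNull`.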
2286
2287 2016-02-22  Keith Miller  <keith_miller@apple.com>
2288
2289         Unreviewed, fix stress test to not print on success.
2290
2291         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
2292         (catch): Deleted.
2293
2294 2016-02-22  Keith Miller  <keith_miller@apple.com>
2295
2296         Use Symbol.species in the builtin TypedArray.prototype functions
2297         https://bugs.webkit.org/show_bug.cgi?id=153384
2298
2299         Reviewed by Geoffrey Garen.
2300
2301         This patch adds the use of species constructors to the TypedArray.prototype map and filter
2302         functions. It also adds a new private function typedArrayGetOriginalConstructor that
2303         returns the TypedArray constructor used to originally create a TypedArray instance.
2304
2305         There are no ES6 tests to update for this patch as species creation for these functions is
2306         not tested in the compatibility table.
2307
2308         * builtins/TypedArrayPrototype.js:
2309         (map):
2310         (filter):
2311         * bytecode/BytecodeIntrinsicRegistry.cpp:
2312         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2313         * bytecode/BytecodeIntrinsicRegistry.h:
2314         * runtime/CommonIdentifiers.h:
2315         * runtime/JSGlobalObject.cpp:
2316         (JSC::JSGlobalObject::init):
2317         (JSC::JSGlobalObject::visitChildren):
2318         * runtime/JSGlobalObject.h:
2319         (JSC::JSGlobalObject::typedArrayConstructor):
2320         * runtime/JSTypedArrayViewPrototype.cpp:
2321         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
2322         * runtime/JSTypedArrayViewPrototype.h:
2323         * tests/stress/typedarray-filter.js:
2324         (subclasses.typedArrays.map):
2325         (prototype.accept):
2326         (testSpecies):
2327         (accept):
2328         (forEach):
2329         (subclasses.forEach):
2330         (testSpeciesRemoveConstructor):
2331         * tests/stress/typedarray-map.js:
2332         (subclasses.typedArrays.map):
2333         (prototype.id):
2334         (testSpecies):
2335         (id):
2336         (forEach):
2337         (subclasses.forEach):
2338         (testSpeciesRemoveConstructor):
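
The species behavior this entry adds is observable on any TypedArray subclass. As an added example (not JavaScriptCore's own test files), the following defines one subclass that inherits the default `Symbol.species` and one that overrides it to return the base `Uint8Array`, then checks what `map` and `filter` produce for each. Class and helper names are this example's own.

```javascript
// Added example (not from the ChangeLog): TypedArray.prototype.map and filter
// allocate their result via the receiver's constructor[Symbol.species].
class TaggedBytes extends Uint8Array {
  // A subclass-only accessor, to show the result is a real TaggedBytes.
  get tag() { return 'tagged'; }
}

// Opting out of species: results are plain Uint8Array, not the subclass.
class PlainResultBytes extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

function speciesReport() {
  const tagged = new TaggedBytes([1, 2, 3, 4]);
  const mapped = tagged.map((x) => x * 2);
  const filtered = tagged.filter((x) => x % 2 === 0);

  const plain = new PlainResultBytes([1, 2, 3, 4]);
  const plainMapped = plain.map((x) => x * 2);
  const plainFiltered = plain.filter((x) => x > 2);

  return {
    mappedIsSubclass: mapped instanceof TaggedBytes,
    mappedTag: mapped.tag,
    mappedValues: Array.from(mapped),
    filteredIsSubclass: filtered instanceof TaggedBytes,
    filteredValues: Array.from(filtered),
    plainMappedIsExactlyUint8Array: Object.getPrototypeOf(plainMapped) === Uint8Array.prototype,
    plainMappedValues: Array.from(plainMapped),
    plainFilteredIsExactlyUint8Array: Object.getPrototypeOf(plainFiltered) === Uint8Array.prototype,
    plainFilteredValues: Array.from(plainFiltered),
  };
}
```

Because the species constructor is looked up on the receiver at call time, the same subclass can change which type its `map` and `filter` results have without touching those methods, which is the hook the entry's `testSpeciesRemoveConstructor` tests exercise.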
2339
2340 2016-02-22  Keith Miller  <keith_miller@apple.com>
2341
2342         Builtins that should not rely on iteration do.
2343         https://bugs.webkit.org/show_bug.cgi?id=154475
2344
2345         Reviewed by Geoffrey Garen.
2346
2347         When changing the behavior of varargs calls to use ES6 iterators the
2348         call builtin function's use of a varargs call was overlooked. The use
2349         of iterators is observable outside the scope of the call function,
2350         thus it must be reimplemented.
2351
2352         * builtins/FunctionPrototype.js:
2353         (call):
2354         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
2355         (test):
2356         (addAll):
2357         (catch):
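
The observability the entry refers to can be measured by replacing `Array.prototype[Symbol.iterator]` with a counting wrapper and seeing which operations invoke it. The following added example (not the ChangeLog's test, and not JavaScriptCore code) does that for `call`, `apply`, argument spread and `for-of`: only the two syntactic forms that the spec defines in terms of iteration should touch the iterator. The helper names are this example's own.

```javascript
// Added example (not from the ChangeLog): Function.prototype.call and apply
// must not observe a user-replaced Array.prototype[Symbol.iterator]; only
// constructs specified in terms of GetIterator (spread, for-of) may.
function countArrayIteratorUses(body) {
  const original = Array.prototype[Symbol.iterator];
  let uses = 0;
  Array.prototype[Symbol.iterator] = function () {
    uses += 1;
    return original.call(this);
  };
  try {
    body();
  } finally {
    // Always restore the built-in iterator, even if `body` throws.
    Array.prototype[Symbol.iterator] = original;
  }
  return uses;
}

// A rest parameter collects arguments without going through the iterator.
function sum(...values) {
  return values.reduce((a, b) => a + b, 0);
}

function iteratorUseReport() {
  return {
    call: countArrayIteratorUses(() => sum.call(null, 1, 2, 3)),
    apply: countArrayIteratorUses(() => sum.apply(null, [1, 2, 3])),
    spread: countArrayIteratorUses(() => sum(...[1, 2, 3])),
    forOf: countArrayIteratorUses(() => { for (const v of [1, 2, 3]) void v; }),
  };
}
```

`iteratorUseReport()` returns `0` for `call` and `apply` and `1` each for `spread` and `forOf`. A `call` builtin implemented on top of a varargs call, the bug this entry fixes, would report `1` for `call`, and a script that patched the array iterator could then intercept or alter arguments passed through `call`.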
2358
2359 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2360
2361         [JSC shell] Don't put empty arguments array to VM.
2362         https://bugs.webkit.org/show_bug.cgi?id=154516
2363
2364         Reviewed by Geoffrey Garen.
2365
2366         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
2367         in jsc as well as in browser.
2368
2369         * jsc.cpp:
2370         (GlobalObject::finishCreation):
2371
2372 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2373
2374         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
2375         https://bugs.webkit.org/show_bug.cgi?id=154450
2376
2377         Reviewed by Alex Christensen.
2378
2379         * CMakeLists.txt:
2380
2381 2016-02-22  Commit Queue  <commit-queue@webkit.org>
2382
2383         Unreviewed, rolling out r196891.
2384         https://bugs.webkit.org/show_bug.cgi?id=154539
2385
2386         it broke Production builds (Requested by brrian on #webkit).
2387
2388         Reverted changeset:
2389
2390         "Web Inspector: add 'Automation' protocol domain and generate
2391         its backend classes separately in WebKit2"
2392         https://bugs.webkit.org/show_bug.cgi?id=154509
2393         http://trac.webkit.org/changeset/196891
2394
2395 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2396
2397         CodeBlock always visits its unlinked code twice
2398         https://bugs.webkit.org/show_bug.cgi?id=154494
2399
2400         Reviewed by Saam Barati.
2401
2402         * bytecode/CodeBlock.cpp:
2403         (JSC::CodeBlock::visitChildren):
2404         The unlinked code is always visited in stronglyVisitStrongReferences.
2405
2406 2016-02-21  Brian Burg  <bburg@apple.com>
2407
2408         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2409         https://bugs.webkit.org/show_bug.cgi?id=154509
2410         <rdar://problem/24759098>
2411
2412         Reviewed by Timothy Hatcher.
2413
2414         Add a new 'WebKit' framework, which is used to generate protocol code
2415         in WebKit2.
2416
2417         Add --backend and --frontend flags to the main generator script.
2418         These allow a framework to trigger two different sets of generators
2419         so they can be separately generated and compiled.
2420
2421         * inspector/scripts/codegen/models.py:
2422         (Framework.fromString):
2423         (Frameworks): Add new framework.
2424
2425         * inspector/scripts/generate-inspector-protocol-bindings.py:
2426         If neither --backend nor --frontend is specified, assume both are wanted.
2427         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2428
2429         (generate_from_specification):
2430         Generate C++ files for the backend and Objective-C files for the frontend.
2431
2432 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2433
2434         Improvements to Intl code
2435         https://bugs.webkit.org/show_bug.cgi?id=154486
2436
2437         Reviewed by Darin Adler.
2438
2439         This patch does several things:
2440         - Use std::unique_ptr to store ICU objects.
2441         - Pass Vector::size() to ICU functions that take a buffer size instead
2442           of Vector::capacity().
2443         - If U_SUCCESS(status) is true, it means there is no error, but there
2444           could be warnings. ICU functions ignore warnings. So, there is no need
2445           to reset status to U_ZERO_ERROR.
2446         - Remove the initialization of the String instance variables of
2447           IntlDateTimeFormat. These values are never read and cause unnecessary
2448           memory allocation.
2449         - Fix coding style.
2450         - Some small optimization.
2451
2452         * runtime/IntlCollator.cpp:
2453         (JSC::IntlCollator::UCollatorDeleter::operator()):
2454         (JSC::IntlCollator::createCollator):
2455         (JSC::IntlCollator::compareStrings):
2456         (JSC::IntlCollator::~IntlCollator): Deleted.
2457         * runtime/IntlCollator.h:
2458         * runtime/IntlDateTimeFormat.cpp:
2459         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
2460         (JSC::defaultTimeZone):
2461         (JSC::canonicalizeTimeZoneName):
2462         (JSC::toDateTimeOptionsAnyDate):
2463         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2464         (JSC::IntlDateTimeFormat::weekdayString):
2465         (JSC::IntlDateTimeFormat::format):
2466         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
2467         (JSC::localeData): Deleted.
2468         * runtime/IntlDateTimeFormat.h:
2469         * runtime/IntlDateTimeFormatConstructor.cpp:
2470         * runtime/IntlNumberFormatConstructor.cpp:
2471         * runtime/IntlObject.cpp:
2472         (JSC::numberingSystemsForLocale):
2473
2474 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
2475
2476         Remove arrowfunction test cases that rely on arguments variable in jsc
2477         https://bugs.webkit.org/show_bug.cgi?id=154517
2478
2479         Reviewed by Yusuke Suzuki.
2480
2481         Allow jsc to have the same behavior in JavaScript as the browser has.
2482
2483         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2484         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2485
2486 2016-02-21  Brian Burg  <bburg@apple.com>
2487
2488         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
2489         https://bugs.webkit.org/show_bug.cgi?id=154508
2490         <rdar://problem/24759077>
2491
2492         Reviewed by Timothy Hatcher.
2493
2494         In preparation for being able to generate protocol files for WebKit2,
2495         make it possible to not emit generated code that's guarded by
2496         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
2497         backend dispatchers generated outside of JavaScriptCore. We can't just
2498         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
2499         in the configurations where the code is actually used.
2500
2501         Add a new opt-in Framework configuration option that turns on generating
2502         this code. Adjust how the code is generated so that it can be easily excluded.
2503
2504         * inspector/scripts/codegen/cpp_generator_templates.py:
2505         Make a separate template for the declarations that are guarded.
2506         Add an initializer expression so the order of initializers doesn't matter.
2507
2508         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2509         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
2510         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2511         If the declarations are needed, they will be appended to the end of the
2512         declarations list.
2513
2514         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2515         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
2516         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
2517
2518         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
2519         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
2520
2521         Rebaseline affected tests.
2522
2523         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2524         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2525         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2526         * inspector/scripts/tests/expected/enum-values.json-result:
2527         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2528
2529 2016-02-21  Brian Burg  <bburg@apple.com>
2530
2531         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
2532         https://bugs.webkit.org/show_bug.cgi?id=154505
2533         <rdar://problem/24758042>
2534
2535         Reviewed by Timothy Hatcher.
2536
2537         It should be possible to generate code for a framework using some generators
2538         that other frameworks also use. Right now the generator selection code assumes
2539         that use of a generator is mutually exclusive among non-test frameworks.
2540
2541         Make this code explicitly switch on the framework. Reorder generators
2542         alphabetically within each case.
2543
2544         * inspector/scripts/generate-inspector-protocol-bindings.py:
2545         (generate_from_specification):
2546
2547         Rebaseline tests that are affected by generator reorderings.
2548
2549         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2550         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2551         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2552         * inspector/scripts/tests/expected/enum-values.json-result:
2553         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2554         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2555         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2556         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2557         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2558         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2559         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2560         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2561         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2562
2563 2016-02-19  Saam Barati  <sbarati@apple.com>
2564
2565         [ES6] Implement Proxy.[[Construct]]
2566         https://bugs.webkit.org/show_bug.cgi?id=154440
2567
2568         Reviewed by Oliver Hunt.
2569
2570         This patch is mostly an implementation of
2571         Proxy.[[Construct]] with respect to section 9.5.13
2572         of the ECMAScript spec.
2573         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
2574
2575         This patch also changes op_create_this to accept new.target values
2576         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
2577         because we might construct a JSFunction with a new.target being
2578         a Proxy. This will also be needed when we implement Reflect.construct.
2579
2580         * dfg/DFGOperations.cpp:
2581         * dfg/DFGSpeculativeJIT32_64.cpp:
2582         (JSC::DFG::SpeculativeJIT::compile):
2583         * dfg/DFGSpeculativeJIT64.cpp:
2584         (JSC::DFG::SpeculativeJIT::compile):
2585         * jit/JITOpcodes.cpp:
2586         (JSC::JIT::emit_op_create_this):
2587         (JSC::JIT::emitSlow_op_create_this):
2588         * jit/JITOpcodes32_64.cpp:
2589         (JSC::JIT::emit_op_create_this):
2590         (JSC::JIT::emitSlow_op_create_this):
2591         * llint/LLIntData.cpp:
2592         (JSC::LLInt::Data::performAssertions):
2593         * llint/LowLevelInterpreter.asm:
2594         * llint/LowLevelInterpreter32_64.asm:
2595         * llint/LowLevelInterpreter64.asm:
2596         * runtime/CommonSlowPaths.cpp:
2597         (JSC::SLOW_PATH_DECL):
2598         * runtime/ProxyObject.cpp:
2599         (JSC::ProxyObject::finishCreation):
2600         (JSC::ProxyObject::visitChildren):
2601         (JSC::performProxyConstruct):
2602         (JSC::ProxyObject::getConstructData):
2603         * runtime/ProxyObject.h:
2604         * tests/es6.yaml:
2605         * tests/stress/proxy-construct.js: Added.
2606         (assert):
2607         (throw.new.Error.let.target):
2608         (throw.new.Error):
2609         (assert.let.target):
2610         (assert.let.handler.get construct):
2611         (let.target):
2612         (let.handler.construct):
2613         (i.catch):
2614         (assert.let.handler.construct):
2615         (assert.let.construct):
2616         (assert.else.assert.let.target):
2617         (assert.else.assert.let.construct):
2618         (assert.else.assert):
2619         (new.proxy.let.target):
2620         (new.proxy.let.construct):
2621         (new.proxy):
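
Added example, not code from the WebKit tree or the proxy-construct.js test above: it exercises the Proxy [[Construct]] behaviour (ECMAScript 2015 section 9.5.13) that this entry implements, including the case the entry calls out, a JSFunction constructed with new.target being a Proxy. `Target`, `makeRecordingProxy` and the other names are constructed here.

```javascript
// Added example, not code from the WebKit tree: exercises the Proxy [[Construct]]
// behaviour (ECMAScript 2015 section 9.5.13) that the entry above implements.
// `Target`, `makeRecordingProxy` and the other names are constructed here.

class Target {
  constructor(x) {
    this.x = x;
    this.newTarget = new.target;   // records what new.target was inside the constructor
  }
}

// A Proxy whose construct trap logs its arguments and forwards to the target
// with Reflect.construct, so the JSFunction is constructed with new.target
// being the Proxy itself (the case the entry above had to support).
function makeRecordingProxy(target) {
  const log = [];
  const handler = {
    construct(t, args, newTarget) {
      log.push({ argc: args.length, newTargetIsProxy: newTarget === proxy });
      return Reflect.construct(t, args, newTarget);
    }
  };
  const proxy = new Proxy(target, handler);
  return { proxy, log };
}

// 9.5.13 requires the trap's result to be an Object; anything else makes
// [[Construct]] throw a TypeError. The error's constructor name is returned
// instead of letting it propagate.
function constructWithTrap(target, trapResult) {
  const p = new Proxy(target, { construct() { return trapResult; } });
  try {
    return { ok: true, value: new p() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// With no construct trap, the call falls through to target.[[Construct]]
// with new.target still being the Proxy.
function constructWithoutTrap(target) {
  const p = new Proxy(target, {});
  const instance = new p(1);
  return { instance, newTargetIsProxy: instance.newTarget === p };
}

function demo() {
  const { proxy, log } = makeRecordingProxy(Target);
  const instance = new proxy(42);
  return {
    x: instance.x,
    newTargetIsProxy: instance.newTarget === proxy,
    trapCalls: log.length,
    trapSawProxyAsNewTarget: log[0].newTargetIsProxy,
    objectResultOk: constructWithTrap(Target, { fromTrap: true }).ok,
    primitiveResultError: constructWithTrap(Target, 5).error,
    noTrapNewTargetIsProxy: constructWithoutTrap(Target).newTargetIsProxy,
    // A Proxy only has [[Construct]] if its target does: a plain-object target
    // leaves `new p()` throwing a TypeError regardless of the handler.
    nonConstructorTargetError: constructWithTrap({}, {}).error
  };
}
```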
2622
2623 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2624
2625         [INTL] Implement Number Format Functions
2626         https://bugs.webkit.org/show_bug.cgi?id=147605
2627
2628         Reviewed by Darin Adler.
2629
2630         This patch implements Intl.NumberFormat.prototype.format() according
2631         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
2632
2633         * runtime/IntlNumberFormat.cpp:
2634         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
2635         (JSC::IntlNumberFormat::initializeNumberFormat):
2636         (JSC::IntlNumberFormat::createNumberFormat):
2637         (JSC::IntlNumberFormat::formatNumber):
2638         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
2639         * runtime/IntlNumberFormat.h:
2640         * runtime/IntlNumberFormatPrototype.cpp:
2641         (JSC::IntlNumberFormatFuncFormatNumber):
2642
2643 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
2644
2645         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
2646         https://bugs.webkit.org/show_bug.cgi?id=154416
2647
2648         Reviewed by Geoff Garen.
2649
2650         Here's the bug. Suppose you call JSObject::getOwnProperty and -
2651           - PropertyName contains an index,
2652           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
2653           - The base of the access (or another object on the prototype chain) shadows that property.
2654
2655         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
2656         index, and as such walks up the prototype chain looking for non-index properties before it
2657         tries calling parseIndex.
2658
2659         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
2660         would potentially return the property) we may have already skipped over non-overriding
2661         objects that contain the property in index storage.
2662
2663         * runtime/JSObject.h:
2664         (JSC::JSObject::getOwnNonIndexPropertySlot):
2665             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
2666               added ASSERT guarding that this method never returns index properties -
2667               if it ever does, this is unsafe for getPropertySlot.
2668         (JSC::JSObject::getOwnPropertySlot):
2669             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
2670         (JSC::JSObject::getPropertySlot):
2671             - In case of an object overriding getOwnPropertySlot, check if propertyName is an index.
2672         (JSC::JSObject::getNonIndexPropertySlot):
2673             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
2674               in order to avoid repeated calls to parseIndex.
2675         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
2676             - this was renamed to getOwnNonIndexPropertySlot.
2677         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
2678             - this was folded back into getPropertySlot.
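
Added example, not WebKit code: it sets up the three-object prototype chain the entry describes (an index key, an object further up the chain that answers lookups itself, and a shadowing object with the index in ordinary storage) and checks the lookup order the fix restores. A Proxy plays the role of the object that overrides getOwnPropertySlot; `buildChain` and `lookupIndexZero` are constructed here.

```javascript
// Added example, not WebKit code: the lookup order JSObject::getPropertySlot
// must honour when the property name is an index and an object up the
// prototype chain answers index lookups itself. Everything here is constructed.

// From the engine's point of view a Proxy "overrides getOwnPropertySlot":
// this one claims to own index 0 and nothing else.
function makeOverridingProto() {
  const answer = "from overriding proto";
  return new Proxy({}, {
    has(t, key) { return key === "0"; },
    get(t, key) { return key === "0" ? answer : undefined; },
    getOwnPropertyDescriptor(t, key) {
      return key === "0"
        ? { value: answer, writable: true, enumerable: true, configurable: true }
        : undefined;
    }
  });
}

// Chain: base -> middle -> overridingProto. `middle` and/or `base` may keep
// index 0 in ordinary index storage, shadowing the overriding prototype.
function buildChain({ shadowInMiddle, shadowInBase }) {
  const middle = Object.create(makeOverridingProto());
  if (shadowInMiddle) middle[0] = "from middle";
  const base = Object.create(middle);
  if (shadowInBase) base[0] = "from base";
  return base;
}

// The property name is an index ("0"), which is exactly the case the bug hit:
// whichever object is nearest in the chain and has the index must answer,
// never the overriding prototype behind it.
function lookupIndexZero(opts) {
  return buildChain(opts)[0];
}

// `in` walks the same chain; the overriding prototype's `has` trap only gets
// asked when nothing nearer owns the index.
function hasIndexZero(opts) {
  return 0 in buildChain(opts);
}
```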
2679
2680 2016-02-19  Saam Barati  <sbarati@apple.com>
2681
2682         [ES6] Implement Proxy.[[Call]]
2683         https://bugs.webkit.org/show_bug.cgi?id=154425
2684
2685         Reviewed by Mark Lam.
2686
2687         This patch is a straightforward implementation of
2688         Proxy.[[Call]] with respect to section 9.5.12
2689         of the ECMAScript spec.
2690         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
2691
2692         * runtime/ProxyObject.cpp:
2693         (JSC::ProxyObject::finishCreation):
2694         (JSC::performProxyGet):
2695         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2696         (JSC::ProxyObject::performHasProperty):
2697         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2698         (JSC::performProxyCall):
2699         (JSC::ProxyObject::getCallData):
2700         (JSC::ProxyObject::visitChildren):
2701         * runtime/ProxyObject.h:
2702         (JSC::ProxyObject::create):
2703         * tests/es6.yaml:
2704         * tests/stress/proxy-call.js: Added.
2705         (assert):
2706         (throw.new.Error.let.target):
2707         (throw.new.Error.let.handler.apply):
2708         (throw.new.Error):
2709         (assert.let.target):
2710         (assert.let.handler.get apply):
2711         (let.target):
2712         (let.handler.apply):
2713         (i.catch):
2714         (assert.let.handler.apply):
2715
2716 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2717
2718         Remove more LLVM related dead code after r196729
2719         https://bugs.webkit.org/show_bug.cgi?id=154387
2720
2721         Reviewed by Filip Pizlo.
2722
2723         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2724         * Configurations/LLVMForJSC.xcconfig: Removed.
2725         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2726         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2727         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2728         * JavaScriptCore.xcodeproj/project.pbxproj:
2729         * disassembler/X86Disassembler.cpp:
2730
2731 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2732
2733         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2734         https://bugs.webkit.org/show_bug.cgi?id=154442
2735
2736         Reviewed by Saam Barati.
2737
2738         * runtime/JSString.h:
2739         (JSC::isJSString):
2740
2741 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2742
2743         Remove unused SymbolTable::createNameScopeTable
2744         https://bugs.webkit.org/show_bug.cgi?id=154443
2745
2746         Reviewed by Saam Barati.
2747
2748         * runtime/SymbolTable.h:
2749
2750 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2751
2752         [JSC] Improve the instruction selection of Select
2753         https://bugs.webkit.org/show_bug.cgi?id=154432
2754
2755         Reviewed by Filip Pizlo.
2756
2757         Plenty of code but this patch is pretty dumb:
2758         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
2759          to be aliased to the destination. This gives more freedom to the register
2760          allocator and it is one less Move to process per Select.
2761         -On x86, introduce a fake 3 operands form and use aggressive aliasing
2762          to try to alias both sources to the destination.
2763
2764          If aliasing succeeds on the "elseCase", the condition of the Select
2765          is reverted in the MacroAssembler.
2766
2767          If no aliasing is possible and we end up with 3 registers, the missing
2768          move instruction is generated by the MacroAssembler.
2769
2770          The missing move is generated after testing the values because the destination
2771          can use the same register as one of the test operands.
2772          Experimental testing seems to indicate there is no macro-fusion on CMOV,
2773          so there is no measurable cost to having the move there.
2774
2775         * assembler/MacroAssembler.h:
2776         (JSC::MacroAssembler::isInvertible):
2777         (JSC::MacroAssembler::invert):
2778         * assembler/MacroAssemblerARM64.h:
2779         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2780         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2781         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2782         (JSC::MacroAssemblerARM64::moveConditionally32):
2783         (JSC::MacroAssemblerARM64::moveConditionally64):
2784         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2785         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2786         * assembler/MacroAssemblerX86Common.h:
2787         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2788         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2789         (JSC::MacroAssemblerX86Common::moveConditionally32):
2790         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2791         (JSC::MacroAssemblerX86Common::invert):
2792         (JSC::MacroAssemblerX86Common::isInvertible):
2793         * assembler/MacroAssemblerX86_64.h:
2794         (JSC::MacroAssemblerX86_64::moveConditionally64):
2795         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2796         * b3/B3LowerToAir.cpp:
2797         (JSC::B3::Air::LowerToAir::createSelect):
2798         (JSC::B3::Air::LowerToAir::lower):
2799         * b3/air/AirInstInlines.h:
2800         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2801         * b3/air/AirOpcode.opcodes:
2802
2803 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2804
2805         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2806         https://bugs.webkit.org/show_bug.cgi?id=154430
2807
2808         Reviewed by Saam Barati.
2809
2810         llvm isn't used anymore.
2811
2812         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2813
2814 2016-02-18  Saam Barati  <sbarati@apple.com>
2815
2816         Implement Proxy.[[HasProperty]]
2817         https://bugs.webkit.org/show_bug.cgi?id=154313
2818
2819         Reviewed by Filip Pizlo.
2820
2821         This patch is a straightforward implementation of
2822         Proxy.[[HasProperty]] with respect to section 9.5.7
2823         of the ECMAScript spec.
2824         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2825
2826         * runtime/ProxyObject.cpp:
2827         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2828         (JSC::ProxyObject::performHasProperty):
2829         (JSC::ProxyObject::getOwnPropertySlotCommon):
2830         * runtime/ProxyObject.h:
2831         * tests/es6.yaml:
2832         * tests/stress/proxy-basic.js:
2833         (assert):
2834         (let.handler.has):
2835         * tests/stress/proxy-has-property.js: Added.
2836         (assert):
2837         (throw.new.Error.let.handler.get has):
2838         (throw.new.Error):
2839         (assert.let.handler.has):
2840         (let.handler.has):
2841         (getOwnPropertyDescriptor):
2842         (i.catch):
2843
2844 2016-02-18  Saam Barati  <sbarati@apple.com>
2845
2846         Proxies don't properly handle Symbols as PropertyKeys.
2847         https://bugs.webkit.org/show_bug.cgi?id=154385
2848
2849         Reviewed by Mark Lam and Yusuke Suzuki.
2850
2851         We were converting all PropertyKeys to strings, even when
2852         the PropertyName was a Symbol. In the spec, PropertyKeys are
2853         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2854         Proxy.[[GetOwnProperty]].
2855
2856         * runtime/Completion.cpp:
2857         (JSC::profiledEvaluate):
2858         (JSC::createSymbolForEntryPointModule):
2859         (JSC::identifierToJSValue): Deleted.
2860         * runtime/Identifier.h:
2861         (JSC::parseIndex):
2862         * runtime/IdentifierInlines.h:
2863         (JSC::Identifier::fromString):
2864         (JSC::identifierToJSValue):
2865         (JSC::identifierToSafePublicJSValue):
2866         * runtime/ProxyObject.cpp:
2867         (JSC::performProxyGet):
2868         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2869         * tests/es6.yaml:
2870         * tests/stress/proxy-basic.js:
2871         (let.handler.getOwnPropertyDescriptor):
2872
2873 2016-02-18  Saam Barati  <sbarati@apple.com>
2874
2875         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2876         https://bugs.webkit.org/show_bug.cgi?id=154314
2877
2878         Reviewed by Filip Pizlo.
2879
2880         Part of the implementation was broken because
2881         of how JSObject::getOwnPropertyDescriptor worked.
2882         I've fixed JSObject::getOwnPropertyDescriptor to
2883         be able to handle ProxyObject.
2884
2885         * runtime/JSObject.cpp:
2886         (JSC::JSObject::getOwnPropertyDescriptor):
2887         * runtime/ProxyObject.cpp:
2888         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2889         * tests/stress/proxy-get-own-property.js:
2890         (assert):
2891         (assert.let.handler.get getOwnPropertyDescriptor):
2892
2893 2016-02-18  Saam Barati  <sbarati@apple.com>
2894
2895         Implement Proxy.[[GetOwnProperty]]
2896         https://bugs.webkit.org/show_bug.cgi?id=154314
2897
2898         Reviewed by Filip Pizlo.
2899
2900         This patch implements Proxy.[[GetOwnProperty]].
2901         It's a straightforward implementation as described
2902         in section 9.5.5 of the specification:
2903         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2904
2905         * runtime/FunctionPrototype.cpp:
2906         (JSC::functionProtoFuncBind):
2907         * runtime/JSObject.cpp:
2908         (JSC::validateAndApplyPropertyDescriptor):
2909         (JSC::JSObject::defineOwnNonIndexProperty):
2910         (JSC::JSObject::defineOwnProperty):
2911         (JSC::JSObject::getGenericPropertyNames):
2912         (JSC::JSObject::getMethod):
2913         * runtime/JSObject.h:
2914         (JSC::JSObject::butterflyAddress):
2915         (JSC::makeIdentifier):
2916         * runtime/ProxyObject.cpp:
2917         (JSC::performProxyGet):
2918         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2919         (JSC::ProxyObject::getOwnPropertySlotCommon):
2920         (JSC::ProxyObject::getOwnPropertySlot):
2921         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2922         (JSC::ProxyObject::visitChildren):
2923         * runtime/ProxyObject.h:
2924         * tests/es6.yaml:
2925         * tests/stress/proxy-basic.js:
2926         (let.handler.get null):
2927         * tests/stress/proxy-get-own-property.js: Added.
2928         (assert):
2929         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2930         (throw.new.Error):
2931         (let.handler.getOwnPropertyDescriptor):
2932         (i.catch):
2933         (assert.let.handler.getOwnPropertyDescriptor):
2934
2935 2016-02-18  Andreas Kling  <akling@apple.com>
2936
2937         JSString resolution of substrings should use StringImpl sharing optimization.
2938         <https://webkit.org/b/154068>
2939         <rdar://problem/24629358>
2940
2941         Reviewed by Antti Koivisto.
2942
2943         When resolving a JSString that's actually a substring of another JSString,
2944         use the StringImpl sharing optimization to create a new string pointing into
2945         the parent one, instead of copying out the bytes of the string.
2946
2947         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2948
2949         Another approach to this would be to induce GC far more frequently due to
2950         the added cost of copying out these substrings. It would reduce the risk
2951         of prolonging the life of strings only kept alive by substrings.
2952
2953         This patch chooses to trade that risk for less GC and lower peak memory.
2954
2955         * runtime/JSString.cpp:
2956         (JSC::JSRopeString::resolveRope):
2957
2958 2016-02-18  Chris Dumez  <cdumez@apple.com>
2959
2960         Crash on SES selftest page when loading the page while WebInspector is open
2961         https://bugs.webkit.org/show_bug.cgi?id=154378
2962         <rdar://problem/24713422>
2963
2964         Reviewed by Mark Lam.
2965
2966         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2967         returns early again if it detects that getOwnPropertySlot() returns a
2968         non-own property. This check was removed in r196676 because we assumed that
2969         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2970         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2971         well.
2972
2973         Not having the check would lead to crashes when using the debugger because
2974         we would get a slot with the CustomAccessor attribute but getDirect() would
2975         then fail to return the property (because it is not an own property). We
2976         would then cast the value returned by getDirect() to a CustomGetterSetter*
2977         and dereference it.
2978
2979         * runtime/JSObject.cpp:
2980         (JSC::JSObject::getOwnPropertyDescriptor):
2981
2982 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2983
2984         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2985         for that.
2986
2987         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2988         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2989
2990 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2991
2992         Unreviewed, fix CMake build. This got messed up when rebasing.
2993
2994         * CMakeLists.txt:
2995
2996 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2997
2998         Fix the !ENABLE(DFG_JIT) build after r195865
2999         https://bugs.webkit.org/show_bug.cgi?id=154391
3000
3001         Reviewed by Filip Pizlo.
3002
3003         * runtime/SamplingProfiler.cpp:
3004         (JSC::tryGetBytecodeIndex):
3005
3006 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3007
3008         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
3009         https://bugs.webkit.org/show_bug.cgi?id=154383
3010
3011         Reviewed by Saam Barati.
3012
3013         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
3014
3015         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
3016           backend".
3017
3018         - Removed the reference because I found it to be dead. In some cases it was a dead
3019           comment: it was telling us things about what LLVM did and that's just not relevant
3020           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
3021
3022         - Edited the comment in some smart way. There were comments talking about what LLVM did
3023           that were still of interest. In some cases, I added a FIXME to consider changing the
3024           code below the comment on the grounds that it was written in a weird way to placate
3025           LLVM and so we can do it better now.
3026
3027         * CMakeLists.txt:
3028         * JavaScriptCore.xcodeproj/project.pbxproj:
3029         * dfg/DFGArgumentsEliminationPhase.cpp:
3030         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3031         * dfg/DFGPlan.cpp:
3032         (JSC::DFG::Plan::compileInThread):
3033         (JSC::DFG::Plan::compileInThreadImpl):
3034         (JSC::DFG::Plan::compileTimeStats):
3035         * dfg/DFGPutStackSinkingPhase.cpp:
3036         * dfg/DFGSSAConversionPhase.h:
3037         * dfg/DFGStaticExecutionCountEstimationPhase.h:
3038         * dfg/DFGUnificationPhase.cpp:
3039         (JSC::DFG::UnificationPhase::run):
3040         * disassembler/ARM64Disassembler.cpp:
3041         (JSC::tryToDisassemble): Deleted.
3042         * disassembler/X86Disassembler.cpp:
3043         (JSC::tryToDisassemble):
3044         * ftl/FTLAbstractHeap.cpp:
3045         (JSC::FTL::IndexedAbstractHeap::initialize):
3046         * ftl/FTLAbstractHeap.h:
3047         * ftl/FTLFormattedValue.h:
3048         * ftl/FTLJITFinalizer.cpp:
3049         (JSC::FTL::JITFinalizer::finalizeFunction):
3050         * ftl/FTLLink.cpp:
3051         (JSC::FTL::link):
3052         * ftl/FTLLocation.cpp:
3053         (JSC::FTL::Location::restoreInto):
3054         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
3055         (JSC::FTL::DFG::ftlUnreachable):
3056         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3057         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3058         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3059         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3060         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3061         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
3062         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
3063         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3064         (JSC::FTL::lowerDFGToB3):
3065         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
3066         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
3067         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
3068         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
3069         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
3070         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
3071         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
3072         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
3073         (JSC::FTL::lowerDFGToLLVM): Deleted.
3074         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
3075         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
3076         * ftl/FTLLowerDFGToLLVM.h: Removed.
3077         * ftl/FTLOSRExitCompiler.cpp:
3078         (JSC::FTL::compileStub):
3079         * ftl/FTLWeight.h:
3080         (JSC::FTL::Weight::frequencyClass):
3081         (JSC::FTL::Weight::inverse):
3082         (JSC::FTL::Weight::scaleToTotal): Deleted.
3083         * ftl/FTLWeightedTarget.h:
3084         (JSC::FTL::rarely):
3085         (JSC::FTL::unsure):
3086         * jit/CallFrameShuffler64.cpp:
3087         (JSC::CallFrameShuffler::emitDisplace):
3088         * jit/RegisterSet.cpp:
3089         (JSC::RegisterSet::ftlCalleeSaveRegisters):
3090         * llvm: Removed.
3091         * llvm/InitializeLLVMLinux.cpp: Removed.
3092         * llvm/InitializeLLVMWin.cpp: Removed.
3093         * llvm/library: Removed.
3094         * llvm/library/LLVMTrapCallback.h: Removed.
3095         * llvm/library/libllvmForJSC.version: Removed.
3096         * runtime/Options.cpp:
3097         (JSC::recomputeDependentOptions):
3098         (JSC::Options::initialize):
3099         * runtime/Options.h:
3100         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
3101         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
3102         * wasm/WASMFunctionParser.cpp:
3103
3104 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3105
3106         [cmake] Build system cleanup
3107         https://bugs.webkit.org/show_bug.cgi?id=154337
3108
3109         Reviewed by Žan Doberšek.
3110
3111         * CMakeLists.txt:
3112
3113 2016-02-17  Mark Lam  <mark.lam@apple.com>
3114
3115         Callers of JSString::value() should check for exceptions thereafter.
3116         https://bugs.webkit.org/show_bug.cgi?id=154346
3117
3118         Reviewed by Geoffrey Garen.
3119
3120         JSString::value() can throw an exception if the JS string is a rope and value() 
3121         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3122         able to resolve the rope, it will return a null string (in addition to throwing
3123         the exception).  If a caller does not check for exceptions after calling
3124         JSString::value(), they may eventually use the returned null string and crash the
3125         VM.
3126
3127         The fix is to add all the necessary exception checks, and do the appropriate
3128         handling if needed.
3129
3130         * jsc.cpp:
3131         (functionRun):
3132         (functionLoad):
3133         (functionReadFile):
3134         (functionCheckSyntax):
3135         (functionLoadWebAssembly):
3136         (functionLoadModule):
3137         (functionCheckModuleSyntax):
3138         * runtime/DateConstructor.cpp:
3139         (JSC::dateParse):
3140         (JSC::dateNow):
3141         * runtime/JSGlobalObjectFunctions.cpp:
3142         (JSC::globalFuncEval):
3143         * tools/JSDollarVMPrototype.cpp:
3144         (JSC::functionPrint):
3145
3146 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
3147
3148         [JSC] ARM64: Support the immediate format used for bit operations in Air
3149         https://bugs.webkit.org/show_bug.cgi?id=154327
3150
3151         Reviewed by Filip Pizlo.
3152
3153         ARM64 supports a pretty rich form of immediates for bit operations.
3154         There are two formats used to encode repeating patterns and common
3155         input in a dense form.
3156
3157         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
3158         Those represent the valid immediate forms for bit operations.
3159         On x86, any 32-bit value is valid. On ARM64, all the encoding
3160         forms are tried and the immediate is used when possible.
3161
3162         The arg type Imm64 is renamed to BigImm to better represent what
3163         it is: an immediate that does not fit into Imm.
3164
3165         * assembler/ARM64Assembler.h:
3166         (JSC::LogicalImmediate::create32): Deleted.
3167         (JSC::LogicalImmediate::create64): Deleted.
3168         (JSC::LogicalImmediate::value): Deleted.
3169         (JSC::LogicalImmediate::isValid): Deleted.
3170         (JSC::LogicalImmediate::is64bit): Deleted.
3171         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
3172         (JSC::LogicalImmediate::mask): Deleted.
3173         (JSC::LogicalImmediate::partialHSB): Deleted.
3174         (JSC::LogicalImmediate::highestSetBit): Deleted.
3175         (JSC::LogicalImmediate::findBitRange): Deleted.
3176         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
3177         * assembler/AssemblerCommon.h:
3178         (JSC::ARM64LogicalImmediate::create32):
3179         (JSC::ARM64LogicalImmediate::create64):
3180         (JSC::ARM64LogicalImmediate::value):
3181         (JSC::ARM64LogicalImmediate::isValid):
3182         (JSC::ARM64LogicalImmediate::is64bit):
3183         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
3184         (JSC::ARM64LogicalImmediate::mask):
3185         (JSC::ARM64LogicalImmediate::partialHSB):
3186         (JSC::ARM64LogicalImmediate::highestSetBit):
3187         (JSC::ARM64LogicalImmediate::findBitRange):
3188         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
3189         * assembler/MacroAssemblerARM64.h:
3190         (JSC::MacroAssemblerARM64::and64):
3191         (JSC::MacroAssemblerARM64::or64):
3192         (JSC::MacroAssemblerARM64::xor64):
3193         * b3/B3LowerToAir.cpp:
3194         (JSC::B3::Air::LowerToAir::bitImm):
3195         (JSC::B3::Air::LowerToAir::bitImm64):
3196         (JSC::B3::Air::LowerToAir::appendBinOp):
3197         * b3/air/AirArg.cpp:
3198         (JSC::B3::Air::Arg::dump):
3199         (WTF::printInternal):
3200         * b3/air/AirArg.h:
3201         (JSC::B3::Air::Arg::bitImm):
3202         (JSC::B3::Air::Arg::bitImm64):
3203         (JSC::B3::Air::Arg::isBitImm):
3204         (JSC::B3::Air::Arg::isBitImm64):
3205         (JSC::B3::Air::Arg::isSomeImm):
3206         (JSC::B3::Air::Arg::value):
3207         (JSC::B3::Air::Arg::isGP):
3208         (JSC::B3::Air::Arg::isFP):
3209         (JSC::B3::Air::Arg::hasType):
3210         (JSC::B3::Air::Arg::isValidBitImmForm):
3211         (JSC::B3::Air::Arg::isValidBitImm64Form):
3212         (JSC::B3::Air::Arg::isValidForm):
3213         (JSC::B3::Air::Arg::asTrustedImm32):
3214         (JSC::B3::Air::Arg::asTrustedImm64):
3215         * b3/air/AirOpcode.opcodes:
3216         * b3/air/opcode_generator.rb:
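
Added example, not JSC's ARM64LogicalImmediate: a stand-alone check of the property a BitImm32/BitImm64 operand has to satisfy on ARM64. The logical-immediate format accepts a 32- or 64-bit value only if it is a repetition of a 2, 4, 8, 16, 32 (or 64) bit element, and that element is a contiguous run of ones, possibly wrapping around the element boundary, but neither all zeros nor all ones; `isLogicalImmediate` tries every element size, as the entry says the backend does. All names are constructed here.

```javascript
// Added example, not JSC's ARM64LogicalImmediate: validity check for the ARM64
// logical-immediate format that BitImm32 / BitImm64 stand for. Uses BigInt so
// 64-bit patterns are exact.

const mask = (bits) => (1n << BigInt(bits)) - 1n;

function trailingZeros(x, bits) {
  let n = 0;
  while (n < bits && ((x >> BigInt(n)) & 1n) === 0n) n++;
  return n;
}

// True if x (already masked to `bits`) is a non-empty run of ones that does
// not wrap around: after dropping trailing zeros it must look like 0b0..01..1,
// which is exactly the values y with (y & (y + 1)) == 0.
function isUnwrappedRun(x, bits) {
  if (x === 0n) return false;
  const y = x >> BigInt(trailingZeros(x, bits));
  return (y & (y + 1n)) === 0n;
}

// True if x is a run of ones that may wrap around the element boundary.
// Either the ones are contiguous, or (wrapped case) the zeros are.
function isRotatedRun(x, bits) {
  const m = mask(bits);
  x &= m;
  if (x === 0n || x === m) return false;   // all-zeros / all-ones are not encodable
  return isUnwrappedRun(x, bits) || isUnwrappedRun(~x & m, bits);
}

// Try each element size from 2 bits up to the operand width; the value is
// encodable if, for some size, it is that element repeated and the element
// is a rotated run of ones.
function isLogicalImmediate(value, bits) {
  if (bits !== 32 && bits !== 64) throw new RangeError("bits must be 32 or 64");
  const v = BigInt.asUintN(bits, BigInt(value));
  for (let size = 2; size <= bits; size *= 2) {
    const elem = v & mask(size);
    let repeated = 0n;
    for (let i = 0; i < bits; i += size) repeated |= elem << BigInt(i);
    if (repeated === v && isRotatedRun(elem, size)) return true;
  }
  return false;
}
```

On x86 the equivalent check is simply "fits in 32 bits", which is why the entry needs a distinct Arg kind for ARM64.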
3217
3218 2016-02-17  Keith Miller  <keith_miller@apple.com>
3219
3220         Spread operator should be allowed when not the first argument of parameter list
3221         https://bugs.webkit.org/show_bug.cgi?id=152721
3222
3223         Reviewed by Saam Barati.
3224
3225         Spread arguments to functions should now be ES6 compliant. Before we
3226         would only take a spread operator if it was the sole argument to a
3227         function. Additionally, we would not use the Symbol.iterator on the
3228         object to generate the arguments. Instead we would do a loop up to the
3229         length mapping indexed properties to the corresponding argument. We fix
3230         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3231         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3232         old spread semantics). This solution has the downside of requiring the
3233         allocation of another object and copying each element twice but avoids a
3234         large change to the vm calling convention.
3235
3236         * interpreter/Interpreter.cpp:
3237         (JSC::loadVarargs):
3238         * parser/ASTBuilder.h:
3239         (JSC::ASTBuilder::createElementList):
3240         * parser/Parser.cpp:
3241         (JSC::Parser<LexerType>::parseArguments):
3242         (JSC::Parser<LexerType>::parseArgument):
3243         (JSC::Parser<LexerType>::parseMemberExpression):
3244         * parser/Parser.h:
3245         * parser/SyntaxChecker.h:
3246         (JSC::SyntaxChecker::createElementList):
3247         * tests/es6.yaml:
3248         * tests/stress/spread-calling.js: Added.
3249         (testFunction):
3250         (testEmpty):
3251         (makeObject):
3252         (otherIterator.return.next):
3253         (otherIterator):
3254         (totalIter):
3255         (throwingIter.return.next):
3256         (throwingIter):
3257         (i.catch):
3258
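The two spread semantics contrasted in the entry above, and the foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) rewrite, modelled as an added example. This is editor-supplied JavaScript, not code from WebKit's ChangeLog, source tree or tests; legacySpread, iteratorSpread, flattenArguments and the constructed objects are illustrative names, and the throwing-iterator input is constructed here to show a difference the entry only implies.

```javascript
// Added example, not code from WebKit. Models the two argument-spreading
// semantics the entry contrasts and the AST rewrite it describes.

// Pre-fix semantics: read `length`, then indexed properties 0..length-1.
// Symbol.iterator is never consulted.
function legacySpread(obj) {
  const out = [];
  const len = obj.length >>> 0;
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 semantics: call obj[Symbol.iterator]() and drain it. `length` and
// indexed properties play no role, and an iterator that throws propagates.
function iteratorSpread(obj) {
  const out = [];
  for (const v of obj) out.push(v);
  return out;
}

// The rewrite from the entry: a call like foo(...a, b, ...c, d) is first
// flattened into one array by draining each spread argument's iterator, then
// that array is handed to the single-spread path the VM already had.
// `parts` is a constructed representation of the argument list:
// { spread: true, value: <iterable> } or { spread: false, value: <any> }.
function flattenArguments(parts) {
  const flat = [];
  for (const p of parts) {
    if (p.spread) flat.push(...iteratorSpread(p.value));
    else flat.push(p.value);
  }
  return flat;
}

// Constructed input whose iterator disagrees with its indexed properties,
// so the two semantics give visibly different results.
function makeDisagreeingObject() {
  return {
    length: 2,
    0: "index0",
    1: "index1",
    [Symbol.iterator]: function* () {
      yield "iter0";
      yield "iter1";
      yield "iter2";
    },
  };
}

// Constructed iterator that throws partway through: observable under
// iterator semantics, silently ignored by the old length-based loop.
function makeThrowingObject() {
  return {
    length: 1,
    0: "index0",
    [Symbol.iterator]: function* () {
      yield "first";
      throw new Error("iterator failed");
    },
  };
}

function spreadOutcome(obj, spreadFn) {
  try {
    return { values: spreadFn(obj), threw: false };
  } catch (e) {
    return { values: null, threw: true };
  }
}

function demoSpread() {
  const obj = makeDisagreeingObject();
  return {
    legacy: legacySpread(obj),
    es6: iteratorSpread(obj),
    native: [...obj], // the engine's own spread agrees with the iterator path
    call: flattenArguments([
      { spread: true, value: [1, 2] },
      { spread: false, value: 3 },
      { spread: true, value: obj },
      { spread: false, value: 4 },
    ]),
    legacyThrowing: spreadOutcome(makeThrowingObject(), legacySpread),
    es6Throwing: spreadOutcome(makeThrowingObject(), iteratorSpread),
  };
}
```

The point for a reviewer is that the iterator path hands control to user code on every spread, so any error or side effect in Symbol.iterator now surfaces at the call site, whereas the old loop only read data properties.
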
3259 2016-02-17  Brian Burg  <bburg@apple.com>
3260
3261         Remove a wrong cast in RemoteInspector::receivedSetupMessage
3262         https://bugs.webkit.org/show_bug.cgi?id=154361
3263         <rdar://problem/24709281>
3264
3265         Reviewed by Joseph Pecoraro.
3266
3267         * inspector/remote/RemoteInspector.mm:
3268         (Inspector::RemoteInspector::receivedSetupMessage):
3269         Not only is this cast unnecessary (the constructor accepts the base class),
3270         but it is wrong since the target could be an automation target. Remove it.
3271
3272 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3273
3274         Rename FTLB3Blah to FTLBlah
3275         https://bugs.webkit.org/show_bug.cgi?id=154365
3276
3277         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
3278
3279         * CMakeLists.txt:
3280         * JavaScriptCore.xcodeproj/project.pbxproj:
3281         * ftl/FTLB3Compile.cpp: Removed.
3282         * ftl/FTLB3Output.cpp: Removed.
3283         * ftl/FTLB3Output.h: Removed.
3284         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
3285         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
3286         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
3287
3288 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3289
3290         Remove LLVM dependencies from WebKit
3291         https://bugs.webkit.org/show_bug.cgi?id=154323
3292
3293         Reviewed by Antti Koivisto and Benjamin Poulain.
3294
3295         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
3296         LLVM-related code dead, including the disassembler, which was only reachable when you were on
3297         a platform that already had an in-tree disassembler.
3298
3299         * CMakeLists.txt:
3300         * JavaScriptCore.xcodeproj/project.pbxproj:
3301         * dfg/DFGCommon.h:
3302         * dfg/DFGPlan.cpp:
3303         (JSC::DFG::Plan::compileInThread):
3304         (JSC::DFG::Plan::compileInThreadImpl):
3305         (JSC::DFG::Plan::compileTimeStats):
3306         * disassembler/ARM64Disassembler.cpp:
3307         (JSC::tryToDisassemble):
3308         * disassembler/ARMv7Disassembler.cpp:
3309         (JSC::tryToDisassemble):
3310         * disassembler/Disassembler.cpp:
3311         (JSC::disassemble):
3312         (JSC::disassembleAsynchronously):
3313         * disassembler/Disassembler.h:
3314         (JSC::tryToDisassemble):
3315         * disassembler/LLVMDisassembler.cpp: Removed.
3316         * disassembler/LLVMDisassembler.h: Removed.
3317         * disassembler/UDis86Disassembler.cpp:
3318         (JSC::tryToDisassembleWithUDis86):
3319         * disassembler/UDis86Disassembler.h:
3320         (JSC::tryToDisassembleWithUDis86):
3321         * disassembler/X86Disassembler.cpp:
3322         (JSC::tryToDisassemble):
3323         * ftl/FTLAbbreviatedTypes.h:
3324         * ftl/FTLAbbreviations.h: Removed.
3325         * ftl/FTLAbstractHeap.cpp:
3326         (JSC::FTL::AbstractHeap::decorateInstruction):
3327         (JSC::FTL::AbstractHeap::dump):
3328         (JSC::FTL::AbstractField::dump):
3329         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
3330         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
3331         (JSC::FTL::IndexedAbstractHeap::baseIndex):
3332         (JSC::FTL::IndexedAbstractHeap::dump):
3333         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
3334         (JSC::FTL::NumberedAbstractHeap::dump):
3335         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
3336         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
3337         * ftl/FTLAbstractHeap.h:
3338         (JSC::FTL::AbstractHeap::AbstractHeap):
3339         (JSC::FTL::AbstractHeap::heapName):
3340         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
3341         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
3342         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
3343         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
3344         * ftl/FTLAbstractHeapRepository.cpp:
3345         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3346         * ftl/FTLAbstractHeapRepository.h:
3347         * ftl/FTLB3Compile.cpp:
3348         * ftl/FTLB3Output.cpp:
3349         (JSC::FTL::Output::Output):
3350         (JSC::FTL::Output::check):
3351         (JSC::FTL::Output::load):
3352         (JSC::FTL::Output::store):
3353         * ftl/FTLB3Output.h:
3354         * ftl/FTLCommonValues.cpp:
3355         (JSC::FTL::CommonValues::CommonValues):
3356         (JSC::FTL::CommonValues::initializeConstants):
3357         * ftl/FTLCommonValues.h:
3358         (JSC::FTL::CommonValues::initialize): Deleted.
3359         * ftl/FTLCompile.cpp: Removed.
3360         * ftl/FTLCompileBinaryOp.cpp: Removed.
3361         * ftl/FTLCompileBinaryOp.h: Removed.
3362         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
3363         * ftl/FTLDWARFDebugLineInfo.h: Removed.
3364         * ftl/FTLDWARFRegister.cpp: Removed.
3365         * ftl/FTLDWARFRegister.h: Removed.
3366         * ftl/FTLDataSection.cpp: Removed.
3367         * ftl/FTLDataSection.h: Removed.
3368         * ftl/FTLExceptionHandlerManager.cpp: Removed.
3369         * ftl/FTLExceptionHandlerManager.h: Removed.
3370         * ftl/FTLExceptionTarget.cpp:
3371         * ftl/FTLExceptionTarget.h:
3372         * ftl/FTLExitThunkGenerator.cpp: Removed.
3373         * ftl/FTLExitThunkGenerator.h: Removed.
3374         * ftl/FTLFail.cpp:
3375         (JSC::FTL::fail):
3376         * ftl/FTLInlineCacheDescriptor.h: Removed.
3377         * ftl/FTLInlineCacheSize.cpp: Removed.
3378         * ftl/FTLInlineCacheSize.h: Removed.
3379         * ftl/FTLIntrinsicRepository.cpp: Removed.
3380         * ftl/FTLIntrinsicRepository.h: Removed.
3381         * ftl/FTLJITCode.cpp:
3382         (JSC::FTL::JITCode::~JITCode):
3383         (JSC::FTL::JITCode::initializeB3Code):
3384         (JSC::FTL::JITCode::initializeB3Byproducts):
3385         (JSC::FTL::JITCode::initializeAddressForCall):
3386         (JSC::FTL::JITCode::contains):
3387         (JSC::FTL::JITCode::ftl):
3388         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3389         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
3390         (JSC::FTL::JITCode::addHandle): Deleted.
3391         (JSC::FTL::JITCode::addDataSection): Deleted.
3392         (JSC::FTL::JITCode::exitThunks): Deleted.
3393         * ftl/FTLJITCode.h:
3394         (JSC::FTL::JITCode::b3Code):
3395         (JSC::FTL::JITCode::handles): Deleted.
3396         (JSC::FTL::JITCode::dataSections): Deleted.
3397         * ftl/FTLJITFinalizer.cpp:
3398         (JSC::FTL::JITFinalizer::codeSize):
3399         (JSC::FTL::JITFinalizer::finalizeFunction):
3400         * ftl/FTLJITFinalizer.h:
3401         * ftl/FTLJSCall.cpp: Removed.
3402         * ftl/FTLJSCall.h: Removed.
3403         * ftl/FTLJSCallBase.cpp: Removed.
3404         * ftl/FTLJSCallBase.h: Removed.
3405         * ftl/FTLJSCallVarargs.cpp: Removed.
3406         * ftl/FTLJSCallVarargs.h: Removed.
3407         * ftl/FTLJSTailCall.cpp: Removed.
3408         * ftl/FTLJSTailCall.h: Removed.
3409         * ftl/FTLLazySlowPath.cpp:
3410         (JSC::FTL::LazySlowPath::LazySlowPath):
3411         (JSC::FTL::LazySlowPath::generate):
3412         * ftl/FTLLazySlowPath.h:
3413         (JSC::FTL::LazySlowPath::createGenerator):
3414         (JSC::FTL::LazySlowPath::patchableJump):
3415         (JSC::FTL::LazySlowPath::done):
3416         (JSC::FTL::LazySlowPath::usedRegisters):
3417         (JSC::FTL::LazySlowPath::callSiteIndex):
3418         (JSC::FTL::LazySlowPath::stub):
3419         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
3420         * ftl/FTLLink.cpp:
3421         (JSC::FTL::link):
3422         * ftl/FTLLocation.cpp:
3423         (JSC::FTL::Location::forValueRep):
3424         (JSC::FTL::Location::dump):
3425         (JSC::FTL::Location::forStackmaps): Deleted.
3426         * ftl/FTLLocation.h:
3427         (JSC::FTL::Location::forRegister):
3428         (JSC::FTL::Location::forIndirect):
3429         (JSC::FTL::Location::forConstant):
3430         (JSC::FTL::Location::kind):
3431         (JSC::FTL::Location::hasReg):
3432         * ftl/FTLLowerDFGToLLVM.cpp:
3433         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
3434         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3435         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
3436         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3437         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
3438         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
3439         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
3440         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
3441         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
3442         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3443         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3444         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
3445         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
3446         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
3447         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
3448         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
3449         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
3450         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
3451         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
3452         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3453         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
3454         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3455         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
3456         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3457         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3458         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
3459         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
3460         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
3461         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3462         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3463         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
3464         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3465         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3466         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
3467         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3468         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
3469         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3470         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
3471         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3472         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
3473         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3474         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3475         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
3476         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
3477         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
3478         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
3479         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
3480         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
3481         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
3482         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
3483         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
3484         * ftl/FTLOSRExit.cpp:
3485         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
3486         (JSC::FTL::OSRExitDescriptor::validateReferences):
3487         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
3488         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
3489         (JSC::FTL::OSRExit::OSRExit):
3490         (JSC::FTL::OSRExit::codeLocationForRepatch):
3491         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
3492         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
3493         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
3494         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
3495         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
3496         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
3497         * ftl/FTLOSRExit.h:
3498         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
3499         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
3500         * ftl/FTLOSRExitCompilationInfo.h: Removed.
3501         * ftl/FTLOSRExitCompiler.cpp:
3502         (JSC::FTL::compileRecovery):
3503         (JSC::FTL::compileStub):
3504         (JSC::FTL::compileFTLOSRExit):
3505         * ftl/FTLOSRExitHandle.cpp:
3506         * ftl/FTLOSRExitHandle.h:
3507         * ftl/FTLOutput.cpp: Removed.
3508         * ftl/FTLOutput.h: Removed.
3509         * ftl/FTLPatchpointExceptionHandle.cpp:
3510         * ftl/FTLPatchpointExceptionHandle.h:
3511         * ftl/FTLStackMaps.cpp: Removed.
3512         * ftl/FTLStackMaps.h: Removed.
3513         * ftl/FTLState.cpp:
3514         (JSC::FTL::State::State):
3515         (JSC::FTL::State::~State):
3516         (JSC::FTL::State::dumpState): Deleted.
3517         * ftl/FTLState.h:
3518         * ftl/FTLUnwindInfo.cpp: Removed.
3519         * ftl/FTLUnwindInfo.h: Removed.
3520         * ftl/FTLValueRange.cpp:
3521         (JSC::FTL::ValueRange::decorateInstruction):
3522         * ftl/FTLValueRange.h:
3523         (JSC::FTL::ValueRange::ValueRange):
3524         (JSC::FTL::ValueRange::begin):
3525         (JSC::FTL::ValueRange::end):
3526         * ftl/FTLWeight.h:
3527         (JSC::FTL::Weight::value):
3528         (JSC::FTL::Weight::frequencyClass):
3529         (JSC::FTL::Weight::scaleToTotal):
3530         * llvm/InitializeLLVM.cpp: Removed.
3531         * llvm/InitializeLLVM.h: Removed.
3532         * llvm/InitializeLLVMMac.cpp: Removed.
3533         * llvm/InitializeLLVMPOSIX.cpp: Removed.
3534         * llvm/InitializeLLVMPOSIX.h: Removed.
3535         * llvm/LLVMAPI.cpp: Removed.
3536         * llvm/LLVMAPI.h: Removed.
3537         * llvm/LLVMAPIFunctions.h: Removed.
3538         * llvm/LLVMHeaders.h: Removed.
3539         * llvm/library/LLVMAnchor.cpp: Removed.
3540         * llvm/library/LLVMExports.cpp: Removed.
3541         * llvm/library/LLVMOverrides.cpp: Removed.
3542         * llvm/library/config_llvm.h: Removed.
3543
3544 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
3545
3546         [JSC] Remove the overflow check on ArithAbs when possible
3547         https://bugs.webkit.org/show_bug.cgi?id=154325
3548
3549         Reviewed by Filip Pizlo.
3550
3551         This patch adds support for ArithMode for ArithAbs.
3552
3553         It is useful for kraken tests where Math.abs() is used
3554         on values for which the range is known.
3555
3556         For example, imaging-gaussian-blur has two Math.abs() with
3557         integers that are always in a small range around zero.
3558         The IntegerRangeOptimizationPhase detects the range correctly
3559         so we can just update the ArithMode depending on the input.
3560
3561         * dfg/DFGFixupPhase.cpp:
3562         (JSC::DFG::FixupPhase::fixupNode):
3563         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3564         * dfg/DFGNode.h:
3565         (JSC::DFG::Node::convertToArithNegate):
3566         (JSC::DFG::Node::hasArithMode):
3567         * dfg/DFGSpeculativeJIT64.cpp:
3568         (JSC::DFG::SpeculativeJIT::compile):
3569         * ftl/FTLLowerDFGToLLVM.cpp:
3570         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
3571         * tests/stress/arith-abs-integer-range-optimization.js: Added.
3572         (negativeRange):
3573         (negativeRangeIncludingZero):
3574         (negativeRangeWithOverflow):
3575         (positiveRange):
3576         (positiveRangeIncludingZero):
3577         (rangeWithoutOverflow):
3578         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
3579         (opaqueAbs):
3580
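The overflow the ArithAbs check guards against, and the range reasoning that lets the entry above drop it, as an added example. This is editor-supplied JavaScript, not WebKit code; absInt32Unchecked, absInt32Checked, absNeedsOverflowCheck and absForRange are illustrative names standing in for the DFG's int32 ArithAbs lowering and its ArithMode choice.

```javascript
// Added example, not WebKit code. Shows the single int32 input for which
// abs overflows, and the range test that proves the overflow check unneeded.

const INT32_MIN = -2147483648;

// Abs in int32 arithmetic with no overflow check: |INT32_MIN| does not fit
// in int32, so it wraps back to INT32_MIN, a negative "absolute value".
function absInt32Unchecked(x) {
  const v = x | 0;
  return (v < 0 ? -v : v) | 0;
}

// Abs with the overflow check: on the one unrepresentable input, fall back
// to the wider (double) result instead of wrapping.
function absInt32Checked(x) {
  const v = x | 0;
  if (v === INT32_MIN) return -v; // 2147483648, no longer an int32
  return v < 0 ? -v : v;
}

// Range reasoning: if the input is statically known to lie in [lo, hi] and
// lo > INT32_MIN, abs cannot overflow and the check can be omitted. This is
// the decision the entry describes being driven by the known integer range.
function absNeedsOverflowCheck(lo, hi) {
  if (lo > hi) throw new RangeError("empty range");
  return lo <= INT32_MIN;
}

// Pick the cheaper implementation only when the range proves it safe.
function absForRange(lo, hi) {
  return absNeedsOverflowCheck(lo, hi) ? absInt32Checked : absInt32Unchecked;
}
```
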
3581 2016-02-17  Chris Dumez  <cdumez@apple.com>
3582
3583         SES selftest page crashes on nightly r196694
3584         https://bugs.webkit.org/show_bug.cgi?id=154350
3585         <rdar://problem/24704334>
3586
3587         Reviewed by Mark Lam.
3588
3589         SES selftest page crashes after r196001 / r196145 when calling
3590         Object.getOwnPropertyDescriptor(window, "length") after the window
3591         has been reified and "length" has been shadowed by a value property.
3592
3593         It was crashing in JSObject::getOwnPropertyDescriptor() because
3594         we are getting a slot that has attribute "CustomAccessor" but
3595         the property is not a CustomGetterSetter. In this case, since
3596         window.length is [Replaceable] and has been set to a numeric value,
3597         it means that the property is not a CustomGetterSetter. However,
3598         the "CustomAccessor" attribute should have been dropped from the
3599         slot when window.length was shadowed. Therefore, this code path
3600         should not be exercised at all when calling
3601         getOwnPropertyDescriptor().
3602
3603         The issue was that putDirectInternal() was updating the slot
3604         attributes only if the "Accessor" flag had changed, but not
3605         the "CustomAccessor" flag. This patch fixes the issue.
3606
3607         * runtime/JSObject.h:
3608         (JSC::JSObject::putDirectInternal):
3609
3610 2016-02-17  Saam barati  <sbarati@apple.com>
3611
3612         Implement Proxy [[Get]]
3613         https://bugs.webkit.org/show_bug.cgi?id=154081
3614
3615         Reviewed by Michael Saboff.
3616
3617         This patch implements ProxyObject and ProxyConstructor. Their
3618         implementations are straightforward and follow the spec.
3619         The largest change in this patch is adding a second parameter
3620         to PropertySlot's constructor that specifies the internal method type of
3621         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to
3622         implement more than one Internal Method in the spec. Because
3623         of this, we need InternalMethodType to give us context about
3624         which Internal Method we're executing. Specifically, Proxy will
3625         call into different handlers based on this information.
3626
3627         InternalMethodType is an enum with the following values:
3628         - Get
3629           This corresponds to [[Get]] internal method in the spec.
3630         - GetOwnProperty
3631           This corresponds to [[GetOwnProperty]] internal method in the spec.
3632         - HasProperty
3633           This corresponds to [[HasProperty]] internal method in the spec.
3634         - VMInquiry
3635           This is basically everything else that isn't one of the above
3636           types. This value also mandates that getOwnPropertySlot does
3637           not perform any user observable effects, i.e., it can't call
3638           a JS function.
3639
3640         The other non-VMInquiry InternalMethodTypes are allowed to perform user
3641         observable effects, i.e., in future patches, ProxyObject will implement
3642         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty,
3643         which will both be defined to call user defined JS functions, which
3644         clearly have the right to perform user observable effects.
3645
3646         This patch implements getOwnPropertySlot of ProxyObject under
3647         InternalMethodType::Get. 
3648
3649         * API/JSCallbackObjectFunctions.h:
3650         (JSC::JSCallbackObject<Parent>::put):
3651         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3652         * CMakeLists.txt:
3653         * JavaScriptCore.xcodeproj/project.pbxproj:
3654         * debugger/DebuggerScope.cpp:
3655         (JSC::DebuggerScope::caughtValue):
3656         * interpreter/Interpreter.cpp:
3657         (JSC::Interpreter::execute):
3658         * jit/JITOperations.cpp:
3659         * llint/LLIntSlowPaths.cpp:
3660         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3661         * runtime/ArrayPrototype.cpp:
3662         (JSC::getProperty):
3663         * runtime/CommonIdentifiers.h:
3664         * runtime/JSCJSValueInlines.h:
3665         (JSC::JSValue::get):
3666         * runtime/JSFunction.cpp:
3667         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3668         (JSC::JSFunction::put):
3669         (JSC::JSFunction::defineOwnProperty):
3670         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3671         (JSC::constructGenericTypedArrayViewWithArguments):
3672         * runtime/JSGlobalObject.cpp:
3673         (JSC::JSGlobalObject::init):
3674         (JSC::JSGlobalObject::defineOwnProperty):
3675         * runtime/JSGlobalObject.h:
3676         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
3677         (JSC::JSGlobalObject::moduleRecordStructure):
3678         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
3679         (JSC::JSGlobalObject::proxyObjectStructure):
3680         (JSC::JSGlobalObject::wasmModuleStructure):
3681         * runtime/JSModuleEnvironment.cpp:
3682         (JSC::JSModuleEnvironment::getOwnPropertySlot):
3683         * runtime/JSModuleNamespaceObject.cpp:
3684         (JSC::callbackGetter):
3685         * runtime/JSONObject.cpp:
3686         (JSC::Stringifier::Holder::appendNextProperty):
3687         (JSC::Walker::walk):
3688         * runtime/JSObject.cpp:
3689         (JSC::JSObject::calculatedClassName):
3690         (JSC::JSObject::putDirectNonIndexAccessor):
3691         (JSC::JSObject::hasProperty):
3692         (JSC::JSObject::deleteProperty):
3693         (JSC::JSObject::hasOwnProperty):
3694         (JSC::JSObject::getOwnPropertyDescriptor):
3695         * runtime/JSObject.h:
3696         (JSC::JSObject::getDirectIndex):
3697         (JSC::JSObject::get):
3698         * runtime/JSScope.cpp:
3699         (JSC::abstractAccess):
3700         * runtime/ObjectConstructor.cpp:
3701         (JSC::toPropertyDescriptor):
3702         * runtime/ObjectPrototype.cpp:
3703         (JSC::objectProtoFuncLookupGetter):
3704         (JSC::objectProtoFuncLookupSetter):
3705         (JSC::objectProtoFuncToString):
3706         * runtime/PropertySlot.h:
3707         (JSC::attributesForStructure):
3708         (JSC::PropertySlot::PropertySlot):
3709         (JSC::PropertySlot::isCacheableGetter):
3710         (JSC::PropertySlot::isCacheableCustom):
3711         (JSC::PropertySlot::internalMethodType):
3712         (JSC::PropertySlot::disableCaching):
3713         (JSC::PropertySlot::getValue):
3714         * runtime/ProxyConstructor.cpp: Added.
3715         (JSC::ProxyConstructor::create):
3716         (JSC::ProxyConstructor::ProxyConstructor):
3717         (JSC::ProxyConstructor::finishCreation):
3718         (JSC::constructProxyObject):
3719         (JSC::ProxyConstructor::getConstructData):
3720         (JSC::ProxyConstructor::getCallData):
3721         * runtime/ProxyConstructor.h: Added.
3722         (JSC::ProxyConstructor::createStructure):
3723         * runtime/ProxyObject.cpp: Added.
3724         (JSC::ProxyObject::ProxyObject):
3725         (JSC::ProxyObject::finishCreation):
3726         (JSC::performProxyGet):
3727         (JSC::ProxyObject::getOwnPropertySlotCommon):
3728         (JSC::ProxyObject::getOwnPropertySlot):
3729         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3730         (JSC::ProxyObject::visitChildren):
3731         * runtime/ProxyObject.h: Added.
3732         (JSC::ProxyObject::create):
3733         (JSC::ProxyObject::createStructure):
3734         (JSC::ProxyObject::target):
3735         (JSC::ProxyObject::handler):
3736         * runtime/ReflectObject.cpp:
3737         (JSC::reflectObjectGet):
3738         * runtime/SamplingProfiler.cpp:
3739         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
3740         * tests/es6.yaml:
3741         * tests/stress/proxy-basic.js: Added.
3742         (assert):
3743         (let.handler.get null):
3744         (get let):
3745         (let.handler.get switch):
3746         (let.handler):
3747         (let.theTarget.get x):
3748         * tests/stress/proxy-in-proto-chain.js: Added.
3749         (assert):
3750         * tests/stress/proxy-of-a-proxy.js: Added.
3751         (assert):
3752         (throw.new.Error.):
3753         * tests/stress/proxy-property-descriptor.js: Added.
3754         (assert):
3755         (set Object):
3756         * wasm/WASMModuleParser.cpp:
3757         (JSC::WASMModuleParser::getImportedValue):
3758
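The observable side of what the entry above implements, as an added example: which operations route through the Proxy [[Get]] trap (and so run user code), which do not, and the invariant the trap must respect. This is editor-supplied JavaScript exercising standard Proxy semantics, not WebKit code and not its stress tests; makeTracingProxy, demoGetPaths and demoGetInvariant are illustrative names.

```javascript
// Added example, not WebKit code. Traces every [[Get]] a handler observes so
// the paths into the trap are visible, then shows the [[Get]] invariant.

function makeTracingProxy(target) {
  const trace = []; // property keys, in the order the get trap saw them
  const handler = {
    get(t, key, receiver) {
      trace.push(typeof key === "symbol" ? key.toString() : String(key));
      return Reflect.get(t, key, receiver);
    },
  };
  return { proxy: new Proxy(target, handler), trace };
}

function demoGetPaths() {
  const target = { x: 1, get y() { return this.x + 1; } };
  const { proxy, trace } = makeTracingProxy(target);

  const direct = proxy.x;                          // [[Get]] on the proxy itself
  const viaProto = Object.create(proxy).x;         // ordinary [[Get]] walks the proto chain into the proxy
  const viaProxyOfProxy = new Proxy(proxy, {}).x;  // an empty outer handler forwards to the inner [[Get]]
  const getter = proxy.y;                          // getter runs with this === proxy, so this.x re-enters the trap
  const descriptor = Object.getOwnPropertyDescriptor(proxy, "x"); // [[GetOwnProperty]]: no get trap involved
  const has = "x" in proxy;                        // [[HasProperty]]: no get trap involved

  return { direct, viaProto, viaProxyOfProxy, getter, descriptor, has, trace: trace.slice() };
}

// The trap may run arbitrary user code, but [[Get]] still enforces one
// invariant: for a non-configurable, non-writable data property of the
// target, the trap must report the target's actual value or a TypeError
// is thrown. A configurable property carries no such guarantee.
function demoGetInvariant() {
  const target = {};
  Object.defineProperty(target, "frozen", { value: 42, writable: false, configurable: false });
  const lying = new Proxy(target, { get() { return "spoofed"; } });

  let error = null;
  try { lying.frozen; } catch (e) { error = e; }

  const loose = new Proxy({ loose: 42 }, { get() { return "spoofed"; } });
  return { invariantViolated: error instanceof TypeError, looseValue: loose.loose };
}
```

Reading the trace tells a reviewer exactly where user code can run: every property read that reaches the proxy, including reads that start on an object whose prototype is the proxy and reads made from inside a getter with the proxy as receiver.
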
3759 2016-02-17  Mark Lam  <mark.lam@apple.com>
3760
3761         StringPrototype functions should check for exceptions after calling JSString::value().
3762         https://bugs.webkit.org/show_bug.cgi?id=154340
3763
3764         Reviewed by Filip Pizlo.
3765
3766         JSString::value() can throw an exception if the JS string is a rope and value()
3767         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3768         able to resolve the rope, it will return a null string (in addition to throwing
3769         the exception).  If StringPrototype functions do not check for exceptions after
3770         calling JSString::value(), they may eventually use the returned null string and
3771         crash the VM.
3772
3773         The fix is to add all the necessary exception checks, and do the appropriate
3774         handling if needed.
3775
3776         Also, in a few places where, when an exception is detected, we return JSValue(),
3777         I changed it to return jsUndefined() instead to be consistent with the rest of
3778         the file.
3779
3780         * runtime/StringPrototype.cpp:
3781         (JSC::replaceUsingRegExpSearch):
3782         (JSC::stringProtoFuncMatch):
3783         (JSC::stringProtoFuncSlice):
3784         (JSC::stringProtoFuncSplit):
3785         (JSC::stringProtoFuncLocaleCompare):
3786         (JSC::stringProtoFuncBig):
3787         (JSC::stringProtoFuncSmall):
3788         (JSC::stringProtoFuncBlink):
3789         (JSC::stringProtoFuncBold):
3790         (JSC::stringProtoFuncFixed):
3791         (JSC::stringProtoFuncItalics):
3792         (JSC::stringProtoFuncStrike):
3793         (JSC::stringProtoFuncSub):
3794         (JSC::stringProtoFuncSup):
3795         (JSC::stringProtoFuncFontcolor):
3796         (JSC::stringProtoFuncFontsize):
3797         (JSC::stringProtoFuncAnchor):
3798         (JSC::stringProtoFuncLink):
3799         (JSC::trimString):
3800
3801 2016-02-17  Commit Queue  <commit-queue@webkit.org>
3802
3803         Unreviewed, rolling out r196675.
3804         https://bugs.webkit.org/show_bug.cgi?id=154344
3805
3806         "Causes major slowdowns on deltablue-varargs" (Requested by
3807         keith_miller on #webkit).
3808
3809         Reverted changeset:
3810
3811         "Spread operator should be allowed when not the first argument
3812         of parameter list"
3813         https://bugs.webkit.org/show_bug.cgi?id=152721
3814         http://trac.webkit.org/changeset/196675
3815
3816 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
3817
3818         JSDOMWindow::put should not do the same thing twice
3819         https://bugs.webkit.org/show_bug.cgi?id=154334
3820
3821         Reviewed by Chris Dumez.
3822
3823         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
3824         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
3825         table entries.
3826
3827         * runtime/JSGlobalObject.h:
3828         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
3829             - no longer needed.
3830
3831 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3832
3833         FTL_USES_B3 should be unconditionally true
3834         https://bugs.webkit.org/show_bug.cgi?id=154324
3835
3836         Reviewed by Benjamin Poulain.
3837
3838         * dfg/DFGCommon.h:
3839
3840 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3841
3842         FTL should support CompareEq(String:, String:)
3843         https://bugs.webkit.org/show_bug.cgi?id=154269
3844         rdar://problem/24499921
3845
3846         Reviewed by Benjamin Poulain.
3847
3848         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
3849         think we should land the increased coverage first and fix the issues after, especially since
3850         the regression is so small and doesn't have a statistically significant effect on the overall
3851         score.
3852
3853         * ftl/FTLCapabilities.cpp:
3854         (JSC::FTL::canCompile):
3855         * ftl/FTLLowerDFGToLLVM.cpp:
3856         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
3857         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3858         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
3859         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3860         * tests/stress/ftl-string-equality.js: Added.
3861         * tests/stress/ftl-string-ident-equality.js: Added.
3862         * tests/stress/ftl-string-strict-equality.js: Added.
3863
3864 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3865
3866         FTL should support NewTypedArray
3867         https://bugs.webkit.org/show_bug.cgi?id=154268
3868
3869         Reviewed by Saam Barati.
3870
3871         3% speed-up on pdfjs. This was already covered by many different tests.
3872
3873         Rolling this back in after fixing the butterfly argument.
3874
3875         * ftl/FTLCapabilities.cpp:
3876         (JSC::FTL::canCompile):
3877         * ftl/FTLLowerDFGToLLVM.cpp:
3878         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3879         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3880         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3881         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3882         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3883         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3884         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3885
3886 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3887
3888         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
3889         https://bugs.webkit.org/show_bug.cgi?id=154257
3890
3891         Reviewed by Chris Dumez.
3892
3893         * runtime/Lookup.h:
3894         (JSC::getStaticPropertySlot):
3895         (JSC::getStaticFunctionSlot):
3896         (JSC::getStaticValueSlot):
3897             - this could all do with a little more love.
3898               But enforce the basic precedence:
3899                 (1) regular storage properties always win over static table properties.
3900                 (2) if properties have been reified, don't consult the static tables.
3901                 (3) only if the property is not present on the object & not reified
3902                     should the static hashtable be consulted.
3903
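The three precedence rules listed in the entry above, as an added example in the form of a small model. This is editor-supplied JavaScript, not WebKit code: StaticTableObject, getOwnPropertySlot, reifyAllStaticProperties and lookupStaticFirst are hypothetical stand-ins for JSC's Lookup.h machinery, and the static table contents are constructed. The model also shows what the rules prevent: a property that was deleted after reification reappearing from the static table.

```javascript
// Added example, not WebKit code: a simplified model of static-table
// property lookup that enforces the precedence rules from the entry.

class StaticTableObject {
  constructor(staticTable) {
    this.staticTable = staticTable; // shared, read-only table of built-ins (constructed)
    this.storage = new Map();       // per-object regular property storage
    this.reified = false;           // true once the static entries have been copied in
  }

  put(name, value) { this.storage.set(name, value); }

  deleteOwn(name) { return this.storage.delete(name); }

  // Materialize every static entry as a regular property. Entries already
  // shadowed by regular storage keep their shadowing value.
  reifyAllStaticProperties() {
    for (const [name, value] of this.staticTable) {
      if (!this.storage.has(name)) this.storage.set(name, value);
    }
    this.reified = true;
  }

  // Precedence from the entry:
  //  (1) regular storage always wins over the static table,
  //  (2) once reified, the static table is never consulted,
  //  (3) the static table is consulted only for a name absent from storage
  //      on a non-reified object.
  getOwnPropertySlot(name) {
    if (this.storage.has(name)) return { found: true, value: this.storage.get(name), source: "storage" };
    if (this.reified) return { found: false, source: null };
    if (this.staticTable.has(name)) return { found: true, value: this.staticTable.get(name), source: "static" };
    return { found: false, source: null };
  }
}

// A lookup that violates rules (1) and (2): it consults the static table
// first and ignores reification. Included only to show what goes wrong.
function lookupStaticFirst(obj, name) {
  if (obj.staticTable.has(name)) return { found: true, value: obj.staticTable.get(name), source: "static" };
  if (obj.storage.has(name)) return { found: true, value: obj.storage.get(name), source: "storage" };
  return { found: false, source: null };
}

function demoPrecedence() {
  const table = new Map([["length", 0], ["name", "window"]]); // constructed static table
  const obj = new StaticTableObject(table);

  // Rule (1): a regular property shadows the static entry of the same name.
  obj.put("length", 5);
  const shadowed = obj.getOwnPropertySlot("length");
  const shadowedWrong = lookupStaticFirst(obj, "length");

  // Rule (3): an unshadowed name on a non-reified object comes from the table.
  const fromTable = obj.getOwnPropertySlot("name");

  // Rule (2): after reification a delete must be final; the static-first
  // lookup would resurrect the property from the table.
  obj.reifyAllStaticProperties();
  obj.deleteOwn("name");
  const afterDelete = obj.getOwnPropertySlot("name");
  const afterDeleteWrong = lookupStaticFirst(obj, "name");

  return { shadowed, shadowedWrong, fromTable, afterDelete, afterDeleteWrong };
}
```
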
3904 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3905
3906         JSDOMWindow::getOwnPropertySlot should not search proto chain
3907         https://bugs.webkit.org/show_bug.cgi?id=154102
3908
3909         Reviewed by Chris Dumez.
3910
3911         Should only return *own* properties.
3912