Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-09  Andreas Kling  <akling@apple.com>

        Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
        <https://webkit.org/b/152902>

        Reviewed by Anders Carlsson.

        Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do varargs tail calls and stack overflows
        https://bugs.webkit.org/show_bug.cgi?id=152934

        Reviewed by Saam Barati.

        I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
        at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
        why I have two fixes in one change. Now the test passes.

        This reduces the number of failures from 13 to 0.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
        append an Oops (i.e. "unreachable").

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        B3 needs Neg()
        https://bugs.webkit.org/show_bug.cgi?id=152925

        Reviewed by Mark Lam.

        Previously we said that negation should be represented as Sub(0, x). That's wrong, since
        for floats, Sub(0, 0) == 0 while Neg(0) == -0.

        One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
        should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
        to use bitops to represent floating point operations. Whatever cuteness this would have
        bought us would be outweighed by the annoyance of having to write code that matches
        Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
        would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
        Also, I suspect that the omission of Neg would cause others to make the mistake of using
        Sub to represent floating point negation.

        So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
        negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
        floats, we lower it to BitXor(x, -0) on x86.

        This reduces the number of failures from 13 to 12.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andFloat):
        (JSC::MacroAssemblerX86Common::xorDouble):
        (JSC::MacroAssemblerX86Common::xorFloat):
        (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/air/AirOpcode.opcodes:
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::neg):
        (JSC::FTL::Output::bitNot):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::chillDiv):
        (JSC::FTL::Output::mod):
        (JSC::FTL::Output::chillMod):
        (JSC::FTL::Output::doubleAdd):
        (JSC::FTL::Output::doubleSub):
        (JSC::FTL::Output::doubleMul):
        (JSC::FTL::Output::doubleDiv):
        (JSC::FTL::Output::doubleMod):
        (JSC::FTL::Output::doubleNeg):
        (JSC::FTL::Output::bitAnd):
        (JSC::FTL::Output::bitOr):
        (JSC::FTL::Output::neg): Deleted.
        * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
        it's such a glaring bug, I thought having a test for it specifically would be good.
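
The Sub(0, x) versus Neg(x) distinction from the entry above, worked through in C as an added example (this is not B3's code): integer negation via subtraction is exact, but floating-point 0.0 - 0.0 yields +0.0, whereas the BitXor(x, -0) lowering flips only the sign bit and gives -0.0. Function names are this example's own.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Integer negation: Sub(0, x) and Neg(x) agree for every x, including
 * INT32_MIN, because two's-complement subtraction wraps. The arithmetic is
 * done unsigned so the wrap is well defined in C. */
static int32_t negViaSub32(int32_t x)
{
    return (int32_t)(0u - (uint32_t)x);
}

/* Floating-point Sub(0, x) in IEEE arithmetic: 0.0 - 0.0 is +0.0 under
 * round-to-nearest, so the sign of a zero input is lost. */
static double subFromZero(double x)
{
    return 0.0 - x;
}

/* The x86 lowering the entry describes: BitXor(x, -0.0). The bit pattern of
 * -0.0 is just the sign bit (1 << 63), so the xor flips the sign and nothing
 * else, which is what Neg(x) must do: Neg(0.0) == -0.0 and Neg(-0.0) == 0.0. */
static double negViaXor(double x)
{
    uint64_t bits;
    const uint64_t signBit = UINT64_C(1) << 63; /* bit pattern of -0.0 */
    memcpy(&bits, &x, sizeof bits);
    bits ^= signBit;
    memcpy(&x, &bits, sizeof x);
    return x;
}

/* Distinguishes -0.0 from +0.0; an == comparison cannot, since -0.0 == 0.0. */
static int isNegativeZero(double x)
{
    return x == 0.0 && signbit(x) != 0;
}

/* Reports whether Sub(0, x) and Neg(x) produce the same bit pattern for x.
 * They differ exactly for zero inputs (and the sign of a NaN). */
static int subMatchesNeg(double x)
{
    double a = subFromZero(x);
    double b = negViaXor(x);
    return memcmp(&a, &b, sizeof a) == 0;
}

int main(void)
{
    printf("0.0 - 0.0        -> %s\n", isNegativeZero(subFromZero(0.0)) ? "-0.0" : "+0.0");
    printf("BitXor(0.0, -0)  -> %s\n", isNegativeZero(negViaXor(0.0)) ? "-0.0" : "+0.0");
    /* Observable consequence: 1/+0.0 is +inf while 1/-0.0 is -inf. */
    printf("1 / (0.0 - 0.0)  = %f\n", 1.0 / subFromZero(0.0));
    printf("1 / Neg(0.0)     = %f\n", 1.0 / negViaXor(0.0));
    return 0;
}
```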

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
        https://bugs.webkit.org/show_bug.cgi?id=152922

        Reviewed by Saam Barati.

        FTL B3 was generating a handler table that first contained the old baseline handlers keyed
        by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
        wrong, since the FTL code block should not contain any baseline handlers. The fix is to
        clear the handlers before generation, sort of like FTL LLVM does.

        Also added some stuff to make it easier to inspect the handler table.

        This reduces the number of failures from 25 to 13.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::dumpExceptionHandlers):
        (JSC::CodeBlock::beginDumpProfiling):
        * bytecode/CodeBlock.h:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
        https://bugs.webkit.org/show_bug.cgi?id=152916

        Reviewed by Mark Lam.

        This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!

        This reduces the number of failures from 27 to 25.

        * b3/B3ReduceStrength.cpp:

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 allocateCell() should not crash
        https://bugs.webkit.org/show_bug.cgi?id=152909

        Reviewed by Mark Lam.

        This code was crashing in some tests that forced GC slow paths because it was stubbed out
        due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
        undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
        any LLVM optimizations by using undef.

        This reduces the number of failures from 35 to 27.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 fails to realize that binary snippets might choose to omit their fast path
        https://bugs.webkit.org/show_bug.cgi?id=152901

        Reviewed by Mark Lam.

        This reduces the number of failures from 99 to 35.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):

2016-01-08  Saam Barati  <sbarati@apple.com>

        restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=152879

        Reviewed by Filip Pizlo.

        We were clobbering a register we needed when picking
        a scratch register inside an FTL OSR Exit.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitRandomThunk):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
        (foo):

2016-01-08  Mark Lam  <mark.lam@apple.com>

        Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
        https://bugs.webkit.org/show_bug.cgi?id=152897

        Not reviewed.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromSingleCharCode): Deleted.
        * runtime/StringConstructor.h:

2016-01-08  Per Arne Vollan  <peavo@outlook.com>

        [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
        https://bugs.webkit.org/show_bug.cgi?id=152893

        Reviewed by Mark Lam.

        Use std::call_once since pthreads is not present on all platforms.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        (JSC::initializeLLVM):

2016-01-08  Mark Lam  <mark.lam@apple.com>

        Rename StringFromCharCode to StringFromSingleCharCode.
        https://bugs.webkit.org/show_bug.cgi?id=152897

        Reviewed by Daniel Bates.

        StringFromSingleCharCode is a better name because the intrinsic it represents
        only applies when we are converting from a single char code.  This is purely
        a refactoring patch.  There is no semantic change.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromSingleCharCode):
        * runtime/StringConstructor.h:

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Fixed unused parameter warnings
        https://bugs.webkit.org/show_bug.cgi?id=152885

        Reviewed by Mark Lam.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Max value of immediate arg of logical ops is 0xffff
        https://bugs.webkit.org/show_bug.cgi?id=152884

        Reviewed by Michael Saboff.

        Replaced imm.m_value < 65535 checks with imm.m_value <= 65535.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::or32):

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Add new or32 implementation after r194613
        https://bugs.webkit.org/show_bug.cgi?id=152865

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 lazy slow paths should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152853

        Reviewed by Saam Barati.

        This reduces the number of JSC test failures to 97.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        * tests/stress/ftl-new-negative-array-size.js: Added.
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip more tests that fail.

        * tests/stress/ftl-shr-exception.js:
        (foo):
        * tests/stress/ftl-xor-exception.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 binary snippets should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152852

        Reviewed by Saam Barati.

        This reduces the number of JSC test failures to 110.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        * tests/stress/ftl-shr-exception.js: Added.
        (foo):
        (result.foo.valueOf):
        * tests/stress/ftl-sub-exception.js: Added.
        (foo):
        (result.foo.valueOf):
        * tests/stress/ftl-xor-exception.js: Added.
        (foo):
        (result.foo.valueOf):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.

        * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skipping this test. Looks like LLVM can't handle it.

        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 JS calls should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152851

        Reviewed by Geoffrey Garen.

        This reduces the number of JSC test failures with FTL B3 to 111.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-exception-no-catch.js: Added.
        * tests/stress/ftl-call-exception.js: Added.
        * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
        * tests/stress/ftl-call-varargs-exception.js: Added.

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 PutById should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152850

        Reviewed by Saam Barati.

        Implemented PutById exception handling by following the idiom used in GetById. Reduces the
        number of JSC test failures to 128.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
        * tests/stress/ftl-put-by-id-setter-exception.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception.js: Added.

2016-01-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194714.
        https://bugs.webkit.org/show_bug.cgi?id=152864

        it broke many JSC tests when FTL B3 is enabled (Requested by
        pizlo on #webkit).

        Reverted changeset:

        "[JSC] When resolving Stack arguments, use addressing from SP
        when addressing from FP is invalid"
        https://bugs.webkit.org/show_bug.cgi?id=152840
        http://trac.webkit.org/changeset/194714

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Lower immediates of logical operations.
        https://bugs.webkit.org/show_bug.cgi?id=152693

        On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
        non-negative numbers.

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Update testCheckSubBadImm() for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152846

        Reviewed by Mark Lam.

        * b3/testb3.cpp:
        (JSC::B3::testCheckSubBadImm):
        The test was assuming the constant can always be used
        as immediate. That's obviously not the case on ARM64.

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 getById() should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152810

        Reviewed by Saam Barati.

        This adds abstractions for doing exceptions from patchpoints, and uses them to implement
        exceptions from GetById. This covers all of the following ways that a GetById might throw an
        exception:

        - Throw without try/catch from the vmCall() in a GetById(Untyped:)
        - Throw with try/catch from the vmCall() in a GetById(Untyped:)
        - Throw without try/catch from the callOperation() in the patchpoint of a GetById
        - Throw with try/catch from the callOperation() in the patchpoint of a GetById
        - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
        - Throw with try/catch from the Call IC generated in the patchpoint of a GetById

        This requires having a default exception target in FTL-generated code, and ensuring that this
        target is generated regardless of whether we have branches to the B3 basic block of the
        default exception target. This also requires adding some extra arguments to a
        PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
        else. This also requires associating the CallSiteIndex of the patchpoint with the register
        set used for exit and with the OSR exit label for the unwind exit.

        All of the stuff that you have to worry about when wiring a patchpoint to exception handling
        is covered by the new PatchpointExceptionHandle object. You create one by calling
        preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
        with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
        object that can be used to create zero or more actual OSR exits. It can create both OSR exits
        for operation calls and OSR exits for unwind. You call the
        PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
        actually get OSR exits.

        This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
        PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
        you use this API, it automatically registers a link task that will link the JumpList to the
        actual OSR exit label.

        This API is very flexible about how you get to the label of the OSR exit. You are encouraged
        to use the Box<JumpList> approach, but if you really just need the label, you can also get
        a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
        to vend you the OSR exit label at link-time.

        This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
        bunch of new tests specifically for all of the ways you might throw from GetById, and B3
        passes all of these new tests. Note that I'm not counting the new tests as part of the
        previous 186 test failures (FTL B3 failed all of the new tests prior to this change).

        After this change, it should be easy to make all of the other patchpoints also handle
        exceptions by just following the preparePatchpointForExceptions() idiom.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3StackmapValue.h:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo):
        (JSC::B3::ValueRep::usedRegisters):
        (JSC::B3::ValueRep::dump):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::doubleValue):
        (JSC::B3::ValueRep::withOffset):
        (JSC::B3::ValueRep::usedRegisters):
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::unreachable):
        (JSC::FTL::Output::speculate):
        * ftl/FTLExceptionTarget.cpp: Added.
        (JSC::FTL::ExceptionTarget::~ExceptionTarget):
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        (JSC::FTL::ExceptionTarget::ExceptionTarget):
        * ftl/FTLExceptionTarget.h: Added.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
        * ftl/FTLPatchpointExceptionHandle.cpp: Added.
        (JSC::FTL::PatchpointExceptionHandle::create):
        (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
        (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
        (JSC::FTL::PatchpointExceptionHandle::createHandle):
        * ftl/FTLPatchpointExceptionHandle.h: Added.
        * ftl/FTLState.cpp:
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
        * tests/stress/ftl-get-by-id-getter-exception.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception.js: Added.
        * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-operation-exception-no-catch.js: Added.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Implemented missing branch patching methods.
        https://bugs.webkit.org/show_bug.cgi?id=152845

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
        https://bugs.webkit.org/show_bug.cgi?id=152840

        Reviewed by Mark Lam.

        ARM64 has two kinds of addressing with immediates:
        - Signed 9-bit direct (really only -256 to 255).
        - Unsigned 12-bit scaled by the load/store size.

        When resolving the stack addresses, we easily run
        past -256 bytes from FP. Addressing from SP gives us more
        room to address the stack efficiently because we can
        use unsigned immediates.

        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
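
The two ARM64 immediate forms named in the entry above, and the FP-versus-SP choice they motivate, as an added C example (this is not B3's or Air's code): the encodability checks follow the ranges the entry gives, and the frame layout (SP == FP - frameSize, slots at negative FP offsets) and all function names are this example's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ARM64 load/store immediate forms:
 *  - LDUR/STUR: signed 9-bit byte offset, any alignment, -256..255.
 *  - LDR/STR (unsigned offset): 12-bit unsigned immediate scaled by the access
 *    size, so the byte offset must be a multiple of the size and <= 4095*size. */
static bool fitsSigned9(int64_t byteOffset)
{
    return byteOffset >= -256 && byteOffset <= 255;
}

static bool fitsUnsigned12Scaled(int64_t byteOffset, unsigned accessSize)
{
    if (byteOffset < 0 || byteOffset % accessSize != 0)
        return false;
    return byteOffset / accessSize <= 4095;
}

/* Either form lets the offset be a single-instruction immediate. */
static bool isEncodableImmediate(int64_t byteOffset, unsigned accessSize)
{
    return fitsSigned9(byteOffset) || fitsUnsigned12Scaled(byteOffset, accessSize);
}

typedef enum { BaseFP, BaseSP, BaseNeedsMaterializing } StackBase;

/* Simplified model of the choice the entry describes. Slots are FP-relative
 * (negative offsets below the frame pointer), so from FP only the signed 9-bit
 * form can reach them. Assuming SP == FP - frameSize, the same slot sits at
 * fpOffset + frameSize from SP, which is non-negative and therefore eligible
 * for the unsigned 12-bit form. FP is preferred; SP is used only when the
 * FP-relative offset is not encodable. */
static StackBase chooseStackBase(int64_t fpOffset, int64_t frameSize, unsigned accessSize, int64_t* outOffset)
{
    if (isEncodableImmediate(fpOffset, accessSize)) {
        *outOffset = fpOffset;
        return BaseFP;
    }
    int64_t spOffset = fpOffset + frameSize;
    if (spOffset >= 0 && isEncodableImmediate(spOffset, accessSize)) {
        *outOffset = spOffset;
        return BaseSP;
    }
    /* Neither base works: the offset would have to be materialized in a register. */
    *outOffset = fpOffset;
    return BaseNeedsMaterializing;
}

int main(void)
{
    /* Constructed sample slots in a 2048-byte frame, each accessed as 8 bytes. */
    static const int64_t slots[] = { -16, -256, -264, -1024, -1027 };
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++) {
        int64_t off;
        StackBase base = chooseStackBase(slots[i], 2048, 8, &off);
        const char* how = base == BaseFP ? "FP" : base == BaseSP ? "SP" : "no immediate; FP";
        printf("slot FP%+lld (8-byte): %s%+lld\n", (long long)slots[i], how, (long long)off);
    }
    return 0;
}
```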

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Make repatchCall public to fix compilation.
        https://bugs.webkit.org/show_bug.cgi?id=152843

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall): Deleted.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Replaced subi with addi in getHostCallReturnValue
        https://bugs.webkit.org/show_bug.cgi?id=152841

        Reviewed by Michael Saboff.

        The MIPS architecture does not have a subi instruction; addi with a negative
        number should be used instead.

        * jit/JITOperations.cpp:

2016-01-07  Mark Lam  <mark.lam@apple.com>

        ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
        https://bugs.webkit.org/show_bug.cgi?id=152833

        Reviewed by Michael Saboff.

        Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
        store32.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::store):

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] GPRInfo::toArgumentRegister missing
        https://bugs.webkit.org/show_bug.cgi?id=152838

        Reviewed by Michael Saboff.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister):

2016-01-07  Mark Lam  <mark.lam@apple.com>

        ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
        https://bugs.webkit.org/show_bug.cgi?id=152833

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):
        - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        - Implement an optimization that avoids reloading the memoryTempRegister when
          the immediate is encodable as an instruction immediate.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
        - Implement an optimization that avoids reloading the memoryTempRegister when
          the immediate is encodable as an instruction immediate.  In the event that we
          cannot encode the immediate, we'll use the addressTempRegister as a temp, and
          reload it later.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
        https://bugs.webkit.org/show_bug.cgi?id=152664

        Reviewed by Alex Christensen.

        * shell/CMakeLists.txt:

2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
        https://bugs.webkit.org/show_bug.cgi?id=152825
        <rdar://problem/24021276>

        Reviewed by Timothy Hatcher.

        * debugger/Debugger.cpp:
        (JSC::Debugger::breakProgram):
        We cannot pause if we are not evaluating JavaScript, so bail.

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Re-enable lea() in Air on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152832

        Reviewed by Michael Saboff.

        Lea() on the MacroAssembler is not the full x86 Lea (the real one being
        x86Lea32()). Instead, it is an addPtr() with SP and a constant.

        The instruction is required to implement B3's StackSlot. It is not
        safe for big offsets but none of the stack operations are at the moment.

        * b3/air/AirOpcode.opcodes:

2016-01-07  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add two missing abortWithReason implementations
        https://bugs.webkit.org/show_bug.cgi?id=136753

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::memoryFence):
        (JSC::MacroAssemblerMIPS::abortWithReason):
        (JSC::MacroAssemblerMIPS::readCallTarget):

2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>

        Add new or32 implementation to MacroAssemblerARM after r194613
        https://bugs.webkit.org/show_bug.cgi?id=152784

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):

2016-01-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
        https://bugs.webkit.org/show_bug.cgi?id=152805

        Reviewed by Michael Saboff.

        There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
        So, we'll continue to use one of the result registers as the scratch, and
        re-compute the result at the end.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):

2016-01-06  Anders Carlsson  <andersca@apple.com>

        Add a smart block pointer
        https://bugs.webkit.org/show_bug.cgi?id=152799

        Reviewed by Tim Horton.

        Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.

        * inspector/remote/RemoteConnectionToTarget.h:
        (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
        (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
        (Inspector::RemoteTargetBlock::operator=): Deleted.
        (Inspector::RemoteTargetBlock::operator()): Deleted.
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
        (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):

2016-01-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] More B3 tests passing on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152787

        Reviewed by Michael Saboff.

        Some more minor bugs.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::urshift64):
        The offset was being truncated. That code was just copied
769         from the 32-bit version of urshift.
770
771         * b3/B3LowerToAir.cpp:
772         (JSC::B3::Air::LowerToAir::createGenericCompare):
773         Very few instructions can encode -1 as immediate.
774         TST certainly can't. The fallback works for ARM.
775
776         * b3/air/AirOpcode.opcodes:
777         Bit instructions have very specific immediate encoding.
778         B3 cannot express that properly yet. I disabled those
779         forms for now. Immediate encoding is something we'll really
780         have to look into at some point for B3 ARM64.
781
782 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
783
784         Silence -Wtautological-compare
785         https://bugs.webkit.org/show_bug.cgi?id=152768
786
787         Reviewed by Saam Barati.
788
789         * runtime/Options.cpp:
790         (JSC::Options::setAliasedOption):
791
792 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
793
794         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
795         https://bugs.webkit.org/show_bug.cgi?id=152798
796
797         Reviewed by Oliver Hunt.
798
799         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
800         into callCheck(), since that was its only caller. This makes it a bit more clear what is
801         going on.
802
803         It turns out that FTL B3 already handled this case properly. I added a test that I believe
804         illustrates this. Note that although the test uses GetById, which ordinarily throws
805         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
806         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
807
808         * ftl/FTLLowerDFGToLLVM.cpp:
809         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
810         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
811         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
812         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
813         * tests/stress/ftl-operation-exception.js: Added.
814         (foo):
815
816 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
817
818         Web Inspector: Remove duplicate check
819         https://bugs.webkit.org/show_bug.cgi?id=152792
820
821         Reviewed by Timothy Hatcher.
822
823         * inspector/InjectedScriptSource.js:
824         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
825         This method is only called from one place, and it does an equivalent
826         check before calling this function. Remove the duplicate check.
827
828 2016-01-06  Brian Burg  <bburg@apple.com>
829
830         Add a WebKit SPI for registering an automation controller with RemoteInspector
831         https://bugs.webkit.org/show_bug.cgi?id=151576
832
833         Reviewed by Dan Bernstein and Joseph Pecoraro.
834
835         Given a RemoteInspector endpoint that is instantiated in UIProcess, there
836         should be a way to delegate automation-related functionality and policy to
837         clients of WebKit.
838
839         This class adds a RemoteInspector::Client interface that serves a delegate.
840         This is ultimately delegated via _WKAutomationDelegate, which is an SPI
841         that allows clients to install an Objective-C delegate for automation.
842
843         The setting for whether remote automation is allowed is included in the
844         listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
845         is assigned, or when the client signals that its capabilities have changed.
846
847         * inspector/remote/RemoteInspector.h:
848         * inspector/remote/RemoteInspector.mm:
849         (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
850         (Inspector::RemoteInspector::pushListingsNow):
851
852             In the listing, include whether the application supports remote automation.
853
854         * inspector/remote/RemoteInspectorConstants.h: Add a constant.
855
856 2016-01-05  Keith Miller  <keith_miller@apple.com>
857
858         [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
859         https://bugs.webkit.org/show_bug.cgi?id=152765
860
861         Reviewed by Michael Saboff.
862
863         This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.
864
865         * runtime/BooleanConstructor.cpp:
866         (JSC::constructWithBooleanConstructor):
867         (JSC::constructBoolean): Deleted.
868         * runtime/BooleanConstructor.h:
869         * runtime/MapConstructor.cpp:
870         (JSC::constructMap):
871         * runtime/NumberConstructor.cpp:
872         (JSC::constructWithNumberConstructor):
873         * runtime/RegExpConstructor.cpp:
874         (JSC::getRegExpStructure):
875         (JSC::constructRegExp):
876         * runtime/SetConstructor.cpp:
877         (JSC::constructSet):
878         * tests/es6.yaml:
879         * tests/stress/class-subclassing-misc.js: Added.
880         (B):
881         (N):
882         (M):
883         (R):
884         (S):
885         (test):
886
887 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
888
889         [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler
890         https://bugs.webkit.org/show_bug.cgi?id=152782
891
892         Reviewed by Benjamin Poulain.
893
894         Already covered by LayoutTests/js/dfg-uint32array-overflow-values test.
895
896         * assembler/MacroAssemblerMIPS.h:
897         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
898
899 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
900
901         [mips] Fix or32 implementation in macro assembler
902         https://bugs.webkit.org/show_bug.cgi?id=152781
903
904         Reviewed by Michael Saboff.
905
906         * assembler/MacroAssemblerMIPS.h:
907         (JSC::MacroAssemblerMIPS::or32):
908
909 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
910
911         [mips] Add missing branchAdd32 implementation in macro assembler
912         https://bugs.webkit.org/show_bug.cgi?id=152785
913
914         Reviewed by Michael Saboff.
915
916         * assembler/MacroAssemblerMIPS.h:
917         (JSC::MacroAssemblerMIPS::branchAdd32):
918
919 2016-01-06  Andy VanWagoner  <thetalecrafter@gmail.com>
920
921         [ES6] Date.prototype should be a plain object
922         https://bugs.webkit.org/show_bug.cgi?id=152574
923
924         Reviewed by Benjamin Poulain.
925
926         * runtime/DateConstructor.cpp:
927         (JSC::DateConstructor::finishCreation):
928         * runtime/DatePrototype.cpp:
929         (JSC::DatePrototype::DatePrototype):
930         * runtime/DatePrototype.h:
931         * tests/mozilla/mozilla-tests.yaml: Expect errors from old Date.prototype as Date instance tests.
932
933 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
934
935         [JSC] Get more of testb3 to pass on ARM64
936         https://bugs.webkit.org/show_bug.cgi?id=152737
937
938         Reviewed by Geoffrey Garen.
939
940         A bunch of minor bugs and missing functions to make most of testb3
941         run on ARM64.
942
943         * JavaScriptCore.xcodeproj/project.pbxproj:
944         * assembler/ARM64Assembler.h:
945         (JSC::ARM64Assembler::canEncodePImmOffset):
946         (JSC::ARM64Assembler::canEncodeSImmOffset):
947         (JSC::isInt9): Deleted.
948         (JSC::isUInt12): Deleted.
949         * assembler/ARMv7Assembler.h:
950         * assembler/AssemblerCommon.h: Added.
951         (JSC::isInt9):
952         (JSC::isUInt12):
953         (JSC::isValidScaledUImm12):
954         (JSC::isValidSignedImm9):
955         * assembler/MacroAssemblerARM64.h:
956         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
957         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
958         (JSC::MacroAssemblerARM64::store16):
959         (JSC::MacroAssemblerARM64::absFloat):
960         (JSC::MacroAssemblerARM64::loadFloat):
961         (JSC::MacroAssemblerARM64::storeFloat):
962         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate):
963         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate):
964         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
965         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<8>):
966         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<16>):
967         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<8>):
968         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<16>):
969         * assembler/X86Assembler.h:
970         * b3/B3LowerToAir.cpp:
971         (JSC::B3::Air::LowerToAir::effectiveAddr):
972         (JSC::B3::Air::LowerToAir::lower):
973         * b3/air/AirArg.h:
974         (JSC::B3::Air::Arg::isValidImmForm):
975         (JSC::B3::Air::Arg::isValidAddrForm):
976         (JSC::B3::Air::Arg::isValidForm):
977         * b3/air/AirOpcode.opcodes:
978
979 2016-01-05  Zan Dobersek  <zdobersek@igalia.com>
980
981         [CMake] Remove USE_UDIS86 variable
982         https://bugs.webkit.org/show_bug.cgi?id=152731
983
984         Reviewed by Gyuyoung Kim.
985
986         * CMakeLists.txt: Unconditionally build the Udis86-specific files.
987
988 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
989
990         FTL B3 fails cdjs-tests.yaml/red_black_tree_test.js.ftl-eager-no-cjit
991         https://bugs.webkit.org/show_bug.cgi?id=152770
992
993         Reviewed by Mark Lam.
994
995         It turns out that liveness didn't know that the return value GPR or FPR is live at the
996         return. Consequently, we can end up with code that clobbers the return value register after
997         the move of the return value into that register. This could happen if we start with
998         something like:
999
1000             Move 42(%tmp1), %tmp2
1001             Move 50(%tmp1), %tmp3
1002             Move %tmp3, 58(%tmp1)
1003             Move %tmp2, %rax
1004             Ret
1005
1006         Then we might coalesce %tmp2 with %rax:
1007
1008             Move 42(%tmp1), %rax
1009             Move 50(%tmp1), %tmp3
1010             Move %tmp3, 58(%tmp1)
1011             Ret
1012
1013         But now there is no use of %rax after that first instruction, so %rax appears dead at the
1014         other two Moves. So, the register allocator could then do this:
1015
1016             Move 42(%tmp1), %rax
1017             Move 50(%tmp1), %rax
1018             Move %rax, 58(%tmp1)
1019             Ret
1020
1021         And that's clearly wrong. This patch solves this issue by replacing the old Ret instruction
1022         with Ret32, Ret64, RetFloat, and RetDouble. These all take the return value register as an
1023         argument. They also tell Air which parts of the return value register the caller will
1024         observe. That's great for width analysis.
1025
1026         This resolves a test failure in the CDjs red_black_tree_test. This reduces the total number
1027         of JSC test failures from 217 to 191.
1028
1029         * assembler/MacroAssembler.h:
1030         (JSC::MacroAssembler::oops):
1031         (JSC::MacroAssembler::ret32):
1032         (JSC::MacroAssembler::ret64):
1033         (JSC::MacroAssembler::retFloat):
1034         (JSC::MacroAssembler::retDouble):
1035         (JSC::MacroAssembler::shouldConsiderBlinding):
1036         * b3/B3LowerToAir.cpp:
1037         (JSC::B3::Air::LowerToAir::lower):
1038         * b3/air/AirGenerate.cpp:
1039         (JSC::B3::Air::generate):
1040         * b3/air/AirHandleCalleeSaves.cpp:
1041         (JSC::B3::Air::handleCalleeSaves):
1042         * b3/air/AirOpcode.opcodes:
1043         * b3/air/opcode_generator.rb:
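
An added example, not JavaScriptCore code, modelling the liveness problem this entry describes: a backward liveness pass over the Air-like sequences above, with the old operand-less Ret beside a Ret64 that names the return register. The opcode names come from the entry; the operand parser and data layout are assumptions made for the example.

```javascript
// Operand parser (constructed): "%r" is a register operand, "42(%r)" is a
// memory operand whose base register is read.
function parseOperand(text) {
  const mem = /^-?\d+\((%\w+)\)$/.exec(text);
  return mem ? { kind: "mem", base: mem[1] } : { kind: "reg", name: text };
}

// Instruction parser. Move reads its source (register or memory base) and
// writes a register destination; a memory destination reads its base.
// A bare Ret reads nothing (the old behaviour). Ret32/Ret64/RetFloat/RetDouble
// read the register they are given, which is the fix described above.
function parseInst(line) {
  const m = /^(\w+)\s*(.*)$/.exec(line.trim());
  const op = m[1];
  const args = m[2] ? m[2].split(",").map(s => parseOperand(s.trim())) : [];
  const uses = new Set();
  const defs = new Set();
  const read = a => uses.add(a.kind === "reg" ? a.name : a.base);
  if (op === "Move") {
    read(args[0]);
    if (args[1].kind === "reg") defs.add(args[1].name); else read(args[1]);
  } else if (/^Ret(32|64|Float|Double)$/.test(op)) {
    read(args[0]);
  } else if (op !== "Ret") {
    throw new Error("unknown opcode " + op);
  }
  return { op, uses, defs };
}

// Standard backward liveness for straight-line code:
// liveIn(i) = uses(i) ∪ (liveOut(i) − defs(i)), liveOut(i) = liveIn(i + 1).
// Returns one live-out set per instruction.
function liveOut(lines) {
  const insts = lines.map(parseInst);
  const out = new Array(insts.length);
  let live = new Set();
  for (let i = insts.length - 1; i >= 0; i--) {
    out[i] = new Set(live);
    const kept = [...live].filter(r => !insts[i].defs.has(r));
    live = new Set([...insts[i].uses, ...kept]);
  }
  return out;
}

// A register allocator may hand `reg` to another temp right after
// instruction `index` only if nothing downstream still reads it.
function isDeadAfter(lines, index, reg) {
  return !liveOut(lines)[index].has(reg);
}

// Constructed sequences mirroring the entry, after %tmp2 was coalesced into %rax.
const withPlainRet = [
  "Move 42(%tmp1), %rax",
  "Move 50(%tmp1), %tmp3",
  "Move %tmp3, 58(%tmp1)",
  "Ret",
];
const withRet64 = [
  "Move 42(%tmp1), %rax",
  "Move 50(%tmp1), %tmp3",
  "Move %tmp3, 58(%tmp1)",
  "Ret64 %rax",
];

// With a bare Ret, %rax looks dead after the first Move, so the allocator may
// give it to %tmp3 and clobber the return value. With Ret64 %rax it stays live
// all the way to the return.
console.log(isDeadAfter(withPlainRet, 0, "%rax")); // true  (the bug)
console.log(isDeadAfter(withRet64, 0, "%rax"));    // false (fixed)
```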
1044
1045 2016-01-05  Keith Miller  <keith_miller@apple.com>
1046
1047         Unreviewed build fix. A symbol was being exported that should not have been.
1048
1049         * runtime/Structure.h:
1050
1051 2016-01-05  Commit Queue  <commit-queue@webkit.org>
1052
1053         Unreviewed, rolling out r194603.
1054         https://bugs.webkit.org/show_bug.cgi?id=152762
1055
1056         This change introduced JSC test failures (Requested by
1057         ryanhaddad on #webkit).
1058
1059         Reverted changeset:
1060
1061         "[ES6] Date.prototype should be a plain object"
1062         https://bugs.webkit.org/show_bug.cgi?id=152574
1063         http://trac.webkit.org/changeset/194603
1064
1065 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
1066
1067         stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
1068         https://bugs.webkit.org/show_bug.cgi?id=152756
1069
1070         Reviewed by Saam Barati.
1071
1072         This fixes a really obvious and dumb tail call bug in FTL B3. I think that tail calls work
1073         for real now. I have no idea why I got any tail call tests to pass before this fix.
1074
1075         * ftl/FTLLowerDFGToLLVM.cpp:
1076         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1077
1078 2016-01-04  Mark Lam  <mark.lam@apple.com>
1079
1080         Profiling should detect when multiplication overflows but does not create negative zero.
1081         https://bugs.webkit.org/show_bug.cgi?id=132470
1082
1083         Reviewed by Geoffrey Garen.
1084
1085         * assembler/MacroAssemblerARM64.h:
1086         (JSC::MacroAssemblerARM64::or32):
1087         * assembler/MacroAssemblerARMv7.h:
1088         (JSC::MacroAssemblerARMv7::or32):
1089         - New or32 emitter needed by the mul snippet.
1090
1091         * bytecode/CodeBlock.cpp:
1092         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1093         (JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.
1094         * bytecode/CodeBlock.h:
1095         (JSC::CodeBlock::ensureResultProfile):
1096         (JSC::CodeBlock::addResultProfile): Deleted.
1097         (JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.
1098         - Added an m_bytecodeOffsetToResultProfileIndexMap because we can now add result
1099           profiles in any order (based on runtime execution), not necessarily in bytecode
1100           order at baseline compilation time.
1101
1102         * bytecode/ValueProfile.cpp:
1103         (WTF::printInternal):
1104         * bytecode/ValueProfile.h:
1105         (JSC::ResultProfile::didObserveInt52Overflow):
1106         (JSC::ResultProfile::setObservedInt52Overflow):
1107         - Add new Int52Overflow flags.
1108
1109         * dfg/DFGByteCodeParser.cpp:
1110         (JSC::DFG::ByteCodeParser::makeSafe):
1111         - Now with more straightforward mapping of profiling info.
1112
1113         * dfg/DFGCommon.h:
1114         - Fixed a typo in a comment.
1115
1116         * dfg/DFGNode.h:
1117         (JSC::DFG::Node::arithNodeFlags):
1118         (JSC::DFG::Node::mayHaveNonIntResult):
1119         (JSC::DFG::Node::hasConstantBuffer):
1120         * dfg/DFGNodeFlags.cpp:
1121         (JSC::DFG::dumpNodeFlags):
1122         * dfg/DFGNodeFlags.h:
1123         (JSC::DFG::nodeMayOverflowInt52):
1124         (JSC::DFG::nodeCanSpeculateInt52):
1125         * dfg/DFGPredictionPropagationPhase.cpp:
1126         (JSC::DFG::PredictionPropagationPhase::propagate):
1127         - We now have profiling info for whether the result was ever seen to be a non-Int.
1128           Use this to make a better prediction.
1129
1130         * jit/JITArithmetic.cpp:
1131         (JSC::JIT::emit_op_div):
1132         (JSC::JIT::emit_op_mul):
1133         - Switch to using CodeBlock::ensureResultProfile().  ResultProfiles can now be
1134           created at any time (including the slow path), not just in bytecode order
1135           during baseline compilation.
1136
1137         * jit/JITMulGenerator.cpp:
1138         (JSC::JITMulGenerator::generateFastPath):
1139         - Removed the fast path profiling code for NegZero because we'll go to the slow
1140           path anyway.  Let the slow path do the profiling for us.
1141         - Added profiling for NegZero and potential Int52 overflows in the fast path
1142           that does double math.
1143
1144         * runtime/CommonSlowPaths.cpp:
1145         (JSC::updateResultProfileForBinaryArithOp):
1146         - Removed the RETURN_WITH_RESULT_PROFILING macro (2 fewer macros), and just use
1147           the RETURN_WITH_PROFILING macro instead with a call to
1148           updateResultProfileForBinaryArithOp().  This makes it clear what we're doing
1149           to do profiling in each case, and also allows us to do custom profiling for
1150           each opcode if needed.  However, so far, we always call
1151           updateResultProfileForBinaryArithOp().
1152
1153 2016-01-05  Keith Miller  <keith_miller@apple.com>
1154
1155         [ES6] Arrays should be subclassable.
1156         https://bugs.webkit.org/show_bug.cgi?id=152706
1157
1158         Reviewed by Benjamin Poulain.
1159
1160         This patch enables full subclassing of Arrays. We do this by fetching the new.target's prototype property
1161         in the Array constructor and transitioning the old structure to have the new prototype. This method has
1162         two downsides. The first is that we clobber the transition watchpoint on the base structure. The second,
1163         which is currently very significant but should be fixed in a future patch, is that we allocate a new
1164         structure for each new derived class we allocate.
1165
1166         * runtime/ArrayConstructor.cpp:
1167         (JSC::constructArrayWithSizeQuirk):
1168         (JSC::constructWithArrayConstructor):
1169         (JSC::callArrayConstructor):
1170         * runtime/ArrayConstructor.h:
1171         * runtime/JSGlobalObject.h:
1172         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
1173         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
1174         (JSC::constructEmptyArray):
1175         (JSC::constructArray):
1176         (JSC::constructArrayNegativeIndexed):
1177         * runtime/PrototypeMap.h:
1178         * runtime/Structure.h:
1179         * runtime/StructureInlines.h:
1180         (JSC::Structure::createSubclassStructure):
1181         * tests/es6.yaml:
1182         * tests/stress/class-subclassing-array.js: Added.
1183         (A):
1184         (B.prototype.get 1):
1185         (B):
1186         (C):
1187         (test):
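
An added example, not the class-subclassing-array.js test listed above, showing what script can observe once the Array constructor consults new.target for its prototype: the subclass prototype, Array.isArray, the species constructor used by map, the Array() size quirk, and a prototype getter on index 1 like the (B.prototype.get 1) in the file list. Class names A and B are chosen to echo the test; their bodies are assumptions.

```javascript
class A extends Array {}
// A getter on index 1 on the prototype: holes in the instance fall through to it.
class B extends Array { get 1() { return "from-prototype"; } }

// Summarise the properties a subclassing-aware Array constructor must deliver.
function describeArrayInstance(a, Ctor) {
  return {
    ownProto: Object.getPrototypeOf(a) === Ctor.prototype,
    isArray: Array.isArray(a),
    instanceOfBase: a instanceof Array,
    length: a.length,
    // Array.prototype.map creates its result via the species constructor,
    // so the result keeps the subclass.
    mapKeepsSubclass: a.map(x => x) instanceof Ctor,
  };
}

// Same size quirk as Array(): one numeric argument sets the length, while any
// other argument list becomes the elements.
function sizeQuirk() {
  return { numeric: new A(3).length, string: new A("3").length, two: new A(1, 2).length };
}

// new.target drives the prototype choice. Reflect.construct calls the base
// Array constructor with new.target = A, which is exactly the case the
// constructor has to handle.
function constructWithNewTarget() {
  const viaReflect = Reflect.construct(Array, [1, 2], A);
  return viaReflect instanceof A && Array.isArray(viaReflect) && viaReflect.length === 2;
}

// A hole at index 1 reads the prototype getter but is not an own property.
function holeFallsThrough() {
  const b = new B(3); // three holes
  return [b[1], 1 in b, Object.prototype.hasOwnProperty.call(b, 1)];
}

console.log(describeArrayInstance(new A(3), A));
console.log(sizeQuirk(), constructWithNewTarget(), holeFallsThrough());
```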
1188
1189 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
1190
1191         regress/script-tests/deltablue-varargs.js.ftl-no-cjit-no-put-stack-validate on FTL B3 gets a B3 validation failure
1192         https://bugs.webkit.org/show_bug.cgi?id=152754
1193
1194         Reviewed by Geoffrey Garen and Saam Barati.
1195
1196         It turns out that the FTL was creating orphans. Rather than making the FTL handle them by
1197         itself, I gave B3 the power to eliminate them for you. I also made the dumper print them
1198         since otherwise, you wouldn't know anything about the orphan when looking at a validation
1199         failure or other kind of procedure dump.
1200
1201         * b3/B3IndexSet.h:
1202         (JSC::B3::IndexSet::add):
1203         (JSC::B3::IndexSet::addAll):
1204         (JSC::B3::IndexSet::remove):
1205         * b3/B3Procedure.cpp:
1206         (JSC::B3::Procedure::dump):
1207         (JSC::B3::Procedure::deleteValue):
1208         (JSC::B3::Procedure::deleteOrphans):
1209         (JSC::B3::Procedure::dominators):
1210         * b3/B3Procedure.h:
1211         (JSC::B3::Procedure::cfg):
1212         * ftl/FTLLowerDFGToLLVM.cpp:
1213         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1214
1215 2015-12-24  Mark Lam  <mark.lam@apple.com>
1216
1217         Re-landing: Add validation of JSC options to catch typos.
1218         https://bugs.webkit.org/show_bug.cgi?id=152549
1219
1220         Reviewed by Benjamin Poulain.
1221
1222         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
1223            an error message.
1224         2. If a --xxx jsc option is specified, but xxx is not a valid option, we will
1225            now log an error message.
1226         3. Added JSC_validateOptions, which if set to true will cause the VM to crash if
1227            an invalid option was seen during options parsing.
1228
1229         In this version for re-landing, I removed the change where I disallowed -- options
1230         after the script name.  Apparently, we have some test harnesses that do append the
1231         -- options after the script name.
1232
1233         * jsc.cpp:
1234         (CommandLine::parseArguments):
1235         * runtime/Options.cpp:
1236         (JSC::Options::initialize):
1237         * runtime/Options.h:
1238
1239 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
1240
1241         FTL B3 should do ArithNegate
1242         https://bugs.webkit.org/show_bug.cgi?id=152745
1243
1244         Reviewed by Geoffrey Garen.
1245
1246         * ftl/FTLLowerDFGToLLVM.cpp:
1247         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
1248
1249 2016-01-05  Andy VanWagoner  <thetalecrafter@gmail.com>
1250
1251         [ES6] Date.prototype should be a plain object
1252         https://bugs.webkit.org/show_bug.cgi?id=152574
1253
1254         Reviewed by Benjamin Poulain.
1255
1256         * runtime/DateConstructor.cpp:
1257         (JSC::DateConstructor::finishCreation):
1258         * runtime/DatePrototype.cpp:
1259         (JSC::DatePrototype::DatePrototype):
1260         * runtime/DatePrototype.h:
1261
1262 2016-01-05  Commit Queue  <commit-queue@webkit.org>
1263
1264         Unreviewed, rolling out r194590.
1265         https://bugs.webkit.org/show_bug.cgi?id=152751
1266
1267         "Causes bot failures" (Requested by mlam on #webkit).
1268
1269         Reverted changeset:
1270
1271         "Add validation of JSC options to catch typos."
1272         https://bugs.webkit.org/show_bug.cgi?id=152549
1273         http://trac.webkit.org/changeset/194590
1274
1275 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
1276
1277         FTL B3 should do In
1278         https://bugs.webkit.org/show_bug.cgi?id=152744
1279
1280         Reviewed by Michael Saboff.
1281
1282         This was easy; I just used the same idiom that we already established for ICs in FTL B3.
1283
1284         * ftl/FTLLowerDFGToLLVM.cpp:
1285         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
1286
1287 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
1288
1289         Implement B3 version of FTL::Output::check()
1290         https://bugs.webkit.org/show_bug.cgi?id=152743
1291
1292         Reviewed by Geoffrey Garen.
1293
1294         Turns out this was just like the LLVM version.
1295
1296         * ftl/FTLB3Output.cpp:
1297         (JSC::FTL::Output::branch):
1298         (JSC::FTL::Output::check):
1299         * ftl/FTLB3Output.h:
1300         (JSC::FTL::Output::switchInstruction):
1301         (JSC::FTL::Output::check): Deleted.
1302
1303 2016-01-05  Mark Lam  <mark.lam@apple.com>
1304
1305         Add support for aliasing JSC Options.
1306         https://bugs.webkit.org/show_bug.cgi?id=152551
1307
1308         Reviewed by Filip Pizlo.
1309
1310         This allows us to use old options names as well.  This is for the benefit of
1311         third party tools which may have been built to rely on those old options.  The
1312         old option names will be mapped to the current option names in setOption().
1313
1314         For some options, the old option name specifies the inverse boolean value of the
1315         current option name.  setOption() will take care of inverting the value before
1316         applying it to the option.
1317
1318         * jsc.cpp:
1319         (CommandLine::parseArguments):
1320         - Switch to dumping only overridden options here.  Verbose dumping is too much
1321           for common usage.
1322         * runtime/Options.cpp:
1323         (JSC::overrideOptionWithHeuristic):
1324         (JSC::Options::overrideAliasedOptionWithHeuristic):
1325         (JSC::computeNumberOfWorkerThreads):
1326         (JSC::Options::initialize):
1327         (JSC::Options::setOptionWithoutAlias):
1328         (JSC::invertBoolOptionValue):
1329         (JSC::Options::setAliasedOption):
1330         (JSC::Options::setOption):
1331         (JSC::Options::dumpAllOptions):
1332         - String.ascii() converts newline characters to '?', and this was messing up the
1333           printing of the options.  Switched to using String.utf8() instead.
1334         (JSC::Options::dumpOption):
1335         * runtime/Options.h:
1336
1337 2016-01-05  Mark Lam  <mark.lam@apple.com>
1338
1339         Add validation of JSC options to catch typos.
1340         https://bugs.webkit.org/show_bug.cgi?id=152549
1341
1342         Reviewed by Benjamin Poulain.
1343
1344         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
1345            an error message.
1346         2. The jsc app is commonly used as follows:
1347
1348                $ jsc [jsc options] [scripts]
1349      
1350            Previously, we'll continue to parse for [jsc options] after [scripts] is seen.
1351            We won't do this anymore.  Any --xxx jsc options must precede the [scripts]
1352            arguments.
1353
1354         3. If a --xxx jsc option is specified, but xxx is not a valid option, we will
1355            now log an error message.
1356
1357         4. Added JSC_validateOptions, which if set to true will cause the VM to crash if
1358            an invalid option was seen during options parsing.
1359
1360         * jsc.cpp:
1361         (CommandLine::parseArguments):
1362         * runtime/Options.cpp:
1363         (JSC::Options::initialize):
1364         * runtime/Options.h:
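
An added example, not JavaScriptCore's Options.cpp, modelling the option handling described in this entry and its re-landed version above (unknown JSC_xxx and --xxx options are logged, and JSC_validateOptions makes them fatal) together with the aliasing entry above (old names mapped to current ones, some with inverted boolean meaning). The option table, the alias table and the `--name=value` argument form are constructed for the example.

```javascript
// Constructed option table with default values; the value's type decides how
// text is coerced.
const DEFAULTS = { validateOptions: false, useJIT: true, useDFGJIT: true, numberOfGCMarkers: 2 };

// Constructed aliases: old name -> current name. `inverted` marks an old
// boolean name whose meaning is the opposite of the current option.
const ALIASES = {
  enableJIT: { target: "useJIT", inverted: false },
  disableDFG: { target: "useDFGJIT", inverted: true },
};

// "true" <-> "false"; anything else cannot be inverted.
function invertBoolOptionValue(text) {
  if (text === "true") return "false";
  if (text === "false") return "true";
  return null;
}

// Coerce text to the type of the option's current value; null on failure.
function parseValue(current, text) {
  if (typeof current === "boolean") {
    return text === "true" ? true : text === "false" ? false : null;
  }
  const n = Number(text);
  return text !== "" && Number.isFinite(n) ? n : null;
}

function setOptionWithoutAlias(opts, name, text) {
  if (!Object.prototype.hasOwnProperty.call(opts, name)) return false;
  const value = parseValue(opts[name], text);
  if (value === null) return false;
  opts[name] = value;
  return true;
}

// Map an old name onto the current one, inverting the value where the alias
// says the old name meant the opposite.
function setAliasedOption(opts, name, text) {
  const alias = ALIASES[name];
  if (!alias) return false;
  const value = alias.inverted ? invertBoolOptionValue(text) : text;
  return value !== null && setOptionWithoutAlias(opts, alias.target, value);
}

function setOption(opts, name, text) {
  return setOptionWithoutAlias(opts, name, text) || setAliasedOption(opts, name, text);
}

// Apply JSC_xxx environment variables, then --xxx=value command-line options
// (the re-landed version accepts them before or after script names). Every
// unknown or malformed option is logged; once validateOptions is true they
// are fatal, modelled here as a thrown Error instead of a VM crash.
function applyOptions(argv, env, log = () => {}) {
  const opts = { ...DEFAULTS };
  const errors = [];
  const scripts = [];
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith("JSC_")) continue;
    if (!setOption(opts, key.slice("JSC_".length), value)) errors.push(key);
  }
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) { scripts.push(arg); continue; }
    if (!setOption(opts, m[1], m[2])) errors.push(arg);
  }
  for (const e of errors) log("invalid option: " + e);
  if (opts.validateOptions && errors.length) {
    throw new Error("invalid options seen: " + errors.join(", "));
  }
  return { opts, errors, scripts };
}

// A typo in an option name is reported rather than silently ignored.
console.log(applyOptions(["--disableDFG=true", "--useJiT=true", "test.js"], {}, console.error));
```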
1365
1366 2016-01-04  Keith Miller  <keith_miller@apple.com>
1367
1368         Turn off Internal Function inlining in the DFG for super calls.
1369         https://bugs.webkit.org/show_bug.cgi?id=152695
1370
1371         Reviewed by Geoffrey Garen.
1372
1373         Currently, we inline several InternalFunctions into an allocation with a
1374         fixed structure in the DFG. This optimization is not valid when the
1375         InternalFunction is called via a super call.
1376
1377         * dfg/DFGByteCodeParser.cpp:
1378         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1379         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1380
1381 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
1382
1383         FTL B3 should do binary snippets
1384         https://bugs.webkit.org/show_bug.cgi?id=152668
1385
1386         Reviewed by Mark Lam.
1387
1388         This finishes all of the rest of the snippets.
1389
1390         * ftl/FTLLowerDFGToLLVM.cpp:
1391         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
1392         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
1393         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
1394         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
1395         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
1396         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1397         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1398         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1399         * tests/stress/object-bit-or.js: Added.
1400         (foo):
1401         (things.valueOf):
1402         * tests/stress/object-bit-xor.js: Added.
1403         (foo):
1404         (things.valueOf):
1405         * tests/stress/object-lshift.js: Added.
1406         (foo):
1407         (things.valueOf):
1408         * tests/stress/object-rshift.js: Added.
1409         (foo):
1410         (things.valueOf):
1411         * tests/stress/object-urshift.js: Added.
1412         (foo):
1413         (things.valueOf):
1414         * tests/stress/untyped-bit-or.js: Added.
1415         (foo):
1416         (valueOf):
1417         * tests/stress/untyped-bit-xor.js: Added.
1418         (foo):
1419         (valueOf):
1420         * tests/stress/untyped-lshift.js: Added.
1421         (foo):
1422         (valueOf):
1423         * tests/stress/untyped-rshift.js: Added.
1424         (foo):
1425         (valueOf):
1426         * tests/stress/untyped-urshift.js: Added.
1427         (foo):
1428         (valueOf):
1429
1430 2016-01-04  Mark Lam  <mark.lam@apple.com>
1431
1432         isUntypedSpeculationForArithmetic is wrong.
1433         https://bugs.webkit.org/show_bug.cgi?id=152708
1434
1435         Reviewed by Filip Pizlo.
1436
1437         The isUntypedSpeculation...() checks should return true if we ever see
1438         non-numeric types, regardless of whether numeric types are seen or not.
1439         Previously, they only returned true if we only see non-numeric types, and false if
1440         we ever see numeric types.
1441
1442         This patch is perf neutral on both x86_64 and x86.
1443
1444         * bytecode/SpeculatedType.h:
1445         (JSC::isUntypedSpeculationForArithmetic):
1446         (JSC::isUntypedSpeculationForBitOps):
1447
1448 2016-01-04  Tim Horton  <timothy_horton@apple.com>
1449
1450         Turn on gesture events when building for Yosemite
1451         https://bugs.webkit.org/show_bug.cgi?id=152704
1452         rdar://problem/24042472
1453
1454         Reviewed by Anders Carlsson.
1455
1456         * Configurations/FeatureDefines.xcconfig:
1457
1458 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
1459
1460         FTL B3 should do BitAnd binary snippets
1461         https://bugs.webkit.org/show_bug.cgi?id=152713
1462
1463         Reviewed by Mark Lam.
1464
1465         Getting ready to finish up the binary bitop snippets.
1466
1467         * ftl/FTLLowerDFGToLLVM.cpp:
1468         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
1469         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1470         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1471         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1472         * tests/stress/object-bit-and.js: Added.
1473         (foo):
1474         (things.valueOf):
1475         * tests/stress/untyped-bit-and.js: Added.
1476         (foo):
1477         (valueOf):
1478
1479 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
1480
1481         FTL B3 should do all of the non-bitop binary snippets
1482         https://bugs.webkit.org/show_bug.cgi?id=152709
1483
1484         Reviewed by Mark Lam.
1485
1486         * ftl/FTLLowerDFGToLLVM.cpp:
1487         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1488         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
1489         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1490         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1491         * tests/stress/object-add.js: Added.
1492         (foo):
1493         (things.valueOf):
1494         * tests/stress/object-div.js: Added.
1495         (foo):
1496         (things.valueOf):
1497         * tests/stress/object-mul.js: Added.
1498         (foo):
1499         (things.valueOf):
1500         * tests/stress/untyped-add.js: Added.
1501         (foo):
1502         (valueOf):
1503         * tests/stress/untyped-div.js: Added.
1504         (foo):
1505         (valueOf):
1506         * tests/stress/untyped-mul.js: Added.
1507         (foo):
1508         (valueOf):
1509
1510 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
1511
1512         FTL B3 should do the ArithSub binary snippet
1513         https://bugs.webkit.org/show_bug.cgi?id=152705
1514
1515         Reviewed by Saam Barati.
1516
1517         This implements the ArithSub binary snippet generator in FTL B3.
1518
1519         While doing this, I discovered that the DFG type inference logic for ArithSub contains a
1520         classic mistake: it causes the snippets to kick in when the type set does not contain numbers
1521         rather than kicking in when the type set contains non-numbers. So, the original test that I
1522         wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
1523         a second test that is simpler, and that one shows that the binary snippets "work". That's
1524         sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
1525         and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
1526         I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.
1527
1528         * ftl/FTLLowerDFGToLLVM.cpp:
1529         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
1530         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1531         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
1532         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1533         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1534         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1535         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
1536         * tests/stress/object-sub.js: Added.
1537         (foo):
1538         (things.valueOf):
1539         * tests/stress/untyped-sub.js: Added.
1540         (foo):
1541         (valueOf):
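
        Added example, not code from WebKit, serving both the isUntypedSpeculationForArithmetic entry above (bug 152708) and the ArithSub snippet entry: a constructed stand-in for the SpeculatedType bit set (hypothetical bit values, not those in bytecode/SpeculatedType.h), the old predicate as the ChangeLog describes it beside the corrected one, and a toy lowering choice (chooseLowering, also hypothetical) showing why a site that sees both Int32 and objects used to take the Int32 path and exit on every object instead of getting the untyped snippet.

```cpp
#include <cstdint>
#include <initializer_list>

// Constructed stand-in for JSC's SpeculatedType. Bit values are hypothetical.
typedef uint32_t SpecType;
constexpr SpecType SpecNone       = 0;
constexpr SpecType SpecInt32      = 1u << 0;
constexpr SpecType SpecDouble     = 1u << 1;
constexpr SpecType SpecBoolean    = 1u << 2;
constexpr SpecType SpecString     = 1u << 3;
constexpr SpecType SpecObject     = 1u << 4;
constexpr SpecType SpecFullNumber = SpecInt32 | SpecDouble;

// A value profile is the union of every type observed at a site.
inline SpecType mergeProfile(std::initializer_list<SpecType> observed)
{
    SpecType result = SpecNone;
    for (SpecType t : observed)
        result |= t;
    return result;
}

// The behaviour the ChangeLog describes as the old one: "untyped" only when no
// numeric (or boolean) type was ever seen. As soon as a number appears next to
// an object the predicate flips to false, so the untyped path is never chosen.
inline bool isUntypedSpeculationForArithmeticOld(SpecType value)
{
    return !(value & (SpecFullNumber | SpecBoolean));
}

// The corrected behaviour: "untyped" as soon as any non-numeric, non-boolean
// type is in the set, regardless of whether numeric types were also seen.
inline bool isUntypedSpeculationForArithmeticNew(SpecType value)
{
    return (value & ~(SpecFullNumber | SpecBoolean)) != 0;
}

// Toy model of the lowering decision for an arithmetic node such as ArithSub.
enum class ArithLowering { Int32, Double, UntypedSnippet };

inline ArithLowering chooseLowering(SpecType value, bool useFixedPredicate)
{
    bool untyped = useFixedPredicate
        ? isUntypedSpeculationForArithmeticNew(value)
        : isUntypedSpeculationForArithmeticOld(value);
    if (untyped)
        return ArithLowering::UntypedSnippet;   // generic snippet handles any operand
    if (value & SpecDouble)
        return ArithLowering::Double;           // speculate double, exit otherwise
    return ArithLowering::Int32;                // speculate int32, exit otherwise
}

// With the old predicate a profile of {Int32, Object} gets the Int32 lowering,
// which OSR-exits every time an object shows up; with the fix it gets the snippet.
inline bool oldPredicateMisclassifiesMixedProfile()
{
    SpecType mixed = mergeProfile({SpecInt32, SpecObject});
    return chooseLowering(mixed, false) == ArithLowering::Int32
        && chooseLowering(mixed, true) == ArithLowering::UntypedSnippet;
}
```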
1542
1543 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
1544
1545         Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.
1546
1547         * dfg/DFGCommon.h:
1548
1549 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
1550
1551         B3 patchpoints should allow requesting scratch registers
1552         https://bugs.webkit.org/show_bug.cgi?id=152669
1553
1554         Reviewed by Benjamin Poulain.
1555
1556         Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
1557         patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
1558         often does crazy scratch register allocation madness even when it would be better to just ask
1559         the backend for some registers. This patch adds a mechanism for requesting scratch registers
1560         in B3, and wires it all the way to all of our register allocation and liveness
1561         infrastructure.
1562
1563         From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
1564         only admits Tmp and is defined early (like an early clobber register) and is used late (like
1565         what we previously called LateUse, except that this time it's also a warm use). We already
1566         had the beginning of support for early def's because of early clobbers, and we already
1567         supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
1568         which means both early def and late use in much the same way as "UseDef" means both early
1569         use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
1570         to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
1571         Def (which is, and always has been, a late def). Forcing the code to deal with the full
1572         matrix of possibilities resulted in what is probably a progression in how we handle defs in
1573         the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
1574         recognizes that a "def" is something that can come from either the preceding instruction or
1575         the succeeding one.
1576
1577         This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
1578         is covered by new testb3 tests.
1579
1580         * b3/B3CheckSpecial.cpp:
1581         (JSC::B3::CheckSpecial::isValid):
1582         (JSC::B3::CheckSpecial::admitsStack):
1583         (JSC::B3::CheckSpecial::generate):
1584         * b3/B3LowerToAir.cpp:
1585         (JSC::B3::Air::LowerToAir::lower):
1586         * b3/B3PatchpointSpecial.cpp:
1587         (JSC::B3::PatchpointSpecial::forEachArg):
1588         (JSC::B3::PatchpointSpecial::isValid):
1589         (JSC::B3::PatchpointSpecial::admitsStack):
1590         (JSC::B3::PatchpointSpecial::generate):
1591         * b3/B3PatchpointValue.cpp:
1592         (JSC::B3::PatchpointValue::dumpMeta):
1593         (JSC::B3::PatchpointValue::PatchpointValue):
1594         * b3/B3PatchpointValue.h:
1595         * b3/B3StackmapGenerationParams.cpp:
1596         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
1597         * b3/B3StackmapGenerationParams.h:
1598         (JSC::B3::StackmapGenerationParams::gpScratch):
1599         (JSC::B3::StackmapGenerationParams::fpScratch):
1600         * b3/B3StackmapSpecial.cpp:
1601         (JSC::B3::StackmapSpecial::forEachArgImpl):
1602         (JSC::B3::StackmapSpecial::isValidImpl):
1603         (JSC::B3::StackmapSpecial::admitsStackImpl):
1604         (JSC::B3::StackmapSpecial::repsImpl):
1605         (JSC::B3::StackmapSpecial::isArgValidForValue):
1606         (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
1607         * b3/B3StackmapSpecial.h:
1608         * b3/air/AirAllocateStack.cpp:
1609         (JSC::B3::Air::allocateStack):
1610         * b3/air/AirArg.cpp:
1611         (WTF::printInternal):
1612         * b3/air/AirArg.h:
1613         (JSC::B3::Air::Arg::isAnyUse):
1614         (JSC::B3::Air::Arg::isColdUse):
1615         (JSC::B3::Air::Arg::isEarlyUse):
1616         (JSC::B3::Air::Arg::isLateUse):
1617         (JSC::B3::Air::Arg::isAnyDef):
1618         (JSC::B3::Air::Arg::isEarlyDef):
1619         (JSC::B3::Air::Arg::isLateDef):
1620         (JSC::B3::Air::Arg::isZDef):
1621         (JSC::B3::Air::Arg::Arg):
1622         (JSC::B3::Air::Arg::imm):
1623         (JSC::B3::Air::Arg::isDef): Deleted.
1624         * b3/air/AirBasicBlock.h:
1625         (JSC::B3::Air::BasicBlock::at):
1626         (JSC::B3::Air::BasicBlock::get):
1627         (JSC::B3::Air::BasicBlock::last):
1628         * b3/air/AirEliminateDeadCode.cpp:
1629         (JSC::B3::Air::eliminateDeadCode):
1630         * b3/air/AirFixPartialRegisterStalls.cpp:
1631         (JSC::B3::Air::fixPartialRegisterStalls):
1632         * b3/air/AirInst.cpp:
1633         (JSC::B3::Air::Inst::hasArgEffects):
1634         * b3/air/AirInst.h:
1635         * b3/air/AirInstInlines.h:
1636         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
1637         (JSC::B3::Air::Inst::forEachDef):
1638         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
1639         (JSC::B3::Air::Inst::reportUsedRegisters):
1640         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
1641         * b3/air/AirIteratedRegisterCoalescing.cpp:
1642         * b3/air/AirLiveness.h:
1643         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1644         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1645         * b3/air/AirSpillEverything.cpp:
1646         (JSC::B3::Air::spillEverything):
1647         * b3/air/AirTmpWidth.cpp:
1648         (JSC::B3::Air::TmpWidth::recompute):
1649         * b3/air/AirUseCounts.h:
1650         (JSC::B3::Air::UseCounts::UseCounts):
1651         * b3/testb3.cpp:
1652         (JSC::B3::testPatchpointAny):
1653         (JSC::B3::testPatchpointGPScratch):
1654         (JSC::B3::testPatchpointFPScratch):
1655         (JSC::B3::testPatchpointLotsOfLateAnys):
1656         (JSC::B3::run):
1657
1658 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
1659
1660         Fix the !ENABLE(INTL) build after r193493
1661         https://bugs.webkit.org/show_bug.cgi?id=152689
1662
1663         Reviewed by Alex Christensen.
1664
1665         * runtime/NumberPrototype.cpp:
1666         (JSC::NumberPrototype::finishCreation):
1667
1668 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
1669
1670         JSC generator scripts shouldn't have verbose output
1671         https://bugs.webkit.org/show_bug.cgi?id=152382
1672
1673         Reviewed by Michael Catanzaro.
1674
1675         * b3/air/opcode_generator.rb:
1676         * generate-bytecode-files:
1677         * offlineasm/asm.rb:
1678         * offlineasm/generate_offset_extractor.rb:
1679         * offlineasm/parser.rb:
1680
1681 2016-01-04  Benjamin Poulain  <bpoulain@apple.com>
1682
1683         [JSC] Build B3 by default on iOS ARM64
1684         https://bugs.webkit.org/show_bug.cgi?id=152525
1685
1686         Reviewed by Filip Pizlo.
1687
1688         Minor changes required to get testb3 to compile.
1689
1690         * Configurations/ToolExecutable.xcconfig:
1691         We need an entitlement to allocate executable memory.
1692
1693         * assembler/MacroAssemblerARM64.h:
1694         (JSC::MacroAssemblerARM64::scratchRegister):
1695         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
1696         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
1697         Expose one of the scratch registers for ValueRep::emitRestore().
1698         Guard the use of scratch registers when not allowed.
1699
1700         * b3/air/AirOpcode.opcodes:
1701         ARM addressing is a bit different. Skip Addr to make things build.
1702
1703         * b3/testb3.cpp:
1704         (JSC::B3::testPatchpointWithStackArgumentResult):
1705         Add on memory only exists on x86.
1706
1707         * jit/RegisterSet.cpp:
1708         (JSC::RegisterSet::macroScratchRegisters):
1709         Add the two scratch registers, useful for patchpoints.
1710
1711 2016-01-03  Khem Raj  <raj.khem@gmail.com>
1712
1713         WebKit fails to build with musl libc library
1714         https://bugs.webkit.org/show_bug.cgi?id=152625
1715
1716         Reviewed by Daniel Bates.
1717
1718         Qualify isnan() calls with std namespace.
1719
1720         * runtime/Options.cpp:
1721         (Option::operator==): Add std namespace qualifier.
1722
1723 2016-01-03  Andreas Kling  <akling@apple.com>
1724
1725         Remove redundant StringImpl substring creation function.
1726         <https://webkit.org/b/152652>
1727
1728         Reviewed by Daniel Bates.
1729
1730         Remove jsSubstring8() and make the only call site use jsSubstring().
1731
1732         * runtime/JSString.h:
1733         (JSC::jsSubstring8): Deleted.
1734         * runtime/StringPrototype.cpp:
1735         (JSC::replaceUsingRegExpSearch):
1736
1737 2016-01-02  Khem Raj  <raj.khem@gmail.com>
1738
1739         Clang's builtin for clear_cache accepts char* and errors out
1740         when using void*; using char* works on both gcc and clang
1741         since char* is auto-converted to void* in the gcc case.
1742         https://bugs.webkit.org/show_bug.cgi?id=152654
1743
1744         Reviewed by Michael Saboff.
1745
1746         * assembler/ARM64Assembler.h:
1747         (linuxPageFlush): Convert arguments to __builtin___clear_cache()
1748         to char*.
1749
1750 2015-12-31  Andy Estes  <aestes@apple.com>
1751
1752         Replace WTF::move with WTFMove
1753         https://bugs.webkit.org/show_bug.cgi?id=152601
1754
1755         Reviewed by Brady Eidson.
1756
1757         * API/ObjCCallbackFunction.mm:
1758         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
1759         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
1760         (JSC::ObjCCallbackFunction::create):
1761         (objCCallbackFunctionForInvocation):
1762         * assembler/AssemblerBuffer.h:
1763         (JSC::AssemblerBuffer::releaseAssemblerData):
1764         * assembler/LinkBuffer.cpp:
1765         (JSC::LinkBuffer::linkCode):
1766         * b3/B3BlockInsertionSet.cpp:
1767         (JSC::B3::BlockInsertionSet::insert):
1768         (JSC::B3::BlockInsertionSet::splitForward):
1769         * b3/B3LowerToAir.cpp:
1770         (JSC::B3::Air::LowerToAir::run):
1771         (JSC::B3::Air::LowerToAir::lower):
1772         * b3/B3OpaqueByproducts.cpp:
1773         (JSC::B3::OpaqueByproducts::add):
1774         * b3/B3Procedure.cpp:
1775         (JSC::B3::Procedure::addBlock):
1776         (JSC::B3::Procedure::addDataSection):
1777         * b3/B3Procedure.h:
1778         (JSC::B3::Procedure::releaseByproducts):
1779         * b3/B3ProcedureInlines.h:
1780         (JSC::B3::Procedure::add):
1781         * b3/B3Value.h:
1782         * b3/air/AirCode.cpp:
1783         (JSC::B3::Air::Code::addBlock):
1784         (JSC::B3::Air::Code::addStackSlot):
1785         (JSC::B3::Air::Code::addSpecial):
1786         * b3/air/AirInst.h:
1787         (JSC::B3::Air::Inst::Inst):
1788         * b3/air/AirIteratedRegisterCoalescing.cpp:
1789         * b3/air/AirSimplifyCFG.cpp:
1790         (JSC::B3::Air::simplifyCFG):
1791         * bindings/ScriptValue.cpp:
1792         (Deprecated::jsToInspectorValue):
1793         * builtins/BuiltinExecutables.cpp:
1794         (JSC::createExecutableInternal):
1795         * bytecode/BytecodeBasicBlock.cpp:
1796         (JSC::computeBytecodeBasicBlocks):
1797         * bytecode/CodeBlock.cpp:
1798         (JSC::CodeBlock::finishCreation):
1799         (JSC::CodeBlock::setCalleeSaveRegisters):
1800         * bytecode/CodeBlock.h:
1801         (JSC::CodeBlock::setJITCodeMap):
1802         (JSC::CodeBlock::livenessAnalysis):
1803         * bytecode/GetByIdStatus.cpp:
1804         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1805         * bytecode/GetByIdVariant.cpp:
1806         (JSC::GetByIdVariant::GetByIdVariant):
1807         * bytecode/PolymorphicAccess.cpp:
1808         (JSC::PolymorphicAccess::regenerateWithCases):
1809         (JSC::PolymorphicAccess::regenerateWithCase):
1810         (JSC::PolymorphicAccess::regenerate):
1811         * bytecode/PutByIdStatus.cpp:
1812         (JSC::PutByIdStatus::computeForStubInfo):
1813         * bytecode/PutByIdVariant.cpp:
1814         (JSC::PutByIdVariant::setter):
1815         * bytecode/StructureStubClearingWatchpoint.cpp:
1816         (JSC::StructureStubClearingWatchpoint::push):
1817         * bytecode/StructureStubClearingWatchpoint.h:
1818         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
1819         * bytecode/StructureStubInfo.cpp:
1820         (JSC::StructureStubInfo::addAccessCase):
1821         * bytecode/UnlinkedCodeBlock.cpp:
1822         (JSC::UnlinkedCodeBlock::setInstructions):
1823         * bytecode/UnlinkedFunctionExecutable.cpp:
1824         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1825         * bytecode/UnlinkedFunctionExecutable.h:
1826         * bytecompiler/SetForScope.h:
1827         (JSC::SetForScope::SetForScope):
1828         * dfg/DFGGraph.cpp:
1829         (JSC::DFG::Graph::livenessFor):
1830         (JSC::DFG::Graph::killsFor):
1831         * dfg/DFGJITCompiler.cpp:
1832         (JSC::DFG::JITCompiler::link):
1833         (JSC::DFG::JITCompiler::compile):
1834         (JSC::DFG::JITCompiler::compileFunction):
1835         * dfg/DFGJITFinalizer.cpp:
1836         (JSC::DFG::JITFinalizer::JITFinalizer):
1837         * dfg/DFGLivenessAnalysisPhase.cpp:
1838         (JSC::DFG::LivenessAnalysisPhase::process):
1839         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1840         * dfg/DFGSpeculativeJIT.cpp:
1841         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1842         (JSC::DFG::SpeculativeJIT::compileIn):
1843         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1844         * dfg/DFGSpeculativeJIT32_64.cpp:
1845         (JSC::DFG::SpeculativeJIT::cachedGetById):
1846         (JSC::DFG::SpeculativeJIT::cachedPutById):
1847         * dfg/DFGSpeculativeJIT64.cpp:
1848         (JSC::DFG::SpeculativeJIT::cachedGetById):
1849         (JSC::DFG::SpeculativeJIT::cachedPutById):
1850         * dfg/DFGWorklist.cpp:
1851         (JSC::DFG::Worklist::finishCreation):
1852         * disassembler/Disassembler.cpp:
1853         (JSC::disassembleAsynchronously):
1854         * ftl/FTLB3Compile.cpp:
1855         (JSC::FTL::compile):
1856         * ftl/FTLCompile.cpp:
1857         (JSC::FTL::mmAllocateDataSection):
1858         * ftl/FTLJITCode.cpp:
1859         (JSC::FTL::JITCode::initializeB3Byproducts):
1860         * ftl/FTLJITFinalizer.h:
1861         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
1862         * ftl/FTLLink.cpp:
1863         (JSC::FTL::link):
1864         * ftl/FTLLowerDFGToLLVM.cpp:
1865         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1866         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1867         * heap/Heap.cpp:
1868         (JSC::Heap::releaseDelayedReleasedObjects):
1869         (JSC::Heap::markRoots):
1870         (JSC::Heap::setIncrementalSweeper):
1871         * heap/HeapInlines.h:
1872         (JSC::Heap::releaseSoon):
1873         (JSC::Heap::registerWeakGCMap):
1874         * heap/WeakInlines.h:
1875         * inspector/ConsoleMessage.cpp:
1876         (Inspector::ConsoleMessage::addToFrontend):
1877         * inspector/ContentSearchUtilities.cpp:
1878         (Inspector::ContentSearchUtilities::searchInTextByLines):
1879         * inspector/InjectedScript.cpp:
1880         (Inspector::InjectedScript::getFunctionDetails):
1881         (Inspector::InjectedScript::getProperties):
1882         (Inspector::InjectedScript::getDisplayableProperties):
1883         (Inspector::InjectedScript::getInternalProperties):
1884         (Inspector::InjectedScript::getCollectionEntries):
1885         (Inspector::InjectedScript::wrapCallFrames):
1886         * inspector/InspectorAgentRegistry.cpp:
1887         (Inspector::AgentRegistry::append):
1888         (Inspector::AgentRegistry::appendExtraAgent):
1889         * inspector/InspectorBackendDispatcher.cpp:
1890         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
1891         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1892         (Inspector::BackendDispatcher::BackendDispatcher):
1893         (Inspector::BackendDispatcher::create):
1894         (Inspector::BackendDispatcher::sendPendingErrors):
1895         * inspector/InspectorProtocolTypes.h:
1896         (Inspector::Protocol::Array::addItem):
1897         * inspector/InspectorValues.cpp:
1898         * inspector/InspectorValues.h:
1899         (Inspector::InspectorObjectBase::setValue):
1900         (Inspector::InspectorObjectBase::setObject):
1901         (Inspector::InspectorObjectBase::setArray):
1902         (Inspector::InspectorArrayBase::pushValue):
1903         (Inspector::InspectorArrayBase::pushObject):
1904         (Inspector::InspectorArrayBase::pushArray):
1905         * inspector/JSGlobalObjectConsoleClient.cpp:
1906         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
1907         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
1908         * inspector/JSGlobalObjectInspectorController.cpp:
1909         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1910         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1911         * inspector/JSInjectedScriptHost.cpp:
1912         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
1913         * inspector/JSInjectedScriptHost.h:
1914         (Inspector::JSInjectedScriptHost::create):
1915         * inspector/agents/InspectorAgent.cpp:
1916         (Inspector::InspectorAgent::activateExtraDomain):
1917         * inspector/agents/InspectorConsoleAgent.cpp:
1918         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1919         (Inspector::InspectorConsoleAgent::addConsoleMessage):
1920         * inspector/agents/InspectorDebuggerAgent.cpp:
1921         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1922         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
1923         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1924         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
1925         (Inspector::InspectorDebuggerAgent::breakProgram):
1926         * inspector/agents/InspectorHeapAgent.cpp:
1927         (Inspector::InspectorHeapAgent::didGarbageCollect):
1928         * inspector/agents/InspectorRuntimeAgent.cpp:
1929         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1930         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1931         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1932         (Inspector::InspectorScriptProfilerAgent::addEvent):
1933         (Inspector::buildInspectorObject):
1934         (Inspector::buildProfileInspectorObject):
1935         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1936         * inspector/augmentable/AlternateDispatchableAgent.h:
1937         * inspector/scripts/codegen/cpp_generator_templates.py:
1938         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1939         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1940         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1941         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1942         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1943         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1944         (_generate_unchecked_setter_for_member):
1945         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1946         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1947         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1948         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1949         * inspector/scripts/codegen/objc_generator_templates.py:
1950         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1951         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1952         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1953         * inspector/scripts/tests/expected/enum-values.json-result:
1954         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1955         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1956         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1957         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1958         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1959         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1960         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1961         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1962         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1963         * jit/CallFrameShuffler.cpp:
1964         (JSC::CallFrameShuffler::performSafeWrites):
1965         * jit/PolymorphicCallStubRoutine.cpp:
1966         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1967         * jit/Repatch.cpp:
1968         (JSC::tryCacheGetByID):
1969         (JSC::tryCachePutByID):
1970         (JSC::tryRepatchIn):
1971         (JSC::linkPolymorphicCall):
1972         * parser/Nodes.cpp:
1973         (JSC::ProgramNode::setClosedVariables):
1974         * parser/Parser.cpp:
1975         (JSC::Parser<LexerType>::parseInner):
1976         (JSC::Parser<LexerType>::parseFunctionInfo):
1977         * parser/Parser.h:
1978         (JSC::Parser::closedVariables):
1979         * parser/SourceProviderCache.cpp:
1980         (JSC::SourceProviderCache::add):
1981         * profiler/ProfileNode.h:
1982         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
1983         * replay/EncodedValue.cpp:
1984         (JSC::EncodedValue::get<EncodedValue>):
1985         * replay/scripts/CodeGeneratorReplayInputs.py:
1986         (Generator.generate_member_move_expression):
1987         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
1988         (Test::HandleWheelEvent::HandleWheelEvent):
1989         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
1990         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
1991         (Test::MapInput::MapInput):
1992         (JSC::InputTraits<Test::MapInput>::decode):
1993         * runtime/ConsoleClient.cpp:
1994         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1995         (JSC::ConsoleClient::logWithLevel):
1996         (JSC::ConsoleClient::clear):
1997         (JSC::ConsoleClient::dir):
1998         (JSC::ConsoleClient::dirXML):
1999         (JSC::ConsoleClient::table):
2000         (JSC::ConsoleClient::trace):
2001         (JSC::ConsoleClient::assertCondition):
2002         (JSC::ConsoleClient::group):
2003         (JSC::ConsoleClient::groupCollapsed):
2004         (JSC::ConsoleClient::groupEnd):
2005         * runtime/JSNativeStdFunction.cpp:
2006         (JSC::JSNativeStdFunction::create):
2007         * runtime/JSString.h:
2008         (JSC::jsNontrivialString):
2009         * runtime/JSStringJoiner.cpp:
2010         (JSC::JSStringJoiner::join):
2011         * runtime/JSStringJoiner.h:
2012         (JSC::JSStringJoiner::append):
2013         * runtime/NativeStdFunctionCell.cpp:
2014         (JSC::NativeStdFunctionCell::create):
2015         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
2016         * runtime/ScopedArgumentsTable.cpp:
2017         (JSC::ScopedArgumentsTable::setLength):
2018         * runtime/StructureIDTable.cpp:
2019         (JSC::StructureIDTable::resize):
2020         * runtime/TypeSet.cpp:
2021         (JSC::StructureShape::inspectorRepresentation):
2022         * runtime/WeakGCMap.h:
2023         (JSC::WeakGCMap::set):
2024         * tools/CodeProfile.h:
2025         (JSC::CodeProfile::addChild):
2026         * yarr/YarrInterpreter.cpp:
2027         (JSC::Yarr::ByteCompiler::compile):
2028         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
2029         * yarr/YarrInterpreter.h:
2030         (JSC::Yarr::BytecodePattern::BytecodePattern):
2031         * yarr/YarrPattern.cpp:
2032         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
2033         (JSC::Yarr::YarrPatternConstructor::reset):
2034         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
2035         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
2036         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2037         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
2038         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
2039
2040 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
2041
2042         Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
2043         just forgot to do so in the last commit. Also update the date of the last commit in the
2044         ChangeLog.
2045
2046         * b3/air/AirIteratedRegisterCoalescing.cpp:
2047         * b3/air/AirOpcode.opcodes:
2048         * b3/air/AirTmpWidth.cpp:
2049         * b3/air/AirTmpWidth.h:
2050         * ftl/FTLB3Output.cpp:
2051         * ftl/FTLB3Output.h:
2052
2053 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
2054
2055         FTL B3 should be able to run all of the old V8v7 tests
2056         https://bugs.webkit.org/show_bug.cgi?id=152579
2057
2058         Reviewed by Saam Barati.
2059
2060         Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.
2061
2062         IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
2063         that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
2064         that doesn't happen if the src is an immediate.
2065
2066         This changes that condition in IRC to use the combined use/def width of both src and dst
2067         rather than being clever. This is great because it's the combined width that determines the
2068         size of the spill slot.
2069
2070         Also added some more debug support to TmpWidth.
2071
2072         This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
2073         operation. Also implements Output::unsignedToDouble(), since we already had everything we
2074         needed to implement this optimally.
2075
2076         * b3/air/AirIteratedRegisterCoalescing.cpp:
2077         * b3/air/AirOpcode.opcodes:
2078         * b3/air/AirTmpWidth.cpp:
2079         (JSC::B3::Air::TmpWidth::recompute):
2080         (JSC::B3::Air::TmpWidth::Widths::dump):
2081         * b3/air/AirTmpWidth.h:
2082         (JSC::B3::Air::TmpWidth::Widths::Widths):
2083         * ftl/FTLB3Output.cpp:
2084         (JSC::FTL::Output::doubleToUInt):
2085         (JSC::FTL::Output::unsignedToDouble):
2086         * ftl/FTLB3Output.h:
2087         (JSC::FTL::Output::zeroExt):
2088         (JSC::FTL::Output::zeroExtPtr):
2089         (JSC::FTL::Output::intToDouble):
2090         (JSC::FTL::Output::castToInt32):
2091         (JSC::FTL::Output::unsignedToDouble): Deleted.
2092
2093 2016-01-01  Jeff Miller  <jeffm@apple.com>
2094
2095         Update user-visible copyright strings to include 2016
2096         https://bugs.webkit.org/show_bug.cgi?id=152531
2097
2098         Reviewed by Alexey Proskuryakov.
2099
2100         * Info.plist:
2101
2102 2015-12-31  Andy Estes  <aestes@apple.com>
2103
2104         Fix warnings uncovered by migrating to WTF_MOVE
2105         https://bugs.webkit.org/show_bug.cgi?id=152601
2106
2107         Reviewed by Daniel Bates.
2108
2109         * create_regex_tables: Moving a return value prevented copy elision.
2110         * ftl/FTLUnwindInfo.cpp:
2111         (JSC::FTL::parseUnwindInfo): Ditto.
2112         * replay/EncodedValue.h: Ditto.
2113
2114 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
2115
2116         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
2117         https://bugs.webkit.org/show_bug.cgi?id=149615
2118
2119         Reviewed by Saam Barati.
2120
2121         Implemented lexical binding of the "super" property for arrow functions. The 'super' property can be
2122         accessed inside of an arrow function if the arrow function is nested in a constructor, method,
2123         getter or setter of a class. In the current patch, using 'super' in an arrow function that is declared
2124         outside of the class leads to the wrong type of error; it should be a SyntaxError (https://bugs.webkit.org/show_bug.cgi?id=150893)
2125         and this will be fixed in a separate patch.
2126
2127         * builtins/BuiltinExecutables.cpp:
2128         (JSC::createExecutableInternal):
2129         * bytecode/EvalCodeCache.h:
2130         (JSC::EvalCodeCache::getSlow):
2131         * bytecode/ExecutableInfo.h:
2132         (JSC::ExecutableInfo::ExecutableInfo):
2133         (JSC::ExecutableInfo::derivedContextType):
2134         (JSC::ExecutableInfo::isClassContext):
2135         * bytecode/UnlinkedCodeBlock.cpp:
2136         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2137         * bytecode/UnlinkedCodeBlock.h:
2138         (JSC::UnlinkedCodeBlock::derivedContextType):
2139         (JSC::UnlinkedCodeBlock::isClassContext):
2140         * bytecode/UnlinkedFunctionExecutable.cpp:
2141         (JSC::generateUnlinkedFunctionCodeBlock):
2142         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2143         * bytecode/UnlinkedFunctionExecutable.h:
2144         * bytecompiler/BytecodeGenerator.cpp:
2145         (JSC::BytecodeGenerator::BytecodeGenerator):
2146         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2147         * bytecompiler/BytecodeGenerator.h:
2148         (JSC::BytecodeGenerator::derivedContextType):
2149         (JSC::BytecodeGenerator::isDerivedConstructorContext):
2150         (JSC::BytecodeGenerator::isDerivedClassContext):
2151         (JSC::BytecodeGenerator::isArrowFunction):
2152         (JSC::BytecodeGenerator::makeFunction):
2153         * bytecompiler/NodesCodegen.cpp:
2154         (JSC::emitHomeObjectForCallee):
2155         (JSC::FunctionCallValueNode::emitBytecode):
2156         * debugger/DebuggerCallFrame.cpp:
2157         (JSC::DebuggerCallFrame::evaluate):
2158         * interpreter/Interpreter.cpp:
2159         (JSC::eval):
2160         * runtime/CodeCache.cpp:
2161         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2162         * runtime/Executable.cpp:
2163         (JSC::ScriptExecutable::ScriptExecutable):
2164         (JSC::EvalExecutable::create):
2165         (JSC::EvalExecutable::EvalExecutable):
2166         (JSC::ProgramExecutable::ProgramExecutable):
2167         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2168         (JSC::FunctionExecutable::FunctionExecutable):
2169         * runtime/Executable.h:
2170         (JSC::ScriptExecutable::derivedContextType):
2171         * runtime/JSGlobalObjectFunctions.cpp:
2172         (JSC::globalFuncEval):
2173         * tests/es6.yaml:
2174         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
2175
2176 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2177
2178         Unreviewed, relax limitation in operationCreateThis
2179         https://bugs.webkit.org/show_bug.cgi?id=152383
2180
2181         Unreviewed. operationCreateThis can now be called with a non-constructible function.
2182
2183         * dfg/DFGOperations.cpp:
2184
2185 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2186
2187         [ES6][ES7] Drop Constructability of generator function
2188         https://bugs.webkit.org/show_bug.cgi?id=152383
2189
2190         Reviewed by Saam Barati.
2191
2192         We drop the constructability of generator functions.
2193         This functionality has already landed in the ES 2016 draft[1].
2194         This also simplifies JSC's existing generator implementation
2195         by dropping the GeneratorThisMode flag.
2196
2197         [1]: https://github.com/tc39/ecma262/releases/tag/es2016-draft-20151201
2198
2199         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2200         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2201         * JavaScriptCore.xcodeproj/project.pbxproj:
2202         * builtins/BuiltinExecutables.cpp:
2203         (JSC::createExecutableInternal):
2204         * bytecode/ExecutableInfo.h:
2205         (JSC::ExecutableInfo::ExecutableInfo):
2206         (JSC::ExecutableInfo::generatorThisMode): Deleted.
2207         * bytecode/UnlinkedCodeBlock.cpp:
2208         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
2209         * bytecode/UnlinkedCodeBlock.h:
2210         (JSC::UnlinkedCodeBlock::generatorThisMode): Deleted.
2211         * bytecode/UnlinkedFunctionExecutable.cpp:
2212         (JSC::generateUnlinkedFunctionCodeBlock):
2213         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2214         * bytecode/UnlinkedFunctionExecutable.h:
2215         * bytecompiler/BytecodeGenerator.cpp:
2216         (JSC::BytecodeGenerator::BytecodeGenerator): Deleted.
2217         * bytecompiler/BytecodeGenerator.h:
2218         (JSC::BytecodeGenerator::makeFunction):
2219         (JSC::BytecodeGenerator::generatorThisMode): Deleted.
2220         * bytecompiler/NodesCodegen.cpp:
2221         (JSC::ThisNode::emitBytecode):
2222         * interpreter/Interpreter.cpp:
2223         (JSC::eval): Deleted.
2224         * runtime/CodeCache.cpp:
2225         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2226         * runtime/Executable.h:
2227         * runtime/GeneratorThisMode.h: Removed.
2228         * tests/stress/generator-eval-this.js:
2229         (shouldThrow):
2230         * tests/stress/generator-is-not-constructible.js: Added.
2231         (shouldThrow):
2232         (A.staticGen):
2233         (A.prototype.gen):
2234         (A):
2235         (TypeError):
2236         * tests/stress/generator-this.js:
2237         (shouldBe.g.next):
2238         * tests/stress/generator-with-new-target.js:
2239         (shouldThrow):
2240
2241 2015-12-27  Filip Pizlo  <fpizlo@apple.com>
2242
2243         FTL B3 should know that used registers are not the same thing as used registers. Rename the
2244         latter to unavailable registers to avoid future confusion.
2245         https://bugs.webkit.org/show_bug.cgi?id=152572
2246
2247         Reviewed by Saam Barati.
2248
2249         Prior to this change, we used the term "used registers" in two different senses:
2250
2251         - The set of registers that are live at some point in the current compilation unit. A
2252           register is live at some point if it is read after that point on some path through that
2253           point.
2254
2255         - The set of registers that are not available for scratch register use at some point. A
2256           register may not be available if it is live or if it is a callee-save register but it is
2257           not being saved by the current compilation.
2258
2259         In the old FTL LLVM code, we had some translations from the first sense into the second
2260         sense. We forgot to do those in FTL B3, and so we get crashes, for example in V8/splay. That
2261         benchmark highlighted this issue because it fired some lazy slow paths, and then used an
2262         unsaved callee-save for scratch.
2263  
2264         Curiously, we could merge these two definitions by observing that, in some sense, an unsaved
2265         callee save is live at every point in a compilation in the sense that it may contain a value
2266         that will be read when the compilation returns. That's pretty cool, but it feels strange to
2267         me. This isn't how we would normally define liveness of registers. It's not how the
2268         Air::TmpLiveness analysis would do it for any of its other clients.
2269
2270         So, this changes B3 to have two different concepts:
2271
2272         - Used registers. These are the registers that are live.
2273
2274         - Unavailable registers. These are the registers that are not available for scratch. It's
2275           always a superset of used registers.
2276
2277         This also changes FTLLower to use unavailableRegisters() pretty much everywhere that it
2278         previously used usedRegisters().
2279
2280         This makes it possible to run V8/splay.
2281
2282         * b3/B3StackmapGenerationParams.cpp:
2283         (JSC::B3::StackmapGenerationParams::usedRegisters):
2284         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2285         (JSC::B3::StackmapGenerationParams::proc):
2286         * b3/B3StackmapGenerationParams.h:
2287         * ftl/FTLLowerDFGToLLVM.cpp:
2288         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2289         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2290         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2291
2292 2015-12-25  Andy Estes  <aestes@apple.com>
2293
2294         Stop moving local objects in return statements
2295         https://bugs.webkit.org/show_bug.cgi?id=152557
2296
2297         Reviewed by Brady Eidson.
2298
2299         Calling std::move() on a local object in a return statement prevents the compiler from applying the return value optimization.
2300
2301         Clang can warn about these mistakes with -Wpessimizing-move, although only when std::move() is called directly.
2302         I found these issues by temporarily replacing WTF::move with std::move and recompiling.
2303
2304         * inspector/ScriptCallStack.cpp:
2305         (Inspector::ScriptCallStack::buildInspectorArray):
2306         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2307         (Inspector::buildInspectorObject):
2308         * jit/CallFrameShuffler.h:
2309         (JSC::CallFrameShuffler::snapshot):
2310         * runtime/TypeSet.cpp:
2311         (JSC::TypeSet::allStructureRepresentations):
2312         (JSC::StructureShape::inspectorRepresentation):
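
        The following is an added illustration of the point above, not code from this change or from
        WebKit: a copy/move-counting type shows that "return std::move(local)" always costs a move
        construction, while the plain "return local" lets the compiler build the result in place (NRVO)
        and otherwise falls back to a move, never a copy. The names Tracked, Counts, measure,
        returnWithStdMove and returnPlain are assumptions made for the example.

```cpp
#include <cstdio>
#include <utility>

// Instrumented value type that counts how it gets constructed. Added
// illustration, not WebKit code: the counters let us see what each form of
// return statement costs.
struct Tracked {
    static int copies;
    static int moves;
    int payload = 0;

    Tracked() = default;
    Tracked(const Tracked& other) : payload(other.payload) { ++copies; }
    Tracked(Tracked&& other) noexcept : payload(other.payload) { ++moves; }
};
int Tracked::copies = 0;
int Tracked::moves = 0;

// The pattern this change removes: std::move() on a local in a return
// statement. The explicit cast forces a move construction of the return value
// and blocks named return value optimization (NRVO). Clang's
// -Wpessimizing-move reports this line; a wrapper such as WTF::move hides it.
Tracked returnWithStdMove()
{
    Tracked local;
    local.payload = 42;
    return std::move(local);
}

// The corrected form. A plain return of a local lets the compiler construct
// the result in place (NRVO). When it does not, the local is already treated
// as an rvalue here, so the fallback is a move, never a copy.
Tracked returnPlain()
{
    Tracked local;
    local.payload = 42;
    return local;
}

struct Counts {
    int copies;
    int moves;
    int payload;
};

// Calls one of the two functions above with the counters reset and reports
// what the call cost.
Counts measure(Tracked (*function)())
{
    Tracked::copies = 0;
    Tracked::moves = 0;
    Tracked result = function();
    return { Tracked::copies, Tracked::moves, result.payload };
}

Counts measureStdMoveReturn() { return measure(returnWithStdMove); }
Counts measurePlainReturn() { return measure(returnPlain); }

int main()
{
    Counts withMove = measureStdMoveReturn();
    Counts plain = measurePlainReturn();
    std::printf("return std::move(local): %d copies, %d moves\n", withMove.copies, withMove.moves);
    std::printf("return local:            %d copies, %d moves\n", plain.copies, plain.moves);
    return 0;
}
```

        With any mainstream compiler the std::move form reports at least one move construction and the
        plain form reports no more than that (zero when NRVO applies); neither form ever copies.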
2313
2314 2015-12-26  Mark Lam  <mark.lam@apple.com>
2315
2316         Rename NodeMayOverflowInXXX to NodeMayOverflowInt32InXXX.
2317         https://bugs.webkit.org/show_bug.cgi?id=152555
2318
2319         Reviewed by Alex Christensen.
2320
2321         That's because the NodeMayOverflowInBaseline and NodeMayOverflowInDFG flags only
2322         indicate potential overflowing of Int32 values.  We'll be adding overflow
2323         profiling for Int52 values later, and we should disambiguate between the 2 types.
2324
2325         This is purely a renaming patch.  There are no semantic changes.
2326
2327         * dfg/DFGByteCodeParser.cpp:
2328         (JSC::DFG::ByteCodeParser::makeSafe):
2329         (JSC::DFG::ByteCodeParser::makeDivSafe):
2330         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2331         * dfg/DFGNodeFlags.cpp:
2332         (JSC::DFG::dumpNodeFlags):
2333         * dfg/DFGNodeFlags.h:
2334         (JSC::DFG::nodeMayOverflowInt32):
2335         (JSC::DFG::nodeCanSpeculateInt32):
2336         (JSC::DFG::nodeMayOverflow): Deleted.
2337
2338 2015-12-23  Andreas Kling  <akling@apple.com>
2339
2340         jsc CLI tool crashes on EOF.
2341         <https://webkit.org/b/152522>
2342
2343         Reviewed by Benjamin Poulain.
2344
2345         SourceProvider should treat String() like the empty string for hashing purposes.
2346         This was a subtle behavior change in r194017 due to how zero-length strings are
2347         treated by StringImpl::createSubstringSharingImpl().
2348
2349         I made these SourceProviders store a Ref<StringImpl> internally instead of a
2350         String, to codify the fact that these strings can't be null strings.
2351
2352         I couldn't find a way to cause this crash through the API.
2353
2354         * API/JSScriptRef.cpp:
2355         (OpaqueJSScript::OpaqueJSScript):
2356         * parser/SourceProvider.h:
2357         (JSC::StringSourceProvider::StringSourceProvider):
2358
2359 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
2360
2361         FTL B3 should be able to run crypto-sha1 in eager mode
2362         https://bugs.webkit.org/show_bug.cgi?id=152539
2363
2364         Reviewed by Saam Barati.
2365
2366         This patch contains one real bug fix and some other fixes that are primarily there for sanity
2367         because I don't believe they are symptomatic.
2368
2369         The real fix is the instruction selector's handling of Phi. It was assuming that the correct
2370         lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
2371         that the Phi uses. But this fails for code patterns like:
2372
2373             @a = Phi()
2374             Upsilon(@x, ^a)
2375             use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.
2376
2377         This arises when we have a lot of Upsilons in a row and they are trying to perform a
2378         shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
2379         wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
2380         stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
2381         so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
2382         this. In fact, I believe that the only time that this would lead to extra interference or
2383         extra assignments is when it's actually needed to be correct.
2384
2385         This also contains other fixes, which are probably not for real bugs, but they make me feel
2386         all warm and fuzzy:
2387
2388         - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
2389           a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
2390           to spill slots and amends them with zero-fills of the top bits.
2391
2392         - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
2393           results, the subwidth ZDef bug would return.  That probably means that it was never fixed
2394           to begin with, since it's totally cool for just a single def or use of a tmp to cause it
2395           to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
2396           fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
2397           This is abstracted behind the beautifully named Air::fixSpillSlotZDef().
2398
2399         - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
2400           something before defining it, validate() will tell you.
2401
2402         - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
2403           an Option; you have to hack code. But that's better than nothing, and it's consistent with
2404           what we do for other super-internal compiler options that we use rarely.
2405
2406         - You can now run spillEverything() without hacking code.  Just use
2407           Options::airSpillSeverything().
2408
2409         * JavaScriptCore.xcodeproj/project.pbxproj:
2410         * b3/B3LowerToAir.cpp:
2411         (JSC::B3::Air::LowerToAir::LowerToAir):
2412         (JSC::B3::Air::LowerToAir::run):
2413         (JSC::B3::Air::LowerToAir::lower):
2414         * b3/B3Validate.cpp:
2415         * b3/air/AirCode.h:
2416         (JSC::B3::Air::Code::specials):
2417         (JSC::B3::Air::Code::forAllTmps):
2418         (JSC::B3::Air::Code::isFastTmp):
2419         * b3/air/AirFixSpillSlotZDef.h: Added.
2420         (JSC::B3::Air::fixSpillSlotZDef):
2421         * b3/air/AirGenerate.cpp:
2422         (JSC::B3::Air::prepareForGeneration):
2423         * b3/air/AirIteratedRegisterCoalescing.cpp:
2424         * b3/air/AirSpillEverything.cpp:
2425         (JSC::B3::Air::spillEverything):
2426         * b3/air/AirTmpWidth.cpp:
2427         (JSC::B3::Air::TmpWidth::recompute):
2428         * jit/JITOperations.cpp:
2429         * runtime/Options.h:
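
        An added model of the Phi/Upsilon issue described above (illustration only, not JSC's own code):
        a tiny interpreter runs the swap pattern "@a = Phi(), @b = Phi(); Upsilon(@b, ^a); Upsilon(@a, ^b);
        use(@a); use(@b)" around a loop twice, once with the old lowering (Upsilon writes straight into the
        Phi's tmp and Phi is a no-op) and once with the shadow-tmp lowering (Upsilon writes a per-Phi shadow
        slot and Phi copies the shadow into its tmp). The Op, Inst, run and runSwapLoop names are
        assumptions made for the example.

```cpp
#include <cstddef>
#include <vector>

// Three instruction kinds are enough to model the problem: Phi defines a tmp,
// Upsilon feeds a Phi, and Use records what a later read of a tmp observes.
enum class Op { Phi, Upsilon, Use };

struct Inst {
    Op op;
    size_t tmp;    // Phi: tmp it defines. Upsilon: tmp of the Phi it feeds. Use: tmp read.
    size_t source; // Upsilon only: tmp whose current value is passed to the Phi.
};

// Executes `prologue` once (the entry block's Upsilons) and then `body` for
// `trips` iterations of the loop. With useShadowTmps == false this is the
// lowering the entry found to be wrong: Upsilon stores directly into the
// Phi's tmp and Phi does nothing. With useShadowTmps == true, Upsilon stores
// into a per-Phi shadow slot and Phi loads from it, so a Use after an
// Upsilon still sees the value the Phi produced at the top of this trip.
// Returns the values observed by the Use instructions, in execution order.
std::vector<int> run(std::vector<int> tmps, const std::vector<Inst>& prologue,
                     const std::vector<Inst>& body, size_t trips, bool useShadowTmps)
{
    std::vector<int> shadow(tmps.size(), 0); // one shadow slot per tmp (only Phi tmps are used)
    std::vector<int> observed;
    auto exec = [&](const Inst& inst) {
        switch (inst.op) {
        case Op::Phi:
            if (useShadowTmps)
                tmps[inst.tmp] = shadow[inst.tmp];
            break;
        case Op::Upsilon:
            if (useShadowTmps)
                shadow[inst.tmp] = tmps[inst.source];
            else
                tmps[inst.tmp] = tmps[inst.source];
            break;
        case Op::Use:
            observed.push_back(tmps[inst.tmp]);
            break;
        }
    };
    for (const Inst& inst : prologue)
        exec(inst);
    for (size_t trip = 0; trip < trips; ++trip) {
        for (const Inst& inst : body)
            exec(inst);
    }
    return observed;
}

// Constructed program: tmp0 and tmp1 hold the constants 1 and 2; tmp2 is @a
// and tmp3 is @b. The loop body swaps @a and @b through the two Phis.
std::vector<int> runSwapLoop(bool useShadowTmps)
{
    enum { One = 0, Two = 1, A = 2, B = 3 };
    std::vector<int> tmps = { 1, 2, 0, 0 };
    std::vector<Inst> prologue = { { Op::Upsilon, A, One }, { Op::Upsilon, B, Two } };
    std::vector<Inst> body = {
        { Op::Phi, A, 0 },     { Op::Phi, B, 0 },
        { Op::Upsilon, A, B }, { Op::Upsilon, B, A },
        { Op::Use, A, 0 },     { Op::Use, B, 0 },
    };
    return run(tmps, prologue, body, 2, useShadowTmps);
}
```

        The shadow-tmp lowering observes (a, b) = (1, 2) on the first trip and (2, 1) on the second, which
        is the swap the program asks for. The direct lowering observes (2, 2) on both trips: the second
        Upsilon reads an @a that the first Upsilon has already overwritten, exactly the clobbering the
        entry describes.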
2430
2431 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
2432
2433         Need a story for platform-specific Args
2434         https://bugs.webkit.org/show_bug.cgi?id=152529
2435
2436         Reviewed by Michael Saboff.
2437
2438         This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
2439         uses this to avoid immediates and addresses that the target wouldn't like.
2440
2441         This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.
2442
2443         * b3/B3LowerToAir.cpp:
2444         (JSC::B3::Air::LowerToAir::crossesInterference):
2445         (JSC::B3::Air::LowerToAir::effectiveAddr):
2446         (JSC::B3::Air::LowerToAir::addr):
2447         (JSC::B3::Air::LowerToAir::loadPromise):
2448         (JSC::B3::Air::LowerToAir::imm):
2449         (JSC::B3::Air::LowerToAir::lower):
2450         * b3/air/AirAllocateStack.cpp:
2451         (JSC::B3::Air::allocateStack):
2452         * b3/air/AirArg.h:
2453         (JSC::B3::Air::Arg::Arg):
2454         (JSC::B3::Air::Arg::imm):
2455         (JSC::B3::Air::Arg::imm64):
2456         (JSC::B3::Air::Arg::callArg):
2457         (JSC::B3::Air::Arg::isValidScale):
2458         (JSC::B3::Air::Arg::tmpIndex):
2459         (JSC::B3::Air::Arg::withOffset):
2460         (JSC::B3::Air::Arg::isValidImmForm):
2461         (JSC::B3::Air::Arg::isValidAddrForm):
2462         (JSC::B3::Air::Arg::isValidIndexForm):
2463         (JSC::B3::Air::Arg::isValidForm):
2464         (JSC::B3::Air::Arg::forEachTmpFast):
2465         * b3/air/opcode_generator.rb:
2466
2467 2015-12-23  Keith Miller  <keith_miller@apple.com>
2468
2469         [JSC] Bugfix for intrinsic getters with dictionary structures.
2470         https://bugs.webkit.org/show_bug.cgi?id=152538
2471
2472         Reviewed by Mark Lam.
2473
2474         Intrinsic getters did not check if an object was a dictionary. This meant, if a property on
2475         the prototype chain of a dictionary was an intrinsic getter we would IC it. Later, if a
2476         property is added to the dictionary the IC would still return the result of the intrinsic.
2477         The fix is to no longer IC intrinsic getters if the base object is a dictionary.
2478
2479         * jit/Repatch.cpp:
2480         (JSC::tryCacheGetByID):
2481         * tests/stress/typedarray-length-dictionary.js: Added.
2482         (len):
2483
2484 2015-12-23  Andy VanWagoner  <andy@instructure.com>
2485
2486         [INTL] Implement DateTime Format Functions
2487         https://bugs.webkit.org/show_bug.cgi?id=147606
2488
2489         Reviewed by Benjamin Poulain.
2490
2491         Initialize a UDateFormat from the generated pattern. Use udat_format()
2492         to format the value. Make sure that the UDateFormat is cleaned up when
2493         the DateTimeFormat is deconstructed.
2494
2495         * runtime/IntlDateTimeFormat.cpp:
2496         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
2497         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2498         (JSC::IntlDateTimeFormat::format):
2499         * runtime/IntlDateTimeFormat.h:
2500
2501 2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>
2502
2503         [INTL] Implement String.prototype.localeCompare in ECMA-402
2504         https://bugs.webkit.org/show_bug.cgi?id=147607
2505
2506         Reviewed by Benjamin Poulain.
2507
2508         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
2509         Keep existing native implementation for use if INTL flag is disabled.
2510         For the common case where no locale or options are specified, avoid creating
2511         a new collator and just use the prototype which is initialized with the defaults.
2512
2513         * CMakeLists.txt:
2514         * DerivedSources.make:
2515         * JavaScriptCore.xcodeproj/project.pbxproj:
2516         * builtins/StringPrototype.js: Added.
2517         (localeCompare):
2518         * runtime/StringPrototype.cpp:
2519         (JSC::StringPrototype::finishCreation):
2520
2521 2015-12-23  Benjamin Poulain  <benjamin@webkit.org>
2522
2523         Fix x86_64 after r194388
2524
2525         * b3/B3LowerToAir.cpp:
2526         (JSC::B3::Air::LowerToAir::appendShift):
2527         (JSC::B3::Air::LowerToAir::lower):
2528         (JSC::B3::Air::LowerToAir::lowerX86Div):
2529
2530 2015-12-23  Benjamin Poulain  <bpoulain@apple.com>
2531
2532         [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
2533         https://bugs.webkit.org/show_bug.cgi?id=152503
2534
2535         Reviewed by Filip Pizlo.
2536
2537         It is not working but it builds.
2538
2539         * assembler/ARM64Assembler.h:
2540         (JSC::ARM64Assembler::vand):
2541         (JSC::ARM64Assembler::vectorDataProcessing2Source):
2542         * assembler/MacroAssemblerARM64.h:
2543         (JSC::MacroAssemblerARM64::add32):
2544         (JSC::MacroAssemblerARM64::add64):
2545         (JSC::MacroAssemblerARM64::countLeadingZeros64):
2546         (JSC::MacroAssemblerARM64::not32):
2547         (JSC::MacroAssemblerARM64::not64):
2548         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2549         (JSC::MacroAssemblerARM64::signExtend16To32):
2550         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2551         (JSC::MacroAssemblerARM64::signExtend8To32):
2552         (JSC::MacroAssemblerARM64::addFloat):
2553         (JSC::MacroAssemblerARM64::ceilFloat):
2554         (JSC::MacroAssemblerARM64::branchDouble):
2555         (JSC::MacroAssemblerARM64::branchFloat):
2556         (JSC::MacroAssemblerARM64::divFloat):
2557         (JSC::MacroAssemblerARM64::moveZeroToDouble):
2558         (JSC::MacroAssemblerARM64::moveFloatTo32):
2559         (JSC::MacroAssemblerARM64::move32ToFloat):
2560         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2561         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2562         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2563         (JSC::MacroAssemblerARM64::mulFloat):
2564         (JSC::MacroAssemblerARM64::andDouble):
2565         (JSC::MacroAssemblerARM64::andFloat):
2566         (JSC::MacroAssemblerARM64::sqrtFloat):
2567         (JSC::MacroAssemblerARM64::subFloat):
2568         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
2569         (JSC::MacroAssemblerARM64::moveConditionally32):
2570         (JSC::MacroAssemblerARM64::moveConditionally64):
2571         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2572         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2573         (JSC::MacroAssemblerARM64::test32):
2574         (JSC::MacroAssemblerARM64::setCarry):
2575         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
2576         * assembler/MacroAssemblerX86.h:
2577         (JSC::MacroAssemblerX86::moveDoubleToInts):
2578         (JSC::MacroAssemblerX86::moveIntsToDouble):
2579         * assembler/MacroAssemblerX86Common.h:
2580         (JSC::MacroAssemblerX86Common::move32ToFloat):
2581         (JSC::MacroAssemblerX86Common::moveFloatTo32):
2582         (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
2583         (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
2584         * b3/B3LowerToAir.cpp:
2585         (JSC::B3::Air::LowerToAir::appendShift):
2586         (JSC::B3::Air::LowerToAir::lower):
2587         * b3/air/AirInstInlines.h:
2588         (JSC::B3::Air::isX86DivHelperValid):
2589         * b3/air/AirOpcode.opcodes:
2590         * jit/AssemblyHelpers.h:
2591         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
2592         (JSC::AssemblyHelpers::emitFunctionEpilogue):
2593         * jit/FPRInfo.h:
2594         (JSC::FPRInfo::toArgumentRegister):
2595
2596 2015-12-23  Andy VanWagoner  <andy@instructure.com>
2597
2598         [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
2599         https://bugs.webkit.org/show_bug.cgi?id=147603
2600
2601         Reviewed by Benjamin Poulain.
2602
2603         Implements InitializeDateTimeFormat and related abstract operations
2604         using ICU. Lazy initialization is used for DateTimeFormat.prototype.
2605         Refactor to align with Collator work.
2606
2607         * icu/unicode/udatpg.h: Added.
2608         * icu/unicode/unumsys.h: Added.
2609         * runtime/CommonIdentifiers.h:
2610         * runtime/IntlDateTimeFormat.cpp:
2611         (JSC::defaultTimeZone):
2612         (JSC::canonicalizeTimeZoneName):
2613         (JSC::localeData):
2614         (JSC::toDateTimeOptions):
2615         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2616         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2617         (JSC::IntlDateTimeFormat::weekdayString):
2618         (JSC::IntlDateTimeFormat::eraString):
2619         (JSC::IntlDateTimeFormat::yearString):
2620         (JSC::IntlDateTimeFormat::monthString):
2621         (JSC::IntlDateTimeFormat::dayString):
2622         (JSC::IntlDateTimeFormat::hourString):
2623         (JSC::IntlDateTimeFormat::minuteString):
2624         (JSC::IntlDateTimeFormat::secondString):
2625         (JSC::IntlDateTimeFormat::timeZoneNameString):
2626         (JSC::IntlDateTimeFormat::resolvedOptions):
2627         (JSC::IntlDateTimeFormat::format):
2628         (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted.
2629         * runtime/IntlDateTimeFormat.h:
2630         * runtime/IntlDateTimeFormatConstructor.cpp:
2631         (JSC::constructIntlDateTimeFormat):
2632         (JSC::callIntlDateTimeFormat):
2633         * runtime/IntlDateTimeFormatPrototype.cpp:
2634         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2635         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2636         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2637         * runtime/IntlObject.cpp:
2638         (JSC::resolveLocale):
2639         (JSC::getNumberingSystemsForLocale):
2640         * runtime/IntlObject.h:
2641
2642 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
2643
2644         REGRESSION(194382): FTL B3 no longer runs V8/encrypt
2645         https://bugs.webkit.org/show_bug.cgi?id=152519
2646
2647         Reviewed by Saam Barati.
2648
2649         A "Move Imm, Tmp" instruction should turn into "Move32 Imm, Tmp" if the Tmp is spilled to a
2650         32-bit slot. Changing where we check isTmp() achieves this. Since all of the logic is only
2651         relevant to when we spill without introducing a Tmp, and since a Move does not have a "Move Addr,
2652         Addr" form, this code ensures that the logic only happens for "Tmp, Tmp" and "Imm, Tmp".
2653
2654         * b3/air/AirIteratedRegisterCoalescing.cpp:
2655         * dfg/DFGOperations.cpp:
2656
2657 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
2658
2659         FTL B3 should use the right type for comparison slow paths
2660         https://bugs.webkit.org/show_bug.cgi?id=152521
2661
2662         Reviewed by Saam Barati.
2663
2664         Fixes a small goof that was leading to B3 validation failures.
2665
2666         * ftl/FTLLowerDFGToLLVM.cpp:
2667         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2668
2669 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
2670
2671         FTL B3 should be able to run richards
2672         https://bugs.webkit.org/show_bug.cgi?id=152514
2673
2674         Reviewed by Michael Saboff.
2675
2676         This came down to a liveness bug and a register allocation bug.
2677
2678         The liveness bug was that the code that determined whether we should go around the fixpoint
2679         assumed that BitVector::quickSet() would return true if the bit changed state from false to
2680         true. That's not how it works. It returns the old value of the bit, so it will return false
2681         if the bit changed from false to true. Since there is already a lot of code that relies on
2682         this behavior, I fixed Liveness instead of changing BitVector.
2683
2684         The register allocation bug was that we weren't guarding some checks of tmp()'s with checks
2685         that the Arg isTmp().
2686
2687         The liveness took a long time to track down, and I needed to add a lot of dumping to do it.
2688         It's now possible to dump more of the liveness states, including liveAtHead. I found this
2689         extremely helpful, so I removed the code that cleared liveAtHead.
2690
2691         * b3/air/AirIteratedRegisterCoalescing.cpp:
2692         * b3/air/AirLiveness.h:
2693         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2694         (JSC::B3::Air::AbstractLiveness::Iterable::Iterable):
2695         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator):
2696         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*):
2697         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++):
2698         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==):
2699         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=):
2700         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
2701         (JSC::B3::Air::AbstractLiveness::Iterable::end):
2702         (JSC::B3::Air::AbstractLiveness::liveAtHead):
2703         (JSC::B3::Air::AbstractLiveness::liveAtTail):
2704         * b3/air/AirStackSlot.h:
2705         (WTF::printInternal):
2706         * ftl/FTLOSRExitCompiler.cpp:
2707         (JSC::FTL::compileFTLOSRExit):
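
        An added illustration of the liveness bug described above (not WebKit's code; the Block,
        computeLiveAtHead and sampleCfg names are assumptions made for the example): a toy bit vector
        whose quickSet() returns the bit's old value, as the entry says WTF::BitVector::quickSet() does,
        drives a block-level backward liveness fixpoint. Misreading that return value as "the bit changed"
        makes the loop stop after its first pass, so a tmp read at the end of a chain of blocks never
        becomes live at the head of the blocks upstream of it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Toy bit vector with the quickSet() contract the entry describes: the return
// value is the OLD value of the bit. It is true when the bit was already set
// and false when this call is the one that set it.
struct BitVector {
    uint64_t bits = 0;

    bool quickSet(size_t i)
    {
        bool old = (bits >> i) & 1;
        bits |= uint64_t(1) << i;
        return old;
    }
    bool get(size_t i) const { return (bits >> i) & 1; }
};

// A basic block for block-level liveness. Tmps are small integers; all uses
// in a block are assumed to happen before its defs.
struct Block {
    std::vector<size_t> uses;
    std::vector<size_t> defs;
    std::vector<size_t> successors;
};

// Iterates liveAtHead to a fixpoint. `misreadQuickSet` reproduces the mistake
// the entry describes: treating quickSet()'s return value as "this bit
// changed" instead of "this bit was already set".
std::vector<BitVector> computeLiveAtHead(const std::vector<Block>& blocks, bool misreadQuickSet)
{
    std::vector<BitVector> liveAtHead(blocks.size());
    bool changed;
    do {
        changed = false;
        for (size_t b = 0; b < blocks.size(); ++b) {
            // liveAtTail is the union of the successors' liveAtHead.
            uint64_t live = 0;
            for (size_t s : blocks[b].successors)
                live |= liveAtHead[s].bits;
            // liveAtHead = uses plus (liveAtTail minus defs).
            for (size_t d : blocks[b].defs)
                live &= ~(uint64_t(1) << d);
            for (size_t u : blocks[b].uses)
                live |= uint64_t(1) << u;
            // Merge bit by bit so each insertion can vote on another round.
            for (size_t i = 0; i < 64; ++i) {
                if (!((live >> i) & 1))
                    continue;
                bool wasAlreadySet = liveAtHead[b].quickSet(i);
                if (misreadQuickSet)
                    changed |= wasAlreadySet;  // bug: false for every fresh bit, so pass 1 is the last
                else
                    changed |= !wasAlreadySet; // fix: a newly set bit means the sets have grown
            }
        }
    } while (changed);
    return liveAtHead;
}

// Constructed sample CFG: B0 -> B1 -> B2. Tmp 3 is read in B2; tmp 5 is
// written in B1 and read in B2, so it is live at B2's head but not at B1's.
std::vector<Block> sampleCfg()
{
    return {
        { {}, {}, { 1 } },     // B0: no uses, no defs, falls through to B1
        { {}, { 5 }, { 2 } },  // B1: defines tmp 5, falls through to B2
        { { 3, 5 }, {}, {} },  // B2: reads tmps 3 and 5, exits
    };
}

int main()
{
    for (bool buggy : { false, true }) {
        std::vector<BitVector> live = computeLiveAtHead(sampleCfg(), buggy);
        std::printf("%s: tmp 3 live at head of B0? %s\n", buggy ? "misread" : "fixed",
                    live[0].get(3) ? "yes" : "no");
    }
    return 0;
}
```

        Processing the blocks in forward order, the first pass only discovers liveness inside B2; the
        misreading variant then exits, leaving tmp 3 dead at the heads of B0 and B1, while the fixed
        variant goes around twice more and propagates it back to B0.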
2708
2709 2015-12-22  Saam barati  <sbarati@apple.com>
2710
2711         Cloop build fix after https://bugs.webkit.org/show_bug.cgi?id=152511.
2712
2713         Unreviewed build fix.
2714
2715         * runtime/Options.cpp:
2716         (JSC::recomputeDependentOptions):
2717
2718 2015-12-22  Saam barati  <sbarati@apple.com>
2719
2720         Work around issue in bug #152510
2721         https://bugs.webkit.org/show_bug.cgi?id=152511
2722
2723         Reviewed by Filip Pizlo.
2724
2725         * runtime/Options.cpp:
2726         (JSC::recomputeDependentOptions):
2727
2728 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
2729
2730         FTL B3 does not logicalNot correctly
2731         https://bugs.webkit.org/show_bug.cgi?id=152512
2732
2733         Reviewed by Saam Barati.
2734
2735         I'm working on a bug where V8/richards does not run correctly. I noticed that the codegen was
2736         doing a lot of Not32's followed by branches, which smelled like badness. To debug this, I
2737         needed B3's origins to dump as something other than a hexed pointer to a node. The node index
2738         would be better. So, I added the notion of an origin printer to Procedure.
2739
2740         The bug was easy enough to fix. This introduces Output::logicalNot(). In LLVM, it's the same
2741         as bitNot(). In B3, it's compiled to Equal(value, 0). We could have also compiled it to
2742         BitXor(value, 1), except that B3 will strength-reduce to that anyway whenever it's safe. It's
2743         sort of nice that right now, you could use logicalNot() on non-bool values and get C-like
2744         behavior.
2745
2746         Richards still doesn't run, though. There are more bugs!
2747
2748         * JavaScriptCore.xcodeproj/project.pbxproj:
2749         * b3/B3BasicBlock.cpp:
2750         (JSC::B3::BasicBlock::dump):
2751         (JSC::B3::BasicBlock::deepDump):
2752         * b3/B3BasicBlock.h:
2753         (JSC::B3::BasicBlock::frequency):
2754         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
2755         (JSC::B3::DeepBasicBlockDump::dump):
2756         (JSC::B3::deepDump):
2757         * b3/B3LowerToAir.cpp:
2758         (JSC::B3::Air::LowerToAir::run):
2759         (JSC::B3::Air::LowerToAir::lower):
2760         * b3/B3Origin.h:
2761         (JSC::B3::Origin::data):
2762         * b3/B3OriginDump.h: Added.
2763         (JSC::B3::OriginDump::OriginDump):
2764         (JSC::B3::OriginDump::dump):
2765         * b3/B3Procedure.cpp:
2766         (JSC::B3::Procedure::~Procedure):
2767         (JSC::B3::Procedure::printOrigin):
2768         (JSC::B3::Procedure::addBlock):
2769         (JSC::B3::Procedure::dump):
2770         * b3/B3Procedure.h:
2771         (JSC::B3::Procedure::setOriginPrinter):
2772         * b3/B3Value.cpp:
2773         (JSC::B3::Value::dumpChildren):
2774         (JSC::B3::Value::deepDump):
2775         * b3/B3Value.h:
2776         (JSC::B3::DeepValueDump::DeepValueDump):
2777         (JSC::B3::DeepValueDump::dump):
2778         (JSC::B3::deepDump):
2779         * ftl/FTLB3Output.cpp:
2780         (JSC::FTL::Output::lockedStackSlot):
2781         (JSC::FTL::Output::bitNot):
2782         (JSC::FTL::Output::logicalNot):
2783         (JSC::FTL::Output::load):
2784         * ftl/FTLB3Output.h:
2785         (JSC::FTL::Output::aShr):
2786         (JSC::FTL::Output::lShr):
2787         (JSC::FTL::Output::ctlz32):
2788         (JSC::FTL::Output::addWithOverflow32):
2789         (JSC::FTL::Output::lessThanOrEqual):
2790         (JSC::FTL::Output::doubleEqual):
2791         (JSC::FTL::Output::doubleEqualOrUnordered):
2792         (JSC::FTL::Output::doubleNotEqualOrUnordered):
2793         (JSC::FTL::Output::doubleLessThan):
2794         (JSC::FTL::Output::doubleLessThanOrEqual):
2795         (JSC::FTL::Output::doubleGreaterThan):
2796         (JSC::FTL::Output::doubleGreaterThanOrEqual):
2797         (JSC::FTL::Output::doubleNotEqualAndOrdered):
2798         (JSC::FTL::Output::doubleLessThanOrUnordered):
2799         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
2800         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
2801         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
2802         (JSC::FTL::Output::isZero32):
2803         (JSC::FTL::Output::notZero32):
2804         (JSC::FTL::Output::addIncomingToPhi):
2805         (JSC::FTL::Output::bitCast):
2806         (JSC::FTL::Output::bitNot): Deleted.
2807         * ftl/FTLLowerDFGToLLVM.cpp:
2808         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
2809         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
2810         (JSC::FTL::DFG::LowerDFGToLLVM::compileLogicalNot):
2811         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2812         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
2813         (JSC::FTL::DFG::LowerDFGToLLVM::compileCountExecution):
2814         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
2815         (JSC::FTL::DFG::LowerDFGToLLVM::isMisc):
2816         (JSC::FTL::DFG::LowerDFGToLLVM::isNotBoolean):
2817         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean):
2818         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean):
2819         (JSC::FTL::DFG::LowerDFGToLLVM::isNotType):
2820         (JSC::FTL::DFG::LowerDFGToLLVM::speculateObject):
2821         * ftl/FTLOutput.h:
2822         (JSC::FTL::Output::aShr):
2823         (JSC::FTL::Output::lShr):
2824         (JSC::FTL::Output::bitNot):
2825         (JSC::FTL::Output::logicalNot):
2826         (JSC::FTL::Output::insertElement):
2827         * ftl/FTLState.cpp:
2828         (JSC::FTL::State::State):
2829
2830 2015-12-22  Keith Miller  <keith_miller@apple.com>
2831
2832         Remove OverridesHasInstance from TypeInfoFlags
2833         https://bugs.webkit.org/show_bug.cgi?id=152005
2834
2835         Reviewed by Saam Barati.
2836
2837         Currently, we have three TypeInfo flags associated with instanceof behavior,
2838         ImplementsHasInstance, ImplementDefaultHasInstance, and OverridesHasInstance. This patch
2839         removes the third and moves the first to the out of line flags. In theory, we should only
2840         need one flag but removing ImplementsHasInstance is more involved and should be done in a
2841         separate patch.
2842
2843         * API/JSCallbackConstructor.h:
2844         * API/JSCallbackObject.h:
2845         * jit/JITOpcodes.cpp:
2846         (JSC::JIT::emit_op_overrides_has_instance):
2847         * jit/JITOpcodes32_64.cpp:
2848         (JSC::JIT::emit_op_overrides_has_instance):
2849         * llint/LLIntData.cpp:
2850         (JSC::LLInt::Data::performAssertions):
2851         * llint/LowLevelInterpreter.asm:
2852         * runtime/InternalFunction.h:
2853         * runtime/JSBoundFunction.h:
2854         * runtime/JSCallee.h:
2855         * runtime/JSTypeInfo.h:
2856         (JSC::TypeInfo::implementsHasInstance):
2857         (JSC::TypeInfo::TypeInfo): Deleted.
2858         (JSC::TypeInfo::overridesHasInstance): Deleted.
2859         * runtime/NumberConstructor.h:
2860
2861 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
2862
2863         FTL B3 should do tail calls
2864         https://bugs.webkit.org/show_bug.cgi?id=152494
2865
2866         Reviewed by Michael Saboff.
2867
2868         OMG this was so easy.
2869
2870         The only shady part is that I broke a layering rule that we had so far been following: B3 was
2871         sitting below the JSC runtime, and did not use JS-specific types. No more, since B3::ValueRep
2872         can now turn itself into a ValueRecovery for a JSValue. This small feature makes a huge
2873         difference for the readability of tail call code: it makes it plain that the call frame
2874         shuffler is basically just directly consuming the stackmap generation params, and insofar as
2875         there is any data transformation, it's just because it uses different classes to say the same
2876         thing.
2877
2878         I think we should avoid adding too many JS-specific things to B3. But, so long as it's still
2879         possible to use B3 to compile things that aren't JS, I think we'll be fine.
2880
2881         * b3/B3ValueRep.cpp:
2882         (JSC::B3::ValueRep::dump):
2883         (JSC::B3::ValueRep::emitRestore):
2884         (JSC::B3::ValueRep::recoveryForJSValue):
2885         * b3/B3ValueRep.h:
2886         * ftl/FTLLowerDFGToLLVM.cpp:
2887         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2888         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2889         * test/stress/ftl-tail-call.js: Added.
2890
2891 2015-12-21  Mark Lam  <mark.lam@apple.com>
2892
2893         Snippefy op_negate for the baseline JIT.
2894         https://bugs.webkit.org/show_bug.cgi?id=152447
2895
2896         Reviewed by Benjamin Poulain.
2897
2898         * CMakeLists.txt:
2899         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2900         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2901         * JavaScriptCore.xcodeproj/project.pbxproj:
2902         * jit/JITArithmetic.cpp:
2903         (JSC::JIT::emit_op_unsigned):
2904         (JSC::JIT::emit_op_negate):
2905         (JSC::JIT::emitSlow_op_negate):
2906         (JSC::JIT::emitBitBinaryOpFastPath):
2907         * jit/JITArithmetic32_64.cpp:
2908         (JSC::JIT::emit_compareAndJump):
2909         (JSC::JIT::emit_op_negate): Deleted.
2910         (JSC::JIT::emitSlow_op_negate): Deleted.
2911         * jit/JITNegGenerator.cpp: Added.
2912         (JSC::JITNegGenerator::generateFastPath):
2913         * jit/JITNegGenerator.h: Added.
2914         (JSC::JITNegGenerator::JITNegGenerator):
2915         (JSC::JITNegGenerator::didEmitFastPath):
2916         (JSC::JITNegGenerator::endJumpList):
2917         (JSC::JITNegGenerator::slowPathJumpList):
2918
2919 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
2920
2921         Address review feedback from Saam.  I should have landed it in r194354.
2922
2923         * b3/testb3.cpp:
2924         (JSC::B3::testStore16Arg):
2925
2926 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
2927
2928         B3 should be able to compile Store16
2929         https://bugs.webkit.org/show_bug.cgi?id=152493
2930
2931         Reviewed by Saam Barati.
2932
2933         This adds comprehensive Store16 support to our assembler, Air, and B3->Air lowering.
2934
2935         * assembler/MacroAssemblerX86Common.h:
2936         (JSC::MacroAssemblerX86Common::store16):
2937         * assembler/X86Assembler.h:
2938         (JSC::X86Assembler::movb_rm):
2939         (JSC::X86Assembler::movw_rm):
2940         * b3/B3LowerToAir.cpp:
2941         (JSC::B3::Air::LowerToAir::lower):
2942         * b3/air/AirOpcode.opcodes:
2943         * b3/testb3.cpp:
2944         (JSC::B3::testStorePartial8BitRegisterOnX86):
2945         (JSC::B3::testStore16Arg):
2946         (JSC::B3::testStore16Imm):
2947         (JSC::B3::testTrunc):
2948         (JSC::B3::run):
2949
2950 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
2951
2952         Unreviewed, remove highBitsAreZero(), it's unused.
2953
2954         * b3/B3LowerToAir.cpp:
2955         (JSC::B3::Air::LowerToAir::run):
2956         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
2957         (JSC::B3::Air::LowerToAir::highBitsAreZero): Deleted.
2958
2959 2015-12-21  Csaba Osztrogonác  <ossy@webkit.org>
2960
2961         Unreviewed, fix the !FTL_USES_B3 build after r194334.
2962
2963         * ftl/FTLLowerDFGToLLVM.cpp: Mark forwarding unused variable.
2964         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2965
2966 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
2967
2968         FTL B3 should do doubleToInt32
2969         https://bugs.webkit.org/show_bug.cgi?id=152484
2970
2971         Reviewed by Saam Barati.
2972
2973         We used to have a DToI32 opcode in B3 that we never implemented. This removes that opcode,
2974         since double-to-int conversion has dramatically different semantics on different
2975         architectures. We let FTL get the conversion instruction it wants by using a patchpoint.
2976
2977         * b3/B3Opcode.cpp:
2978         (WTF::printInternal):
2979         * b3/B3Opcode.h:
2980         * b3/B3Validate.cpp:
2981         * b3/B3Value.cpp:
2982         (JSC::B3::Value::effects):
2983         (JSC::B3::Value::key):
2984         (JSC::B3::Value::typeFor):
2985         * b3/B3ValueKey.cpp:
2986         (JSC::B3::ValueKey::materialize):
2987         * ftl/FTLB3Output.cpp:
2988         (JSC::FTL::Output::Output):
2989         (JSC::FTL::Output::appendTo):
2990         (JSC::FTL::Output::lockedStackSlot):
2991         (JSC::FTL::Output::load):
2992         (JSC::FTL::Output::doublePowi):
2993         (JSC::FTL::Output::hasSensibleDoubleToInt):
2994         (JSC::FTL::Output::doubleToInt):
2995         (JSC::FTL::Output::doubleToUInt):
2996         (JSC::FTL::Output::load8SignExt32):
2997         (JSC::FTL::Output::load8ZeroExt32):
2998         (JSC::FTL::Output::load16SignExt32):
2999         (JSC::FTL::Output::load16ZeroExt32):
3000         (JSC::FTL::Output::store):
3001         (JSC::FTL::Output::store32As8):
3002         (JSC::FTL::Output::store32As16):
3003         (JSC::FTL::Output::branch):
3004         * ftl/FTLB3Output.h:
3005         (JSC::FTL::Output::doubleLog):
3006         (JSC::FTL::Output::signExt32To64):
3007         (JSC::FTL::Output::zeroExt):
3008         (JSC::FTL::Output::zeroExtPtr):
3009         (JSC::FTL::Output::intToDouble):
3010         (JSC::FTL::Output::unsignedToDouble):
3011         (JSC::FTL::Output::castToInt32):
3012         (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
3013         (JSC::FTL::Output::sensibleDoubleToInt): Deleted.
3014         (JSC::FTL::Output::fpToInt32): Deleted.
3015         (JSC::FTL::Output::fpToUInt32): Deleted.
3016         * ftl/FTLLowerDFGToLLVM.cpp:
3017         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithPow):
3018         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
3019         (JSC::FTL::DFG::LowerDFGToLLVM::compileSwitch):
3020         (JSC::FTL::DFG::LowerDFGToLLVM::doubleToInt32):
3021         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
3022         (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32):
3023         * ftl/FTLOutput.h:
3024         (JSC::FTL::Output::hasSensibleDoubleToInt):
3025         (JSC::FTL::Output::doubleToInt):
3026         (JSC::FTL::Output::doubleToUInt):
3027         (JSC::FTL::Output::signExt32To64):
3028         (JSC::FTL::Output::zeroExt):
3029
3030 2015-12-21  Skachkov Oleksandr  <gskachkov@gmail.com>
3031
3032         Unexpected exception assigning to this._property inside arrow function
3033         https://bugs.webkit.org/show_bug.cgi?id=152028
3034
3035         Reviewed by Saam Barati.
3036
3037         The issue appeared in the case where an arrow function created a base-level lexical environment, and in this
3038         case the |this| value was loaded from the wrong scope. The problem was that loading of |this| happened too early
3039         when compiling bytecode because the bytecode generator's scope stack wasn't in sync with the runtime scope stack.
3040         To fix the issue, loading of |this| was moved after initializeDefaultParameterValuesAndSetupFunctionScopeStack
3041         in BytecodeGenerator.cpp.
3042
3043         * bytecompiler/BytecodeGenerator.cpp:
3044         (JSC::BytecodeGenerator::BytecodeGenerator):
3045         * tests/stress/arrowfunction-lexical-bind-this-2.js:
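
        The behaviour the fix above restores, as an added illustration that is not the project's own
        tests/stress/arrowfunction-lexical-bind-this-2.js: a function whose parameter list carries default values
        gets a separate base-level lexical environment, and arrow functions created there (and in the body) must
        still see the enclosing function's |this|. The names Widget, makeCounter and checkLexicalThis are this
        example's own; in strict code a misbound undefined |this| would surface as the TypeError the bug title
        refers to.

```javascript
// Added example (not JavaScriptCore test code). The default-parameter scope is
// what creates the extra lexical environment; the arrow it contains must write
// to the object under construction, not to some other scope's |this|.
function Widget(name, init = () => { this._name = name; this._ready = true; }) {
    init();
    // A second arrow in the body also closes over the same |this|.
    const tag = () => { this._tag = `${name}:${this._ready}`; };
    tag();
}

// Same shape for a method: |this| is the receiver, captured by the arrow
// that the default parameter builds.
function makeCounter() {
    return {
        _count: 0,
        bump(step = 1, apply = () => { this._count += step; }) {
            apply();
            return this._count;
        },
    };
}

// Returns true only if every arrow wrote to the intended object and nothing
// leaked onto the global object.
function checkLexicalThis() {
    const w = new Widget("alpha");
    return w._name === "alpha"
        && w._ready === true
        && w._tag === "alpha:true"
        && !Object.prototype.hasOwnProperty.call(globalThis, "_name");
}

// Returns the counter values after two bumps through the default-parameter arrow.
function bumpTwice() {
    const c = makeCounter();
    return [c.bump(), c.bump(5)];
}
```

        Running checkLexicalThis() and bumpTwice() on an engine with the fix yields true and [1, 6]; an engine
        that loaded |this| from the wrong scope would either throw or leave the properties on the wrong object.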
3046
3047 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
3048
3049         FTL B3 should do vararg calls
3050         https://bugs.webkit.org/show_bug.cgi?id=152468
3051
3052         Reviewed by Benjamin Poulain.
3053
3054         This adds FTL->B3 lowering of all kinds of varargs calls - forwarding or not, tail or not,
3055         and construct or not. Like all other such lowerings, all of the code is in one place in
3056         FTLLower.
3057
3058         I removed code for varargs and exception spill slots from the B3 path, since it won't need
3059         it. The plan is to rely on B3 doing the spilling for us by using some combination of early
3060         clobber and late use.
3061
3062         This adds ValueRep::emitRestore(), a helpful method for emitting code to restore any ValueRep
3063         into any 64-bit Reg (FPR or GPR).
3064
3065         I wrote new tests for vararg calls, because I wasn't sure which of the existing ones we can
3066         run. These are short-running tests, so I'm not worried about bloating our test suite.
3067
3068         * b3/B3ValueRep.cpp:
3069         (JSC::B3::ValueRep::dump):
3070         (JSC::B3::ValueRep::emitRestore):
3071         * b3/B3ValueRep.h:
3072         * ftl/FTLLowerDFGToLLVM.cpp:
3073         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3074         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3075         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
3076         * ftl/FTLState.h:
3077         * tests/stress/varargs-no-forward.js: Added.
3078         * tests/stress/varargs-simple.js: Added.
3079         * tests/stress/varargs-two-level.js: Added.
3080
3081 2015-12-18  Mark Lam  <mark.lam@apple.com>
3082
3083         Add unary operator tests to compare JIT and LLINT results.
3084         https://bugs.webkit.org/show_bug.cgi?id=152453
3085
3086         Reviewed by Benjamin Poulain.
3087
3088         Also fixed a few things in the binary-op-test.js.
3089
3090         * tests/stress/op_negate.js: Added.
3091         (o1.valueOf):
3092         * tests/stress/op_postdec.js: Added.
3093         (o1.valueOf):
3094         * tests/stress/op_postinc.js: Added.
3095         (o1.valueOf):
3096         * tests/stress/op_predec.js: Added.
3097         (o1.valueOf):
3098         * tests/stress/op_preinc.js: Added.
3099         (o1.valueOf):
3100         * tests/stress/resources/binary-op-test.js:
3101         (stringifyIfNeeded):
3102         (isIdentical):
3103         (run):
3104         * tests/stress/resources/unary-op-test.js: Added.
3105         (stringifyIfNeeded):
3106         (generateBinaryTests):
3107         (isIdentical):
3108         (runTest):
3109         (run):
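
        A tier-differential harness in the spirit of the tests above, written here as an added example rather
        than the project's tests/stress/resources/unary-op-test.js: each unary operator is applied to every
        operand once (on a real engine that first run is interpreted) and then repeated enough times that a
        tiering JIT would compile it, and every later result must be identical to the first. The operand list,
        the valueOf-counting object o1, the iteration count and the helper names (stringifyIfNeeded, isIdentical,
        runUnaryTests) are this example's own assumptions.

```javascript
// Added example, not JavaScriptCore's own test resources.
const ITERATIONS = 10000; // constructed: large enough to cross typical tier-up thresholds

// Counting valueOf calls lets the harness also check that each operator
// converts its operand exactly once per evaluation.
let valueOfCalls = 0;
const o1 = { valueOf() { valueOfCalls += 1; return 7; } };

// Constructed operand set: int32 edges, doubles, NaN/Infinity, strings that
// parse and strings that don't, booleans, null/undefined, objects.
const operands = [
    0, -0, 1, -1, 0x7fffffff, -0x80000000, 0x80000000, 2 ** 53, 1.5, NaN,
    Infinity, -Infinity, "", "3", "0x10", " 4 ", "abc", true, false, null,
    undefined, [], [2], {}, o1,
];

// ++/-- need a mutable place, so they operate on a fresh one-slot object.
const operators = {
    negate:  (v) => -v,
    plus:    (v) => +v,
    bitnot:  (v) => ~v,
    not:     (v) => !v,
    preinc:  (v) => { const x = { v }; return ++x.v; },
    predec:  (v) => { const x = { v }; return --x.v; },
    postinc: (v) => { const x = { v }; return x.v++; },
    postdec: (v) => { const x = { v }; return x.v--; },
};

// NaN !== NaN and -0 === 0, so compare through a canonical string form that
// distinguishes -0 and keeps string operands quoted.
function stringifyIfNeeded(x) {
    if (typeof x === "number") return Object.is(x, -0) ? "-0" : String(x);
    if (typeof x === "string") return JSON.stringify(x);
    return String(x);
}

function isIdentical(a, b) {
    return stringifyIfNeeded(a) === stringifyIfNeeded(b);
}

// Runs every operator over every operand ITERATIONS times. Returns the list of
// mismatches (empty when all tiers agreed) and the number of valueOf calls made.
function runUnaryTests() {
    valueOfCalls = 0;
    const failures = [];
    for (const [name, op] of Object.entries(operators)) {
        for (const v of operands) {
            const first = op(v);
            for (let i = 1; i < ITERATIONS; i++) {
                const later = op(v);
                if (!isIdentical(first, later)) {
                    failures.push(`${name}(${stringifyIfNeeded(v)}): `
                        + `${stringifyIfNeeded(first)} vs ${stringifyIfNeeded(later)}`);
                    break;
                }
            }
        }
    }
    return { failures, valueOfCalls };
}
```

        Seven of the eight operators perform ToNumeric on o1 (logical not does not), so a clean run reports no
        failures and exactly 7 * ITERATIONS valueOf calls; a tier that converted the operand twice, or produced
        -0 where the interpreter produced 0, shows up as a failure line naming the operator and operand.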
3110
3111 2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>
3112
3113         Unreviewed, rolling out r194328.
3114
3115         This change appears to have caused failures in JSC tests
3116
3117         Reverted changeset:
3118
3119         "[INTL] Implement String.prototype.localeCompare in ECMA-402"
3120         https://bugs.webkit.org/show_bug.cgi?id=147607
3121         http://trac.webkit.org/changeset/194328
3122
3123 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
3124
3125         B3->Air lowering incorrectly copy-propagates over ZExt32's
3126         https://bugs.webkit.org/show_bug.cgi?id=152365
3127
3128         Reviewed by Benjamin Poulain.
3129
3130         The instruction selector thinks that Value's that return Int32's are going to always be lowered
3131         to instructions that zero-extend the destination. But this isn't actually true. If you have an
3132         Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
3133         filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
3134         garbage in the high bits.
3135
3136         The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
3137         pretty sad bug, but:
3138
3139         - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
3140           ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
3141           harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
3142           "i" is a 32-bit integer that is computed using operations that already do zero-extension.
3143
3144         - More broadly, it's strange that the instruction selector decides whether a Value will be
3145           lowered to something that zero-extends. That's too constraining, since the most optimal
3146           instruction selection might involve something that doesn't zero-extend in cases of spilling, so
3147           the zero-extension should only happen if it's actually needed. This means that we need to
3148           understand which Air instructions cause zero-extensions.
3149
3150         - If we know which Air instructions cause zero-extensions, then we don't need the instruction
3151           selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
3152           allocator.
3153
3154         In fact, the register allocator is exactly where all of the pieces come together. It's there that
3155         we want to know which operations zero-extend and which don't. It also wants to know how many bits
3156         of a Tmp each instruction reads. Armed with that information, the register allocator can emit
3157         more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
3158         on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.
3159
3160         This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
3161         V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
3162         appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
3163         could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
3164         registers, and then have it emit spill code around the call itself. LLVM probably gets this
3165         optimization from its live range splitting.
3166
3167         I tried writing a regression test. The problem is that you need garbage on the stack for this to
3168         work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
3169         this, so we do have coverage.
3170
3171         * CMakeLists.txt:
3172         * JavaScriptCore.xcodeproj/project.pbxproj:
3173         * assembler/AbstractMacroAssembler.h:
3174         (JSC::isX86):
3175         (JSC::isX86_64):
3176         (JSC::optimizeForARMv7IDIVSupported):
3177         (JSC::optimizeForX86):
3178         (JSC::optimizeForX86_64):
3179         * b3/B3LowerToAir.cpp:
3180         (JSC::B3::Air::LowerToAir::highBitsAreZero):
3181         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
3182         (JSC::B3::Air::LowerToAir::lower):
3183         * b3/B3PatchpointSpecial.cpp:
3184         (JSC::B3::PatchpointSpecial::forEachArg):
3185         * b3/B3StackmapSpecial.cpp:
3186         (JSC::B3::StackmapSpecial::forEachArgImpl):
3187         * b3/B3Value.h:
3188         * b3/air/AirAllocateStack.cpp:
3189         (JSC::B3::Air::allocateStack):
3190         * b3/air/AirArg.cpp:
3191         (WTF::printInternal):
3192         * b3/air/AirArg.h:
3193         (JSC::B3::Air::Arg::pointerWidth):
3194         (JSC::B3::Air::Arg::isAnyUse):
3195         (JSC::B3::Air::Arg::isColdUse):
3196         (JSC::B3::Air::Arg::isEarlyUse):
3197         (JSC::B3::Air::Arg::isDef):
3198         (JSC::B3::Air::Arg::isZDef):
3199         (JSC::B3::Air::Arg::widthForB3Type):
3200         (JSC::B3::Air::Arg::conservativeWidth):
3201         (JSC::B3::Air::Arg::minimumWidth):
3202         (JSC::B3::Air::Arg::bytes):
3203         (JSC::B3::Air::Arg::widthForBytes):
3204         (JSC::B3::Air::Arg::Arg):
3205         (JSC::B3::Air::Arg::forEachTmp):
3206         * b3/air/AirCCallSpecial.cpp:
3207         (JSC::B3::Air::CCallSpecial::forEachArg):
3208         * b3/air/AirEliminateDeadCode.cpp:
3209         (JSC::B3::Air::eliminateDeadCode):
3210         * b3/air/AirFixPartialRegisterStalls.cpp:
3211         (JSC::B3::Air::fixPartialRegisterStalls):
3212         * b3/air/AirInst.cpp:
3213         (JSC::B3::Air::Inst::hasArgEffects):
3214         * b3/air/AirInst.h:
3215         (JSC::B3::Air::Inst::forEachTmpFast):
3216         (JSC::B3::Air::Inst::forEachTmp):
3217         * b3/air/AirInstInlines.h:
3218         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
3219         * b3/air/AirIteratedRegisterCoalescing.cpp:
3220         * b3/air/AirLiveness.h:
3221         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
3222         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
3223         * b3/air/AirOpcode.opcodes:
3224         * b3/air/AirSpillEverything.cpp:
3225         (JSC::B3::Air::spillEverything):
3226         * b3/air/AirTmpWidth.cpp: Added.
3227         (JSC::B3::Air::TmpWidth::TmpWidth):
3228         (JSC::B3::Air::TmpWidth::~TmpWidth):
3229         * b3/air/AirTmpWidth.h: Added.
3230         (JSC::B3::Air::TmpWidth::width):
3231         (JSC::B3::Air::TmpWidth::defWidth):
3232         (JSC::B3::Air::TmpWidth::useWidth):
3233         (JSC::B3::Air::TmpWidth::Widths::Widths):
3234         * b3/air/AirUseCounts.h:
3235         (JSC::B3::Air::UseCounts::UseCounts):
3236         * b3/air/opcode_generator.rb:
3237         * b3/testb3.cpp:
3238         (JSC::B3::testCheckMegaCombo):
3239         (JSC::B3::testCheckTrickyMegaCombo):
3240         (JSC::B3::testCheckTwoMegaCombos):
3241         (JSC::B3::run):
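
        A simulation of the width hazard described above, added here as an example and not B3 or Air code: a
        32-bit define whose destination was spilled writes only the low 4 bytes of an 8-byte slot, and a filler
        that reloads the whole slot as 64 bits picks up whatever the upper half already held. The garbage pattern,
        the little-endian layout and the function names are this example's own assumptions.

```javascript
// Added example (not JavaScriptCore code): models one spill slot as an 8-byte
// buffer and contrasts a full-width reload with a zero-extending 32-bit reload.
const SLOT_BYTES = 8;

// Stack slots are never cleared between uses, so pre-fill the slot with a
// constructed garbage pattern in its upper half.
function makeDirtySlot(garbage = 0xdeadbeefn << 32n) {
    const view = new DataView(new ArrayBuffer(SLOT_BYTES));
    view.setBigUint64(0, garbage, true);
    return view;
}

// Add32 with a spilled destination: a 4-byte store of the 32-bit sum
// (little-endian, as on x86), leaving bytes 4..7 untouched.
function spillAdd32(slot, a, b) {
    slot.setUint32(0, (a + b) >>> 0, true);
}

// The buggy filler: reloads all 8 bytes as one 64-bit value.
function reload64(slot) {
    return slot.getBigUint64(0, true);
}

// The correct filler for a 32-bit def: 4-byte load, zero-extended to 64 bits.
function reload32ZeroExtend(slot) {
    return BigInt(slot.getUint32(0, true));
}

// "i = a + b" computed with Add32, spilled, then reloaded by the given filler
// for use as a pointer-width index.
function indexAfterSpill(a, b, reload) {
    const slot = makeDirtySlot();
    spillAdd32(slot, a, b);
    return reload(slot);
}
```

        With reload64 the index 5 + 7 comes back as 0xdeadbeef0000000c, which as an array index points far
        outside any backing store; with reload32ZeroExtend it is 12, and the wrapped case 0xffffffff + 1 is 0.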
3242
3243 2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>
3244
3245         [INTL] Implement String.prototype.localeCompare in ECMA-402
3246         https://bugs.webkit.org/show_bug.cgi?id=147607
3247
3248         Reviewed by Darin Adler.
3249
3250         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
3251         Keep existing native implementation for use if INTL flag is disabled.
3252
3253         * CMakeLists.txt:
3254         * DerivedSources.make:
3255         * JavaScriptCore.xcodeproj/project.pbxproj:
3256         * builtins/StringPrototype.js: Added.
3257         (localeCompare):
3258         * runtime/StringPrototype.cpp:
3259         (JSC::StringPrototype::finishCreation):
3260
3261 2015-12-18  Filip Pizlo  <fpizlo@apple.com>
3262
3263         Implement compareDouble in B3/Air
3264         https://bugs.webkit.org/show_bug.cgi?id=150903
3265
3266         Reviewed by Benjamin Poulain.
3267
3268         A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
3269         crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
3270         but we can't guarantee that this will always happen.
3271
3272         This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
3273         a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
3274         magnitude.
3275
3276         * assembler/MacroAssembler.h:
3277         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
3278         (JSC::MacroAssembler::compareDouble):
3279         (JSC::MacroAssembler::compareFloat):
3280         (JSC::MacroAssembler::lea):
3281         * b3/B3Dominators.h:
3282         (JSC::B3::Dominators::Dominators):
3283         * b3/B3LowerToAir.cpp:
3284         (JSC::B3::Air::LowerToAir::createCompare):
3285         (JSC::B3::Air::LowerToAir::lower):
3286         * b3/air/AirOpcode.opcodes:
3287         * b3/testb3.cpp:
3288         (JSC::B3::testCompare):
3289         (JSC::B3::testEqualDouble):
3290         (JSC::B3::simpleFunction):
3291         (JSC::B3::run):
3292         * dfg/DFGDominators.h:
3293         (JSC::DFG::Dominators::Dominators):
3294
3295 2015-12-19  Dan Bernstein  <mitz@apple.com>
3296
3297         [Mac] WebKit contains dead source code for OS X Mavericks and earlier
3298         https://bugs.webkit.org/show_bug.cgi?id=152462
3299
3300         Reviewed by Alexey Proskuryakov.
3301
3302         - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
3303           that became uniform across all OS X versions as a result:
3304
3305         * Configurations/DebugRelease.xcconfig:
3306         * Configurations/FeatureDefines.xcconfig:
3307         * Configurations/Version.xcconfig:
3308
3309         * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
3310
3311 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
3312
3313         [JSC] Streamline Tmp indexing inside the register allocator
3314         https://bugs.webkit.org/show_bug.cgi?id=152420
3315
3316         Reviewed by Filip Pizlo.
3317
3318         AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.
3319
3320         When it started, every map addressed by Tmp was using Tmp hashing.
3321         That caused massive performance problems. Everything perf sensitive was moved
3322         to direct array addressing by the absolute Tmp index. This left the code
3323         with half of the function using Tmp, the other half using indices.
3324
3325         With this patch, almost everything is moved to absolute indexing.
3326         There are a few advantages to this:
3327         -No more conversion churn for Floating Point registers.
3328         -Most of the functions can now be shared between GP and FP.
3329         -A bit of clean up since the core algorithm only deals with integers now.
3330
3331         This patch also changes the index type to be a template argument.
3332         That will allow future specialization of "m_interferenceEdges" based
3333         on the expected problem size.
3334
3335         Finally, the code related to the program modification (register assignment
3336         and spilling) was moved to the wrapper "IteratedRegisterCoalescing".
3337
3338         The current split is:
3339         -AbstractColoringAllocator: common core. Share as much as possible between
3340          GP and FP.
3341         -ColoringAllocator: the remaining parts of the algorithm, everything that
3342          is specific to GP, FP.
3343         -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
3344          Try to allocate and modify the code as needed.
3345
3346         The long term plan is:
3347         -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
3348         -Specialize m_interferenceEdges to make it faster.
3349
3350         * b3/air/AirIteratedRegisterCoalescing.cpp:
3351         * b3/air/AirTmpInlines.h:
3352         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
3353         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
3354
3355 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
3356
3357         [JSC] FTLB3Output generates some invalid ZExt32
3358         https://bugs.webkit.org/show_bug.cgi?id=151905
3359
3360         Reviewed by Filip Pizlo.
3361
3362         FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
3363         We were generating ZExt32 with Int32 as return type :(
3364
3365         * ftl/FTLB3Output.h:
3366         (JSC::FTL::Output::zeroExt):
3367
3368 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
3369
3370         [JSC] Add EqualOrUnordered to B3
3371         https://bugs.webkit.org/show_bug.cgi?id=152425
3372
3373         Reviewed by Mark Lam.
3374
3375         Add EqualOrUnordered to B3 and use it to implement
3376         FTL::Output's NotEqualAndOrdered.
3377
3378         * b3/B3ConstDoubleValue.cpp:
3379         (JSC::B3::ConstDoubleValue::equalOrUnordered):
3380         * b3/B3ConstDoubleValue.h:
3381         * b3/B3LowerToAir.cpp:
3382         (JSC::B3::Air::LowerToAir::createGenericCompare):
3383         (JSC::B3::Air::LowerToAir::lower):
3384         * b3/B3Opcode.cpp:
3385         (WTF::printInternal):
3386         * b3/B3Opcode.h:
3387         * b3/B3ReduceDoubleToFloat.cpp:
3388         (JSC::B3::reduceDoubleToFloat):
3389         * b3/B3ReduceStrength.cpp:
3390         * b3/B3Validate.cpp:
3391         * b3/B3Value.cpp:
3392         (JSC::B3::Value::equalOrUnordered):