Web Inspector: Add Heap domain start/stop tracking commands

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Heap domain start/stop tracking commands
        https://bugs.webkit.org/show_bug.cgi?id=155190

        Reviewed by Brian Burg.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorHeapAgent::startTracking):
        (Inspector::InspectorHeapAgent::stopTracking):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/protocol/Heap.json:

2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a way to create a Heap Snapshot
        https://bugs.webkit.org/show_bug.cgi?id=155188

        Reviewed by Brian Burg.

        * inspector/agents/InspectorHeapAgent.h:
        * inspector/protocol/Heap.json:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::snapshot):
        Take a heap snapshot and return the JSON string result.

        * inspector/protocol/Debugger.json:
        Remove unused optional inferredName. Our displayName would be inferred.

2016-03-08  Oliver Hunt  <oliver@apple.com>

        Fix ios bot build.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):

2016-03-08  Mark Lam  <mark.lam@apple.com>

        Implement Function.name support for getters/setters and inferring name of function properties.
        https://bugs.webkit.org/show_bug.cgi?id=154865

        Rubber-stamped by Joseph Pecoraro.

        Follow up to the fix for this bug: adding a few small clean-ups for issues Joe
        pointed out in the bug.

        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::JSBoundSlotBaseFunction::create):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):

2016-03-08  Oliver Hunt  <oliver@apple.com>

        Start moving to separated writable and executable mappings in the JIT
        https://bugs.webkit.org/show_bug.cgi?id=155178

        Reviewed by Fil Pizlo.

        Start moving to a separate writable and executable heap for the various
        JITs.

        As part of our work to harden the JIT against various attacks, we're
        moving away from our current RWX heap and on to using separate RW and X
        mappings. This means that simply leaking the location of the executable
        mapping is not sufficient to compromise JSC, so we can continue to
        use direct executable pointers in our GC objects (which we need for
        performance), but keep the writable pointer in only a single location
        so that we are less likely to leak the address. To further obscure the
        address of the writable region we place it in an execute only region
        of memory so that it is not possible to read the location from 
        anywhere. That means an attacker must have at least partial control
        of PC (to call jitMemCopy) before they can start to attack the JIT.

        This work is initially ARM64 only, as we use as the jitMemCopy is
        currently specific to that platform's calling conventions and layout.
        We're just landing it in the current form so that we can at least
        ensure it doesn't regress.

        * Configurations/FeatureDefines.xcconfig:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::ldp):
        (JSC::ARM64Assembler::ldnp):
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::stp):
        (JSC::ARM64Assembler::stnp):
        (JSC::ARM64Assembler::replaceWithJump):
        (JSC::ARM64Assembler::replaceWithLoad):
        (JSC::ARM64Assembler::replaceWithAddressComputation):
        (JSC::ARM64Assembler::setPointer):
        (JSC::ARM64Assembler::repatchInt32):
        (JSC::ARM64Assembler::repatchCompact):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::sub64):
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::loadPair64):
        (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::storePair64):
        (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchAdd64):
        (JSC::MacroAssemblerARM64::branchSub64):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-03-08  Mark Lam  <mark.lam@apple.com>

        Implement Function.name support for getters/setters and inferring name of function properties.
        https://bugs.webkit.org/show_bug.cgi?id=154865

        Reviewed by Geoffrey Garen.

        1. toString() no longer uses the value of Function.name as the name of the
           function in the returned string, because ...

            i. Function.name is supposed to be configurable.  Hence, it can be made
               writable and can be set to any JSValue, or deleted.
           ii. Function.prototype.toString() is supposed to produce a string that can be
               eval'ed.  Hence, for JS functions, the function name in the produced
               string must be a legal function name (and not some arbitrary value set in
               Function.name).  For example, while a number is a legal value for
               Function.name, it is not legal as the function name in the toString()
               string.

           Instead, we'll always use the original name from the JS source that the
           function was parsed from.

        2. JSFunction::name() now always return the original name, not the value of
           the Function.name property.  As a result, it also no longer needs an
           ExecState* arg.

           If the original name is an empty string, JSFunction::name() will use the
           inferred name.

        3. For JS functions, the original name can be attained from their
           FunctionExecutable object.

           For host/native functions (which do not have a FunctionExecutable), we get the
           "original" name from its NativeExecutable.

        4. The m_hostFunctionStubMap now keys its NativeExecutable pointers using the
           original name, in addition to the native function and constructor pointers.

           This is needed because we want a different NativeExecutable for functions with
           a different name (to satisfy (3) above).

        5. Changed JSBoundFunction to store the name of its bound function in its
           NativeExecutable.  This will later be used to generate the toString() string.
           It's Function.name value is eagerly initialized at construction time.

        6. Function.name for getters/setters are now prefixed with "get"/"set".
           This was done both for the JSBoundSlotBaseFunctions and JS definable get/set
           functions.

        7. Added InternalFunction::m_originalName so that we can use it to generate the
           toString() string.  We're storing it as a JSString instead of a WTF::String
           only because we want InternalFunction to be continue to be trivially
           destructible.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::finalize):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * runtime/Executable.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::displayName):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::visitChildren):
        (JSC::JSBoundFunction::toStringName): Deleted.
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::boundSlotBaseFunctionCall):
        (JSC::JSBoundSlotBaseFunction::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::name):
        (JSC::JSFunction::displayName):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::reifyName):
        * runtime/JSFunction.h:
        * tests/es6.yaml:

2016-03-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197793 and r197799.
        https://bugs.webkit.org/show_bug.cgi?id=155195

        something weird happened while landing this and everything
        broke (Requested by olliej on #webkit).

        Reverted changesets:

        "Start moving to separated writable and executable mappings in
        the JIT"
        https://bugs.webkit.org/show_bug.cgi?id=155178
        http://trac.webkit.org/changeset/197793

        "arm64 build fix after r197793."
        http://trac.webkit.org/changeset/197799

2016-03-08  Alex Christensen  <achristensen@webkit.org>

        arm64 build fix after r197793.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        Use consistent ENABLE macro.  It looks like it was partially renamed.

2016-03-08  Filip Pizlo  <fpizlo@apple.com>

        Regexp matching should incur less call overhead
        https://bugs.webkit.org/show_bug.cgi?id=155181

        Reviewed by Geoffrey Garen.

        Previously we had DFG/FTL code call into the DFGOperation, which then called in to
        RegExpObject, which then called into createRegExpMatchesArray, which then called into
        RegExp, which then called the code generated by Yarr.

        Now we have DFG/FTL code call into the DFGOperation, which does all of the things and calls
        into code generated by Yarr.

        This is another tiny Octane/regexp speed-up.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::deleteCode):
        (JSC::RegExpFunctionalTestCollector::clearRegExp): Deleted.
        (JSC::RegExp::compileIfNecessary): Deleted.
        (JSC::RegExp::compileIfNecessaryMatchOnly): Deleted.
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h: Added.
        (JSC::RegExpFunctionalTestCollector::clearRegExp):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::matchInline):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        (JSC::createStructureImpl):
        (JSC::tryCreateUninitializedRegExpMatchesArray): Deleted.
        (JSC::createRegExpMatchesArray): Deleted.
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::put):
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        (JSC::getLastIndexAsUnsigned): Deleted.
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::getLastIndex):
        (JSC::RegExpObject::test):
        (JSC::RegExpObject::testInline):
        * runtime/RegExpObjectInlines.h: Added.
        (JSC::getRegExpObjectLastIndexAsUnsigned):
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):

2016-03-08  Mark Lam  <mark.lam@apple.com>

        synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
        https://bugs.webkit.org/show_bug.cgi?id=155169

        Reviewed by Geoffrey Garen.

        With the exception checks, we may end up throwing new exceptions over an existing
        one that has been thrown but not handled yet, thereby obscuring it.  It may also
        mean that the VM will continue running on potentially unstable state, which may
        have undesirable consequences.

        I first observed this in some failed assertion while running tests on a patch for
        https://bugs.webkit.org/show_bug.cgi?id=154865.

        Performance is neutral with this patch (tested on x86_64).

        1. Deleted JSNotAnObject, and removed all uses of it.

        2. Added exception checks, when needed, following calls to synthesizePrototype()
           and JSValue::toObject().

           The cases that do not need an exception check are the ones that already ensures
           that JSValue::toObject() is only called on a value that is convertible to an
           object.  In those cases, I added an assertion that no exception was thrown
           after the call.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStackFromException):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::arrayProtoFuncValues):
        (JSC::arrayProtoFuncEntries):
        (JSC::arrayProtoFuncKeys):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ExceptionHelpers.cpp:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::toThisSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        * runtime/JSNotAnObject.cpp: Removed.
        * runtime/JSNotAnObject.h: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncToString):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2016-03-08  Oliver Hunt  <oliver@apple.com>

        Start moving to separated writable and executable mappings in the JIT
        https://bugs.webkit.org/show_bug.cgi?id=155178

        Reviewed by Filip Pizlo.

        Start moving to a separate writable and executable heap for the various
        JITs.

        As part of our work to harden the JIT against various attacks, we're
        moving away from our current RWX heap and on to using separate RW and X
        mappings. This means that simply leaking the location of the executable
        mapping is not sufficient to compromise JSC, so we can continue to
        use direct executable pointers in our GC objects (which we need for
        performance), but keep the writable pointer in only a single location
        so that we are less likely to leak the address. To further obscure the
        address of the writable region we place it in an execute only region
        of memory so that it is not possible to read the location from 
        anywhere. That means an attacker must have at least partial control
        of PC (to call jitMemCopy) before they can start to attack the JIT.

        This work is initially ARM64 only, as we use as the jitMemCopy is
        currently specific to that platform's calling conventions and layout.
        We're just landing it in the current form so that we can at least
        ensure it doesn't regress.

        * Configurations/FeatureDefines.xcconfig:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::ldp):
        (JSC::ARM64Assembler::ldnp):
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::stp):
        (JSC::ARM64Assembler::stnp):
        (JSC::ARM64Assembler::replaceWithJump):
        (JSC::ARM64Assembler::replaceWithLoad):
        (JSC::ARM64Assembler::replaceWithAddressComputation):
        (JSC::ARM64Assembler::setPointer):
        (JSC::ARM64Assembler::repatchInt32):
        (JSC::ARM64Assembler::repatchCompact):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::sub64):
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::loadPair64):
        (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::storePair64):
        (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchAdd64):
        (JSC::MacroAssemblerARM64::branchSub64):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-03-08  Michael Saboff  <msaboff@apple.com>

        [ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt
        https://bugs.webkit.org/show_bug.cgi?id=155114

        Reviewed by Darin Adler.

        Extracted out the Unicode canonicalization table creation from
        YarrCanonicalizeUnicode.js into a new Python script, generateYarrCanonicalizeUnicode.
        That script generates the Unicode tables as the file YarrCanonicalizeUnicode.cpp in
        DerivedSources/JavaScriptCore.

        Updated the processing of ignore case to make the ASCII short cuts dependent on whether
        or not we are a Unicode pattern.

        Renamed yarr/YarrCanonicalizeUnicode.{cpp,js} back to their prior names,
        YarrCanonicalizeUCS2.{cpp,js}.
        Renamed yarr/YarrCanonicalizeUnicode.h to YarrCanonicalize.h as it declares both the
        legacy UCS2 and Unicode tables.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * generateYarrCanonicalizeUnicode: Added.
        * ucd: Added.
        * ucd/CaseFolding.txt: Added.  The current verion, 8.0, of the Unicode CaseFolding table.
        * yarr/YarrCanonicalizeUCS2.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.cpp.
        * yarr/YarrCanonicalize.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.h.
        * yarr/YarrCanonicalizeUCS2.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.js.
        (printHeader):
        * yarr/YarrCanonicalizeUnicode.cpp: Removed.
        * yarr/YarrCanonicalizeUnicode.h: Removed.
        * yarr/YarrCanonicalizeUnicode.js: Removed.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
        * yarr/YarrJIT.cpp:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putChar):

2016-03-08  Andreas Kling  <akling@apple.com>

        WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits.
        <https://webkit.org/b/155154>

        Reviewed by Darin Adler.

        Reorder the checks in WeakBlock::visit() so we don't look at the mark bits in MarkedBlock
        unless the current WeakImpl has a WeakHandleOwner we need to consult.

        I was originally hoping to make an optimization that could skip over entire WeakBlocks
        if they didn't have a single WeakHandleOwner, but it turns out that scenario is not as
        common as I suspected.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visit):

2016-03-07  Saam barati  <sbarati@apple.com>

        [ES6] Implement revocable proxies
        https://bugs.webkit.org/show_bug.cgi?id=154321

        Reviewed by Mark Lam.

        This patch is a straight forward implementation of Proxy.revocable
        with respect to section 26.2.2.1 of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy.revocable

        This patch also fixes a bug in Proxy where we
        were incorrectly caching "in", i.e, `"x" in proxy`.
        We should never blatantly cache this because caching is observable
        behavior by users of the language. We could come up with
        a smarter caching scheme that caches only if the Proxy's
        handler doesn't have a "has" property, i.e, we don't have
        to call out to JS code. But for now, it's easiest to disable
        caching.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::moduleRecordStructure):
        (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
        (JSC::JSGlobalObject::proxyObjectStructure):
        (JSC::JSGlobalObject::proxyRevokeStructure):
        (JSC::JSGlobalObject::wasmModuleStructure):
        * runtime/ProxyConstructor.cpp:
        (JSC::ProxyConstructor::create):
        (JSC::ProxyConstructor::ProxyConstructor):
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::ProxyConstructor::finishCreation):
        (JSC::constructProxyObject):
        * runtime/ProxyConstructor.h:
        (JSC::ProxyConstructor::createStructure):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        (JSC::ProxyObject::getPrototype):
        (JSC::ProxyObject::revoke):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        * runtime/ProxyRevoke.cpp: Added.
        (JSC::ProxyRevoke::create):
        (JSC::ProxyRevoke::ProxyRevoke):
        (JSC::ProxyRevoke::finishCreation):
        (JSC::performProxyRevoke):
        (JSC::ProxyRevoke::getCallData):
        (JSC::ProxyRevoke::visitChildren):
        * runtime/ProxyRevoke.h: Added.
        (JSC::ProxyRevoke::createStructure):
        (JSC::ProxyRevoke::proxy):
        (JSC::ProxyRevoke::setProxyToNull):
        * tests/stress/proxy-has-property.js:
        (assert):
        (assert.let.handler.has):
        (assert.let.foo):
        * tests/stress/proxy-revoke.js: Added.
        (assert):
        (throw.new.Error.):
        (throw.new.Error):
        (callAllHandlers):
        (shouldThrowNullHandler):
        (allHandlersShouldThrow):
        (i.let.trap.of.traps.trap.string_appeared_here.func):
        (i.let.trap.of.traps.else.func):
        (i.Proxy.revocable):

2016-03-07  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the ARM build after r197687
        https://bugs.webkit.org/show_bug.cgi?id=155128

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveZeroToDouble):

2016-03-07  Filip Pizlo  <fpizlo@apple.com>

        Reduce the number of instructions needed to record the last regexp result
        https://bugs.webkit.org/show_bug.cgi?id=155161

        Reviewed by Sam Weinig.

        This tightens up RegExpCachedResult::record(). My profiling shows that we spend just
        over 1% of the time in Octane/regexp in this function. This function had two obvious
        redundancies:

        1) It executed the write barrier on owner twice. It only needs to execute it once. Since
           the same RegExpConstructor is likely to be used many times, it makes sense to do the
           barrier without looking at the 'to' objects at all. In steady state, this means that
           the RegExpConstructor will simply be OldGrey so this one barrier will always skip the
           slow path.

        2) It cleared some fields that didn't need to be cleared, since we can just use
           m_reified to indicate that the fields are not meaningful anymore.

        This is meant to be a microscopic regexp speed-up.

        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::visitChildren):
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::record):

2016-03-07  Filip Pizlo  <fpizlo@apple.com>

        createRegExpMatchesArray should allocate substrings more quickly
        https://bugs.webkit.org/show_bug.cgi?id=155160

        Reviewed by Sam Weinig.

        This was calling a version of jsSubstring() that isn't inlineable because it was doing a lot
        of checks in finishCreation(). In particular, it was checking that the base string is not
        itself a substring and that it's been resolved. We don't need those checks here, since the
        string must have been resolved prior to regexp processing.

        This patch is also smart about whether to do checks for the empty and full substrings. In
        the matches array loop, these checks are super unlikely to be profitable, so we just
        unconditionally allocate the substring.

        This removes those checks and makes the allocation inlineable. It looks like a 1% speed-up
        on Octane/regexp.

        * runtime/JSString.h:
        (JSC::jsSubstring):
        (JSC::jsSubstringOfResolved):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createRegExpMatchesArray):

2016-03-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Small clean up of how we use SSA's valuesAtHead
        https://bugs.webkit.org/show_bug.cgi?id=155152

        Reviewed by Filip Pizlo.

        liveAtHead and valuesAtHead contain the same nodes,
        we do not need the extra look up.

        This also opens the way to use the same kind of liveness
        analysis as Air (where live values at head do not use a set).

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::merge):

2016-03-07  Brian Burg  <bburg@apple.com>

        Web Inspector: the protocol generator should generate factory method stubs for protocol types
        https://bugs.webkit.org/show_bug.cgi?id=155103
        <rdar://problem/25002772>

        Reviewed by Timothy Hatcher.

        Generate stubs with unique names so that parsing methods can be used
        reflectively at runtime, based on the protocol version that's loaded.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        Added. For each type in a domain, add a method of the form
        -[ProtocolTypeConversions _parseXXX:fromPayload]. This is in a category
        method, and the selector is only ever looked up at runtime.

        (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):

        Rebaseline test results with new generator output.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-07  Filip Pizlo  <fpizlo@apple.com>

        RegExp.prototype.exec() should call into Yarr at most once
        https://bugs.webkit.org/show_bug.cgi?id=155139

        Reviewed by Saam Barati.

        For apparently no good reason, RegExp.prototype.match() was calling into Yarr twice, almost
        as if it was hoping that the non-matching case was so common that it was best to have the
        matching case do the work all over again.

        This is a 4% speed-up on Octane/regexp. It's also a matter of common sense: we should not be
        in the business of presuming whether someone's match will succeed or fail. The increased
        cost of running Yarr twice is so much larger than whatever savings we were getting from
        running a match-only regexp that this is just not a good overall deal for the engine.

        Also, it's interesting that we are seeing a 4% speed-up on regexp despite the fact that a
        majority (almost a supermajority, I think) of calls into RegExp.prototype.match() are failed
        matches. So, this change is a 4% speed-up despite being a slow down on the common case. That
        tells you just how bad the old behavior was on the uncommon case.

        * runtime/MatchResult.h:
        (MatchResult::MatchResult):
        (MatchResult::failed):
        (MatchResult::operator bool):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
        (JSC::RegExpConstructor::performMatch):
        (JSC::RegExpConstructor::recordMatch):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createRegExpMatchesArray):
        (JSC::createEmptyRegExpMatchesArray):
        (JSC::createStructureImpl):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::put):
        (JSC::getLastIndexAsUnsigned):
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::getLastIndex):
        (JSC::RegExpObject::test):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):

2016-03-07  Joseph Pecoraro  <pecoraro@apple.com>

        Heap Snapshot should include different Edge types and data (Property, Index, Variable)
        https://bugs.webkit.org/show_bug.cgi?id=154937

        Reviewed by Geoffrey Garen.

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendHidden):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendHidden):
        (JSC::SlotVisitor::appendValuesHidden):
        Add new visit methods to visit a reference without snapshotting the edge.

        * heap/Heap.cpp:
        (JSC::AddExtraHeapSnapshotEdges::AddExtraHeapSnapshotEdges):
        (JSC::AddExtraHeapSnapshotEdges::operator()):
        (JSC::Heap::addHeapSnapshotEdges):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::collectImpl):
        * heap/Heap.h:
        After marking, visit the live cells for a chance to record extra
        heap snapshotting information about the cell.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::appendNode):
        (JSC::HeapSnapshotBuilder::appendEdge):
        (JSC::HeapSnapshotBuilder::appendPropertyNameEdge):
        (JSC::HeapSnapshotBuilder::appendVariableNameEdge):
        (JSC::HeapSnapshotBuilder::appendIndexEdge):
        (JSC::HeapSnapshotBuilder::json):
        * heap/HeapSnapshotBuilder.h:
        (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
        Construct edges with extra data.

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::heapSnapshot):
        * runtime/JSCell.h:
        Add a new method to provide cells with an opportunity to provide
        extra heap snapshotting information.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::heapSnapshot):
        (JSC::JSFinalObject::visitChildren):
        * runtime/JSObject.h:
        Capture object property names and index names when heap snapshotting.
        Do not include them as internal edges in normal visitChildren.

        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        (JSC::JSEnvironmentRecord::heapSnapshot):
        * runtime/JSEnvironmentRecord.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::heapSnapshot):
        * runtime/JSSegmentedVariableObject.h:
        Capture scope variable names when heap snapshotting.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):
        When performing a heap snapshotting collection, don't clear the
        property table so that accessing the table during this GC is okay.

        * tests/heapProfiler/driver/driver.js:
        * tests/heapProfiler/property-edge-types.js: Added.
        * tests/heapProfiler/variable-edge-types.js: Added.
        Tests covering the different edge types and data we capture.

2016-03-07  Saam barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[GetPrototypeOf]]
        https://bugs.webkit.org/show_bug.cgi?id=155099

        Reviewed by Mark Lam.

        This patch is a straight forward implementation of Proxy.[[GetPrototypeOf]]
        with respect to section 9.5.1 of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-getprototypeof

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::setPrototype):
        (JSC::ProxyObject::performGetPrototype):
        (JSC::ProxyObject::getPrototype):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-get-prototype-of.js: Added.
        (assert):
        (throw.new.Error.let.handler.get getPrototypeOf):
        (throw.new.Error.get let):
        (throw.new.Error.get catch):
        (throw.new.Error):
        (assert.let.handler.getPrototypeOf):
        (assert.get let):
        (assert.get catch):
        (assert.):
        (let.handler.getPrototypeOf):
        (get let):
        (let.handler.has):

2016-03-07  Brian Burg  <bburg@apple.com>

        Web Inspector: rename generated *EnumConversionHelpers.h to *TypeConversions.h
        https://bugs.webkit.org/show_bug.cgi?id=155121
        <rdar://problem/25010391>

        Reviewed by Timothy Hatcher.

        Split out this renaming from the work to generate factory method stubs for types.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objc_conversion_helpers.py.
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):

        Rebaseline tests after changing generator order.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-07  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve and64() and or64() with immediate on x86
        https://bugs.webkit.org/show_bug.cgi?id=155104

        Reviewed by Geoffrey Garen.

        GetButterflyReadOnly was doing:
            movq 0x8(%rbx), %r9
            movq $0xfffffffffffffffc, %r11
            andq %r11, %r9
        There is no need for the move to load the immediate,
        andq sign extend its immediate.

        With this patch, we have:
            movq 0x8(%rbx), %r9
            andq $0xfffffffffffffffc, %r9

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::and64):
        (JSC::MacroAssemblerX86_64::or64):

2016-03-07  Brian Burg  <bburg@apple.com>

        Web Inspector: It should be possible to initialize generated ObjC protocol types from an NSDictionary payload
        https://bugs.webkit.org/show_bug.cgi?id=155102
        <rdar://problem/25002015>

        Reviewed by Timothy Hatcher.

        In Objective-C code, we sometimes prefer to parse JSON using Cocoa rather
        than the InspectorValue classes. Support initializing protocol objects
        directly from an NSDictionary payload. This delegates validation of values to
        the setter methods that already exist on the protocol object classes.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.payload_to_objc_expression_for_member):
        Add a new helper method to generate an expression to unpack the value
        from an NSDictionary. If it's not a primitive, the setter performs
        validation of the value's kind using -[NSObject isKindOfClass:].

        Rebaseline relevant tests.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-07  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Simplify the overflow check of ArithAbs
        https://bugs.webkit.org/show_bug.cgi?id=155063

        Reviewed by Geoffrey Garen.

        The only integer that overflow abs(int32) is INT_MIN.
        For some reason, our code testing for that case
        was checking the top bit of the result specifically.

        The code required a large immediate on x86 and an extra
        register on ARM64.

        This patch turns the overflow check into a branch on
        the sign of the result.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):
        * tests/stress/arith-abs-overflow.js: Added.
        (opaqueAbs):

2016-03-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve how DFG zero Floating Point registers
        https://bugs.webkit.org/show_bug.cgi?id=155096

        Reviewed by Geoffrey Garen.

        DFG had a weird way of zeroing a FPR:
            -zero a GP.
            -move that to a FP.

        Filip added moveZeroToDouble() for B3. This patch
        uses that in the lower tiers.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::moveZeroToDouble):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):

2016-03-07  Andreas Kling  <akling@apple.com>

        REGRESSION (r197303): Web Inspector crashes web process when inspecting an element on TOT
        <https://webkit.org/b/154812>

        Reviewed by Geoffrey Garen.

        Guard against null pointer dereference for UnlinkedCodeBlocks that don't have any control flow
        profiling data.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets):

2016-03-07  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path
        https://bugs.webkit.org/show_bug.cgi?id=155071

        Reviewed by Geoffrey Garen.

        We do not need to multiply to a scratch and then move the result
        to the destination. We can just multiply to the destination.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_mul):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):

2016-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] StringObject.{put, defineOwnProperty} should realize indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=155089

        Reviewed by Geoffrey Garen.

        Through implementing Reflect.set[1], we found StringObject does not obey the spec.
        StringObject::put should call putByIndex if the given propertyName is index.
        And StringObject::defineOwnProperty should recognize indexed properties since
        JSObject::defineOwnIndexedProperty is specialized to JSObject layout.
        Before calling JSObject::defineOwnProperty,
        StringObject should handle its special indexed own properties.
        It is responsibility of StringObject::defineOwnProperty.

        And the logic is cleaned up by using validateAndApplyPropertyDescriptor.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=155024

        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::defineOwnProperty):
        (JSC::StringObject::deleteProperty):
        * tests/stress/string-object-define-own-property.js: Added.
        (shouldBe):
        (shouldThrow):
        * tests/stress/string-object-put-by-index.js: Added.
        (shouldBe):
        (shouldThrow):
        (testSloppy):
        (testStrict):

2016-03-06  Brian Burg  <bburg@apple.com>

        Web Inspector: the protocol generator should have separate prefix options for Objective-C classes and filenames
        https://bugs.webkit.org/show_bug.cgi?id=155101
        <rdar://problem/25000053>

        Reviewed by Timothy Hatcher.

        It should be possible to generate Objective-C protocol types without prefixing all class names.
        The prefixes are only necessary when the generated files are part of a framework, but this isn't
        how the generated Objective-C frontend files are used.

        Add a separate framework setting and switch over code to use the 'protocol_group' in filenames,
        and the 'objc_prefix' for Objective-C enum and class prefixes.

        No tests need to be rebaselined because tests always set the protocol_group and objc_prefix
        to the same value.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.output_filename):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator.output_filename):
        (ObjCConfigurationImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator.output_filename):
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.output_filename):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        (ObjCConversionHelpersGenerator.output_filename):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.output_filename):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.output_filename):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.output_filename):
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.output_filename):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/models.py:
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator):
        (ObjCGenerator.protocol_name):
        (ObjCGenerator.objc_prefix):

2016-03-06  Brian Burg  <bburg@apple.com>

        Unreviewed, rebaseline inspector protocol generator tests after r197563.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2016-03-06  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve DFG's Int32 ArithMul if one operand is a constant
        https://bugs.webkit.org/show_bug.cgi?id=155066

        Reviewed by Filip Pizlo.

        When multiplying an integer by a constant, DFG was doing quite
        a bit worse than baseline JIT.
        We were loading the constant into a register, doing the multiply,
        the checking the result and both operands for negative zero.

        This patch changes:
        -Use the multiply-by-immediate form on x86.
        -Do as few checks as possible to detect negative-zero.

        In most cases, this reduce the negative-zero checks
        to zero or one TEST+JUMP.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::mul32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):

2016-03-06  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Remove a superfluous Move in front of every double unboxing
        https://bugs.webkit.org/show_bug.cgi?id=155064

        Reviewed by Saam Barati.

        Double unboxing was always doing:
            Move source, scratch
            Add64 tag, scratch
            IntToDouble scratch, fp

        We do not need to "Move" to copy the source.
        Both x86 and ARM64 have an efficient 3 operands Add instruction.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::unboxDouble):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::unboxDouble):
        (JSC::AssemblyHelpers::unboxDoubleNonDestructive):

2016-03-06  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Use 3 operands Add in more places
        https://bugs.webkit.org/show_bug.cgi?id=155082

        Reviewed by Filip Pizlo.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addPtr):
        (JSC::MacroAssembler::add32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        The case with child1 constant is useless.
        The canonical form will have the constant as child2.

        Also add register reuse for the fast-add.
        Registers are a scarce resource on x86.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2016-03-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve codegen of Compare and Test
        https://bugs.webkit.org/show_bug.cgi?id=155055

        Reviewed by Filip Pizlo.

        This patch introduces a few improvements on how we lower
        Compare and Test with immediates:
            -Add certain Immediate forms of ARM64.
            -Use CBZ/CBNZ when possible on ARM64.
            -When possible, convert a CMP into a TST
             On some hardware, we can issue more TST simultaneously.

             On x86, any TST+Jump is candidate for macro-fusion.
             They are also smaller.
             (sections 3.4.2.2 and 3.5.1.9)
            -Do not load the mask immediate of a TST
             if it only contains ones (mostly useful for ARM64
             since that would not have been a valid immediate).

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::compare32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        This is somewhat unrelated but I found that out while working
        on moveDoubleConditionallyTest32:
            If "thenCase" and "dest" are assigned the same register
            by the allocator, then the first (f)fcsel would override
            the "thenCase" and the second fcsel would always be "elseCase".

        This is covered by testb3 but was only uncovered
        after recent "Move" removals in lowering.

        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveConditionally64):
        (JSC::MacroAssemblerARM64::moveConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::test32):
        The version taking an immediate was guarded by
        (cond == Zero) || (cond == NonZero). That is overzealous,
        and only needed for CBZ/CBNZ.

        (JSC::MacroAssemblerARM64::branchTest64):
        (JSC::MacroAssemblerARM64::compare32):
        (JSC::MacroAssemblerARM64::compare64):
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
        (JSC::MacroAssemblerX86Common::branch32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::compare32):
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::compare64):
        (JSC::MacroAssemblerX86_64::branch64):
        (JSC::MacroAssemblerX86_64::moveConditionally64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        Unfortunately this cannot be abstracted by the MacroAssembler.
        Those immediates are not valid, we have to pick the better
        for right away.

        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::int64Operands):
        (JSC::B3::modelCompare):
        (JSC::B3::testCompareImpl):
        (JSC::B3::testCompare):
        (JSC::B3::b3Pow):
        (JSC::B3::testPowDoubleByIntegerLoop):
        Some versions of pow(double, int) do not return
        the exact same bits as our integer loop.
        Added a new version to have the same behavior
        as the B3 loop.

        (JSC::B3::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32Compare):
        Comparing to an immediate is super common. Do not waste
        a register for that!

2016-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build. This was a messed up merge.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):

2016-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should know how to speculate StringOrOther
        https://bugs.webkit.org/show_bug.cgi?id=155094

        Reviewed by Saam Barati.

        Any code that processes the regexp matches array was previously doing a relatively expensive
        Branch(Untyped:). This introduces a new use kind called StringOrOther, which is perfect for
        code that loops over the matches array and branches on the entries being non-empty.

        To do this, I needed to introduce code into the FTL that creates new blocks. We still had that
        awful FTL_NEW_BLOCK idiom since the only way to debug LLVM IR was to ascribe names to basic
        blocks. B3 IR is inherently more debuggable since unlike LLVM, B3 knows how to always respect
        code origin, and it knows how to print the code origin nicely in the dumps. So, rather than
        continue using FTL_NEW_BLOCK(m_out, ("things")), I replaced all of that stuff with
        m_out.newBlock(). It's much nicer that way.

        This is a tiny speed-up on Octane/regexp at best. I was hoping for more. Oh well.

        * bytecode/SpeculatedType.h:
        (JSC::isStringSpeculation):
        (JSC::isStringOrOtherSpeculation):
        (JSC::isSymbolSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateString):
        (JSC::DFG::Node::shouldSpeculateStringOrOther):
        (JSC::DFG::Node::shouldSpeculateStringObject):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
        (JSC::DFG::SpeculativeJIT::emitStringBranch):
        (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMod):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
        (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
        (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::copyBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        (JSC::FTL::DFG::LowerDFGToB3::switchString):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
        (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateString):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateRealNumber):
        (JSC::FTL::DFG::LowerDFGToB3::speculateNotStringVar):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::callCheck):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Output::check):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::setFrequency):
        (JSC::FTL::Output::insertNewBlocksBefore):

2016-03-06  Saam Barati  <sbarati@apple.com>

        [[GetPrototypeOf]] should be a fully virtual method in the method table
        https://bugs.webkit.org/show_bug.cgi?id=155002

        Reviewed by Filip Pizlo.

        This patch makes us more consistent with how the ES6 specification models the
        [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
        is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
        still allows directly accessing the prototype for situations where this
        is the desired behavior. This is equivalent to getting the internal
        [[Prototype]] field as described in the specification. 

        * API/JSObjectRef.cpp:
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (functionCreateProxy):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesConstructArray):
        * runtime/ClassInfo.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        * runtime/JSBoundFunction.cpp:
        (JSC::hasInstanceBoundFunction):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        * runtime/JSBoundFunction.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCell.cpp:
        (JSC::JSCell::setPrototype):
        (JSC::JSCell::getPrototype):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::hasLegacyProfiler):
        (JSC::lastInPrototypeChain):
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::defaultHasInstance):
        (JSC::objectPrivateFuncInstanceOf):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::getPrototypeDirect):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::prototype): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncIsPrototypeOf):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performSetPrototype):
        * runtime/StructureInlines.h:
        (JSC::Structure::isValid):
        * tests/stress/proxy-has-property.js:
        (assert.let.h1.has):
        (assert.let.h2.has):
        (assert):

2016-03-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197645.
        https://bugs.webkit.org/show_bug.cgi?id=155097

        "Doesn't build properly when building entire webkit"
        (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "[[GetPrototypeOf]] should be a fully virtual method in the
        method table"
        https://bugs.webkit.org/show_bug.cgi?id=155002
        http://trac.webkit.org/changeset/197645

2016-03-06  Saam barati  <sbarati@apple.com>

        [[GetPrototypeOf]] should be a fully virtual method in the method table
        https://bugs.webkit.org/show_bug.cgi?id=155002

        Reviewed by Filip Pizlo.

        This patch makes us more consistent with how the ES6 specification models the
        [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
        is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
        still allows directly accessing the prototype for situations where this
        is the desired behavior. This is equivalent to getting the internal
        [[Prototype]] field as described in the specification. 

        * API/JSObjectRef.cpp:
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (functionCreateProxy):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesConstructArray):
        * runtime/ClassInfo.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        * runtime/JSBoundFunction.cpp:
        (JSC::hasInstanceBoundFunction):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        * runtime/JSBoundFunction.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCell.cpp:
        (JSC::JSCell::setPrototype):
        (JSC::JSCell::getPrototype):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::hasLegacyProfiler):
        (JSC::lastInPrototypeChain):
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::defaultHasInstance):
        (JSC::objectPrivateFuncInstanceOf):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::getPrototypeDirect):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::prototype): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncIsPrototypeOf):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performSetPrototype):
        * runtime/StructureInlines.h:
        (JSC::Structure::isValid):
        * tests/stress/proxy-has-property.js:
        (assert.let.h1.has):
        (assert.let.h2.has):
        (assert):

2016-03-06  Filip Pizlo  <fpizlo@apple.com>

        RegExpMatchesArray doesn't know how to have a bad time
        https://bugs.webkit.org/show_bug.cgi?id=155069

        Reviewed by Yusuke Suzuki.

        In trunk if we are having a bad time, the regexp matches array is still allocated with a
        non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
        the prototype chain.

        Getting this to work right requires introducing bad time code paths into the regexp matches
        array. It also requires something more drastic: making this code not play games with the
        global object. The code that creates the matches array needs to have the actual global
        object of the regexp native function that it's logically created by.

        This is totally different from how we've handled global objects in the past because it means
        that the global object is not a constant. Normally we can make it a constant because a
        script executable will know its global object. But with native functions, it's the function
        instance that knows the global object - not the native executable. When we inline a native
        intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
        the functon instance. This means that the global object may be a variable that gets computed
        by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
        take a global object child. That also meant adding a new node type, GetGlobalObject, which
        does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
        Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
        turns out that this really isn't so bad because usually it's constant-folded anyway, since
        although the intrinsic code supports executable-based inlining (which leaves the callee
        instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
        via a child isn't any worse than conveying it via meta-data, and it's probably better than
        telling the inliner not to do executable-based inlining of native intrinsics. That would
        have been a confusing special-case.

        This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
        possibilities. For example, RegExpExec can now make a firm promise about the type of array
        it's creating.

        This also contains some other changes:
        
        - We are now using Structure::addPropertyTransition() in a lot of places even though it was
          meant to be an internal method with a quirky contract - for example if only works if you
          know that there is not existing transition. This relaxes this constraint.
        
        - Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
          references pointed at with "&", since we don't currently do that anywhere. The fact that
          it was using the wrong reference type also meant that the code couldn't elegantly make use
          of some our GC pointer helpers like jsCast<>.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSkipScope):
        (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * jit/JITOperations.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.h:
        (JSC::jsString):
        (JSC::jsSubstring):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):
        (JSC::createStructureImpl):
        (JSC::createRegExpMatchesArrayStructure):
        (JSC::createRegExpMatchesArraySlowPutStructure):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::put):
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::getLastIndex):
        (JSC::RegExpObject::test):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        * runtime/Structure.cpp:
        (JSC::Structure::suggestedArrayStorageTransition):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addNewPropertyTransition):
        * runtime/Structure.h:
        * tests/stress/regexp-matches-array-bad-time.js: Added.
        * tests/stress/regexp-matches-array-slow-put.js: Added.

2016-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path
        https://bugs.webkit.org/show_bug.cgi?id=155093

        Reviewed by Filip Pizlo.

        Before this patch, `setLastIndex(ExecState* exec, size_t lastIndex)` always overwrites the existing value
        regardless of writable attribute.
        And when defining RegExp#lastIndex in defineOwnProperty, we need to define the value first
        before making the attribute readonly. After changing the writable attribute, we cannot define the value.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        * tests/stress/regexp-last-index-writable.js: Added.
        (shouldBe):
        (shouldThrow):
        (regExpLastIndex):

2016-03-05  Filip Pizlo  <fpizlo@apple.com>

        The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell
        https://bugs.webkit.org/show_bug.cgi?id=154900

        Reviewed by Saam Barati.

        These old operations used to speculate cell. That's what they did when they were first
        introduced. That was probably about as good as they could do back then because we didn't have
        very powerful checks. Now we have powerful checks, so we can do this right.

        The most profitable thing to check is that child1 is a RegExpObject and child2 is a JSString.
        Sometimes though, we will not know what child2 is even though we know that child1 is a
        RegExpObject. So, this patch means that RegExpExec/RegExpTest have the following overloads:

            RegExpExec(RegExpObject:, String:)
            RegExpExec(RegExpObject:, Untyped:)
            RegExpExec(Untyped:, Untyped:)

        This shaves off some type checks in Octane/regexp. It also cleans up some problems in our
        modeling of the effectfulness of these operations.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        * jit/JITOperations.h:

2016-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Support Reflect.construct
        https://bugs.webkit.org/show_bug.cgi?id=147330

        Reviewed by Saam Barati.

        Based on Saam's r196868, this patch adds support for Reflect.construct.
        This patch implements OrdinaryCreateFromConstructor[1] for fallback cases.
        This path is rarely taken. For example,

            Reflect.construct(function () { }, [], Map);

        In this case, the `new.target` becomes `Map`.
        So we should create an object that `__proto__` is `Map.prototype`.

        And to allow forward declaration (and encouraging strong type checking), we change
        ConstructType, CallType to C++11 enum class.

        [1]: http://ecma-international.org/ecma-262/6.0/#sec-ordinarycreatefromconstructor

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::getCallData):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getConstructData):
        (JSC::JSCallbackObject<Parent>::getCallData):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectIsConstructor):
        (JSObjectCallAsConstructor):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::getCallData):
        (JSC::ObjCCallbackFunction::getConstructData):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::isFunction):
        * builtins/ReflectObject.js:
        * dfg/DFGOperations.cpp:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getConstructData):
        (JSC::ArrayConstructor::getCallData):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::getLength): Deleted.
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getConstructData):
        (JSC::BooleanConstructor::getCallData):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CallData.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/ConstructData.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getConstructData):
        (JSC::DateConstructor::getCallData):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::getConstructData):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getConstructData):
        (JSC::ErrorConstructor::getCallData):
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getConstructData):
        (JSC::FunctionConstructor::getCallData):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::getCallData):
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::getCallData):
        (JSC::GeneratorFunctionConstructor::getConstructData):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::getCallData):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::getConstructData):
        (JSC::IntlCollatorConstructor::getCallData):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::getConstructData):
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::getConstructData):
        (JSC::IntlNumberFormatConstructor::getCallData):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        * runtime/JSArray.h:
        (JSC::getLength):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        (JSC::JSValue::isConstructor):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallData):
        (JSC::JSCell::getConstructData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getCallData):
        (JSC::JSFunction::getConstructData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::getConstructData):
        (JSC::JSInternalPromiseConstructor::getCallData):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::getCallData):
        (JSC::getConstructData):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::initialize):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getConstructData):
        (JSC::JSPromiseConstructor::getCallData):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::newPromiseCapability):
        (JSC::callFunction):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        (JSC::JSTypedArrayViewConstructor::getConstructData):
        (JSC::JSTypedArrayViewConstructor::getCallData):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        (JSC::MapConstructor::getConstructData):
        (JSC::MapConstructor::getCallData):
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::provide):
        (JSC::ModuleLoaderObject::loadAndEvaluateModule):
        (JSC::ModuleLoaderObject::loadModule):
        (JSC::ModuleLoaderObject::linkAndEvaluateModule):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::NativeErrorConstructor::getCallData):
        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunction::getCallData):
        (JSC::NullGetterFunction::getConstructData):
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunction::getCallData):
        (JSC::NullSetterFunction::getConstructData):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getConstructData):
        (JSC::NumberConstructor::getCallData):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getConstructData):
        (JSC::ObjectConstructor::getCallData):
        (JSC::toPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToLocaleString):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsFunctionType):
        * runtime/ProxyConstructor.cpp:
        (JSC::ProxyConstructor::getConstructData):
        (JSC::ProxyConstructor::getCallData):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyCall):
        (JSC::ProxyObject::getCallData):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::getConstructData):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getConstructData):
        (JSC::RegExpConstructor::getCallData):
        * runtime/RuntimeType.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        (JSC::SetConstructor::getConstructData):
        (JSC::SetConstructor::getCallData):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getConstructData):
        (JSC::StringConstructor::getCallData):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::replaceUsingStringSearch):
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        (JSC::WeakMapConstructor::getConstructData):
        (JSC::WeakMapConstructor::getCallData):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        (JSC::WeakSetConstructor::getConstructData):
        (JSC::WeakSetConstructor::getCallData):
        * tests/es6.yaml:
        * tests/stress/reflect-construct.js: Added.
        (shouldBe):
        (shouldThrow):
        (shouldThrow.array.get length):
        (shouldThrow.array.get 0):
        (array.get length):
        (array.get 0):
        (shouldBe.Reflect.construct):
        (shouldBe.Reflect.construct.Hello):
        (3.shouldBe.Reflect.construct.Hello):
        (3.newTarget):
        (0.shouldBe.Reflect.construct):
        (shouldBe.A):
        (shouldBe.B):
        (nativeConstructorTest.DerivedMap):
        (nativeConstructorTest.FailedMap):
        (set noInline):

2016-03-04  Andreas Kling  <akling@apple.com>

        [iOS] Throw away compiled RegExp code when navigating to a new page.
        <https://webkit.org/b/155015>

        Reviewed by Anders Carlsson.

        Add a mechanism to have the VM discard all RegExp bytecode and JIT code.

        * runtime/VM.cpp:
        (JSC::VM::deleteAllRegExpCode):
        * runtime/VM.h:

2016-03-04  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol
        <http://webkit.org/b/155033>
        <rdar://problem/24979661>

        Reviewed by Alexey Proskuryakov.

        * runtime/JSObject.cpp:
        (JSC::JSObject::ordinaryToPrimitive): Don't mark this method
        inline since it's also used in DatePrototype.cpp, and is
        declared as a public class method.
        * runtime/JSObject.h:
        (JSC::JSObject::ordinaryToPrimitive): Don't export this method
        since it is not used outside of JavaScriptCore.

2016-03-04  Alex Christensen  <achristensen@webkit.org>

        Remove vcxproj build system
        https://bugs.webkit.org/show_bug.cgi?id=154388

        Rubber-stamped by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Removed.
        * JavaScriptCore.vcxproj/build-generated-files.pl: Removed.
        * JavaScriptCore.vcxproj/copy-files.cmd: Removed.

2016-03-04  Chris Dumez  <cdumez@apple.com>

        Location.reload should not be writable
        https://bugs.webkit.org/show_bug.cgi?id=154989

        Reviewed by Gavin Barraclough.

        After r196770, operations marked as [Unforgeable] in the IDL (such as
        Location.reload) are correctly reported as not writable by
        Object.getOwnPropertyDescriptor(). Trying to set such property in JS
        is correctly ignored (or throws in strict mode) if the object has
        previously been reified. However, due to a bug in putEntry(), it was
        still possible to override the property if the object was not reified
        yet. This patch fixes the issue by checking in putEntry() that entries
        that are functions are not ReadOnly before calling putDirect().

        * runtime/Lookup.h:
        (JSC::putEntry):

2016-03-04  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Lexical bind "super" inside of the arrow function in generator.
        https://bugs.webkit.org/show_bug.cgi?id=152575

        Reviewed by Yusuke Suzuki.

        Added support of the 'SuperProperty' in arrow function within of the generator 
        method of class. Before patch parser  did not recognize that current arrow function 
        is declated inside of the generator and raise SyntaxError.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::isGeneratorBoundary):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsGenerator):
        (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:

2016-03-03  Filip Pizlo  <fpizlo@apple.com>

        DFG/FTL should inline accesses to RegExpObject::m_lastIndex
        https://bugs.webkit.org/show_bug.cgi?id=155003

        Reviewed by Benjamin Poulain.

        The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being
        something that people want to do. Right now, I'm not convinced that making the RegExp object
        be more plain-JS would be a good idea considering that pretty much all uses of it will
        require some special compiler magic. Also, it's good that this patch teaches the compiler
        how to reason about lastIndex since some of my other plans for regexp involve having the
        compiler treat more regexp stuff as intrinsic.

        This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous
        speed-up on the microbenchmarks attached to this patch.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
        (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):
        (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::lowObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowString):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::RegExpObject::offsetOfLastIndex):

2016-03-03  Chris Dumez  <cdumez@apple.com>

        Regression(r196770): Unable to use HipChat Mac app
        https://bugs.webkit.org/show_bug.cgi?id=154999
        <rdar://problem/24931959>

        Reviewed by Darin Adler.

        Add a setter to PutPropertySlot to override the 'isStrictMode' flag.

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setStrictMode):

2016-03-03  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add support for MADD, MSUB and MNEG to Air
        https://bugs.webkit.org/show_bug.cgi?id=154997

        Reviewed by Filip Pizlo.

        ARM64 can do an Add/Sub in the Multiply units.
        LLVM was doing so but we lost that when switching to B3.

        This patch adds those instructions in Air.

        There are more ALUs than multiply units, thus we are more
        likely to successfully schedule a Multiply+Add than 2 Multiply.
        I am conservative and only emit a multiply-add if the value
        can be interned. As far as I can tell from what is generated
        by LLVM, that backend had the same rule.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::multiplyAdd32):
        (JSC::MacroAssemblerARM64::multiplySub32):
        (JSC::MacroAssemblerARM64::multiplyNeg32):
        (JSC::MacroAssemblerARM64::multiplyAdd64):
        (JSC::MacroAssemblerARM64::multiplySub64):
        (JSC::MacroAssemblerARM64::multiplyNeg64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::populateWithInterestingValues):
        (JSC::B3::floatingPointOperands):
        (JSC::B3::int64Operands):
        (JSC::B3::int32Operands):
        (JSC::B3::testMulAddArgsLeft):
        (JSC::B3::testMulAddArgsRight):
        (JSC::B3::testMulAddArgsLeft32):
        (JSC::B3::testMulAddArgsRight32):
        (JSC::B3::testMulSubArgsLeft):
        (JSC::B3::testMulSubArgsRight):
        (JSC::B3::testMulSubArgsLeft32):
        (JSC::B3::testMulSubArgsRight32):
        (JSC::B3::testMulNegArgs):
        (JSC::B3::testMulNegArgs32):
        (JSC::B3::run):

2016-03-03  Saam Barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[SetPrototypeOf]]
        https://bugs.webkit.org/show_bug.cgi?id=154931

        Reviewed by Ryosuke Niwa.

        This patch is a straight forward implementation of Proxy.[[SetPrototypeOf]]
        with respect to section 9.5.2 of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-setprototypeof-v

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::put):
        (JSC::ProxyObject::getGenericPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::setPrototype):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-set-prototype-of.js: Added.
        (assert):
        (throw.new.Error.let.handler.get setPrototypeOf):
        (throw.new.Error.set let):
        (throw.new.Error.set catch):
        (throw.new.Error):
        (assert.let.handler.setPrototypeOf):
        (assert.set let):
        (assert.set catch):
        (let.handler.setPrototypeOf):
        (set let):
        (set catch):

2016-03-03  Keith Miller  <keith_miller@apple.com>

        JSArrayBuffers should be collected less aggressively
        https://bugs.webkit.org/show_bug.cgi?id=154982

        Reviewed by Geoffrey Garen.

        We are currently too aggressive in our collection of ArrayBuffer wrappers.
        There are three cases where we need to avoid collecting ArrayBuffer wrappers.
        1. If the wrapper has custom properties.
        2. If the wrapper is a subclass of ArrayBuffer.
        3. If the wrapper is in a WeakMap/WeakSet.

        Currently, we only pass the first case in WebCore and none in the jsc CLI.
        This patch removes some optimizations that cause us to collect when we
        should not. Namely, always skipping the object unless it has custom
        properties. Additionally, in the case of subclassing, we also need a way
        for custom JSArrayBuffer objects to register themselves as the wrapper for
        an ArrayBuffer class.

        Finally, this patch fixes an issue where views would not mark their ArrayBuffer
        as an opaque root. This patch also moves an associated ASSERT that the
        ArrayBuffer held by a view is not null in JSGenericTypedArrayView::visitChildren
        into JSArrayBufferView::visitChildren, where we add the opaque root.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createWithoutWrapping):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::visitChildren):
        * runtime/JSArrayBufferView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
        * runtime/SimpleTypedArrayController.cpp:
        (JSC::SimpleTypedArrayController::toJS):
        (JSC::SimpleTypedArrayController::registerWrapper):
        (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
        (JSC::SimpleTypedArrayController::JSArrayBufferOwner::finalize):
        * runtime/SimpleTypedArrayController.h:
        * runtime/TypedArrayController.h:

2016-03-03  Filip Pizlo  <fpizlo@apple.com>

        Octane/regexp's Exec function should benefit from array length accessor inlining
        https://bugs.webkit.org/show_bug.cgi?id=154994

        Reviewed by Benjamin Poulain.

        It does:

            var thingy = blahbitty.blah;
            if (thingy)
                foo = thingy.length;

        So, 'thingy' is SpecArray | SpecOther, which prevents the array length accessor inlining from
        kicking in. Our strategy for this elsewhere in the DFG is to allow a one-time speculation that
        we won't see SpecOther, since *usually* we see SpecOther mixed with other stuff in cases like
        this where there is some null check guarding the code.

        This gives another slight speed-up on Octane/regexp.

        * bytecode/SpeculatedType.h:
        (JSC::isCellSpeculation):
        (JSC::isCellOrOtherSpeculation):
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateCell):
        (JSC::DFG::Node::shouldSpeculateCellOrOther):
        (JSC::DFG::Node::shouldSpeculateNotCell):

2016-03-03  Saam Barati  <sbarati@apple.com>

        Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties
        https://bugs.webkit.org/show_bug.cgi?id=154745

        Reviewed by Geoffrey Garen.

        This patch is mostly an implementation of Proxy.[[OwnPropertyKeys]] 
        with respect to section 9.5.11 of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys

        This patch also changes call sites of getOwnPropertyNames and
        getPropertyNames to expect that an exception can be thrown.

        * dfg/DFGOperations.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        (JSC::JSValue::put):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        (JSC::createListFromArrayLike):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::ownPropertyKeys):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::ProxyObject::deleteProperty):
        (JSC::ProxyObject::deletePropertyByIndex):
        (JSC::ProxyObject::defineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::getOwnPropertyNames):
        (JSC::ProxyObject::getOwnNonIndexPropertyNames):
        (JSC::ProxyObject::getStructurePropertyNames):
        (JSC::ProxyObject::getGenericPropertyNames):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        (JSC::ProxyObject::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::add):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::canCachePropertyNameEnumerator):
        (JSC::Structure::canAccessPropertiesQuicklyForEnumeration):
        (JSC::Structure::canAccessPropertiesQuickly): Deleted.
        * runtime/Structure.h:
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * tests/es6.yaml:
        * tests/stress/proxy-own-keys.js: Added.
        (assert):
        (throw.new.Error.let.handler.ownKeys):
        (throw.new.Error):
        (assert.let.handler.get ownKeys):
        (assert.let.handler.ownKeys):
        (let.handler.ownKeys):
        (i.catch):
        (shallowEq):
        (let.handler.getOwnPropertyDescriptor):
        (i.set assert):
        (set add):
        (set assert):
        (set if):

2016-03-03  Keith Miller  <keith_miller@apple.com>

        Array prototype JS builtins should support Symbol.species
        https://bugs.webkit.org/show_bug.cgi?id=154710

        Reviewed by Geoffrey Garen.

        Add support for Symbol.species in the Array.prototype JS
        builtin functions.

        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tests/stress/array-species-functions.js:
        (id):

2016-03-03  Michael Saboff  <msaboff@apple.com>

        [ES6] Make Unicode RegExp pattern parsing conform to the spec
        https://bugs.webkit.org/show_bug.cgi?id=154988

        Reviewed by Benjamin Poulain.

        Updated RegExp pattern processing with 'u' (Unicode) flag to conform to the
        spec (https://tc39.github.io/ecma262/2016/#sec-patterns).  In the spec, the
        grammar is annotated with [U] annotations.  Productions that are prefixed with
        [+U] are only available with the Unicode flags while productions prefixed with
        [~U] are only available without the Unicode flag.
        
        Added flags argument to Yarr::checkSyntax() so we can catch Unicode flag related
        parsing errors at syntax checking time.  Restricted what escapes are available for
        non Unicode patterns.  Most of this is defined in the IdentityEscape rule in the
        pattern grammar.

        Added \- as a CharacterClass only escape in Unicode patterns.

        Updated the tests for these changes.

        Made changes suggested in https://bugs.webkit.org/show_bug.cgi?id=154842#c22 after
        change set r197426 was landed.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createRegExp):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createRegExp):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::readChecked):
        (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
        (JSC::Yarr::Interpreter::InputStream::reread):
        (JSC::Yarr::Interpreter::InputStream::uncheckInput):
        (JSC::Yarr::Interpreter::InputStream::atStart):
        (JSC::Yarr::Interpreter::InputStream::atEnd):
        (JSC::Yarr::Interpreter::testCharacterClass):
        (JSC::Yarr::Interpreter::backtrackPatternCharacter):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):
        (JSC::Yarr::Parser::isIdentityEscapeAnError):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parse):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putChar):
        (JSC::Yarr::CharacterClassConstructor::putRange):
        (JSC::Yarr::CharacterClassConstructor::addSorted):
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        * yarr/YarrSyntaxChecker.cpp:
        (JSC::Yarr::SyntaxChecker::disjunction):
        (JSC::Yarr::checkSyntax):
        * yarr/YarrSyntaxChecker.h:

2016-03-03  Saam barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[DefineOwnProperty]]
        https://bugs.webkit.org/show_bug.cgi?id=154759

        Reviewed by Geoffrey Garen and Mark Lam.

        This patch is a straight forward implementation of Proxy.[[DefineOwnProperty]]
        with respect to section 9.5.6 of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-defineownproperty-p-desc

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        (JSC::constructObjectFromPropertyDescriptor):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::isExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::defineOwnProperty):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-define-own-property.js: Added.
        (assert):
        (throw.new.Error):
        (assert.let.handler.get defineProperty):
        (assert.let.handler.defineProperty):
        (let.handler.defineProperty):
        (i.catch):
        (assert.try.):
        (assert.set get catch):
        (assert.let.setter):
        (assert.let.getter):
        (assert.set get let.handler.defineProperty):
        (assert.set get let):
        (assert.):

2016-03-03  Keith Miller  <keith_miller@apple.com>

        [ES6] Add support for Symbol.toPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=154877

        Reviewed by Saam Barati.

        This patch adds suport for Symbol.toPrimitive. Since we don't currently
        generate snippits for one side of a binary operation we only need to change
        the JSObject::ToPrimitive function and update some optimizations in the DFG
        that need to know how conversions to primitive values should work. As of
        ES6, the date prototype is also no longer special cased in the ToPrimitive
        operation. Instead, Date.prototype has a Symbol.species function that
        replicates the old behavior.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPropertyMissConcurrently):
        * bytecode/ObjectPropertyConditionSet.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::watchConditions):
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToPrimitiveSymbol):
        * runtime/Error.cpp:
        (JSC::throwTypeError):
        * runtime/Error.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive):
        (JSC::JSObject::defaultValue):
        (JSC::JSObject::toPrimitive):
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::callDefaultValueFunction): Deleted.
        (JSC::throwTypeError): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::toPrimitive): Deleted.
        * runtime/SmallStrings.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/SymbolPrototype.h:
        (JSC::SymbolPrototype::create):
        * tests/es6.yaml:
        * tests/stress/date-symbol-toprimitive.js: Added.
        * tests/stress/ropes-symbol-toprimitive.js: Added.
        (ropify):
        (String.prototype.Symbol.toPrimitive):
        * tests/stress/symbol-toprimitive.js: Added.
        (foo.Symbol.toPrimitive):
        (catch):

2016-03-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to compile StringReplace
        https://bugs.webkit.org/show_bug.cgi?id=154979

        Reviewed by Benjamin Poulain.

        Adds support for StringReplace to the DFG tier. This is a 3% speed-up on Octane/regexp.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:

2016-03-03  Saam barati  <sbarati@apple.com>

        [[SetPrototypeOf]] isn't properly implemented everywhere
        https://bugs.webkit.org/show_bug.cgi?id=154943

        Reviewed by Benjamin Poulain.

        We were copy-pasting implememntation bits that belong in OrdinarySetPrototypeOf 
        in a few different places that call O.[[SetPrototypeOf]](v)
        rather than having those bits in OrdinarySetPrototypeOf itself.
        We need to put those copy-pasted bits into OrdinarySetPrototypeOf
        and not the call sites of O.[[SetPrototypeOf]](v) because
        O.[[SetPrototypeOf]](v) won't always call into OrdinarySetPrototypeOf.
        This is needed for correctness because this behavior is now observable
        with the ES6 Proxy object.

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototype):
        * runtime/JSCell.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::allowsAccessFrom):
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectSetPrototypeOf):

2016-03-03  Alex Christensen  <achristensen@webkit.org>

        Fix Windows build after r197489.

        * jsc.cpp:

2016-03-02  Filip Pizlo  <fpizlo@apple.com>

        RegExpExec/RegExpTest should not unconditionally speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=154901

        Reviewed by Benjamin Poulain.

        This is a three part change. It all started with a simple goal: end the rage-recompiles in
        Octane/regexp by enabling the DFG and FTL to do untyped RegExpExec/RegExpTest. This keeps us
        in the optimized code when you do a regexp match on a number, for example.

        While implementing this, I realized that DFGOperations.cpp was bad at exception checking. When
        it did check for exceptions, it used exec->hadException() instead of vm.exception(). So I
        fixed that. I also made sure that the regexp operations checked for exception after doing
        toString().

        Unfortunately, the introduction of untyped RegExpExec/RegExpTest caused a regression on
        Octane/regexp. This was because we were simultaneously scheduling replacement and OSR compiles
        of some large functions with the FTL JIT. The OSR compiles were not useful. This was a
        regression from the previous changes to make OSR compiles happen sooner. The problem is that
        this change also removed the throttling of OSR compiles even in those cases where we suspect
        that replacement is more likely. This patch reintroduces that throttling, but only in the
        replacement path.

        This change ends up being neutral overall.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * tests/stress/regexp-exec-effect-after-exception.js: Added.

2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
        https://bugs.webkit.org/show_bug.cgi?id=154947

        Reviewed by Filip Pizlo.

        This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.

        The problem was that JSCell_freeListNext and JSCell_structureID were
        considered as disjoint. When reordering instructions, the scheduler
        could move the write of the StructureID first to reduce dependencies.
        This would erase half of JSCell_freeListNext before we get a chance
        to load the value.

        This patch changes the hierarchy to make sure nothing is written
        until JSCell_freeListNext is processed.

        All credits for this patch go to Filip.

        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:

2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve Select of Doubles based on Double condition
        https://bugs.webkit.org/show_bug.cgi?id=154572

        Reviewed by Filip Pizlo.

        Octane has a bunch of Select on Double based on comparing Doubles.
        A few nodes generate that: ValueRep, Min, Max, etc.

        On ARM64, we can improve our code a lot. ARM can do a select
        based on flags with the FCSEL instruction.

        On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
        This has obviously a much more limited impact.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
        (JSC::MacroAssemblerARM64::branch64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
        (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::populateWithInterestingValues):
        (JSC::B3::floatingPointOperands):
        (JSC::B3::int64Operands):
        (JSC::B3::int32Operands):
        (JSC::B3::testSelectCompareFloat):
        (JSC::B3::testSelectCompareFloatToDouble):
        (JSC::B3::testSelectDoubleCompareDouble):
        (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
        (JSC::B3::testSelectFloatCompareFloat):
        (JSC::B3::testSelectFloatCompareFloatWithAliasing):
        (JSC::B3::run):

2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>

        Add ability to generate a Heap Snapshot
        https://bugs.webkit.org/show_bug.cgi?id=154847

        Reviewed by Mark Lam.

        This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.

        HeapProfiler hangs off of the VM and holds the list of snapshots.
        I expect to add other HeapProfiling features, such as allocation
        tracking, to the profiler.

        HeapSnapshot contains a collection of live cells and their identifiers.
        It can point to a previous HeapSnapshot, to ensure that a cell that
        already received an identifier maintains the same identifier across
        multiple snapshots. When a snapshotted cell gets garbage collected,
        the cell will be swept from the HeapSnapshot at the end of collection
        to ensure the list contains only live cells.

        When building a HeapSnapshot nodes are added in increasing node
        identifier order. When done building, the list of nodes is complete
        and the snapshot is finalized. At this point the nodes are sorted
        by JSCell* address to allow for quick lookup of a JSCell*.

        HeapSnapshotBuilder is where snapshotting begins. The builder
        will initiate a specialized heap snapshotting garbage collection.
        During this collection the builder will be notified of all marked
        (live) cells, and connections between cells, as seen by SlotVisitors.
        The builder can reference the previous, readonly, HeapSnapshots to
        avoid creating new nodes for cells that have already been snapshotted.
        When it is determined that we are visiting a live cell for the first
        time, we give the cell a unique identifier and add it to the the
        snapshot we are building.

        Since edge data is costly, and of little long term utility, this
        data is only held by the builder for serialization, and not stored
        long term with the HeapSnapshot node data.

        The goals of HeapSnapshotting at this time are:
        - minimal impact on performance when not profiling the heap
        - unique identifier for cells, so they may be identified across multiple snapshots
        - nodes and edges to be able to construct a graph of which nodes reference/retain which other nodes
        - node data - identifier, type (class name), size
        - edge data - from cell, to cell, type / data (to come in a follow-up patch)

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Add new files to the build.

        * heap/Heap.cpp:
        (JSC::Heap::isHeapSnapshotting):
        (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
        (JSC::RemoveDeadHeapSnapshotNodes::operator()):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::collectImpl):
        After every collection, sweep dead cells from in memory snapshots.

        * runtime/VM.cpp:
        (JSC::VM::ensureHeapProfiler):
        * runtime/VM.h:
        (JSC::VM::heapProfiler):
        * heap/Heap.h:
        * heap/HeapProfiler.cpp: Added.
        (JSC::HeapProfiler::HeapProfiler):
        (JSC::HeapProfiler::~HeapProfiler):
        (JSC::HeapProfiler::mostRecentSnapshot):
        (JSC::HeapProfiler::appendSnapshot):
        (JSC::HeapProfiler::clearSnapshots):
        (JSC::HeapProfiler::setActiveSnapshotBuilder):
        * heap/HeapProfiler.h: Added.
        (JSC::HeapProfiler::vm):
        (JSC::HeapProfiler::activeSnapshotBuilder):
        VM and Heap can look at the profiler to determine if we are building a
        snapshot, or the "head" snapshot to use for sweeping.

        * heap/HeapSnapshot.cpp: Added.
        (JSC::HeapSnapshot::HeapSnapshot):
        (JSC::HeapSnapshot::~HeapSnapshot):
        (JSC::HeapSnapshot::appendNode):
        Add a node to the unfinalized list of new cells.

        (JSC::HeapSnapshot::sweepCell):
        (JSC::HeapSnapshot::shrinkToFit):
        Collect a list of cells for sweeping and then remove them all at once
        in shrinkToFit. This is done to avoid thrashing of individual removes
        that could cause many overlapping moves within the Vector.

        (JSC::HeapSnapshot::finalize):
        Sort the list, and also cache the bounding start/stop identifiers.
        No other snapshot can contain an identifier in this range, so it will
        improve lookup of a node from an identifier.

        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        Search helpers.

        * heap/HeapSnapshotBuilder.h: Added.
        (JSC::HeapSnapshotNode::HeapSnapshotNode):
        (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
        Node and Edge struct types the builder creates.

        * heap/HeapSnapshotBuilder.cpp: Added.
        (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
        (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        (JSC::HeapSnapshotBuilder::appendNode):
        (JSC::HeapSnapshotBuilder::appendEdge):
        When building the snapshot, generating the next identifier, and
        appending to any of the lists must be guarded by a lock because
        SlotVisitors running in parallel may be accessing the builder.

        (JSC::HeapSnapshotBuilder::hasExistingNodeForCell):
        Looking up if a node already exists in a previous snapshot can be
        done without a lock because at this point the data is readonly.

        (JSC::edgeTypeToNumber):
        (JSC::edgeTypeToString):
        (JSC::HeapSnapshotBuilder::json):
        JSON serialization of a heap snapshot contains node and edge data.

        * heap/SlotVisitor.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        Set/clear the active snapshot builder to know if this will be a
        snapshotting GC or not.

        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        Inform the builder of a new node or edge.

        (JSC::SlotVisitor::visitChildren):
        Remember the current cell we are visiting so that if we need to
        inform the builder of edges we know the "from" cell.

        * jsc.cpp:
        (SimpleObject::SimpleObject):
        (SimpleObject::create):
        (SimpleObject::finishCreation):
        (SimpleObject::visitChildren):
        (SimpleObject::createStructure):
        (SimpleObject::hiddenValue):
        (SimpleObject::setHiddenValue):
        Create a new class "SimpleObject" that can be used by heap snapshotting
        tests. It is easy to filter for this new class name and test internal
        edge relationships created by garbage collection visiting the cell.

        (functionCreateSimpleObject):
        (functionGetHiddenValue):
        (functionSetHiddenValue):
        Expose methods to create and interact with a SimpleObject.

        (functionGenerateHeapSnapshot):
        Expose methods to create a heap snapshot. This currently automatically
        turns the serialized string into a JSON object. That may change.

        * tests/heapProfiler.yaml: Added.
        * tests/heapProfiler/basic-edges.js: Added.
        (excludeStructure):
        * tests/heapProfiler/basic-nodes.js: Added.
        (hasDifferentSizeNodes):
        (hasAllInternalNodes):
        Add tests for basic node and edge data.

        * tests/heapProfiler/driver/driver.js: Added.
        (assert):
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshotEdge):
        (CheapHeapSnapshotEdge.prototype.get from):
        (CheapHeapSnapshotEdge.prototype.get to):
        (CheapHeapSnapshot):
        (CheapHeapSnapshot.prototype.get nodes):
        (CheapHeapSnapshot.prototype.get edges):
        (CheapHeapSnapshot.prototype.nodeWithIdentifier):
        (CheapHeapSnapshot.prototype.nodesWithClassName):
        (CheapHeapSnapshot.prototype.classNameFromTableIndex):
        (CheapHeapSnapshot.prototype.edgeTypeFromTableIndex):
        (createCheapHeapSnapshot):
        (HeapSnapshotNode):
        (HeapSnapshotEdge):
        (HeapSnapshot):
        (HeapSnapshot.prototype.nodesWithClassName):
        (createHeapSnapshot):
        Add two HeapSnapshot representations.
        CheapHeapSnapshot creates two lists of node and edge data that
        lazily creates objects as needed.
        HeapSnapshot creates an object for each node and edge. This
        is wasteful but easier to use.

2016-03-02  Filip Pizlo  <fpizlo@apple.com>

        RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive
        https://bugs.webkit.org/show_bug.cgi?id=154927

        Reviewed by Saam Barati.

        While working on regexp optimizations, I found that RegExpPrototype calls toString(), an
        effectful operation that could do anything, without then checking for hadException().

        So I added a call to hadException().

        But that regressed Octane/regexp by 5%!  That's a lot!  It turns out that
        exec->hadException() is soooper slow. So, I made it cheaper to check for exceptions from
        toString(): there is now a variant called toStringFast() that returns null iff it throws an
        exception.

        This allowed me to add the exception check without regressing perf.

        Note that toString() must retain its old behavior of returning an empty string on exception.
        There is just too much code that relies on that behavior.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::isValidCallee):
        (JSC::JSValue::toStringSlowCase):
        (JSC::JSValue::toWTFStringSlowCase):
        * runtime/JSCJSValue.h:
        (JSC::JSValue::asValue):
        * runtime/JSString.h:
        (JSC::JSValue::toString):
        (JSC::JSValue::toStringFast):
        (JSC::JSValue::toWTFString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):

2016-03-02  Saam barati  <sbarati@apple.com>

        clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype
        https://bugs.webkit.org/show_bug.cgi?id=154942

        Reviewed by Benjamin Poulain.

        These don't need to be inlined in the way they are.
        Doing dynamic dispatch is ok performance wise until
        we have evidence stating otherwise.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        * runtime/ClassInfo.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototype):
        (JSC::JSCell::setPrototypeOf): Deleted.
        * runtime/JSCell.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::setPrototypeOf): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::setPrototypeOfInline): Deleted.
        (JSC::JSObject::isExtensibleInline): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):

2016-03-02  Konstantin Tokarev  <annulen@yandex.ru>

        [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
        https://bugs.webkit.org/show_bug.cgi?id=154651

        Reviewed by Alex Christensen.

        * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.

2016-03-02  Saam barati  <sbarati@apple.com>

        [[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable
        https://bugs.webkit.org/show_bug.cgi?id=154897

        Reviewed by Filip Pizlo.

        This patch makes us more consistent with how the ES6 specification models the
        [[SetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
        is a prerequisite for implementing Proxy.[[SetPrototypeOf]]. This patch
        still allows directly setting the prototype for situations where this
        is the desired behavior. This is equivalent to setting the internal
        [[Prototype]] field as described in the specification. 

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        * API/JSWrapperMap.mm:
        (makeWrapper):
        * runtime/ClassInfo.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototypeOf):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototypeOf):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::setPrototype): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::setPrototypeOfInline):
        (JSC::JSObject::mayInterceptIndexedAccesses):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectSetPrototypeOf):

2016-03-02  Saam barati  <sbarati@apple.com>

        SIGSEGV in Proxy [[Get]] and [[Set]] recursion
        https://bugs.webkit.org/show_bug.cgi?id=154854

        Reviewed by Yusuke Suzuki.

        We need to be aware of the possibility that the VM
        may recurse and that we can stack overflow.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performPut):
        * tests/stress/proxy-get-and-set-recursion-stack-overflow.js: Added.
        (assert):
        (testStackOverflowGet):
        (testStackOverflowIndexedGet):
        (testStackOverflowSet):
        (testStackOverflowIndexedSet):

2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Use a Move without REX byte when possible
        https://bugs.webkit.org/show_bug.cgi?id=154801

        Reviewed by Alex Christensen.

        Filip wrote an optimization in the register allocator
        to use 32bit "Move" when we don't care about the top bytes.

        When I moved the commutative ops to the fake 3 operands instruction
        I largely destroyed this since all the "Moves" became full register.

        In this patch, I switch back to 32bit "Moves" for 32bit operations.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::lshift32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::rshift32):
        (JSC::MacroAssemblerX86Common::urshift32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchMul32):
        (JSC::MacroAssemblerX86Common::branchSub32):
        (JSC::MacroAssemblerX86Common::move32IfNeeded):

2016-03-01  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1
        https://bugs.webkit.org/show_bug.cgi?id=154904

        Reviewed by Saam Barati.

        The ASM test "ubench" has a "x % 10 % 255".
        The second modulo should be eliminated.

        This is a 15% improvement on ASMJS' ubench.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/arith-modulo-twice.js: Added.
        (opaqueModuloSmaller):
        (opaqueModuloEqual):
        (opaqueModuloLarger):