generate-js-builtins.js should support @internal annotation
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-11-08  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2
3         generate-js-builtins.js should support @internal annotation
4         https://bugs.webkit.org/show_bug.cgi?id=150929
5
6         Reviewed by Darin Adler.
7
8         * Scripts/builtins/builtins_generate_separate_header.py:
9         (BuiltinsSeparateHeaderGenerator.generate_output): Generate internal boilerplate code only if @internal annotation is available.
10         * Scripts/builtins/builtins_templates.py: Split boilerplate in two templates (one that is used for all built-ins and one dedicated to internals).
11         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed internal boilerplate.
12         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
13         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
14
15 2015-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>
16
17         [ES6] Minimize ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX ifdefs
18         https://bugs.webkit.org/show_bug.cgi?id=150998
19
20         Reviewed by Geoffrey Garen.
21
22         This patch minimizes ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX ifdefs.
23         It only keeps 2 ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX in Parser.cpp, one for
24         template literals and one for tagged templates.
25         This change makes the difference between the enabled and disabled configurations minimal,
26         reducing accidental build breaks of the disabled configuration.
27
28         * bytecompiler/BytecodeGenerator.cpp:
29         * bytecompiler/BytecodeGenerator.h:
30         * bytecompiler/NodesCodegen.cpp:
31         * parser/ASTBuilder.h:
32         * parser/Lexer.cpp:
33         (JSC::Lexer<T>::Lexer): Deleted.
34         (JSC::Lexer<T>::lex): Deleted.
35         * parser/Lexer.h:
36         * parser/NodeConstructors.h:
37         * parser/Nodes.h:
38         * parser/Parser.cpp:
39         * parser/Parser.h:
40         * parser/SyntaxChecker.h:
41
42 2015-11-06  Filip Pizlo  <fpizlo@apple.com>
43
44         B3->Air lowering should do pattern matching the old fashioned way
45         https://bugs.webkit.org/show_bug.cgi?id=150994
46
47         Reviewed by Geoffrey Garen.
48
49         When I first wrote the B3->Air lowering prototype, I was convinced that the patterns would get
50         so gnarly that we'd want a pattern language to write them in. So I made one, and that's what
51         the lowering has used. But as we've worked with the IR, we've found that it's very easy to
52         pattern match in C++ using the B3 API, and we've also found that most of the patterns we wrote
53         using the pattern language were mostly trivial. So this change removes the pattern match code
54         generator and the patterns files, and redoes the lowering using good old fashioned switch
55         statements. This actually reduces the total code of the lowering.
56
57         I also took the opportunity to refactor UnOp and BinOp lowering. We had a lot of repetitive
58         code for 32-vs-64-bit opcode selection, so I factored that out into a helper. This also saves a
59         lot of code.
60
61         * CMakeLists.txt:
62         * DerivedSources.make:
63         * b3/B3AddressMatcher.patterns: Removed.
64         * b3/B3LowerToAir.cpp:
65         (JSC::B3::Air::LowerToAir::LowerToAir):
66         (JSC::B3::Air::LowerToAir::run):
67         (JSC::B3::Air::LowerToAir::highBitsAreZero):
68         (JSC::B3::Air::LowerToAir::tmp):
69         (JSC::B3::Air::LowerToAir::canBeInternal):
70         (JSC::B3::Air::LowerToAir::commitInternal):
71         (JSC::B3::Air::LowerToAir::crossesInterference):
72         (JSC::B3::Air::LowerToAir::effectiveAddr):
73         (JSC::B3::Air::LowerToAir::addr):
74         (JSC::B3::Air::LowerToAir::loadPromise):
75         (JSC::B3::Air::LowerToAir::imm):
76         (JSC::B3::Air::LowerToAir::immForMove):
77         (JSC::B3::Air::LowerToAir::immOrTmpForMove):
78         (JSC::B3::Air::LowerToAir::tryOpcodeForType):
79         (JSC::B3::Air::LowerToAir::opcodeForType):
80         (JSC::B3::Air::LowerToAir::appendUnOp):
81         (JSC::B3::Air::LowerToAir::appendBinOp):
82         (JSC::B3::Air::LowerToAir::appendShift):
83         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
84         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
85         (JSC::B3::Air::LowerToAir::append):
86         (JSC::B3::Air::LowerToAir::ensureSpecial):
87         (JSC::B3::Air::LowerToAir::fillStackmap):
88         (JSC::B3::Air::LowerToAir::createGenericCompare):
89         (JSC::B3::Air::LowerToAir::createBranch):
90         (JSC::B3::Air::LowerToAir::createCompare):
91         (JSC::B3::Air::LowerToAir::lower):
92         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
93         (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector): Deleted.
94         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot): Deleted.
95         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate): Deleted.
96         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals): Deleted.
97         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate): Deleted.
98         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands): Deleted.
99         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate): Deleted.
100         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1): Deleted.
101         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2): Deleted.
102         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd): Deleted.
103         (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer): Deleted.
104         (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot): Deleted.
105         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect): Deleted.
106         (JSC::B3::Air::LowerToAir::acceptRoot): Deleted.
107         (JSC::B3::Air::LowerToAir::acceptRootLate): Deleted.
108         (JSC::B3::Air::LowerToAir::acceptInternals): Deleted.
109         (JSC::B3::Air::LowerToAir::acceptInternalsLate): Deleted.
110         (JSC::B3::Air::LowerToAir::acceptOperands): Deleted.
111         (JSC::B3::Air::LowerToAir::acceptOperandsLate): Deleted.
112         (JSC::B3::Air::LowerToAir::tryLoad): Deleted.
113         (JSC::B3::Air::LowerToAir::tryLoad8S): Deleted.
114         (JSC::B3::Air::LowerToAir::tryLoad8Z): Deleted.
115         (JSC::B3::Air::LowerToAir::tryLoad16S): Deleted.
116         (JSC::B3::Air::LowerToAir::tryLoad16Z): Deleted.
117         (JSC::B3::Air::LowerToAir::tryAdd): Deleted.
118         (JSC::B3::Air::LowerToAir::trySub): Deleted.
119         (JSC::B3::Air::LowerToAir::tryAnd): Deleted.
120         (JSC::B3::Air::LowerToAir::tryOr): Deleted.
121         (JSC::B3::Air::LowerToAir::tryXor): Deleted.
122         (JSC::B3::Air::LowerToAir::tryShl): Deleted.
123         (JSC::B3::Air::LowerToAir::trySShr): Deleted.
124         (JSC::B3::Air::LowerToAir::tryZShr): Deleted.
125         (JSC::B3::Air::LowerToAir::tryStoreAddLoad): Deleted.
126         (JSC::B3::Air::LowerToAir::tryStoreSubLoad): Deleted.
127         (JSC::B3::Air::LowerToAir::tryStoreAndLoad): Deleted.
128         (JSC::B3::Air::LowerToAir::tryStore): Deleted.
129         (JSC::B3::Air::LowerToAir::tryTrunc): Deleted.
130         (JSC::B3::Air::LowerToAir::tryZExt32): Deleted.
131         (JSC::B3::Air::LowerToAir::tryArgumentReg): Deleted.
132         (JSC::B3::Air::LowerToAir::tryConst32): Deleted.
133         (JSC::B3::Air::LowerToAir::tryConst64): Deleted.
134         (JSC::B3::Air::LowerToAir::tryFramePointer): Deleted.
135         (JSC::B3::Air::LowerToAir::tryStackSlot): Deleted.
136         (JSC::B3::Air::LowerToAir::tryEqual): Deleted.
137         (JSC::B3::Air::LowerToAir::tryNotEqual): Deleted.
138         (JSC::B3::Air::LowerToAir::tryLessThan): Deleted.
139         (JSC::B3::Air::LowerToAir::tryGreaterThan): Deleted.
140         (JSC::B3::Air::LowerToAir::tryLessEqual): Deleted.
141         (JSC::B3::Air::LowerToAir::tryGreaterEqual): Deleted.
142         (JSC::B3::Air::LowerToAir::tryAbove): Deleted.
143         (JSC::B3::Air::LowerToAir::tryBelow): Deleted.
144         (JSC::B3::Air::LowerToAir::tryAboveEqual): Deleted.
145         (JSC::B3::Air::LowerToAir::tryBelowEqual): Deleted.
146         (JSC::B3::Air::LowerToAir::tryPatchpoint): Deleted.
147         (JSC::B3::Air::LowerToAir::tryCheck): Deleted.
148         (JSC::B3::Air::LowerToAir::tryUpsilon): Deleted.
149         (JSC::B3::Air::LowerToAir::tryPhi): Deleted.
150         (JSC::B3::Air::LowerToAir::tryBranch): Deleted.
151         (JSC::B3::Air::LowerToAir::tryJump): Deleted.
152         (JSC::B3::Air::LowerToAir::tryIdentity): Deleted.
153         (JSC::B3::Air::LowerToAir::tryReturn): Deleted.
154         * b3/B3LoweringMatcher.patterns: Removed.
155         * b3/generate_pattern_matcher.rb: Removed.
156
157 2015-11-07  Michael Saboff  <msaboff@apple.com>
158
159         Add conditional moves to the MacroAssembler
160         https://bugs.webkit.org/show_bug.cgi?id=150761
161
162         Reviewed by Filip Pizlo.
163
164         Added moveConditionally, moveConditionallyTest & moveConditionallyDouble to X86 macro assemblers.
165         Bench tested correct opcodes and operations on X86-64 and X86 for a select number of comparisons.
166
167         * assembler/MacroAssemblerX86Common.h:
168         (JSC::MacroAssemblerX86Common::moveConditionally):
169         (JSC::MacroAssemblerX86Common::moveConditionallyTest):
170         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
171         * assembler/X86Assembler.h:
172         (JSC::X86Assembler::cmovcc):
173         (JSC::X86Assembler::cmovl_rr):
174         (JSC::X86Assembler::cmovl_mr):
175         (JSC::X86Assembler::cmovel_rr):
176         (JSC::X86Assembler::cmovnel_rr):
177         (JSC::X86Assembler::cmovpl_rr):
178         (JSC::X86Assembler::cmovnpl_rr):
179         (JSC::X86Assembler::cmovq_rr):
180         (JSC::X86Assembler::cmovq_mr):
181         (JSC::X86Assembler::cmoveq_rr):
182         (JSC::X86Assembler::cmovneq_rr):
183         (JSC::X86Assembler::cmovpq_rr):
184         (JSC::X86Assembler::cmovnpq_rr):
185         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64):
186
187 2015-11-06  Saam barati  <sbarati@apple.com>
188
189         Control Flow Profiler should keep execution counts of basic blocks
190         https://bugs.webkit.org/show_bug.cgi?id=146099
191
192         Reviewed by Mark Lam.
193
194         This patch changes the control flow profiler to now
195         keep track of execution counts for each basic block
196         instead of a boolean indicating if the basic block has 
197         executed at all.  This has the consequence of us having to 
198         always compile all op_profile_control_flows in the baseline and DFG.
199
200         This patch adds a new "executionCount" field to the inspector protocol
201         corresponding to the execution of a basic block. This patch, for now,
202         still maintains the previous field of "hasExecuted" even though this is
203         redundant with "executionCount".
204
205         * dfg/DFGSpeculativeJIT32_64.cpp:
206         (JSC::DFG::SpeculativeJIT::compile):
207         * dfg/DFGSpeculativeJIT64.cpp:
208         (JSC::DFG::SpeculativeJIT::compile):
209         * inspector/agents/InspectorRuntimeAgent.cpp:
210         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
211         * inspector/protocol/Runtime.json:
212         * jit/JITOpcodes.cpp:
213         (JSC::JIT::emit_op_profile_control_flow):
214         (JSC::JIT::emit_op_create_direct_arguments):
215         * jsc.cpp:
216         (GlobalObject::finishCreation):
217         (functionHasBasicBlockExecuted):
218         (functionBasicBlockExecutionCount):
219         (functionEnableExceptionFuzz):
220         (functionDrainMicrotasks):
221         (functionIs32BitPlatform):
222         (functionLoadWebAssembly):
223         * llint/LowLevelInterpreter.asm:
224         * llint/LowLevelInterpreter32_64.asm:
225         * llint/LowLevelInterpreter64.asm:
226         * runtime/BasicBlockLocation.cpp:
227         (JSC::BasicBlockLocation::BasicBlockLocation):
228         (JSC::BasicBlockLocation::dumpData):
229         (JSC::BasicBlockLocation::emitExecuteCode):
230         * runtime/BasicBlockLocation.h:
231         (JSC::BasicBlockLocation::endOffset):
232         (JSC::BasicBlockLocation::setStartOffset):
233         (JSC::BasicBlockLocation::setEndOffset):
234         (JSC::BasicBlockLocation::hasExecuted):
235         (JSC::BasicBlockLocation::executionCount):
236         * runtime/ControlFlowProfiler.cpp:
237         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
238         (JSC::findBasicBlockAtTextOffset):
239         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
240         (JSC::ControlFlowProfiler::basicBlockExecutionCountAtTextOffset):
241         * runtime/ControlFlowProfiler.h:
242         (JSC::ControlFlowProfiler::dummyBasicBlock):
243         * tests/controlFlowProfiler/execution-count.js: Added.
244         (noop):
245         (foo):
246         (a):
247         (b):
248         (baz):
249         (jaz):
250         (testWhile):
251         (is32BitPlatform.testMax):
252         (is32BitPlatform):
253
254 2015-11-06  Filip Pizlo  <fpizlo@apple.com>
255
256         B3 and Air should simplify CFGs
257         https://bugs.webkit.org/show_bug.cgi?id=150960
258
259         Reviewed by Geoffrey Garen.
260
261         This adds CFG simplification to both B3 and Air.
262
263         In B3, the simplification is done inside the B3::reduceStrength() fixpoint because we expect
264         that it will help to reveal more optimization opportunities. This is going to be particularly
265         true when we add Phi elimination.
266
267         In Air, the simplification is its own phase. We expect it to produce most of its benefits once
268         we have coalescing. Then, CFG simplification in Air will unbreak critical edges.
269
270         * JavaScriptCore.xcodeproj/project.pbxproj:
271         * assembler/AbortReason.h:
272         * assembler/MacroAssembler.h:
273         (JSC::MacroAssembler::oops): Reveal this as a method so that we can have an Oops instruction.
274         * b3/B3BasicBlock.h:
275         (JSC::B3::BasicBlock::predecessor):
276         (JSC::B3::BasicBlock::predecessors):
277         (JSC::B3::BasicBlock::containsPredecessor):
278         * b3/B3BasicBlockUtils.h: Bunch of fixes for blocks being killed.
279         (JSC::B3::replacePredecessor):
280         (JSC::B3::resetReachability):
281         * b3/B3ReduceStrength.cpp: Implement B3 CFG simplification.
282         * b3/B3ReduceStrength.h:
283         * b3/air/AirBasicBlock.h:
284         (JSC::B3::Air::BasicBlock::resize):
285         (JSC::B3::Air::BasicBlock::insts):
286         (JSC::B3::Air::BasicBlock::appendInst):
287         (JSC::B3::Air::BasicBlock::containsPredecessor):
288         * b3/air/AirGenerate.cpp:
289         (JSC::B3::Air::generate):
290         * b3/air/AirInst.cpp:
291         (JSC::B3::Air::Inst::hasArgEffects):
292         (JSC::B3::Air::Inst::dump):
293         * b3/air/AirInst.h:
294         * b3/air/AirLiveness.h:
295         (JSC::B3::Air::Liveness::Liveness): Fix for when blocks were killed.
296         * b3/air/AirOpcode.opcodes:
297         * b3/air/AirSimplifyCFG.cpp: Added.
298         (JSC::B3::Air::simplifyCFG):
299         * b3/air/AirSimplifyCFG.h: Added.
300
301 2015-11-05  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
302
303         Add runtime and compile time flags for enabling Web Animations API and model.
304         https://bugs.webkit.org/show_bug.cgi?id=150914
305
306         Reviewed by Benjamin Poulain.
307
308         Add ENABLE_WEB_ANIMATIONS compile time flag, runtime flag webAnimationsEnabled and expose WK2 preference for runtime flag.
309
310         * Configurations/FeatureDefines.xcconfig:
311
312 2015-11-05  Sukolsak Sakshuwong  <sukolsak@gmail.com>
313
314         Layout Test js/intl-collator.html is crashing on win 7 debug
315         https://bugs.webkit.org/show_bug.cgi?id=150943
316
317         Reviewed by Geoffrey Garen.
318
319         The string length returned by ICU's uenum_next seems to be unreliable
320         on an old version of ICU. Since uenum_next returns a null-terminated
321         string anyway, this patch removes the use of the length.
322
323         * runtime/IntlCollatorConstructor.cpp:
324         (JSC::sortLocaleData):
325
326 2015-11-05  Filip Pizlo  <fpizlo@apple.com>
327
328         Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=150958 and
329         https://bugs.webkit.org/show_bug.cgi?id=150954.
330
331         * b3/B3LowerToAir.cpp:
332         (JSC::B3::Air::LowerToAir::createGenericCompare):
333         * b3/B3ReduceStrength.cpp:
334
335 2015-11-05  Aleksandr Skachkov  <gskachkov@gmail.com>
336
337         Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG
338         https://bugs.webkit.org/show_bug.cgi?id=150902
339
340         Reviewed by Geoffrey Garen.
341
342         Tiny fix provided by Saam Barati. This fix prevents a segfault error in an arrow function
343         when it is used in the constructor of a derived class before 'super' is called.
344
345         * dfg/DFGAbstractInterpreterInlines.h:
346         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
347
348 2015-11-05  Filip Pizlo  <fpizlo@apple.com>
349
350         B3->Air lowering should have a story for compare-branch fusion
351         https://bugs.webkit.org/show_bug.cgi?id=150721
352
353         Reviewed by Geoffrey Garen.
354
355         This adds comprehensive support for compares and compare/branch fusion to B3. The fusion is
356         super aggressive. It can even handle things like Branch(LessThan(Load8S(...), constant)). It
357         can even handle flipping the operands to the branch, and flipping the comparison condition,
358         if it enables a more efficient instruction. This happens when there is asymmetry in the
359         admitted argument kinds. For example, Branch32 will only accept an Imm as a second operand.
360         If we do a LessThan(constant, load) then we will generate it as:
361
362             Branch32 GreaterThan, (addr), $imm
363
364         This also supports compiling and fusing tests, and to some extent, compiling and fusing
365         double compares. Though we cannot test doubles yet because we don't have enough support for
366         that.
367
368         This also supports fusing compare/branches in Checks. We basically get that for free.
369
370         Because I wanted to fuse comparisons with sub-32-bit loads, I added support for those loads
371         directly, too.
372
373         The tests are now getting super big, so I made testb3 run tests in parallel.
374
375         Finally, this slightly changes the semantics of Branch and Check. Previously they would have
376         accepted a double to branch on. I found that this is awkward. It's especially awkward since
377         we want to be explicit about when a double zero constant is materialized. So, from now on, we
378         require that to branch on a double being non-zero, you have to do Branch(NotEqual(value, 0)).
379
380         * assembler/MacroAssembler.h:
381         (JSC::MacroAssembler::invert):
382         (JSC::MacroAssembler::isInvertible):
383         (JSC::MacroAssembler::flip):
384         (JSC::MacroAssembler::isSigned):
385         (JSC::MacroAssembler::isUnsigned):
386         * assembler/MacroAssemblerX86Common.h:
387         (JSC::MacroAssemblerX86Common::test32):
388         (JSC::MacroAssemblerX86Common::invert):
389         * b3/B3CheckSpecial.cpp:
390         (JSC::B3::CheckSpecial::Key::Key):
391         (JSC::B3::CheckSpecial::Key::dump):
392         (JSC::B3::CheckSpecial::CheckSpecial):
393         (JSC::B3::CheckSpecial::~CheckSpecial):
394         * b3/B3CheckSpecial.h:
395         (JSC::B3::CheckSpecial::Key::Key):
396         (JSC::B3::CheckSpecial::Key::operator==):
397         (JSC::B3::CheckSpecial::Key::operator!=):
398         (JSC::B3::CheckSpecial::Key::operator bool):
399         (JSC::B3::CheckSpecial::Key::opcode):
400         (JSC::B3::CheckSpecial::Key::numArgs):
401         (JSC::B3::CheckSpecial::Key::isHashTableDeletedValue):
402         (JSC::B3::CheckSpecial::Key::hash):
403         (JSC::B3::CheckSpecialKeyHash::hash):
404         (JSC::B3::CheckSpecialKeyHash::equal):
405         * b3/B3Const32Value.cpp:
406         (JSC::B3::Const32Value::zShrConstant):
407         (JSC::B3::Const32Value::equalConstant):
408         (JSC::B3::Const32Value::notEqualConstant):
409         (JSC::B3::Const32Value::lessThanConstant):
410         (JSC::B3::Const32Value::greaterThanConstant):
411         (JSC::B3::Const32Value::lessEqualConstant):
412         (JSC::B3::Const32Value::greaterEqualConstant):
413         (JSC::B3::Const32Value::aboveConstant):
414         (JSC::B3::Const32Value::belowConstant):
415         (JSC::B3::Const32Value::aboveEqualConstant):
416         (JSC::B3::Const32Value::belowEqualConstant):
417         (JSC::B3::Const32Value::dumpMeta):
418         * b3/B3Const32Value.h:
419         * b3/B3Const64Value.cpp:
420         (JSC::B3::Const64Value::zShrConstant):
421         (JSC::B3::Const64Value::equalConstant):
422         (JSC::B3::Const64Value::notEqualConstant):
423         (JSC::B3::Const64Value::lessThanConstant):
424         (JSC::B3::Const64Value::greaterThanConstant):
425         (JSC::B3::Const64Value::lessEqualConstant):
426         (JSC::B3::Const64Value::greaterEqualConstant):
427         (JSC::B3::Const64Value::aboveConstant):
428         (JSC::B3::Const64Value::belowConstant):
429         (JSC::B3::Const64Value::aboveEqualConstant):
430         (JSC::B3::Const64Value::belowEqualConstant):
431         (JSC::B3::Const64Value::dumpMeta):
432         * b3/B3Const64Value.h:
433         * b3/B3ConstDoubleValue.cpp:
434         (JSC::B3::ConstDoubleValue::subConstant):
435         (JSC::B3::ConstDoubleValue::equalConstant):
436         (JSC::B3::ConstDoubleValue::notEqualConstant):
437         (JSC::B3::ConstDoubleValue::lessThanConstant):
438         (JSC::B3::ConstDoubleValue::greaterThanConstant):
439         (JSC::B3::ConstDoubleValue::lessEqualConstant):
440         (JSC::B3::ConstDoubleValue::greaterEqualConstant):
441         (JSC::B3::ConstDoubleValue::dumpMeta):
442         * b3/B3ConstDoubleValue.h:
443         * b3/B3LowerToAir.cpp:
444         (JSC::B3::Air::LowerToAir::LowerToAir):
445         (JSC::B3::Air::LowerToAir::run):
446         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
447         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise):
448         (JSC::B3::Air::LowerToAir::ArgPromise::tmp):
449         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool):
450         (JSC::B3::Air::LowerToAir::ArgPromise::kind):
451         (JSC::B3::Air::LowerToAir::ArgPromise::peek):
452         (JSC::B3::Air::LowerToAir::ArgPromise::consume):
453         (JSC::B3::Air::LowerToAir::tmp):
454         (JSC::B3::Air::LowerToAir::tmpPromise):
455         (JSC::B3::Air::LowerToAir::canBeInternal):
456         (JSC::B3::Air::LowerToAir::addr):
457         (JSC::B3::Air::LowerToAir::loadPromise):
458         (JSC::B3::Air::LowerToAir::imm):
459         (JSC::B3::Air::LowerToAir::appendBinOp):
460         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
461         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
462         (JSC::B3::Air::LowerToAir::createGenericCompare):
463         (JSC::B3::Air::LowerToAir::createBranch):
464         (JSC::B3::Air::LowerToAir::createCompare):
465         (JSC::B3::Air::LowerToAir::tryLoad):
466         (JSC::B3::Air::LowerToAir::tryLoad8S):
467         (JSC::B3::Air::LowerToAir::tryLoad8Z):
468         (JSC::B3::Air::LowerToAir::tryLoad16S):
469         (JSC::B3::Air::LowerToAir::tryLoad16Z):
470         (JSC::B3::Air::LowerToAir::tryAdd):
471         (JSC::B3::Air::LowerToAir::tryStackSlot):
472         (JSC::B3::Air::LowerToAir::tryEqual):
473         (JSC::B3::Air::LowerToAir::tryNotEqual):
474         (JSC::B3::Air::LowerToAir::tryLessThan):
475         (JSC::B3::Air::LowerToAir::tryGreaterThan):
476         (JSC::B3::Air::LowerToAir::tryLessEqual):
477         (JSC::B3::Air::LowerToAir::tryGreaterEqual):
478         (JSC::B3::Air::LowerToAir::tryAbove):
479         (JSC::B3::Air::LowerToAir::tryBelow):
480         (JSC::B3::Air::LowerToAir::tryAboveEqual):
481         (JSC::B3::Air::LowerToAir::tryBelowEqual):
482         (JSC::B3::Air::LowerToAir::tryPatchpoint):
483         (JSC::B3::Air::LowerToAir::tryCheck):
484         (JSC::B3::Air::LowerToAir::tryBranch):
485         (JSC::B3::Air::LowerToAir::loadAddr): Deleted.
486         * b3/B3LoweringMatcher.patterns:
487         * b3/B3Opcode.cpp:
488         (JSC::B3::invertedCompare):
489         * b3/B3Opcode.h:
490         (JSC::B3::isCheckMath):
491         * b3/B3Procedure.cpp:
492         (JSC::B3::Procedure::addBlock):
493         (JSC::B3::Procedure::addIntConstant):
494         (JSC::B3::Procedure::addBoolConstant):
495         (JSC::B3::Procedure::resetValueOwners):
496         * b3/B3Procedure.h:
497         * b3/B3ReduceStrength.cpp:
498         * b3/B3Validate.cpp:
499         * b3/B3Value.cpp:
500         (JSC::B3::Value::zShrConstant):
501         (JSC::B3::Value::equalConstant):
502         (JSC::B3::Value::notEqualConstant):
503         (JSC::B3::Value::lessThanConstant):
504         (JSC::B3::Value::greaterThanConstant):
505         (JSC::B3::Value::lessEqualConstant):
506         (JSC::B3::Value::greaterEqualConstant):
507         (JSC::B3::Value::aboveConstant):
508         (JSC::B3::Value::belowConstant):
509         (JSC::B3::Value::aboveEqualConstant):
510         (JSC::B3::Value::belowEqualConstant):
511         (JSC::B3::Value::invertedCompare):
512         * b3/B3Value.h:
513         * b3/air/AirArg.cpp:
514         (JSC::B3::Air::Arg::isRepresentableAs):
515         (JSC::B3::Air::Arg::dump):
516         (WTF::printInternal):
517         * b3/air/AirArg.h:
518         (JSC::B3::Air::Arg::isUse):
519         (JSC::B3::Air::Arg::typeForB3Type):
520         (JSC::B3::Air::Arg::widthForB3Type):
521         (JSC::B3::Air::Arg::Arg):
522         (JSC::B3::Air::Arg::value):
523         (JSC::B3::Air::Arg::isRepresentableAs):
524         (JSC::B3::Air::Arg::asNumber):
525         (JSC::B3::Air::Arg::pointerValue):
526         (JSC::B3::Air::Arg::asDoubleCondition):
527         (JSC::B3::Air::Arg::inverted):
528         (JSC::B3::Air::Arg::flipped):
529         (JSC::B3::Air::Arg::isSignedCond):
530         (JSC::B3::Air::Arg::isUnsignedCond):
531         * b3/air/AirInst.h:
532         (JSC::B3::Air::Inst::Inst):
533         (JSC::B3::Air::Inst::operator bool):
534         * b3/air/AirOpcode.opcodes:
535         * b3/air/opcode_generator.rb:
536         * b3/testb3.cpp:
537         (hiddenTruthBecauseNoReturnIsStupid):
538         (JSC::B3::testStoreLoadStackSlot):
539         (JSC::B3::modelLoad):
540         (JSC::B3::testLoad):
541         (JSC::B3::testBranch):
542         (JSC::B3::testComplex):
543         (JSC::B3::testSimplePatchpoint):
544         (JSC::B3::testSimpleCheck):
545         (JSC::B3::genericTestCompare):
546         (JSC::B3::modelCompare):
547         (JSC::B3::testCompareLoad):
548         (JSC::B3::testCompareImpl):
549         (JSC::B3::testCompare):
550         (JSC::B3::run):
551         (main):
552         * dfg/DFGSpeculativeJIT.cpp:
553         (JSC::DFG::SpeculativeJIT::compileArithMod):
554         * jit/JITPropertyAccess.cpp:
555         (JSC::JIT::emitIntTypedArrayGetByVal):
556         (JSC::JIT::emitIntTypedArrayPutByVal):
557
558 2015-11-05  Joseph Pecoraro  <pecoraro@apple.com>
559
560         Web Inspector: Clean up InjectedScript uses
561         https://bugs.webkit.org/show_bug.cgi?id=150921
562
563         Reviewed by Timothy Hatcher.
564
565         * inspector/InjectedScript.cpp:
566         (Inspector::InjectedScript::wrapCallFrames):
567         * inspector/InjectedScript.h:
568         * inspector/InjectedScriptBase.cpp:
569         (Inspector::InjectedScriptBase::initialize): Deleted.
570         * inspector/InjectedScriptBase.h:
571         * inspector/InjectedScriptManager.cpp:
572         (Inspector::InjectedScriptManager::didCreateInjectedScript):
573         * inspector/InjectedScriptManager.h:
574         * inspector/InjectedScriptModule.cpp:
575         (Inspector::InjectedScriptModule::ensureInjected):
576         * inspector/InjectedScriptModule.h:
577         * inspector/agents/InspectorDebuggerAgent.cpp:
578         (Inspector::InspectorDebuggerAgent::currentCallFrames):
579         * inspector/agents/InspectorDebuggerAgent.h:
580
581 2015-11-05  Joseph Pecoraro  <pecoraro@apple.com>
582
583         Web Inspector: Put ScriptDebugServer into InspectorEnvironment and cleanup duplicate references
584         https://bugs.webkit.org/show_bug.cgi?id=150869
585
586         Reviewed by Brian Burg.
587
588         ScriptDebugServer (JSC::Debugger) is being used by more and more agents
589         for instrumentation into JavaScriptCore. Currently the ScriptDebugServer
590         is owned by DebuggerAgent subclasses that make their own ScriptDebugServer
591         subclass. As more agents want to use it there was added boilerplate.
592         Instead, put the ScriptDebugServer in the InspectorEnvironment (Controllers).
593         Then each agent can access it during construction through the environment.
594
595         Do the same clean up for RuntimeAgent::globalVM, which is now just a
596         duplication of InspectorEnvironment::vm.
597
598         * inspector/InspectorEnvironment.h:
599         Add scriptDebugServer().
600
601         * inspector/JSGlobalObjectInspectorController.h:
602         * inspector/JSGlobalObjectInspectorController.cpp:
603         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
604         (Inspector::JSGlobalObjectInspectorController::scriptDebugServer):
605         Own the JSGlobalObjectScriptDebugServer.
606
607         * inspector/agents/InspectorDebuggerAgent.h:
608         * inspector/agents/InspectorDebuggerAgent.cpp:
609         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
610         (Inspector::InspectorDebuggerAgent::enable):
611         (Inspector::InspectorDebuggerAgent::disable):
612         (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
613         (Inspector::InspectorDebuggerAgent::isPaused):
614         (Inspector::InspectorDebuggerAgent::setSuppressAllPauses):
615         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
616         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
617         (Inspector::InspectorDebuggerAgent::continueToLocation):
618         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
619         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
620         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
621         (Inspector::InspectorDebuggerAgent::resume):
622         (Inspector::InspectorDebuggerAgent::stepOver):
623         (Inspector::InspectorDebuggerAgent::stepInto):
624         (Inspector::InspectorDebuggerAgent::stepOut):
625         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
626         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
627         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
628         (Inspector::InspectorDebuggerAgent::didPause):
629         (Inspector::InspectorDebuggerAgent::breakProgram):
630         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
631         * inspector/agents/InspectorRuntimeAgent.h:
632         * inspector/agents/InspectorRuntimeAgent.cpp:
633         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
634         (Inspector::setPauseOnExceptionsState):
635         (Inspector::InspectorRuntimeAgent::parse):
636         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
637         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
638         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
639         Use VM and ScriptDebugServer passed during construction.
640
641         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
642         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
643         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
644         (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent): Deleted.
645         One special case needed by this subclass as a convenience to access the global object.
646
647         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
648         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
649         (Inspector::JSGlobalObjectRuntimeAgent::globalVM): Deleted.
650         This virtual method is no longer needed, the base class has everything now.
651
652 2015-11-05  Xabier Rodriguez Calvar  <calvaris@igalia.com>
653
654         [Streams API] Shield implementation from user mangling Promise.reject and resolve methods
655         https://bugs.webkit.org/show_bug.cgi?id=150895
656
657         Reviewed by Youenn Fablet.
658
659         Keep Promise.resolve and reject also as internal slots for the Promise constructor given that there is no way to
660         retrieve the former implementation if the user decides to replace it. This allows vended promises to be
661         created safely even if the user changes the constructor methods.
662
663         * runtime/JSPromiseConstructor.h:
664         * runtime/JSPromiseConstructor.cpp:
665         (JSC::JSPromiseConstructor::addOwnInternalSlots): Added to include @reject and @resolve.
666         (JSC::JSPromiseConstructor::create): Call addOwnInternalSlots.
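
An added JavaScript illustration of the hazard the entry above addresses; it is not WebKit code. JavaScriptCore keeps the originals in the internal slots @resolve and @reject, which this sketch approximates with references captured before any page script runs; `makeVendor`, `vendLate`, `vendShielded`, `rejectShielded` and `demonstrate` are hypothetical names, and the "user script" is constructed sample input.

```javascript
// Added illustration, not WebKit code. A library "vends" promises to callers.
// vendLate looks Promise.resolve up at call time, so it follows whatever the
// page has installed. vendShielded and rejectShielded use references saved at
// initialization, standing in for the engine's @resolve / @reject slots.

function makeVendor() {
    const savedResolve = Promise.resolve; // stand-in for @resolve
    const savedReject = Promise.reject;   // stand-in for @reject
    return {
        vendLate: (value) => Promise.resolve(value),
        vendShielded: (value) => Reflect.apply(savedResolve, Promise, [value]),
        rejectShielded: (reason) => Reflect.apply(savedReject, Promise, [reason]),
    };
}

function demonstrate() {
    const vendor = makeVendor(); // library initializes before user script runs
    const original = { resolve: Promise.resolve, reject: Promise.reject };
    const seen = [];             // values the replacement function received

    try {
        // Constructed "user script": replaces both constructor methods.
        Promise.resolve = (value) => { seen.push(value); return { then() {} }; };
        Promise.reject = () => undefined;

        const late = vendor.vendLate("chunk-1");
        const shielded = vendor.vendShielded("chunk-1");
        const rejected = vendor.rejectShielded(new Error("closed"));
        rejected.catch(() => {}); // keep the sample free of unhandled rejections

        return {
            // The late lookup hands back the replacement's object, not a promise.
            lateIsRealPromise: late instanceof Promise,
            // The saved references still produce genuine promises.
            shieldedIsRealPromise: shielded instanceof Promise,
            rejectedIsRealPromise: rejected instanceof Promise,
            // Only the late lookup passed its value through the replacement.
            intercepted: seen.slice(),
            // After replacement, no own property of Promise still holds the
            // original function: it has to be saved up front.
            originalReachable: Reflect.ownKeys(Promise)
                .some((key) => Promise[key] === original.resolve),
        };
    } finally {
        // Restore the constructor so the sample leaves the realm unchanged.
        Promise.resolve = original.resolve;
        Promise.reject = original.reject;
    }
}
```
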
667
668 2015-11-04  Benjamin Poulain  <bpoulain@apple.com>
669
670         [JSC] Add B3-to-Air lowering for the shift opcodes
671         https://bugs.webkit.org/show_bug.cgi?id=150919
672
673         Reviewed by Filip Pizlo.
674
675         * assembler/MacroAssemblerX86_64.h:
676         (JSC::MacroAssemblerX86_64::rshift64):
677         (JSC::MacroAssemblerX86_64::urshift64):
678         * assembler/X86Assembler.h:
679         (JSC::X86Assembler::shrq_CLr):
680         * b3/B3Const32Value.cpp:
681         (JSC::B3::Const32Value::shlConstant):
682         (JSC::B3::Const32Value::sShrConstant):
683         (JSC::B3::Const32Value::zShrConstant):
684         * b3/B3Const32Value.h:
685         * b3/B3Const64Value.cpp:
686         (JSC::B3::Const64Value::shlConstant):
687         (JSC::B3::Const64Value::sShrConstant):
688         (JSC::B3::Const64Value::zShrConstant):
689         * b3/B3Const64Value.h:
690         * b3/B3LowerToAir.cpp:
691         (JSC::B3::Air::LowerToAir::appendShift):
692         (JSC::B3::Air::LowerToAir::tryShl):
693         (JSC::B3::Air::LowerToAir::trySShr):
694         (JSC::B3::Air::LowerToAir::tryZShr):
695         * b3/B3LoweringMatcher.patterns:
696         * b3/B3Opcode.h:
697         * b3/B3ReduceStrength.cpp:
698         * b3/B3Value.cpp:
699         (JSC::B3::Value::shlConstant):
700         (JSC::B3::Value::sShrConstant):
701         (JSC::B3::Value::zShrConstant):
702         * b3/B3Value.h:
703         * b3/air/AirInstInlines.h:
704         (JSC::B3::Air::isShiftValid):
705         (JSC::B3::Air::isRshift32Valid):
706         (JSC::B3::Air::isRshift64Valid):
707         (JSC::B3::Air::isUrshift32Valid):
708         (JSC::B3::Air::isUrshift64Valid):
709         * b3/air/AirOpcode.opcodes:
710         * b3/testb3.cpp:
711         (JSC::B3::testShlArgs):
712         (JSC::B3::testShlImms):
713         (JSC::B3::testShlArgImm):
714         (JSC::B3::testShlArgs32):
715         (JSC::B3::testShlImms32):
716         (JSC::B3::testShlArgImm32):
717         (JSC::B3::testSShrArgs):
718         (JSC::B3::testSShrImms):
719         (JSC::B3::testSShrArgImm):
720         (JSC::B3::testSShrArgs32):
721         (JSC::B3::testSShrImms32):
722         (JSC::B3::testSShrArgImm32):
723         (JSC::B3::testZShrArgs):
724         (JSC::B3::testZShrImms):
725         (JSC::B3::testZShrArgImm):
726         (JSC::B3::testZShrArgs32):
727         (JSC::B3::testZShrImms32):
728         (JSC::B3::testZShrArgImm32):
729         (JSC::B3::run):
730
731 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
732
733         B3 should be able to compile a Check
734         https://bugs.webkit.org/show_bug.cgi?id=150878
735
736         Reviewed by Saam Barati.
737
738         The Check opcode in B3 is going to be our main OSR exit mechanism. It is a stackmap
739         value, so you can pass it any number of additional arguments, and you will get to find
740         out how those arguments are represented at the point that the value lands in the machine
741         code. Unlike a Patchpoint, a Check branches on a value, with the goal of supporting full
742         compare/branch fusion. The stackmap's generator runs in an out-of-line path to which
743         that branch is linked.
744
745         This change fills in the glue necessary to compile a Check and it includes a simple
746         test of this functionality. That test also happens to check that such simple code will
747         never use callee-saves, which I think is sensible.
748
749         * b3/B3LowerToAir.cpp:
750         (JSC::B3::Air::LowerToAir::append):
751         (JSC::B3::Air::LowerToAir::ensureSpecial):
752         (JSC::B3::Air::LowerToAir::fillStackmap):
753         (JSC::B3::Air::LowerToAir::tryStackSlot):
754         (JSC::B3::Air::LowerToAir::tryPatchpoint):
755         (JSC::B3::Air::LowerToAir::tryCheck):
756         (JSC::B3::Air::LowerToAir::tryUpsilon):
757         * b3/B3LoweringMatcher.patterns:
758         * b3/testb3.cpp:
759         (JSC::B3::testSimplePatchpoint):
760         (JSC::B3::testSimpleCheck):
761         (JSC::B3::run):
762
763 2015-10-30  Keith Miller  <keith_miller@apple.com>
764
765         Fix endless OSR exits when creating a rope that contains an object that ToPrimitive's to a number.
766         https://bugs.webkit.org/show_bug.cgi?id=150583
767
768         Reviewed by Benjamin Poulain.
769
770         Before we assumed that the result of ToPrimitive on any object was a string.
771         This had a couple of negative effects. First, the result of ToPrimitive on an
772         object can be overridden to be any primitive type. In fact, as of ES6, ToPrimitive,
773         when part of an addition expression, will type hint a number value. Second, even after
774         repeatedly exiting with a bad type we would continue to think that the result
775         of ToPrimitive would be a string so we continue to convert StrCats into MakeRope.
776
777         The fix is to make Prediction Propagation match the behavior of Fixup and move
778         canOptimizeStringObjectAccess to DFGGraph.
779
780         * bytecode/SpeculatedType.h:
781         * dfg/DFGFixupPhase.cpp:
782         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
783         (JSC::DFG::FixupPhase::fixupToPrimitive):
784         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
785         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
786         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): Deleted.
787         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): Deleted.
788         * dfg/DFGGraph.cpp:
789         (JSC::DFG::Graph::isStringPrototypeMethodSane):
790         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
791         * dfg/DFGGraph.h:
792         * dfg/DFGPredictionPropagationPhase.cpp:
793         (JSC::DFG::PredictionPropagationPhase::resultOfToPrimitive):
794         (JSC::DFG::resultOfToPrimitive): Deleted.
811         * tests/stress/string-rope-with-custom-valueof.js: Added.
812         (catNumber):
813         (number.valueOf):
814         (catBool):
815         (bool.valueOf):
816         (catUndefined):
817         (undef.valueOf):
818         (catRandom):
819         (random.valueOf):
820
821 2015-11-04  Xabier Rodriguez Calvar  <calvaris@igalia.com>
822
823         Remove bogus global internal functions for properties and prototype retrieval
824         https://bugs.webkit.org/show_bug.cgi?id=150892
825
826         Reviewed by Darin Adler.
827
828         Global @getOwnPropertyNames and @getPrototypeOf point to the floor function, so it is bogus dead code.
829
830         * runtime/JSGlobalObject.cpp:
831         (JSC::JSGlobalObject::init): Removed global @getOwnPropertyNames and @getPrototypeOf.
832
833 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
834
835         [JSC] Add B3-to-Air lowering for BitXor
836         https://bugs.webkit.org/show_bug.cgi?id=150872
837
838         Reviewed by Filip Pizlo.
839
840         * assembler/MacroAssemblerX86Common.h:
841         (JSC::MacroAssemblerX86Common::xor32):
842         Fix the indentation.
843
844         * b3/B3Const32Value.cpp:
845         (JSC::B3::Const32Value::bitXorConstant):
846         * b3/B3Const32Value.h:
847         * b3/B3Const64Value.cpp:
848         (JSC::B3::Const64Value::bitXorConstant):
849         * b3/B3Const64Value.h:
850         * b3/B3LowerToAir.cpp:
851         (JSC::B3::Air::LowerToAir::tryXor):
852         * b3/B3LoweringMatcher.patterns:
853         * b3/B3ReduceStrength.cpp:
854         * b3/B3Value.cpp:
855         (JSC::B3::Value::bitXorConstant):
856         * b3/B3Value.h:
857         * b3/air/AirOpcode.opcodes:
858         * b3/testb3.cpp:
859         (JSC::B3::testBitXorArgs):
860         (JSC::B3::testBitXorSameArg):
861         (JSC::B3::testBitXorImms):
862         (JSC::B3::testBitXorArgImm):
863         (JSC::B3::testBitXorImmArg):
864         (JSC::B3::testBitXorBitXorArgImmImm):
865         (JSC::B3::testBitXorImmBitXorArgImm):
866         (JSC::B3::testBitXorArgs32):
867         (JSC::B3::testBitXorSameArg32):
868         (JSC::B3::testBitXorImms32):
869         (JSC::B3::testBitXorArgImm32):
870         (JSC::B3::testBitXorImmArg32):
871         (JSC::B3::testBitXorBitXorArgImmImm32):
872         (JSC::B3::testBitXorImmBitXorArgImm32):
873         (JSC::B3::run):
874
875 2015-11-03  Mark Lam  <mark.lam@apple.com>
876
877         Add op_add tests to compare behavior of JIT generated code to the LLINT's.
878         https://bugs.webkit.org/show_bug.cgi?id=150864
879
880         Reviewed by Saam Barati.
881
882         * tests/stress/op_add.js: Added.
883         (o1.valueOf):
884         (generateScenarios):
885         (printScenarios):
886         (testCases.func):
887         (func):
888         (initializeTestCases):
889         (runTest):
890
891 2015-11-03  Mark Lam  <mark.lam@apple.com>
892
893         Rename DFG's compileAdd to compileArithAdd.
894         https://bugs.webkit.org/show_bug.cgi?id=150866
895
896         Reviewed by Benjamin Poulain.
897
898         The function is only supposed to generate code to do arithmetic addition on
899         numeric types.  Naming it compileArithAdd() is more accurate, and is consistent
900         with the name of the node it emits code for (i.e. ArithAdd) as well as other
901         compiler functions for analogous operations e.g. compileArithSub.
902
903         * dfg/DFGSpeculativeJIT.cpp:
904         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
905         (JSC::DFG::SpeculativeJIT::compileArithAdd):
906         (JSC::DFG::SpeculativeJIT::compileAdd): Deleted.
907         * dfg/DFGSpeculativeJIT.h:
908         * dfg/DFGSpeculativeJIT32_64.cpp:
909         (JSC::DFG::SpeculativeJIT::compile):
910         * dfg/DFGSpeculativeJIT64.cpp:
911         (JSC::DFG::SpeculativeJIT::compile):
912
913 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
914
915         Web Inspector: Remove duplication among ScriptDebugServer subclasses
916         https://bugs.webkit.org/show_bug.cgi?id=150860
917
918         Reviewed by Timothy Hatcher.
919
920         ScriptDebugServer expects a list of listeners to dispatch events to.
921         However each of its subclasses had their own implementation of the
922         list because of different handling when the first was added or when
923         the last was removed. Extract common code into ScriptDebugServer
924         which simplifies things.
925
926         Subclasses now only implement the virtual methods "attachDebugger"
927         and "detachDebugger" which is the unique work done when the first
928         listener is added or last is removed.
929
930         * inspector/JSGlobalObjectScriptDebugServer.cpp:
931         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
932         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
933         (Inspector::JSGlobalObjectScriptDebugServer::addListener): Deleted.
934         (Inspector::JSGlobalObjectScriptDebugServer::removeListener): Deleted.
935         * inspector/JSGlobalObjectScriptDebugServer.h:
936         * inspector/ScriptDebugServer.cpp:
937         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
938         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
939         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
940         (Inspector::ScriptDebugServer::sourceParsed):
941         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
942         (Inspector::ScriptDebugServer::addListener):
943         (Inspector::ScriptDebugServer::removeListener):
944         * inspector/ScriptDebugServer.h:
945         * inspector/agents/InspectorDebuggerAgent.cpp:
946         (Inspector::InspectorDebuggerAgent::enable):
947         (Inspector::InspectorDebuggerAgent::disable):
948         * inspector/agents/InspectorDebuggerAgent.h:
949         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
950         (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer): Deleted.
951         (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer): Deleted.
952         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
953
954         * inspector/ScriptDebugListener.h:
955         (Inspector::ScriptDebugListener::Script::Script):
956         Drive-by convert Script to a struct, it has public fields and is used as such.
957
958 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
959
960         B3::LowerToAir should recognize Neg (i.e. Sub($0, value))
961         https://bugs.webkit.org/show_bug.cgi?id=150759
962
963         Reviewed by Benjamin Poulain.
964
965         Adds various forms of Sub(0, value) and compiles them as Neg. Also fixes a bug in
966         StoreSubLoad. This bug was correctness-benign, so I couldn't add a test for it.
967
968         * b3/B3LowerToAir.cpp:
969         (JSC::B3::Air::LowerToAir::immOrTmp):
970         (JSC::B3::Air::LowerToAir::appendUnOp):
971         (JSC::B3::Air::LowerToAir::appendBinOp):
972         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
973         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
974         (JSC::B3::Air::LowerToAir::trySub):
975         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
976         * b3/B3LoweringMatcher.patterns:
977         * b3/air/AirOpcode.opcodes:
978         * b3/testb3.cpp:
979         (JSC::B3::testAdd1Ptr):
980         (JSC::B3::testNeg32):
981         (JSC::B3::testNegPtr):
982         (JSC::B3::testStoreAddLoad):
983         (JSC::B3::testStoreAddAndLoad):
984         (JSC::B3::testStoreNegLoad32):
985         (JSC::B3::testStoreNegLoadPtr):
986         (JSC::B3::testAdd1Uncommuted):
987         (JSC::B3::run):
988
989 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
990
991         B3::Values that have effects should allow specification of custom HeapRanges
992         https://bugs.webkit.org/show_bug.cgi?id=150535
993
994         Reviewed by Benjamin Poulain.
995
996         Add an Effects field to calls and patchpoints. Add a HeapRange to MemoryValues.
997
998         In the process, I created a class for the CCall opcode, so that it has somewhere to put
999         the Effects field.
1000
1001         While doing this, I realized that we didn't have a good way of ensuring that an opcode
1002         that requires a specific subclass was actually created with that subclass. So, I added
1003         assertions for this.
1004
1005         * CMakeLists.txt:
1006         * JavaScriptCore.xcodeproj/project.pbxproj:
1007         * b3/B3ArgumentRegValue.h:
1008         * b3/B3CCallValue.cpp: Added.
1009         * b3/B3CCallValue.h: Added.
1010         * b3/B3CheckValue.h:
1011         * b3/B3Const32Value.h:
1012         * b3/B3Const64Value.h:
1013         * b3/B3ConstDoubleValue.h:
1014         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
1015         * b3/B3ControlValue.h:
1016         * b3/B3Effects.h:
1017         (JSC::B3::Effects::forCall):
1018         (JSC::B3::Effects::mustExecute):
1019         * b3/B3MemoryValue.h:
1020         * b3/B3PatchpointValue.h:
1021         * b3/B3StackSlotValue.h:
1022         * b3/B3UpsilonValue.h:
1023         * b3/B3Value.cpp:
1024         (JSC::B3::Value::effects):
1025         (JSC::B3::Value::dumpMeta):
1026         (JSC::B3::Value::checkOpcode):
1027         (JSC::B3::Value::typeFor):
1028         * b3/B3Value.h:
1029
1030 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
1031
1032         B3::Stackmap should be a superclass of B3::PatchpointValue and B3::CheckValue rather than being one of their members
1033         https://bugs.webkit.org/show_bug.cgi?id=150831
1034
1035         Rubber stamped by Benjamin Poulain.
1036
1037         Previously, Stackmap was a value that PatchpointValue and CheckValue would hold as a field.
1038         We'd have convenient ways of getting this field, like via Value::stackmap(). But this was a
1039         bit ridiculous, since Stackmap is logically just a common supertype for PatchpointValue and
1040         CheckValue. This patch makes this reality by replacing Stackmap with StackmapValue. This makes
1041         the code a lot more reasonable.
1042
1043         I also needed to make dumping a bit more customizable, so I changed dumpMeta() to take a
1044         CommaPrinter&. This gives subclasses better control over whether or not to emit a comma. Also
1045         it's now possible for subclasses of Value to customize how children are printed. StackmapValue
1046         uses this to print the children and their reps together like:
1047
1048             Int32 @2 = Patchpoint(@0:SomeRegister, @1:SomeRegister, generator = 0x1107ec010, clobbered = [], usedRegisters = [], ExitsSideways|ControlDependent|Writes:Top|Reads:Top)
1049
1050         This has no behavior change, it's just a big refactoring. You can see how much simpler this
1051         makes things by looking at the testSimplePatchpoint() test.
1052
1053         * CMakeLists.txt:
1054         * JavaScriptCore.xcodeproj/project.pbxproj:
1055         * b3/B3ArgumentRegValue.cpp:
1056         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
1057         (JSC::B3::ArgumentRegValue::dumpMeta):
1058         * b3/B3ArgumentRegValue.h:
1059         * b3/B3CheckSpecial.cpp:
1060         (JSC::B3::CheckSpecial::generate):
1061         * b3/B3CheckValue.cpp:
1062         (JSC::B3::CheckValue::~CheckValue):
1063         (JSC::B3::CheckValue::CheckValue):
1064         (JSC::B3::CheckValue::dumpMeta): Deleted.
1065         * b3/B3CheckValue.h:
1066         (JSC::B3::CheckValue::accepts):
1067         * b3/B3Const32Value.cpp:
1068         (JSC::B3::Const32Value::notEqualConstant):
1069         (JSC::B3::Const32Value::dumpMeta):
1070         * b3/B3Const32Value.h:
1071         * b3/B3Const64Value.cpp:
1072         (JSC::B3::Const64Value::notEqualConstant):
1073         (JSC::B3::Const64Value::dumpMeta):
1074         * b3/B3Const64Value.h:
1075         * b3/B3ConstDoubleValue.cpp:
1076         (JSC::B3::ConstDoubleValue::notEqualConstant):
1077         (JSC::B3::ConstDoubleValue::dumpMeta):
1078         * b3/B3ConstDoubleValue.h:
1079         * b3/B3ConstrainedValue.cpp: Added.
1080         (JSC::B3::ConstrainedValue::dump):
1081         * b3/B3ConstrainedValue.h: Added.
1082         (JSC::B3::ConstrainedValue::ConstrainedValue):
1083         (JSC::B3::ConstrainedValue::operator bool):
1084         (JSC::B3::ConstrainedValue::value):
1085         (JSC::B3::ConstrainedValue::rep):
1086         * b3/B3ControlValue.cpp:
1087         (JSC::B3::ControlValue::convertToJump):
1088         (JSC::B3::ControlValue::dumpMeta):
1089         * b3/B3ControlValue.h:
1090         * b3/B3LowerToAir.cpp:
1091         (JSC::B3::Air::LowerToAir::tryPatchpoint):
1092         * b3/B3MemoryValue.cpp:
1093         (JSC::B3::MemoryValue::accessByteSize):
1094         (JSC::B3::MemoryValue::dumpMeta):
1095         * b3/B3MemoryValue.h:
1096         * b3/B3PatchpointSpecial.cpp:
1097         (JSC::B3::PatchpointSpecial::generate):
1098         * b3/B3PatchpointValue.cpp:
1099         (JSC::B3::PatchpointValue::~PatchpointValue):
1100         (JSC::B3::PatchpointValue::PatchpointValue):
1101         (JSC::B3::PatchpointValue::dumpMeta): Deleted.
1102         * b3/B3PatchpointValue.h:
1103         (JSC::B3::PatchpointValue::accepts):
1104         * b3/B3StackSlotValue.cpp:
1105         (JSC::B3::StackSlotValue::~StackSlotValue):
1106         (JSC::B3::StackSlotValue::dumpMeta):
1107         * b3/B3StackSlotValue.h:
1108         * b3/B3Stackmap.cpp: Removed.
1109         * b3/B3Stackmap.h: Removed.
1110         * b3/B3StackmapSpecial.cpp:
1111         (JSC::B3::StackmapSpecial::reportUsedRegisters):
1112         (JSC::B3::StackmapSpecial::extraClobberedRegs):
1113         (JSC::B3::StackmapSpecial::forEachArgImpl):
1114         (JSC::B3::StackmapSpecial::isValidImpl):
1115         (JSC::B3::StackmapSpecial::admitsStackImpl):
1116         * b3/B3StackmapSpecial.h:
1117         * b3/B3StackmapValue.cpp: Added.
1118         (JSC::B3::StackmapValue::~StackmapValue):
1119         (JSC::B3::StackmapValue::append):
1120         (JSC::B3::StackmapValue::setConstrainedChild):
1121         (JSC::B3::StackmapValue::setConstraint):
1122         (JSC::B3::StackmapValue::dumpChildren):
1123         (JSC::B3::StackmapValue::dumpMeta):
1124         (JSC::B3::StackmapValue::StackmapValue):
1125         * b3/B3StackmapValue.h: Added.
1126         * b3/B3SwitchValue.cpp:
1127         (JSC::B3::SwitchValue::appendCase):
1128         (JSC::B3::SwitchValue::dumpMeta):
1129         (JSC::B3::SwitchValue::SwitchValue):
1130         * b3/B3SwitchValue.h:
1131         * b3/B3UpsilonValue.cpp:
1132         (JSC::B3::UpsilonValue::~UpsilonValue):
1133         (JSC::B3::UpsilonValue::dumpMeta):
1134         * b3/B3UpsilonValue.h:
1135         * b3/B3Validate.cpp:
1136         * b3/B3Value.cpp:
1137         (JSC::B3::Value::dump):
1138         (JSC::B3::Value::dumpChildren):
1139         (JSC::B3::Value::deepDump):
1140         (JSC::B3::Value::performSubstitution):
1141         (JSC::B3::Value::dumpMeta):
1142         * b3/B3Value.h:
1143         * b3/B3ValueInlines.h:
1144         (JSC::B3::Value::asNumber):
1145         (JSC::B3::Value::stackmap): Deleted.
1146         * b3/B3ValueRep.h:
1147         (JSC::B3::ValueRep::kind):
1148         (JSC::B3::ValueRep::operator==):
1149         (JSC::B3::ValueRep::operator!=):
1150         (JSC::B3::ValueRep::operator bool):
1151         (JSC::B3::ValueRep::isAny):
1152         * b3/air/AirInstInlines.h:
1153         * b3/testb3.cpp:
1154         (JSC::B3::testSimplePatchpoint):
1155
1156 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
1157
1158         [JSC] Add Air lowering for BitOr and improve BitAnd
1159         https://bugs.webkit.org/show_bug.cgi?id=150827
1160
1161         Reviewed by Filip Pizlo.
1162
1163         In this patch:
1164         -B3 to Air lowering for BitOr.
1165         -Codegen for BitOr.
1166         -Strength reduction for BitOr and BitAnd.
1167         -Tests for BitAnd and BitOr.
1168         -Bug fix: Move64 with a negative value was destroying the top bits.
1169
1170         * b3/B3Const32Value.cpp:
1171         (JSC::B3::Const32Value::bitAndConstant):
1172         (JSC::B3::Const32Value::bitOrConstant):
1173         * b3/B3Const32Value.h:
1174         * b3/B3Const64Value.cpp:
1175         (JSC::B3::Const64Value::bitAndConstant):
1176         (JSC::B3::Const64Value::bitOrConstant):
1177         * b3/B3Const64Value.h:
1178         * b3/B3LowerToAir.cpp:
1179         (JSC::B3::Air::LowerToAir::immForMove):
1180         (JSC::B3::Air::LowerToAir::immOrTmpForMove):
1181         (JSC::B3::Air::LowerToAir::tryOr):
1182         (JSC::B3::Air::LowerToAir::tryConst64):
1183         (JSC::B3::Air::LowerToAir::tryUpsilon):
1184         (JSC::B3::Air::LowerToAir::tryIdentity):
1185         (JSC::B3::Air::LowerToAir::tryReturn):
1186         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1187         * b3/B3LoweringMatcher.patterns:
1188         * b3/B3ReduceStrength.cpp:
1189         * b3/B3Value.cpp:
1190         (JSC::B3::Value::bitAndConstant):
1191         (JSC::B3::Value::bitOrConstant):
1192         * b3/B3Value.h:
1193         * b3/air/AirOpcode.opcodes:
1194         * b3/testb3.cpp:
1195         (JSC::B3::testReturnConst64):
1196         (JSC::B3::testBitAndArgs):
1197         (JSC::B3::testBitAndSameArg):
1198         (JSC::B3::testBitAndImms):
1199         (JSC::B3::testBitAndArgImm):
1200         (JSC::B3::testBitAndImmArg):
1201         (JSC::B3::testBitAndBitAndArgImmImm):
1202         (JSC::B3::testBitAndImmBitAndArgImm):
1203         (JSC::B3::testBitAndArgs32):
1204         (JSC::B3::testBitAndSameArg32):
1205         (JSC::B3::testBitAndImms32):
1206         (JSC::B3::testBitAndArgImm32):
1207         (JSC::B3::testBitAndImmArg32):
1208         (JSC::B3::testBitAndBitAndArgImmImm32):
1209         (JSC::B3::testBitAndImmBitAndArgImm32):
1210         (JSC::B3::testBitOrArgs):
1211         (JSC::B3::testBitOrSameArg):
1212         (JSC::B3::testBitOrImms):
1213         (JSC::B3::testBitOrArgImm):
1214         (JSC::B3::testBitOrImmArg):
1215         (JSC::B3::testBitOrBitOrArgImmImm):
1216         (JSC::B3::testBitOrImmBitOrArgImm):
1217         (JSC::B3::testBitOrArgs32):
1218         (JSC::B3::testBitOrSameArg32):
1219         (JSC::B3::testBitOrImms32):
1220         (JSC::B3::testBitOrArgImm32):
1221         (JSC::B3::testBitOrImmArg32):
1222         (JSC::B3::testBitOrBitOrArgImmImm32):
1223         (JSC::B3::testBitOrImmBitOrArgImm32):
1224         (JSC::B3::run):
1225
1226 2015-11-03  Saam Barati  <sbarati@apple.com>
1227
1228         Rewrite "const" as "var" for iTunes/iBooks on the Mac
1229         https://bugs.webkit.org/show_bug.cgi?id=150852
1230
1231         Reviewed by Geoffrey Garen.
1232
1233         VM now has a setting indicating if we should treat
1234         "const" variables as "var" to more closely match
1235         JSC's previous implementation of "const" before ES6.
1236
1237         * parser/Parser.h:
1238         (JSC::Parser::next):
1239         (JSC::Parser::nextExpectIdentifier):
1240         * runtime/VM.h:
1241         (JSC::VM::setShouldRewriteConstAsVar):
1242         (JSC::VM::shouldRewriteConstAsVar):
1243
1244 2015-11-03  Mark Lam  <mark.lam@apple.com>
1245
1246         Fix some inefficiencies in the baseline usage of JITAddGenerator.
1247         https://bugs.webkit.org/show_bug.cgi?id=150850
1248
1249         Reviewed by Michael Saboff.
1250
1251         1. emit_op_add() was loading the operands twice.  Removed the redundant load.
1252         2. The snippet may decide that it wants to go the slow path route all the time.
1253            In that case, emit_op_add will end up emitting a branch to an out of line
1254            slow path followed by some dead code to store the result of the fast path
1255            on to the stack.
1256            We now check if the snippet determined that there's no fast path, and just
1257            emit the slow path inline, and skip the dead store of the fast path result.
1258
1259         * jit/JITArithmetic.cpp:
1260         (JSC::JIT::emit_op_add):
1261
1262 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
1263
1264         B3::LowerToAir should do copy propagation
1265         https://bugs.webkit.org/show_bug.cgi?id=150775
1266
1267         Reviewed by Geoffrey Garen.
1268
1269         What we are trying to do is remove the unnecessary Move's and Move32's from Trunc and ZExt32.
1270         You could think of this as an Air optimization, and indeed, Air is powerful enough that we
1271         could write a phase that does copy propagation through Move's and Move32's. For Move32's it
1272         would only copy-propagate if it proved that the value was already zero-extended. We could
1273         know this by just adding a Def32 role to Air.
1274
1275         But this patch takes a different approach: we ensure that we don't generate such redundant
1276         Move's and Move32's to begin with. The reason is that it's much cheaper to do analysis over
1277         B3 than over Air. So, whenever possible, an optimization should be implemented in B3. In
1278         this case the optimization can't quite be implemented in B3 because you cannot remove a Trunc
1279         or ZExt32 without violating the B3 type system. So, the best place to do this optimization is
1280         during lowering: we can use B3 for our analysis and we can use Air to express the
1281         transformation.
1282
1283         Copy propagating during B3->Air lowering is natural because we are creating "SSA-like" Tmps
1284         from the B3 Values. They are SSA-like in the sense that except the tmp for a Phi, we know
1285         that the Tmp will be assigned once and that the assignment will dominate all uses. So, if we
1286         see an operation like Trunc that is semantically just a Move, we can skip the Move and just
1287         claim that the Trunc has the same Tmp as its child. We do something similar for ZExt32,
1288         except with that one we have to analyze IR to ensure that the value will actually be zero
1289         extended. Note that this kind of reasoning about how Tmps work in Air is only possible in the
1290         B3->Air lowering, since at that point we know for sure which Tmps behave this way. If we
1291         wanted to do anything like this as a later Air phase, we'd have to do more analysis to first
1292         prove that Tmps behave in this way.
1293
1294         * b3/B3LowerToAir.cpp:
1295         (JSC::B3::Air::LowerToAir::run):
1296         (JSC::B3::Air::LowerToAir::highBitsAreZero):
1297         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1298         (JSC::B3::Air::LowerToAir::tmp):
1299         (JSC::B3::Air::LowerToAir::tryStore):
1300         (JSC::B3::Air::LowerToAir::tryTrunc):
1301         (JSC::B3::Air::LowerToAir::tryZExt32):
1302         (JSC::B3::Air::LowerToAir::tryIdentity):
1303         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg): Deleted.
1304         * b3/B3LoweringMatcher.patterns:
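
The copy propagation described in the entry above, as an added C++ example that is not WebKit's code: a toy value list is lowered to Air-like instruction strings, Trunc always reuses its child's Tmp, and ZExt32 does so only when the child's high bits are known to be zero. The names highBitsAreZero, shouldCopyPropagate and tmp are borrowed from the file list above, but their bodies, the `Value`/`Lowering` types, the opcode set and the rule that 32-bit loads and adds zero the upper 32 bits are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Toy stand-ins for B3 values and Air instructions (hypothetical, not WebKit types).
enum class Op { Arg64, Load32, Add32, Trunc, ZExt32 };

struct Value {
    Op op;
    std::vector<int> children; // indices of earlier values used as operands
};

struct Lowering {
    std::vector<Value> values;
    std::vector<int> tmpOf;       // value index -> Tmp number, -1 until assigned
    std::vector<std::string> air; // emitted Air-like instructions
    int nextTmp = 0;

    explicit Lowering(std::vector<Value> v)
        : values(std::move(v)), tmpOf(values.size(), -1) {}

    // Assumption: a 32-bit load or add writes zero into the upper 32 bits of
    // its destination. A Trunc does not: it aliases a 64-bit Tmp.
    bool highBitsAreZero(int v) const {
        return values[v].op == Op::Load32 || values[v].op == Op::Add32;
    }

    // Trunc is semantically a Move, so it can always share its child's Tmp.
    // ZExt32 can share it only if the child's Tmp is already zero extended.
    bool shouldCopyPropagate(int v) const {
        if (values[v].op == Op::Trunc)
            return true;
        if (values[v].op == Op::ZExt32)
            return highBitsAreZero(values[v].children[0]);
        return false;
    }

    // Each value is assigned once, so sharing a Tmp with the child is safe.
    int tmp(int v) {
        if (tmpOf[v] < 0)
            tmpOf[v] = shouldCopyPropagate(v) ? tmp(values[v].children[0]) : nextTmp++;
        return tmpOf[v];
    }

    static std::string name(int t) { return "%tmp" + std::to_string(t); }

    void run() {
        int nextArg = 0;
        for (int i = 0; i < static_cast<int>(values.size()); ++i) {
            if (shouldCopyPropagate(i)) {
                tmp(i); // No instruction: the value aliases its child's Tmp.
                continue;
            }
            const Value& v = values[i];
            switch (v.op) {
            case Op::Arg64:
                air.push_back("Move %arg" + std::to_string(nextArg++) + ", " + name(tmp(i)));
                break;
            case Op::Load32:
                air.push_back("Load32 (" + name(tmp(v.children[0])) + "), " + name(tmp(i)));
                break;
            case Op::Add32:
                air.push_back("Add32 " + name(tmp(v.children[0])) + ", "
                    + name(tmp(v.children[1])) + ", " + name(tmp(i)));
                break;
            case Op::ZExt32: // Child may carry garbage in its high bits.
                air.push_back("Move32 " + name(tmp(v.children[0])) + ", " + name(tmp(i)));
                break;
            case Op::Trunc: // Always copy propagated above.
                break;
            }
        }
    }
};

// Constructed input, not taken from WebKit's tests.
Lowering lowerSample() {
    std::vector<Value> values = {
        {Op::Arg64, {}},     // v0
        {Op::Arg64, {}},     // v1
        {Op::Trunc, {0}},    // v2: shares v0's Tmp
        {Op::Trunc, {1}},    // v3: shares v1's Tmp
        {Op::Add32, {2, 3}}, // v4: result has zero high bits
        {Op::ZExt32, {4}},   // v5: shares v4's Tmp, no Move32 emitted
        {Op::ZExt32, {2}},   // v6: v2 aliases a 64-bit Tmp, Move32 required
    };
    Lowering lowering(std::move(values));
    lowering.run();
    return lowering;
}

int main() {
    for (const std::string& inst : lowerSample().air)
        std::printf("%s\n", inst.c_str());
    return 0;
}
```

Seven values lower to four instructions here; the only extension that survives is the one whose operand is a Trunc of a 64-bit argument.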
1305
1306 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
1307
1308         Web Inspector: Move ScriptDebugServer::Task to WorkerScriptDebugServer where it is actually used
1309         https://bugs.webkit.org/show_bug.cgi?id=150847
1310
1311         Reviewed by Timothy Hatcher.
1312
1313         * inspector/ScriptDebugServer.h:
1314         Remove Task from here, it isn't needed in the general case.
1315
1316         * parser/SourceProvider.h:
1317         Remove unimplemented method.
1318
1319 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
1320
1321         Web Inspector: Handle or Remove ParseHTML Timeline Event Records
1322         https://bugs.webkit.org/show_bug.cgi?id=150689
1323
1324         Reviewed by Timothy Hatcher.
1325
1326         * inspector/protocol/Timeline.json:
1327
1328 2015-11-03  Michael Saboff  <msaboff@apple.com>
1329
1330         Rename InlineCallFrame::getCallerSkippingDeadFrames to something more descriptive
1331         https://bugs.webkit.org/show_bug.cgi?id=150832
1332
1333         Reviewed by Geoffrey Garen.
1334
1335         Renamed InlineCallFrame::getCallerSkippingDeadFrames() to getCallerSkippingTailCalls().
1336         Did similar renaming to helper InlineCallFrame::computeCallerSkippingTailCalls() and
1337         InlineCallFrame::getCallerInlineFrameSkippingTailCalls().
1338
1339         * bytecode/InlineCallFrame.h:
1340         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
1341         (JSC::InlineCallFrame::getCallerSkippingTailCalls):
1342         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
1343         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames): Deleted.
1344         (JSC::InlineCallFrame::getCallerSkippingDeadFrames): Deleted.
1345         (JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames): Deleted.
1346         * dfg/DFGByteCodeParser.cpp:
1347         (JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
1348         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
1349         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1350         * dfg/DFGGraph.cpp:
1351         (JSC::DFG::Graph::isLiveInBytecode):
1352         * dfg/DFGGraph.h:
1353         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1354         * dfg/DFGOSRExitCompilerCommon.cpp:
1355         (JSC::DFG::reifyInlinedCallFrames):
1356         * dfg/DFGPreciseLocalClobberize.h:
1357         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1358         * dfg/DFGSpeculativeJIT32_64.cpp:
1359         (JSC::DFG::SpeculativeJIT::emitCall):
1360         * dfg/DFGSpeculativeJIT64.cpp:
1361         (JSC::DFG::SpeculativeJIT::emitCall):
1362         * ftl/FTLLowerDFGToLLVM.cpp:
1363         (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
1364         * interpreter/StackVisitor.cpp:
1365         (JSC::StackVisitor::gotoNextFrame):
1366
1367 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
1368
1369         B3/Air should use bubble sort for their insertion sets, because it's faster than std::stable_sort
1370         https://bugs.webkit.org/show_bug.cgi?id=150828
1371
1372         Reviewed by Geoffrey Garen.
1373
1374         Undo the 2% compile time regression caused by http://trac.webkit.org/changeset/191913.
1375
1376         * b3/B3InsertionSet.cpp:
1377         (JSC::B3::InsertionSet::execute): Switch to bubble sort.
1378         * b3/air/AirInsertionSet.cpp:
1379         (JSC::B3::Air::InsertionSet::execute): Switch to bubble sort.
1380         * dfg/DFGBlockInsertionSet.cpp:
1381         (JSC::DFG::BlockInsertionSet::execute): Switch back to quicksort.
1382
1383 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
1384
1385         Unreviewed, partially revert r191952.
1386
1387         Removed GCC compiler workarounds (unreachable returns).
1388
1389         * b3/B3Type.h:
1390         (JSC::B3::sizeofType):
1391         * b3/air/AirArg.h:
1392         (JSC::B3::Air::Arg::isUse):
1393         (JSC::B3::Air::Arg::isDef):
1394         (JSC::B3::Air::Arg::isGP):
1395         (JSC::B3::Air::Arg::isFP):
1396         (JSC::B3::Air::Arg::isType):
1397         * b3/air/AirCode.h:
1398         (JSC::B3::Air::Code::newTmp):
1399         (JSC::B3::Air::Code::numTmps):
1400
1401 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
1402
1403         Fix the ENABLE(B3_JIT) build on Linux
1404         https://bugs.webkit.org/show_bug.cgi?id=150794
1405
1406         Reviewed by Darin Adler.
1407
1408         * CMakeLists.txt:
1409         * b3/B3HeapRange.h:
1410         * b3/B3IndexSet.h:
1411         (JSC::B3::IndexSet::Iterable::iterator::operator++):
1412         * b3/B3Type.h:
1413         (JSC::B3::sizeofType):
1414         * b3/air/AirArg.cpp:
1415         (JSC::B3::Air::Arg::dump):
1416         * b3/air/AirArg.h:
1417         (JSC::B3::Air::Arg::isUse):
1418         (JSC::B3::Air::Arg::isDef):
1419         (JSC::B3::Air::Arg::isGP):
1420         (JSC::B3::Air::Arg::isFP):
1421         (JSC::B3::Air::Arg::isType):
1422         * b3/air/AirCode.h:
1423         (JSC::B3::Air::Code::newTmp):
1424         (JSC::B3::Air::Code::numTmps):
1425         * b3/air/AirSpecial.cpp:
1426
1427 2015-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1428
1429         Clean up ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keep minimal set of them
1430         https://bugs.webkit.org/show_bug.cgi?id=150793
1431
1432         Reviewed by Darin Adler.
1433
1434         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r191875.
1435         This patch drops many ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keeps only one of them;
1436         the ifdef in parseAssignmentExpression.
1437         This prevents functionality of parsing arrow function syntax.
1438
1439         * parser/Lexer.cpp:
1440         (JSC::Lexer<T>::lex):
1441         * parser/Parser.cpp:
1442         (JSC::Parser<LexerType>::parseInner): Deleted.
1443         * parser/Parser.h:
1444         (JSC::Parser::isArrowFunctionParamters): Deleted.
1445         * parser/ParserTokens.h:
1446
1447 2015-11-02  Michael Saboff  <msaboff@apple.com>
1448
1449         WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
1450         https://bugs.webkit.org/show_bug.cgi?id=150745
1451
1452         Reviewed by Geoffrey Garen.
1453
1454         During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
1455         find the CallLinkInfo / StubInfo to find the return PC.  Instead we need to get the call
1456         type of the true caller, that is the function we'll be returning to.
1457
1458         This can be found by remembering the last call type we find while walking up the inlined
1459         frames in InlineCallFrame::getCallerSkippingDeadFrames().
1460
1461         We can also return directly back to a getter or setter callsite without using a thunk.
1462
1463         * bytecode/InlineCallFrame.h:
1464         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
1465         (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
1466         * dfg/DFGOSRExitCompilerCommon.cpp:
1467         (JSC::DFG::reifyInlinedCallFrames):
1468         * jit/JITPropertyAccess.cpp:
1469         (JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
1470         for reified inlined frames created during OSR exit. 
1471         * jit/ThunkGenerators.cpp:
1472         (JSC::baselineGetterReturnThunkGenerator): Deleted.
1473         (JSC::baselineSetterReturnThunkGenerator): Deleted.
1474         * jit/ThunkGenerators.h:
1475
1476 2015-11-02  Saam barati  <sbarati@apple.com>
1477
1478         Wrong value recovery for DFG try/catch with a getter that throws during an IC miss
1479         https://bugs.webkit.org/show_bug.cgi?id=150760
1480
1481         Reviewed by Geoffrey Garen.
1482
1483         This is related to using PhantomLocal instead of Flush as 
1484         the liveness preservation mechanism for live catch variables. 
1485         I'm temporarily switching things back to Flush. This will be a
1486         performance hit for try/catch in the DFG. Landing this patch,
1487         though, will allow me to land try/catch in the FTL. It also
1488         makes try/catch in the DFG sound. I have opened another
1489         bug to further investigate using PhantomLocal as the
1490         liveness preservation mechanism: https://bugs.webkit.org/show_bug.cgi?id=150824
1491
1492         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1493         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
1494         * tests/stress/dfg-try-catch-wrong-value-recovery-on-ic-miss.js: Added.
1495         (assert):
1496         (let.oThrow.get f):
1497         (let.o2.get f):
1498         (foo):
1499         (f):
1500
1501 2015-11-02  Andy Estes  <aestes@apple.com>
1502
1503         [Cocoa] Add tvOS and watchOS to SUPPORTED_PLATFORMS
1504         https://bugs.webkit.org/show_bug.cgi?id=150819
1505
1506         Reviewed by Dan Bernstein.
1507
1508         This tells Xcode to include these platforms in its Devices dropdown, making it possible to build in the IDE.
1509
1510         * Configurations/Base.xcconfig:
1511
1512 2015-11-02  Brent Fulgham  <bfulgham@apple.com>
1513
1514         [Win] MiniBrowser unable to use WebInspector
1515         https://bugs.webkit.org/show_bug.cgi?id=150810
1516         <rdar://problem/23358514>
1517
1518         Reviewed by Timothy Hatcher.
1519
1520         The CMakeList rule for creating the InjectedScriptSource.min.js was improperly including
1521         the quote characters in the text prepended to InjectedScriptSource.min.js. This caused a
1522         parsing error in the JS file.
1523         
1524         The solution was to switch from using "COMMAND echo" to use the more cross-platform
1525         compatible command "COMMAND ${CMAKE_COMMAND} -E echo ...", which handles the string
1526         escaping properly on all platforms.
1527
1528         * CMakeLists.txt: Switch the 'echo' command syntax to be more cross-platform.
1529
1530 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
1531
1532         B3 should be able to compile a Patchpoint
1533         https://bugs.webkit.org/show_bug.cgi?id=150750
1534
1535         Reviewed by Geoffrey Garen.
1536
1537         This adds the glue in B3::LowerToAir that turns a B3::PatchpointValue into an Air::Patch
1538         with a B3::PatchpointSpecial.
1539
1540         Along the way, I found some bugs. For starters, it became clear that I wanted to be able
1541         to append constraints to a Stackmap, and I wanted to have more flexibility in how I
1542         created a PatchpointValue. I also wanted more helper methods in ValueRep, since
1543         otherwise I would have had to write a lot of boilerplate.
1544
1545         I discovered, and fixed, a minor goof in Air::Code dumping when there are specials.
1546
1547         There were a ton of indexing bugs in B3StackmapSpecial.
1548
1549         The spiller was broken in case the Def was not the last Arg, since it was adding things
1550         to the insertion set both at instIndex and instIndex + 1, and the two types of additions
1551         could occur in the wrong (i.e. the +1 case first) order with an early Def. We often have
1552         bugs like this. In the DFG, we were paranoid about performance so we only admit out-of-
1553         order insertions as a rare case. I think that we don't really need to be so paranoid.
1554         So, I made the new insertion sets use a stable_sort to ensure that everything happens in
1555         the right order. I changed DFG::BlockInsertionSet to also use stable_sort; it previously
1556         used sort, which is slightly wrong.
1557
1558         This adds a new test that uses Patchpoint to implement a 32-bit add. It works!
1559
1560         * b3/B3InsertionSet.cpp:
1561         (JSC::B3::InsertionSet::execute):
1562         * b3/B3LowerToAir.cpp:
1563         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1564         (JSC::B3::Air::LowerToAir::appendStore):
1565         (JSC::B3::Air::LowerToAir::moveForType):
1566         (JSC::B3::Air::LowerToAir::append):
1567         (JSC::B3::Air::LowerToAir::ensureSpecial):
1568         (JSC::B3::Air::LowerToAir::tryStore):
1569         (JSC::B3::Air::LowerToAir::tryStackSlot):
1570         (JSC::B3::Air::LowerToAir::tryPatchpoint):
1571         (JSC::B3::Air::LowerToAir::tryUpsilon):
1572         * b3/B3LoweringMatcher.patterns:
1573         * b3/B3PatchpointValue.h:
1574         (JSC::B3::PatchpointValue::accepts): Deleted.
1575         (JSC::B3::PatchpointValue::PatchpointValue): Deleted.
1576         * b3/B3Stackmap.h:
1577         (JSC::B3::Stackmap::constrain):
1578         (JSC::B3::Stackmap::appendConstraint):
1579         (JSC::B3::Stackmap::reps):
1580         (JSC::B3::Stackmap::clobber):
1581         * b3/B3StackmapSpecial.cpp:
1582         (JSC::B3::StackmapSpecial::forEachArgImpl):
1583         (JSC::B3::StackmapSpecial::isValidImpl):
1584         * b3/B3Value.h:
1585         * b3/B3ValueRep.h:
1586         (JSC::B3::ValueRep::ValueRep):
1587         (JSC::B3::ValueRep::reg):
1588         (JSC::B3::ValueRep::operator bool):
1589         (JSC::B3::ValueRep::isAny):
1590         (JSC::B3::ValueRep::isSomeRegister):
1591         (JSC::B3::ValueRep::isReg):
1592         (JSC::B3::ValueRep::isGPR):
1593         (JSC::B3::ValueRep::isFPR):
1594         (JSC::B3::ValueRep::gpr):
1595         (JSC::B3::ValueRep::fpr):
1596         (JSC::B3::ValueRep::isStack):
1597         (JSC::B3::ValueRep::offsetFromFP):
1598         (JSC::B3::ValueRep::isStackArgument):
1599         (JSC::B3::ValueRep::offsetFromSP):
1600         (JSC::B3::ValueRep::isConstant):
1601         (JSC::B3::ValueRep::value):
1602         * b3/air/AirCode.cpp:
1603         (JSC::B3::Air::Code::dump):
1604         * b3/air/AirInsertionSet.cpp:
1605         (JSC::B3::Air::InsertionSet::execute):
1606         * b3/testb3.cpp:
1607         (JSC::B3::testComplex):
1608         (JSC::B3::testSimplePatchpoint):
1609         (JSC::B3::run):
1610         * dfg/DFGBlockInsertionSet.cpp:
1611         (JSC::DFG::BlockInsertionSet::execute):
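
The insertion-set ordering problem from the entry above, and the stable bubble sort that the 2015-11-02 "B3/Air should use bubble sort for their insertion sets" entry switches to, as an added C++ example that is not WebKit's code. `ToyInsertionSet`, `insertBefore`, the instruction strings and the spill scenario are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Toy insertion set (hypothetical, not WebKit's class): a phase queues
// "insert `what` before position `index`" and applies the batch at once.
class ToyInsertionSet {
public:
    void insertBefore(std::size_t index, std::string what) {
        m_insertions.push_back({index, std::move(what)});
    }

    // Rebuilds `insts` with every queued insertion placed before its index.
    void execute(std::vector<std::string>& insts) {
        bubbleSort();
        std::vector<std::string> result;
        result.reserve(insts.size() + m_insertions.size());
        std::size_t next = 0;
        for (std::size_t i = 0; i < insts.size(); ++i) {
            while (next < m_insertions.size() && m_insertions[next].index <= i)
                result.push_back(std::move(m_insertions[next++].what));
            result.push_back(std::move(insts[i]));
        }
        // Anything queued at or past the end is appended.
        while (next < m_insertions.size())
            result.push_back(std::move(m_insertions[next++].what));
        insts = std::move(result);
        m_insertions.clear();
    }

private:
    struct Insertion {
        std::size_t index;
        std::string what;
    };

    // Only strictly out-of-order neighbours are swapped, so insertions with
    // the same index keep the order in which they were requested (stable).
    // Each pass stops at the last swap of the previous pass.
    void bubbleSort() {
        for (std::size_t end = m_insertions.size(); end > 1;) {
            std::size_t lastSwap = 0;
            for (std::size_t i = 1; i < end; ++i) {
                if (m_insertions[i - 1].index > m_insertions[i].index) {
                    std::swap(m_insertions[i - 1], m_insertions[i]);
                    lastSwap = i;
                }
            }
            end = lastSwap;
        }
    }

    std::vector<Insertion> m_insertions;
};

// Constructed scenario: instruction 0 defines %a in its first argument and
// uses %b in its second, so a spiller that walks arguments in order queues
// the store at index 1 before the load at index 0. Instruction 1 then queues
// a reload of %a, also at index 1, which must land after that store.
std::vector<std::string> spillExample() {
    std::vector<std::string> insts = {"Patch def:%a, use:%b", "Use %a"};
    ToyInsertionSet set;
    set.insertBefore(1, "Store %a -> stack[a]"); // after inst 0 (early Def)
    set.insertBefore(0, "Load stack[b] -> %b");  // before inst 0 (Use)
    set.insertBefore(1, "Load stack[a] -> %a");  // before inst 1 (Use)
    set.execute(insts);
    return insts;
}

int main() {
    for (const std::string& inst : spillExample())
        std::printf("%s\n", inst.c_str());
    return 0;
}
```

An unstable sort would be free to place the reload of %a ahead of the store at index 1, which is the wrong-order case the entry describes.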
1612
1613 2015-11-02  Mark Lam  <mark.lam@apple.com>
1614
1615         Snippefy op_add for the baseline JIT.
1616         https://bugs.webkit.org/show_bug.cgi?id=150129
1617
1618         Reviewed by Geoffrey Garen and Saam Barati.
1619
1620         Performance is neutral for both 32-bit and 64-bit on X86_64.
1621
1622         * CMakeLists.txt:
1623         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1624         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1625         * JavaScriptCore.xcodeproj/project.pbxproj:
1626         * jit/JIT.h:
1627         (JSC::JIT::getOperandConstantInt):
1628         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
1629           because the snippet needs it.
1630
1631         * jit/JITAddGenerator.cpp: Added.
1632         (JSC::JITAddGenerator::generateFastPath):
1633         * jit/JITAddGenerator.h: Added.
1634         (JSC::JITAddGenerator::JITAddGenerator):
1635         (JSC::JITAddGenerator::endJumpList):
1636         (JSC::JITAddGenerator::slowPathJumpList):
1637         - JITAddGenerator implements an optimization for the case where 1 of the 2 operands
1638           is a constant int32_t.  It does not implement an optimization for the case where
1639           both operands are constant int32_t.  This is because:
1640           1. For the baseline JIT, the ASTBuilder will fold the 2 constants together.
1641           2. For the DFG, the AbstractInterpreter will also fold the 2 constants.
1642
1643           Hence, such an optimization path (for 2 constant int32_t operands) would never
1644           be taken, and is why we won't implement it.
1645
1646         * jit/JITArithmetic.cpp:
1647         (JSC::JIT::compileBinaryArithOp):
1648         (JSC::JIT::compileBinaryArithOpSlowCase):
1649         - Removed op_add cases.  These are no longer used by the op_add emitters.
1650
1651         (JSC::JIT::emit_op_add):
1652         (JSC::JIT::emitSlow_op_add):
1653         - Moved out from the JSVALUE64 section to the common section, and reimplemented
1654           using the snippet.
1655
1656         * jit/JITArithmetic32_64.cpp:
1657         (JSC::JIT::emitBinaryDoubleOp):
1658         (JSC::JIT::emit_op_add): Deleted.
1659         (JSC::JIT::emitAdd32Constant): Deleted.
1660         (JSC::JIT::emitSlow_op_add): Deleted.
1661         - Remove 32-bit specific version of op_add.  The snippet serves both 32-bit
1662           and 64-bit implementations.
1663
1664         * jit/JITInlines.h:
1665         (JSC::JIT::getOperandConstantInt):
1666         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
1667           because the snippet needs it.
1668
1669 2015-11-02  Brian Burg  <bburg@apple.com>
1670
1671         Run sort-Xcode-project-file for the JavaScriptCore project.
1672
1673         Unreviewed. Many things were out of order following recent B3 commits.
1674
1675         * JavaScriptCore.xcodeproj/project.pbxproj:
1676
1677 2015-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1678
1679         Rename op_put_getter_setter to op_put_getter_setter_by_id
1680         https://bugs.webkit.org/show_bug.cgi?id=150773
1681
1682         Reviewed by Mark Lam.
1683
1684         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
1685         the other ops' names like op_put_getter_by_id etc.
1686
1687         And to fix build dependencies in Xcode, we added LLIntAssembly.h into Xcode project file.
1688
1689         * JavaScriptCore.xcodeproj/project.pbxproj:
1690         * bytecode/BytecodeList.json:
1691         * bytecode/BytecodeUseDef.h:
1692         (JSC::computeUsesForBytecodeOffset):
1693         (JSC::computeDefsForBytecodeOffset):
1694         * bytecode/CodeBlock.cpp:
1695         (JSC::CodeBlock::dumpBytecode):
1696         * bytecompiler/BytecodeGenerator.cpp:
1697         (JSC::BytecodeGenerator::emitPutGetterSetter):
1698         * dfg/DFGByteCodeParser.cpp:
1699         (JSC::DFG::ByteCodeParser::parseBlock):
1700         * dfg/DFGCapabilities.cpp:
1701         (JSC::DFG::capabilityLevel):
1702         * jit/JIT.cpp:
1703         (JSC::JIT::privateCompileMainPass):
1704         * jit/JIT.h:
1705         * jit/JITPropertyAccess.cpp:
1706         (JSC::JIT::emit_op_put_getter_setter_by_id):
1707         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1708         * jit/JITPropertyAccess32_64.cpp:
1709         (JSC::JIT::emit_op_put_getter_setter_by_id):
1710         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1711         * llint/LLIntSlowPaths.cpp:
1712         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1713         * llint/LLIntSlowPaths.h:
1714         * llint/LowLevelInterpreter.asm:
1715
1716 2015-11-02  Csaba Osztrogonác  <ossy@webkit.org>
1717
1718         Fix the FTL JIT build with system LLVM on Linux
1719         https://bugs.webkit.org/show_bug.cgi?id=150795
1720
1721         Reviewed by Filip Pizlo.
1722
1723         * CMakeLists.txt:
1724
1725 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1726
1727         [ES6] Support Generator Syntax
1728         https://bugs.webkit.org/show_bug.cgi?id=150769
1729
1730         Reviewed by Geoffrey Garen.
1731
1732         This patch implements the syntax part of ES6 Generators.
1733
1734         1. Add ENABLE_ES6_GENERATORS compile time flag. It is disabled by default, and will be enabled once ES6 generator functionality is implemented.
1735         2. Add lexer support for YIELD. It changes "yield" from reserved-if-strict word to keyword. And it is correct under the ES6 spec.
1736         3. Implement parsing functionality and YieldExprNode stub. YieldExprNode does not emit meaningful bytecodes yet. This should be implemented in a future patch.
1737         4. Accept "yield" Identifier as a label etc. under sloppy mode && non-generator code. http://ecma-international.org/ecma-262/6.0/#sec-generator-function-definitions-static-semantics-early-errors
1738
1739         * Configurations/FeatureDefines.xcconfig:
1740         * bytecompiler/NodesCodegen.cpp:
1741         (JSC::YieldExprNode::emitBytecode):
1742         * parser/ASTBuilder.h:
1743         (JSC::ASTBuilder::createYield):
1744         * parser/Keywords.table:
1745         * parser/NodeConstructors.h:
1746         (JSC::YieldExprNode::YieldExprNode):
1747         * parser/Nodes.h:
1748         * parser/Parser.cpp:
1749         (JSC::Parser<LexerType>::Parser):
1750         (JSC::Parser<LexerType>::parseInner):
1751         (JSC::Parser<LexerType>::parseStatementListItem):
1752         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1753         (JSC::Parser<LexerType>::parseDestructuringPattern):
1754         (JSC::Parser<LexerType>::parseBreakStatement):
1755         (JSC::Parser<LexerType>::parseContinueStatement):
1756         (JSC::Parser<LexerType>::parseTryStatement):
1757         (JSC::Parser<LexerType>::parseStatement):
1758         (JSC::stringForFunctionMode):
1759         (JSC::Parser<LexerType>::parseFunctionParameters):
1760         (JSC::Parser<LexerType>::parseFunctionInfo):
1761         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1762         (JSC::Parser<LexerType>::parseClass):
1763         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1764         (JSC::Parser<LexerType>::parseExportDeclaration):
1765         (JSC::Parser<LexerType>::parseAssignmentExpression):
1766         (JSC::Parser<LexerType>::parseYieldExpression):
1767         (JSC::Parser<LexerType>::parseProperty):
1768         (JSC::Parser<LexerType>::parsePropertyMethod):
1769         (JSC::Parser<LexerType>::parseGetterSetter):
1770         (JSC::Parser<LexerType>::parseFunctionExpression):
1771         (JSC::Parser<LexerType>::parsePrimaryExpression):
1772         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1773         * parser/Parser.h:
1774         (JSC::Scope::Scope):
1775         (JSC::Scope::setSourceParseMode):
1776         (JSC::Scope::isGenerator):
1777         (JSC::Scope::setIsFunction):
1778         (JSC::Scope::setIsGenerator):
1779         (JSC::Scope::setIsModule):
1780         (JSC::Parser::pushScope):
1781         (JSC::Parser::isYIELDMaskedAsIDENT):
1782         (JSC::Parser::matchSpecIdentifier):
1783         (JSC::Parser::saveState):
1784         (JSC::Parser::restoreState):
1785         * parser/ParserModes.h:
1786         (JSC::isFunctionParseMode):
1787         (JSC::isModuleParseMode):
1788         (JSC::isProgramParseMode):
1789         * parser/ParserTokens.h:
1790         * parser/SyntaxChecker.h:
1791         (JSC::SyntaxChecker::createYield):
1792         * tests/stress/generator-methods.js: Added.
1793         (Hello.prototype.gen):
1794         (Hello.gen):
1795         (Hello):
1796         (Hello.prototype.set get string_appeared_here):
1797         (Hello.string_appeared_here):
1798         (Hello.prototype.20):
1799         (Hello.20):
1800         (Hello.prototype.42):
1801         (Hello.42):
1802         (let.object.gen):
1803         (let.object.set get string_appeared_here):
1804         (let.object.20):
1805         (let.object.42):
1806         * tests/stress/generator-syntax.js: Added.
1807         (testSyntax):
1808         (testSyntaxError):
1809         (testSyntaxError.Hello.prototype.get gen):
1810         (testSyntaxError.Hello):
1811         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello.prototype.set gen):
1812         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello):
1813         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.gen):
1814         (testSyntaxError.value):
1815         (testSyntaxError.gen.ng):
1816         (testSyntaxError.gen):
1817         (testSyntax.gen):
1818         * tests/stress/yield-and-line-terminator.js: Added.
1819         (testSyntax):
1820         (testSyntaxError):
1821         (testSyntax.gen):
1822         (testSyntaxError.gen):
1823         * tests/stress/yield-label-generator.js: Added.
1824         (testSyntax):
1825         (testSyntaxError):
1826         (testSyntaxError.test):
1827         (SyntaxError.Unexpected.keyword.string_appeared_here.Expected.an.identifier.as.the.target.a.continue.statement.testSyntax.test):
1828         * tests/stress/yield-label.js: Added.
1829         (yield):
1830         (testSyntaxError):
1831         (testSyntaxError.test):
1832         * tests/stress/yield-named-accessors-generator.js: Added.
1833         (t1.let.object.get yield):
1834         (t1.let.object.set yield):
1835         (t1):
1836         (t2.let.object.get yield):
1837         (t2.let.object.set yield):
1838         (t2):
1839         * tests/stress/yield-named-accessors.js: Added.
1840         (t1.let.object.get yield):
1841         (t1.let.object.set yield):
1842         (t1):
1843         (t2.let.object.get yield):
1844         (t2.let.object.set yield):
1845         (t2):
1846         * tests/stress/yield-named-variable-generator.js: Added.
1847         (testSyntax):
1848         (testSyntaxError):
1849         (testSyntaxError.t1):
1850         (testSyntaxError.t1.yield):
1851         (testSyntax.t1.yield):
1852         (testSyntax.t1):
1853         * tests/stress/yield-named-variable.js: Added.
1854         (testSyntax):
1855         (testSyntaxError):
1856         (testSyntax.t1):
1857         (testSyntaxError.t1):
1858         (testSyntax.t1.yield):
1859         (testSyntaxError.t1.yield):
1860         * tests/stress/yield-out-of-generator.js: Added.
1861         (testSyntax):
1862         (testSyntaxError):
1863         (testSyntaxError.hello):
1864         (testSyntaxError.gen.hello):
1865         (testSyntaxError.gen):
1866         (testSyntax.gen):
1867         (testSyntax.gen.ok):
1868         (testSyntaxError.gen.ok):
1869
1870 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1871
1872         Dominators should be factored out of the DFG
1873         https://bugs.webkit.org/show_bug.cgi?id=150764
1874
1875         Reviewed by Geoffrey Garen.
1876
1877         Factored DFGDominators.h/DFGDominators.cpp into WTF. To do this, I made two changes to the
1878         DFG:
1879
1880         1) DFG now has a CFG abstraction called DFG::CFG. The cool thing about this is that in the
1881            future if we wanted to support inverted dominators, we could do it by just creating a
1882            DFG::BackwardCFG.
1883
1884         2) Got rid of DFG::Analysis. From now on, an Analysis being invalidated is expressed by the
1885            DFG::Graph having a null pointer for that analysis. When we "run" the analysis, we
1886            just instantiate it. This makes it much more natural to integrate WTF::Dominators into
1887            the DFG.
1888
1889         * CMakeLists.txt:
1890         * JavaScriptCore.xcodeproj/project.pbxproj:
1891         * dfg/DFGAnalysis.h: Removed.
1892         * dfg/DFGCFG.h: Added.
1893         (JSC::DFG::CFG::CFG):
1894         (JSC::DFG::CFG::root):
1895         (JSC::DFG::CFG::newMap<T>):
1896         (JSC::DFG::CFG::successors):
1897         (JSC::DFG::CFG::predecessors):
1898         (JSC::DFG::CFG::index):
1899         (JSC::DFG::CFG::node):
1900         (JSC::DFG::CFG::numNodes):
1901         (JSC::DFG::CFG::dump):
1902         * dfg/DFGCSEPhase.cpp:
1903         * dfg/DFGDisassembler.cpp:
1904         (JSC::DFG::Disassembler::createDumpList):
1905         * dfg/DFGDominators.cpp: Removed.
1906         * dfg/DFGDominators.h:
1907         (JSC::DFG::Dominators::Dominators):
1908         (JSC::DFG::Dominators::strictlyDominates): Deleted.
1909         (JSC::DFG::Dominators::dominates): Deleted.
1910         (JSC::DFG::Dominators::immediateDominatorOf): Deleted.
1911         (JSC::DFG::Dominators::forAllStrictDominatorsOf): Deleted.
1912         (JSC::DFG::Dominators::forAllDominatorsOf): Deleted.
1913         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy): Deleted.
1914         (JSC::DFG::Dominators::forAllBlocksDominatedBy): Deleted.
1915         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf): Deleted.
1916         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf): Deleted.
1917         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf): Deleted.
1918         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl): Deleted.
1919         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl): Deleted.
1920         (JSC::DFG::Dominators::BlockData::BlockData): Deleted.
1921         * dfg/DFGEdgeDominates.h:
1922         (JSC::DFG::EdgeDominates::operator()):
1923         * dfg/DFGGraph.cpp:
1924         (JSC::DFG::Graph::Graph):
1925         (JSC::DFG::Graph::dumpBlockHeader):
1926         (JSC::DFG::Graph::invalidateCFG):
1927         (JSC::DFG::Graph::substituteGetLocal):
1928         (JSC::DFG::Graph::handleAssertionFailure):
1929         (JSC::DFG::Graph::ensureDominators):
1930         (JSC::DFG::Graph::ensurePrePostNumbering):
1931         (JSC::DFG::Graph::ensureNaturalLoops):
1932         (JSC::DFG::Graph::valueProfileFor):
1933         * dfg/DFGGraph.h:
1934         (JSC::DFG::Graph::hasDebuggerEnabled):
1935         * dfg/DFGLICMPhase.cpp:
1936         (JSC::DFG::LICMPhase::run):
1937         (JSC::DFG::LICMPhase::attemptHoist):
1938         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1939         (JSC::DFG::createPreHeader):
1940         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1941         * dfg/DFGNaturalLoops.cpp:
1942         (JSC::DFG::NaturalLoop::dump):
1943         (JSC::DFG::NaturalLoops::NaturalLoops):
1944         (JSC::DFG::NaturalLoops::~NaturalLoops):
1945         (JSC::DFG::NaturalLoops::loopsOf):
1946         (JSC::DFG::NaturalLoops::computeDependencies): Deleted.
1947         (JSC::DFG::NaturalLoops::compute): Deleted.
1948         * dfg/DFGNaturalLoops.h:
1949         (JSC::DFG::NaturalLoops::numLoops):
1950         * dfg/DFGNode.h:
1951         (JSC::DFG::Node::SuccessorsIterable::end):
1952         (JSC::DFG::Node::SuccessorsIterable::size):
1953         (JSC::DFG::Node::SuccessorsIterable::at):
1954         (JSC::DFG::Node::SuccessorsIterable::operator[]):
1955         * dfg/DFGOSREntrypointCreationPhase.cpp:
1956         (JSC::DFG::OSREntrypointCreationPhase::run):
1957         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1958         * dfg/DFGPlan.cpp:
1959         (JSC::DFG::Plan::compileInThreadImpl):
1960         * dfg/DFGPrePostNumbering.cpp:
1961         (JSC::DFG::PrePostNumbering::PrePostNumbering):
1962         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1963         (JSC::DFG::PrePostNumbering::compute): Deleted.
1964         * dfg/DFGPrePostNumbering.h:
1965         (JSC::DFG::PrePostNumbering::preNumber):
1966         (JSC::DFG::PrePostNumbering::postNumber):
1967         * dfg/DFGPutStackSinkingPhase.cpp:
1968         * dfg/DFGSSACalculator.cpp:
1969         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1970         (JSC::DFG::SSACalculator::reachingDefAtTail):
1971         * dfg/DFGSSACalculator.h:
1972         (JSC::DFG::SSACalculator::computePhis):
1973         * dfg/DFGSSAConversionPhase.cpp:
1974         (JSC::DFG::SSAConversionPhase::run):
1975         * ftl/FTLLink.cpp:
1976         (JSC::FTL::link):
1977         * ftl/FTLLowerDFGToLLVM.cpp:
1978         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1979         (JSC::FTL::DFG::LowerDFGToLLVM::safelyInvalidateAfterTermination):
1980         (JSC::FTL::DFG::LowerDFGToLLVM::isValid):
1981
1982 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
1983
1984         B3::reduceStrength's DCE should be more agro and less wrong
1985         https://bugs.webkit.org/show_bug.cgi?id=150748
1986
1987         Reviewed by Geoffrey Garen.
1988
1989         First of all, our DCE had a bug where it would keep Upsilons after it deleted the Phis that
1990         they referenced. But our B3 DCE was also not aggressive enough. It would not eliminate
1991         cycles. It was also probably slower than it needed to be, since it would eliminate all
1992         never-referenced things on each fixpoint.
1993
1994         This adds a presume-everyone-is-dead-and-find-live-things style DCE. This is very natural to
1995         write, except for Upsilons. For everything but Upsilons, it's just a worklist algorithm. For
1996         Upsilons, it's a fixpoint. It works fine in the end.
1997
1998         I kept finding bugs in this algorithm when I tested it against my "Complex" test that I was
1999         writing as a compile time benchmark. So, I include that test in this change. I also include
2000         the small lowering extensions that it needed - shifting and zero extending.
2001
2002         This change also adds an LLVM version of the Complex test. Though the LLVM version feels
2003         more natural to write because LLVM has traditional Phis rather than our quirky Phis, in
2004         the end LLVM ends up performing very badly - 10x to 20x worse than B3. Some of that gap will
2005         close once we give B3 a register allocator, but still, that's pretty good news for our B3
2006         strategy.
2007
2008         * JavaScriptCore.xcodeproj/project.pbxproj:
2009         * assembler/MacroAssemblerX86_64.h:
2010         (JSC::MacroAssemblerX86_64::lshift64):
2011         (JSC::MacroAssemblerX86_64::rshift64):
2012         * assembler/X86Assembler.h:
2013         (JSC::X86Assembler::shlq_i8r):
2014         (JSC::X86Assembler::shlq_CLr):
2015         (JSC::X86Assembler::imull_rr):
2016         * b3/B3BasicBlock.cpp:
2017         (JSC::B3::BasicBlock::replacePredecessor):
2018         (JSC::B3::BasicBlock::dump):
2019         (JSC::B3::BasicBlock::removeNops): Deleted.
2020         * b3/B3BasicBlock.h:
2021         (JSC::B3::BasicBlock::frequency):
2022         * b3/B3Common.cpp:
2023         (JSC::B3::shouldSaveIRBeforePhase):
2024         (JSC::B3::shouldMeasurePhaseTiming):
2025         * b3/B3Common.h:
2026         (JSC::B3::isRepresentableAsImpl):
2027         * b3/B3Generate.cpp:
2028         (JSC::B3::generate):
2029         (JSC::B3::generateToAir):
2030         * b3/B3LowerToAir.cpp:
2031         (JSC::B3::Air::LowerToAir::tryAnd):
2032         (JSC::B3::Air::LowerToAir::tryShl):
2033         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
2034         (JSC::B3::Air::LowerToAir::tryTrunc):
2035         (JSC::B3::Air::LowerToAir::tryZExt32):
2036         (JSC::B3::Air::LowerToAir::tryArgumentReg):
2037         * b3/B3LoweringMatcher.patterns:
2038         * b3/B3PhaseScope.cpp:
2039         (JSC::B3::PhaseScope::PhaseScope):
2040         * b3/B3PhaseScope.h:
2041         * b3/B3ReduceStrength.cpp:
2042         * b3/B3TimingScope.cpp: Added.
2043         (JSC::B3::TimingScope::TimingScope):
2044         (JSC::B3::TimingScope::~TimingScope):
2045         * b3/B3TimingScope.h: Added.
2046         * b3/B3Validate.cpp:
2047         * b3/air/AirAllocateStack.cpp:
2048         (JSC::B3::Air::allocateStack):
2049         * b3/air/AirGenerate.cpp:
2050         (JSC::B3::Air::generate):
2051         * b3/air/AirInstInlines.h:
2052         (JSC::B3::Air::ForEach<Arg>::forEach):
2053         (JSC::B3::Air::Inst::forEach):
2054         (JSC::B3::Air::isLshift32Valid):
2055         (JSC::B3::Air::isLshift64Valid):
2056         * b3/air/AirLiveness.h:
2057         (JSC::B3::Air::Liveness::isAlive):
2058         (JSC::B3::Air::Liveness::Liveness):
2059         (JSC::B3::Air::Liveness::LocalCalc::execute):
2060         * b3/air/AirOpcode.opcodes:
2061         * b3/air/AirPhaseScope.cpp:
2062         (JSC::B3::Air::PhaseScope::PhaseScope):
2063         * b3/air/AirPhaseScope.h:
2064         * b3/testb3.cpp:
2065         (JSC::B3::testBranchEqualFoldPtr):
2066         (JSC::B3::testComplex):
2067         (JSC::B3::run):
2068         * runtime/Options.h:
2069
2070 2015-11-01  Alexey Proskuryakov  <ap@apple.com>
2071
2072         [ES6] Add support for toStringTag
2073         https://bugs.webkit.org/show_bug.cgi?id=150696
2074
2075         Re-landing, as this wasn't the culprit.
2076
2077         * runtime/ArrayIteratorPrototype.cpp:
2078         (JSC::ArrayIteratorPrototype::finishCreation):
2079         * runtime/CommonIdentifiers.h:
2080         * runtime/JSArrayBufferPrototype.cpp:
2081         (JSC::JSArrayBufferPrototype::finishCreation):
2082         (JSC::JSArrayBufferPrototype::create):
2083         * runtime/JSDataViewPrototype.cpp:
2084         (JSC::JSDataViewPrototype::create):
2085         (JSC::JSDataViewPrototype::finishCreation):
2086         (JSC::JSDataViewPrototype::createStructure):
2087         * runtime/JSDataViewPrototype.h:
2088         * runtime/JSModuleNamespaceObject.cpp:
2089         (JSC::JSModuleNamespaceObject::finishCreation):
2090         * runtime/JSONObject.cpp:
2091         (JSC::JSONObject::finishCreation):
2092         * runtime/JSPromisePrototype.cpp:
2093         (JSC::JSPromisePrototype::finishCreation):
2094         (JSC::JSPromisePrototype::getOwnPropertySlot):
2095         * runtime/JSTypedArrayViewPrototype.cpp:
2096         (JSC::typedArrayViewProtoFuncValues):
2097         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2098         (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
2099         (JSC::JSTypedArrayViewPrototype::finishCreation):
2100         * runtime/MapIteratorPrototype.cpp:
2101         (JSC::MapIteratorPrototype::finishCreation):
2102         (JSC::MapIteratorPrototypeFuncNext):
2103         * runtime/MapPrototype.cpp:
2104         (JSC::MapPrototype::finishCreation):
2105         * runtime/MathObject.cpp:
2106         (JSC::MathObject::finishCreation):
2107         * runtime/ObjectPrototype.cpp:
2108         (JSC::objectProtoFuncToString):
2109         * runtime/SetIteratorPrototype.cpp:
2110         (JSC::SetIteratorPrototype::finishCreation):
2111         (JSC::SetIteratorPrototypeFuncNext):
2112         * runtime/SetPrototype.cpp:
2113         (JSC::SetPrototype::finishCreation):
2114         * runtime/SmallStrings.cpp:
2115         (JSC::SmallStrings::SmallStrings):
2116         (JSC::SmallStrings::initializeCommonStrings):
2117         (JSC::SmallStrings::visitStrongReferences):
2118         * runtime/SmallStrings.h:
2119         (JSC::SmallStrings::typeString):
2120         (JSC::SmallStrings::objectStringStart):
2121         (JSC::SmallStrings::nullObjectString):
2122         (JSC::SmallStrings::undefinedObjectString):
2123         * runtime/StringIteratorPrototype.cpp:
2124         (JSC::StringIteratorPrototype::finishCreation):
2125         * runtime/SymbolPrototype.cpp:
2126         (JSC::SymbolPrototype::finishCreation):
2127         * runtime/WeakMapPrototype.cpp:
2128         (JSC::WeakMapPrototype::finishCreation):
2129         (JSC::getWeakMapData):
2130         * runtime/WeakSetPrototype.cpp:
2131         (JSC::WeakSetPrototype::finishCreation):
2132         (JSC::getWeakMapData):
2133         * tests/es6.yaml:
2134         * tests/modules/namespace.js:
2135         * tests/stress/symbol-tostringtag.js: Copied from Source/JavaScriptCore/tests/stress/symbol-tostringtag.js.
2136
2137 2015-11-01  Commit Queue  <commit-queue@webkit.org>
2138
2139         Unreviewed, rolling out r191815 and r191821.
2140         https://bugs.webkit.org/show_bug.cgi?id=150781
2141
2142         Seems to have broken JSC API tests on some platforms
2143         (Requested by ap on #webkit).
2144
2145         Reverted changesets:
2146
2147         "[ES6] Add support for toStringTag"
2148         https://bugs.webkit.org/show_bug.cgi?id=150696
2149         http://trac.webkit.org/changeset/191815
2150
2151         "Unreviewed, forgot to mark tests as passing for new feature."
2152         http://trac.webkit.org/changeset/191821
2153
2154 2015-11-01  Commit Queue  <commit-queue@webkit.org>
2155
2156         Unreviewed, rolling out r191858.
2157         https://bugs.webkit.org/show_bug.cgi?id=150780
2158
2159         Broke the build (Requested by ap on #webkit).
2160
2161         Reverted changeset:
2162
2163         "Rename op_put_getter_setter to op_put_getter_setter_by_id"
2164         https://bugs.webkit.org/show_bug.cgi?id=150773
2165         http://trac.webkit.org/changeset/191858
2166
2167 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
2168
2169         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150777.
2170
2171         * b3/B3LowerToAir.cpp:
2172         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
2173
2174 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
2175
2176         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150775.
2177
2178         * b3/B3LowerToAir.cpp:
2179         (JSC::B3::Air::LowerToAir::tryTrunc):
2180
2181 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2182
2183         Rename op_put_getter_setter to op_put_getter_setter_by_id
2184         https://bugs.webkit.org/show_bug.cgi?id=150773
2185
2186         Reviewed by Mark Lam.
2187
2188         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
2189         the other ops' names like op_put_getter_by_id etc.
2190
2191         * bytecode/BytecodeList.json:
2192         * bytecode/BytecodeUseDef.h:
2193         (JSC::computeUsesForBytecodeOffset):
2194         (JSC::computeDefsForBytecodeOffset):
2195         * bytecode/CodeBlock.cpp:
2196         (JSC::CodeBlock::dumpBytecode):
2197         * bytecompiler/BytecodeGenerator.cpp:
2198         (JSC::BytecodeGenerator::emitPutGetterSetter):
2199         * dfg/DFGByteCodeParser.cpp:
2200         (JSC::DFG::ByteCodeParser::parseBlock):
2201         * dfg/DFGCapabilities.cpp:
2202         (JSC::DFG::capabilityLevel):
2203         * jit/JIT.cpp:
2204         (JSC::JIT::privateCompileMainPass):
2205         * jit/JIT.h:
2206         * jit/JITPropertyAccess.cpp:
2207         (JSC::JIT::emit_op_put_getter_setter_by_id):
2208         (JSC::JIT::emit_op_put_getter_setter): Deleted.
2209         * jit/JITPropertyAccess32_64.cpp:
2210         (JSC::JIT::emit_op_put_getter_setter_by_id):
2211         (JSC::JIT::emit_op_put_getter_setter): Deleted.
2212         * llint/LLIntSlowPaths.cpp:
2213         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2214         * llint/LLIntSlowPaths.h:
2215         * llint/LowLevelInterpreter.asm:
2216
2217 2015-10-31  Andreas Kling  <akling@apple.com>
2218
2219         Add a debug overlay with information about web process resource usage.
2220         <https://webkit.org/b/150599>
2221
2222         Reviewed by Darin Adler.
2223
2224         Have Heap track the exact number of bytes allocated in CopiedBlock, MarkedBlock and
2225         WeakBlock objects, keeping them in a single location that can be sampled by the
2226         resource usage overlay thread.
2227
2228         The bulk of these changes is threading a Heap& through from sites where blocks are
2229         allocated or freed.
2230
2231         * heap/CopiedBlock.cpp:
2232         (JSC::CopiedBlock::createNoZeroFill):
2233         (JSC::CopiedBlock::destroy):
2234         (JSC::CopiedBlock::create):
2235         * heap/CopiedBlock.h:
2236         * heap/CopiedSpace.cpp:
2237         (JSC::CopiedSpace::~CopiedSpace):
2238         (JSC::CopiedSpace::tryAllocateOversize):
2239         (JSC::CopiedSpace::tryReallocateOversize):
2240         * heap/CopiedSpaceInlines.h:
2241         (JSC::CopiedSpace::recycleEvacuatedBlock):
2242         (JSC::CopiedSpace::recycleBorrowedBlock):
2243         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2244         (JSC::CopiedSpace::allocateBlock):
2245         (JSC::CopiedSpace::startedCopying):
2246         * heap/Heap.cpp:
2247         (JSC::Heap::~Heap):
2248         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock):
2249         * heap/Heap.h:
2250         (JSC::Heap::blockBytesAllocated):
2251         * heap/HeapInlines.h:
2252         (JSC::Heap::didAllocateBlock):
2253         (JSC::Heap::didFreeBlock):
2254         * heap/MarkedAllocator.cpp:
2255         (JSC::MarkedAllocator::allocateBlock):
2256         * heap/MarkedBlock.cpp:
2257         (JSC::MarkedBlock::create):
2258         (JSC::MarkedBlock::destroy):
2259         * heap/MarkedBlock.h:
2260         * heap/MarkedSpace.cpp:
2261         (JSC::MarkedSpace::freeBlock):
2262         * heap/WeakBlock.cpp:
2263         (JSC::WeakBlock::create):
2264         (JSC::WeakBlock::destroy):
2265         * heap/WeakBlock.h:
2266         * heap/WeakSet.cpp:
2267         (JSC::WeakSet::~WeakSet):
2268         (JSC::WeakSet::addAllocator):
2269         (JSC::WeakSet::removeAllocator):
2270
2271 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
2272
2273         Air should eliminate dead code
2274         https://bugs.webkit.org/show_bug.cgi?id=150746
2275
2276         Reviewed by Geoffrey Garen.
2277
2278         This adds a very simple dead code elimination to Air. It simply looks at whether a Tmp or
2279         StackSlot has ever been used by a live instruction. An instruction is live if it has non-arg
2280         effects (branching, returning, calling, etc) or if it stores to a live Arg. An Arg is live if
2281         it references a live Tmp or StackSlot, or if it is neither a Tmp nor a StackSlot. The phase
2282         runs these rules to fixpoint, and then removes the dead instructions.
2283
2284         This also changes the AirOpcodes parser to handle multiple attributes per opcode, so that we
2285         could conceivably say things like "FooBar /branch /effects". It also adds the /effects
2286         attribute, which we currently use for Breakpoint and nothing else. C calls, patchpoints, and
2287         checks are all Specials, and the Special base class by default always claims that the
2288         instruction has effects. In the future, we could have B3 use a Patch in Air to implement
2289         exotic math constructs; then the Special associated with that thing would claim that there
2290         are no effects.
2291
2292         * JavaScriptCore.xcodeproj/project.pbxproj:
2293         * b3/air/AirBasicBlock.h:
2294         (JSC::B3::Air::BasicBlock::begin):
2295         (JSC::B3::Air::BasicBlock::end):
2296         (JSC::B3::Air::BasicBlock::at):
2297         (JSC::B3::Air::BasicBlock::last):
2298         (JSC::B3::Air::BasicBlock::resize):
2299         (JSC::B3::Air::BasicBlock::appendInst):
2300         * b3/air/AirEliminateDeadCode.cpp: Added.
2301         (JSC::B3::Air::eliminateDeadCode):
2302         * b3/air/AirEliminateDeadCode.h: Added.
2303         * b3/air/AirGenerate.cpp:
2304         (JSC::B3::Air::generate):
2305         * b3/air/AirInst.h:
2306         * b3/air/AirOpcode.opcodes:
2307         * b3/air/AirSpecial.cpp:
2308         (JSC::B3::Air::Special::name):
2309         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
2310         (JSC::B3::Air::Special::dump):
2311         * b3/air/AirSpecial.h:
2312         * b3/air/opcode_generator.rb:
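
The liveness rules described in the "Air should eliminate dead code" entry above, as an added C++ model that is not WebKit's AirEliminateDeadCode.cpp. The Arg and Inst structs, the pseudo-assembly strings and sampleProgram() are constructed for illustration; an operand that is both read and written is modelled as two Arg entries.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-ins for Air's types (assumptions, not WebKit's classes).
struct Arg {
    enum Kind { Tmp, StackSlot, Other }; // Other: immediate, absolute address, ...
    Kind kind;
    int id;      // Tmp or StackSlot number; ignored for Other
    bool isDef;  // true if the instruction stores to this Arg
};

struct Inst {
    std::string text;       // constructed pseudo-assembly, for display only
    std::vector<Arg> args;
    bool hasNonArgEffects;  // branching, returning, calling, etc.
};

using Key = std::pair<Arg::Kind, int>;

// An Arg is live if it is neither a Tmp nor a StackSlot, or if the Tmp or
// StackSlot it references has been used by a live instruction.
static bool isArgLive(const Arg& arg, const std::set<Key>& live)
{
    return arg.kind == Arg::Other || live.count(Key(arg.kind, arg.id)) != 0;
}

// An instruction is live if it has non-arg effects or stores to a live Arg.
static bool isInstLive(const Inst& inst, const std::set<Key>& live)
{
    if (inst.hasNonArgEffects)
        return true;
    for (const Arg& arg : inst.args) {
        if (arg.isDef && isArgLive(arg, live))
            return true;
    }
    return false;
}

// Start with nothing live, grow the live set to a fixpoint, then drop the
// instructions that never became live. Returns how many were removed.
std::size_t eliminateDeadCode(std::vector<Inst>& code)
{
    std::set<Key> live;
    for (bool changed = true; changed;) {
        changed = false;
        for (const Inst& inst : code) {
            if (!isInstLive(inst, live))
                continue;
            // Everything a live instruction reads becomes live.
            for (const Arg& arg : inst.args) {
                if (!arg.isDef && arg.kind != Arg::Other
                    && live.insert(Key(arg.kind, arg.id)).second)
                    changed = true;
            }
        }
    }
    std::size_t before = code.size();
    code.erase(std::remove_if(code.begin(), code.end(),
        [&](const Inst& inst) { return !isInstLive(inst, live); }), code.end());
    return before - code.size();
}

// Constructed input. Liveness flows backwards from the last two instructions,
// so a single forward pass is not enough and the fixpoint loop is exercised.
std::vector<Inst> sampleProgram()
{
    const bool use = false, def = true;
    return {
        {"Move $1, %tmp0",       {{Arg::Other, 0, use}, {Arg::Tmp, 0, def}}, false},
        {"Move $7, %tmp3",       {{Arg::Other, 0, use}, {Arg::Tmp, 3, def}}, false},
        {"Move %tmp0, %tmp1",    {{Arg::Tmp, 0, use}, {Arg::Tmp, 1, def}}, false},
        {"Move %tmp1, stack0",   {{Arg::Tmp, 1, use}, {Arg::StackSlot, 0, def}}, false},
        {"Move %tmp3, %tmp4",    {{Arg::Tmp, 3, use}, {Arg::Tmp, 4, def}}, false},
        // Reads and writes only itself: never reached from a live instruction.
        {"Add $1, %tmp5",        {{Arg::Other, 0, use}, {Arg::Tmp, 5, use}, {Arg::Tmp, 5, def}}, false},
        // Destination is neither a Tmp nor a StackSlot, so the store is live.
        {"Move %tmp1, (0x1000)", {{Arg::Tmp, 1, use}, {Arg::Other, 0, def}}, false},
        {"Ret %tmp1",            {{Arg::Tmp, 1, use}}, true},
    };
}

int main()
{
    std::vector<Inst> code = sampleProgram();
    std::size_t removed = eliminateDeadCode(code);
    std::printf("removed %zu instruction(s); survivors:\n", removed);
    for (const Inst& inst : code)
        std::printf("  %s\n", inst.text.c_str());
    return 0;
}
```

The model is flow-insensitive, as the entry describes: a Tmp or StackSlot counts as live if any live instruction anywhere reads it.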
2313
2314 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
2315
2316         Air needs a late register liveness phase that calls Special::reportUsedRegisters()
2317         https://bugs.webkit.org/show_bug.cgi?id=150511
2318
2319         Reviewed by Saam Barati.
2320
2321         This change adds such a phase. In the process of writing it, I was reminded about the
2322         glaring efficiency bugs in Air::Liveness and so I filed a bug and added FIXMEs.
2323
2324         * JavaScriptCore.xcodeproj/project.pbxproj:
2325         * b3/air/AirAllocateStack.cpp:
2326         (JSC::B3::Air::allocateStack):
2327         * b3/air/AirGenerate.cpp:
2328         (JSC::B3::Air::generate):
2329         * b3/air/AirReportUsedRegisters.cpp: Added.
2330         (JSC::B3::Air::reportUsedRegisters):
2331         * b3/air/AirReportUsedRegisters.h: Added.
2332
2333 2015-10-31  Brian Burg  <bburg@apple.com>
2334
2335         Builtins generator should put WebCore-only wrappers in the per-builtin header
2336         https://bugs.webkit.org/show_bug.cgi?id=150539
2337
2338         Reviewed by Youenn Fablet.
2339
2340         If generating for WebCore, put the XXXWrapper and related boilerplate
2341         in the per-builtin header instead of making a separate XXXWrapper.h.
2342
2343         Rebaseline the tests.
2344
2345         * CMakeLists.txt:
2346         * DerivedSources.make:
2347         * Scripts/builtins/builtins.py:
2348         * Scripts/builtins/builtins_generate_separate_header.py:
2349         (BuiltinsSeparateHeaderGenerator.generate_output):
2350         (generate_header_includes):
2351         * Scripts/builtins/builtins_generate_separate_wrapper.py: Deleted.
2352         * Scripts/builtins/builtins_templates.py: Be consistent with variables.
2353         * Scripts/generate-js-builtins.py:
2354         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2355         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2356         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2357         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2358
2359 2015-10-31  Saam barati  <sbarati@apple.com>
2360
2361         JSC should have a forceGCSlowPaths option
2362         https://bugs.webkit.org/show_bug.cgi?id=150744
2363
2364         Reviewed by Filip Pizlo.
2365
2366         This patch implements the forceGCSlowPaths option.
2367         It defaults to false, but when it is set to true,
2368         the JITs will always allocate objects along the slow
2369         path. This will be helpful for writing a certain class
2370         of tests. This may also come in handy for debugging
2371         later.
2372
2373         This patch also adds the "forceGCSlowPaths" function
2374         in jsc.cpp which sets the option to true. If you
2375         use this function in a jsc stress test, it's best
2376         to call it as the first thing in the program before
2377         we JIT anything.
2378
2379         * dfg/DFGSpeculativeJIT.h:
2380         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2381         * ftl/FTLLowerDFGToLLVM.cpp:
2382         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2383         * jit/JITInlines.h:
2384         (JSC::JIT::emitAllocateJSObject):
2385         * jsc.cpp:
2386         (GlobalObject::finishCreation):
2387         (functionEdenGC):
2388         (functionForceGCSlowPaths):
2389         (functionHeapSize):
2390         * runtime/Options.h:
2391
2392 2015-10-30  Joseph Pecoraro  <pecoraro@apple.com>
2393
2394         Web Inspector: Test Debugger.scriptParsed events received after opening inspector frontend
2395         https://bugs.webkit.org/show_bug.cgi?id=150753
2396
2397         Reviewed by Timothy Hatcher.
2398
2399         * parser/Parser.h:
2400         (JSC::Parser<LexerType>::parse):
2401         Only set the directives on the SourceProvider if we were parsing the
2402         entire file (Program or Module), not if we are in function parsing mode.
2403         This was inadvertently clearing the directives stored on the
2404         SourceProvider when the function parse didn't see directives and reset
2405         the values on the source provider.
2406
2407 2015-10-30  Benjamin Poulain  <bpoulain@apple.com>
2408
2409         [JSC] Add lowering for B3's Sub operation with integers
2410         https://bugs.webkit.org/show_bug.cgi?id=150749
2411
2412         Reviewed by Filip Pizlo.
2413
2414         * b3/B3LowerToAir.cpp:
2415         (JSC::B3::Air::LowerToAir::trySub):
2416         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
2417         * b3/B3LoweringMatcher.patterns:
2418         Identical to Add but obviously NotCommutative.
2419
2420         * b3/B3ReduceStrength.cpp:
2421         Turn Add/Sub with zero into an identity. I only added for
2422         Add since Sub with a constant is always turned into an Add.
2423
2424         Also switched the Sub optimizations to put the strongest first.
2425
2426         * b3/air/AirOpcode.opcodes:
2427         * b3/testb3.cpp:
2428         (JSC::B3::testAddArgImm):
2429         (JSC::B3::testAddImmArg):
2430         (JSC::B3::testSubArgs):
2431         (JSC::B3::testSubArgImm):
2432         (JSC::B3::testSubImmArg):
2433         (JSC::B3::testSubArgs32):
2434         (JSC::B3::testSubArgImm32):
2435         (JSC::B3::testSubImmArg32):
2436         (JSC::B3::testStoreSubLoad):
2437         (JSC::B3::run):
2438
2439 2015-10-30  Benjamin Poulain  <bpoulain@apple.com>
2440
2441         [JSC] Add the Air Opcode definitions to the Xcode project file
2442         https://bugs.webkit.org/show_bug.cgi?id=150701
2443
2444         Reviewed by Geoffrey Garen.
2445
2446         * JavaScriptCore.xcodeproj/project.pbxproj:
2447         Easier for those who use Xcode :)
2448
2449 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
2450
2451         Unreviewed, removing FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150540.
2452
2453         * b3/B3ValueRep.h:
2454
2455 2015-10-30  Michael Saboff  <msaboff@apple.com>
2456
2457         Windows X86-64 change for Crash making a tail call from a getter to a host function
2458         https://bugs.webkit.org/show_bug.cgi?id=150737
2459
2460         Reviewed by Geoffrey Garen.
2461
2462         Need to make the same change for Windows X86-64 as was made in change set
2463         http://trac.webkit.org/changeset/191765.
2464
2465         * jit/JITStubsMSVC64.asm:
2466
2467 2015-10-30  Keith Miller  <keith_miller@apple.com>
2468
2469         Unreviewed, forgot to mark tests as passing for new feature.
2470
2471         * tests/es6.yaml:
2472
2473 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
2474
2475         B3 should be able to compile a control flow diamond
2476         https://bugs.webkit.org/show_bug.cgi?id=150720
2477
2478         Reviewed by Benjamin Poulain.
2479
2480         Adds support for Branch, Jump, Upsilon, and Phi. Adds some basic strength reduction for
2481         comparisons and boolean-like operations.
2482
2483         * assembler/MacroAssembler.cpp:
2484         (WTF::printInternal):
2485         * assembler/MacroAssembler.h:
2486         * b3/B3BasicBlockUtils.h:
2487         (JSC::B3::replacePredecessor):
2488         (JSC::B3::resetReachability):
2489         * b3/B3CheckValue.h:
2490         * b3/B3Common.h:
2491         (JSC::B3::isRepresentableAsImpl):
2492         (JSC::B3::isRepresentableAs):
2493         * b3/B3Const32Value.cpp:
2494         (JSC::B3::Const32Value::subConstant):
2495         (JSC::B3::Const32Value::equalConstant):
2496         (JSC::B3::Const32Value::notEqualConstant):
2497         (JSC::B3::Const32Value::dumpMeta):
2498         * b3/B3Const32Value.h:
2499         * b3/B3Const64Value.cpp:
2500         (JSC::B3::Const64Value::subConstant):
2501         (JSC::B3::Const64Value::equalConstant):
2502         (JSC::B3::Const64Value::notEqualConstant):
2503         (JSC::B3::Const64Value::dumpMeta):
2504         * b3/B3Const64Value.h:
2505         * b3/B3ConstDoubleValue.cpp:
2506         (JSC::B3::ConstDoubleValue::subConstant):
2507         (JSC::B3::ConstDoubleValue::equalConstant):
2508         (JSC::B3::ConstDoubleValue::notEqualConstant):
2509         (JSC::B3::ConstDoubleValue::dumpMeta):
2510         * b3/B3ConstDoubleValue.h:
2511         * b3/B3ControlValue.cpp:
2512         (JSC::B3::ControlValue::~ControlValue):
2513         (JSC::B3::ControlValue::convertToJump):
2514         (JSC::B3::ControlValue::dumpMeta):
2515         * b3/B3ControlValue.h:
2516         * b3/B3LowerToAir.cpp:
2517         (JSC::B3::Air::LowerToAir::imm):
2518         (JSC::B3::Air::LowerToAir::tryStackSlot):
2519         (JSC::B3::Air::LowerToAir::tryUpsilon):
2520         (JSC::B3::Air::LowerToAir::tryPhi):
2521         (JSC::B3::Air::LowerToAir::tryBranch):
2522         (JSC::B3::Air::LowerToAir::tryJump):
2523         (JSC::B3::Air::LowerToAir::tryIdentity):
2524         * b3/B3LoweringMatcher.patterns:
2525         * b3/B3Opcode.h:
2526         * b3/B3Procedure.cpp:
2527         (JSC::B3::Procedure::resetReachability):
2528         (JSC::B3::Procedure::dump):
2529         * b3/B3ReduceStrength.cpp:
2530         * b3/B3UpsilonValue.cpp:
2531         (JSC::B3::UpsilonValue::dumpMeta):
2532         * b3/B3UpsilonValue.h:
2533         (JSC::B3::UpsilonValue::accepts): Deleted.
2534         (JSC::B3::UpsilonValue::phi): Deleted.
2535         (JSC::B3::UpsilonValue::UpsilonValue): Deleted.
2536         * b3/B3Validate.cpp:
2537         * b3/B3Value.cpp:
2538         (JSC::B3::Value::subConstant):
2539         (JSC::B3::Value::equalConstant):
2540         (JSC::B3::Value::notEqualConstant):
2541         (JSC::B3::Value::returnsBool):
2542         (JSC::B3::Value::asTriState):
2543         (JSC::B3::Value::effects):
2544         * b3/B3Value.h:
2545         * b3/B3ValueInlines.h:
2546         (JSC::B3::Value::asInt32):
2547         (JSC::B3::Value::isInt32):
2548         (JSC::B3::Value::hasInt64):
2549         (JSC::B3::Value::asInt64):
2550         (JSC::B3::Value::isInt64):
2551         (JSC::B3::Value::hasInt):
2552         (JSC::B3::Value::asIntPtr):
2553         (JSC::B3::Value::isIntPtr):
2554         (JSC::B3::Value::hasDouble):
2555         (JSC::B3::Value::asDouble):
2556         (JSC::B3::Value::isEqualToDouble):
2557         (JSC::B3::Value::hasNumber):
2558         (JSC::B3::Value::representableAs):
2559         (JSC::B3::Value::asNumber):
2560         (JSC::B3::Value::stackmap):
2561         * b3/air/AirArg.cpp:
2562         (JSC::B3::Air::Arg::dump):
2563         * b3/air/AirArg.h:
2564         (JSC::B3::Air::Arg::resCond):
2565         (JSC::B3::Air::Arg::doubleCond):
2566         (JSC::B3::Air::Arg::special):
2567         (JSC::B3::Air::Arg::isResCond):
2568         (JSC::B3::Air::Arg::isDoubleCond):
2569         (JSC::B3::Air::Arg::isSpecial):
2570         (JSC::B3::Air::Arg::isGP):
2571         (JSC::B3::Air::Arg::isFP):
2572         (JSC::B3::Air::Arg::asResultCondition):
2573         (JSC::B3::Air::Arg::asDoubleCondition):
2574         (JSC::B3::Air::Arg::Arg):
2575         * b3/air/AirCode.cpp:
2576         (JSC::B3::Air::Code::resetReachability):
2577         (JSC::B3::Air::Code::dump):
2578         * b3/air/AirOpcode.opcodes:
2579         * b3/air/opcode_generator.rb:
2580         * b3/testb3.cpp:
2581         (hiddenTruthBecauseNoReturnIsStupid):
2582         (usage):
2583         (JSC::B3::compile):
2584         (JSC::B3::invoke):
2585         (JSC::B3::compileAndRun):
2586         (JSC::B3::test42):
2587         (JSC::B3::testStoreLoadStackSlot):
2588         (JSC::B3::testBranch):
2589         (JSC::B3::testDiamond):
2590         (JSC::B3::testBranchNotEqual):
2591         (JSC::B3::testBranchFold):
2592         (JSC::B3::testDiamondFold):
2593         (JSC::B3::run):
2594         (run):
2595         (main):
2596
2597 2015-10-30  Keith Miller  <keith_miller@apple.com>
2598
2599         [ES6] Add support for toStringTag
2600         https://bugs.webkit.org/show_bug.cgi?id=150696
2601
2602         Reviewed by Geoffrey Garen.
2603
2604         This patch adds support for Symbol.toStringTag. This is a simple
2605         feature: if an object passed to Object.prototype.toString() has a
2606         toStringTag, we use the tag in the string rather than the class info.
2607         Added a test that checks this works for all the default supported classes
2608         along with the corresponding prototype and custom cases.
2609
2610         * runtime/ArrayIteratorPrototype.cpp:
2611         (JSC::ArrayIteratorPrototype::finishCreation):
2612         * runtime/CommonIdentifiers.h:
2613         * runtime/JSArrayBufferPrototype.cpp:
2614         (JSC::JSArrayBufferPrototype::finishCreation):
2615         * runtime/JSDataViewPrototype.cpp:
2616         (JSC::JSDataViewPrototype::finishCreation):
2617         * runtime/JSDataViewPrototype.h:
2618         * runtime/JSModuleNamespaceObject.cpp:
2619         (JSC::JSModuleNamespaceObject::finishCreation):
2620         * runtime/JSONObject.cpp:
2621         (JSC::JSONObject::finishCreation):
2622         * runtime/JSPromisePrototype.cpp:
2623         (JSC::JSPromisePrototype::finishCreation):
2624         * runtime/JSTypedArrayViewPrototype.cpp:
2625         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2626         (JSC::JSTypedArrayViewPrototype::finishCreation):
2627         * runtime/MapIteratorPrototype.cpp:
2628         (JSC::MapIteratorPrototype::finishCreation):
2629         * runtime/MapPrototype.cpp:
2630         (JSC::MapPrototype::finishCreation):
2631         * runtime/MathObject.cpp:
2632         (JSC::MathObject::finishCreation):
2633         * runtime/ObjectPrototype.cpp:
2634         (JSC::objectProtoFuncToString):
2635         * runtime/SetIteratorPrototype.cpp:
2636         (JSC::SetIteratorPrototype::finishCreation):
2637         * runtime/SetPrototype.cpp:
2638         (JSC::SetPrototype::finishCreation):
2639         * runtime/SmallStrings.cpp:
2640         (JSC::SmallStrings::SmallStrings):
2641         (JSC::SmallStrings::initializeCommonStrings):
2642         (JSC::SmallStrings::visitStrongReferences):
2643         * runtime/SmallStrings.h:
2644         (JSC::SmallStrings::objectStringStart):
2645         * runtime/StringIteratorPrototype.cpp:
2646         (JSC::StringIteratorPrototype::finishCreation):
2647         * runtime/SymbolPrototype.cpp:
2648         (JSC::SymbolPrototype::finishCreation):
2649         * runtime/WeakMapPrototype.cpp:
2650         (JSC::WeakMapPrototype::finishCreation):
2651         * runtime/WeakSetPrototype.cpp:
2652         (JSC::WeakSetPrototype::finishCreation):
2653         * tests/modules/namespace.js:
2654         * tests/stress/symbol-tostringtag.js: Added.
2655         (toStr):
2656         (strName):
2657         (classes.string_appeared_here):
2658
2659 2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>
2660
2661         Web Inspector: Do not show JavaScriptCore builtins in inspector
2662         https://bugs.webkit.org/show_bug.cgi?id=146049
2663
2664         Reviewed by Geoffrey Garen.
2665
2666         * debugger/Debugger.cpp:
2667         When gathering scripts to notify the inspector / debuggers about,
2668         skip over sources containing host / built-in functions, as those
2669         won't contain source code developers expect to see.
2670
2671 2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>
2672
2673         Fix typo in "use strict" in TypedArray builtins
2674         https://bugs.webkit.org/show_bug.cgi?id=150709
2675
2676         Reviewed by Geoffrey Garen.
2677
2678         * builtins/TypedArray.prototype.js:
2679         (toLocaleString):
2680
2681 2015-10-29  Philippe Normand  <pnormand@igalia.com>
2682
2683         [GTK][Mac] disable OBJC JSC API
2684         https://bugs.webkit.org/show_bug.cgi?id=150500
2685
2686         Reviewed by Alex Christensen.
2687
2688         * API/JSBase.h: Disable the Objective-C API on Mac for the GTK port.
2689
2690 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2691
2692         Air::handleCalleeSaves shouldn't save/restore the frame pointer
2693         https://bugs.webkit.org/show_bug.cgi?id=150688
2694
2695         Reviewed by Michael Saboff.
2696
2697         We save/restore the FP inside Air::generate().
2698
2699         * b3/air/AirHandleCalleeSaves.cpp:
2700         (JSC::B3::Air::handleCalleeSaves):
2701
2702 2015-10-29  Michael Saboff  <msaboff@apple.com>
2703
2704         Crash making a tail call from a getter to a host function
2705         https://bugs.webkit.org/show_bug.cgi?id=150663
2706
2707         Reviewed by Geoffrey Garen.
2708
2709         Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
2710         call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.
2711
2712         * jit/JITOperations.cpp:
2713
2714 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2715
2716         B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
2717         https://bugs.webkit.org/show_bug.cgi?id=150685
2718
2719         Reviewed by Geoffrey Garen.
2720
2721         In B3, a constant must match the type of its use. In Air, immediates don't have type, they
2722         only have representation. A 32-bit immediate (i.e. Arg::imm) can be used either for 32-bit
2723         operations or for 64-bit operations. The only difference from an Arg::imm64 is that it
2724         requires fewer bits.
2725
2726         In the B3->Air lowering, we have a lot of code that is effectively polymorphic over integer
2727         type. That code should still be able to use Arg::imm, and it should work even for 64-bit
2728         immediates - so long as they are representable as 32-bit immediates. Therefore, the imm()
2729         helper should happily accept either Const32Value or Const64Value.
2730
2731         We already sort of had this with immAnyType(), but it just turns out that anyone using
2732         immAnyType() should really be using imm().
2733
2734         * b3/B3LowerToAir.cpp:
2735         (JSC::B3::Air::LowerToAir::imm):
2736         (JSC::B3::Air::LowerToAir::tryStore):
2737         (JSC::B3::Air::LowerToAir::tryConst64):
2738         (JSC::B3::Air::LowerToAir::immAnyInt): Deleted.
2739         * b3/testb3.cpp:
2740         (JSC::B3::testAdd1):
2741         (JSC::B3::testAdd1Ptr):
2742         (JSC::B3::testStoreAddLoad):
2743         (JSC::B3::run):
2744
2745 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2746
2747         StoreOpLoad pattern matching should check effects between the Store and Load
2748         https://bugs.webkit.org/show_bug.cgi?id=150534
2749
2750         Reviewed by Geoffrey Garen.
2751
2752         If we turn:
2753
2754             a = Load(addr)
2755             b = Add(a, 42)
2756             Store(b, addr)
2757
2758         Into:
2759
2760             Add $42, (addr)
2761
2762         Then we must make sure that we didn't really have this to begin with:
2763
2764             a = Load(addr)
2765             Store(666, addr)
2766             b = Add(a, 42)
2767             Store(b, addr)
2768
2769         That's because pattern matching doesn't care about control flow, and it finds the Load
2770         just using data flow. This patch fleshes out B3's aliasing analysis, and makes it powerful
2771         enough to broadly ask questions about whether such a code motion of the Load is legal.
2772
2773         * b3/B3Effects.cpp:
2774         (JSC::B3::Effects::interferes):
2775         (JSC::B3::Effects::dump):
2776         * b3/B3Effects.h:
2777         (JSC::B3::Effects::mustExecute):
2778         * b3/B3LowerToAir.cpp:
2779         (JSC::B3::Air::LowerToAir::run):
2780         (JSC::B3::Air::LowerToAir::commitInternal):
2781         (JSC::B3::Air::LowerToAir::crossesInterference):
2782         (JSC::B3::Air::LowerToAir::effectiveAddr):
2783         (JSC::B3::Air::LowerToAir::loadAddr):
2784         * b3/B3Procedure.cpp:
2785         (JSC::B3::Procedure::addBlock):
2786         (JSC::B3::Procedure::resetValueOwners):
2787         (JSC::B3::Procedure::resetReachability):
2788         * b3/B3Procedure.h:
2789         * b3/B3Value.cpp:
2790         (JSC::B3::Value::effects):
2791         * b3/B3Value.h:
2792         * b3/testb3.cpp:
2793         (JSC::B3::testStoreAddLoad):
2794         (JSC::B3::testStoreAddLoadInterference):
2795         (JSC::B3::testStoreAddAndLoad):
2796         (JSC::B3::testLoadOffsetUsingAdd):
2797         (JSC::B3::testLoadOffsetUsingAddInterference):
2798         (JSC::B3::testLoadOffsetUsingAddNotConstant):
2799         (JSC::B3::run):
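
The hazard described in the entry above, as an added example that is not WebKit code: a toy IR in which a data-flow-only match of Store(Add(Load)) is fused with and without checking for a write between the Load and the Store. All names (Value, Block, matchStoreAddLoad, interferingWriteBetween, canFuse, run, sampleBlock) are hypothetical, and aliasing is assumed to mean "same location id".

```cpp
// Added illustration: a toy straight-line IR, not B3's real classes.
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

enum class Op { Const, Load, Add, Store };

struct Value {
    Op op;
    int addr;    // memory location id for Load/Store, otherwise -1
    int a;       // operand index: Add lhs, or the value a Store writes
    int b;       // operand index: Add rhs, otherwise -1
    int64_t imm; // payload of a Const
};
typedef std::vector<Value> Block;

static Value constant(int64_t v) { return Value{ Op::Const, -1, -1, -1, v }; }
static Value load(int addr) { return Value{ Op::Load, addr, -1, -1, 0 }; }
static Value add(int a, int b) { return Value{ Op::Add, -1, a, b, 0 }; }
static Value store(int value, int addr) { return Value{ Op::Store, addr, value, -1, 0 }; }

struct Match { bool ok; int loadIdx; int addIdx; int64_t imm; };

static int useCount(const Block& block, int idx) {
    int n = 0;
    for (const Value& v : block)
        n += (v.a == idx) + (v.b == idx);
    return n;
}

// Data-flow-only match of Store(Add(Load(addr), Const), addr) rooted at storeIdx.
// It follows operand edges and never looks at what sits between the values.
static Match matchStoreAddLoad(const Block& block, int storeIdx) {
    Match none = { false, -1, -1, 0 };
    const Value& st = block[storeIdx];
    if (st.op != Op::Store || block[st.a].op != Op::Add)
        return none;
    const Value& sum = block[st.a];
    if (block[sum.a].op != Op::Load || block[sum.b].op != Op::Const || block[sum.a].addr != st.addr)
        return none;
    // The Load and Add vanish into the fused instruction, so each needs exactly one user.
    if (useCount(block, sum.a) != 1 || useCount(block, st.a) != 1)
        return none;
    return Match{ true, sum.a, st.a, block[sum.b].imm };
}

// The extra check: does a Store between the Load and the fused Store write the loaded location?
static bool interferingWriteBetween(const Block& block, int loadIdx, int storeIdx) {
    for (int i = loadIdx + 1; i < storeIdx; ++i)
        if (block[i].op == Op::Store && block[i].addr == block[loadIdx].addr)
            return true;
    return false;
}

static bool canFuse(const Block& block, int storeIdx) {
    Match m = matchStoreAddLoad(block, storeIdx);
    return m.ok && !interferingWriteBetween(block, m.loadIdx, storeIdx);
}

// Runs the block with location 0 initially holding 10; returns its final contents.
// fuseAt == -1 executes every value in order. Otherwise the pattern rooted at fuseAt runs
// as one read-modify-write at the Store's position WITHOUT asking canFuse().
static int64_t run(const Block& block, int fuseAt) {
    std::map<int, int64_t> mem;
    mem[0] = 10;
    Match m = fuseAt >= 0 ? matchStoreAddLoad(block, fuseAt) : Match{ false, -1, -1, 0 };
    std::vector<int64_t> result(block.size(), 0);
    for (int i = 0; i < static_cast<int>(block.size()); ++i) {
        const Value& v = block[i];
        if (m.ok && (i == m.loadIdx || i == m.addIdx))
            continue; // folded into the fused instruction
        if (m.ok && i == fuseAt) {
            mem[v.addr] += m.imm; // Add $imm, (addr)
            continue;
        }
        switch (v.op) {
        case Op::Const: result[i] = v.imm; break;
        case Op::Load: result[i] = mem[v.addr]; break;
        case Op::Add: result[i] = result[v.a] + result[v.b]; break;
        case Op::Store: mem[v.addr] = result[v.a]; break;
        }
    }
    return mem[0];
}

// Constructed sample: a = Load(0); Store(666, betweenAddr); b = Add(a, 42); Store(b, 0).
static Block sampleBlock(int betweenAddr) {
    return Block{ load(0), constant(666), store(1, betweenAddr), constant(42), add(0, 3), store(4, 0) };
}

int main() {
    Block bad = sampleBlock(0);
    std::printf("canFuse=%d original=%lld unchecked=%lld\n", canFuse(bad, 5), static_cast<long long>(run(bad, -1)), static_cast<long long>(run(bad, 5)));
    return 0;
}
```

With the intervening Store aimed at location 1 instead of 0, the same pattern is safe to fuse and both executions agree.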
2800
2801 2015-10-29  Brady Eidson  <beidson@apple.com>
2802
2803         Modern IDB: deleteObjectStore support.
2804         https://bugs.webkit.org/show_bug.cgi?id=150673
2805
2806         Reviewed by Alex Christensen.
2807
2808         * runtime/VM.h:
2809
2810 2015-10-29  Mark Lam  <mark.lam@apple.com>
2811
2812         cdjs-tests.yaml/main.js.ftl fails due to FTL ArithSub code for supporting UntypedUse operands.
2813         https://bugs.webkit.org/show_bug.cgi?id=150687
2814
2815         Unreviewed.
2816
2817         Disabling the feature while it is being debugged.  I'm doing this by effectively
2818         rolling out only the changes in FTLCapabilities.cpp.
2819
2820         * ftl/FTLCapabilities.cpp:
2821         (JSC::FTL::canCompile):
2822
2823 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2824
2825         Unreviewed, fix iOS build.
2826
2827         * assembler/MacroAssemblerARM64.h:
2828         (JSC::MacroAssemblerARM64::store64):
2829
2830 2015-10-29  Alex Christensen  <achristensen@webkit.org>
2831
2832         Fix Mac CMake build
2833         https://bugs.webkit.org/show_bug.cgi?id=150686
2834
2835         Reviewed by Filip Pizlo.
2836
2837         * API/ObjCCallbackFunction.mm:
2838         * CMakeLists.txt:
2839         * PlatformMac.cmake:
2840
2841 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2842
2843         Air needs syntax for escaping StackSlots
2844         https://bugs.webkit.org/show_bug.cgi?id=150430
2845
2846         Reviewed by Geoffrey Garen.
2847
2848         This adds lowering for FramePointer and StackSlot, and to enable this, it adds the Lea
2849         instruction for getting the value of an address. This is necessary to support arbitrary
2850         lowerings of StackSlot, since the only way to get the "value" of a StackSlot in Air is with
2851         this new instruction.
2852
2853         Lea uses a new Role, called UseAddr. This describes exactly what the Intel-style LEA opcode
2854         would do: it evaluates an address, but does not load from it or store to it.
2855
2856         Lea is also the only way to escape a StackSlot. Well, more accurately, UseAddr is the only
2857         way to escape and UseAddr is only used by Lea. The stack allocation phase now understands
2858         that StackSlots may escape, and factors this into its analysis.
2859
2860         * assembler/MacroAssembler.h:
2861         (JSC::MacroAssembler::lea):
2862         * b3/B3AddressMatcher.patterns:
2863         * b3/B3LowerToAir.cpp:
2864         (JSC::B3::Air::LowerToAir::run):
2865         (JSC::B3::Air::LowerToAir::addr):
2866         (JSC::B3::Air::LowerToAir::loadAddr):
2867         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
2868         (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer):
2869         (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot):
2870         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
2871         (JSC::B3::Air::LowerToAir::tryConst64):
2872         (JSC::B3::Air::LowerToAir::tryFramePointer):
2873         (JSC::B3::Air::LowerToAir::tryStackSlot):
2874         (JSC::B3::Air::LowerToAir::tryIdentity):
2875         * b3/B3LoweringMatcher.patterns:
2876         * b3/B3MemoryValue.cpp:
2877         (JSC::B3::MemoryValue::~MemoryValue):
2878         (JSC::B3::MemoryValue::accessByteSize):
2879         (JSC::B3::MemoryValue::dumpMeta):
2880         * b3/B3MemoryValue.h:
2881         * b3/B3ReduceStrength.cpp:
2882         * b3/B3StackSlotValue.h:
2883         (JSC::B3::StackSlotValue::accepts): Deleted.
2884         * b3/B3Type.h:
2885         (JSC::B3::pointerType):
2886         (JSC::B3::sizeofType):
2887         * b3/B3Validate.cpp:
2888         * b3/B3Value.h:
2889         * b3/air/AirAllocateStack.cpp:
2890         (JSC::B3::Air::allocateStack):
2891         * b3/air/AirArg.h:
2892         (JSC::B3::Air::Arg::isUse):
2893         (JSC::B3::Air::Arg::isDef):
2894         (JSC::B3::Air::Arg::forEachTmp):
2895         * b3/air/AirCode.cpp:
2896         (JSC::B3::Air::Code::addStackSlot):
2897         (JSC::B3::Air::Code::addSpecial):
2898         * b3/air/AirCode.h:
2899         * b3/air/AirOpcode.opcodes:
2900         * b3/air/AirSpillEverything.cpp:
2901         (JSC::B3::Air::spillEverything):
2902         * b3/air/AirStackSlot.h:
2903         (JSC::B3::Air::StackSlot::byteSize):
2904         (JSC::B3::Air::StackSlot::kind):
2905         (JSC::B3::Air::StackSlot::isLocked):
2906         (JSC::B3::Air::StackSlot::index):
2907         (JSC::B3::Air::StackSlot::alignment):
2908         * b3/air/opcode_generator.rb:
2909         * b3/testb3.cpp:
2910         (JSC::B3::testLoadOffsetUsingAddNotConstant):
2911         (JSC::B3::testFramePointer):
2912         (JSC::B3::testStackSlot):
2913         (JSC::B3::testLoadFromFramePointer):
2914         (JSC::B3::testStoreLoadStackSlot):
2915         (JSC::B3::run):
2916
2917 2015-10-29  Saam barati  <sbarati@apple.com>
2918
2919         we're incorrectly adjusting a stack location with respect to the localsOffset in FTLCompile
2920         https://bugs.webkit.org/show_bug.cgi?id=150655
2921
2922         Reviewed by Filip Pizlo.
2923
2924         We're recomputing this value for an *OSRExitDescriptor* for every one
2925         of its corresponding *OSRExits*. This is having a multiplicative
2926         effect on offsets because each computation is relative to the previous
2927         value. We must do this computation just once per OSRExitDescriptor.
2928
2929         * ftl/FTLCompile.cpp:
2930         (JSC::FTL::mmAllocateDataSection):
2931
2932 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2933
2934         Air::spillEverything() should try to replace tmps with spill slots without using registers whenever possible
2935         https://bugs.webkit.org/show_bug.cgi?id=150657
2936
2937         Reviewed by Geoffrey Garen.
2938
2939         Also added the ability to store an immediate to memory.
2940
2941         * assembler/MacroAssembler.h:
2942         (JSC::MacroAssembler::storePtr):
2943         * assembler/MacroAssemblerARM64.h:
2944         (JSC::MacroAssemblerARM64::store64):
2945         * assembler/MacroAssemblerX86_64.h:
2946         (JSC::MacroAssemblerX86_64::store64):
2947         * b3/B3LowerToAir.cpp:
2948         (JSC::B3::Air::LowerToAir::imm):
2949         (JSC::B3::Air::LowerToAir::immAnyInt):
2950         (JSC::B3::Air::LowerToAir::immOrTmp):
2951         (JSC::B3::Air::LowerToAir::tryStore):
2952         * b3/air/AirOpcode.opcodes:
2953         * b3/air/AirSpillEverything.cpp:
2954         (JSC::B3::Air::spillEverything):
2955         * b3/testb3.cpp:
2956         (JSC::B3::testStore):
2957         (JSC::B3::testStoreConstant):
2958         (JSC::B3::testStoreConstantPtr):
2959         (JSC::B3::testTrunc):
2960         (JSC::B3::run):
2961
2962 2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>
2963
2964         Web Inspector: Rename InspectorResourceAgent to InspectorNetworkAgent
2965         https://bugs.webkit.org/show_bug.cgi?id=150654
2966
2967         Reviewed by Geoffrey Garen.
2968
2969         * inspector/scripts/codegen/generator.py:
2970
2971 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2972
2973         B3::reduceStrength() should do DCE
2974         https://bugs.webkit.org/show_bug.cgi?id=150656
2975
2976         Reviewed by Saam Barati.
2977
2978         * b3/B3BasicBlock.cpp:
2979         (JSC::B3::BasicBlock::removeNops): This now deletes the values from the procedure, to preserve the invariant that valuesInProc == valuesInBlocks.
2980         * b3/B3BasicBlock.h:
2981         * b3/B3Procedure.cpp:
2982         (JSC::B3::Procedure::deleteValue): Add a utility used by removeNops().
2983         (JSC::B3::Procedure::addValueIndex): Make sure that we reuse Value indices so that m_values doesn't get too sparse.
2984         * b3/B3Procedure.h:
2985         (JSC::B3::Procedure::ValuesCollection::iterator::iterator): Teach this that m_values can be slightly sparse.
2986         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
2987         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
2988         (JSC::B3::Procedure::ValuesCollection::iterator::findNext):
2989         (JSC::B3::Procedure::values):
2990         * b3/B3ProcedureInlines.h:
2991         (JSC::B3::Procedure::add): Use addValueIndex() instead of always creating a new index.
2992         * b3/B3ReduceStrength.cpp: Implement the optimization using UseCounts and Effects.
2993
2994 2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>
2995
2996         Web Inspector: Remove unused / duplicate WebSocket timeline records
2997         https://bugs.webkit.org/show_bug.cgi?id=150647
2998
2999         Reviewed by Timothy Hatcher.
3000
3001         * inspector/protocol/Timeline.json:
3002
3003 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
3004
3005         B3::LowerToAir should not duplicate Loads
3006         https://bugs.webkit.org/show_bug.cgi?id=150651
3007
3008         Reviewed by Benjamin Poulain.
3009
3010         The instruction selector may decide to fuse two Values into one. This ordinarily only happens
3011         if we haven't already emitted code that uses the Value and the Value has only one direct
3012         user. Once we have emitted such code, we ensure that everyone knows that we have "locked" the
3013         Value: we won't emit any more code for it in the future.
3014
3015         The optimization to fuse Loads was forgetting to do all of these things, and so generated
3016         code would have a lot of duplicated Loads. That's bad and this change fixes that.
3017
3018         Ordinarily, this is far less tricky because the pattern matcher does this for us via
3019         acceptInternals() and acceptInternalsLate(). I added a comment to this effect. I hope that we
3020         won't need to do this manually very often.
3021
3022         Also found an uninitialized value bug in UseCounts. That was making all of this super hard to
3023         debug.
3024
3025         * b3/B3IndexMap.h:
3026         (JSC::B3::IndexMap::IndexMap):
3027         (JSC::B3::IndexMap::resize):
3028         (JSC::B3::IndexMap::operator[]):
3029         * b3/B3LowerToAir.cpp:
3030         (JSC::B3::Air::LowerToAir::tmp):
3031         (JSC::B3::Air::LowerToAir::canBeInternal):
3032         (JSC::B3::Air::LowerToAir::commitInternal):
3033         (JSC::B3::Air::LowerToAir::effectiveAddr):
3034         (JSC::B3::Air::LowerToAir::loadAddr):
3035         (JSC::B3::Air::LowerToAir::appendBinOp):
3036         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
3037         (JSC::B3::Air::LowerToAir::acceptInternals):
3038         * b3/B3UseCounts.cpp:
3039         (JSC::B3::UseCounts::UseCounts):
3040
3041 2015-10-28  Mark Lam  <mark.lam@apple.com>
3042
3043         JITSubGenerator::generateFastPath() does not need to be inlined.
3044         https://bugs.webkit.org/show_bug.cgi?id=150645
3045
3046         Reviewed by Geoffrey Garen.
3047
3048         Moving it to a .cpp file to reduce code size.  Benchmarks show this to be
3049         perf neutral.
3050
3051         * CMakeLists.txt:
3052         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3053         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3054         * JavaScriptCore.xcodeproj/project.pbxproj:
3055         * ftl/FTLCompile.cpp:
3056         * jit/JITSubGenerator.cpp: Added.
3057         (JSC::JITSubGenerator::generateFastPath):
3058         * jit/JITSubGenerator.h:
3059         (JSC::JITSubGenerator::JITSubGenerator):
3060         (JSC::JITSubGenerator::endJumpList):
3061         (JSC::JITSubGenerator::slowPathJumpList):
3062         (JSC::JITSubGenerator::generateFastPath): Deleted.
3063
3064 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
3065
3066         [B3] handleCommutativity should canonicalize commutative operations over non-constants
3067         https://bugs.webkit.org/show_bug.cgi?id=150649
3068
3069         Reviewed by Saam Barati.
3070
3071         Turn this: Add(value1, value2)
3072         Into this: Add(value2, value1)
3073
3074         But only if value2 should come before value1 according to our total ordering. This will allow
3075         CSE to observe the equality between commuted versions of the same operation, since we will
3076         first canonicalize them into the same order.
3077
3078         * b3/B3ReduceStrength.cpp:
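
Why the canonical operand order matters to CSE, as an added example that is not WebKit code: a syntactic CSE keyed on (opcode, lhs, rhs) misses Add(1, 0) as a duplicate of Add(0, 1) until commutative operands are put in one order. The names (Node, canonicalize, representatives, sampleNodes) are hypothetical, and the total ordering is assumed to be the value's position in the list.

```cpp
// Added illustration: a toy value list, not B3's real classes.
#include <cstdio>
#include <map>
#include <tuple>
#include <utility>
#include <vector>

enum class Opcode { Arg, Add, Sub };

struct Node {
    Opcode op;
    int lhs; // operand index, -1 for Arg
    int rhs; // operand index, -1 for Arg
};
typedef std::vector<Node> Nodes;

static bool isCommutative(Opcode op) { return op == Opcode::Add; }

// Assumed total ordering: position in the list. Commutative nodes get their
// earlier operand first; Sub is not commutative and is left untouched.
static Nodes canonicalize(Nodes nodes) {
    for (Node& n : nodes) {
        if (isCommutative(n.op) && n.rhs < n.lhs)
            std::swap(n.lhs, n.rhs);
    }
    return nodes;
}

// Syntactic CSE: maps each node to the earliest node with an identical
// (opcode, lhs, rhs) key. It knows nothing about commutativity.
static std::vector<int> representatives(const Nodes& nodes) {
    std::map<std::tuple<Opcode, int, int>, int> seen;
    std::vector<int> rep(nodes.size());
    for (int i = 0; i < static_cast<int>(nodes.size()); ++i) {
        const Node& n = nodes[i];
        rep[i] = i;
        if (n.op == Opcode::Arg)
            continue; // every argument is its own value
        std::tuple<Opcode, int, int> key(n.op, n.lhs, n.rhs);
        std::map<std::tuple<Opcode, int, int>, int>::iterator it = seen.find(key);
        if (it != seen.end())
            rep[i] = it->second;
        else
            seen[key] = i;
    }
    return rep;
}

// Constructed sample: two arguments, then Add and Sub in both operand orders.
static Nodes sampleNodes() {
    return Nodes{
        { Opcode::Arg, -1, -1 }, { Opcode::Arg, -1, -1 },
        { Opcode::Add, 0, 1 }, { Opcode::Add, 1, 0 },
        { Opcode::Sub, 0, 1 }, { Opcode::Sub, 1, 0 },
    };
}

int main() {
    std::vector<int> before = representatives(sampleNodes());
    std::vector<int> after = representatives(canonicalize(sampleNodes()));
    std::printf("Add(1,0) maps to %d before and %d after canonicalization\n", before[3], after[3]);
    return 0;
}
```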
3079
3080 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
3081
3082         Unreviewed, fix the build for case sensitive file systems.
3083
3084         * b3/air/AirBasicBlock.h:
3085         * b3/air/AirStackSlot.h:
3086
3087 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
3088
3089         Create a super rough prototype of B3
3090         https://bugs.webkit.org/show_bug.cgi?id=150280
3091
3092         Reviewed by Benjamin Poulain.
3093
3094         This changeset adds the basic scaffolding of the B3 compiler. B3 stands for Bare Bones
3095         Backend. It's a low-level SSA-based language-agnostic compiler. The basic structure allows
3096         for aggressive C-level optimizations and an awesome portable backend. The backend, called
3097         Air (Assembly IR), is a reflective abstraction over our MacroAssembler. The abstraction is
3098         defined using a spec file (AirOpcode.opcodes) which describes the various kinds of
3099         instructions that we wish to support. Then, the B3::LowerToAir phase, which does our
3100         instruction selection, reflectively selects Air opcodes by querying which instruction forms
3101         are possible. Air allows for optimal register allocation and stack layout. Currently the
3102         register allocator isn't written, but the stack layout is.
3103
3104         Of course this isn't done yet. It can only compile simple programs, seen in the "test suite"
3105         called "testb3.cpp". There's a lot of optimizations that have to be written and a lot of
3106         stuff added to the instruction selector. But it's a neat start.
3107
3108         * CMakeLists.txt:
3109         * DerivedSources.make:
3110         * JavaScriptCore.xcodeproj/project.pbxproj:
3111         * assembler/MacroAssembler.cpp:
3112         (WTF::printInternal):
3113         * assembler/MacroAssembler.h:
3114         * b3: Added.
3115         * b3/B3AddressMatcher.patterns: Added.
3116         * b3/B3ArgumentRegValue.cpp: Added.
3117         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
3118         (JSC::B3::ArgumentRegValue::dumpMeta):
3119         * b3/B3ArgumentRegValue.h: Added.
3120         * b3/B3BasicBlock.cpp: Added.
3121         (JSC::B3::BasicBlock::BasicBlock):
3122         (JSC::B3::BasicBlock::~BasicBlock):
3123         (JSC::B3::BasicBlock::append):
3124         (JSC::B3::BasicBlock::addPredecessor):
3125         (JSC::B3::BasicBlock::removePredecessor):
3126         (JSC::B3::BasicBlock::replacePredecessor):
3127         (JSC::B3::BasicBlock::removeNops):
3128         (JSC::B3::BasicBlock::dump):
3129         (JSC::B3::BasicBlock::deepDump):
3130         * b3/B3BasicBlock.h: Added.
3131         (JSC::B3::BasicBlock::index):
3132         (JSC::B3::BasicBlock::begin):
3133         (JSC::B3::BasicBlock::end):
3134         (JSC::B3::BasicBlock::size):
3135         (JSC::B3::BasicBlock::at):
3136         (JSC::B3::BasicBlock::last):
3137         (JSC::B3::BasicBlock::values):
3138         (JSC::B3::BasicBlock::numPredecessors):
3139         (JSC::B3::BasicBlock::predecessor):
3140         (JSC::B3::BasicBlock::predecessors):
3141         (JSC::B3::BasicBlock::frequency):
3142         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
3143         (JSC::B3::DeepBasicBlockDump::dump):
3144         (JSC::B3::deepDump):
3145         * b3/B3BasicBlockInlines.h: Added.
3146         (JSC::B3::BasicBlock::appendNew):
3147         (JSC::B3::BasicBlock::numSuccessors):
3148         (JSC::B3::BasicBlock::successor):
3149         (JSC::B3::BasicBlock::successors):
3150         (JSC::B3::BasicBlock::successorBlock):
3151         (JSC::B3::BasicBlock::successorBlocks):
3152         * b3/B3BasicBlockUtils.h: Added.
3153         (JSC::B3::addPredecessor):
3154         (JSC::B3::removePredecessor):
3155         (JSC::B3::replacePredecessor):
3156         (JSC::B3::resetReachability):
3157         (JSC::B3::blocksInPreOrder):
3158         (JSC::B3::blocksInPostOrder):
3159         * b3/B3BlockWorklist.h: Added.
3160         * b3/B3CheckSpecial.cpp: Added.
3161         (JSC::B3::Air::numB3Args):
3162         (JSC::B3::CheckSpecial::CheckSpecial):
3163         (JSC::B3::CheckSpecial::~CheckSpecial):
3164         (JSC::B3::CheckSpecial::hiddenBranch):
3165         (JSC::B3::CheckSpecial::forEachArg):
3166         (JSC::B3::CheckSpecial::isValid):
3167         (JSC::B3::CheckSpecial::admitsStack):
3168         (JSC::B3::CheckSpecial::generate):
3169         (JSC::B3::CheckSpecial::dumpImpl):
3170         (JSC::B3::CheckSpecial::deepDumpImpl):
3171         * b3/B3CheckSpecial.h: Added.
3172         * b3/B3CheckValue.cpp: Added.
3173         (JSC::B3::CheckValue::~CheckValue):
3174         (JSC::B3::CheckValue::dumpMeta):
3175         * b3/B3CheckValue.h: Added.
3176         * b3/B3Common.cpp: Added.
3177         (JSC::B3::shouldDumpIR):
3178         (JSC::B3::shouldDumpIRAtEachPhase):
3179         (JSC::B3::shouldValidateIR):
3180         (JSC::B3::shouldValidateIRAtEachPhase):
3181         (JSC::B3::shouldSaveIRBeforePhase):
3182         * b3/B3Common.h: Added.
3183         (JSC::B3::is64Bit):
3184         (JSC::B3::is32Bit):
3185         * b3/B3Commutativity.cpp: Added.
3186         (WTF::printInternal):
3187         * b3/B3Commutativity.h: Added.
3188         * b3/B3Const32Value.cpp: Added.
3189         (JSC::B3::Const32Value::~Const32Value):
3190         (JSC::B3::Const32Value::negConstant):
3191         (JSC::B3::Const32Value::addConstant):
3192         (JSC::B3::Const32Value::subConstant):
3193         (JSC::B3::Const32Value::dumpMeta):
3194         * b3/B3Const32Value.h: Added.
3195         * b3/B3Const64Value.cpp: Added.
3196         (JSC::B3::Const64Value::~Const64Value):
3197         (JSC::B3::Const64Value::negConstant):
3198         (JSC::B3::Const64Value::addConstant):
3199         (JSC::B3::Const64Value::subConstant):
3200         (JSC::B3::Const64Value::dumpMeta):
3201         * b3/B3Const64Value.h: Added.
3202         * b3/B3ConstDoubleValue.cpp: Added.
3203         (JSC::B3::ConstDoubleValue::~ConstDoubleValue):
3204         (JSC::B3::ConstDoubleValue::negConstant):
3205         (JSC::B3::ConstDoubleValue::addConstant):
3206         (JSC::B3::ConstDoubleValue::subConstant):
3207         (JSC::B3::ConstDoubleValue::dumpMeta):
3208         * b3/B3ConstDoubleValue.h: Added.
3209         (JSC::B3::ConstDoubleValue::accepts):
3210         (JSC::B3::ConstDoubleValue::value):
3211         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
3212         * b3/B3ConstPtrValue.h: Added.
3213         (JSC::B3::ConstPtrValue::value):
3214         (JSC::B3::ConstPtrValue::ConstPtrValue):
3215         * b3/B3ControlValue.cpp: Added.
3216         (JSC::B3::ControlValue::~ControlValue):
3217         (JSC::B3::ControlValue::dumpMeta):
3218         * b3/B3ControlValue.h: Added.
3219         * b3/B3Effects.cpp: Added.
3220         (JSC::B3::Effects::dump):
3221         * b3/B3Effects.h: Added.
3222         (JSC::B3::Effects::mustExecute):
3223         * b3/B3FrequencyClass.cpp: Added.
3224         (WTF::printInternal):
3225         * b3/B3FrequencyClass.h: Added.
3226         * b3/B3FrequentedBlock.h: Added.
3227         * b3/B3Generate.cpp: Added.
3228         (JSC::B3::generate):
3229         (JSC::B3::generateToAir):
3230         * b3/B3Generate.h: Added.
3231         * b3/B3GenericFrequentedBlock.h: Added.
3232         (JSC::B3::GenericFrequentedBlock::GenericFrequentedBlock):
3233         (JSC::B3::GenericFrequentedBlock::operator==):
3234         (JSC::B3::GenericFrequentedBlock::operator!=):
3235         (JSC::B3::GenericFrequentedBlock::operator bool):
3236         (JSC::B3::GenericFrequentedBlock::block):
3237         (JSC::B3::GenericFrequentedBlock::frequency):
3238         (JSC::B3::GenericFrequentedBlock::dump):
3239         * b3/B3HeapRange.cpp: Added.
3240         (JSC::B3::HeapRange::dump):
3241         * b3/B3HeapRange.h: Added.
3242         (JSC::B3::HeapRange::HeapRange):
3243         (JSC::B3::HeapRange::top):
3244         (JSC::B3::HeapRange::operator==):
3245         (JSC::B3::HeapRange::operator!=):
3246         (JSC::B3::HeapRange::operator bool):
3247         (JSC::B3::HeapRange::begin):
3248         (JSC::B3::HeapRange::end):
3249         (JSC::B3::HeapRange::overlaps):
3250         * b3/B3IndexMap.h: Added.
3251         (JSC::B3::IndexMap::IndexMap):
3252         (JSC::B3::IndexMap::resize):
3253         (JSC::B3::IndexMap::operator[]):
3254         * b3/B3IndexSet.h: Added.
3255         (JSC::B3::IndexSet::IndexSet):
3256         (JSC::B3::IndexSet::add):
3257         (JSC::B3::IndexSet::contains):
3258         (JSC::B3::IndexSet::Iterable::Iterable):
3259         (JSC::B3::IndexSet::Iterable::iterator::iterator):
3260         (JSC::B3::IndexSet::Iterable::iterator::operator*):
3261         (JSC::B3::IndexSet::Iterable::iterator::operator++):
3262         (JSC::B3::IndexSet::Iterable::iterator::operator==):
3263         (JSC::B3::IndexSet::Iterable::iterator::operator!=):
3264         (JSC::B3::IndexSet::Iterable::begin):
3265         (JSC::B3::IndexSet::Iterable::end):
3266         (JSC::B3::IndexSet::values):
3267         (JSC::B3::IndexSet::indices):
3268         (JSC::B3::IndexSet::dump):
3269         * b3/B3InsertionSet.cpp: Added.
3270         (JSC::B3::InsertionSet::execute):
3271         * b3/B3InsertionSet.h: Added.
3272         (JSC::B3::InsertionSet::InsertionSet):
3273         (JSC::B3::InsertionSet::code):
3274         (JSC::B3::InsertionSet::appendInsertion):
3275         (JSC::B3::InsertionSet::insertValue):
3276         * b3/B3InsertionSetInlines.h: Added.
3277         (JSC::B3::InsertionSet::insert):
3278         * b3/B3LowerToAir.cpp: Added.
3279         (JSC::B3::Air::LowerToAir::LowerToAir):
3280         (JSC::B3::Air::LowerToAir::run):
3281         (JSC::B3::Air::LowerToAir::tmp):
3282         (JSC::B3::Air::LowerToAir::effectiveAddr):
3283         (JSC::B3::Air::LowerToAir::addr):
3284         (JSC::B3::Air::LowerToAir::loadAddr):
3285         (JSC::B3::Air::LowerToAir::imm):
3286         (JSC::B3::Air::LowerToAir::immOrTmp):
3287         (JSC::B3::Air::LowerToAir::appendBinOp):
3288         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
3289         (JSC::B3::Air::LowerToAir::moveForType):
3290         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
3291         (JSC::B3::Air::LowerToAir::append):
3292         (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector):
3293         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
3294         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate):
3295         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals):
3296         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate):
3297         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands):
3298         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate):
3299         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1):
3300         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2):
3301         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
3302         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
3303         (JSC::B3::Air::LowerToAir::acceptRoot):
3304         (JSC::B3::Air::LowerToAir::acceptRootLate):
3305         (JSC::B3::Air::LowerToAir::acceptInternals):
3306         (JSC::B3::Air::LowerToAir::acceptInternalsLate):
3307         (JSC::B3::Air::LowerToAir::acceptOperands):
3308         (JSC::B3::Air::LowerToAir::acceptOperandsLate):
3309         (JSC::B3::Air::LowerToAir::tryLoad):
3310         (JSC::B3::Air::LowerToAir::tryAdd):
3311         (JSC::B3::Air::LowerToAir::tryAnd):
3312         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
3313         (JSC::B3::Air::LowerToAir::tryStoreAndLoad):
3314         (JSC::B3::Air::LowerToAir::tryStore):
3315         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg):
3316         (JSC::B3::Air::LowerToAir::tryTrunc):
3317         (JSC::B3::Air::LowerToAir::tryArgumentReg):
3318         (JSC::B3::Air::LowerToAir::tryConst32):
3319         (JSC::B3::Air::LowerToAir::tryConst64):
3320         (JSC::B3::Air::LowerToAir::tryIdentity):
3321         (JSC::B3::Air::LowerToAir::tryReturn):
3322         (JSC::B3::lowerToAir):
3323         * b3/B3LowerToAir.h: Added.
3324         * b3/B3LoweringMatcher.patterns: Added.
3325         * b3/B3MemoryValue.cpp: Added.
3326         (JSC::B3::MemoryValue::~MemoryValue):
3327         (JSC::B3::MemoryValue::dumpMeta):
3328         * b3/B3MemoryValue.h: Added.
3329         * b3/B3Opcode.cpp: Added.
3330         (WTF::printInternal):
3331         * b3/B3Opcode.h: Added.
3332         (JSC::B3::isCheckMath):
3333         * b3/B3Origin.cpp: Added.
3334         (JSC::B3::Origin::dump):
3335         * b3/B3Origin.h: Added.
3336         (JSC::B3::Origin::Origin):
3337         (JSC::B3::Origin::operator bool):
3338         (JSC::B3::Origin::data):
3339         * b3/B3PatchpointSpecial.cpp: Added.
3340         (JSC::B3::PatchpointSpecial::PatchpointSpecial):
3341         (JSC::B3::PatchpointSpecial::~PatchpointSpecial):
3342         (JSC::B3::PatchpointSpecial::forEachArg):
3343         (JSC::B3::PatchpointSpecial::isValid):
3344         (JSC::B3::PatchpointSpecial::admitsStack):
3345         (JSC::B3::PatchpointSpecial::generate):
3346         (JSC::B3::PatchpointSpecial::dumpImpl):
3347         (JSC::B3::PatchpointSpecial::deepDumpImpl):
3348         * b3/B3PatchpointSpecial.h: Added.
3349         * b3/B3PatchpointValue.cpp: Added.
3350         (JSC::B3::PatchpointValue::~PatchpointValue):
3351         (JSC::B3::PatchpointValue::dumpMeta):
3352         * b3/B3PatchpointValue.h: Added.
3353         (JSC::B3::PatchpointValue::accepts):
3354         (JSC::B3::PatchpointValue::PatchpointValue):
3355         * b3/B3PhaseScope.cpp: Added.
3356         (JSC::B3::PhaseScope::PhaseScope):
3357         (JSC::B3::PhaseScope::~PhaseScope):
3358         * b3/B3PhaseScope.h: Added.
3359         * b3/B3Procedure.cpp: Added.
3360         (JSC::B3::Procedure::Procedure):
3361         (JSC::B3::Procedure::~Procedure):
3362         (JSC::B3::Procedure::addBlock):
3363         (JSC::B3::Procedure::resetReachability):
3364         (JSC::B3::Procedure::dump):
3365         (JSC::B3::Procedure::blocksInPreOrder):
3366         (JSC::B3::Procedure::blocksInPostOrder):
3367         * b3/B3Procedure.h: Added.
3368         (JSC::B3::Procedure::size):
3369         (JSC::B3::Procedure::at):
3370         (JSC::B3::Procedure::operator[]):
3371         (JSC::B3::Procedure::iterator::iterator):
3372         (JSC::B3::Procedure::iterator::operator*):
3373         (JSC::B3::Procedure::iterator::operator++):
3374         (JSC::B3::Procedure::iterator::operator==):
3375         (JSC::B3::Procedure::iterator::operator!=):
3376         (JSC::B3::Procedure::iterator::findNext):
3377         (JSC::B3::Procedure::begin):
3378         (JSC::B3::Procedure::end):
3379         (JSC::B3::Procedure::ValuesCollection::ValuesCollection):
3380         (JSC::B3::Procedure::ValuesCollection::iterator::iterator):
3381         (JSC::B3::Procedure::ValuesCollection::iterator::operator*):
3382         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
3383         (JSC::B3::Procedure::ValuesCollection::iterator::operator==):
3384         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):