Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
2
3         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
4         https://bugs.webkit.org/show_bug.cgi?id=156406
5
6         Reviewed by Saam Barati.
7
8         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
9         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
10         then we need to be extra careful:
11
12         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
13            the stack during GC, so that the GC keeps it alive if it's currently running.
14         
15         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
16            the stub routine knows about that object independently of the IC.
17         
18         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
19         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
20         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
21
22         * bytecode/PolymorphicAccess.cpp:
23         (JSC::AccessCase::alternateBase):
24         (JSC::AccessCase::doesCalls):
25         (JSC::AccessCase::couldStillSucceed):
26         (JSC::AccessCase::generate):
27         (JSC::PolymorphicAccess::regenerate):
28         * bytecode/PolymorphicAccess.h:
29         (JSC::AccessCase::customSlotBase):
30         (JSC::AccessCase::isGetter):
31         (JSC::AccessCase::doesCalls): Deleted.
32         * jit/GCAwareJITStubRoutine.cpp:
33         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
34         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
35         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
36         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
37         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
38         (JSC::createJITStubRoutine):
39         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
40         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
41         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
42         * jit/GCAwareJITStubRoutine.h:
43         (JSC::createJITStubRoutine):
44
45 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
46
47         Web Inspector: XHRs and Web Worker scripts are not searchable
48         https://bugs.webkit.org/show_bug.cgi?id=154214
49         <rdar://problem/24643587>
50
51         Reviewed by Timothy Hatcher.
52
53         * inspector/protocol/Page.json:
54         Add optional requestId to search results properties and search
55         parameters for when the frameId and url are not enough. XHR
56         resources, and "Other" resources will use this.
57
58 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
59
60         MIPS: support Signed cond in branchTest32()
61         https://bugs.webkit.org/show_bug.cgi?id=156260
62
63         This is needed since r197688 makes use of it.
64
65         Reviewed by Mark Lam.
66
67         * assembler/MacroAssemblerMIPS.h:
68         (JSC::MacroAssemblerMIPS::branchTest32):
69
70 2016-04-08  Alex Christensen  <achristensen@webkit.org>
71
72         Progress towards running CMake WebKit2 on Mac
73         https://bugs.webkit.org/show_bug.cgi?id=156426
74
75         Reviewed by Tim Horton.
76
77         * PlatformMac.cmake:
78
79 2016-04-08  Saam barati  <sbarati@apple.com>
80
81         Debugger may dereference m_currentCallFrame even after the VM has gone idle
82         https://bugs.webkit.org/show_bug.cgi?id=156413
83
84         Reviewed by Mark Lam.
85
86         There is a bug where the debugger may dereference its m_currentCallFrame
87         pointer after that pointer becomes invalid to read from. This happens like so:
88
89         We may step over an instruction which causes the end of execution for the
90         current program. This causes the VM to exit. Then, we perform a GC which
91         causes us to collect the global object. The global object being collected
92         causes us to detach the debugger. In detaching, we think we still have a 
93         valid m_currentCallFrame, we dereference it, and crash. The solution is to
94         make sure we're paused when dereferencing this pointer inside ::detach().
95
96         * debugger/Debugger.cpp:
97         (JSC::Debugger::detach):
98
99 2016-04-08  Brian Burg  <bburg@apple.com>
100
101         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
102         https://bugs.webkit.org/show_bug.cgi?id=156407
103         <rdar://problem/25627659>
104
105         Reviewed by Timothy Hatcher.
106
107         There's no point having these subclasses as they don't save any space.
108         Add m_stringValue to the union and merge some implementations of writeJSON.
109         Move uses of the subclass to InspectorValue and delete redundant methods.
110         Now, most InspectorValue methods are non-virtual so they can be templated.
111
112         * bindings/ScriptValue.cpp:
113         (Deprecated::jsToInspectorValue):
114         * inspector/InjectedScriptBase.cpp:
115         (Inspector::InjectedScriptBase::makeCall):
116         Don't used deleted subclasses.
117
118         * inspector/InspectorValues.cpp:
119         (Inspector::InspectorValue::null):
120         (Inspector::InspectorValue::create):
121         (Inspector::InspectorValue::asValue):
122         (Inspector::InspectorValue::asBoolean):
123         (Inspector::InspectorValue::asDouble):
124         (Inspector::InspectorValue::asInteger):
125         (Inspector::InspectorValue::asString):
126         These only need one implementation now.
127
128         (Inspector::InspectorValue::writeJSON):
129         Still a virtual method since Object and Array need their members.
130
131         (Inspector::InspectorObjectBase::InspectorObjectBase):
132         (Inspector::InspectorBasicValue::asBoolean): Deleted.
133         (Inspector::InspectorBasicValue::asDouble): Deleted.
134         (Inspector::InspectorBasicValue::asInteger): Deleted.
135         (Inspector::InspectorBasicValue::writeJSON): Deleted.
136         (Inspector::InspectorString::asString): Deleted.
137         (Inspector::InspectorString::writeJSON): Deleted.
138         (Inspector::InspectorString::create): Deleted.
139         (Inspector::InspectorBasicValue::create): Deleted.
140
141         * inspector/InspectorValues.h:
142         (Inspector::InspectorObjectBase::setBoolean):
143         (Inspector::InspectorObjectBase::setInteger):
144         (Inspector::InspectorObjectBase::setDouble):
145         (Inspector::InspectorObjectBase::setString):
146         (Inspector::InspectorArrayBase::pushBoolean):
147         (Inspector::InspectorArrayBase::pushInteger):
148         (Inspector::InspectorArrayBase::pushDouble):
149         (Inspector::InspectorArrayBase::pushString):
150         Use new factory methods.
151
152         * replay/EncodedValue.cpp:
153         (JSC::ScalarEncodingTraits<bool>::encodeValue):
154         (JSC::ScalarEncodingTraits<double>::encodeValue):
155         (JSC::ScalarEncodingTraits<float>::encodeValue):
156         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
157         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
158         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
159         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
160         * replay/EncodedValue.h:
161         Use new factory methods.
162
163 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
164
165         Add IC support for arguments.length
166         https://bugs.webkit.org/show_bug.cgi?id=156389
167
168         Reviewed by Geoffrey Garen.
169         
170         This adds support for caching accesses to arguments.length for both DirectArguments and
171         ScopedArguments. In strict mode, we already cached these accesses since they were just
172         normal properties.
173
174         Amazingly, we also already supported caching of overridden arguments.length in both
175         DirectArguments and ScopedArguments. This is because when you override, the property gets
176         materialized as a normal JS property and the structure is changed.
177         
178         This patch painstakingly preserves our previous caching of overridden length while
179         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
180         the case where it could either be overridden or not, since we just end up with an AccessCase
181         for each and they cascade to each other.
182
183         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
184         Entirely monomorphic accesses were already handled by the DFG.
185
186         * bytecode/PolymorphicAccess.cpp:
187         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
188         (JSC::AccessCase::guardedByStructureCheck):
189         (JSC::AccessCase::generateWithGuard):
190         (JSC::AccessCase::generate):
191         (WTF::printInternal):
192         * bytecode/PolymorphicAccess.h:
193         * jit/ICStats.h:
194         * jit/JITOperations.cpp:
195         * jit/Repatch.cpp:
196         (JSC::tryCacheGetByID):
197         (JSC::tryCachePutByID):
198         (JSC::tryRepatchIn):
199         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
200         (args):
201         (foo):
202         (result.foo):
203
204 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
205
206         UInt32ToNumber should have an Int52 path
207         https://bugs.webkit.org/show_bug.cgi?id=125704
208
209         Reviewed by Filip Pizlo.
210
211         When dealing with big numbers, fall back to Int52 instead
212         of double when possible.
213
214         * dfg/DFGAbstractInterpreterInlines.h:
215         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
216         * dfg/DFGFixupPhase.cpp:
217         (JSC::DFG::FixupPhase::fixupNode):
218         * dfg/DFGPredictionPropagationPhase.cpp:
219         (JSC::DFG::PredictionPropagationPhase::propagate):
220         * dfg/DFGSpeculativeJIT.cpp:
221         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
222         * ftl/FTLLowerDFGToB3.cpp:
223         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
224
225 2016-04-08  Brian Burg  <bburg@apple.com>
226
227         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
228         https://bugs.webkit.org/show_bug.cgi?id=156275
229         <rdar://problem/25569331>
230
231         Reviewed by Darin Adler.
232
233         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
234
235         * inspector/scripts/codegen/models.py:
236         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
237         (TypeReference.referenced_name): Update comment.
238
239         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
240
241         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
242         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
243         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
244
245 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
246
247         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
248         https://bugs.webkit.org/show_bug.cgi?id=156384
249
250         Reviewed by Ryosuke Niwa.
251
252         * Configurations/FeatureDefines.xcconfig:
253         * features.json: Mark as Done.
254         * parser/Parser.cpp:
255         (JSC::Parser<LexerType>::parseExportDeclaration):
256         (JSC::Parser<LexerType>::parseStatementListItem):
257         (JSC::Parser<LexerType>::parsePrimaryExpression):
258         (JSC::Parser<LexerType>::parseMemberExpression):
259
260 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
261
262         Implementing caching transition puts that need to reallocate with indexing storage
263         https://bugs.webkit.org/show_bug.cgi?id=130914
264
265         Reviewed by Saam Barati.
266
267         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
268         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
269         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
270         triggering a barrier.
271
272         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
273         do it now because the hard work is hidden under AccessGenerationState methods. This means
274         that custom accessors now share logic with put_by_id transitions.
275
276         * bytecode/PolymorphicAccess.cpp:
277         (JSC::AccessGenerationState::succeed):
278         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
279         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
280         (JSC::AccessGenerationState::originalCallSiteIndex):
281         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
282         (JSC::AccessCase::AccessCase):
283         (JSC::AccessCase::transition):
284         (JSC::AccessCase::generate):
285         (JSC::PolymorphicAccess::regenerate):
286         * bytecode/PolymorphicAccess.h:
287         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
288         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
289         * dfg/DFGOperations.cpp:
290         * dfg/DFGOperations.h:
291         * jit/JITOperations.cpp:
292         * jit/JITOperations.h:
293
294 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
295
296         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
297         https://bugs.webkit.org/show_bug.cgi?id=156380
298         <rdar://problem/25323727>
299
300         Reviewed by Timothy Hatcher.
301
302         * inspector/remote/RemoteInspector.mm:
303         (Inspector::RemoteInspector::updateTarget):
304         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
305         When a target has been updated and it no longer generates a listing,
306         we should remove the old listing as that is now stale and should
307         not be sent. Not generating a listing means this target is no
308         longer allowed to be debugged.
309
310 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
311
312         Web Inspector: Not necessary to validate webinspectord connection on iOS
313         https://bugs.webkit.org/show_bug.cgi?id=156377
314         <rdar://problem/25612460>
315
316         Reviewed by Simon Fraser.
317
318         * inspector/remote/RemoteInspectorXPCConnection.h:
319         * inspector/remote/RemoteInspectorXPCConnection.mm:
320         (Inspector::RemoteInspectorXPCConnection::handleEvent):
321
322 2016-04-07  Keith Miller  <keith_miller@apple.com>
323
324         Rename ArrayMode::supportsLength to supportsSelfLength
325         https://bugs.webkit.org/show_bug.cgi?id=156374
326
327         Reviewed by Filip Pizlo.
328
329         The name supportsLength is confusing because TypedArray have a
330         length function however it is on the prototype and not on the
331         instance. supportsSelfLength makes more sense since we use the
332         function during fixup to tell if we can intrinsic the length
333         property lookup on self accesses.
334
335         * dfg/DFGArrayMode.h:
336         (JSC::DFG::ArrayMode::supportsSelfLength):
337         (JSC::DFG::ArrayMode::supportsLength): Deleted.
338         * dfg/DFGFixupPhase.cpp:
339         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
340
341 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
342
343         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
344         https://bugs.webkit.org/show_bug.cgi?id=156371
345
346         Reviewed by Timothy Hatcher.
347
348         * inspector/protocol/ScriptProfiler.json:
349         Clarify that these locations are 1-based.
350
351 2016-04-07  Jon Davis  <jond@apple.com>
352
353         Add Web Animations API to Feature Status Page
354         https://bugs.webkit.org/show_bug.cgi?id=156360
355
356         Reviewed by Timothy Hatcher.
357
358         * features.json:
359
360 2016-04-07  Saam barati  <sbarati@apple.com>
361
362         Invalid assertion inside DebuggerScope::getOwnPropertySlot
363         https://bugs.webkit.org/show_bug.cgi?id=156357
364
365         Reviewed by Keith Miller.
366
367         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
368         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
369         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
370         might not always be in a valid state when its getOwnPropertySlot method is called.
371         Therefore, the assertion invalid.
372
373         * debugger/DebuggerScope.cpp:
374         (JSC::DebuggerScope::getOwnPropertySlot):
375
376 2016-04-07  Saam barati  <sbarati@apple.com>
377
378         Initial implementation of annex b.3.3 behavior was incorrect
379         https://bugs.webkit.org/show_bug.cgi?id=156276
380
381         Reviewed by Keith Miller.
382
383         I almost got annex B.3.3 correct in my first implementation.
384         There is a subtlety here I got wrong. We always create a local binding for
385         a function at the very beginning of execution of a block scope. So we
386         hoist function declarations to their local binding within a given
387         block scope. When we actually evaluate the function declaration statement
388         itself, we must lookup the binding in the current scope, and bind the
389         value to the binding in the "var" scope. We perform the following
390         abstract operations when executing a function declaration statement.
391
392         f = lookupBindingInCurrentScope("func")
393         store(varScope, "func", f)
394
395         I got this wrong by performing the store to the var binding at the beginning
396         of the block scope instead of when we evaluate the function declaration statement.
397         This behavior is observable. For example, a program could change the value
398         of "func" before the actual function declaration statement executes.
399         Consider the following two functions:
400         ```
401         function foo1() {
402             // func === undefined
403             {
404                 // typeof func === "function"
405                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
406                 func = 20 // This sets the local "func" binding to 20.
407             }
408             // typeof func === "function"
409         }
410
411         function foo2() {
412             // func === undefined
413             {
414                 // typeof func === "function"
415                 func = 20 // This sets the local "func" binding to 20.
416                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
417             }
418             // func === 20
419         }
420         ```
421
422         * bytecompiler/BytecodeGenerator.cpp:
423         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
424         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
425         * bytecompiler/BytecodeGenerator.h:
426         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
427         * bytecompiler/NodesCodegen.cpp:
428         (JSC::FuncDeclNode::emitBytecode):
429         * tests/stress/sloppy-mode-function-hoisting.js:
430         (test.foo):
431         (test):
432         (test.):
433         (test.bar):
434         (test.switch.case.0):
435         (test.capFoo1):
436         (test.switch.capFoo2):
437         (test.outer):
438         (foo):
439
440 2016-04-07  Alex Christensen  <achristensen@webkit.org>
441
442         Build fix after r199170
443
444         * CMakeLists.txt:
445
446 2016-04-07  Keith Miller  <keith_miller@apple.com>
447
448         We should support the ability to do a non-effectful getById
449         https://bugs.webkit.org/show_bug.cgi?id=156116
450
451         Reviewed by Benjamin Poulain.
452
453         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
454         useful because it enables us to take different code paths based on values that we would
455         otherwise not be able to have knowledge of. This patch adds this new feature called
456         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
457         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
458         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
459         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
460         is null. In theory, if we ever wanted to check for null we could add a sentinal object to
461         the global object that indicates we could not get the result.
462
463         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
464         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
465         get_by_id the same way we would for load and return the value at the appropriate offset.
466         Additionally, in order to make sure the we can properly compare the GetterSetter object
467         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
468         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
469         likely to have little to no impact on memory usage as normal accessors are generally rare.
470
471         * JavaScriptCore.xcodeproj/project.pbxproj:
472         * builtins/BuiltinExecutableCreator.cpp: Added.
473         (JSC::createBuiltinExecutable):
474         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
475         * builtins/BuiltinExecutables.cpp:
476         (JSC::BuiltinExecutables::createDefaultConstructor):
477         (JSC::BuiltinExecutables::createBuiltinExecutable):
478         (JSC::createBuiltinExecutable):
479         (JSC::BuiltinExecutables::createExecutable):
480         (JSC::createExecutableInternal): Deleted.
481         * builtins/BuiltinExecutables.h:
482         * bytecode/BytecodeIntrinsicRegistry.h:
483         * bytecode/BytecodeList.json:
484         * bytecode/BytecodeUseDef.h:
485         (JSC::computeUsesForBytecodeOffset):
486         (JSC::computeDefsForBytecodeOffset):
487         * bytecode/CodeBlock.cpp:
488         (JSC::CodeBlock::dumpBytecode):
489         * bytecode/PolymorphicAccess.cpp:
490         (JSC::AccessCase::tryGet):
491         (JSC::AccessCase::generate):
492         (WTF::printInternal):
493         * bytecode/PolymorphicAccess.h:
494         (JSC::AccessCase::isGet): Deleted.
495         (JSC::AccessCase::isPut): Deleted.
496         (JSC::AccessCase::isIn): Deleted.
497         * bytecode/StructureStubInfo.cpp:
498         (JSC::StructureStubInfo::reset):
499         * bytecode/StructureStubInfo.h:
500         * bytecompiler/BytecodeGenerator.cpp:
501         (JSC::BytecodeGenerator::emitTryGetById):
502         * bytecompiler/BytecodeGenerator.h:
503         * bytecompiler/NodesCodegen.cpp:
504         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
505         * dfg/DFGSpeculativeJIT32_64.cpp:
506         (JSC::DFG::SpeculativeJIT::cachedGetById):
507         * dfg/DFGSpeculativeJIT64.cpp:
508         (JSC::DFG::SpeculativeJIT::cachedGetById):
509         * ftl/FTLLowerDFGToB3.cpp:
510         (JSC::FTL::DFG::LowerDFGToB3::getById):
511         * jit/JIT.cpp:
512         (JSC::JIT::privateCompileMainPass):
513         (JSC::JIT::privateCompileSlowCases):
514         * jit/JIT.h:
515         * jit/JITInlineCacheGenerator.cpp:
516         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
517         * jit/JITInlineCacheGenerator.h:
518         * jit/JITInlines.h:
519         (JSC::JIT::callOperation):
520         * jit/JITOperations.cpp:
521         * jit/JITOperations.h:
522         * jit/JITPropertyAccess.cpp:
523         (JSC::JIT::emitGetByValWithCachedId):
524         (JSC::JIT::emit_op_try_get_by_id):
525         (JSC::JIT::emitSlow_op_try_get_by_id):
526         (JSC::JIT::emit_op_get_by_id):
527         * jit/JITPropertyAccess32_64.cpp:
528         (JSC::JIT::emitGetByValWithCachedId):
529         (JSC::JIT::emit_op_try_get_by_id):
530         (JSC::JIT::emitSlow_op_try_get_by_id):
531         (JSC::JIT::emit_op_get_by_id):
532         * jit/Repatch.cpp:
533         (JSC::repatchByIdSelfAccess):
534         (JSC::appropriateOptimizingGetByIdFunction):
535         (JSC::appropriateGenericGetByIdFunction):
536         (JSC::tryCacheGetByID):
537         (JSC::repatchGetByID):
538         (JSC::resetGetByID):
539         * jit/Repatch.h:
540         * jsc.cpp:
541         (GlobalObject::finishCreation):
542         (functionGetGetterSetter):
543         (functionCreateBuiltin):
544         * llint/LLIntData.cpp:
545         (JSC::LLInt::Data::performAssertions):
546         * llint/LLIntSlowPaths.cpp:
547         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
548         * llint/LLIntSlowPaths.h:
549         * llint/LowLevelInterpreter.asm:
550         * runtime/GetterSetter.cpp:
551         * runtime/GetterSetter.h:
552         * runtime/JSType.h:
553         * runtime/PropertySlot.cpp:
554         (JSC::PropertySlot::getPureResult):
555         * runtime/PropertySlot.h:
556         * runtime/ProxyObject.cpp:
557         (JSC::ProxyObject::getOwnPropertySlotCommon):
558         * tests/stress/try-get-by-id.js: Added.
559         (tryGetByIdText):
560         (getCaller.obj.1.throw.new.Error.let.func):
561         (getCaller.obj.1.throw.new.Error):
562         (throw.new.Error.get let):
563         (throw.new.Error.):
564         (throw.new.Error.let.get createBuiltin):
565         (get let):
566         (let.get createBuiltin):
567         (let.func):
568         (get let.func):
569         (get throw):
570
571 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
572
573         Rationalize the makeSpaceForCCall stuff
574         https://bugs.webkit.org/show_bug.cgi?id=156352
575
576         Reviewed by Mark Lam.
577
578         I want to add more code to PolymorphicAccess that makes C calls, so that I can finally fix
579         https://bugs.webkit.org/show_bug.cgi?id=130914 (allow transition caches to handle indexing
580         headers).
581
582         When trying to understand what it takes to make a C call, I came across code that was making
583         room on the stack for spilled arguments. This logic was guarded with some complicated
584         condition. At first, I tried to just refactor the code so that the same ugly condition
585         wouldn't have to be copy-pasted everywhere that we made C calls. But then I started thinking
586         about the condition, and realized that it was probably wrong: if the outer PolymorphicAccess
587         harness decides to reuse a register for the scratchGPR then the top of the stack will store
588         the old value of scratchGPR, but the condition wouldn't necessarily trigger. So if the call
589         then overwrote something on the stack, we'd have a bad time.
590
591         Making room on the stack for a call is a cheap operation. It's orders of magnitude cheaper
592         than the rest of the call. Therefore, I think that it's best to just unconditionally make
593         room on the stack.
594
595         This patch makes us do just that. I also made the relevant helpers not inline, because I
596         think that we have too many inline methods in our assemblers. Now it's much easier to make
597         C calls from PolymorphicAccess because you just call the AssemblyHelper methods for making
598         space. There are no special conditions or anything like that.
599
600         * bytecode/PolymorphicAccess.cpp:
601         (JSC::AccessCase::generate):
602         * jit/AssemblyHelpers.cpp:
603         (JSC::AssemblyHelpers::emitLoadStructure):
604         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
605         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
606         (JSC::emitRandomThunkImpl):
607         * jit/AssemblyHelpers.h:
608         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall): Deleted.
609         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall): Deleted.
610
611 2016-04-07  Commit Queue  <commit-queue@webkit.org>
612
613         Unreviewed, rolling out r199128 and r199141.
614         https://bugs.webkit.org/show_bug.cgi?id=156348
615
616         Causes crashes on multiple webpages (Requested by keith_mi_ on
617         #webkit).
618
619         Reverted changesets:
620
621         "[ES6] Add support for Symbol.isConcatSpreadable."
622         https://bugs.webkit.org/show_bug.cgi?id=155351
623         http://trac.webkit.org/changeset/199128
624
625         "Unreviewed, uncomment accidentally commented line in test."
626         http://trac.webkit.org/changeset/199141
627
628 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
629
630         Rationalize the handling of PutById transitions a bit
631         https://bugs.webkit.org/show_bug.cgi?id=156330
632
633         Reviewed by Mark Lam.
634
635         * bytecode/PolymorphicAccess.cpp:
636         (JSC::AccessCase::generate): Get rid of the specialized slow calls. We can just use the failAndIgnore jump target. We just need to make sure that we don't make observable effects until we're done with all of the fast path checks.
637         * bytecode/StructureStubInfo.cpp:
638         (JSC::StructureStubInfo::addAccessCase): MadeNoChanges indicates that we should keep trying to repatch. Currently PutById transitions might trigger the case that addAccessCase() sees null, if the transition involves an indexing header. Doing repatching in that case is probably not good. But, we should just fix this the right way eventually.
639
640 2016-04-07  Per Arne Vollan  <peavo@outlook.com>
641
642         [Win] Fix for JSC stress test failures.
643         https://bugs.webkit.org/show_bug.cgi?id=156343
644
645         Reviewed by Filip Pizlo.
646
647         We need to make it clear to MSVC that the method loadPtr(ImplicitAddress address, RegisterID dest)
648         should be used, and not loadPtr(const void* address, RegisterID dest).
649
650         * jit/CCallHelpers.cpp:
651         (JSC::CCallHelpers::setupShadowChickenPacket):
652
653 2016-04-06  Benjamin Poulain  <bpoulain@apple.com>
654
655         [JSC] UInt32ToNumber should be NodeMustGenerate
656         https://bugs.webkit.org/show_bug.cgi?id=156329
657
658         Reviewed by Filip Pizlo.
659
660         It exits on negative numbers on the integer path.
661
662         * dfg/DFGFixupPhase.cpp:
663         (JSC::DFG::FixupPhase::fixupNode):
664         * dfg/DFGNodeType.h:
665
666 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
667
668         Unreviewed, rolling out r199016.
669         https://bugs.webkit.org/show_bug.cgi?id=156140
670
671         "Perf bots are down, so I can't re-land this right now."
672
673         Reverted changeset:
674
675         CopiedBlock should be 16kB
676         https://bugs.webkit.org/show_bug.cgi?id=156168
677         http://trac.webkit.org/changeset/199016
678
679 2016-04-06  Mark Lam  <mark.lam@apple.com>
680
681         String.prototype.match() should be calling internal function RegExpCreate.
682         https://bugs.webkit.org/show_bug.cgi?id=156318
683
684         Reviewed by Filip Pizlo.
685
686         RegExpCreate is not the same as the RegExp constructor.  The current implementation
687         invokes new @RegExp which calls the constructor.  This results in failures in
688         es6/Proxy_internal_get_calls_String.prototype.match.js, and
689         es6/Proxy_internal_get_calls_String.prototype.search.js due to observable side
690         effects.
691
692         This patch fixes this by factoring out the part of the RegExp constructor that
693         makes the RegExpCreate function, and changing String's match and search to call
694         RegExpCreate instead in accordance with the ES6 spec. 
695
696         * builtins/StringPrototype.js:
697         (match):
698         (search):
699         * runtime/CommonIdentifiers.h:
700         * runtime/JSGlobalObject.cpp:
701         (JSC::JSGlobalObject::init):
702         * runtime/RegExpConstructor.cpp:
703         (JSC::toFlags):
704         (JSC::regExpCreate):
705         (JSC::constructRegExp):
706         (JSC::esSpecRegExpCreate):
707         (JSC::constructWithRegExpConstructor):
708         * runtime/RegExpConstructor.h:
709         (JSC::isRegExp):
710
711 2016-04-06  Keith Miller  <keith_miller@apple.com>
712
713         Unreviewed, uncomment accidentally commented line in test.
714
715         * tests/stress/array-concat-spread-object.js:
716
717 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
718
719         JSC should have a simple way of gathering IC statistics
720         https://bugs.webkit.org/show_bug.cgi?id=156317
721
722         Reviewed by Benjamin Poulain.
723
724         This adds a cheap, runtime-enabled way of gathering statistics about why we take the slow
725         paths for inline caches. This is complementary to our existing bytecode profiler. Eventually
726         we may want to combine the two things.
727         
728         This is not a slow-down on anything because we only do extra work on IC slow paths and if
729         it's disabled it's just a load-and-branch to skip the stats gathering code.
730
731         * CMakeLists.txt:
732         * JavaScriptCore.xcodeproj/project.pbxproj:
733         * jit/ICStats.cpp: Added.
734         * jit/ICStats.h: Added.
735         * jit/JITOperations.cpp:
736         * runtime/JSCJSValue.h:
737         * runtime/JSCJSValueInlines.h:
738         (JSC::JSValue::inherits):
739         (JSC::JSValue::classInfoOrNull):
740         (JSC::JSValue::toThis):
741         * runtime/Options.h:
742
743 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
744
745         32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
746         https://bugs.webkit.org/show_bug.cgi?id=156292
747
748         Reviewed by Benjamin Poulain.
749
750         Make sure that we stash the callsite index before calling operationReallocateStorageAndFinishPut.
751
752         * bytecode/PolymorphicAccess.cpp:
753         (JSC::AccessCase::generate):
754
755 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
756
757         JSC test stress/arrowfunction-lexical-bind-superproperty.js failing
758         https://bugs.webkit.org/show_bug.cgi?id=156309
759
760         Reviewed by Saam Barati.
761
762         Just be honest about the fact that the ArgumentCount and Callee parts of inline callframe runtime
763         meta-data can be read at any time.
764         
765         We only have to say this for the inline callframe forms of ArgumentCount and Callee because we don't
766         sink any part of the machine prologue. This change just prevents us from sinking the pseudoprologue
767         of inlined varargs or closure calls.
768
769         Shockingly, this is not a regression on anything.
770
771         * dfg/DFGClobberize.h:
772         (JSC::DFG::clobberize):
773
774 2016-03-29  Keith Miller  <keith_miller@apple.com>
775
776         [ES6] Add support for Symbol.isConcatSpreadable.
777         https://bugs.webkit.org/show_bug.cgi?id=155351
778
779         Reviewed by Saam Barati.
780
781         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
782         Array.prototype.concat function to JS. A number of different optimizations were needed to make such the move to
783         a builtin performant. First, four new DFG intrinsics were added.
784
785         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
786            the Array.isArray function.
787         2) IsJSArray: checks the first child is a JSArray object.
788         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
789         4) CallObjectConstructor: an intrinsic of the Object constructor.
790
791         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
792         we are able to prove that the first child is an Array or for ToObject an Object.
793
794         In order to further improve the perfomance we also now cover more indexing types in our fast path memcpy
795         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
796         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
797         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
798         into a contiguous array).
799
800         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
801         values onto the result array. This works roughly the same as the two array fast path using the same methodology
802         to decide if we can memcpy the other butterfly into the result butterfly.
803
804         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
805         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
806         dataLog function on it.
807
808         Finally, this patch add a new constructor to JSValueRegsTemporary that allows it to reuse the the registers of a
809         JSValueOperand if the operand's use count is one.
810
811         * JavaScriptCore.xcodeproj/project.pbxproj:
812         * builtins/ArrayPrototype.js:
813         (concatSlowPath):
814         (concat):
815         * bytecode/BytecodeIntrinsicRegistry.cpp:
816         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
817         * bytecode/BytecodeIntrinsicRegistry.h:
818         * dfg/DFGAbstractInterpreterInlines.h:
819         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
820         * dfg/DFGByteCodeParser.cpp:
821         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
822         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
823         * dfg/DFGClobberize.h:
824         (JSC::DFG::clobberize):
825         * dfg/DFGDoesGC.cpp:
826         (JSC::DFG::doesGC):
827         * dfg/DFGFixupPhase.cpp:
828         (JSC::DFG::FixupPhase::fixupNode):
829         * dfg/DFGNodeType.h:
830         * dfg/DFGOperations.cpp:
831         * dfg/DFGOperations.h:
832         * dfg/DFGPredictionPropagationPhase.cpp:
833         (JSC::DFG::PredictionPropagationPhase::propagate):
834         * dfg/DFGSafeToExecute.h:
835         (JSC::DFG::safeToExecute):
836         * dfg/DFGSpeculativeJIT.cpp:
837         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
838         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
839         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
840         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
841         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
842         * dfg/DFGSpeculativeJIT.h:
843         (JSC::DFG::SpeculativeJIT::callOperation):
844         * dfg/DFGSpeculativeJIT32_64.cpp:
845         (JSC::DFG::SpeculativeJIT::compile):
846         * dfg/DFGSpeculativeJIT64.cpp:
847         (JSC::DFG::SpeculativeJIT::compile):
848         * ftl/FTLCapabilities.cpp:
849         (JSC::FTL::canCompile):
850         * ftl/FTLLowerDFGToB3.cpp:
851         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
852         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
853         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
854         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
855         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
856         (JSC::FTL::DFG::LowerDFGToB3::isArray):
857         * jit/JITOperations.h:
858         * jsc.cpp:
859         (WTF::RuntimeArray::createStructure):
860         (GlobalObject::finishCreation):
861         (functionDebug):
862         (functionDataLogValue):
863         * runtime/ArrayConstructor.cpp:
864         (JSC::ArrayConstructor::finishCreation):
865         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
866         * runtime/ArrayConstructor.h:
867         (JSC::isArrayConstructor):
868         * runtime/ArrayPrototype.cpp:
869         (JSC::ArrayPrototype::finishCreation):
870         (JSC::arrayProtoPrivateFuncIsJSArray):
871         (JSC::moveElements):
872         (JSC::arrayProtoPrivateFuncConcatMemcpy):
873         (JSC::arrayProtoPrivateFuncAppendMemcpy):
874         (JSC::arrayProtoFuncConcat): Deleted.
875         * runtime/ArrayPrototype.h:
876         (JSC::ArrayPrototype::createStructure):
877         * runtime/CommonIdentifiers.h:
878         * runtime/Intrinsic.h:
879         * runtime/JSArray.cpp:
880         (JSC::JSArray::appendMemcpy):
881         (JSC::JSArray::fastConcatWith): Deleted.
882         * runtime/JSArray.h:
883         (JSC::JSArray::createStructure):
884         (JSC::JSArray::fastConcatType): Deleted.
885         * runtime/JSArrayInlines.h: Added.
886         (JSC::JSArray::memCopyWithIndexingType):
887         (JSC::JSArray::canFastCopy):
888         * runtime/JSGlobalObject.cpp:
889         (JSC::JSGlobalObject::init):
890         * runtime/JSType.h:
891         * runtime/ObjectConstructor.h:
892         (JSC::constructObject):
893         * tests/es6.yaml:
894         * tests/stress/array-concat-spread-object.js: Added.
895         (arrayEq):
896         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
897         (arrayEq):
898         * tests/stress/array-concat-spread-proxy.js: Added.
899         (arrayEq):
900         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
901         (arrayEq):
902         * tests/stress/array-species-config-array-constructor.js:
903
904 2016-04-06  Commit Queue  <commit-queue@webkit.org>
905
906         Unreviewed, rolling out r199070.
907         https://bugs.webkit.org/show_bug.cgi?id=156324
908
909         "It didn't fix the timeout" (Requested by saamyjoon on
910         #webkit).
911
912         Reverted changeset:
913
914         "jsc-layout-tests.yaml/js/script-tests/regress-141098.js
915         failing on Yosemite Debug after r198989"
916         https://bugs.webkit.org/show_bug.cgi?id=156187
917         http://trac.webkit.org/changeset/199070
918
919 2016-04-06  Geoffrey Garen  <ggaren@apple.com>
920
921         Unreviewed, rolling in r199016.
922         https://bugs.webkit.org/show_bug.cgi?id=156140
923
924         It might work this time without regression because 16kB aligned requests
925         now take the allocation fast path.
926
927         Restored changeset:
928
929         CopiedBlock should be 16kB
930         https://bugs.webkit.org/show_bug.cgi?id=156168
931         http://trac.webkit.org/changeset/199016
932
933 2016-04-06  Mark Lam  <mark.lam@apple.com>
934
935         Update es6.yaml to expect es6/Proxy_internal_get_calls_RegExp_constructor.js to pass.
936         https://bugs.webkit.org/show_bug.cgi?id=156314
937
938         Reviewed by Saam Barati.
939
940         * tests/es6.yaml:
941
942 2016-04-06  Commit Queue  <commit-queue@webkit.org>
943
944         Unreviewed, rolling out r199104.
945         https://bugs.webkit.org/show_bug.cgi?id=156301
946
947         Still breaks internal builds (Requested by keith_miller on
948         #webkit).
949
950         Reverted changeset:
951
952         "We should support the ability to do a non-effectful getById"
953         https://bugs.webkit.org/show_bug.cgi?id=156116
954         http://trac.webkit.org/changeset/199104
955
956 2016-04-06  Keith Miller  <keith_miller@apple.com>
957
958         RegExp constructor should use Symbol.match and other properties
959         https://bugs.webkit.org/show_bug.cgi?id=155873
960
961         Reviewed by Michael Saboff.
962
963         This patch updates the behavior of the RegExp constructor. Now the constructor
964         should get the Symbol.match property and check if it exists to decide if something
965         should be constructed like a regexp object.
966
967         * runtime/RegExpConstructor.cpp:
968         (JSC::toFlags):
969         (JSC::constructRegExp):
970         (JSC::constructWithRegExpConstructor):
971         (JSC::callRegExpConstructor):
972         * runtime/RegExpConstructor.h:
973         * tests/stress/regexp-constructor.js: Added.
974         (assert):
975         (throw.new.Error.get let):
976         (throw.new.Error.):
977         (throw.new.Error.get re):
978
979 2016-04-06  Keith Miller  <keith_miller@apple.com>
980
981         We should support the ability to do a non-effectful getById
982         https://bugs.webkit.org/show_bug.cgi?id=156116
983
984         Reviewed by Benjamin Poulain.
985
986         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
987         useful because it enables us to take different code paths based on values that we would
988         otherwise not be able to have knowledge of. This patch adds this new feature called
989         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
990         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
991         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
992         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
993         is null. In theory, if we ever wanted to check for null we could add a sentinal object to
994         the global object that indicates we could not get the result.
995
996         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
997         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
998         get_by_id the same way we would for load and return the value at the appropriate offset.
999         Additionally, in order to make sure the we can properly compare the GetterSetter object
1000         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
1001         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
1002         likely to have little to no impact on memory usage as normal accessors are generally rare.
1003
1004         * builtins/BuiltinExecutables.cpp:
1005         (JSC::BuiltinExecutables::createDefaultConstructor):
1006         (JSC::BuiltinExecutables::createBuiltinExecutable):
1007         (JSC::createBuiltinExecutable):
1008         (JSC::BuiltinExecutables::createExecutable):
1009         (JSC::createExecutableInternal): Deleted.
1010         * builtins/BuiltinExecutables.h:
1011         * bytecode/BytecodeIntrinsicRegistry.h:
1012         * bytecode/BytecodeList.json:
1013         * bytecode/BytecodeUseDef.h:
1014         (JSC::computeUsesForBytecodeOffset):
1015         (JSC::computeDefsForBytecodeOffset):
1016         * bytecode/CodeBlock.cpp:
1017         (JSC::CodeBlock::dumpBytecode):
1018         * bytecode/PolymorphicAccess.cpp:
1019         (JSC::AccessCase::tryGet):
1020         (JSC::AccessCase::generate):
1021         (WTF::printInternal):
1022         * bytecode/PolymorphicAccess.h:
1023         (JSC::AccessCase::isGet): Deleted.
1024         (JSC::AccessCase::isPut): Deleted.
1025         (JSC::AccessCase::isIn): Deleted.
1026         * bytecode/StructureStubInfo.cpp:
1027         (JSC::StructureStubInfo::reset):
1028         * bytecode/StructureStubInfo.h:
1029         * bytecompiler/BytecodeGenerator.cpp:
1030         (JSC::BytecodeGenerator::emitTryGetById):
1031         * bytecompiler/BytecodeGenerator.h:
1032         * bytecompiler/NodesCodegen.cpp:
1033         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
1034         * dfg/DFGSpeculativeJIT32_64.cpp:
1035         (JSC::DFG::SpeculativeJIT::cachedGetById):
1036         * dfg/DFGSpeculativeJIT64.cpp:
1037         (JSC::DFG::SpeculativeJIT::cachedGetById):
1038         * ftl/FTLLowerDFGToB3.cpp:
1039         (JSC::FTL::DFG::LowerDFGToB3::getById):
1040         * jit/JIT.cpp:
1041         (JSC::JIT::privateCompileMainPass):
1042         (JSC::JIT::privateCompileSlowCases):
1043         * jit/JIT.h:
1044         * jit/JITInlineCacheGenerator.cpp:
1045         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1046         * jit/JITInlineCacheGenerator.h:
1047         * jit/JITInlines.h:
1048         (JSC::JIT::callOperation):
1049         * jit/JITOperations.cpp:
1050         * jit/JITOperations.h:
1051         * jit/JITPropertyAccess.cpp:
1052         (JSC::JIT::emitGetByValWithCachedId):
1053         (JSC::JIT::emit_op_try_get_by_id):
1054         (JSC::JIT::emitSlow_op_try_get_by_id):
1055         (JSC::JIT::emit_op_get_by_id):
1056         * jit/JITPropertyAccess32_64.cpp:
1057         (JSC::JIT::emitGetByValWithCachedId):
1058         (JSC::JIT::emit_op_try_get_by_id):
1059         (JSC::JIT::emitSlow_op_try_get_by_id):
1060         (JSC::JIT::emit_op_get_by_id):
1061         * jit/Repatch.cpp:
1062         (JSC::repatchByIdSelfAccess):
1063         (JSC::appropriateOptimizingGetByIdFunction):
1064         (JSC::appropriateGenericGetByIdFunction):
1065         (JSC::tryCacheGetByID):
1066         (JSC::repatchGetByID):
1067         (JSC::resetGetByID):
1068         * jit/Repatch.h:
1069         * jsc.cpp:
1070         (GlobalObject::finishCreation):
1071         (functionGetGetterSetter):
1072         (functionCreateBuiltin):
1073         * llint/LLIntData.cpp:
1074         (JSC::LLInt::Data::performAssertions):
1075         * llint/LLIntSlowPaths.cpp:
1076         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1077         * llint/LLIntSlowPaths.h:
1078         * llint/LowLevelInterpreter.asm:
1079         * runtime/GetterSetter.cpp:
1080         * runtime/GetterSetter.h:
1081         * runtime/JSType.h:
1082         * runtime/PropertySlot.cpp:
1083         (JSC::PropertySlot::getPureResult):
1084         * runtime/PropertySlot.h:
1085         * runtime/ProxyObject.cpp:
1086         (JSC::ProxyObject::getOwnPropertySlotCommon):
1087         * tests/stress/try-get-by-id.js: Added.
1088         (tryGetByIdText):
1089         (getCaller.obj.1.throw.new.Error.let.func):
1090         (getCaller.obj.1.throw.new.Error):
1091         (throw.new.Error.get let):
1092         (throw.new.Error.):
1093         (throw.new.Error.let.get createBuiltin):
1094         (get let):
1095         (let.get createBuiltin):
1096         (let.func):
1097         (get let.func):
1098         (get throw):
1099
1100 2016-04-05  Chris Dumez  <cdumez@apple.com>
1101
1102         Add support for [EnabledAtRuntime] operations on DOMWindow
1103         https://bugs.webkit.org/show_bug.cgi?id=156272
1104
1105         Reviewed by Alex Christensen.
1106
1107         Add identifier for 'fetch' so it can be used from the generated
1108         bindings.
1109
1110         * runtime/CommonIdentifiers.h:
1111
1112 2016-04-05  Alex Christensen  <achristensen@webkit.org>
1113
1114         Make CMake-generated binaries on Mac able to run
1115         https://bugs.webkit.org/show_bug.cgi?id=156268
1116
1117         Reviewed by Daniel Bates.
1118
1119         * CMakeLists.txt:
1120
1121 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1122
1123         Improve some other cases of context-sensitive inlining
1124         https://bugs.webkit.org/show_bug.cgi?id=156277
1125
1126         Reviewed by Benjamin Poulain.
1127         
1128         This implements some improvements for inlining:
1129
1130         - We no longer do guarded inlining when the profiling doesn't come from a stub. Doing so would have
1131           been risky, and according to benchmarks, it wasn't common enough to matter. I think it's better to
1132           err on the side of not inlining.
1133         
1134         - The jneq_ptr pattern for variadic calls no longer breaks the basic block. Not breaking the block
1135           increases the chances of the parser seeing the callee constant. While inlining doesn't require a
1136           callee constant, sometimes it makes a difference. Note that we were previously breaking the block
1137           for no reason at all: if the boundary after jneq_ptr is a jump target from some other jump, then
1138           the parser will automatically break the block for us. There is no reason to add any block breaking
1139           ourselves since we implement jneq_ptr by ignoring the affirmative jump destination and inserting a
1140           check and falling through.
1141         
1142         - get_by_id handling now tries to apply some common sense to its status object. In particular, if
1143           the source is a NewObject and there was no interfering operation that could clobber the structure,
1144           then we know which case of a polymorphic GetByIdStatus we would take. This arises in some
1145           constructor patterns.
1146         
1147         Long term, we should address all of these cases comprehensively by having a late inliner. The inliner
1148         being part of the bytecode parser means that there is a lot of complexity in the parser and it
1149         prevents us from inlining upon learning new information from static analysis. But for now, I think
1150         it's fine to experiment with one-off hacks, if only to learn what the possibilities are.
1151         
1152         This is a 14% speed-up on Octane/raytrace.
1153
1154         * bytecode/CallLinkStatus.cpp:
1155         (JSC::CallLinkStatus::dump):
1156         * bytecode/CallLinkStatus.h:
1157         (JSC::CallLinkStatus::couldTakeSlowPath):
1158         (JSC::CallLinkStatus::setCouldTakeSlowPath):
1159         (JSC::CallLinkStatus::variants):
1160         (JSC::CallLinkStatus::size):
1161         (JSC::CallLinkStatus::at):
1162         * bytecode/GetByIdStatus.cpp:
1163         (JSC::GetByIdStatus::makesCalls):
1164         (JSC::GetByIdStatus::filter):
1165         (JSC::GetByIdStatus::dump):
1166         * bytecode/GetByIdStatus.h:
1167         (JSC::GetByIdStatus::wasSeenInJIT):
1168         * dfg/DFGByteCodeParser.cpp:
1169         (JSC::DFG::ByteCodeParser::handleCall):
1170         (JSC::DFG::ByteCodeParser::refineStatically):
1171         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1172         (JSC::DFG::ByteCodeParser::handleInlining):
1173         (JSC::DFG::ByteCodeParser::handleGetById):
1174         (JSC::DFG::ByteCodeParser::parseBlock):
1175         * runtime/Options.h:
1176
1177 2016-04-05  Saam barati  <sbarati@apple.com>
1178
1179         JSC SamplingProfiler: Use a thread + sleep loop instead of WTF::WorkQueue for taking samples
1180         https://bugs.webkit.org/show_bug.cgi?id=154017
1181
1182         Reviewed by Geoffrey Garen.
1183
1184         By moving to an explicitly created seperate thread + sample-then-sleep
1185         loop, we can remove a lot of the crufty code around WorkQueue.
1186         We're also getting sample rates that are much closer to what we're
1187         asking the OS for. When the sampling handler was built off of WorkQueue,
1188         we'd often get sample rates much higher than the 1ms we asked for. On Kraken,
1189         we would average about 1.7ms sample rates, even though we'd ask for a 1ms rate.
1190         Now, on Kraken, we're getting about 1.2ms rates. Because we're getting
1191         higher rates, this patch is a performance regression. It's slower because
1192         we're sampling more frequently.
1193
1194         Before this patch, the sampling profiler had the following overhead:
1195         - 10% on Kraken
1196         - 12% on octane
1197         - 15% on AsmBench
1198
1199         With this patch, the sampling profiler has the following overhead:
1200         - 16% on Kraken
1201         - 17% on Octane
1202         - 30% on AsmBench
1203
1204         Comparatively, this new patch has the following overhead over the old sampling profiler:
1205         - 5% on Kraken
1206         - 3.5% on Octane
1207         - 13% slower on AsmBench
1208
1209         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1210         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1211         * runtime/SamplingProfiler.cpp:
1212         (JSC::SamplingProfiler::SamplingProfiler):
1213         (JSC::SamplingProfiler::~SamplingProfiler):
1214         (JSC::SamplingProfiler::createThreadIfNecessary):
1215         (JSC::SamplingProfiler::timerLoop):
1216         (JSC::SamplingProfiler::takeSample):
1217         (JSC::tryGetBytecodeIndex):
1218         (JSC::SamplingProfiler::shutdown):
1219         (JSC::SamplingProfiler::start):
1220         (JSC::SamplingProfiler::pause):
1221         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1222         (JSC::SamplingProfiler::noticeJSLockAcquisition):
1223         (JSC::SamplingProfiler::noticeVMEntry):
1224         (JSC::SamplingProfiler::clearData):
1225         (JSC::SamplingProfiler::stop): Deleted.
1226         (JSC::SamplingProfiler::dispatchIfNecessary): Deleted.
1227         (JSC::SamplingProfiler::dispatchFunction): Deleted.
1228         * runtime/SamplingProfiler.h:
1229         (JSC::SamplingProfiler::setTimingInterval):
1230         (JSC::SamplingProfiler::setStopWatch):
1231         * runtime/VM.cpp:
1232         (JSC::VM::VM):
1233
1234 2016-04-05  Commit Queue  <commit-queue@webkit.org>
1235
1236         Unreviewed, rolling out r199073.
1237         https://bugs.webkit.org/show_bug.cgi?id=156261
1238
1239         This change broke internal Mac builds (Requested by ryanhaddad
1240         on #webkit).
1241
1242         Reverted changeset:
1243
1244         "We should support the ability to do a non-effectful getById"
1245         https://bugs.webkit.org/show_bug.cgi?id=156116
1246         http://trac.webkit.org/changeset/199073
1247
1248 2016-04-05  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1249
1250         [Fetch API] Add a runtime flag to fetch API and related constructs
1251         https://bugs.webkit.org/show_bug.cgi?id=156113
1252  
1253         Reviewed by Alex Christensen.
1254
1255         Add a fetch API runtime flag based on preferences.
1256         Disable fetch API by default.
1257  
1258         * runtime/CommonIdentifiers.h:
1259
1260 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1261
1262         Unreviewed, fix cloop some more.
1263
1264         * runtime/RegExpInlines.h:
1265         (JSC::RegExp::hasCodeFor):
1266         (JSC::RegExp::hasMatchOnlyCodeFor):
1267
1268 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
1269
1270         Unreviewed, fix cloop.
1271
1272         * jit/CCallHelpers.cpp:
1273
1274 2016-03-18  Filip Pizlo  <fpizlo@apple.com>
1275
1276         JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
1277         https://bugs.webkit.org/show_bug.cgi?id=155598
1278
1279         Reviewed by Saam Barati.
1280         
1281         JSC is the first JSVM to have proper tail calls. This means that error.stack and the
1282         debugger will appear to "delete" strict mode stack frames, if the call that this frame made
1283         was in tail position. This is exactly what functional programmers expect - they don't want
1284         the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
1285         using tail calls. It's also something that non-functional programmers fear. It's not clear
1286         that tail-deleted frames would actually degrade the debugging experience, but the fear is
1287         real, so it's worthwhile to do something about it.
1288
1289         It turns out that there is at least one tail call implementation that doesn't suffer from
1290         this problem. It implements proper tail calls in the sense that you won't run out of memory
1291         by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
1292         long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
1293         favorite hacks:
1294         
1295         http://www.more-magic.net/posts/internals-gc.html
1296
1297         CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
1298         one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
1299         frame only once we proved that there was insufficient memory to keep it around.
1300         
1301         CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
1302         can have arbitrary native code, and that native code does not have relocatable stack frames.
1303         
1304         But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
1305         VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
1306         information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
1307         layout. The main stack can then continue to obey ABI rules.
1308
1309         This patch implements a mechanism for being able to display stack traces that include
1310         tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
1311         frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
1312         This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.
1313         
1314         ShadowChicken is always on, but individual CodeBlocks may make their own choices about
1315         whether to opt into it. They will do that at bytecompile time based on the debugger mode on
1316         their global object.
1317
1318         When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
1319         in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
1320         minor.
1321
1322         When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
1323         this all the time, but it's low enough to justify enabling in the Inspector. It's currently
1324         enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
1325         debugger is on.
1326
1327         Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
1328         no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
1329         disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
1330         hacked to do it yet. Native frames fall into this category, as do the VM entry frames.
1331
1332         This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
1333         just makes a ShadowChicken stack walk function available to jsc. It's used from the
1334         shadow-chicken tests.
1335
1336         * API/JSContextRef.cpp:
1337         (BacktraceFunctor::BacktraceFunctor):
1338         (BacktraceFunctor::operator()):
1339         (JSContextCreateBacktrace):
1340         * CMakeLists.txt:
1341         * JavaScriptCore.xcodeproj/project.pbxproj:
1342         * bytecode/BytecodeList.json:
1343         * bytecode/BytecodeUseDef.h:
1344         (JSC::computeUsesForBytecodeOffset):
1345         (JSC::computeDefsForBytecodeOffset):
1346         * bytecode/CodeBlock.cpp:
1347         (JSC::CodeBlock::dumpBytecode):
1348         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
1349         (JSC::RecursionCheckFunctor::operator()):
1350         (JSC::CodeBlock::noticeIncomingCall):
1351         * bytecompiler/BytecodeGenerator.cpp:
1352         (JSC::BytecodeGenerator::emitEnter):
1353         (JSC::BytecodeGenerator::emitCallInTailPosition):
1354         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1355         (JSC::BytecodeGenerator::emitCallVarargs):
1356         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1357         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1358         (JSC::BytecodeGenerator::emitCallDefineProperty):
1359         * bytecompiler/BytecodeGenerator.h:
1360         * debugger/DebuggerCallFrame.cpp:
1361         (JSC::LineAndColumnFunctor::operator()):
1362         (JSC::LineAndColumnFunctor::column):
1363         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
1364         (JSC::FindCallerMidStackFunctor::operator()):
1365         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1366         * dfg/DFGAbstractInterpreterInlines.h:
1367         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1368         * dfg/DFGByteCodeParser.cpp:
1369         (JSC::DFG::ByteCodeParser::parseBlock):
1370         * dfg/DFGClobberize.h:
1371         (JSC::DFG::clobberize):
1372         * dfg/DFGDoesGC.cpp:
1373         (JSC::DFG::doesGC):
1374         * dfg/DFGFixupPhase.cpp:
1375         (JSC::DFG::FixupPhase::fixupNode):
1376         * dfg/DFGNodeType.h:
1377         * dfg/DFGPredictionPropagationPhase.cpp:
1378         (JSC::DFG::PredictionPropagationPhase::propagate):
1379         * dfg/DFGSafeToExecute.h:
1380         (JSC::DFG::safeToExecute):
1381         * dfg/DFGSpeculativeJIT32_64.cpp:
1382         (JSC::DFG::SpeculativeJIT::compile):
1383         * dfg/DFGSpeculativeJIT64.cpp:
1384         (JSC::DFG::SpeculativeJIT::compile):
1385         * ftl/FTLAbstractHeapRepository.cpp:
1386         * ftl/FTLAbstractHeapRepository.h:
1387         * ftl/FTLCapabilities.cpp:
1388         (JSC::FTL::canCompile):
1389         * ftl/FTLLowerDFGToB3.cpp:
1390         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1391         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1392         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1393         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1394         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1395         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1396         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
1397         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1398         * heap/Heap.cpp:
1399         (JSC::Heap::markRoots):
1400         (JSC::Heap::visitSamplingProfiler):
1401         (JSC::Heap::visitShadowChicken):
1402         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1403         (JSC::Heap::collectImpl):
1404         * heap/Heap.h:
1405         * inspector/ScriptCallStackFactory.cpp:
1406         (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
1407         (Inspector::CreateScriptCallStackFunctor::operator()):
1408         (Inspector::createScriptCallStack):
1409         * interpreter/CallFrame.h:
1410         (JSC::ExecState::iterate):
1411         * interpreter/Interpreter.cpp:
1412         (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
1413         (JSC::DumpRegisterFunctor::operator()):
1414         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1415         (JSC::GetStackTraceFunctor::operator()):
1416         (JSC::Interpreter::getStackTrace):
1417         (JSC::GetCatchHandlerFunctor::handler):
1418         (JSC::GetCatchHandlerFunctor::operator()):
1419         (JSC::notifyDebuggerOfUnwinding):
1420         (JSC::UnwindFunctor::UnwindFunctor):
1421         (JSC::UnwindFunctor::operator()):
1422         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
1423         * interpreter/ShadowChicken.cpp: Added.
1424         (JSC::ShadowChicken::Packet::dump):
1425         (JSC::ShadowChicken::Frame::dump):
1426         (JSC::ShadowChicken::ShadowChicken):
1427         (JSC::ShadowChicken::~ShadowChicken):
1428         (JSC::ShadowChicken::log):
1429         (JSC::ShadowChicken::update):
1430         (JSC::ShadowChicken::visitChildren):
1431         (JSC::ShadowChicken::reset):
1432         (JSC::ShadowChicken::dump):
1433         (JSC::ShadowChicken::functionsOnStack):
1434         * interpreter/ShadowChicken.h: Added.
1435         (JSC::ShadowChicken::Packet::Packet):
1436         (JSC::ShadowChicken::Packet::tailMarker):
1437         (JSC::ShadowChicken::Packet::throwMarker):
1438         (JSC::ShadowChicken::Packet::prologue):
1439         (JSC::ShadowChicken::Packet::tail):
1440         (JSC::ShadowChicken::Packet::throwPacket):
1441         (JSC::ShadowChicken::Packet::operator bool):
1442         (JSC::ShadowChicken::Packet::isPrologue):
1443         (JSC::ShadowChicken::Packet::isTail):
1444         (JSC::ShadowChicken::Packet::isThrow):
1445         (JSC::ShadowChicken::Frame::Frame):
1446         (JSC::ShadowChicken::Frame::operator==):
1447         (JSC::ShadowChicken::Frame::operator!=):
1448         (JSC::ShadowChicken::log):
1449         (JSC::ShadowChicken::logSize):
1450         (JSC::ShadowChicken::addressOfLogCursor):
1451         (JSC::ShadowChicken::logEnd):
1452         * interpreter/ShadowChickenInlines.h: Added.
1453         (JSC::ShadowChicken::iterate):
1454         * interpreter/StackVisitor.h:
1455         (JSC::StackVisitor::Frame::callee):
1456         (JSC::StackVisitor::Frame::codeBlock):
1457         (JSC::StackVisitor::Frame::bytecodeOffset):
1458         (JSC::StackVisitor::Frame::inlineCallFrame):
1459         (JSC::StackVisitor::Frame::isJSFrame):
1460         (JSC::StackVisitor::Frame::isInlinedFrame):
1461         (JSC::StackVisitor::visit):
1462         * jit/CCallHelpers.cpp: Added.
1463         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1464         (JSC::CCallHelpers::logShadowChickenTailPacket):
1465         (JSC::CCallHelpers::setupShadowChickenPacket):
1466         * jit/CCallHelpers.h:
1467         (JSC::CCallHelpers::prepareForTailCallSlow):
1468         * jit/JIT.cpp:
1469         (JSC::JIT::privateCompileMainPass):
1470         * jit/JIT.h:
1471         * jit/JITExceptions.cpp:
1472         (JSC::genericUnwind):
1473         * jit/JITOpcodes.cpp:
1474         (JSC::JIT::emit_op_resume):
1475         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1476         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1477         * jit/JITOperations.cpp:
1478         * jit/JITOperations.h:
1479         * jsc.cpp:
1480         (GlobalObject::finishCreation):
1481         (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
1482         (FunctionJSCStackFunctor::operator()):
1483         (functionClearSamplingFlags):
1484         (functionShadowChickenFunctionsOnStack):
1485         (functionReadline):
1486         * llint/LLIntOffsetsExtractor.cpp:
1487         * llint/LLIntSlowPaths.cpp:
1488         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1489         (JSC::LLInt::llint_throw_stack_overflow_error):
1490         * llint/LLIntSlowPaths.h:
1491         * llint/LowLevelInterpreter.asm:
1492         * profiler/ProfileGenerator.cpp:
1493         (JSC::AddParentForConsoleStartFunctor::foundParent):
1494         (JSC::AddParentForConsoleStartFunctor::operator()):
1495         * runtime/Error.cpp:
1496         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1497         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1498         (JSC::addErrorInfoAndGetBytecodeOffset):
1499         * runtime/JSFunction.cpp:
1500         (JSC::RetrieveArgumentsFunctor::result):
1501         (JSC::RetrieveArgumentsFunctor::operator()):
1502         (JSC::retrieveArguments):
1503         (JSC::RetrieveCallerFunctionFunctor::result):
1504         (JSC::RetrieveCallerFunctionFunctor::operator()):
1505         (JSC::retrieveCallerFunction):
1506         * runtime/JSGlobalObjectFunctions.cpp:
1507         (JSC::GlobalFuncProtoGetterFunctor::result):
1508         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1509         (JSC::globalFuncProtoGetter):
1510         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1511         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1512         * runtime/NullSetterFunction.cpp:
1513         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
1514         (JSC::GetCallerStrictnessFunctor::operator()):
1515         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
1516         (JSC::callerIsStrict):
1517         * runtime/ObjectConstructor.cpp:
1518         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1519         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1520         (JSC::objectConstructorGetPrototypeOf):
1521         * runtime/Options.h:
1522         * runtime/VM.cpp:
1523         (JSC::VM::VM):
1524         (JSC::SetEnabledProfilerFunctor::operator()):
1525         * runtime/VM.h:
1526         (JSC::VM::shouldBuilderPCToCodeOriginMapping):
1527         (JSC::VM::bytecodeIntrinsicRegistry):
1528         (JSC::VM::shadowChicken):
1529         * tests/stress/resources/shadow-chicken-support.js: Added.
1530         (describeFunction):
1531         (describeArray):
1532         (expectStack):
1533         (initialize):
1534         * tests/stress/shadow-chicken-disabled.js: Added.
1535         (test1.foo):
1536         (test1.bar):
1537         (test1.baz):
1538         (test1):
1539         (test2.foo):
1540         (test2.bar):
1541         (test2.baz):
1542         (test2):
1543         (test3.foo):
1544         (test3.bar):
1545         (test3.baz):
1546         (test3):
1547         * tests/stress/shadow-chicken-enabled.js: Added.
1548         (test1.foo):
1549         (test1.bar):
1550         (test1.baz):
1551         (test1):
1552         (test2.foo):
1553         (test2.bar):
1554         (test2.baz):
1555         (test2):
1556         (test3.bob):
1557         (test3.thingy):
1558         (test3.foo):
1559         (test3.bar):
1560         (test3.baz):
1561         (test3):
1562         (test4.bob):
1563         (test4.thingy):
1564         (test4.foo):
1565         (test4.bar):
1566         (test4.baz):
1567         (test4):
1568         (test5.foo):
1569         (test5):
1570         * tools/JSDollarVMPrototype.cpp:
1571         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1572         (JSC::CallerFrameJITTypeFunctor::operator()):
1573         (JSC::CallerFrameJITTypeFunctor::jitType):
1574         (JSC::functionLLintTrue):
1575         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1576         (JSC::CellAddressCheckFunctor::operator()):
1577         (JSC::JSDollarVMPrototype::isValidCell):
1578         (JSC::JSDollarVMPrototype::isValidCodeBlock):
1579         (JSC::JSDollarVMPrototype::codeBlockForFrame):
1580         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1581         (JSC::PrintFrameFunctor::operator()):
1582         (JSC::printCallFrame):
1583
1584 2016-03-19  Filip Pizlo  <fpizlo@apple.com>
1585
1586         DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
1587         https://bugs.webkit.org/show_bug.cgi?id=155270
1588
1589         Reviewed by Saam Barati.
1590
1591         This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.
1592
1593         It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
1594         strings gave the DFG an API for reasoning about JSString constants in terms of
1595         JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
1596         based on the results.
1597
1598         But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
1599         use the same Structure that the code would have used or else we'll pollute the program's
1600         inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
1601         properties in one go - we don't want to lose that optimization. So, this patch enables
1602         MaterializeNewObject to allocate objects or arrays with any number of indexed or named
1603         properties. Previously it could only handle objects (but not arrays) and named properties
1604         (but not indexed ones).
1605
1606         This also adds a few minor things for setting the RegExpConstructor cached result.
1607
1608         This is about a 2x speed-up on microbenchmarks when we fold a match success and about a
1609         8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.
1610
1611         * JavaScriptCore.xcodeproj/project.pbxproj:
1612         * dfg/DFGAbstractInterpreterInlines.h:
1613         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1614         * dfg/DFGClobberize.h:
1615         (JSC::DFG::clobberize):
1616         * dfg/DFGDoesGC.cpp:
1617         (JSC::DFG::doesGC):
1618         * dfg/DFGFixupPhase.cpp:
1619         (JSC::DFG::FixupPhase::fixupNode):
1620         * dfg/DFGGraph.cpp:
1621         (JSC::DFG::Graph::dump):
1622         * dfg/DFGInsertionSet.cpp:
1623         (JSC::DFG::InsertionSet::insertSlow):
1624         (JSC::DFG::InsertionSet::execute):
1625         * dfg/DFGInsertionSet.h:
1626         (JSC::DFG::InsertionSet::insertCheck):
1627         * dfg/DFGLazyJSValue.cpp:
1628         (JSC::DFG::LazyJSValue::tryGetString):
1629         * dfg/DFGMayExit.cpp:
1630         (JSC::DFG::mayExit):
1631         * dfg/DFGNode.h:
1632         (JSC::DFG::StackAccessData::flushedAt):
1633         (JSC::DFG::OpInfo::OpInfo): Deleted.
1634         * dfg/DFGNodeType.h:
1635         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1636         * dfg/DFGObjectMaterializationData.cpp:
1637         (JSC::DFG::ObjectMaterializationData::dump):
1638         (JSC::DFG::PhantomPropertyValue::dump): Deleted.
1639         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
1640         (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
1641         * dfg/DFGObjectMaterializationData.h:
1642         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
1643         (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
1644         * dfg/DFGOpInfo.h: Added.
1645         (JSC::DFG::OpInfo::OpInfo):
1646         * dfg/DFGOperations.cpp:
1647         * dfg/DFGOperations.h:
1648         * dfg/DFGPredictionPropagationPhase.cpp:
1649         (JSC::DFG::PredictionPropagationPhase::propagate):
1650         * dfg/DFGPromotedHeapLocation.cpp:
1651         (WTF::printInternal):
1652         * dfg/DFGPromotedHeapLocation.h:
1653         * dfg/DFGSafeToExecute.h:
1654         (JSC::DFG::safeToExecute):
1655         * dfg/DFGSpeculativeJIT.cpp:
1656         (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
1657         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1658         (JSC::DFG::SpeculativeJIT::emitGetLength):
1659         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
1660         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
1661         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
1662         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
1663         * dfg/DFGSpeculativeJIT.h:
1664         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1665         * dfg/DFGSpeculativeJIT32_64.cpp:
1666         (JSC::DFG::SpeculativeJIT::compile):
1667         * dfg/DFGSpeculativeJIT64.cpp:
1668         (JSC::DFG::SpeculativeJIT::compile):
1669         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1670         * dfg/DFGStrengthReductionPhase.cpp:
1671         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
1672         (JSC::DFG::StrengthReductionPhase::handleNode):
1673         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1674         (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
1675         * dfg/DFGValidate.cpp:
1676         (JSC::DFG::Validate::validate):
1677         (JSC::DFG::Validate::validateCPS):
1678         * ftl/FTLAbstractHeapRepository.cpp:
1679         * ftl/FTLAbstractHeapRepository.h:
1680         * ftl/FTLCapabilities.cpp:
1681         (JSC::FTL::canCompile):
1682         * ftl/FTLLowerDFGToB3.cpp:
1683         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1684         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1685         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1686         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1687         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1688         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1689         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1690         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
1691         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1692         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1693         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1694         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1695         * ftl/FTLOperations.cpp:
1696         (JSC::FTL::operationPopulateObjectInOSR):
1697         (JSC::FTL::operationNewObjectWithButterfly): Deleted.
1698         * ftl/FTLOperations.h:
1699         * inspector/ContentSearchUtilities.cpp:
1700         * runtime/JSObject.h:
1701         (JSC::JSObject::createRawObject):
1702         (JSC::JSFinalObject::create):
1703         * runtime/RegExp.cpp:
1704         (JSC::RegExp::compile):
1705         (JSC::RegExp::match):
1706         (JSC::RegExp::matchConcurrently):
1707         (JSC::RegExp::compileMatchOnly):
1708         (JSC::RegExp::deleteCode):
1709         * runtime/RegExp.h:
1710         * runtime/RegExpCachedResult.h:
1711         (JSC::RegExpCachedResult::offsetOfLastRegExp):
1712         (JSC::RegExpCachedResult::offsetOfLastInput):
1713         (JSC::RegExpCachedResult::offsetOfResult):
1714         (JSC::RegExpCachedResult::offsetOfReified):
1715         * runtime/RegExpConstructor.h:
1716         (JSC::RegExpConstructor::offsetOfCachedResult):
1717         * runtime/RegExpInlines.h:
1718         (JSC::RegExp::hasCodeFor):
1719         (JSC::RegExp::compileIfNecessary):
1720         (JSC::RegExp::matchInline):
1721         (JSC::RegExp::hasMatchOnlyCodeFor):
1722         (JSC::RegExp::compileIfNecessaryMatchOnly):
1723         * runtime/RegExpObjectInlines.h:
1724         (JSC::RegExpObject::execInline):
1725         * runtime/StringPrototype.cpp:
1726         (JSC::substituteBackreferencesSlow):
1727         (JSC::substituteBackreferencesInline):
1728         (JSC::substituteBackreferences):
1729         (JSC::StringRange::StringRange):
1730         * runtime/StringPrototype.h:
1731         * runtime/VM.h:
1732         * tests/stress/simple-regexp-exec-folding-fail.js: Added.
1733         (foo):
1734         * tests/stress/simple-regexp-exec-folding.js: Added.
1735         (foo):
1736         * tests/stress/simple-regexp-test-folding-fail.js: Added.
1737         (foo):
1738         * tests/stress/simple-regexp-test-folding.js: Added.
1739         (foo):
1740         * yarr/RegularExpression.cpp:
1741         * yarr/Yarr.h:
1742         * yarr/YarrInterpreter.cpp:
1743         (JSC::Yarr::Interpreter::interpret):
1744         (JSC::Yarr::ByteCompiler::ByteCompiler):
1745         (JSC::Yarr::ByteCompiler::compile):
1746         (JSC::Yarr::ByteCompiler::checkInput):
1747         (JSC::Yarr::byteCompile):
1748         (JSC::Yarr::interpret):
1749         * yarr/YarrInterpreter.h:
1750         (JSC::Yarr::BytecodePattern::BytecodePattern):
1751
1752 2016-04-05  Keith Miller  <keith_miller@apple.com>
1753
1754         We should support the ability to do a non-effectful getById
1755         https://bugs.webkit.org/show_bug.cgi?id=156116
1756
1757         Reviewed by Benjamin Poulain.
1758
1759         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
1760         useful because it enables us to take different code paths based on values that we would
1761         otherwise not be able to have knowledge of. This patch adds this new feature called
1762         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
1763         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
1764         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
1765         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
1766         is null. In theory, if we ever wanted to check for null we could add a sentinal object to
1767         the global object that indicates we could not get the result.
1768
1769         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
1770         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
1771         get_by_id the same way we would for load and return the value at the appropriate offset.
1772         Additionally, in order to make sure the we can properly compare the GetterSetter object
1773         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
1774         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
1775         likely to have little to no impact on memory usage as normal accessors are generally rare.
1776
1777         * JavaScriptCore.xcodeproj/project.pbxproj:
1778         * builtins/BuiltinExecutables.cpp:
1779         (JSC::BuiltinExecutables::createDefaultConstructor):
1780         (JSC::BuiltinExecutables::createBuiltinExecutable):
1781         (JSC::createBuiltinExecutable):
1782         (JSC::BuiltinExecutables::createExecutable):
1783         (JSC::createExecutableInternal): Deleted.
1784         * builtins/BuiltinExecutables.h:
1785         * bytecode/BytecodeIntrinsicRegistry.h:
1786         * bytecode/BytecodeList.json:
1787         * bytecode/BytecodeUseDef.h:
1788         (JSC::computeUsesForBytecodeOffset):
1789         (JSC::computeDefsForBytecodeOffset):
1790         * bytecode/CodeBlock.cpp:
1791         (JSC::CodeBlock::dumpBytecode):
1792         * bytecode/PolymorphicAccess.cpp:
1793         (JSC::AccessCase::tryGet):
1794         (JSC::AccessCase::generate):
1795         (WTF::printInternal):
1796         * bytecode/PolymorphicAccess.h:
1797         (JSC::AccessCase::isGet): Deleted.
1798         (JSC::AccessCase::isPut): Deleted.
1799         (JSC::AccessCase::isIn): Deleted.
1800         * bytecode/StructureStubInfo.cpp:
1801         (JSC::StructureStubInfo::reset):
1802         * bytecode/StructureStubInfo.h:
1803         * bytecompiler/BytecodeGenerator.cpp:
1804         (JSC::BytecodeGenerator::emitTryGetById):
1805         * bytecompiler/BytecodeGenerator.h:
1806         * bytecompiler/NodesCodegen.cpp:
1807         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
1808         * dfg/DFGSpeculativeJIT32_64.cpp:
1809         (JSC::DFG::SpeculativeJIT::cachedGetById):
1810         * dfg/DFGSpeculativeJIT64.cpp:
1811         (JSC::DFG::SpeculativeJIT::cachedGetById):
1812         * ftl/FTLLowerDFGToB3.cpp:
1813         (JSC::FTL::DFG::LowerDFGToB3::getById):
1814         * jit/JIT.cpp:
1815         (JSC::JIT::privateCompileMainPass):
1816         (JSC::JIT::privateCompileSlowCases):
1817         * jit/JIT.h:
1818         * jit/JITInlineCacheGenerator.cpp:
1819         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1820         * jit/JITInlineCacheGenerator.h:
1821         * jit/JITInlines.h:
1822         (JSC::JIT::callOperation):
1823         * jit/JITOperations.cpp:
1824         * jit/JITOperations.h:
1825         * jit/JITPropertyAccess.cpp:
1826         (JSC::JIT::emitGetByValWithCachedId):
1827         (JSC::JIT::emit_op_try_get_by_id):
1828         (JSC::JIT::emitSlow_op_try_get_by_id):
1829         (JSC::JIT::emit_op_get_by_id):
1830         * jit/JITPropertyAccess32_64.cpp:
1831         (JSC::JIT::emitGetByValWithCachedId):
1832         (JSC::JIT::emit_op_try_get_by_id):
1833         (JSC::JIT::emitSlow_op_try_get_by_id):
1834         (JSC::JIT::emit_op_get_by_id):
1835         * jit/Repatch.cpp:
1836         (JSC::repatchByIdSelfAccess):
1837         (JSC::appropriateOptimizingGetByIdFunction):
1838         (JSC::appropriateGenericGetByIdFunction):
1839         (JSC::tryCacheGetByID):
1840         (JSC::repatchGetByID):
1841         (JSC::resetGetByID):
1842         * jit/Repatch.h:
1843         * jsc.cpp:
1844         (GlobalObject::finishCreation):
1845         (functionGetGetterSetter):
1846         (functionCreateBuiltin):
1847         * llint/LLIntData.cpp:
1848         (JSC::LLInt::Data::performAssertions):
1849         * llint/LLIntSlowPaths.cpp:
1850         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1851         * llint/LLIntSlowPaths.h:
1852         * llint/LowLevelInterpreter.asm:
1853         * runtime/GetterSetter.cpp:
1854         * runtime/GetterSetter.h:
1855         * runtime/JSType.h:
1856         * runtime/PropertySlot.cpp:
1857         (JSC::PropertySlot::getPureResult):
1858         * runtime/PropertySlot.h:
1859         * runtime/ProxyObject.cpp:
1860         (JSC::ProxyObject::getOwnPropertySlotCommon):
1861         * tests/stress/try-get-by-id.js: Added.
1862         (tryGetByIdText):
1863         (getCaller.obj.1.throw.new.Error.let.func):
1864         (getCaller.obj.1.throw.new.Error):
1865         (throw.new.Error.get let):
1866         (throw.new.Error.):
1867         (throw.new.Error.let.get createBuiltin):
1868         (get let):
1869         (let.get createBuiltin):
1870         (let.func):
1871         (get let.func):
1872         (get throw):
1873
1874 2016-04-05  Saam barati  <sbarati@apple.com>
1875
1876         jsc-layout-tests.yaml/js/script-tests/regress-141098.js failing on Yosemite Debug after r198989
1877         https://bugs.webkit.org/show_bug.cgi?id=156187
1878
1879         Reviewed by Filip Pizlo.
1880
1881         This is a speculative fix. Lets see if the prevents the timeout.
1882
1883         * parser/Parser.cpp:
1884         (JSC::Parser<LexerType>::parseStatementListItem):
1885
1886 2016-04-04  Filip Pizlo  <fpizlo@apple.com>
1887
1888         PolymorphicAccess should have a MegamorphicLoad case
1889         https://bugs.webkit.org/show_bug.cgi?id=156182
1890
1891         Reviewed by Geoffrey Garen and Keith Miller.
1892
1893         This introduces a new case to PolymorphicAccess called MegamorphicLoad. This inlines the lookup in
1894         the PropertyTable. It's cheaper than switching on a huge number of cases and it's cheaper than
1895         calling into C++ to do the same job - particularly since inlining the lookup into an access means
1896         that we can precompute the hash code.
1897
1898         When writing the inline code for the hashtable lookup, I found that our hashing algorithm was not
1899         optimal. It used a double-hashing method for reducing collision pathologies. This is great for
1900         improving the performance of some worst-case scenarios. But this misses the point of a hashtable: we
1901         want to optimize the average-case performance. When optimizing for average-case, we can choose to
1902         either focus on maximizing the likelihood of the fast case happening, or to minimize the cost of the
1903         worst-case, or to minimize the cost of the fast case. Even a very basic hashtable will achieve a high
1904         probability of hitting the fast case. So, doing work to reduce the likelihood of a worst-case
1905         pathology only makes sense if it also preserves the good performance of the fast case, or reduces the
1906         likelihood of the worst-case by so much that it's a win for the average case even with a slow-down in
1907         the fast case.
1908
1909         I don't believe, based on looking at how the double-hashing is implemented, that it's possible that
1910         this preserves the good performance of the fast case. It requires at least one more value to be live
1911         around the loop, and dramatically increases the register pressure at key points inside the loop. The
1912         biggest offender is the doubleHash() method itself. There is no getting around how bad this is: if
1913         the compiler live-range-splits that method to death to avoid degrading register pressure elsewhere
1914         then we will pay a steep price anytime we take the second iteration around the loop; but if the
1915         compiler doesn't split around the call then the hashtable lookup fast path will be full of spills on
1916         some architectures (I performed biological register allocation and found that I needed 9 registers
1917         for complete lookup, while x86-64 has only 6 callee-saves; OTOH ARM64 has 10 callee-saves so it might
1918         be better off).
1919
1920         Hence, this patch changes the hashtable lookup to use simple linear probing. This was not a slow-down
1921         on anything, and it made MegamorphicLoad much more sensible since it is less likely to have to spill.
1922
1923         There are some other small changes in this patch, like rationalizing the IC's choice between giving
1924         up after a repatch (i.e. never trying again) and just pretending that nothing happened (so we can
1925         try to repatch again in the future). It looked like the code in Repatch.cpp was set up to be able to
1926         choose between those options, but we weren't fully taking advantage of it because the
1927         regenerateWithCase() method just returned null for any failure, and didn't say whether it was the
1928         sort of failure that renders the inline cache unrepatchable (like memory allocation failure). Now
1929         this is all made explicit. I wanted to make sure this change happened in this patch since the
1930         MegamorphicLoad code automagically generates a MegamorphicLoad case by coalescing other cases. Since
1931         this is intended to avoid blowing out the cache and making it unrepatchable, I wanted to make sure
1932         that the rules for giving up were something that made sense to me.
1933         
1934         This is a big win on microbenchmarks. It's neutral on traditional JS benchmarks. It's a slight
1935         speed-up for page loading, because many real websites like to have megamorphic property accesses.
1936
1937         * bytecode/PolymorphicAccess.cpp:
1938         (JSC::AccessGenerationResult::dump):
1939         (JSC::AccessGenerationState::addWatchpoint):
1940         (JSC::AccessCase::get):
1941         (JSC::AccessCase::megamorphicLoad):
1942         (JSC::AccessCase::replace):
1943         (JSC::AccessCase::guardedByStructureCheck):
1944         (JSC::AccessCase::couldStillSucceed):
1945         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1946         (JSC::AccessCase::canReplace):
1947         (JSC::AccessCase::generateWithGuard):
1948         (JSC::AccessCase::generate):
1949         (JSC::PolymorphicAccess::PolymorphicAccess):
1950         (JSC::PolymorphicAccess::~PolymorphicAccess):
1951         (JSC::PolymorphicAccess::regenerateWithCases):
1952         (JSC::PolymorphicAccess::regenerateWithCase):
1953         (WTF::printInternal):
1954         * bytecode/PolymorphicAccess.h:
1955         (JSC::AccessCase::isGet):
1956         (JSC::AccessCase::isPut):
1957         (JSC::AccessCase::isIn):
1958         (JSC::AccessGenerationResult::AccessGenerationResult):
1959         (JSC::AccessGenerationResult::operator==):
1960         (JSC::AccessGenerationResult::operator!=):
1961         (JSC::AccessGenerationResult::operator bool):
1962         (JSC::AccessGenerationResult::kind):
1963         (JSC::AccessGenerationResult::code):
1964         (JSC::AccessGenerationResult::madeNoChanges):
1965         (JSC::AccessGenerationResult::gaveUp):
1966         (JSC::AccessGenerationResult::generatedNewCode):
1967         (JSC::PolymorphicAccess::isEmpty):
1968         (JSC::AccessGenerationState::AccessGenerationState):
1969         * bytecode/StructureStubInfo.cpp:
1970         (JSC::StructureStubInfo::aboutToDie):
1971         (JSC::StructureStubInfo::addAccessCase):
1972         * bytecode/StructureStubInfo.h:
1973         * jit/AssemblyHelpers.cpp:
1974         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1975         (JSC::AssemblyHelpers::loadProperty):
1976         (JSC::emitRandomThunkImpl):
1977         (JSC::AssemblyHelpers::emitRandomThunk):
1978         (JSC::AssemblyHelpers::emitLoadStructure):
1979         * jit/AssemblyHelpers.h:
1980         (JSC::AssemblyHelpers::loadValue):
1981         (JSC::AssemblyHelpers::moveValueRegs):
1982         (JSC::AssemblyHelpers::argumentsStart):
1983         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1984         (JSC::AssemblyHelpers::emitLoadStructure): Deleted.
1985         * jit/GPRInfo.cpp:
1986         (JSC::JSValueRegs::dump):
1987         * jit/GPRInfo.h:
1988         (JSC::JSValueRegs::uses):
1989         * jit/Repatch.cpp:
1990         (JSC::replaceWithJump):
1991         (JSC::tryCacheGetByID):
1992         (JSC::tryCachePutByID):
1993         (JSC::tryRepatchIn):
1994         * jit/ThunkGenerators.cpp:
1995         (JSC::virtualThunkFor):
1996         * runtime/Options.h:
1997         * runtime/PropertyMapHashTable.h:
1998         (JSC::PropertyTable::begin):
1999         (JSC::PropertyTable::find):
2000         (JSC::PropertyTable::get):
2001         * runtime/Structure.h:
2002
2003 2016-04-05  Antoine Quint  <graouts@apple.com>
2004
2005         [WebGL2] Turn the ENABLE_WEBGL2 flag on
2006         https://bugs.webkit.org/show_bug.cgi?id=156061
2007         <rdar://problem/25463193>
2008
2009         Reviewed by Alex Christensen.
2010
2011         * Configurations/FeatureDefines.xcconfig:
2012         * runtime/CommonIdentifiers.h:
2013
2014         Define the conditionalized classes WebGL2RenderingContext and WebGLVertexArrayObject. 
2015
2016 2016-04-04  Zan Dobersek  <zdobersek@igalia.com>
2017
2018         Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads
2019         https://bugs.webkit.org/show_bug.cgi?id=156161
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         r197641 added a couple of callOperation(J_JITOperation_EGReoJ, ...) overloads
2024         that handle arguments split into the tag and the payload. The two were split
2025         between the last argument register and the stack on 32-bit ARM EABI systems,
2026         causing incorrect behavior.
2027
2028         Adding EABI_32BIT_DUMMY_ARG pushes the tag and payload together onto the
2029         stack, removing the issue.
2030
2031         * dfg/DFGSpeculativeJIT.h:
2032         (JSC::DFG::SpeculativeJIT::callOperation):
2033
2034 2016-04-04  Joseph Pecoraro  <pecoraro@apple.com>
2035
2036         Avoid copying ModuleLoaderObject.js to resources bundle
2037         https://bugs.webkit.org/show_bug.cgi?id=156188
2038         <rdar://problem/25534383>
2039
2040         Reviewed by Alexey Proskuryakov.
2041
2042         * JavaScriptCore.xcodeproj/project.pbxproj:
2043
2044 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
2045
2046         Unreviewed, rolling out r199016.
2047         https://bugs.webkit.org/show_bug.cgi?id=156140
2048
2049         "Regressed Octane and Kraken on the perf bots."
2050
2051         Reverted changeset:
2052
2053         CopiedBlock should be 16kB
2054         https://bugs.webkit.org/show_bug.cgi?id=156168
2055         http://trac.webkit.org/changeset/199016
2056
2057 2016-04-04  Benjamin Poulain  <bpoulain@apple.com>
2058
2059         [JSC][x86] Fix an assertion in MacroAssembler::branch8()
2060         https://bugs.webkit.org/show_bug.cgi?id=156181
2061
2062         Reviewed by Geoffrey Garen.
2063
2064         * assembler/MacroAssemblerX86Common.h:
2065         (JSC::MacroAssemblerX86Common::branch8):
2066         The test was wrong because valid negative numbers have ones
2067         in the top bits.
2068
2069         I replaced the assertion to be explicit about the valid range.
2070
2071 2016-04-04  Chris Dumez  <cdumez@apple.com>
2072
2073         Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
2074         https://bugs.webkit.org/show_bug.cgi?id=156136
2075         <rdar://problem/25410767>
2076
2077         Reviewed by Ryosuke Niwa.
2078
2079         Add a few more identifiers for using in the generated bindings.
2080
2081         * runtime/CommonIdentifiers.h:
2082
2083 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
2084
2085         CopiedBlock should be 16kB
2086         https://bugs.webkit.org/show_bug.cgi?id=156168
2087
2088         Reviewed by Mark Lam.
2089
2090         MarkedBlock is 16kB, and bmalloc's largest fast-path allocation is 16kB,
2091         and the largest page size on Apple devices is 16kB -- so this change
2092         should improve sharing and recycling and keep us on the fast path more.
2093
2094         32kB is also super aggro. At 16kB, we support allocations up to 8kB,
2095         which covers 99.3% of allocations on facebook.com. The 32kB block size
2096         only covered an additional 0.2% of allocations.
2097
2098         * heap/CopiedBlock.h:
2099
2100 2016-04-04  Carlos Garcia Campos  <cgarcia@igalia.com>
2101
2102         REGRESSION(r198792): [GTK] Inspector crashes in Inspector::Protocol::getEnumConstantValue since r198792
2103         https://bugs.webkit.org/show_bug.cgi?id=155745
2104         <rdar://problem/25289456>
2105
2106         Reviewed by Brian Burg.
2107
2108         The problem is that we are generating the Inspector::Protocol::getEnumConstantValue() method and the
2109         enum_constant_values array for every framework that has enum values. So, in case of GTK port we have two
2110         implementations, one for the inspector in JavaScriptCore and another one for Web Automation in WebKit2, but when
2111         using the inspector in WebKit2 we always end up using the one in WebKit2. Since the enum_constant_values array
2112         is smaller in WebKit2 than the one in JavaScriptCore, we crash every time we receive an enum value higher than
2113         the array size. We need to disambiguate the getEnumConstantValue() generated and used for every framework, so we
2114         can use a specific namespace for the enum conversion methods.
2115
2116         * inspector/agents/InspectorDebuggerAgent.cpp:
2117         (Inspector::breakpointActionTypeForString): Use Inspector::Protocol::InspectorHelpers.
2118         * inspector/scripts/codegen/cpp_generator.py:
2119         (CppGenerator.helpers_namespace): Return the namespace name that should be used for the helper methods.
2120         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2121         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): Use
2122         CppGenerator.helpers_namespace() to use the right namespace when using getEnumConstantValue().
2123         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Ditto.
2124         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2125         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): Ditto.
2126         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2127         (CppProtocolTypesHeaderGenerator.generate_output): Move declaration of getEnumConstantValue to a helper function.
2128         (_generate_enum_constant_value_conversion_methods): Do not emit any code if there aren't enums and ensure all
2129         conversion methods are declared inside the helpers namespace.
2130         (_generate_builder_setter_for_member): Use CppGenerator.helpers_namespace() to use the right namespace when
2131         using getEnumConstantValue().
2132         (_generate_unchecked_setter_for_member): Ditto.
2133         (_generate_declarations_for_enum_conversion_methods): Return a list instead of a string so that we can return an
2134         empty list in case of not emitting any code. The caller will use extend() that has no effect when an empty list
2135         is passed.
2136         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2137         (CppProtocolTypesImplementationGenerator.generate_output): Use the new helper function to generate both the enum
2138         mapping and conversion methods inside the helpers namespace.
2139         (CppProtocolTypesImplementationGenerator._generate_enum_mapping): Return a list instead of a string so that we
2140         can return an empty list in case of not emitting any code.
2141         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods): Ensure we only emit
2142         code when there are enum values, and it's generated inside the helpers namespace.
2143         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2144         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2145         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2146         * inspector/scripts/tests/expected/enum-values.json-result:
2147         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2148         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2149         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2150         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2151         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2152         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2153         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2154         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2155         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2156
2157 2016-04-04  Csaba Osztrogon√°c  <ossy@webkit.org>
2158
2159         Unreviewed ARM buildfix after r198981.
2160
2161         * assembler/MacroAssemblerARM.h:
2162         (JSC::MacroAssemblerARM::roundTowardZeroDouble):
2163
2164 2016-04-03  Saam barati  <sbarati@apple.com>
2165
2166         Implement Annex B.3.3 function hoisting rules for function code
2167         https://bugs.webkit.org/show_bug.cgi?id=155672
2168
2169         Reviewed by Geoffrey Garen.
2170
2171         The spec states that functions declared inside a function
2172         inside a block scope are subject to the rules of Annex B.3.3:
2173         https://tc39.github.io/ecma262/#sec-block-level-function-declarations-web-legacy-compatibility-semantics
2174
2175         The rule states that functions declared in such blocks should
2176         be local bindings of the block. If declaring the function's name
2177         as a "var" in the function would not lead to a syntax error (i.e,
2178         if we don't have a let/const/class variable with the same name)
2179         and if we don't have a parameter with the same name, then we
2180         implictly also declare the funcion name as a "var". When evaluating
2181         the block statement we bind the hoisted "var" to be the value
2182         of the local function binding.
2183
2184         There is one more thing we do for web compatibility. We allow
2185         function declarations inside if/else statements that aren't
2186         blocks. For such statements, we transform the code as if the
2187         function were declared inside a block statement. For example:
2188         ``` function foo() { if (cond) function baz() { } }```
2189         is transformed into:
2190         ``` function foo() { if (cond) { function baz() { } } }```
2191
2192         * bytecompiler/BytecodeGenerator.cpp:
2193         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2194         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
2195         * bytecompiler/BytecodeGenerator.h:
2196         * parser/Nodes.cpp:
2197         (JSC::ScopeNode::ScopeNode):
2198         (JSC::ProgramNode::ProgramNode):
2199         (JSC::ModuleProgramNode::ModuleProgramNode):
2200         (JSC::EvalNode::EvalNode):
2201         (JSC::FunctionNode::FunctionNode):
2202         * parser/Nodes.h:
2203         (JSC::ScopeNode::hasCapturedVariables):
2204         (JSC::ScopeNode::captures):
2205         (JSC::ScopeNode::hasSloppyModeHoistedFunction):
2206         (JSC::ScopeNode::varDeclarations):
2207         (JSC::ProgramNode::startColumn):
2208         (JSC::ProgramNode::endColumn):
2209         (JSC::EvalNode::startColumn):
2210         (JSC::EvalNode::endColumn):
2211         (JSC::ModuleProgramNode::startColumn):
2212         (JSC::ModuleProgramNode::endColumn):
2213         * parser/Parser.cpp:
2214         (JSC::Parser<LexerType>::Parser):
2215         (JSC::Parser<LexerType>::parseInner):
2216         (JSC::Parser<LexerType>::didFinishParsing):
2217         (JSC::Parser<LexerType>::parseStatement):
2218         (JSC::Parser<LexerType>::parseIfStatement):
2219         * parser/Parser.h:
2220         (JSC::Scope::declareVariable):
2221         (JSC::Scope::declareFunction):
2222         (JSC::Scope::addSloppyModeHoistableFunctionCandidate):
2223         (JSC::Scope::appendFunction):
2224         (JSC::Scope::declareParameter):
2225         (JSC::Scope::mergeInnerArrowFunctionFeatures):
2226         (JSC::Scope::getSloppyModeHoistedFunctions):
2227         (JSC::Scope::getCapturedVars):
2228         (JSC::ScopeRef::containingScope):
2229         (JSC::ScopeRef::operator==):
2230         (JSC::ScopeRef::operator!=):
2231         (JSC::Parser::declareFunction):
2232         (JSC::Parser::hasDeclaredVariable):
2233         (JSC::Parser::isFunctionMetadataNode):
2234         (JSC::Parser::DepthManager::DepthManager):
2235         (JSC::Parser<LexerType>::parse):
2236         * parser/VariableEnvironment.h:
2237         (JSC::VariableEnvironmentEntry::isImported):
2238         (JSC::VariableEnvironmentEntry::isImportedNamespace):
2239         (JSC::VariableEnvironmentEntry::isFunction):
2240         (JSC::VariableEnvironmentEntry::isParameter):
2241         (JSC::VariableEnvironmentEntry::isSloppyModeHoistingCandidate):
2242         (JSC::VariableEnvironmentEntry::setIsCaptured):
2243         (JSC::VariableEnvironmentEntry::setIsConst):
2244         (JSC::VariableEnvironmentEntry::setIsImported):
2245         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
2246         (JSC::VariableEnvironmentEntry::setIsFunction):
2247         (JSC::VariableEnvironmentEntry::setIsParameter):
2248         (JSC::VariableEnvironmentEntry::setIsSloppyModeHoistingCandidate):
2249         (JSC::VariableEnvironmentEntry::clearIsVar):
2250         * runtime/CodeCache.h:
2251         (JSC::SourceCodeValue::SourceCodeValue):
2252         * runtime/JSScope.cpp:
2253         * runtime/JSScope.h:
2254         * tests/es6.yaml:
2255         * tests/stress/sloppy-mode-function-hoisting.js: Added.
2256         (assert):
2257         (test):
2258         (falsey):
2259         (truthy):
2260         (test.):
2261         (test.a):
2262         (test.f):
2263         (test.let.funcs.f):
2264         (test.catch.f):
2265         (test.foo):
2266         (test.bar):
2267         (test.switch.case.0):
2268         (test.else.f):
2269         (test.b):
2270         (test.c):
2271         (test.d):
2272         (test.e):
2273         (test.g):
2274         (test.h):
2275         (test.i):
2276         (test.j):
2277         (test.k):
2278         (test.l):
2279         (test.m):
2280         (test.n):
2281         (test.o):
2282         (test.p):
2283         (test.q):
2284         (test.r):
2285         (test.s):
2286         (test.t):
2287         (test.u):
2288         (test.v):
2289         (test.w):
2290         (test.x):
2291         (test.y):
2292         (test.z):
2293         (foo):
2294         (bar):
2295         (falsey.bar):
2296         (baz):
2297         (falsey.baz):
2298
2299 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2300
2301         Unreviewed, turn ES6 for-in loop test success
2302         https://bugs.webkit.org/show_bug.cgi?id=155451
2303
2304         * tests/es6.yaml:
2305
2306 2016-04-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2307
2308         [JSC] Add truncate operation (rounding to zero)
2309         https://bugs.webkit.org/show_bug.cgi?id=156072
2310
2311         Reviewed by Saam Barati.
2312
2313         Add TruncIntrinsic for Math.trunc. DFG handles it as ArithTrunc.
2314         In DFG, ArithTrunc behaves similar to ArithRound, ArithCeil, and ArithFloor.
2315         ArithTrunc rounds the value towards zero.
2316
2317         And we rewrite @toInteger to use @trunc instead of @abs, @floor, negation and branch.
2318         This is completely the same to what we do in JSValue::toInteger.
2319
2320         Since DFG recognize it, DFG can convert ArithTrunc to Identity if the given argument is Int32.
2321         This is useful because almost all the argument is Int32 in @toLength -> @toInteger -> @trunc case.
2322         In such cases, we can eliminate trunc() call.
2323
2324         As a bonus, to speed up Math.trunc operation, we use x86 SSE round and frintz in ARM64 for ArithRound.
2325         In DFG, we emit these instructions. In FTL, we use Patchpoint to emit these instructions to avoid adding a new B3 IR.
2326
2327         * assembler/MacroAssemblerARM64.h:
2328         (JSC::MacroAssemblerARM64::roundTowardZeroDouble):
2329         (JSC::MacroAssemblerARM64::roundTowardZeroFloat):
2330         * assembler/MacroAssemblerARMv7.h:
2331         (JSC::MacroAssemblerARMv7::roundTowardZeroDouble):
2332         * assembler/MacroAssemblerMIPS.h:
2333         (JSC::MacroAssemblerMIPS::roundTowardZeroDouble):
2334         * assembler/MacroAssemblerSH4.h:
2335         (JSC::MacroAssemblerSH4::roundTowardZeroDouble):
2336         * assembler/MacroAssemblerX86Common.h:
2337         (JSC::MacroAssemblerX86Common::roundTowardZeroDouble):
2338         (JSC::MacroAssemblerX86Common::roundTowardZeroFloat):
2339         * builtins/GlobalObject.js:
2340         (toInteger):
2341         * dfg/DFGAbstractInterpreterInlines.h:
2342         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2343         * dfg/DFGByteCodeParser.cpp:
2344         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2345         * dfg/DFGClobberize.h:
2346         (JSC::DFG::clobberize):
2347         * dfg/DFGDoesGC.cpp:
2348         (JSC::DFG::doesGC):
2349         * dfg/DFGFixupPhase.cpp:
2350         (JSC::DFG::FixupPhase::fixupNode):
2351         * dfg/DFGGraph.h:
2352         (JSC::DFG::Graph::roundShouldSpeculateInt32):
2353         * dfg/DFGNode.h:
2354         (JSC::DFG::Node::arithNodeFlags):
2355         (JSC::DFG::Node::hasHeapPrediction):
2356         (JSC::DFG::Node::hasArithRoundingMode):
2357         * dfg/DFGNodeType.h:
2358         * dfg/DFGPredictionPropagationPhase.cpp:
2359         (JSC::DFG::PredictionPropagationPhase::propagate):
2360         * dfg/DFGSafeToExecute.h:
2361         (JSC::DFG::safeToExecute):
2362         * dfg/DFGSpeculativeJIT.cpp:
2363         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2364         * dfg/DFGSpeculativeJIT.h:
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * ftl/FTLCapabilities.cpp:
2370         (JSC::FTL::canCompile):
2371         * ftl/FTLLowerDFGToB3.cpp:
2372         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2373         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
2374         * ftl/FTLOutput.cpp:
2375         (JSC::FTL::Output::doubleTrunc):
2376         * ftl/FTLOutput.h:
2377         * jit/ThunkGenerators.cpp:
2378         (JSC::truncThunkGenerator):
2379         * jit/ThunkGenerators.h:
2380         * runtime/CommonIdentifiers.h:
2381         * runtime/Intrinsic.h:
2382         * runtime/JSGlobalObject.cpp:
2383         (JSC::JSGlobalObject::init):
2384         * runtime/MathObject.cpp:
2385         (JSC::MathObject::finishCreation):
2386         * runtime/MathObject.h:
2387         * runtime/VM.cpp:
2388         (JSC::thunkGeneratorForIntrinsic):
2389         * tests/stress/math-rounding-infinity.js:
2390         (testTrunc):
2391         * tests/stress/math-rounding-nan.js:
2392         (testTrunc):
2393         * tests/stress/math-rounding-negative-zero.js:
2394         (testTrunc):
2395         * tests/stress/math-trunc-arith-rounding-mode.js: Added.
2396         (firstCareAboutZeroSecondDoesNot):
2397         (firstDoNotCareAboutZeroSecondDoes):
2398         (warmup):
2399         (verifyNegativeZeroIsPreserved):
2400         * tests/stress/math-trunc-basics.js: Added.
2401         (mathTruncOnIntegers):
2402         (mathTruncOnDoubles):
2403         (mathTruncOnBooleans):
2404         (uselessMathTrunc):
2405         (mathTruncWithOverflow):
2406         (mathTruncConsumedAsDouble):
2407         (mathTruncDoesNotCareAboutMinusZero):
2408         (mathTruncNoArguments):
2409         (mathTruncTooManyArguments):
2410         (testMathTruncOnConstants):
2411         (mathTruncStructTransition):
2412         (Math.trunc):
2413         * tests/stress/math-trunc-should-be-truncate.js: Added.
2414         (mathTrunc):
2415
2416 2016-04-03  Skachkov Oleksandr  <gskachkov@gmail.com>
2417
2418         [ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError
2419         https://bugs.webkit.org/show_bug.cgi?id=155545
2420
2421         Reviewed by Saam Barati.
2422        
2423         Current patch allow to invoke new.target in eval if this eval is executed within function, 
2424         otherwise this will lead to Syntax error 
2425    
2426         * bytecode/EvalCodeCache.h:
2427         (JSC::EvalCodeCache::getSlow):
2428         * bytecode/ExecutableInfo.h:
2429         (JSC::ExecutableInfo::ExecutableInfo):
2430         (JSC::ExecutableInfo::evalContextType):
2431         * bytecode/UnlinkedCodeBlock.cpp:
2432         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2433         * bytecode/UnlinkedCodeBlock.h:
2434         (JSC::UnlinkedCodeBlock::evalContextType):
2435         * bytecode/UnlinkedFunctionExecutable.cpp:
2436         (JSC::generateUnlinkedFunctionCodeBlock):
2437         * debugger/DebuggerCallFrame.cpp:
2438         (JSC::DebuggerCallFrame::evaluate):
2439         * interpreter/Interpreter.cpp:
2440         (JSC::eval):
2441         * parser/Parser.cpp:
2442         (JSC::Parser<LexerType>::Parser):
2443         (JSC::Parser<LexerType>::parseMemberExpression):
2444         * parser/Parser.h:
2445         (JSC::Scope::Scope):
2446         (JSC::Scope::setEvalContextType):
2447         (JSC::Scope::evalContextType):
2448         (JSC::parse):
2449         * runtime/CodeCache.cpp:
2450         (JSC::CodeCache::getGlobalCodeBlock):
2451         (JSC::CodeCache::getProgramCodeBlock):
2452         (JSC::CodeCache::getEvalCodeBlock):
2453         (JSC::CodeCache::getModuleProgramCodeBlock):
2454         * runtime/CodeCache.h:
2455         * runtime/Executable.cpp:
2456         (JSC::ScriptExecutable::ScriptExecutable):
2457         (JSC::EvalExecutable::create):
2458         (JSC::EvalExecutable::EvalExecutable):
2459         (JSC::ProgramExecutable::ProgramExecutable):
2460         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2461         (JSC::FunctionExecutable::FunctionExecutable):
2462         * runtime/Executable.h:
2463         (JSC::ScriptExecutable::evalContextType):
2464         * runtime/JSGlobalObject.cpp:
2465         (JSC::JSGlobalObject::createEvalCodeBlock):
2466         * runtime/JSGlobalObjectFunctions.cpp:
2467         (JSC::globalFuncEval):
2468         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
2469         * tests/stress/new-target.js:
2470
2471 2016-04-02  Commit Queue  <commit-queue@webkit.org>
2472
2473         Unreviewed, rolling out r198976.
2474         https://bugs.webkit.org/show_bug.cgi?id=156140
2475
2476         "Causes js/regress/array-nonarray-polymorhpic-access.html to
2477         crash." (Requested by ddkilzer on #webkit).
2478
2479         Reverted changeset:
2480
2481         "[JSC] Initialize SSA's live values at tail lazily"
2482         https://bugs.webkit.org/show_bug.cgi?id=156126
2483         http://trac.webkit.org/changeset/198976
2484
2485 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2486
2487         [JSC] Initialize SSA's live values at tail lazily
2488         https://bugs.webkit.org/show_bug.cgi?id=156126
2489
2490         Reviewed by Mark Lam.
2491
2492         Setting up the clean state early looks harmless but it is
2493         actually quite expensive.
2494
2495         The problem is AbstractValue is gigantic, you really want
2496         to minimize how much you touch that memory.
2497
2498         By removing the initialization, most blocks only
2499         get 2 or 3 accesses. Once to setup the value, and a few
2500         queries for merging the current block with the successors.
2501
2502         * dfg/DFGInPlaceAbstractState.cpp:
2503         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2504         (JSC::DFG::setLiveValues): Deleted.
2505         (JSC::DFG::InPlaceAbstractState::initialize): Deleted.
2506
2507 2016-04-02  Benjamin Poulain  <bpoulain@apple.com>
2508
2509         [JSC] Add an option to avoid disassembling baseline code for the JSC Profiler
2510         https://bugs.webkit.org/show_bug.cgi?id=156127
2511
2512         Reviewed by Mark Lam.
2513
2514         The profiler run out of memory on big programs if you dump
2515         the baseline disassembly.
2516
2517         * jit/JIT.cpp:
2518         (JSC::JIT::privateCompile):
2519         * runtime/Options.h:
2520
2521 2016-04-02  Dan Bernstein  <mitz@apple.com>
2522
2523         jsc binary embedded in relocatable JavaScriptCore.framework links against system JavaScriptCore.framework
2524         https://bugs.webkit.org/show_bug.cgi?id=156134
2525         <rdar://problem/25443824>
2526
2527         Reviewed by Mark Lam.
2528
2529         * Configurations/JSC.xcconfig: Define WK_RELOCATABLE_FRAMEWORKS_LDFLAGS when building
2530           relocatable frameworks to include a -dyld_env option setting DYLD_FRAMEWORK_PATH to point
2531           to the directory containing JavaScript.framework, and add
2532           WK_RELOCATABLE_FRAMEWORKS_LDFLAGS to OTHER_LDFLAGS.
2533
2534 2016-04-01  Benjamin Poulain  <bpoulain@apple.com>
2535
2536         [JSC][x86] Add the 3 operands form of floating point substraction
2537         https://bugs.webkit.org/show_bug.cgi?id=156095
2538
2539         Reviewed by Geoffrey Garen.
2540
2541         Same old, same old. Add the AVX form of subsd and subss.
2542
2543         Unfortunately, we cannot benefit from the 3 register form
2544         in B3 yet because the Air script does not support CPU flags yet.
2545         That can be fixed later.
2546
2547         * assembler/MacroAssemblerX86Common.h:
2548         (JSC::MacroAssemblerX86Common::subDouble):
2549         (JSC::MacroAssemblerX86Common::subFloat):
2550         * assembler/X86Assembler.h:
2551         (JSC::X86Assembler::vsubsd_rr):
2552         (JSC::X86Assembler::subsd_mr):
2553         (JSC::X86Assembler::vsubsd_mr):
2554         (JSC::X86Assembler::vsubss_rr):
2555         (JSC::X86Assembler::subss_mr):
2556         (JSC::X86Assembler::vsubss_mr):
2557         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2558         * b3/air/AirOpcode.opcodes:
2559
2560 2016-04-01  Alberto Garcia  <berto@igalia.com>
2561
2562         [JSC] Missing PATH_MAX definition
2563         https://bugs.webkit.org/show_bug.cgi?id=156102
2564
2565         Reviewed by Yusuke Suzuki.
2566
2567         Not all systems define PATH_MAX, so add a fallback value that is
2568         long enough.
2569
2570         * jsc.cpp:
2571
2572 2016-03-31  Benjamin Poulain  <bpoulain@apple.com>
2573
2574         [JSC] CFA's valuesAtHead should be a list, not a map
2575         https://bugs.webkit.org/show_bug.cgi?id=156087
2576
2577         Reviewed by Mark Lam.
2578
2579         One more step toward moving to the Air-style of liveness analysis:
2580
2581         Make DFG's valuesAtHead a list of Node*-AbstractValue.
2582         This patch alone is already a speedup because our many CFAs
2583         spend an unreasonable amount of time updating at block boundaries.
2584
2585         * dfg/DFGBasicBlock.h:
2586         * dfg/DFGCFAPhase.cpp:
2587         (JSC::DFG::CFAPhase::performBlockCFA):
2588         * dfg/DFGGraph.cpp:
2589         (JSC::DFG::Graph::dump):
2590         * dfg/DFGInPlaceAbstractState.cpp:
2591         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2592         (JSC::DFG::setLiveValues):
2593         (JSC::DFG::InPlaceAbstractState::merge):
2594         * dfg/DFGNode.h:
2595         (JSC::DFG::nodeValuePairComparator):
2596         (JSC::DFG::nodeValuePairListDump):
2597
2598 2016-03-31  Saam barati  <sbarati@apple.com>
2599
2600         Revert rewrite const as var workaround
2601         https://bugs.webkit.org/show_bug.cgi?id=155393
2602
2603         Reviewed by Mark Lam.
2604
2605         * parser/Parser.h:
2606         (JSC::Parser::next):
2607         (JSC::Parser::nextExpectIdentifier):
2608         * runtime/VM.h:
2609         (JSC::VM::setShouldRewriteConstAsVar): Deleted.
2610         (JSC::VM::shouldRewriteConstAsVar): Deleted.
2611
2612 2016-03-31  Saam barati  <sbarati@apple.com>
2613
2614         [ES6] Disallow var assignments in for-in loops
2615         https://bugs.webkit.org/show_bug.cgi?id=155451
2616
2617         Reviewed by Mark Lam.
2618
2619         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
2620         because last time we made this change it broke some websites. Lets try making
2621         it again because it's what the ES6 mandates. If it still breaks things we will
2622         roll it out.
2623
2624         * parser/Parser.cpp:
2625         (JSC::Parser<LexerType>::parseForStatement):
2626
2627 2016-03-31  Saam barati  <sbarati@apple.com>
2628
2629         parsing arrow function expressions slows down the parser by 8% lets recoup some loss
2630         https://bugs.webkit.org/show_bug.cgi?id=155988
2631
2632         Reviewed by Benjamin Poulain.
2633
2634         We used to eagerly check if we're parsing an arrow function.
2635         We did this inside parseAssignmentExpression(), and it was
2636         very costly. The reason it was costly is that arrow functions
2637         might start with an identifier. This means anytime we saw an
2638         identifier we would have to do a lookahead, and then most likely
2639         backtrack because more often than not, we wouldn't see "=>"
2640         as the next token.
2641
2642         In this patch I implement a new approach. We just parse
2643         the lhs of an assignment expression eagerly without doing any
2644         lookahead. Retroactively, if we see that we might have started
2645         with an arrow function, and we don't have a valid lhs or the
2646         next token is a "=>", we try to parse as an arrow function.
2647
2648         Here are a few examples motivating why this is valid:
2649
2650         `x => x`
2651         In this example:
2652         - "x" is a valid arrow function starting point.
2653         - "x" also happens to be a valid lhs
2654         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2655
2656         `(x) => x`
2657         In this example:
2658         - "(" is a valid arrow function starting point.
2659         - "(x)" also happens to be a valid lhs
2660         - because we see "=>" as the next token, we parse as an arrow function and succeed.
2661
2662         `({x = 30}) => x;`
2663         In this example:
2664         - "(" is a valid arrow function starting point.
2665         - "({x = 30})" is NOT a valid lhs. Because of this, we try to parse it as an arrow function and succeed.
2666
2667         There is one interesting implementation detail where we might
2668         parse something that is both a valid LHS but happens
2669         to actually be the arrow function parameters. The valid LHS
2670         parsing might declare such variables as "uses" which would cause 
2671         weird capture analysis. This patch also introduces a mechanism
2672         to backtrack on used variable analysis.
2673
2674         This is a 3.5%-4.5% octane code load speedup.
2675
2676         * parser/Lexer.h:
2677         (JSC::Lexer::sawError):
2678         (JSC::Lexer::setSawError):
2679         (JSC::Lexer::getErrorMessage):
2680         (JSC::Lexer::setErrorMessage):
2681         (JSC::Lexer::sourceURL):
2682         (JSC::Lexer::sourceMappingURL):
2683         * parser/Parser.cpp:
2684         (JSC::Parser<LexerType>::isArrowFunctionParameters):
2685         (JSC::Parser<LexerType>::parseAssignmentExpression):
2686         (JSC::Parser<LexerType>::parsePrimaryExpression):
2687         * parser/Parser.h:
2688         (JSC::Scope::Scope):
2689         (JSC::Scope::startSwitch):
2690         (JSC::Scope::declareParameter):
2691         (JSC::Scope::usedVariablesContains):
2692         (JSC::Scope::useVariable):
2693         (JSC::Scope::pushUsedVariableSet):
2694         (JSC::Scope::currentUsedVariablesSize):
2695         (JSC::Scope::revertToPreviousUsedVariables):
2696         (JSC::Scope::setNeedsFullActivation):
2697         (JSC::Scope::needsFullActivation):
2698         (JSC::Scope::isArrowFunctionBoundary):
2699         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
2700         (JSC::Scope::collectFreeVariables):
2701         (JSC::Scope::fillParametersForSourceProviderCache):
2702         (JSC::Scope::restoreFromSourceProviderCache):
2703         (JSC::Scope::setIsModule):
2704
2705 2016-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2706
2707         Fails to build in Linux / PowerPC due to different ucontext_t definition
2708         https://bugs.webkit.org/show_bug.cgi?id=156015
2709
2710         Reviewed by Michael Catanzaro.
2711
2712         PPC does not have mcontext_t in ucontext_t::uc_mcontext.
2713         So we take the special way to retrieve mcontext_t in PPC.
2714
2715         * heap/MachineStackMarker.cpp:
2716         (pthreadSignalHandlerSuspendResume):
2717
2718 2016-03-31  Benjamin Poulain  <benjamin@webkit.org>
2719
2720         [JSC][x86] Add the indexed forms of floating point addition and multiplication
2721         https://bugs.webkit.org/show_bug.cgi?id=156058
2722
2723         Reviewed by Geoffrey Garen.
2724
2725         B3 supports lowering [base, index] addresses into
2726         arbitrary instructions but we were not using that feature.
2727
2728         This patch adds the missing support for the lowering
2729         of Add and Mul.
2730
2731         * assembler/MacroAssemblerX86Common.h:
2732         (JSC::MacroAssemblerX86Common::addDouble):
2733         (JSC::MacroAssemblerX86Common::addFloat):
2734         (JSC::MacroAssemblerX86Common::mulDouble):
2735         (JSC::MacroAssemblerX86Common::mulFloat):
2736         * assembler/X86Assembler.h:
2737         (JSC::X86Assembler::addsd_mr):
2738         (JSC::X86Assembler::vaddsd_mr):
2739         (JSC::X86Assembler::addss_mr):
2740         (JSC::X86Assembler::vaddss_mr):
2741         (JSC::X86Assembler::mulsd_mr):
2742         (JSC::X86Assembler::vmulsd_mr):
2743         (JSC::X86Assembler::mulss_mr):
2744         (JSC::X86Assembler::vmulss_mr):
2745         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2746         * b3/B3LowerToAir.cpp:
2747         (JSC::B3::Air::LowerToAir::appendBinOp):
2748         Unlike the Addr form, we never need to transform a Tmp
2749         into an Index for spilling.
2750
2751         Instead of duplicating all the code in MacroAssembler, I can
2752         just have the lowering phase try using addresses for the first
2753         argument when possible.
2754
2755         * b3/air/AirOpcode.opcodes:
2756         * b3/air/testair.cpp:
2757         (JSC::B3::Air::testX86VMULSDBaseNeedsRex):
2758         (JSC::B3::Air::testX86VMULSDIndexNeedsRex):
2759         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex):
2760         (JSC::B3::Air::run):
2761
2762 2016-03-31  Saam barati  <sbarati@apple.com>
2763
2764         DFG JIT bug in typeof constant folding where the input to typeof is an object or function
2765         https://bugs.webkit.org/show_bug.cgi?id=156034
2766         <rdar://problem/25446785>
2767
2768         Reviewed by Ryosuke Niwa.
2769
2770         AI would constant fold TypeOf to the string "object" if it saw that
2771         its input type didn't expand past the types contained in the set 
2772         "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
2773         And typeof of a function should return "function". This patch fixes
2774         this bug by making sure we constant fold to object iff the type
2775         doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
2776
2777         * dfg/DFGAbstractInterpreterInlines.h:
2778         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2779         * tests/stress/typeof-dfg-function-or-object.js: Added.
2780         (assert):
2781         (foo.else.o):
2782         (foo):
2783
2784 2016-03-31  Mark Lam  <mark.lam@apple.com>
2785
2786         Gardening: Build and logic fix after r198873.
2787         https://bugs.webkit.org/show_bug.cgi?id=156043
2788
2789         Not reviewed.
2790
2791         * assembler/MacroAssemblerX86Common.h:
2792         (JSC::MacroAssemblerX86Common::addFloat):
2793         - 2 args were meant to be ordered differently in order to call the other addFloat.
2794           Instead, there was an infinite recursion bug.  This is now fixed.
2795
2796 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
2797
2798         [JSC][x86] Add the 3 operands forms of floating point addition and multiplication
2799         https://bugs.webkit.org/show_bug.cgi?id=156043
2800
2801         Reviewed by Geoffrey Garen.
2802
2803         When they are available, VADD and VMUL are better options to lower
2804         floating point addition and multiplication.
2805
2806         In the simple cases when one of the operands is aliased to the destination,
2807         those forms have the same size or 1 byte shorter depending on the registers.
2808
2809         In the more advanced cases, we gain nice advantages with the new forms:
2810         -We can get rid of the MoveDouble in front the instruction when we cannot
2811          alias.
2812         -We can disable aliasing entirely in Air. That is useful for latency
2813          since computing coalescing is not exactly cheap.
2814
2815         * assembler/MacroAssemblerX86Common.cpp:
2816         * assembler/MacroAssemblerX86Common.h:
2817         (JSC::MacroAssemblerX86Common::and32):
2818         (JSC::MacroAssemblerX86Common::mul32):
2819         (JSC::MacroAssemblerX86Common::or32):
2820         (JSC::MacroAssemblerX86Common::xor32):
2821         (JSC::MacroAssemblerX86Common::branchAdd32):
2822         The change in B3LowerToAir exposed a bug in the fake 3 operands
2823         forms of those instructions. If the address is equal to
2824         the destination, we were nuking the address.
2825
2826         For example,
2827             Add32([%r11], %eax, %r11)
2828         would generate:
2829             move %eax, %r11
2830             add32 [%r11], %r11
2831         which crashes.
2832
2833         I updated codegen of those cases to support that case through
2834             load32 [%r11], %r11
2835             add32 %eax, %r11
2836
2837         The weird case were all arguments have the same registers
2838         is handled too.
2839
2840         (JSC::MacroAssemblerX86Common::addDouble):
2841         (JSC::MacroAssemblerX86Common::addFloat):
2842         (JSC::MacroAssemblerX86Common::mulDouble):
2843         (JSC::MacroAssemblerX86Common::mulFloat):
2844         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2845         (JSC::MacroAssemblerX86Common::supportsAVX):
2846         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
2847         * assembler/MacroAssemblerX86_64.h:
2848         (JSC::MacroAssemblerX86_64::branchAdd64):
2849         * assembler/X86Assembler.h:
2850         (JSC::X86Assembler::vaddsd_rr):
2851         (JSC::X86Assembler::vaddsd_mr):
2852         (JSC::X86Assembler::vaddss_rr):
2853         (JSC::X86Assembler::vaddss_mr):
2854         (JSC::X86Assembler::vmulsd_rr):
2855         (JSC::X86Assembler::vmulsd_mr):
2856         (JSC::X86Assembler::vmulss_rr):
2857         (JSC::X86Assembler::vmulss_mr):
2858         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
2859         * b3/B3LowerToAir.cpp:
2860         (JSC::B3::Air::LowerToAir::appendBinOp):
2861         Add the 3 operand forms so that we lower Add and Mul
2862         to the best form directly.
2863
2864         I will change how we lower the fake 3 operands instructions
2865         but the codegen should end up the same in most cases.
2866         The new codegen is the load32 + op above.
2867
2868         * b3/air/AirInstInlines.h:
2869         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2870         * b3/air/testair.cpp:
2871         (JSC::B3::Air::testX86VMULSD):
2872         (JSC::B3::Air::testX86VMULSDDestRex):
2873         (JSC::B3::Air::testX86VMULSDOp1DestRex):
2874         (JSC::B3::Air::testX86VMULSDOp2DestRex):
2875         (JSC::B3::Air::testX86VMULSDOpsDestRex):
2876         (JSC::B3::Air::testX86VMULSDAddr):
2877         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr):
2878         (JSC::B3::Air::testX86VMULSDDestRexAddr):
2879         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr):
2880         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr):
2881         Make sure we have some coverage for AVX encoding of instructions.
2882
2883 2016-03-30  Saam Barati  <sbarati@apple.com>
2884
2885         Change some release asserts in CodeBlock linking into debug asserts
2886         https://bugs.webkit.org/show_bug.cgi?id=155500
2887
2888         Reviewed by Filip Pizlo.
2889
2890         * bytecode/CodeBlock.cpp:
2891         (JSC::CodeBlock::finishCreation):
2892
2893 2016-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2894
2895         Remove unused ScriptProfiler.Samples.totalTime
2896         https://bugs.webkit.org/show_bug.cgi?id=156002
2897
2898         Reviewed by Saam Barati.
2899
2900         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2901         (Inspector::buildSamples):
2902         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2903         * inspector/protocol/ScriptProfiler.json:
2904         Remove totalTime.
2905
2906         * runtime/SamplingProfiler.cpp:
2907         (JSC::SamplingProfiler::SamplingProfiler): Deleted.
2908         * runtime/SamplingProfiler.h:
2909         (JSC::SamplingProfiler::totalTime): Deleted.
2910         Remove now unused m_totalTime.
2911
2912 2016-03-30  Michael Saboff  <msaboff@apple.com>
2913
2914         [ES6] Quantified unicode regular expressions do not work for counts greater than 1
2915         https://bugs.webkit.org/show_bug.cgi?id=156044
2916
2917         Reviewed by Mark Lam.
2918
2919         Fixed incorrect indexing of non-BMP characters in fixed patterns.  The old code
2920         was indexing by character units, a single JS character, instead of code points
2921         which is 2 JS characters.
2922
2923         * yarr/YarrInterpreter.cpp:
2924         (JSC::Yarr::Interpreter::matchDisjunction):
2925
2926 2016-03-30  Mark Lam  <mark.lam@apple.com>
2927
2928         Make the $vm debugging tools available to builtins as @$vm.
2929         https://bugs.webkit.org/show_bug.cgi?id=156012
2930
2931         Reviewed by Saam Barati.
2932
2933         We also need some debugging tools for builtin development.  The $vm object will
2934         be made available to builtins as @$vm, which gives us, amongst many goodies,
2935         @$vm.print() (which prints the toString() values of its args) and
2936         @$vm.printValue() (which dataLogs its arg as a JSValue).  @$vm will only be
2937         available if we run with JSC_useDollarVM=true.
2938
2939         Also changed @$vm.print() to not automatically insert a space between the
2940         printing of each of its args.  This makes it clearer as to what will be printed
2941         i.e. it will only print what is passed to it.
2942
2943         * builtins/BuiltinNames.h:
2944         (JSC::BuiltinNames::BuiltinNames):
2945         (JSC::BuiltinNames::dollarVMPublicName):
2946         (JSC::BuiltinNames::dollarVMPrivateName):
2947         * runtime/JSGlobalObject.cpp:
2948         (JSC::JSGlobalObject::init):
2949         * tools/JSDollarVMPrototype.cpp:
2950         (JSC::functionPrint):
2951
2952 2016-03-30  Keith Miller  <keith_miller@apple.com>
2953
2954         Unreviewed, buildfix.
2955
2956         * bytecode/BytecodeIntrinsicRegistry.h:
2957
2958 2016-03-30  Keith Miller <keith_miller@apple.com>
2959
2960         Unreviewed, rollout r198808. The patch causes crashes on 32-bit and appears to be a JSBench regression.
2961
2962 2016-03-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2963
2964         [JSC] Implement String.prototype.repeat in builtins JS
2965         https://bugs.webkit.org/show_bug.cgi?id=155974
2966
2967         Reviewed by Darin Adler.
2968
2969         This patch converts C++ String.prototype.repeat implementation into JS builtins.
2970         |this| in strict mode is correctly inferred as String[1]. This fact encourages us
2971         to write PrimitiveTypes.prototype.XXX methods in builtin JS.
2972
2973         LayoutTests/js/string-repeat.html already covers the tests for this change.
2974
2975         Note: String.prototype.repeat functionality is similar to Harmony's
2976         String.prototype.{padStart, padEnd}. It's nice to port them to builtin JS in
2977         the other patch.
2978
2979         The existing C++ code has the fast path for singleCharacterString repeating.
2980         Since this use is important (e.g. generating N length spaces: ' '.repeat(N)),
2981         we keep this fast path as @repeatCharacter().
2982
2983         The performance results show that, while the performance of the single character fast path
2984         is neutral, other string repeating has significant speed up.
2985         There are two reasons.
2986
2987         1. Not resolving string rope.
2988
2989         We added several tests postfixed "not-resolving". In that tests, we do not touch the content
2990         of the generated string. As a result, the generated rope is not resolved.
2991
2992         2. O(log N) intermediate JSRopeStrings.
2993
2994         In the existing C++ implementation, we use JSString::RopeBuilder. We iterate N times and append
2995         the given string to the builder.
2996         In this case, the intermediate rope strings generated in JSString::RopeBuilder is O(N).
2997         In JS builtin implementation, we only iterate log N times. As a result, the number of the
2998         intermediate rope strings becomes O(log N).
2999
3000         [1]: http://trac.webkit.org/changeset/195938
3001
3002         * builtins/StringPrototype.js:
3003         (repeatSlowPath):
3004         (repeat):
3005         * bytecode/BytecodeIntrinsicRegistry.cpp:
3006         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3007         * bytecode/BytecodeIntrinsicRegistry.h:
3008         * runtime/CommonIdentifiers.h:
3009         * runtime/JSGlobalObject.cpp:
3010         (JSC::JSGlobalObject::init):
3011         * runtime/StringPrototype.cpp:
3012         (JSC::stringProtoFuncRepeatCharacter):
3013         (JSC::StringPrototype::finishCreation): Deleted.
3014         (JSC::stringProtoFuncRepeat): Deleted.
3015         * runtime/StringPrototype.h:
3016         * tests/stress/string-repeat-edge-cases.js: Added.
3017         (shouldBe):
3018         (let.object.toString):
3019         (valueOf):
3020         (shouldThrow):
3021
3022 2016-03-30  Benjamin Poulain  <benjamin@webkit.org>
3023
3024         [JSC] Update udis86
3025         https://bugs.webkit.org/show_bug.cgi?id=156005
3026
3027         Reviewed by Geoffrey Garen.
3028
3029         * CMakeLists.txt:
3030         * DerivedSources.make:
3031         * JavaScriptCore.xcodeproj/project.pbxproj:
3032         * disassembler/udis86/differences.txt:
3033         * disassembler/udis86/itab.py: Removed.
3034         * disassembler/udis86/optable.xml:
3035         * disassembler/udis86/ud_itab.py: Added.
3036         * disassembler/udis86/ud_opcode.py:
3037         * disassembler/udis86/ud_optable.py: Removed.
3038         * disassembler/udis86/udis86.c:
3039         * disassembler/udis86/udis86_decode.c:
3040         * disassembler/udis86/udis86_decode.h:
3041         * disassembler/udis86/udis86_extern.h:
3042         * disassembler/udis86/udis86_input.c: Removed.
3043         * disassembler/udis86/udis86_input.h: Removed.
3044         * disassembler/udis86/udis86_syn-att.c:
3045         * disassembler/udis86/udis86_syn.h:
3046         * disassembler/udis86/udis86_types.h:
3047         * disassembler/udis86/udis86_udint.h:
3048
3049 2016-03-30  Benjamin Poulain  <bpoulain@apple.com>
3050
3051         [JSC] Get rid of operationInitGlobalConst(), it is useless
3052         https://bugs.webkit.org/show_bug.cgi?id=156010
3053
3054         Reviewed by Geoffrey Garen.
3055
3056         * jit/JITOperations.cpp:
3057         * jit/JITOperations.h:
3058
3059 2016-03-29  Saam barati  <sbarati@apple.com>
3060
3061         Fix typos in our error messages and remove some trailing periods
3062         https://bugs.webkit.org/show_bug.cgi?id=155985
3063
3064         Reviewed by Mark Lam.
3065
3066         * bytecompiler/BytecodeGenerator.cpp:
3067         (JSC::BytecodeGenerator::BytecodeGenerator):
3068         * runtime/ArrayConstructor.h:
3069         (JSC::isArray):
3070         * runtime/ProxyConstructor.cpp:
3071         (JSC::makeRevocableProxy):
3072         (JSC::proxyRevocableConstructorThrowError):
3073         (JSC::ProxyConstructor::finishCreation):
3074         (JSC::constructProxyObject):
3075         * runtime/ProxyObject.cpp:
3076         (JSC::ProxyObject::finishCreation):
3077         (JSC::performProxyGet):
3078         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3079         (JSC::ProxyObject::performHasProperty):
3080         (JSC::ProxyObject::performPut):
3081         (JSC::performProxyCall):
3082         (JSC::performProxyConstruct):
3083         (JSC::ProxyObject::performDelete):
3084         (JSC::ProxyObject::performPreventExtensions):
3085         (JSC::ProxyObject::performIsExtensible):
3086         (JSC::ProxyObject::performDefineOwnProperty):
3087         (JSC::ProxyObject::performGetOwnPropertyNames):
3088         (JSC::ProxyObject::performSetPrototype):
3089         (JSC::ProxyObject::performGetPrototype):
3090         * runtime/StringPrototype.cpp:
3091         (JSC::stringProtoFuncStartsWith):
3092         (JSC::stringProtoFuncEndsWith):
3093         (JSC::stringProtoFuncIncludes):
3094         * runtime/Structure.cpp:
3095         (JSC::Structure::preventExtensionsTransition):
3096         * tests/stress/proxy-basic.js:
3097         * tests/stress/proxy-construct.js:
3098         (throw.new.Error):
3099         (assert):
3100         * tests/stress/proxy-define-own-property.js:
3101         (assert):
3102         (throw.new.Error):
3103         (i.catch):
3104         (assert.set get catch):
3105         * tests/stress/proxy-delete.js:
3106         (assert):
3107         * tests/stress/proxy-get-own-property.js:
3108         (assert):
3109         (i.catch):
3110         (set get let):
3111         * tests/stress/proxy-get-prototype-of.js:
3112         (assert):
3113         (assert.get let):
3114         (assert.get catch):
3115         * tests/stress/proxy-has-property.js:
3116         (assert):
3117         * tests/stress/proxy-is-array.js:
3118         (test):
3119         * tests/stress/proxy-is-extensible.js:
3120         (assert):
3121         * tests/stress/proxy-json.js:
3122         (assert):
3123         (test):
3124         * tests/stress/proxy-own-keys.js:
3125         (assert):
3126         (i.catch):
3127         * tests/stress/proxy-prevent-extensions.js:
3128         (assert):
3129         * tests/stress/proxy-property-descriptor.js:
3130         * tests/stress/proxy-revoke.js:
3131         (assert):
3132         (throw.new.Error.):
3133         (throw.new.Error):
3134         (shouldThrowNullHandler):
3135         * tests/stress/proxy-set-prototype-of.js:
3136         (assert.set let):
3137         (assert.set catch):
3138         (assert):
3139         (set catch):
3140         * tests/stress/proxy-set.js:
3141         (throw.new.Error.let.handler.set 45):
3142         (throw.new.Error):
3143         * tests/stress/proxy-with-private-symbols.js:
3144         (assert):
3145         * tests/stress/proxy-with-unbalanced-getter-setter.js:
3146         (assert):
3147         * tests/stress/reflect-set-proxy-set.js:
3148         (throw.new.Error.let.handler.set 45):
3149         (throw.new.Error):
3150         * tests/stress/reflect-set-receiver-proxy-set.js:
3151         (let.handler.set 45):
3152         (catch):
3153         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js:
3154         (test):
3155         (test.get let):
3156
3157 2016-03-29  Keith Miller  <keith_miller@apple.com>
3158
3159         [ES6] Add support for Symbol.isConcatSpreadable.
3160         https://bugs.webkit.org/show_bug.cgi?id=155351
3161
3162         Reviewed by Saam Barati.
3163
3164         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
3165         Array.prototype.concat function to JS. A number of different optimizations were needed to make such the move to
3166         a builtin performant. First, four new DFG intrinsics were added.
3167
3168         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
3169            the Array.isArray function.
3170         2) IsJSArray: checks the first child is a JSArray object.
3171         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
3172         4) CallObjectConstructor: an intrinsic of the Object constructor.
3173
3174         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
3175         we are able to prove that the first child is an Array or for ToObject an Object.
3176
3177         In order to further improve the perfomance we also now cover more indexing types in our fast path memcpy
3178         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
3179         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
3180         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
3181         into a contiguous array).
3182
3183         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
3184         values onto the result array. This works roughly the same as the two array fast path using the same methodology
3185         to decide if we can memcpy the other butterfly into the result butterfly.
3186
3187         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
3188         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
3189         dataLog function on it.
3190
3191         Finally, this patch add a new constructor to JSValueRegsTemporary that allows it to reuse the the registers of a
3192         JSValueOperand if the operand's use count is one.
3193
3194         * JavaScriptCore.xcodeproj/project.pbxproj:
3195         * builtins/ArrayPrototype.js:
3196         (concatSlowPath):
3197         (concat):
3198         * bytecode/BytecodeIntrinsicRegistry.cpp:
3199         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3200         * bytecode/BytecodeIntrinsicRegistry.h:
3201         * dfg/DFGAbstractInterpreterInlines.h:
3202         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3203         * dfg/DFGByteCodeParser.cpp:
3204         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3205         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3206         * dfg/DFGClobberize.h:
3207         (JSC::DFG::clobberize):
3208         * dfg/DFGDoesGC.cpp:
3209         (JSC::DFG::doesGC):
3210         * dfg/DFGFixupPhase.cpp:
3211         (JSC::DFG::FixupPhase::fixupNode):
3212         * dfg/DFGNodeType.h:
3213         * dfg/DFGOperations.cpp:
3214         * dfg/DFGOperations.h:
3215         * dfg/DFGPredictionPropagationPhase.cpp:
3216         (JSC::DFG::PredictionPropagationPhase::propagate):
3217         * dfg/DFGSafeToExecute.h:
3218         (JSC::DFG::safeToExecute):
3219         * dfg/DFGSpeculativeJIT.cpp:
3220         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3221         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
3222         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
3223         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
3224         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
3225         * dfg/DFGSpeculativeJIT.h:
3226         (JSC::DFG::SpeculativeJIT::callOperation):
3227         * dfg/DFGSpeculativeJIT32_64.cpp:
3228         (JSC::DFG::SpeculativeJIT::compile):
3229         * dfg/DFGSpeculativeJIT64.cpp:
3230         (JSC::DFG::SpeculativeJIT::compile):
3231         * ftl/FTLCapabilities.cpp:
3232         (JSC::FTL::canCompile):
3233         * ftl/FTLLowerDFGToB3.cpp:
3234         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3235         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
3236         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
3237         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
3238         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
3239         (JSC::FTL::DFG::LowerDFGToB3::isArray):
3240         * jit/JITOperations.h:
3241         * jsc.cpp:
3242         (WTF::RuntimeArray::createStructure):
3243         (GlobalObject::finishCreation):
3244         (functionDebug):
3245         (functionDataLogValue):
3246         * runtime/ArrayConstructor.cpp:
3247         (JSC::ArrayConstructor::finishCreation):
3248         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
3249         * runtime/ArrayConstructor.h:
3250         (JSC::isArrayConstructor):
3251         * runtime/ArrayPrototype.cpp:
3252         (JSC::ArrayPrototype::finishCreation):
3253         (JSC::arrayProtoPrivateFuncIsJSArray):
3254         (JSC::moveElements):
3255         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3256         (JSC::arrayProtoPrivateFuncAppendMemcpy):
3257         (JSC::arrayProtoFuncConcat): Deleted.
3258         * runtime/ArrayPrototype.h:
3259         (JSC::ArrayPrototype::createStructure):
3260         * runtime/CommonIdentifiers.h:
3261         * runtime/Intrinsic.h:
3262         * runtime/JSArray.cpp:
3263         (JSC::JSArray::appendMemcpy):
3264         (JSC::JSArray::fastConcatWith): Deleted.
3265         * runtime/JSArray.h:
3266         (JSC::JSArray::createStructure):
3267         (JSC::JSArray::fastConcatType): Deleted.
3268         * runtime/JSArrayInlines.h: Added.
3269         (JSC::JSArray::memCopyWithIndexingType):
3270         (JSC::JSArray::canFastCopy):
3271         * runtime/JSGlobalObject.cpp:
3272         (JSC::JSGlobalObject::init):
3273         * runtime/JSType.h:
3274         * runtime/ObjectConstructor.h:
3275         (JSC::constructObject):
3276         * tests/es6.yaml:
3277         * tests/stress/array-concat-spread-object.js: Added.
3278         (arrayEq):
3279         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
3280         (arrayEq):
3281         * tests/stress/array-concat-spread-proxy.js: Added.
3282         (arrayEq):
3283         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
3284         (arrayEq):
3285         * tests/stress/array-species-config-array-constructor.js:
3286
3287 2016-03-29  Saam barati  <sbarati@apple.com>
3288
3289         We don't properly optimize TDZ checks when we declare a let variable without an initializer
3290         https://bugs.webkit.org/show_bug.cgi?id=150453
3291
3292         Reviewed by Mark Lam.
3293
3294         * bytecompiler/NodesCodegen.cpp:
3295         (JSC::EmptyLetExpression::emitBytecode):
3296
3297 2016-03-29  Saam barati  <sbarati@apple.com>
3298
3299         Allow builtin JS functions to be intrinsics
3300         https://bugs.webkit.org/show_bug.cgi?id=155960
3301
3302         Reviewed by Mark Lam.
3303
3304         Builtin functions can now be recognized as intrinsics inside
3305         the DFG. This gives us the flexibility to either lower a builtin
3306         as an intrinsic in the DFG or as a normal function call.
3307         Because we may decide to not lower it as an intrinsic, the DFG
3308         inliner could still inline the function call.
3309
3310         You can annotate a builtin function like so to make
3311         it be recognized as an intrinsic.
3312         ```
3313         [intrinsic=FooIntrinsic] function foo() { ... }
3314         ```
3315         where FooIntrinsic is an enum value of the Intrinsic enum.
3316
3317         So in the future if we write RegExp.prototype.test as a builtin, we would do:
3318         ``` RegExpPrototype.js
3319         [intrinsic=RegExpTestIntrinsic] function test() { ... }
3320         ```
3321
3322         * Scripts/builtins/builtins_generate_combined_implementation.py:
3323         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3324         * Scripts/builtins/builtins_generate_separate_implementation.py:
3325         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3326         * Scripts/builtins/builtins_generator.py:
3327         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
3328         * Scripts/builtins/builtins_model.py:
3329         (BuiltinObject.__init__):
3330         (BuiltinFunction):
3331         (BuiltinFunction.__init__):
3332         (BuiltinFunction.fromString):
3333         (BuiltinFunction.__str__):
3334         * Scripts/builtins/builtins_templates.py:
3335         * bytecode/UnlinkedFunctionExecutable.cpp:
3336         (JSC::UnlinkedFunctionExecutable::visitChildren):
3337         (JSC::UnlinkedFunctionExecutable::link):
3338         * bytecode/UnlinkedFunctionExecutable.h:
3339         * dfg/DFGByteCodeParser.cpp:
3340         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3341         * runtime/Executable.cpp: