413cd691be05534a56a612f2a0966bf6713f4b77
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-05-27  Saam barati  <sbarati@apple.com>

        ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
        https://bugs.webkit.org/show_bug.cgi?id=158131

        Reviewed by Yusuke Suzuki.

        There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
        frame(s) are tail deleted.

        DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
        tail deleted. This is clearly wrong. The following program proves that this assertion
        was misguided:
        ```
        "use strict";
        setTimeout(function foo() { return bar(); }, 0);
        ```

        ShadowChicken had a very subtle bug when creating the shadow stack when
        the entry frames of the stack were tail deleted. Because it places frames into its shadow
        stack by walking the machine frame and looking up entries in the log,
        the machine frame doesn't have any notion of those tail deleted frames
        at the entry of execution. ShadowChicken would never find those frames
        because it would look for tail deleted frames *before* consulting the
        current machine frame. This is wrong because if the entry frames
        are tail deleted, then there is no machine frame for them because there
        is no machine frame before them! Therefore, we must search for tail deleted
        frames *after* consulting a machine frame. This is sound because we will always
        have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
        So when we consult the machine frame that is the entry frame on the machine stack,
        we will search for tail deleted frames that come before it in the shadow stack.
        This will allow us to find those tail deleted frames that are the entry frames
        for the shadow stack.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::Packet::dump):
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::dump):

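To make the ordering argument in the entry above concrete, here is an added example that is not code from the WebKit project: a simplified C++ model of rebuilding a shadow stack from the machine stack plus a packet log. The `Packet`/`Kind` types, the innermost-first machine frame list, the `Scenario` helpers and the `name*` marking for tail-deleted frames are assumptions of this model, not ShadowChicken's real data structures. `rebuildBuggy` searches for tail packets before consulting each machine frame, `rebuildFixed` after; on the program quoted in the entry (foo is the entry frame and tail-calls bar) the buggy walk loses foo.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Simplified model (an assumption of this example, not ShadowChicken's own
// data structures) of the log consulted while rebuilding the shadow stack.
// A Prologue packet records a frame being entered; a Tail packet records a
// frame being deleted by a tail call.
enum class Kind { Prologue, Tail };
struct Packet {
    Kind kind;
    std::string name;
};

// The rebuilt shadow stack, innermost frame first. Live frames appear as
// "name"; tail-deleted frames are marked "name*".
using Shadow = std::vector<std::string>;

// Index of the most recent Prologue packet for `name` strictly before `from`.
static size_t findPrologue(const std::vector<Packet>& log, size_t from, const std::string& name)
{
    for (size_t i = from; i > 0; --i) {
        if (log[i - 1].kind == Kind::Prologue && log[i - 1].name == name)
            return i - 1;
    }
    throw std::logic_error("every machine frame has a prologue packet");
}

// Collect the Tail packets sitting immediately before `cursor`; each one is a
// frame that was tail-deleted and so has no machine frame of its own.
static void collectTailDeleted(const std::vector<Packet>& log, size_t& cursor, Shadow& shadow)
{
    while (cursor > 0 && log[cursor - 1].kind == Kind::Tail) {
        shadow.push_back(log[cursor - 1].name + "*");
        --cursor;
    }
}

// Buggy order: look for tail-deleted frames *before* consulting each machine
// frame. The loop ends as soon as the last (entry) machine frame is consumed,
// so Tail packets that precede the entry frame's prologue are never visited.
Shadow rebuildBuggy(const std::vector<std::string>& machine, const std::vector<Packet>& log)
{
    Shadow shadow;
    size_t cursor = log.size();
    for (const std::string& frame : machine) { // innermost machine frame first
        collectTailDeleted(log, cursor, shadow);
        cursor = findPrologue(log, cursor, frame);
        shadow.push_back(frame);
    }
    return shadow;
}

// Fixed order: consult the machine frame first, then collect the tail-deleted
// frames that precede its prologue. Since there is always at least one machine
// frame, the entry frame's tail-deleted predecessors are reached too.
Shadow rebuildFixed(const std::vector<std::string>& machine, const std::vector<Packet>& log)
{
    Shadow shadow;
    size_t cursor = log.size();
    for (const std::string& frame : machine) {
        cursor = findPrologue(log, cursor, frame);
        shadow.push_back(frame);
        collectTailDeleted(log, cursor, shadow);
    }
    return shadow;
}

struct Scenario {
    std::vector<std::string> machine; // innermost first
    std::vector<Packet> log;          // chronological
};

// Constructed from the program in the entry: foo is the entry frame and
// tail-calls bar, so only bar is left on the machine stack.
Scenario entryTailCallScenario()
{
    return { { "bar" },
             { { Kind::Prologue, "foo" }, { Kind::Tail, "foo" }, { Kind::Prologue, "bar" } } };
}

// Constructed variant with a live caller below the tail call: main calls foo,
// foo tail-calls bar.
Scenario nestedTailCallScenario()
{
    return { { "bar", "main" },
             { { Kind::Prologue, "main" }, { Kind::Prologue, "foo" },
               { Kind::Tail, "foo" }, { Kind::Prologue, "bar" } } };
}
```

In the nested scenario, where a live `main` frame sits below the tail call, both orderings produce the same shadow stack; the two differ only when the tail-deleted frames are the entry frames, which is exactly the case the entry describes.
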
2016-05-27  Chris Dumez  <cdumez@apple.com>

        WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
        https://bugs.webkit.org/show_bug.cgi?id=158111

        Reviewed by Darin Adler.

        WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
        These are often used cross-thread and copying the captured lambda variables can be
        dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
        capture).

        * runtime/Watchdog.cpp:
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::Watchdog): Deleted.
        (JSC::Watchdog::setTimeLimit): Deleted.
        * runtime/Watchdog.h:

2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>

        Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=158159

        Reviewed by Darin Adler.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2016-05-27  Keith Miller  <keith_miller@apple.com>

        get_by_id should support caching unset properties in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=158136

        Reviewed by Benjamin Poulain.

        Recently, we started supporting prototype load caching for get_by_id
        in the LLInt. This patch extends that to caching unset properties.
        While it is uncommon in general for a program to see a single structure
        without a given property, the Array.prototype.concat function needs to
        lookup the Symbol.isConcatSpreadable property. For any existing code,
        that property will never be set as it did not exist prior to ES6.

        Similarly to the get_by_id_proto_load bytecode, this patch adds a new
        bytecode, get_by_id_unset, that checks the structureID of the base and
        assigns undefined to the result.

        There are no new tests here since we already have many tests that
        incidentally cover this change.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2016-05-26  Filip Pizlo  <fpizlo@apple.com>

        Bogus uses of regexp matching should realize that they will OOM before they start swapping
        https://bugs.webkit.org/show_bug.cgi?id=158142

        Reviewed by Michael Saboff.

        Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
        advantage of this to make the code more resilient in case of absurd situations: if the
        result array gets large, it proceeds with a dry run to detect how many matches there will
        be. This allows it to OOM before it starts swapping.

        This also improves the overall performance of the code by using lightweight substrings and
        skipping the whole intermediate argument array.

        This makes some jsfunfuzz tests run a lot faster and use a lot less memory.

        * builtins/RegExpPrototype.js:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/MatchResult.cpp: Added.
        (JSC::MatchResult::dump):
        * runtime/MatchResult.h:
        (JSC::MatchResult::empty):
        (MatchResult::empty): Deleted.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        (JSC::collectMatches):
        (JSC::RegExpObject::matchGlobal):
        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.

2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Static table property lookup should not require getOwnPropertySlot override.
        https://bugs.webkit.org/show_bug.cgi?id=158059

        Reviewed by Darin Adler.

        Currently JSObject does not handle property lookup of entries in the static
        table. Each subclass with static properties must override getOwnPropertySlot,
        and explicitly call the lookup functions. This has the following drawbacks:

        - Performance: for any class with static properties, property access becomes
          virtual (via method table).
        - Poor encapsulation: implementation detail of static property access is
          spread throughout & cross projects, rather than being contained in JSObject.
        - Code size: this results in a great many additional functions.
        - Inconsistency: static table presence has to be taken into account in many
          other operations, e.g. presence of read-only properties for put.
        - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
          all properties. This is likely suboptimal.

        Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
        able to handle static properties.

        This is actually a fairly small & simple change.

        The common pattern is for subclasses of JSObject to override getOwnPropertySlot
        to first defer to JSObject for property storage lookup, and only if this fails
        consult the static table. They just want the static tables to be consulted after
        regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
        to check, and where it is set, do so. Then it's just a question of switching
        classes over to start setting this flag, and drop the override.

        The new mechanism does change static table lookup order from oldest-ancestor
        first to most-derived first. The new ordering makes more sense (means derived
        class static tables can now override entries from parents), and shouldn't affect
        any existing code (since overriding didn't previously work, there likely aren't
        shadowing properties in more derived types).

        This patch changes all classes in JavaScriptCore over to using the new mechanism,
        except JSGlobalObject. I'll move classes in WebCore over as a separate patch
        (this is also why I've not moved JSGlobalObject in this patch - doing so would
        move JSDOMWindow, and I'd rather handle that separately).

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
            - Add HasStaticPropertyTable flag.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
            - Change setUpStaticFunctionSlot to take a VM&.
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
            - Added helper function to perform static lookup alone.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
            - setUpStaticFunctionSlot changed to take a VM&.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnStaticPropertySlot):
            - Added, walks ClassInfo chain looking for static properties.
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnNonIndexPropertySlot):
            - getOwnNonIndexPropertySlot is used internally by getPropertySlot
              & getOwnPropertySlot. If property is not present in storage array
              then check the static table.
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::constructArrayWithSizeQuirk):
        (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        (JSC::ArrayIteratorPrototype::create):
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        (JSC::millisecondsFromComponents):
        (JSC::DateConstructor::getOwnPropertySlot): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToString):
        (JSC::DatePrototype::getOwnPropertySlot): Deleted.
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/GeneratorPrototype.h:
        (JSC::GeneratorPrototype::create):
        (JSC::GeneratorPrototype::createStructure):
        (JSC::GeneratorPrototype::GeneratorPrototype):
        * runtime/InspectorInstrumentationObject.cpp:
        (JSC::InspectorInstrumentationObject::finishCreation):
        (JSC::InspectorInstrumentationObject::isEnabled):
        (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
        * runtime/InspectorInstrumentationObject.h:
        (JSC::InspectorInstrumentationObject::create):
        (JSC::InspectorInstrumentationObject::createStructure):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::getData):
        (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
        * runtime/JSDataViewPrototype.h:
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::getCallData):
        (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::Walker):
        (JSC::JSONObject::getOwnPropertySlot): Deleted.
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
        * runtime/JSPromisePrototype.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::getMap):
        (JSC::MapPrototype::getOwnPropertySlot): Deleted.
        * runtime/MapPrototype.h:
        (JSC::MapPrototype::create):
        (JSC::MapPrototype::MapPrototype):
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::finishCreation):
        (JSC::printableModuleKey):
        (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
        * runtime/ModuleLoaderObject.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        (JSC::toThisNumber):
        (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::addDefineProperty):
        (JSC::constructObject):
        (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        (JSC::ObjectConstructor::createStructure):
        * runtime/ReflectObject.cpp:
        (JSC::ReflectObject::finishCreation):
        (JSC::ReflectObject::getOwnPropertySlot): Deleted.
        * runtime/ReflectObject.h:
        (JSC::ReflectObject::create):
        (JSC::ReflectObject::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getRightContext):
        (JSC::regExpConstructorDollar):
        (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (JSC::RegExpConstructor::createStructure):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::getSet):
        (JSC::SetPrototype::getOwnPropertySlot): Deleted.
        * runtime/SetPrototype.h:
        (JSC::SetPrototype::create):
        (JSC::SetPrototype::SetPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        (JSC::stringFromCharCodeSlowCase):
        (JSC::StringConstructor::getOwnPropertySlot): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/StringIteratorPrototype.h:
        (JSC::StringIteratorPrototype::create):
        (JSC::StringIteratorPrototype::StringIteratorPrototype):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::create):
        (JSC::substituteBackreferencesSlow):
        (JSC::StringPrototype::getOwnPropertySlot): Deleted.
        * runtime/StringPrototype.h:
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::create):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
        * runtime/SymbolPrototype.h:
        (JSC::SymbolPrototype::create):
            - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.

2016-05-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201436.
        https://bugs.webkit.org/show_bug.cgi?id=158143

        Caused 30% regression on Dromaeo DOM core tests (Requested by
        rniwa on #webkit).

        Reverted changeset:

        "REGRESSION: JSBench spends a lot of time transitioning
        to/from dictionary"
        https://bugs.webkit.org/show_bug.cgi?id=158045
        http://trac.webkit.org/changeset/201436

2016-05-26  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
        https://bugs.webkit.org/show_bug.cgi?id=158045

        Reviewed by Saam Barati.

        15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.

        This regression seems to have two parts:

        (1) Transitioning the window object to/from dictionary is more expensive
        than it used to be because the window object has lots more properties.
        The window object has more properties because, for WebIDL compatibility,
        we reify DOM APIs as properties when you delete.

        (2) DOM prototypes transition to/from dictionary upon creation
        because, once again for WebIDL compatibility, we reify their static
        APIs eagerly.

        The solution is to chill out a bit on dictionary transitions.

        * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
        if we've already done so before. This avoids pathological churn, and it
        is our idiom in other places.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Do flatten the global object unconditionally
        if it is an uncacheable dictionary because the global object is super
        important.

        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
        Don't transition away from dictionary after a batched set of property
        puts because normal dictionaries are cacheable and that's a perfectly
        fine state to be in -- and the transition is expensive.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
        dictionary because it will inevitably have enough properties to become
        a dictionary.

        * runtime/Operations.h:
        (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.

2016-05-25  Geoffrey Garen  <ggaren@apple.com>

        replaceable own properties seem to ignore replacement after property caching
        https://bugs.webkit.org/show_bug.cgi?id=158091

        Reviewed by Darin Adler.

        * runtime/Lookup.h:
        (JSC::replaceStaticPropertySlot): New helper function for replacing a
        static property with a direct property. We need to do an attribute changed
        transition because client code might have cached our static property.

2016-05-25  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
        https://bugs.webkit.org/show_bug.cgi?id=158011
        rdar://problem/25946592

        Reviewed by Saam Barati.

        When generating the meta-data required for compilation,
        Yarr uses a recursive function over the various expressions in the pattern.

        If you have many nested expressions, you can run out of stack
        and crash the WebProcess.
        This patch changes that into a soft failure. The expression is just
        considered invalid.

        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::setupOffsets):
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
        * yarr/YarrPattern.h:

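As an added illustration of the soft-failure approach in the entry above (example code, not Yarr's own): a recursive walk over nested groups that refuses to recurse past a fixed depth and reports the pattern invalid instead of exhausting the stack. Yarr's `isSafeToRecurse` checks the real stack position; this model uses a depth counter (`kMaxNestingDepth`, an assumed value) and a toy parenthesis-only grammar, so `ParseResult`, `walkGroup`, `checkPattern` and `nestedGroups` are all constructs of this example.

```cpp
#include <cstddef>
#include <string>

// Assumed limit for this example; Yarr itself compares against the actual
// stack limit rather than a fixed nesting depth.
constexpr std::size_t kMaxNestingDepth = 256;

enum class ParseResult { Ok, Unbalanced, TooDeep };

// Toy grammar (an assumption of this example): '(' opens a group, ')' closes
// it, anything else is a literal. The walk recurses once per group, in the
// same shape as a real pattern walker, so nesting depth maps directly onto
// native stack depth.
static ParseResult walkGroup(const std::string& pattern, std::size_t& pos, std::size_t depth)
{
    // Soft failure: instead of recursing until the stack is exhausted, give
    // up here and report the pattern as invalid.
    if (depth > kMaxNestingDepth)
        return ParseResult::TooDeep;

    while (pos < pattern.size()) {
        char c = pattern[pos++];
        if (c == '(') {
            ParseResult inner = walkGroup(pattern, pos, depth + 1);
            if (inner != ParseResult::Ok)
                return inner; // propagate TooDeep / Unbalanced outward unchanged
        } else if (c == ')') {
            return depth == 0 ? ParseResult::Unbalanced : ParseResult::Ok;
        }
        // literal: nothing to do
    }
    return depth == 0 ? ParseResult::Ok : ParseResult::Unbalanced;
}

ParseResult checkPattern(const std::string& pattern)
{
    std::size_t pos = 0;
    return walkGroup(pattern, pos, 0);
}

// Constructed input: n nested groups around a single literal, the shape that
// drives the recursion deepest.
std::string nestedGroups(std::size_t n)
{
    return std::string(n, '(') + "a" + std::string(n, ')');
}
```

The guard is checked on entry to every recursive call, so a pattern with 100,000 nested groups is rejected after `kMaxNestingDepth + 1` levels rather than after the process has overrun its stack; the caller sees an ordinary invalid-pattern result and can surface it as a syntax error.
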
2016-05-25  Alex Christensen  <achristensen@webkit.org>

        Fix Win64 build after r201335
        https://bugs.webkit.org/show_bug.cgi?id=158078

        Reviewed by Mark Lam.

        * offlineasm/x86.rb:
        Add Intel implementations for loadbs and loadhs

2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
        https://bugs.webkit.org/show_bug.cgi?id=158066

        Reviewed by Darin Adler.

        run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
        variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
        the current one is always "C", because to set the locale according to the environment variables we need to call
        setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
        process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
        always worked for EFL is because they call ecore_init() in jsc that calls setlocale.

        * jsc.cpp:
        (main): Call setlocale(LC_ALL, "") on GTK+.

2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
        https://bugs.webkit.org/show_bug.cgi?id=157889

        Reviewed by Darin Adler.

        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):

2016-05-24  Keith Miller  <keith_miller@apple.com>

        TypedArray.prototype.slice should not throw if no arguments are provided
        https://bugs.webkit.org/show_bug.cgi?id=158044
        <rdar://problem/26433280>

        Reviewed by Geoffrey Garen.

        We were throwing an exception if the TypedArray.prototype.slice function
        was not provided arguments. This was wrong. Instead we should just assume
        the first argument was 0.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
        * tests/stress/typedarray-slice.js:

2016-05-24  Keith Miller  <keith_miller@apple.com>

        LLInt should be able to cache prototype loads for values in GetById
        https://bugs.webkit.org/show_bug.cgi?id=158032

        Reviewed by Filip Pizlo.

        This patch adds prototype value caching to the LLInt for op_get_by_id.
        Two previously unused words in the op_get_by_id bytecode have been
        repurposed to hold extra information for the cache. The first is a
        counter that records the number of get_by_ids that hit a cacheable value
        on a prototype. When the counter is decremented from one to zero we
        attempt to cache the prototype load, which will be discussed further
        below. The second word is used to hold the prototype object when we have
        started caching.

        When the counter is decremented to zero we first attempt to generate and
        watch the property conditions needed to ensure the validity of prototype
        load. If the watchpoints are successfully created and installed we
        replace the op_get_by_id opcode with the new op_get_by_id_proto_load
        opcode, which tells the LLInt to use the cached prototype object for the
        load rather than the base value.

        Prior to this patch there was no LLInt-specific data on CodeBlocks.
        Since the CodeBlock needs to own the Watchpoints for the cache, a weak
        map from each base structure to a bag of Watchpoints created for that
        structure by some op_get_by_id has been added to the CodeBlock. During
        GC, if we find that a structure in the map has not been marked we
        free the associated bag on the CodeBlock.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintGetByIdWatchpointMap):
        (JSC::clearLLIntGetByIdCache):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.h:
        * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
        (test):

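The prototype-load cache described in the entry above and the unset cache from the 2016-05-27 get_by_id_unset entry earlier in this log share one mechanism: a per-site counter, and once it reaches zero, an opcode rewrite whose fast path only compares the base's structure ID. The following added C++ model (not JSC's code; `Object`, `Site`, `Op`, `Trace`, the counter threshold of 3, and `isConcatSpreadable` as a plain int slot are all assumptions of this example) shows both rewrites and the slow-path fallback when the structure does not match. It deliberately leaves out the watchpoints that must invalidate the cache when the prototype chain changes; without them a cache of this shape would keep returning stale results after a prototype mutation.

```cpp
#include <map>
#include <optional>
#include <string>

// Assumed model of a JS object for this example: a structure ID standing in
// for the Structure pointer, own properties as int slots, and a prototype link.
struct Object {
    unsigned structureID;
    std::map<std::string, int> own;
    const Object* prototype;
};

// The three opcodes a get_by_id site can be in, per the entries above.
enum class Op { GetById, GetByIdProtoLoad, GetByIdUnset };

// Per-site inline cache state. The threshold of 3 is an assumption.
struct Site {
    Op op = Op::GetById;
    int counter = 3;
    unsigned cachedStructureID = 0;
    const Object* cachedPrototype = nullptr;
    int slowPathHits = 0;
};

static std::optional<int> lookupOwn(const Object& object, const std::string& name)
{
    auto it = object.own.find(name);
    if (it == object.own.end())
        return std::nullopt;
    return it->second;
}

// std::nullopt stands for JS undefined.
std::optional<int> getById(Site& site, const Object& base, const std::string& name)
{
    // Fast paths of the rewritten opcodes: a single structure ID comparison.
    if (site.op == Op::GetByIdProtoLoad && base.structureID == site.cachedStructureID)
        return lookupOwn(*site.cachedPrototype, name);
    if (site.op == Op::GetByIdUnset && base.structureID == site.cachedStructureID)
        return std::nullopt;

    // Slow path: full prototype chain walk, counting down toward caching.
    site.slowPathHits++;
    if (auto value = lookupOwn(base, name))
        return value;
    for (const Object* proto = base.prototype; proto; proto = proto->prototype) {
        if (auto value = lookupOwn(*proto, name)) {
            if (site.counter > 0 && --site.counter == 0) {
                site.op = Op::GetByIdProtoLoad;  // get_by_id -> get_by_id_proto_load
                site.cachedStructureID = base.structureID;
                site.cachedPrototype = proto;
            }
            return value;
        }
    }
    if (site.counter > 0 && --site.counter == 0) {
        site.op = Op::GetByIdUnset;              // get_by_id -> get_by_id_unset
        site.cachedStructureID = base.structureID;
    }
    return std::nullopt;
}

struct Trace {
    int slowPathHits;
    Op finalOp;
    std::optional<int> lastValue;
};

// Constructed scenario modelled on Array.prototype.concat: the same base
// structure on every call, looking up a property that lives either on the
// prototype ("isConcatSpreadable") or nowhere at all ("missing").
Trace runScenario(const std::string& name, int calls)
{
    Object proto{1, {{"isConcatSpreadable", 7}}, nullptr};
    Object array{2, {}, &proto};
    Site site;
    std::optional<int> last;
    for (int i = 0; i < calls; ++i)
        last = getById(site, array, name);
    return {site.slowPathHits, site.op, last};
}

// A base with a different structure must miss the cache and take the slow
// path, so a cached "unset" answer is never applied to the wrong object.
bool mismatchedStructureMissesCache()
{
    Object proto{1, {}, nullptr};
    Object array{2, {}, &proto};
    Object other{3, {{"missing", 9}}, &proto};
    Site site;
    for (int i = 0; i < 3; ++i)
        getById(site, array, "missing");   // third call caches Unset for structure 2
    bool cached = site.op == Op::GetByIdUnset;
    bool fallsBack = getById(site, other, "missing") == 9;
    return cached && fallsBack && site.slowPathHits == 4;
}
```

After the third slow-path hit the site is rewritten and later calls with the same structure never walk the chain again, which is the win the entries describe; the `slowPathHits` counter makes that observable in the test rather than just asserted in a comment.
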
616 2016-05-24  Keith Miller  <keith_miller@apple.com>
617
618         We should be able to use the sampling profiler with DRT/WTR.
619         https://bugs.webkit.org/show_bug.cgi?id=158041
620
621         Reviewed by Saam Barati.
622
623         This patch makes the sampling profiler use a new option, samplingProfilerPath, which
624         specifies the path to a directory to output sampling profiler data when the program
625         terminates or the VM is destroyed. Additionally, it fixes some other issues with the
626         bytecode profiler that would cause crashes on debug builds.
627
628         * profiler/ProfilerDatabase.cpp:
629         (JSC::Profiler::Database::ensureBytecodesFor):
630         (JSC::Profiler::Database::performAtExitSave):
631         * runtime/Options.h:
632         * runtime/SamplingProfiler.cpp:
633         (JSC::SamplingProfiler::registerForReportAtExit):
634         (JSC::SamplingProfiler::reportDataToOptionFile):
635         (JSC::SamplingProfiler::reportTopFunctions):
636         (JSC::SamplingProfiler::reportTopBytecodes):
637         * runtime/SamplingProfiler.h:
638         * runtime/VM.cpp:
639         (JSC::VM::VM):
640         (JSC::VM::~VM):
641
642 2016-05-24  Saam barati  <sbarati@apple.com>
643
644         We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
645         https://bugs.webkit.org/show_bug.cgi?id=158036
646
647         Reviewed by Geoffrey Garen.
648
649         This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
650         implementing the cache as a HashMap, but it seemed either less profitable on some
651         benchmarks or just as profitable on others. Therefore, it's cleaner to just
652         use a 1 item cache.
653
654         * bytecode/CodeBlock.cpp:
655         (JSC::CodeBlock::CodeBlock):
656         (JSC::AbstractResolveKey::AbstractResolveKey):
657         (JSC::AbstractResolveKey::operator==):
658         (JSC::AbstractResolveKey::isEmptyValue):
659         (JSC::CodeBlock::finishCreation):
660         * runtime/GetPutInfo.h:
661         (JSC::needsVarInjectionChecks):
662         (JSC::ResolveOp::ResolveOp):
663
664 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
665
666         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
667
668         * tests/stress/override-map-constructor.js:
669         (Map):
670
671 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
672
673         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
674         https://bugs.webkit.org/show_bug.cgi?id=158031
675         rdar://problem/26353661
676
677         Reviewed by Geoffrey Garen.
678         
679         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
680         not a LazyClassStructure<> and there is nothing lazy about it.
681
682         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
683         * runtime/Lookup.cpp: Add some dumping on the assert path.
684         (JSC::setUpStaticFunctionSlot):
685         * tests/stress/override-map-constructor.js: Added. This test used to crash.
686         (Map):
687
688 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
689
690         LLInt64 should have typed array fast paths for get_by_val
691         https://bugs.webkit.org/show_bug.cgi?id=157931
692
693         Reviewed by Keith Miller.
694
695         I think that the LLInt should be able to access typed arrays more quickly than it does now.
696         Ideally we would have fast paths for every major typed array operation and we would use
697         inline cache optimizations. I don't want to do this all in one go, so my plan is to
698         incrementally add support for this as time allows.
699         
700         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
701         of LLInt.
702         
703         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
704         adding all typed array fast paths to both versions of the LLInt.
705         
706         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
707         JITs are enabled.
708
709         * llint/LLIntData.cpp:
710         (JSC::LLInt::Data::performAssertions):
711         * llint/LLIntOffsetsExtractor.cpp:
712         * llint/LowLevelInterpreter.asm:
713         * llint/LowLevelInterpreter64.asm:
714         * offlineasm/backends.rb:
715         * runtime/JSArrayBufferView.h:
716         * runtime/JSType.h:
717
718 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
719
720         ThisTDZMode is no longer needed
721         https://bugs.webkit.org/show_bug.cgi?id=157209
722
723         Reviewed by Saam Barati.
724
725         ThisTDZMode is no longer needed because we have ConstructorKind
726         and DerivedContextType. The value of ThisTDZMode is strictly less
727         expressive than the combination of those two values. We were
728         using those values anyways, and this patch just makes it official
729         by removing ThisTDZMode.
730
731         This patch also cleans up caching keys. We extract SourceCodeFlags
732         from SourceCodeKey and use it in EvalCodeCache. It correctly
733         contains needed cache attributes: EvalContextType, DerivedContextType,
734         etc. Here, we still use specialized keys for EvalCodeCache instead
735         of SourceCodeKey for performance; it does not include name String and
736         does not allocate SourceCode.
737
738         * bytecode/EvalCodeCache.h:
739         (JSC::EvalCodeCache::CacheKey::CacheKey):
740         (JSC::EvalCodeCache::CacheKey::operator==):
741         (JSC::EvalCodeCache::CacheKey::Hash::equal):
742         (JSC::EvalCodeCache::tryGet):
743         (JSC::EvalCodeCache::getSlow):
744         * bytecompiler/NodesCodegen.cpp:
745         (JSC::ThisNode::emitBytecode): Deleted.
746         * debugger/DebuggerCallFrame.cpp:
747         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
748         * interpreter/Interpreter.cpp:
749         (JSC::eval):
750         * parser/ASTBuilder.h:
751         (JSC::ASTBuilder::createThisExpr):
752         * parser/NodeConstructors.h:
753         (JSC::ThisNode::ThisNode):
754         * parser/Nodes.h:
755         * parser/Parser.cpp:
756         (JSC::Parser<LexerType>::Parser):
757         (JSC::Parser<LexerType>::parsePrimaryExpression):
758         * parser/Parser.h:
759         (JSC::parse):
760         * parser/ParserModes.h:
761         * parser/SourceCodeKey.h:
762         (JSC::SourceCodeFlags::SourceCodeFlags):
763         (JSC::SourceCodeFlags::operator==):
764         (JSC::SourceCodeKey::SourceCodeKey):
765         (JSC::SourceCodeKey::Hash::hash):
766         (JSC::SourceCodeKey::Hash::equal):
767         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
768         (JSC::SourceCodeKeyHash::hash): Deleted.
769         (JSC::SourceCodeKeyHash::equal): Deleted.
770         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
771         * parser/SyntaxChecker.h:
772         (JSC::SyntaxChecker::createThisExpr):
773         * runtime/CodeCache.cpp:
774         (JSC::CodeCache::getGlobalCodeBlock):
775         (JSC::CodeCache::getProgramCodeBlock):
776         (JSC::CodeCache::getEvalCodeBlock):
777         (JSC::CodeCache::getModuleProgramCodeBlock):
778         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
779         * runtime/CodeCache.h:
780         * runtime/Executable.cpp:
781         (JSC::EvalExecutable::create):
782         * runtime/Executable.h:
783         * runtime/JSGlobalObject.cpp:
784         (JSC::JSGlobalObject::createEvalCodeBlock):
785         * runtime/JSGlobalObject.h:
786         * runtime/JSGlobalObjectFunctions.cpp:
787         (JSC::globalFuncEval):
788         * tests/stress/code-cache-incorrect-caching.js: Added.
789         (shouldBe):
790         (hello):
791         (catch):
792         (shouldBe.test.hello):
793         (globalEval.ok):
794         (global.hello.hello):
795
796 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
797
798         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
799         https://bugs.webkit.org/show_bug.cgi?id=157080
800
801         Reviewed by Saam Barati.
802
803         In a custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
804         In this patch, we add a new parameter, "slotBase". This represents the base value offering
805         this custom getter, and we use it in ProxyObject's performGet custom accessor getter.
806
807         * API/JSCallbackObject.h:
808         * API/JSCallbackObjectFunctions.h:
809         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
810         (JSC::JSCallbackObject<Parent>::callbackGetter):
811         * bytecode/PolymorphicAccess.cpp:
812         (JSC::AccessCase::generateImpl):
813         In PolymorphicAccess case, the thisValue and the slotBase are always cells.
814         This is because IC is enabled in the case that the base value is a cell.
815         And slotBase is always on the prototype chain from this base value.
816
817         * jit/CCallHelpers.h:
818         (JSC::CCallHelpers::setupArgumentsWithExecState):
819         * jsc.cpp:
820         (WTF::CustomGetter::customGetter):
821         (WTF::RuntimeArray::lengthGetter):
822         * runtime/CustomGetterSetter.cpp:
823         (JSC::callCustomSetter):
824         * runtime/JSBoundSlotBaseFunction.cpp:
825         (JSC::boundSlotBaseFunctionCall):
826         * runtime/JSFunction.cpp:
827         (JSC::JSFunction::argumentsGetter):
828         (JSC::JSFunction::callerGetter):
829         * runtime/JSFunction.h:
830         * runtime/JSModuleNamespaceObject.cpp:
831         (JSC::callbackGetter):
832         * runtime/PropertySlot.cpp:
833         (JSC::PropertySlot::customGetter):
834         * runtime/PropertySlot.h:
835         * runtime/ProxyObject.cpp:
836         (JSC::performProxyGet):
837         * runtime/RegExpConstructor.cpp:
838         (JSC::regExpConstructorDollar):
839         (JSC::regExpConstructorInput):
840         (JSC::regExpConstructorMultiline):
841         (JSC::regExpConstructorLastMatch):
842         (JSC::regExpConstructorLastParen):
843         (JSC::regExpConstructorLeftContext):
844         (JSC::regExpConstructorRightContext):
845         (JSC::regExpConstructorDollar1): Deleted.
846         (JSC::regExpConstructorDollar2): Deleted.
847         (JSC::regExpConstructorDollar3): Deleted.
848         (JSC::regExpConstructorDollar4): Deleted.
849         (JSC::regExpConstructorDollar5): Deleted.
850         (JSC::regExpConstructorDollar6): Deleted.
851         (JSC::regExpConstructorDollar7): Deleted.
852         (JSC::regExpConstructorDollar8): Deleted.
853         (JSC::regExpConstructorDollar9): Deleted.
854         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
855         (shouldBe):
856
857 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
858
859         REGRESSION (196374): deleting a global property is expensive
860         https://bugs.webkit.org/show_bug.cgi?id=158005
861
862         Reviewed by Chris Dumez.
863
864         * runtime/JSObject.cpp:
865         (JSC::JSObject::deleteProperty): We only need to reify static properties
866         if the name being deleted matches a static property. Otherwise, we can
867         be sure that delete won't observe any static properties.
868
869 2016-05-23  Saam barati  <sbarati@apple.com>
870
871         The baseline JIT crashes when compiling "(1,1)/1"
872         https://bugs.webkit.org/show_bug.cgi?id=157933
873
874         Reviewed by Benjamin Poulain.
875
876         op_div in the baseline JIT needed to better handle when both the lhs
877         and rhs are constants. It needs to make sure to load either the lhs or
878         the rhs into a register since the div generator can't handle both
879         the lhs and rhs being constants.
880
881         * jit/JITArithmetic.cpp:
882         (JSC::JIT::emit_op_div):
883         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
884         (assert):
885         (test):
886
887 2016-05-23  Saam barati  <sbarati@apple.com>
888
889         String templates don't handle let initialization properly inside eval
890         https://bugs.webkit.org/show_bug.cgi?id=157991
891
892         Reviewed by Oliver Hunt.
893
894         The fix is to make sure we emit TDZ checks. 
895
896         * bytecompiler/NodesCodegen.cpp:
897         (JSC::TaggedTemplateNode::emitBytecode):
898         * tests/stress/tagged-template-tdz.js: Added.
899         (shouldThrowTDZ):
900         (test):
901
902 2016-05-22  Saam barati  <sbarati@apple.com>
903
904         Unreviewed. Fixed debug assertion failures from r201235.
905
906         * runtime/JSScope.cpp:
907         (JSC::abstractAccess):
908
909 2016-05-22  Brady Eidson  <beidson@apple.com>
910
911         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
912
913         Suggested by and reviewed by Anders Carlsson.
914
915         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
916
917 2016-05-22  Brady Eidson  <beidson@apple.com>
918
919         Move to C++14.
920         https://bugs.webkit.org/show_bug.cgi?id=157948
921
922         Reviewed by Michael Catanzaro.
923
924         * Configurations/Base.xcconfig:
925
926 2016-05-22  Saam barati  <sbarati@apple.com>
927
928         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
929         https://bugs.webkit.org/show_bug.cgi?id=157968
930         <rdar://problem/26404735>
931
932         Reviewed by Ryosuke Niwa and Filip Pizlo.
933
934         There was a bug in the DFG where we were checking a condition
935         on the wrong variable.
936
937         * dfg/DFGStrengthReductionPhase.cpp:
938         (JSC::DFG::StrengthReductionPhase::handleNode):
939
940 2016-05-22  Chris Dumez  <cdumez@apple.com>
941
942         Remove uses of PassRefPtr in JS bindings code
943         https://bugs.webkit.org/show_bug.cgi?id=157949
944
945         Reviewed by Andreas Kling.
946
947         Remove uses of PassRefPtr in JS bindings code.
948
949         * runtime/JSGlobalObject.cpp:
950         (JSC::JSGlobalObject::queueMicrotask):
951         * runtime/JSGlobalObject.h:
952
953 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
954
955         Remove LegacyProfiler
956         https://bugs.webkit.org/show_bug.cgi?id=153565
957
958         Reviewed by Mark Lam.
959
960         JavaScriptCore now provides a sampling profiler and it is enabled
961         by all ports. Web Inspector switched months ago to using the
962         sampling profiler and displaying its data. Remove the legacy
963         profiler, as it is no longer being used by anything other than
964         console.profile and tests. We will update console.profile's
965         behavior soon to have new behavior and use the sampling data.
966
967         * API/JSProfilerPrivate.cpp: Removed.
968         * API/JSProfilerPrivate.h: Removed.
969         * CMakeLists.txt:
970         * JavaScriptCore.xcodeproj/project.pbxproj:
971         * bytecode/BytecodeList.json:
972         * bytecode/BytecodeUseDef.h:
973         (JSC::computeUsesForBytecodeOffset): Deleted.
974         (JSC::computeDefsForBytecodeOffset): Deleted.
975         * bytecode/CodeBlock.cpp:
976         (JSC::CodeBlock::dumpBytecode): Deleted.
977         * bytecode/UnlinkedFunctionExecutable.cpp:
978         (JSC::generateUnlinkedFunctionCodeBlock):
979         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
980         * bytecode/UnlinkedFunctionExecutable.h:
981         * bytecompiler/BytecodeGenerator.cpp:
982         (JSC::BytecodeGenerator::BytecodeGenerator):
983         (JSC::BytecodeGenerator::emitCall):
984         (JSC::BytecodeGenerator::emitCallVarargs):
985         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
986         (JSC::BytecodeGenerator::emitConstructVarargs):
987         (JSC::BytecodeGenerator::emitConstruct):
988         * bytecompiler/BytecodeGenerator.h:
989         (JSC::CallArguments::profileHookRegister): Deleted.
990         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
991         * bytecompiler/NodesCodegen.cpp:
992         (JSC::CallFunctionCallDotNode::emitBytecode):
993         (JSC::ApplyFunctionCallDotNode::emitBytecode):
994         (JSC::CallArguments::CallArguments): Deleted.
995         * dfg/DFGAbstractInterpreterInlines.h:
996         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
997         * dfg/DFGByteCodeParser.cpp:
998         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
999         * dfg/DFGCapabilities.cpp:
1000         (JSC::DFG::capabilityLevel): Deleted.
1001         * dfg/DFGClobberize.h:
1002         (JSC::DFG::clobberize): Deleted.
1003         * dfg/DFGDoesGC.cpp:
1004         (JSC::DFG::doesGC): Deleted.
1005         * dfg/DFGFixupPhase.cpp:
1006         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1007         * dfg/DFGNodeType.h:
1008         * dfg/DFGPredictionPropagationPhase.cpp:
1009         * dfg/DFGSafeToExecute.h:
1010         (JSC::DFG::safeToExecute): Deleted.
1011         * dfg/DFGSpeculativeJIT32_64.cpp:
1012         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1013         * dfg/DFGSpeculativeJIT64.cpp:
1014         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1015         * inspector/InjectedScriptBase.cpp:
1016         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1017         * interpreter/Interpreter.cpp:
1018         (JSC::UnwindFunctor::operator()): Deleted.
1019         (JSC::Interpreter::execute): Deleted.
1020         (JSC::Interpreter::executeCall): Deleted.
1021         (JSC::Interpreter::executeConstruct): Deleted.
1022         * jit/JIT.cpp:
1023         (JSC::JIT::privateCompileMainPass): Deleted.
1024         * jit/JIT.h:
1025         * jit/JITOpcodes.cpp:
1026         (JSC::JIT::emit_op_profile_will_call): Deleted.
1027         (JSC::JIT::emit_op_profile_did_call): Deleted.
1028         * jit/JITOpcodes32_64.cpp:
1029         (JSC::JIT::emit_op_profile_will_call): Deleted.
1030         (JSC::JIT::emit_op_profile_did_call): Deleted.
1031         * jit/JITOperations.cpp:
1032         * jit/JITOperations.h:
1033         * llint/LLIntSlowPaths.cpp:
1034         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
1035         * llint/LLIntSlowPaths.h:
1036         * llint/LowLevelInterpreter.asm:
1037         * parser/ParserModes.h:
1038         * profiler/CallIdentifier.h: Removed.
1039         * profiler/LegacyProfiler.cpp: Removed.
1040         * profiler/LegacyProfiler.h: Removed.
1041         * profiler/Profile.cpp: Removed.
1042         * profiler/Profile.h: Removed.
1043         * profiler/ProfileGenerator.cpp: Removed.
1044         * profiler/ProfileGenerator.h: Removed.
1045         * profiler/ProfileNode.cpp: Removed.
1046         * profiler/ProfileNode.h: Removed.
1047         * profiler/ProfilerJettisonReason.cpp:
1048         (WTF::printInternal): Deleted.
1049         * profiler/ProfilerJettisonReason.h:
1050         * runtime/CodeCache.cpp:
1051         (JSC::CodeCache::getGlobalCodeBlock):
1052         (JSC::CodeCache::getProgramCodeBlock):
1053         (JSC::CodeCache::getEvalCodeBlock):
1054         (JSC::CodeCache::getModuleProgramCodeBlock):
1055         * runtime/CodeCache.h:
1056         * runtime/Executable.cpp:
1057         (JSC::ScriptExecutable::newCodeBlockFor):
1058         * runtime/JSGlobalObject.cpp:
1059         (JSC::JSGlobalObject::createProgramCodeBlock):
1060         (JSC::JSGlobalObject::createEvalCodeBlock):
1061         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1062         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
1063         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
1064         * runtime/JSGlobalObject.h:
1065         * runtime/Options.h:
1066         * runtime/VM.cpp:
1067         (JSC::VM::VM): Deleted.
1068         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
1069         (JSC::VM::setEnabledProfiler): Deleted.
1070         * runtime/VM.h:
1071         (JSC::VM::enabledProfiler): Deleted.
1072         (JSC::VM::enabledProfilerAddress): Deleted.
1073
1074 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
1075
1076         Remove LegacyProfiler
1077         https://bugs.webkit.org/show_bug.cgi?id=153565
1078
1079         Reviewed by Saam Barati.
1080
1081         * inspector/protocol/Timeline.json:
1082         * jsc.cpp:
1083         * runtime/JSGlobalObject.cpp:
1084         (JSC::JSGlobalObject::hasLegacyProfiler):
1085         * runtime/JSGlobalObject.h:
1086         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
1087
1088 2016-05-20  Saam barati  <sbarati@apple.com>
1089
1090         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
1091         https://bugs.webkit.org/show_bug.cgi?id=157956
1092
1093         Reviewed by Geoffrey Garen.
1094
1095         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
1096         malloc memory for it, then free the malloced memory once the entry goes out of
1097         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
1098         accesses during bytecode linking. It copies out the SymbolTableEntry every time
1099         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
1100         FatEntry. We should really just be using a reference to the entry because
1101         there is no need to copy it in such a scenario.
1102
1103         * runtime/JSScope.cpp:
1104         (JSC::abstractAccess):
1105
1106 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
1107
1108         Web Inspector: retained size for typed arrays does not count native backing store
1109         https://bugs.webkit.org/show_bug.cgi?id=157945
1110         <rdar://problem/26392238>
1111
1112         Reviewed by Geoffrey Garen.
1113
1114         * runtime/JSArrayBuffer.h:
1115         * runtime/JSArrayBuffer.cpp:
1116         (JSC::JSArrayBuffer::estimatedSize):
1117         Include an estimatedSize implementation for JSArrayBuffer.
1118         ArrayBuffer has a unique path, different from other data
1119         stored in the Heap.
1120
1121         * tests/heapProfiler/typed-array-sizes.js: Added.
1122         Test sizes of TypedArray with and without an ArrayBuffer.
1123         When the TypedArray is a view wrapping an ArrayBuffer, the
1124         ArrayBuffer has the size.
1125
1126 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
1127
1128         reifyAllStaticProperties makes two copies of every string
1129         https://bugs.webkit.org/show_bug.cgi?id=157953
1130
1131         Reviewed by Mark Lam.
1132
1133         Let's not do that.
1134
1135         * runtime/JSObject.cpp:
1136         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
1137         reifyStaticProperty so it doesn't have to make its own.
1138
1139         * runtime/Lookup.h:
1140         (JSC::reifyStaticProperty): No need to null check because callers never
1141         pass null anymore. No need to make an identifier because callers pass
1142         us one.
1143
1144         (JSC::reifyStaticProperties): Honor new interface.
1145
1146 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
1147
1148         JSBench regression: CodeBlock linking always copies the symbol table
1149         https://bugs.webkit.org/show_bug.cgi?id=157951
1150
1151         Reviewed by Saam Barati.
1152
1153         We always put a SymbolTable into the constant pool, even in simple
1154         functions in which it won't be used -- i.e., there's no eval and there
1155         are no captured variables and so on.
1156
1157         This is costly because linking must copy any provided symbol tables.
1158
1159         * bytecompiler/BytecodeGenerator.cpp:
1160         (JSC::BytecodeGenerator::BytecodeGenerator):
1161         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
1162         as a constant if we will use it at runtime.
1163
1164 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
1165
1166         [JSC] Improve int->float conversion in FTL
1167         https://bugs.webkit.org/show_bug.cgi?id=157936
1168
1169         Reviewed by Filip Pizlo.
1170
1171         The integer -> floating point lowering was very bare-bones.
1172
1173         For example, converting a constant integer to double
1174         was doing:
1175             mov #const, %eax
1176             xor %xmm0, %xmm0
1177             cvtsi2sd %eax, %xmm0
1178
1179         Conversion from integer to float was also missing.
1180         We were always converting to double then rounding the double
1181         to float.
1182
1183         This patch adds the basics:
1184         - Constant folding.
1185         - Integer to Float opcode.
1186         - Reducing int->double to int->float when used by DoubleToFloat.
1187
1188         * assembler/MacroAssemblerX86Common.h:
1189         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
1190         * assembler/MacroAssemblerX86_64.h:
1191         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
1192         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
1193         * assembler/X86Assembler.h:
1194         (JSC::X86Assembler::cvtsi2ss_rr):
1195         (JSC::X86Assembler::cvtsi2ssq_rr):
1196         (JSC::X86Assembler::cvtsi2sdq_mr):
1197         (JSC::X86Assembler::cvtsi2ssq_mr):
1198         (JSC::X86Assembler::cvtsi2ss_mr):
1199         * assembler/MacroAssemblerARM64.h:
1200         * b3/B3Const32Value.cpp:
1201         (JSC::B3::Const32Value::iToDConstant):
1202         (JSC::B3::Const32Value::iToFConstant):
1203         * b3/B3Const32Value.h:
1204         * b3/B3Const64Value.cpp:
1205         (JSC::B3::Const64Value::iToDConstant):
1206         (JSC::B3::Const64Value::iToFConstant):
1207         * b3/B3Const64Value.h:
1208         * b3/B3LowerToAir.cpp:
1209         (JSC::B3::Air::LowerToAir::lower):
1210         * b3/B3Opcode.cpp:
1211         (WTF::printInternal):
1212         * b3/B3Opcode.h:
1213         * b3/B3ReduceDoubleToFloat.cpp:
1214         * b3/B3ReduceStrength.cpp:
1215         * b3/B3Validate.cpp:
1216         * b3/B3Value.cpp:
1217         (JSC::B3::Value::iToDConstant):
1218         (JSC::B3::Value::iToFConstant):
1219         (JSC::B3::Value::isRounded):
1220         (JSC::B3::Value::effects):
1221         (JSC::B3::Value::key):
1222         (JSC::B3::Value::typeFor):
1223         * b3/B3Value.h:
1224         * b3/B3ValueKey.cpp:
1225         (JSC::B3::ValueKey::materialize):
1226         * b3/air/AirFixPartialRegisterStalls.cpp:
1227         * b3/air/AirOpcode.opcodes:
1228         * b3/testb3.cpp:
1229         (JSC::B3::int64Operands):
1230         (JSC::B3::testIToD64Arg):
1231         (JSC::B3::testIToF64Arg):
1232         (JSC::B3::testIToD32Arg):
1233         (JSC::B3::testIToF32Arg):
1234         (JSC::B3::testIToD64Mem):
1235         (JSC::B3::testIToF64Mem):
1236         (JSC::B3::testIToD32Mem):
1237         (JSC::B3::testIToF32Mem):
1238         (JSC::B3::testIToD64Imm):
1239         (JSC::B3::testIToF64Imm):
1240         (JSC::B3::testIToD32Imm):
1241         (JSC::B3::testIToF32Imm):
1242         (JSC::B3::testIToDReducedToIToF64Arg):
1243         (JSC::B3::testIToDReducedToIToF32Arg):
1244         (JSC::B3::run):
1245
1246 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
1247
1248         [JSC] FTL can crash on stack overflow
1249         https://bugs.webkit.org/show_bug.cgi?id=157881
1250         rdar://problem/24665964
1251
1252         Reviewed by Michael Saboff.
1253
1254         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
1255         was never called). We forgot to change that when implementing B3.
1256
1257         Even when it is set, we still have a problem on OSR Exit.
1258         If the last frame is an FTL frame and it OSR Exits, the space required for
1259         that frame becomes significantly larger. What happens is we crash in the OSR Exit
1260         instead of the FTL frame (this is what happens in rdar://problem/24665964).
1261
1262         This patch changes the stack boundary checks in FTL to be the same as DFG:
1263         we verify that we have enough space for the current optimized function but
1264         also for the baseline version (including inlining) in case of exit.
1265
1266         * ftl/FTLLowerDFGToB3.cpp:
1267         (JSC::FTL::DFG::LowerDFGToB3::lower):
1268         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
1269         * runtime/VM.cpp:
1270         (JSC::VM::VM): Deleted.
1271         (JSC::VM::updateStackLimit): Deleted.
1272         (JSC::VM::updateFTLLargestStackSize): Deleted.
1273         * runtime/VM.h:
1274         (JSC::VM::addressOfFTLStackLimit): Deleted.
1275
1276 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
1277
1278         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
1279         https://bugs.webkit.org/show_bug.cgi?id=144527
1280
1281         Reviewed by Saam Barati.
1282         
1283         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
1284         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
1285         the execution of one implies that the other one must also execute. It means that the two
1286         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
1287         A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
1288         this has caused problems in the past. If we hoist something that may exit from a block that
1289         was not control equivalent to the pre-header then it's possible that the node's speculation
1290         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
1291         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
1292         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
1293         HoistingFailed exit kind.
1294         
1295         Note that this deliberately still allows us to hoist things that may exit even if they are
1296         not control equivalent to the pre-header. This is necessary because the profitability of
1297         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
1298         shot.
1299         
1300         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
1301         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
1302         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
1303         problems on that program even though LICM previously did the wrong thing).
1304
1305         * JavaScriptCore.xcodeproj/project.pbxproj:
1306         * bytecode/ExitKind.cpp:
1307         (JSC::exitKindToString):
1308         * bytecode/ExitKind.h:
1309         * dfg/DFGAtTailAbstractState.h:
1310         (JSC::DFG::AtTailAbstractState::operator bool):
1311         (JSC::DFG::AtTailAbstractState::initializeTo):
1312         * dfg/DFGBackwardsCFG.h: Added.
1313         (JSC::DFG::BackwardsCFG::BackwardsCFG):
1314         * dfg/DFGBackwardsDominators.h: Added.
1315         (JSC::DFG::BackwardsDominators::BackwardsDominators):
1316         * dfg/DFGCommon.h:
1317         (JSC::DFG::checkAndSet): Deleted.
1318         * dfg/DFGControlEquivalenceAnalysis.h: Added.
1319         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1320         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
1321         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
1322         * dfg/DFGGraph.cpp:
1323         (JSC::DFG::Graph::dump):
1324         (JSC::DFG::Graph::dumpBlockHeader):
1325         (JSC::DFG::Graph::invalidateCFG):
1326         (JSC::DFG::Graph::substituteGetLocal):
1327         (JSC::DFG::Graph::handleAssertionFailure):
1328         (JSC::DFG::Graph::ensureDominators):
1329         (JSC::DFG::Graph::ensurePrePostNumbering):
1330         (JSC::DFG::Graph::ensureNaturalLoops):
1331         (JSC::DFG::Graph::ensureBackwardsCFG):
1332         (JSC::DFG::Graph::ensureBackwardsDominators):
1333         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1334         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1335         * dfg/DFGGraph.h:
1336         (JSC::DFG::Graph::hasDebuggerEnabled):
1337         * dfg/DFGInPlaceAbstractState.h:
1338         (JSC::DFG::InPlaceAbstractState::operator bool):
1339         (JSC::DFG::InPlaceAbstractState::createValueForNode):
1340         (JSC::DFG::InPlaceAbstractState::forNode):
1341         * dfg/DFGLICMPhase.cpp:
1342         (JSC::DFG::LICMPhase::run):
1343         (JSC::DFG::LICMPhase::attemptHoist):
1344         * dfg/DFGMayExit.cpp:
1345         (JSC::DFG::mayExit):
1346         * dfg/DFGMayExit.h:
1347         * dfg/DFGNode.h:
1348         * dfg/DFGNodeOrigin.cpp:
1349         (JSC::DFG::NodeOrigin::dump):
1350         * dfg/DFGNodeOrigin.h:
1351         (JSC::DFG::NodeOrigin::takeValidExit):
1352         (JSC::DFG::NodeOrigin::withWasHoisted):
1353         (JSC::DFG::NodeOrigin::forInsertingAfter):
1354         * dfg/DFGNullAbstractState.h: Added.
1355         (JSC::DFG::NullAbstractState::NullAbstractState):
1356         (JSC::DFG::NullAbstractState::operator bool):
1357         (JSC::DFG::NullAbstractState::forNode):
1358         * dfg/DFGOSRExit.cpp:
1359         (JSC::DFG::OSRExit::OSRExit):
1360         * dfg/DFGOSRExitBase.cpp:
1361         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1362         * dfg/DFGOSRExitBase.h:
1363         (JSC::DFG::OSRExitBase::OSRExitBase):
1364         * dfg/DFGTypeCheckHoistingPhase.cpp:
1365         (JSC::DFG::TypeCheckHoistingPhase::run):
1366         * ftl/FTLOSRExit.cpp:
1367         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1368         (JSC::FTL::OSRExit::OSRExit):
1369         * ftl/FTLOSRExit.h:
1370
1371 2016-05-19  Mark Lam  <mark.lam@apple.com>
1372
1373         Code that null checks the VM pointer before any use should ref the VM.
1374         https://bugs.webkit.org/show_bug.cgi?id=157864
1375
1376         Reviewed by Filip Pizlo and Keith Miller.
1377
1378         JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
1379         through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
1380         after their null checks.
1381
1382         * bytecode/CodeBlock.h:
1383         (JSC::CodeBlock::vm):
1384         (JSC::CodeBlock::setVM): Deleted.
1385         - Not used, and suggests that it can be changed during the lifetime of the
1386           CodeBlock (which should not be).
1387
1388         * heap/HeapTimer.cpp:
1389         (JSC::HeapTimer::timerDidFire):
1390         * runtime/JSLock.cpp:
1391         (JSC::JSLock::willReleaseLock):
1392         - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
1393           the raw VM pointer.  This makes the null check a strong guarantee that the
1394           VM pointer is valid while these functions are using it.
1395
1396 2016-05-19  Saam barati  <sbarati@apple.com>
1397
1398         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
1399         https://bugs.webkit.org/show_bug.cgi?id=157908
1400
1401         Reviewed by Filip Pizlo.
1402
1403         We can safely combine these two environments when we have
1404         a simple parameter list (no default parameters, no destructuring parameters).
1405
1406         * bytecompiler/BytecodeGenerator.cpp:
1407         (JSC::BytecodeGenerator::BytecodeGenerator):
1408         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1409         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1410         * bytecompiler/BytecodeGenerator.h:
1411
1412 2016-05-19  Michael Saboff  <msaboff@apple.com>
1413
1414         Unreviewed build fix.
1415
1416         Skipping this new test as it times out on the bots.
1417
1418         Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903
1419
1420         * tests/stress/regress-157595.js:
1421         (MyRegExp):
1422
1423 2016-05-19  Guillaume Emont  <guijemont@igalia.com>
1424
1425         JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
1426         https://bugs.webkit.org/show_bug.cgi?id=157741
1427
1428         Reviewed by Saam Barati.
1429
1430         The PutByValWithThis case needs a special case for MIPS because we
1431         don't have enough registers. The special case needs to be different
1432         from the x86 one because we have a different ABI.
1433
1434         * dfg/DFGSpeculativeJIT32_64.cpp:
1435         (JSC::DFG::SpeculativeJIT::compile):
1436
1437 2016-05-19  Brian Burg  <bburg@apple.com>
1438
1439         Web Inspector: use a consistent prefix for injected scripts
1440         https://bugs.webkit.org/show_bug.cgi?id=157715
1441         <rdar://problem/26287188>
1442
1443         Reviewed by Timothy Hatcher.
1444
1445         * CMakeLists.txt:
1446         * DerivedSources.make:
1447         * inspector/InjectedScriptSource.js:
1448
1449 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
1450
1451         [ARM] Remove redefined macro after r200606
1452         https://bugs.webkit.org/show_bug.cgi?id=157890
1453
1454         Reviewed by Michael Saboff.
1455
1456         * bytecode/PolymorphicAccess.cpp:
1457         * jit/CCallHelpers.h:
1458
1459 2016-05-18  Saam barati  <sbarati@apple.com>
1460
1461         Function with default parameter values that are arrow functions that capture this isn't working
1462         https://bugs.webkit.org/show_bug.cgi?id=157786
1463         <rdar://problem/26327329>
1464
1465         Reviewed by Geoffrey Garen.
1466
1467         To make the scopes ordered properly, I needed to initialize the arrow 
1468         function lexical environment before initializing default parameter values.
1469         I also made the code easier to reason about by never reusing the function's
1470         var lexical environment for the arrow function lexical environment. The
1471         reason for this is that that code was wrong, and we just didn't have code
1472         that properly tested it. It was easy for that code to be wrong because
1473         sometimes the function's lexical environment isn't the top-most scope
1474         (namely, when a function's parameter list is non-simple) and sometimes
1475         it is (when the function's parameter list is simple).
1476
1477         Also, because a function's default parameter values may capture the
1478         'arguments' variable inside an arrow function, I needed to take care
1479         to initialize the 'arguments' variable as part of whichever scope
1480         is the top-most scope. It's either the function's var environment
1481         if the parameter list is simple, or it's the function's parameter
1482         environment if the parameter list is non-simple.
1483
1484         * bytecompiler/BytecodeGenerator.cpp:
1485         (JSC::BytecodeGenerator::BytecodeGenerator):
1486         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1487         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1488         (JSC::BytecodeGenerator::initializeParameters):
1489         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
1490         (JSC::BytecodeGenerator::visibleNameForParameter):
1491         * bytecompiler/BytecodeGenerator.h:
1492         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
1493         (assert):
1494         (test):
1495         (test.foo):
1496         * tests/stress/op-push-name-scope-crashes-profiler.js:
1497         (test):
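
The scoping the two arrow-function entries above describe (bug 157786 and bug 157908), as an added example that is not JSC's own test code; the receiver object and argument values are constructed:

```javascript
// Added example (not JSC's own test): the scoping the entry describes.
// With a non-simple parameter list, default-value arrow functions close over
// a parameter environment that is separate from the body's var environment,
// and they must see the enclosing function's 'this' and 'arguments'.
function nonSimple(x, getThis = () => this, getArgs = () => arguments, getX = () => x) {
  // With a non-simple list the body gets its own var environment; this
  // 'var x' is a second binding, initialised from the parameter and then reassigned.
  var x = "body";
  return {
    thisIsReceiver: getThis() === this, // arrow captured the function's 'this'
    argCount: getArgs().length,         // arrow captured the function's 'arguments'
    paramX: getX(),                     // closure sees the parameter binding...
    bodyX: x,                           // ...while the body sees the var binding
  };
}

// With a simple parameter list the two environments can be one and the same
// (no default or destructuring parameters exist to observe a difference).
function simple(x) {
  var x = "body";
  const f = () => x;
  return f();                           // "body": a single binding for x
}

function probe() {
  const receiver = { tag: "constructed receiver" };
  return Object.assign(nonSimple.call(receiver, "param"), { simpleX: simple("param") });
}
```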
1498
1499 2016-05-18  Michael Saboff  <msaboff@apple.com>
1500
1501         r199812 broke test262
1502         https://bugs.webkit.org/show_bug.cgi?id=157595
1503
1504         Reviewed by Filip Pizlo.
1505
1506         Added a reasonable limit to the size of the match result array to catch possible
1507         infinite loops when matching.
1508         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
1509         by creating a subclass of RegExp where the base RegExp's global flag is false and
1510         the subclass overrides .global with a getter that always returns true.
1511
1512         * builtins/RegExpPrototype.js:
1513         (match):
1514         * tests/stress/regress-157595.js: Added.
1515         (MyRegExp):
1516         (MyRegExp.prototype.get global):
1517         (test):
1518         (catch):
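
A spec-shaped RegExp.prototype[Symbol.match] loop with the kind of result-count guard the fix describes, as an added example that is not JSC's builtin; the limit value, the function names and the `LyingRegExp` subclass are constructed for illustration:

```javascript
// Added example, not JSC's builtin: the global-match loop from the spec with
// a bound on the result array. The default limit is a constructed value.
const DEFAULT_MAX_MATCHES = 10000;

function advanceStringIndex(s, index, unicode) {
  // Step past one code point (unicode mode) or one code unit.
  if (!unicode || index + 1 >= s.length) return index + 1;
  const first = s.charCodeAt(index);
  if (first < 0xD800 || first > 0xDBFF) return index + 1;
  const second = s.charCodeAt(index + 1);
  if (second < 0xDC00 || second > 0xDFFF) return index + 1;
  return index + 2;
}

function matchWithLimit(rx, s, maxMatches = DEFAULT_MAX_MATCHES) {
  s = String(s);
  // The spec reads the (overridable) 'global' property, not the internal flag.
  if (!rx.global) return rx.exec(s);

  const fullUnicode = Boolean(rx.unicode);
  rx.lastIndex = 0;
  const results = [];
  for (;;) {
    const result = rx.exec(s);
    if (result === null) return results.length === 0 ? null : results;
    const matchStr = String(result[0]);
    results.push(matchStr);
    if (matchStr === "") {
      rx.lastIndex = advanceStringIndex(s, rx.lastIndex, fullUnicode);
    }
    // Guard: if 'global' reports true but the underlying regex is not global,
    // exec never advances its start position and the loop would never end.
    if (results.length > maxMatches) {
      throw new RangeError("match result exceeded " + maxMatches + " entries");
    }
  }
}

// Constructed reproduction of the described test: a non-global base regex
// whose subclass overrides .global with a getter that always returns true.
class LyingRegExp extends RegExp {
  get global() { return true; }
}

function demo() {
  const ok = matchWithLimit(/a/g, "banana");      // ["a", "a", "a"]
  let guarded = false;
  try {
    matchWithLimit(new LyingRegExp("a"), "banana", 100);
  } catch (e) {
    guarded = e instanceof RangeError;           // loop was cut off, not hung
  }
  return { ok, guarded };
}
```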
1519
1520 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1521
1522         [ES6] Namespace object re-export should be handled as local export
1523         https://bugs.webkit.org/show_bug.cgi?id=157806
1524
1525         Reviewed by Mark Lam.
1526
1527         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
1528         This Type::Namespace is used for re-exported namespace object binding. For example,
1529
1530             import * as namespace from "namespace.js"
1531             export { namespace }
1532
1533         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
1534         and use normal local export (Type::Local) instead because the namespace object actually has
1535         the local binding in the above module environment. And this handling strictly meets the
1536         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
1537
1538         And we also clean up the ExportEntry implementation; dropping unnecessary information.
1539         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
1540
1541         * parser/ModuleAnalyzer.cpp:
1542         (JSC::ModuleAnalyzer::exportVariable):
1543         * runtime/JSModuleRecord.cpp:
1544         (JSC::getExportedNames):
1545         (JSC::JSModuleRecord::dump): Deleted.
1546         * runtime/JSModuleRecord.h:
1547         * tests/modules/namespace-re-export.js: Added.
1548         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
1549         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
1550         * tests/modules/resources/assert.js:
1551         (export.shouldNotBe):
1552
1553 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
1554
1555         JSC should detect the right default locale even when it's not embedded in WebCore
1556         https://bugs.webkit.org/show_bug.cgi?id=157755
1557         rdar://problem/24665424
1558
1559         Reviewed by Keith Miller.
1560         
1561         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
1562         not register a defaultLanguage callback. The result is that when JSC runs standalone it
1563         will detect the platform user preferred language almost the same way as when it's embedded
1564         in WebCore. The only difference is that WebCore may have its own additional overrides via
1565         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
1566         back to.
1567         
1568         We first found this bug because on iOS, the intl tests would fail because ICU would report
1569         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
1570         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
1571         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
1572         printing dates Polish-style. Now it will print them Polish-style if your system preferences
1573         say so. Also, the tests don't fail on iOS anymore.
1574         
1575         * runtime/IntlObject.cpp:
1576         (JSC::defaultLocale):
1577
1578 2016-05-17  Dean Jackson  <dino@apple.com>
1579
1580         Remove ES6_GENERATORS flag
1581         https://bugs.webkit.org/show_bug.cgi?id=157815
1582         <rdar://problem/26332894>
1583
1584         Reviewed by Geoffrey Garen.
1585
1586         This flag isn't needed. Generators are enabled everywhere and
1587         part of a stable specification.
1588
1589         * Configurations/FeatureDefines.xcconfig:
1590         * parser/Parser.cpp:
1591         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
1592         (JSC::Parser<LexerType>::parseClass): Deleted.
1593         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
1594         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
1595         (JSC::Parser<LexerType>::parseProperty): Deleted.
1596         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
1597
1598 2016-05-17  Keith Miller  <keith_miller@apple.com>
1599
1600         Rollout r200426 since it causes PLT regressions.
1601         https://bugs.webkit.org/show_bug.cgi?id=157812
1602
1603         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
1604
1605 2016-05-17  Keith Miller  <keith_miller@apple.com>
1606
1607         Add test262 harness support code
1608         https://bugs.webkit.org/show_bug.cgi?id=157797
1609
1610         Reviewed by Filip Pizlo.
1611
1612         This patch adds some new tooling needed to run Test262 with the jsc
1613         CLI. There were three options that needed to be added for Test262:
1614
1615         1) "--test262-async" This option overrides the print function in the test runner to look for
1616         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
1617         and that string is not passed then the test is marked as failing.
1618
1619         2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
1620         passed file before passing the source code to the VM. This option can, in theory, be passed
1621         multiple times.
1622
1623         3) "--exception=<name>" This option asserts that at the end of the last script file passed
1624         the VM has an uncaught exception with its name property equal to the passed name.
1625
1626         * jsc.cpp:
1627         (Script::Script):
1628         (fillBufferWithContentsOfFile):
1629         (functionPrint):
1630         (checkUncaughtException):
1631         (runWithScripts):
1632         (printUsageStatement):
1633         (CommandLine::parseArguments):
1634         (runJSC):
1635
1636 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
1637
1638         WTF should know about Language
1639         https://bugs.webkit.org/show_bug.cgi?id=157756
1640
1641         Reviewed by Geoffrey Garen.
1642
1643         Teach our scripts that an ObjC class beginning with WTF is totally cool.
1644
1645         * JavaScriptCore.xcodeproj/project.pbxproj:
1646
1647 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
1648
1649         console namespace breaks putting properties on console.__proto__
1650         https://bugs.webkit.org/show_bug.cgi?id=157782
1651         <rdar://problem/26250526>
1652
1653         Reviewed by Geoffrey Garen.
1654
1655         Some websites currently depend on console.__proto__ existing and being
1656         a separate object from Object.prototype. This patch adds back a basic
1657         console.__proto__ object, but all the console functions are left on
1658         the ConsoleObject itself.
1659
1660         * runtime/JSGlobalObject.cpp:
1661         (JSC::createConsoleProperty):
1662
1663 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1664
1665         Unreviewed, dump more information when math-pow-stable-results.js failed
1666         https://bugs.webkit.org/show_bug.cgi?id=157168
1667
1668         * tests/stress/math-pow-stable-results.js:
1669
1670 2016-05-16  Saam barati  <sbarati@apple.com>
1671
1672         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
1673         https://bugs.webkit.org/show_bug.cgi?id=157770
1674
1675         Reviewed by Filip Pizlo.
1676
1677         ShadowChicken was reading the scope from a half formed
1678         frame as it threw a stack overflow exception. The frame had
1679         a valid CodeBlock pointer, but it did not have a valid scope.
1680         The code in ShadowChicken's throw packet logging mechanism didn't
1681         account for this. The fix is to respect whether genericUnwind wants
1682         to unwind from the current frame or the caller's frame. For stack
1683         overflow errors, we always unwind the caller's frame.
1684
1685         * jit/JITExceptions.cpp:
1686         (JSC::genericUnwind):
1687
1688 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1689
1690         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
1691         https://bugs.webkit.org/show_bug.cgi?id=157168
1692
1693         Reviewed by Benjamin Poulain.
1694
1695         The fast path in operationMathPow produces different results between x87 and the other environments.
1696         This is because x87 calculates the double value in 80bit precision.
1697         The situation is the following: in the x86 32-bit environment, floating point operations are compiled to
1698         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
1699         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
1700         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
1701         problem since x87 has 80bit precision while SSE2 has 64bit precision.
1702
1703         In this patch, in the x86 32-bit environment, we use `volatile double` if `-mfpmath=sse` and `-msse2` (or later)
1704         are not specified. This will round the x87 value into 64 bits after each multiplication. Note that this problem does not
1705         occur in the OS X clang 32-bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32-bit.
1706
1707         * b3/B3MathExtras.cpp:
1708         (JSC::B3::powDoubleInt32):
1709         * runtime/MathCommon.cpp:
1710         (JSC::operationMathPow):
1711
1712 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1713
1714         [JSC] "return this" in a constructor does not need a branch on isObject(this)
1715         https://bugs.webkit.org/show_bug.cgi?id=157775
1716
1717         Reviewed by Saam Barati and Ryosuke Niwa.
1718
1719         When returning "this" in a constructor, the bytecode generator was generating:
1720             is_object         locX, this
1721             jtrue             locX, 5(->second ret)
1722             ret               this
1723             ret               this
1724
1725         That code is eliminated in DFG but it is pretty costly in lower tiers.
1726
1727         This patch changes bytecode generation to avoid the is_object test
1728         when possible and not generate two ret if they encode the same thing.
1729
1730         * bytecompiler/BytecodeGenerator.cpp:
1731         (JSC::BytecodeGenerator::emitReturn):
1732
1733 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1734
1735         [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
1736         https://bugs.webkit.org/show_bug.cgi?id=157766
1737
1738         Reviewed by Geoffrey Garen.
1739
1740         If the index is an integer constant, do not generate the index check.
1741
1742         * jit/JITPropertyAccess.cpp:
1743         (JSC::JIT::emit_op_get_by_val):
1744         (JSC::JIT::emitSlow_op_get_by_val):
1745         (JSC::JIT::emit_op_put_by_val):
1746         (JSC::JIT::emitSlow_op_put_by_val):
1747
1748 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1749
1750         [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
1751         https://bugs.webkit.org/show_bug.cgi?id=157700
1752
1753         Reviewed by Michael Saboff.
1754
1755         In general, fillSpeculateInt32() originates from SpeculateInt32
1756         and the user does not care about the tag.
1757
1758         This is particularly obvious on Sunspider's math-spectral-norm.js.
1759         In that test, registers are frequently spilled because of x86's DIV.
1760
1761         When they are re-filled, they were always tagged.
1762         Since the loops are small, all the tagging adds up.
1763
1764         * dfg/DFGSpeculativeJIT64.cpp:
1765         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1766
1767 2016-05-16  Saam barati  <sbarati@apple.com>
1768
1769         Unreviewed Cloop build fix.
1770
1771         * bytecode/CodeBlock.cpp:
1772         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1773
1774 2016-05-16  Saam barati  <sbarati@apple.com>
1775
1776         Hook up ShadowChicken to the debugger to show tail deleted frames
1777         https://bugs.webkit.org/show_bug.cgi?id=156685
1778         <rdar://problem/25770521>
1779
1780         Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.
1781
1782         The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
1783         allow the Web Inspector to display the ShadowChicken's shadow stack.
1784         This means the Web Inspector can now display tail deleted frames.
1785         To make this work, I made the necessary changes to ShadowChicken and
1786         DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
1787         when representing both machine frames and tail deleted frames.
1788
1789         - ShadowChicken prologue packets now log the current scope. Tail packets
1790           log the current scope, the 'this' value, the CodeBlock, and the
1791           CallSiteIndex. This allows the inspector to not only show the
1792           tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
1793           with which scope it executed, and with which 'this' value. This
1794           patch also allows DebuggerCallFrame to execute console statements
1795           in a tail deleted frame.
1796
1797         - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
1798           now only keeps a maximum number of tail deleted frames in its shadow stack.
1799           It will happily represent all machine frames without limit. Right now, the
1800           maximum number of tail deleted frames I chose to keep alive is 128.
1801           We will keep frames alive starting from the top of the stack. This
1802           allows us to have a strong defense against runaway memory usage. We will only
1803           keep around at most 128 "shadow" frames that wouldn't have naturally been kept
1804           alive by the executing program. We can play around with this number
1805           if we find that 128 is either too many or too few frames.
1806
1807         - DebuggerCallFrame is no longer a cheap class to create. When it is created,
1808           we will eagerly create the entire virtual debugger stack. So I modified the
1809           existing code to lazily create DebuggerCallFrames only when necessary. We
1810           used to eagerly create them at each op_debug statement even though we would
1811           just throw them away if we didn't hit a breakpoint.
1812
1813         - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
1814           into the stack. This pointer won't always refer to the logical frame
1815           that the DebuggerCallFrame represents because a DebuggerCallFrame can
1816           now represent a tail deleted frame. To do this, DebuggerCallFrame now
1817           has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
1818           to know when it represents a tail deleted frame and gives DebuggerCallFrame
1819           a mechanism to ask the tail deleted frame for interesting information
1820           (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
1821           machine frame pointer will be the machine caller of the tail deleted frame
1822           (or the machine caller of the first of a series of consecutive tail calls).
1823
1824         - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
1825           with debugging opcodes. I did this because ShadowChicken may read a JSScope
1826           from the machine stack. This is only safe if the machine CodeBlock was
1827           compiled with debugging opcodes. This is safer than asking if the
1828           CodeBlock's global object has an interactive debugger enabled because
1829           it's theoretically possible for the debugger to be enabled while code
1830           compiled without a debugger is still live on the stack. This field is
1831           also now used to indicate to the DFGGraph that the interactive debugger
1832           is enabled.
1833
1834         - Finally, this patch adds a new field to the Inspector's CallFrame protocol
1835           object called 'isTailDeleted' to allow the Inspector to know when a
1836           CallFrame represents a tail deleted frame.
1837
1838         * JavaScriptCore.xcodeproj/project.pbxproj:
1839         * bytecode/BytecodeList.json:
1840         * bytecode/BytecodeUseDef.h:
1841         (JSC::computeUsesForBytecodeOffset):
1842         * bytecode/CodeBlock.cpp:
1843         (JSC::CodeBlock::dumpBytecode):
1844         (JSC::CodeBlock::findPC):
1845         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1846         * bytecode/CodeBlock.h:
1847         (JSC::CodeBlock::clearDebuggerRequests):
1848         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
1849         * bytecode/UnlinkedCodeBlock.cpp:
1850         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1851         * bytecode/UnlinkedCodeBlock.h:
1852         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
1853         (JSC::UnlinkedCodeBlock::finishCreation):
1854         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1855         * bytecode/UnlinkedFunctionExecutable.cpp:
1856         (JSC::generateUnlinkedFunctionCodeBlock):
1857         * bytecompiler/BytecodeGenerator.cpp:
1858         (JSC::BytecodeGenerator::generate):
1859         (JSC::BytecodeGenerator::BytecodeGenerator):
1860         (JSC::BytecodeGenerator::emitEnter):
1861         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1862         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1863         (JSC::BytecodeGenerator::emitCallDefineProperty):
1864         * debugger/Debugger.cpp:
1865         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1866         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1867         (JSC::Debugger::didReachBreakpoint):
1868         (JSC::Debugger::currentDebuggerCallFrame):
1869         * debugger/Debugger.h:
1870         * debugger/DebuggerCallFrame.cpp:
1871         (JSC::LineAndColumnFunctor::operator()):
1872         (JSC::DebuggerCallFrame::create):
1873         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1874         (JSC::DebuggerCallFrame::callerFrame):
1875         (JSC::DebuggerCallFrame::globalExec):
1876         (JSC::DebuggerCallFrame::vmEntryGlobalObject):
1877         (JSC::DebuggerCallFrame::sourceID):
1878         (JSC::DebuggerCallFrame::functionName):
1879         (JSC::DebuggerCallFrame::scope):
1880         (JSC::DebuggerCallFrame::type):
1881         (JSC::DebuggerCallFrame::thisValue):
1882         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1883         (JSC::DebuggerCallFrame::invalidate):
1884         (JSC::DebuggerCallFrame::currentPosition):
1885         (JSC::DebuggerCallFrame::positionForCallFrame):
1886         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1887         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
1888         (JSC::FindCallerMidStackFunctor::operator()): Deleted.
1889         (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
1890         (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
1891         * debugger/DebuggerCallFrame.h:
1892         (JSC::DebuggerCallFrame::isValid):
1893         (JSC::DebuggerCallFrame::isTailDeleted):
1894         (JSC::DebuggerCallFrame::create): Deleted.
1895         (JSC::DebuggerCallFrame::exec): Deleted.
1896         * dfg/DFGByteCodeParser.cpp:
1897         (JSC::DFG::ByteCodeParser::parseBlock):
1898         * dfg/DFGFixupPhase.cpp:
1899         (JSC::DFG::FixupPhase::fixupNode):
1900         * dfg/DFGGraph.cpp:
1901         (JSC::DFG::Graph::Graph):
1902         (JSC::DFG::Graph::~Graph):
1903         * dfg/DFGJITCompiler.h:
1904         (JSC::DFG::JITCompiler::addCallSite):
1905         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
1906         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
1907         * dfg/DFGSpeculativeJIT32_64.cpp:
1908         (JSC::DFG::SpeculativeJIT::compile):
1909         * dfg/DFGSpeculativeJIT64.cpp:
1910         (JSC::DFG::SpeculativeJIT::compile):
1911         * ftl/FTLAbstractHeapRepository.h:
1912         * ftl/FTLLowerDFGToB3.cpp:
1913         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1914         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1915         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1916         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1917         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
1918         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
1919         * inspector/InjectedScriptSource.js:
1920         (InjectedScript.CallFrameProxy):
1921         * inspector/JSJavaScriptCallFrame.cpp:
1922         (Inspector::JSJavaScriptCallFrame::thisObject):
1923         (Inspector::JSJavaScriptCallFrame::isTailDeleted):
1924         (Inspector::JSJavaScriptCallFrame::type):
1925         * inspector/JSJavaScriptCallFrame.h:
1926         * inspector/JSJavaScriptCallFramePrototype.cpp:
1927         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
1928         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
1929         (Inspector::jsJavaScriptCallFrameAttributeType):
1930         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
1931         * inspector/JavaScriptCallFrame.h:
1932         (Inspector::JavaScriptCallFrame::type):
1933         (Inspector::JavaScriptCallFrame::scopeChain):
1934         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
1935         (Inspector::JavaScriptCallFrame::isTailDeleted):
1936         (Inspector::JavaScriptCallFrame::thisValue):
1937         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
1938         * inspector/ScriptDebugServer.cpp:
1939         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
1940         * inspector/protocol/Debugger.json:
1941         * interpreter/ShadowChicken.cpp:
1942         (JSC::ShadowChicken::update):
1943         (JSC::ShadowChicken::visitChildren):
1944         (JSC::ShadowChicken::reset):
1945         * interpreter/ShadowChicken.h:
1946         (JSC::ShadowChicken::Packet::throwMarker):
1947         (JSC::ShadowChicken::Packet::prologue):
1948         (JSC::ShadowChicken::Packet::tail):
1949         (JSC::ShadowChicken::Frame::Frame):
1950         (JSC::ShadowChicken::Frame::operator==):
1951         * jit/CCallHelpers.cpp:
1952         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1953         (JSC::CCallHelpers::logShadowChickenTailPacket):
1954         (JSC::CCallHelpers::ensureShadowChickenPacket):
1955         (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
1956         * jit/CCallHelpers.h:
1957         * jit/JITOpcodes.cpp:
1958         (JSC::JIT::emit_op_profile_type):
1959         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1960         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1961         (JSC::JIT::emit_op_get_enumerable_length):
1962         (JSC::JIT::emit_op_resume):
1963         * jit/JITOpcodes32_64.cpp:
1964         (JSC::JIT::emit_op_profile_type):
1965         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1966         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1967         * jit/RegisterSet.cpp:
1968         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
1969         (JSC::RegisterSet::argumentGPRS):
1970         (JSC::RegisterSet::registersToNotSaveForJSCall):
1971         * jit/RegisterSet.h:
1972         * llint/LLIntData.cpp:
1973         (JSC::LLInt::Data::performAssertions):
1974         * llint/LLIntSlowPaths.cpp:
1975         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1976         * llint/LowLevelInterpreter.asm:
1977         * llint/LowLevelInterpreter32_64.asm:
1978         * llint/LowLevelInterpreter64.asm:
1979         * runtime/CodeCache.cpp:
1980         (JSC::CodeCache::getGlobalCodeBlock):
1981         * runtime/Options.h:
1982         * tests/stress/shadow-chicken-enabled.js:
1983         (test5a.foo):
1984         (test5a):
1985         (test5b.foo):
1986         (test5b):
1987         (test6.foo):
1988         (test6):
1989
1990 2016-05-16  Saam barati  <sbarati@apple.com>
1991
1992         TypeSet/StructureShape have a flawed sense of JS prototype chains
1993         https://bugs.webkit.org/show_bug.cgi?id=157760
1994
1995         Reviewed by Joseph Pecoraro.
1996
1997         There was an assumption that we would bottom out in "Object". This is
1998         not true for many reasons. JS objects may not end in Object.prototype.
1999         Also, our mechanism of grabbing an Object's class name may also not
2000         bottom out in "Object". We were seeing this in the JS objects we use
2001         in the InjectedScriptSource.js inspector script.
2002
2003         * runtime/TypeSet.cpp:
2004         (JSC::StructureShape::leastCommonAncestor):
2005         * tests/typeProfiler/weird-prototype-chain.js: Added.
2006         (wrapper.foo):
2007         (wrapper.let.o2):
2008         (wrapper):
2009
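The entry above describes a type-profiler assumption that every prototype chain bottoms out in "Object". The following is an added example, not JavaScriptCore code and not the TypeSet/StructureShape implementation: it walks prototype chains in plain JavaScript and computes a least common ancestor the way a type profiler might, without that assumption. Chains built on Object.create(null), or whose root is an unnamed object, end when getPrototypeOf() returns null, and two objects whose chains never meet get no common ancestor. The class names Base, Foo, Bar and the helper names are constructed for the illustration.

```javascript
// Added example, not JavaScriptCore code: walking JS prototype chains the way a
// type profiler must, without assuming every chain bottoms out in Object.prototype.
// Chains built with Object.create(null), or with a custom object as the root,
// simply end when getPrototypeOf() returns null.

// Class name for one link of a chain. Uses the link's own "constructor"
// property when it has one; otherwise falls back to the tag reported by
// Object.prototype.toString, which works even for null-prototype objects.
// Note that this can report "Object" for a link that is NOT Object.prototype.
function classNameOf(link) {
  const desc = Object.getOwnPropertyDescriptor(link, "constructor");
  const ctor = desc && desc.value;
  if (typeof ctor === "function" && ctor.name) return ctor.name;
  return Object.prototype.toString.call(link).slice(8, -1);
}

// All prototype links of `obj`, nearest first, as objects.
function prototypeLinks(obj) {
  const links = [];
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    links.push(p);
  }
  return links;
}

// Names along the chain, nearest first. The result may be empty, or may end in
// a name other than "Object".
function prototypeChain(obj) {
  return prototypeLinks(obj).map(classNameOf);
}

// Least common ancestor of several objects' chains, compared by identity of the
// prototype objects rather than by name (two unrelated roots can both be named
// "Object"). Returns the ancestor's class name, or null when the chains never meet.
function leastCommonAncestor(objects) {
  if (objects.length === 0) return null;
  const [first, ...rest] = objects;
  const chainSets = rest.map((o) => new Set(prototypeLinks(o)));
  for (const candidate of prototypeLinks(first)) {
    if (chainSets.every((s) => s.has(candidate))) return classNameOf(candidate);
  }
  return null;
}

// Constructed sample shapes, including one whose chain never reaches
// Object.prototype even though its root is still named "Object".
class Base {}
class Foo extends Base {}
class Bar extends Base {}
const nullRooted = Object.create(Object.create(null));
```

Comparing links by identity is the important choice: `prototypeChain(nullRooted)` reports `["Object"]` just like a plain object literal would, but `leastCommonAncestor([nullRooted, {}])` is null because the two roots are different objects.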
2010 2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>
2011
2012         Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
2013
2014         * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
2015         (JSStartProfiling):
2016         (JSEndProfiling):
2017         * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
2018         * CMakeLists.txt:
2019         * JavaScriptCore.xcodeproj/project.pbxproj:
2020         * bytecode/BytecodeList.json:
2021         * bytecode/BytecodeUseDef.h:
2022         (JSC::computeUsesForBytecodeOffset):
2023         (JSC::computeDefsForBytecodeOffset):
2024         * bytecode/CodeBlock.cpp:
2025         (JSC::CodeBlock::dumpBytecode):
2026         * bytecode/UnlinkedFunctionExecutable.cpp:
2027         (JSC::generateUnlinkedFunctionCodeBlock):
2028         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2029         * bytecode/UnlinkedFunctionExecutable.h:
2030         * bytecompiler/BytecodeGenerator.cpp:
2031         (JSC::BytecodeGenerator::BytecodeGenerator):
2032         (JSC::BytecodeGenerator::emitCall):
2033         (JSC::BytecodeGenerator::emitCallVarargs):
2034         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2035         (JSC::BytecodeGenerator::emitConstructVarargs):
2036         (JSC::BytecodeGenerator::emitConstruct):
2037         * bytecompiler/BytecodeGenerator.h:
2038         (JSC::CallArguments::profileHookRegister):
2039         (JSC::BytecodeGenerator::shouldEmitProfileHooks):
2040         * bytecompiler/NodesCodegen.cpp:
2041         (JSC::CallArguments::CallArguments):
2042         (JSC::CallFunctionCallDotNode::emitBytecode):
2043         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2044         * dfg/DFGAbstractInterpreterInlines.h:
2045         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2046         * dfg/DFGByteCodeParser.cpp:
2047         (JSC::DFG::ByteCodeParser::parseBlock):
2048         * dfg/DFGCapabilities.cpp:
2049         (JSC::DFG::capabilityLevel):
2050         * dfg/DFGClobberize.h:
2051         (JSC::DFG::clobberize):
2052         * dfg/DFGDoesGC.cpp:
2053         (JSC::DFG::doesGC):
2054         * dfg/DFGFixupPhase.cpp:
2055         (JSC::DFG::FixupPhase::fixupNode):
2056         * dfg/DFGNodeType.h:
2057         * dfg/DFGPredictionPropagationPhase.cpp:
2058         * dfg/DFGSafeToExecute.h:
2059         (JSC::DFG::safeToExecute):
2060         * dfg/DFGSpeculativeJIT32_64.cpp:
2061         (JSC::DFG::SpeculativeJIT::compile):
2062         * dfg/DFGSpeculativeJIT64.cpp:
2063         (JSC::DFG::SpeculativeJIT::compile):
2064         * inspector/InjectedScriptBase.cpp:
2065         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2066         * inspector/protocol/Timeline.json:
2067         * interpreter/Interpreter.cpp:
2068         (JSC::UnwindFunctor::operator()):
2069         (JSC::Interpreter::execute):
2070         (JSC::Interpreter::executeCall):
2071         (JSC::Interpreter::executeConstruct):
2072         * jit/JIT.cpp:
2073         (JSC::JIT::privateCompileMainPass):
2074         * jit/JIT.h:
2075         * jit/JITOpcodes.cpp:
2076         (JSC::JIT::emit_op_profile_will_call):
2077         (JSC::JIT::emit_op_profile_did_call):
2078         * jit/JITOpcodes32_64.cpp:
2079         (JSC::JIT::emit_op_profile_will_call):
2080         (JSC::JIT::emit_op_profile_did_call):
2081         * jit/JITOperations.cpp:
2082         * jit/JITOperations.h:
2083         * jsc.cpp:
2084         * llint/LLIntSlowPaths.cpp:
2085         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2086         * llint/LLIntSlowPaths.h:
2087         * llint/LowLevelInterpreter.asm:
2088         * parser/ParserModes.h:
2089         * profiler/CallIdentifier.h: Added.
2090         (JSC::CallIdentifier::CallIdentifier):
2091         (JSC::CallIdentifier::functionName):
2092         (JSC::CallIdentifier::url):
2093         (JSC::CallIdentifier::lineNumber):
2094         (JSC::CallIdentifier::columnNumber):
2095         (JSC::CallIdentifier::operator==):
2096         (JSC::CallIdentifier::operator!=):
2097         (JSC::CallIdentifier::Hash::hash):
2098         (JSC::CallIdentifier::Hash::equal):
2099         (JSC::CallIdentifier::hash):
2100         (JSC::CallIdentifier::operator const char*):
2101         (JSC::CallIdentifier::c_str):
2102         (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
2103         (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
2104         * profiler/LegacyProfiler.cpp: Added.
2105         (JSC::LegacyProfiler::profiler):
2106         (JSC::LegacyProfiler::startProfiling):
2107         (JSC::LegacyProfiler::stopProfiling):
2108         (JSC::callFunctionForProfilesWithGroup):
2109         (JSC::LegacyProfiler::suspendProfiling):
2110         (JSC::LegacyProfiler::unsuspendProfiling):
2111         (JSC::LegacyProfiler::willExecute):
2112         (JSC::LegacyProfiler::didExecute):
2113         (JSC::LegacyProfiler::exceptionUnwind):
2114         (JSC::LegacyProfiler::createCallIdentifier):
2115         (JSC::createCallIdentifierFromFunctionImp):
2116         * profiler/LegacyProfiler.h: Added.
2117         (JSC::LegacyProfiler::currentProfiles):
2118         * profiler/Profile.cpp: Added.
2119         (JSC::Profile::create):
2120         (JSC::Profile::Profile):
2121         (JSC::Profile::~Profile):
2122         (JSC::Profile::debugPrint):
2123         (JSC::functionNameCountPairComparator):
2124         (JSC::Profile::debugPrintSampleStyle):
2125         * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
2126         * profiler/ProfileGenerator.cpp: Added.
2127         (JSC::ProfileGenerator::create):
2128         (JSC::ProfileGenerator::ProfileGenerator):
2129         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
2130         (JSC::AddParentForConsoleStartFunctor::foundParent):
2131         (JSC::AddParentForConsoleStartFunctor::operator()):
2132         (JSC::ProfileGenerator::addParentForConsoleStart):
2133         (JSC::ProfileGenerator::title):
2134         (JSC::ProfileGenerator::beginCallEntry):
2135         (JSC::ProfileGenerator::endCallEntry):
2136         (JSC::ProfileGenerator::willExecute):
2137         (JSC::ProfileGenerator::didExecute):
2138         (JSC::ProfileGenerator::exceptionUnwind):
2139         (JSC::ProfileGenerator::stopProfiling):
2140         (JSC::ProfileGenerator::removeProfileStart):
2141         (JSC::ProfileGenerator::removeProfileEnd):
2142         * profiler/ProfileGenerator.h: Added.
2143         (JSC::ProfileGenerator::profile):
2144         (JSC::ProfileGenerator::origin):
2145         (JSC::ProfileGenerator::profileGroup):
2146         (JSC::ProfileGenerator::setIsSuspended):
2147         * profiler/ProfileNode.cpp: Added.
2148         (JSC::ProfileNode::ProfileNode):
2149         (JSC::ProfileNode::addChild):
2150         (JSC::ProfileNode::removeChild):
2151         (JSC::ProfileNode::spliceNode):
2152         (JSC::ProfileNode::traverseNextNodePostOrder):
2153         (JSC::ProfileNode::debugPrint):
2154         (JSC::ProfileNode::debugPrintSampleStyle):
2155         (JSC::ProfileNode::debugPrintRecursively):
2156         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
2157         * profiler/ProfileNode.h: Added.
2158         (JSC::ProfileNode::create):
2159         (JSC::ProfileNode::Call::Call):
2160         (JSC::ProfileNode::Call::startTime):
2161         (JSC::ProfileNode::Call::setStartTime):
2162         (JSC::ProfileNode::Call::elapsedTime):
2163         (JSC::ProfileNode::Call::setElapsedTime):
2164         (JSC::ProfileNode::operator==):
2165         (JSC::ProfileNode::callerCallFrame):
2166         (JSC::ProfileNode::callIdentifier):
2167         (JSC::ProfileNode::id):
2168         (JSC::ProfileNode::functionName):
2169         (JSC::ProfileNode::url):
2170         (JSC::ProfileNode::lineNumber):
2171         (JSC::ProfileNode::columnNumber):
2172         (JSC::ProfileNode::parent):
2173         (JSC::ProfileNode::setParent):
2174         (JSC::ProfileNode::calls):
2175         (JSC::ProfileNode::lastCall):
2176         (JSC::ProfileNode::appendCall):
2177         (JSC::ProfileNode::children):
2178         (JSC::ProfileNode::firstChild):
2179         (JSC::ProfileNode::lastChild):
2180         (JSC::ProfileNode::nextSibling):
2181         (JSC::ProfileNode::setNextSibling):
2182         (JSC::ProfileNode::forEachNodePostorder):
2183         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
2184         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
2185         * profiler/ProfilerJettisonReason.cpp:
2186         (WTF::printInternal):
2187         * profiler/ProfilerJettisonReason.h:
2188         * runtime/CodeCache.cpp:
2189         (JSC::CodeCache::getGlobalCodeBlock):
2190         (JSC::CodeCache::getProgramCodeBlock):
2191         (JSC::CodeCache::getEvalCodeBlock):
2192         (JSC::CodeCache::getModuleProgramCodeBlock):
2193         * runtime/CodeCache.h:
2194         * runtime/Executable.cpp:
2195         (JSC::ScriptExecutable::newCodeBlockFor):
2196         * runtime/JSGlobalObject.cpp:
2197         (JSC::JSGlobalObject::~JSGlobalObject):
2198         (JSC::JSGlobalObject::hasLegacyProfiler):
2199         (JSC::JSGlobalObject::createProgramCodeBlock):
2200         (JSC::JSGlobalObject::createEvalCodeBlock):
2201         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2202         * runtime/JSGlobalObject.h:
2203         (JSC::JSGlobalObject::supportsLegacyProfiling):
2204         * runtime/Options.h:
2205         * runtime/VM.cpp:
2206         (JSC::VM::VM):
2207         (JSC::SetEnabledProfilerFunctor::operator()):
2208         (JSC::VM::setEnabledProfiler):
2209         * runtime/VM.h:
2210         (JSC::VM::enabledProfiler):
2211         (JSC::VM::enabledProfilerAddress):
2212
2213 2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>
2214
2215         Unreviewed, fixed typo in a comment.
2216
2217         * assembler/MacroAssembler.h: Replaced "onvenience" with
2218         "convenience".
2219
2220 2016-05-16  Filip Pizlo  <fpizlo@apple.com>
2221
2222         FixupPhase should be more eager to demote bit math to untyped
2223         https://bugs.webkit.org/show_bug.cgi?id=157746
2224
2225         Reviewed by Mark Lam.
2226         
2227         This just makes the logic for how we fixup bit math match the way we do it in other places.
2228         This doesn't affect performance on any major benchmark but it's a big win on new
2229         microbenchmarks added in this change.
2230         
2231         Details:
2232
2233         object-and                                     11.1610+-0.7602     ^      4.8105+-0.1690        ^ definitely 2.3201x faster
2234         object-or                                      11.0845+-0.2487     ^      4.7146+-0.0374        ^ definitely 2.3511x faster
2235         object-xor                                     10.2946+-0.9946     ^      4.7278+-0.0814        ^ definitely 2.1775x faster
2236         object-lshift                                  10.4896+-1.0867     ^      4.7699+-0.0721        ^ definitely 2.1991x faster
2237         object-rshift                                  11.1239+-0.5010     ^      4.7194+-0.0445        ^ definitely 2.3570x faster
2238         object-urshift                                 10.9745+-0.1315     ^      4.7848+-0.0479        ^ definitely 2.2936x faster
2239
2240         * dfg/DFGFixupPhase.cpp:
2241         (JSC::DFG::FixupPhase::fixupNode):
2242
2243 2016-05-15  Michael Saboff  <msaboff@apple.com>
2244
2245         RegExp /y flag incorrect handling of mixed-length alternation
2246         https://bugs.webkit.org/show_bug.cgi?id=157723
2247
2248         Reviewed by Filip Pizlo.
2249
2250         Previously for sticky patterns, we were bailing out and exiting when backtracking
2251         alternatives with dissimilar match lengths.  Deleted that code.  Instead, for
2252         sticky patterns we need to process the backtracking except for advancing to the
2253         next input index.
2254
2255         * yarr/YarrJIT.cpp:
2256         (JSC::Yarr::YarrGenerator::backtrack):
2257
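The entry above concerns sticky (/y) patterns whose alternatives have different lengths. As an added illustration of the semantics being fixed, not JavaScriptCore or Yarr code, here is a small tokenizer built on such a pattern, plus a helper that contrasts sticky and global failure behaviour. The pattern, the input strings and the function names are constructed for the example; it shows what a conforming engine must do: when the longer alternative fails at lastIndex, backtrack into the shorter alternative at the same position, and never advance to the next input index the way a non-sticky search would.

```javascript
// Added example, not JavaScriptCore code: a sticky regular expression whose
// alternatives have mixed lengths. Sticky matching may only succeed at exactly
// lastIndex, so the engine must try "===", then "==", then "=" at that one
// position and report failure if none fits there.

const TOKEN = /(?:===|==|=|\d+|\s+)/y;

// Splits `input` into tokens using TOKEN anchored at lastIndex each time.
function tokenize(input) {
  const tokens = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < input.length) {
    const start = TOKEN.lastIndex;
    const m = TOKEN.exec(input);
    if (m === null) {
      // A sticky exec never skips ahead: failure means no alternative matched
      // at `start` (the engine has also reset lastIndex to 0 at this point).
      throw new SyntaxError(`unexpected input at offset ${start}`);
    }
    tokens.push(m[0]);
  }
  return tokens;
}

// Runs `re` starting at `index` and reports where it matched, if anywhere.
// With a /g pattern the search may skip over unmatched characters; with a /y
// pattern it either matches at `index` or fails.
function matchAt(re, input, index) {
  re.lastIndex = index;
  const m = re.exec(input);
  return m === null ? null : { text: m[0], index: m.index, lastIndex: re.lastIndex };
}

// Returns the offset reported by a failing tokenize(), or -1 if it succeeded.
function failureOffset(input) {
  try {
    tokenize(input);
    return -1;
  } catch (e) {
    return Number(String(e.message).split("offset ")[1]);
  }
}
```

`tokenize("1==2 === 3")` yields `["1", "==", "2", " ", "===", " ", "3"]`: at offset 1 the three-character alternative fails and the engine backtracks to the two-character one at the same offset. `matchAt(/(?:===|==|=)/y, "a=", 0)` is null while the /g form of the same pattern finds the "=" at index 1.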
2258 2016-05-15  Filip Pizlo  <fpizlo@apple.com>
2259
2260         DFG::Plan shouldn't read from its VM once it's been cancelled
2261         https://bugs.webkit.org/show_bug.cgi?id=157726
2262
2263         Reviewed by Saam Barati.
2264         
2265         Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
2266         cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
2267         the plan.
2268         
2269         Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
2270         would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
2271         regression to spot because usually a cancelled plan will still refer to a valid VM.
2272         
2273         This change fixes the regression and makes it a lot easier to spot the regression in the
2274         future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
2275         mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
2276         cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
2277         use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
2278         
2279         Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
2280         plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
2281         safepoint's VM to determine whether this is one of our safepoints *after* the plan is
2282         already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
2283         when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
2284         vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
2285         loop and a cancel path for Safepoints in the loop after it).
2286
2287         * dfg/DFGJITFinalizer.cpp:
2288         (JSC::DFG::JITFinalizer::finalizeCommon):
2289         * dfg/DFGPlan.cpp:
2290         (JSC::DFG::Plan::Plan):
2291         (JSC::DFG::Plan::computeCompileTimes):
2292         (JSC::DFG::Plan::reportCompileTimes):
2293         (JSC::DFG::Plan::compileInThreadImpl):
2294         (JSC::DFG::Plan::reallyAdd):
2295         (JSC::DFG::Plan::notifyCompiling):
2296         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2297         (JSC::DFG::Plan::cancel):
2298         * dfg/DFGPlan.h:
2299         (JSC::DFG::Plan::canTierUpAndOSREnter):
2300         * dfg/DFGSafepoint.cpp:
2301         (JSC::DFG::Safepoint::cancel):
2302         (JSC::DFG::Safepoint::vm):
2303         * dfg/DFGSafepoint.h:
2304         * dfg/DFGWorklist.cpp:
2305         (JSC::DFG::Worklist::isActiveForVM):
2306         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2307         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2308         (JSC::DFG::Worklist::rememberCodeBlocks):
2309         (JSC::DFG::Worklist::visitWeakReferences):
2310         (JSC::DFG::Worklist::removeDeadPlans):
2311         (JSC::DFG::Worklist::runThread):
2312         * ftl/FTLJITFinalizer.cpp:
2313         (JSC::FTL::JITFinalizer::finalizeFunction):
2314
2315 2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2316
2317         Modernize Intl constructors; using InternalFunction::createSubclassStructure
2318         https://bugs.webkit.org/show_bug.cgi?id=157082
2319
2320         Reviewed by Darin Adler.
2321
2322         Previously, Intl constructors retrieved "prototype" to inherit the "new.target".
2323         At that time, this mis-assumed that getDirect() always returns a meaningful JS value.
2324         Actually, it returns an empty value if a property does not exist.
2325
2326         Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
2327         in Intl constructors. It is the modern and preferable way since it can cache the derived
2328         structures in InternalFunction.
2329
2330         This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
2331         That code is largely duplicated. This is now extracted into
2332         constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This cleanup does not
2333         have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
2334         and LayoutTests/js/intl-numberformat.
2335
2336         * JavaScriptCore.xcodeproj/project.pbxproj:
2337         * runtime/IntlCollator.cpp:
2338         (JSC::IntlCollator::create):
2339         * runtime/IntlCollator.h:
2340         * runtime/IntlCollatorConstructor.cpp:
2341         (JSC::constructIntlCollator):
2342         (JSC::callIntlCollator):
2343         * runtime/IntlDateTimeFormat.cpp:
2344         (JSC::IntlDateTimeFormat::create):
2345         * runtime/IntlDateTimeFormat.h:
2346         * runtime/IntlDateTimeFormatConstructor.cpp:
2347         (JSC::constructIntlDateTimeFormat):
2348         (JSC::callIntlDateTimeFormat):
2349         * runtime/IntlDateTimeFormatPrototype.cpp:
2350         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2351         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2352         * runtime/IntlNumberFormat.cpp:
2353         (JSC::IntlNumberFormat::create):
2354         * runtime/IntlNumberFormat.h:
2355         * runtime/IntlNumberFormatConstructor.cpp:
2356         (JSC::constructIntlNumberFormat):
2357         (JSC::callIntlNumberFormat):
2358         * runtime/IntlNumberFormatPrototype.cpp:
2359         (JSC::IntlNumberFormatPrototypeGetterFormat):
2360         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2361         * runtime/IntlObjectInlines.h: Added.
2362         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2363         * tests/stress/intl-constructors-with-proxy.js: Added.
2364         (shouldBe):
2365         (throw.new.Error.Empty):
2366         (throw.new.Error):
2367         (shouldBe.Empty):
2368
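The entry above turns on how a built-in constructor picks the prototype for its instance from new.target, and on the lookup of "prototype" yielding no value at all (the added test is named intl-constructors-with-proxy.js). As an added illustration, not JavaScriptCore code and not the createSubclassStructure implementation, the following writes that rule out in JavaScript following ECMAScript's GetPrototypeFromConstructor: read newTarget.prototype and, if the result is not an object, fall back to the built-in's own prototype rather than treating the empty lookup as a usable value. It uses a constructed stand-in constructor named Widget rather than an Intl constructor, and a Proxy new.target whose "prototype" lookup returns undefined.

```javascript
// Added example, not JavaScriptCore code: prototype selection from new.target,
// with the fallback that applies when "prototype" is missing or not an object.

// Mirrors ECMAScript GetPrototypeFromConstructor: the value read from
// newTarget.prototype is only usable if it is an object; anything else
// (undefined from a missing property or a Proxy trap, a number, null) means
// "use the built-in's intrinsic prototype".
function selectPrototype(newTarget, fallbackPrototype) {
  const proto = newTarget.prototype;
  const isObject = (typeof proto === "object" && proto !== null) || typeof proto === "function";
  return isObject ? proto : fallbackPrototype;
}

// Stand-in for a built-in constructor such as Intl.Collator (constructed for
// this example). It builds its instance on the prototype chosen from new.target,
// so subclasses and Reflect.construct callers get the structure they asked for.
function Widget(label) {
  const target = new.target === undefined ? Widget : new.target;
  const self = Object.create(selectPrototype(target, Widget.prototype));
  self.label = label;
  return self;
}
Widget.prototype.describe = function () {
  return `widget:${this.label}`;
};

// Ordinary subclass: new.target.prototype is Fancy.prototype, which is used as-is.
class Fancy extends Widget {}

// A constructor whose "prototype" lookup yields nothing, as a Proxy can arrange.
// Constructing through it must fall back to Widget.prototype, not crash or
// produce an object with a bogus prototype.
const blankTarget = new Proxy(function () {}, {
  get(target, key, receiver) {
    return key === "prototype" ? undefined : Reflect.get(target, key, receiver);
  },
});

// Convenience wrappers so each case can be checked by return value.
function viaSubclass(label) {
  return new Fancy(label);
}
function viaBlankTarget(label) {
  return Reflect.construct(Widget, [label], blankTarget);
}
```

`Object.getPrototypeOf(viaSubclass("a")) === Fancy.prototype`, while `Object.getPrototypeOf(viaBlankTarget("b")) === Widget.prototype` because the Proxy reported no "prototype" and the fallback applied; both still respond to `describe()`.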
2369 2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>
2370
2371         Remove LegacyProfiler
2372         https://bugs.webkit.org/show_bug.cgi?id=153565
2373
2374         Reviewed by Mark Lam.
2375
2376         JavaScriptCore now provides a sampling profiler and it is enabled
2377         by all ports. Web Inspector switched months ago to using the
2378         sampling profiler and displaying its data. Remove the legacy
2379         profiler, as it is no longer being used by anything other than
2380         console.profile and tests. We will update console.profile's
2381         behavior soon to have new behavior and use the sampling data.
2382
2383         * API/JSProfilerPrivate.cpp: Removed.
2384         * API/JSProfilerPrivate.h: Removed.
2385         * CMakeLists.txt:
2386         * JavaScriptCore.xcodeproj/project.pbxproj:
2387         * bytecode/BytecodeList.json:
2388         * bytecode/BytecodeUseDef.h:
2389         (JSC::computeUsesForBytecodeOffset): Deleted.
2390         (JSC::computeDefsForBytecodeOffset): Deleted.
2391         * bytecode/CodeBlock.cpp:
2392         (JSC::CodeBlock::dumpBytecode): Deleted.
2393         * bytecode/UnlinkedFunctionExecutable.cpp:
2394         (JSC::generateUnlinkedFunctionCodeBlock):
2395         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2396         * bytecode/UnlinkedFunctionExecutable.h:
2397         * bytecompiler/BytecodeGenerator.cpp:
2398         (JSC::BytecodeGenerator::BytecodeGenerator):
2399         (JSC::BytecodeGenerator::emitCall):
2400         (JSC::BytecodeGenerator::emitCallVarargs):
2401         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2402         (JSC::BytecodeGenerator::emitConstructVarargs):
2403         (JSC::BytecodeGenerator::emitConstruct):
2404         * bytecompiler/BytecodeGenerator.h:
2405         (JSC::CallArguments::profileHookRegister): Deleted.
2406         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
2407         * bytecompiler/NodesCodegen.cpp:
2408         (JSC::CallFunctionCallDotNode::emitBytecode):
2409         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2410         (JSC::CallArguments::CallArguments): Deleted.
2411         * dfg/DFGAbstractInterpreterInlines.h:
2412         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
2413         * dfg/DFGByteCodeParser.cpp:
2414         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
2415         * dfg/DFGCapabilities.cpp:
2416         (JSC::DFG::capabilityLevel): Deleted.
2417         * dfg/DFGClobberize.h:
2418         (JSC::DFG::clobberize): Deleted.
2419         * dfg/DFGDoesGC.cpp:
2420         (JSC::DFG::doesGC): Deleted.
2421         * dfg/DFGFixupPhase.cpp:
2422         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2423         * dfg/DFGNodeType.h:
2424         * dfg/DFGPredictionPropagationPhase.cpp:
2425         * dfg/DFGSafeToExecute.h:
2426         (JSC::DFG::safeToExecute): Deleted.
2427         * dfg/DFGSpeculativeJIT32_64.cpp:
2428         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2429         * dfg/DFGSpeculativeJIT64.cpp:
2430         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2431         * inspector/InjectedScriptBase.cpp:
2432         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2433         * inspector/protocol/Timeline.json:
2434         * interpreter/Interpreter.cpp:
2435         (JSC::UnwindFunctor::operator()): Deleted.
2436         (JSC::Interpreter::execute): Deleted.
2437         (JSC::Interpreter::executeCall): Deleted.
2438         (JSC::Interpreter::executeConstruct): Deleted.
2439         * jit/JIT.cpp:
2440         (JSC::JIT::privateCompileMainPass): Deleted.
2441         * jit/JIT.h:
2442         * jit/JITOpcodes.cpp:
2443         (JSC::JIT::emit_op_profile_will_call): Deleted.
2444         (JSC::JIT::emit_op_profile_did_call): Deleted.
2445         * jit/JITOpcodes32_64.cpp:
2446         (JSC::JIT::emit_op_profile_will_call): Deleted.
2447         (JSC::JIT::emit_op_profile_did_call): Deleted.
2448         * jit/JITOperations.cpp:
2449         * jit/JITOperations.h:
2450         * jsc.cpp:
2451         * llint/LLIntSlowPaths.cpp:
2452         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2453         * llint/LLIntSlowPaths.h:
2454         * llint/LowLevelInterpreter.asm:
2455         * parser/ParserModes.h:
2456         * profiler/CallIdentifier.h: Removed.
2457         * profiler/LegacyProfiler.cpp: Removed.
2458         * profiler/LegacyProfiler.h: Removed.
2459         * profiler/Profile.cpp: Removed.
2460         * profiler/Profile.h: Removed.
2461         * profiler/ProfileGenerator.cpp: Removed.
2462         * profiler/ProfileGenerator.h: Removed.
2463         * profiler/ProfileNode.cpp: Removed.
2464         * profiler/ProfileNode.h: Removed.
2465         * profiler/ProfilerJettisonReason.cpp:
2466         (WTF::printInternal): Deleted.
2467         * profiler/ProfilerJettisonReason.h:
2468         * runtime/CodeCache.cpp:
2469         (JSC::CodeCache::getGlobalCodeBlock):
2470         (JSC::CodeCache::getProgramCodeBlock):
2471         (JSC::CodeCache::getEvalCodeBlock):
2472         (JSC::CodeCache::getModuleProgramCodeBlock):
2473         * runtime/CodeCache.h:
2474         * runtime/Executable.cpp:
2475         (JSC::ScriptExecutable::newCodeBlockFor):
2476         * runtime/JSGlobalObject.cpp:
2477         (JSC::JSGlobalObject::createProgramCodeBlock):
2478         (JSC::JSGlobalObject::createEvalCodeBlock):
2479         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2480         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
2481         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
2482         * runtime/JSGlobalObject.h:
2483         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
2484         * runtime/Options.h:
2485         * runtime/VM.cpp:
2486         (JSC::VM::VM): Deleted.
2487         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
2488         (JSC::VM::setEnabledProfiler): Deleted.
2489         * runtime/VM.h:
2490         (JSC::VM::enabledProfiler): Deleted.
2491         (JSC::VM::enabledProfilerAddress): Deleted.
2492
2493 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
2494
2495         jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
2496         https://bugs.webkit.org/show_bug.cgi?id=157704
2497
2498         Reviewed by Saam Barati.
2499
2500         * jsc.cpp:
2501         (functionStartSamplingProfiler):
2502         (functionSamplingProfilerStackTraces):
2503         Throw an exception instead of crashing if we haven't started sampling.
2504
2505         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2506         (Inspector::InspectorScriptProfilerAgent::startTracking):
2507         * runtime/VM.h:
2508         * runtime/VM.cpp:
2509         (JSC::VM::ensureSamplingProfiler):
2510         Switch ensure to returning a reference, like most other ensures.
2511
2512 2016-05-13  Saam barati  <sbarati@apple.com>
2513
2514         DFG/FTL have a few bugs in their reasoning about the scope
2515         https://bugs.webkit.org/show_bug.cgi?id=157696
2516
2517         Reviewed by Benjamin Poulain.
2518
2519         1. When the debugger is enabled, it is easier for the DFG to reason
2520         about the scope register by simply claiming all nodes read the scope
2521         register. This prevents us from ever entering the runtime where we
2522         may take a stack trace but there isn't a scope on the stack.
2523
2524         2. This patch fixes a bug where the FTL compilation wasn't properly
2525         setting the CodeBlock register. It was only doing this when there
2526         was inline data, but when the debugger is enabled, we never inline.
2527         So this code just needed to be removed from that loop. It was never
2528         right for it to be inside the loop.
2529
2530         * dfg/DFGClobberize.h:
2531         (JSC::DFG::clobberize):
2532         * ftl/FTLCompile.cpp:
2533         (JSC::FTL::compile):
2534
2535 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
2536
2537         [JSC] SetLocal without exit do not need phantoms
2538         https://bugs.webkit.org/show_bug.cgi?id=157653
2539
2540         Reviewed by Filip Pizlo.
2541
2542         I made a mistake in r200498.
2543
2544         If a SetLocal cannot possibly exit, we were not clearing
2545         the source of the operand. As a result, we sometimes kept
2546         a value alive up to the end of the block.
2547
2548         That's uncommon because SetLocals typically appear
2549         toward the end of blocks. That's probably why there was
2550         no perf impact with that fix.
2551
2552         * dfg/DFGPhantomInsertionPhase.cpp:
2553
2554 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
2555
2556         [JSC] Move the CheckTierUp function calls out of the main path
2557         https://bugs.webkit.org/show_bug.cgi?id=157668
2558
2559         Reviewed by Mark Lam.
2560
2561         If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
2562         the size of CheckTierUp is a problem.
2563
2564         On multi-issue CPUs, the node is so big that we do not
2565         get to run anything from the loop in the instruction fetch.
2566
2567         On x86, having a bigger loop also pushes us out of the LSD.
2568
2569         This is a 6% improvement on bits-in-byte. Other Sunspider tests
2570         only improve marginally.
2571
2572         * dfg/DFGSpeculativeJIT.cpp:
2573         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
2574         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2575         * dfg/DFGSpeculativeJIT.h:
2576         (JSC::DFG::SpeculativeJIT::silentSpill):
2577         (JSC::DFG::SpeculativeJIT::silentFill):
2578         * dfg/DFGSpeculativeJIT64.cpp:
2579         (JSC::DFG::SpeculativeJIT::compile):
2580
2581 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
2582
2583         [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
2584         https://bugs.webkit.org/show_bug.cgi?id=157671
2585
2586         Reviewed by Mark Lam.
2587
2588         This improves the chances of having a value
2589         when issuing the TEST.
2590
2591         * jit/JITPropertyAccess.cpp:
2592         (JSC::JIT::emitLoadWithStructureCheck):
2593
2594 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
2595
2596         Web Inspector: Inform augmenting client when inspector controller is destroyed
2597         https://bugs.webkit.org/show_bug.cgi?id=157688
2598         <rdar://problem/25832724>
2599
2600         Reviewed by Timothy Hatcher.
2601
2602         * inspector/JSGlobalObjectInspectorController.cpp:
2603         (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
2604         * inspector/augmentable/AugmentableInspectorControllerClient.h:
2605         There is a weak relationship between the InspectorController and the
2606         AugmentingClient. Let the augmenting client know when the controller
2607         is destroyed so it doesn't try to use us anymore.
2608
2609 2016-05-13  Geoffrey Garen  <ggaren@apple.com>
2610
2611         Runaway malloc memory usage in this simple JSC program
2612         https://bugs.webkit.org/show_bug.cgi?id=157682
2613
2614         Reviewed by Mark Lam.
2615
2616         * heap/WeakSet.cpp:
2617         (JSC::WeakSet::sweep): Whenever we might add a block to
2618         m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
2619         m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
2620         even when all memory is freed.
2621
2622         We do this whenever we *might* add a block and not just whenever we *do*
2623         add a block because we'd like to sweep the entries in
2624         m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
2625         is a reasonably rate-limited opportunity to do so.
2626
2627 2016-05-13  Mark Lam  <mark.lam@apple.com>
2628
2629         We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
2630         https://bugs.webkit.org/show_bug.cgi?id=157537
2631         <rdar://problem/24794845>
2632
2633         Reviewed by Michael Saboff.
2634
2635         The pre-existing code behaves this way:
2636
2637         1. When JS code throws an exception, it saves callee save registers in
2638            the VM calleeSaveRegistersBuffer.  These values are meant to be restored
2639            to the callee save registers later either at the catch handler or at the
2640            uncaught exception handler.
2641
2642         2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
2643            the exception.  That C++ code can change the values of the callee save
2644            registers.
2645
2646            The inspector code in turn re-enters the VM to execute JS inspector code.
2647
2648            The JS inspector code can run hot enough that we do an enterOptimizationCheck
2649            on it.  The enterOptimizationCheck first saves all callee save registers
2650            into the VM calleeSaveRegistersBuffer.
2651
2652            This effectively overwrites the values in the VM calleeSaveRegistersBuffer
2653            from (1).
2654
2655         3. Eventually, execution returns to the catch handler or the uncaught exception
2656            handler which restores the overwritten values in the VM
2657            calleeSaveRegistersBuffer to the callee save registers.
2658
2659            When execution returns to the C++ code that entered the VM before (1), the
2660            values in the callee registers are not what that code expects, and badness
2661            and/or crashes ensue.
2662
2663         This patch applies the following fix:
2664         
2665         1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
2666            This ensures that each VM entry session has its own buffer to use, and will
2667            not corrupt the one from the previous VM entry session.
2668
2669            Delete the VM calleeSaveRegistersBuffer.
2670
2671         2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
2672            calleeSaveRegistersBuffer in the current VMEntryFrame.
2673
2674         3. Renamed all uses of the term "VMCalleeSavesBuffer" to
2675            "VMEntryFrameCalleeSavesBuffer".
2676
2677         This fix has been tested on the following configurations:
2678         1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
2679         2. JSC tests on a release ASan build for 32-bit x86.
2680         3. JSC tests on a release normal (non-ASan) build for ARM64.
2681         4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
2682         5. JSC tests on a release ASan CLOOP build for x86_64.
2683
2684         These test runs did not produce any new crashes.  The ASan CLOOP has some
2685         pre-existing crashes which are not due to this patch.
2686
2687         This bug can be tested by running the inspector/debugger/regress-133182.html test
2688         on an ASan build.
2689
2690         * bytecode/PolymorphicAccess.cpp:
2691         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2692         * dfg/DFGJITCompiler.cpp:
2693         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2694         * dfg/DFGOSREntry.cpp:
2695         (JSC::DFG::prepareOSREntry):
2696         * dfg/DFGOSRExitCompiler.cpp:
2697         * dfg/DFGOSRExitCompiler32_64.cpp:
2698         (JSC::DFG::OSRExitCompiler::compileExit):
2699         * dfg/DFGOSRExitCompiler64.cpp:
2700         (JSC::DFG::OSRExitCompiler::compileExit):
2701         * dfg/DFGThunks.cpp:
2702         (JSC::DFG::osrEntryThunkGenerator):
2703         * ftl/FTLCompile.cpp:
2704         (JSC::FTL::compile):
2705         * ftl/FTLLowerDFGToB3.cpp:
2706         (JSC::FTL::DFG::LowerDFGToB3::lower):
2707         * ftl/FTLOSRExitCompiler.cpp:
2708         (JSC::FTL::compileStub):
2709         * interpreter/Interpreter.cpp:
2710         (JSC::UnwindFunctor::operator()):
2711         (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2712         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2713         * interpreter/Interpreter.h:
2714         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2715         * interpreter/VMEntryRecord.h:
2716         (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
2717         (JSC::VMEntryRecord::prevTopCallFrame):
2718         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2719         (JSC::VMEntryFrame::vmEntryRecordOffset):
2720         (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
2721         * jit/AssemblyHelpers.cpp:
2722         (JSC::AssemblyHelpers::emitRandomThunk):
2723         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2724         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2725         * jit/AssemblyHelpers.h:
2726         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
2727         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2728         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
2729         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2730         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
2731         * jit/JIT.cpp:
2732         (JSC::JIT::emitEnterOptimizationCheck):
2733         (JSC::JIT::privateCompileExceptionHandlers):
2734         * jit/JITOpcodes.cpp:
2735         (JSC::JIT::emit_op_throw):
2736         (JSC::JIT::emit_op_catch):
2737         (JSC::JIT::emitSlow_op_loop_hint):
2738         * jit/JITOpcodes32_64.cpp:
2739         (JSC::JIT::emit_op_throw):
2740         (JSC::JIT::emit_op_catch):
2741         * jit/ThunkGenerators.cpp:
2742         (JSC::throwExceptionFromCallSlowPathGenerator):
2743         (JSC::nativeForGenerator):
2744         * llint/LLIntThunks.cpp:
2745         (JSC::vmEntryRecord):
2746         * llint/LowLevelInterpreter.asm:
2747         * llint/LowLevelInterpreter32_64.asm:
2748         * llint/LowLevelInterpreter64.asm:
2749         * runtime/VM.h:
2750         (JSC::VM::getCTIStub):
2751         (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
2752         * wasm/WASMFunctionCompiler.h:
2753         (JSC::WASMFunctionCompiler::endFunction):
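
The re-entrancy sequence described in this entry (throw saves callee saves, the inspector re-enters the VM and an enterOptimizationCheck saves again, the catch handler restores), as an added C++ example that is not JavaScriptCore's code: it models a VM with either one shared buffer or one buffer per entry frame and shows that only the per-frame layout hands the outer session's values back to the catch handler. The names Registers, VMEntryFrame and Vm, and the register values, are assumptions made for the illustration.

```cpp
// Added example, not JavaScriptCore code: models the re-entrancy bug described
// in the ChangeLog entry. Names (Registers, VMEntryFrame, Vm) are assumptions.
#include <array>
#include <cstdint>
#include <vector>

// Three pretend callee-save registers.
using Registers = std::array<uint64_t, 3>;

// One record per VM entry session; the fixed design keeps the buffer here.
struct VMEntryFrame {
    Registers calleeSaveRegistersBuffer{};
};

struct Vm {
    bool perEntryFrameBuffer;            // true = fixed design, false = old design
    Registers sharedBuffer{};            // old design: a single buffer per VM
    std::vector<VMEntryFrame> entryFrames;

    explicit Vm(bool perFrame) : perEntryFrameBuffer(perFrame) {}

    // The buffer the current entry session saves to and restores from.
    Registers& buffer() {
        return perEntryFrameBuffer ? entryFrames.back().calleeSaveRegistersBuffer : sharedBuffer;
    }
    void enter() { entryFrames.push_back({}); }
    void leave() { entryFrames.pop_back(); }
};

// Simulates the sequence from the entry: JS throws (step 1), the inspector
// re-enters the VM and an enterOptimizationCheck saves registers (step 2),
// then the catch handler restores from the buffer (step 3). Returns the
// registers as seen by the C++ code that entered the VM before step 1.
Registers runExceptionWithInspector(bool perEntryFrameBuffer) {
    const Registers outerCalleeSaves{0x1111, 0x2222, 0x3333};      // constructed sample
    const Registers inspectorCalleeSaves{0xAAAA, 0xBBBB, 0xCCCC};  // constructed sample

    Vm vm(perEntryFrameBuffer);
    vm.enter();                                    // outer VM entry session
    vm.buffer() = outerCalleeSaves;                // step 1: throw saves callee saves

    vm.enter();                                    // step 2: inspector re-enters the VM
    vm.buffer() = inspectorCalleeSaves;            // enterOptimizationCheck saves again
    vm.leave();                                    // inspector session finishes

    Registers restored = vm.buffer();              // step 3: catch handler restores
    vm.leave();
    return restored;
}

// With one buffer per VM the inner session clobbers the outer session's values.
bool sharedBufferIsCorrupted() {
    return runExceptionWithInspector(false) != Registers{0x1111, 0x2222, 0x3333};
}

// With one buffer per VMEntryFrame each session restores its own values.
bool perFrameBufferIsPreserved() {
    return runExceptionWithInspector(true) == Registers{0x1111, 0x2222, 0x3333};
}
```

The model only tracks which buffer a session writes to and reads from; it is the buffer ownership, not the register contents, that the patch changes.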
2754
2755 2016-05-13  Beth Dakin  <bdakin@apple.com>
2756
2757         Add dyldSPI.h for linked on or after checks, and add one for link preview
2758         https://bugs.webkit.org/show_bug.cgi?id=157401
2759         -and corresponding-
2760         rdar://problem/26253396
2761
2762         Reviewed by Darin Adler.
2763
2764         Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the 
2765         needed dyld code.
2766         * API/JSWrapperMap.mm:
2767
2768 2016-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2769
2770         Assertion failure for direct eval in non-class method
2771         https://bugs.webkit.org/show_bug.cgi?id=157138
2772
2773         Reviewed by Saam Barati.
2774
2775         This assertion was incorrect. In method definitions in object literals,
2776         it can be sloppy mode, but its DerivedContextType may not be DerivedContextType::None.
2777
2778         * bytecode/EvalCodeCache.h:
2779         (JSC::EvalCodeCache::CacheKey::CacheKey):
2780         (JSC::EvalCodeCache::CacheKey::operator==):
2781         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2782         (JSC::EvalCodeCache::tryGet):
2783         (JSC::EvalCodeCache::getSlow):
2784         * interpreter/Interpreter.cpp:
2785         (JSC::eval):
2786         * tests/stress/direct-eval-in-object-literal-methods.js: Added.
2787         (shouldBe):
2788         (throw.new.Error):
2789         (shouldBe.Parent.prototype.l):
2790         (shouldBe.Parent):
2791         (shouldBe.Derived.prototype.m):
2792         (shouldBe.Derived):
2793
2794 2016-05-13  Skachkov Oleksandr  <gskachkov@gmail.com>
2795
2796         Assertion failure for super() call in arrow function default parameters
2797         https://bugs.webkit.org/show_bug.cgi?id=157079
2798
2799         Reviewed by Saam Barati.
2800
2801         The root of the issue is that in arrow functions we load the bound variables this/super/new.target just after
2802         the input parameters are initialized, and did not cover the case of default values for
2803         function parameters.
2804         The current patch tries to fix the issue and allows loading the bound variables earlier, before the input
2805         parameters are assigned their default values.
2806
2807         * bytecompiler/BytecodeGenerator.cpp:
2808         (JSC::BytecodeGenerator::BytecodeGenerator):
2809         * tests/stress/arrowfunction-lexical-bind-this-2.js:
2810
2811 2016-05-12  Mark Lam  <mark.lam@apple.com>
2812
2813         Baseline and DFG's JSC_report...CompileTimes needs CodeBlock hashes.
2814         https://bugs.webkit.org/show_bug.cgi?id=157643
2815
2816         Reviewed by Keith Miller.
2817
2818         * runtime/Options.cpp:
2819         (JSC::recomputeDependentOptions):
2820
2821 2016-05-12  Csaba Osztrogonác  <ossy@webkit.org>
2822
2823         Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
2824         https://bugs.webkit.org/show_bug.cgi?id=157564
2825
2826         Reviewed by Darin Adler.
2827
2828         * Configurations/FeatureDefines.xcconfig:
2829         * parser/Parser.cpp:
2830
2831 2016-05-12  Joseph Pecoraro  <pecoraro@apple.com>
2832
2833         Web Inspector: CRASH getting internal properties of function with no bound arguments causes
2834         https://bugs.webkit.org/show_bug.cgi?id=157613
2835         <rdar://problem/26238754>
2836
2837         Reviewed by Timothy Hatcher.
2838
2839         * inspector/JSInjectedScriptHost.cpp:
2840         (Inspector::JSInjectedScriptHost::getInternalProperties):
2841         Gracefully handle a JSBoundFunction with no bound arguments.
2842         In this case boundArgs is JSValue() which we don't want to
2843         expose as the value of the internal property.
2844
2845 2016-05-11  Benjamin Poulain  <bpoulain@apple.com>
2846
2847         [JSC] Make sure StringRange is passed to Vector by register
2848         https://bugs.webkit.org/show_bug.cgi?id=157603
2849
2850         Reviewed by Darin Adler.
2851
2852         This is bizarre, but on my SDK, Vector::append(StringRange)
2853         is passing the values on the stack.
2854         The two integers are written to the stack, the address given
2855         to append(), then append() reads it back and stores it.
2856
2857         This patch changes the code to use constructAndAppend(), ensuring
2858         the values are used directly.
2859
2860         On my machine, this helps Sunspider and Octane.
2861         This might be something wrong with my SDK but the fix is so easy
2862         that we might as well do this.
2863
2864         * runtime/StringPrototype.cpp:
2865         (JSC::removeUsingRegExpSearch):
2866         (JSC::replaceUsingRegExpSearch):
2867
2868 2016-05-11  Zan Dobersek  <zdobersek@igalia.com>
2869
2870         ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC
2871         https://bugs.webkit.org/show_bug.cgi?id=157576
2872
2873         Reviewed by Csaba Osztrogonác.
2874
2875         * assembler/ARMv7Assembler.h:
2876         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): Explicitly cast the
2877         `OP_CMP_reg_T2 | left` value to uint16_t, avoiding a narrowing conversion
2878         warning that's being reported when compiling with GCC. The warning is sprung
2879         due to RegisterID (which is the type of `left`) being an enum based on int,
2880         even when the enum itself only declares 23 values.
2881
2882 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2883
2884         Web Inspector: `this` in Scope Chain Sidebar does not have preview, looks poor
2885         https://bugs.webkit.org/show_bug.cgi?id=157602
2886
2887         Reviewed by Timothy Hatcher.
2888
2889         * inspector/InjectedScriptSource.js:
2890         (InjectedScript.CallFrameProxy):
2891         Include a preview when creating the RemoteObject for `this`.
2892
2893 2016-05-11  Keith Miller  <keith_miller@apple.com>
2894
2895         Unreviewed, correct the title of the ChangeLog for r200667.
2896
2897 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2898
2899         JSC test stress/reflect-set.js failing after 200694
2900         https://bugs.webkit.org/show_bug.cgi?id=157586
2901
2902         Unreviewed test rebaseline.
2903
2904         * tests/stress/reflect-set.js:
2905         Update the expected error message. We are in strict mode, so the
2906         improved error message makes sense.
2907
2908 2016-05-11  Filip Pizlo  <fpizlo@apple.com>
2909
2910         Beef up JSC profiler event log
2911         https://bugs.webkit.org/show_bug.cgi?id=157584
2912
2913         Reviewed by Saam Barati.
2914         
2915         Also log more about compilation.
2916
2917         * bytecode/ExecutionCounter.cpp: Changed the meaning of codeBlock to be the codeBlock that is doing the profiling. This will now get the baseline version if it needs it. This is needed for logging the threshold checking event.
2918         (JSC::applyMemoryUsageHeuristics):
2919         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2920         * dfg/DFGJITCode.cpp: Pass the right codeBlock.
2921         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
2922         (JSC::DFG::JITCode::optimizeNextInvocation):
2923         (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
2924         (JSC::DFG::JITCode::optimizeSoon):
2925         (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
2926         * dfg/DFGPlan.cpp: Log things about compile times and whether the compiler succeeded or failed.
2927         (JSC::DFG::Plan::computeCompileTimes):
2928         (JSC::DFG::Plan::reportCompileTimes):
2929         (JSC::DFG::Plan::compileInThread):
2930         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2931         * jit/ExecutableAllocatorFixedVMPool.cpp: Make it possible to look at memory usage, though separately from the log, for now.
2932         (JSC::ExecutableAllocator::allocate):
2933         * runtime/Options.h:
2934
2935 2016-05-11  Saam barati  <sbarati@apple.com>
2936
2937         Air may decide to put the result register of an arithmetic snippet in the tag register
2938         https://bugs.webkit.org/show_bug.cgi?id=157548
2939
2940         Reviewed by Filip Pizlo.
2941
2942         This patch adds a new ValueRep to B3 called LateRegister. The semantics
2943         are similar to Register in that it can be used to pin an argument to
2944         a particular register. It differs from ValueRep::Register in that the semantics of
2945         LateRegister are that it is used after the result of the node it's an argument to
2946         is computed. This means that a LateRegister argument will interfere with the result
2947         of a node. LateRegister is not a valid result ValueRep.
2948
2949         This was needed because there was a bug where B3/Air would assign the
2950         result of a patchpoint to the TagTypeNumber register. This broke our
2951         code when we would box a double into a JSValue in a snippet when the
2952         result is the same as the TagTypeNumber register. To fix the issue,
2953         we pass TagMaskRegister and TagTypeNumberRegister as ValueRep::LateRegister
2954         arguments to various patchpoints.
2955
2956         * b3/B3LowerToAir.cpp:
2957         (JSC::B3::Air::LowerToAir::fillStackmap):
2958         * b3/B3PatchpointSpecial.cpp:
2959         (JSC::B3::PatchpointSpecial::admitsStack):
2960         * b3/B3StackmapSpecial.cpp:
2961         (JSC::B3::StackmapSpecial::forEachArgImpl):
2962         (JSC::B3::StackmapSpecial::isArgValidForRep):
2963         * b3/B3Validate.cpp:
2964         * b3/B3ValueRep.cpp:
2965         (JSC::B3::ValueRep::addUsedRegistersTo):
2966         (JSC::B3::ValueRep::dump):
2967         (JSC::B3::ValueRep::emitRestore):
2968         (JSC::B3::ValueRep::recoveryForJSValue):
2969         (WTF::printInternal):
2970         * b3/B3ValueRep.h:
2971         (JSC::B3::ValueRep::reg):
2972         (JSC::B3::ValueRep::lateReg):
2973         (JSC::B3::ValueRep::stack):
2974         (JSC::B3::ValueRep::operator==):
2975         (JSC::B3::ValueRep::isSomeRegister):
2976         (JSC::B3::ValueRep::isReg):
2977         * b3/testb3.cpp:
2978         (JSC::B3::testSpillUseLargerThanDef):
2979         (JSC::B3::testLateRegister):
2980         (JSC::B3::zero):
2981         (JSC::B3::run):
2982         * ftl/FTLLowerDFGToB3.cpp:
2983         (JSC::FTL::DFG::LowerDFGToB3::lower):
2984         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2985         (JSC::FTL::DFG::LowerDFGToB3::getById):
2986         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2987         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2988         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2989
2990 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2991
2992         Improve error messages for accessing arguments.callee and similar getters in strict mode
2993         https://bugs.webkit.org/show_bug.cgi?id=157545
2994
2995         Reviewed by Mark Lam.
2996
2997         * runtime/ClonedArguments.cpp:
2998         (JSC::ClonedArguments::getOwnPropertySlot):
2999         (JSC::ClonedArguments::materializeSpecials):
3000         Provide better error GetterSetter in strict mode.
3001
3002         * runtime/JSFunction.cpp:
3003         (JSC::getThrowTypeErrorGetterSetter):
3004         (JSC::JSFunction::defineOwnProperty):
3005         Provide better error GetterSetter in strict mode.
3006
3007         * runtime/JSGlobalObject.cpp:
3008         (JSC::JSGlobalObject::init):
3009         (JSC::JSGlobalObject::visitChildren):
3010         * runtime/JSGlobalObject.h:
3011         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
3012         (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter):
3013         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter):
3014         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter):
3015         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter): Deleted.
3016         * runtime/JSGlobalObjectFunctions.cpp:
3017         (JSC::globalFuncThrowTypeErrorCalleeAndCaller):
3018         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode):
3019         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext):
3020         (JSC::globalFuncThrowTypeErrorArgumentsAndCaller): Deleted.
3021         * runtime/JSGlobalObjectFunctions.h:
3022         Rename and expose new handles for new error getter setter native functions.
3023
3024 2016-05-11  Commit Queue  <commit-queue@webkit.org>
3025
3026         Unreviewed, rolling out r200481.
3027         https://bugs.webkit.org/show_bug.cgi?id=157573
3028
3029         it's bad news for asm.js (Requested by pizlo on #webkit).
3030
3031         Reverted changeset:
3032
3033         "Reduce maximum JIT pool size on X86_64."
3034         http://trac.webkit.org/changeset/200481
3035
3036 2016-05-10  Keith Miller  <keith_miller@apple.com>
3037
3038         TypedArray.prototype.slice should not use the byteLength of the passed array for memmove
3039         https://bugs.webkit.org/show_bug.cgi?id=157551
3040         <rdar://problem/26179914>
3041
3042         Reviewed by Michael Saboff.
3043
3044         The TypedArray.prototype.slice function would use the byteLength of the passed array
3045         to determine the amount of data to copy. It should have been using the passed length
3046         times the size of each element. This fixes a crash on JavaPoly.com.
3047
3048         * runtime/JSGenericTypedArrayViewInlines.h:
3049         (JSC::JSGenericTypedArrayView<Adaptor>::set):
3050         * tests/stress/typedarray-slice.js:
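
The sizing rule this entry describes, as an added C++ example that is not JavaScriptCore's code: a minimal typed-array view over a byte buffer whose slice() computes the number of bytes to move from the element count times the element size, never from the source view's byteLength, and clamps the begin/end indices the way TypedArray.prototype.slice does. The names TypedView, clampIndex, slice and demoSlice, and the sample buffer contents, are assumptions.

```cpp
// Added example, not JavaScriptCore code. Demonstrates sizing the slice copy
// from count * sizeof(Element) rather than the source view's byteLength.
// Names (TypedView, clampIndex, slice, demoSlice) are assumptions.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

template <typename Element>
struct TypedView {
    std::shared_ptr<std::vector<uint8_t>> buffer;  // backing ArrayBuffer
    size_t byteOffset;                              // where the view starts in the buffer
    size_t length;                                  // element count of the view

    size_t byteLength() const { return length * sizeof(Element); }

    // Reads element i without relying on alignment of the backing bytes.
    Element at(size_t i) const {
        Element e;
        std::memcpy(&e, buffer->data() + byteOffset + i * sizeof(Element), sizeof(Element));
        return e;
    }
};

// Clamp a relative index as TypedArray.prototype.slice does: negative values
// count from the end, and the result always lies within [0, length].
static size_t clampIndex(long long relative, size_t length) {
    long long len = static_cast<long long>(length);
    long long v = relative < 0 ? std::max(len + relative, 0LL) : std::min(relative, len);
    return static_cast<size_t>(v);
}

template <typename Element>
TypedView<Element> slice(const TypedView<Element>& source, long long begin, long long end) {
    size_t k = clampIndex(begin, source.length);
    size_t finalIndex = clampIndex(end, source.length);
    size_t count = finalIndex > k ? finalIndex - k : 0;

    // The point of the fix: move exactly count * sizeof(Element) bytes.
    // source.byteLength() is larger whenever count < source.length and would
    // overrun the freshly allocated result buffer.
    size_t bytesToCopy = count * sizeof(Element);
    auto result = std::make_shared<std::vector<uint8_t>>(bytesToCopy);
    if (bytesToCopy) {
        std::memmove(result->data(),
                     source.buffer->data() + source.byteOffset + k * sizeof(Element),
                     bytesToCopy);
    }
    return TypedView<Element>{result, 0, count};
}

// Builds a Uint32 view over the middle of a 32-byte buffer (constructed
// sample holding 0,10,20,...,70) and slices it; returns the sliced elements.
std::vector<uint32_t> demoSlice() {
    auto backing = std::make_shared<std::vector<uint8_t>>(32);
    for (size_t i = 0; i < 8; ++i) {
        uint32_t v = static_cast<uint32_t>(i * 10);
        std::memcpy(backing->data() + i * 4, &v, 4);
    }
    TypedView<uint32_t> view{backing, 8, 4};    // elements 20,30,40,50 (byteLength 16)
    TypedView<uint32_t> s = slice(view, 1, -1); // elements 30,40 (byteLength 8)
    std::vector<uint32_t> out;
    for (size_t i = 0; i < s.length; ++i)
        out.push_back(s.at(i));
    return out;
}
```

In demoSlice the source view's byteLength is 16 while the slice needs only 8 bytes; a copy sized from the source byteLength would write past the 8-byte result buffer, which is the overrun the entry fixes.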
3051
3052 2016-05-10  Michael Saboff  <msaboff@apple.com>
3053
3054         REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher
3055         https://bugs.webkit.org/show_bug.cgi?id=157549
3056
3057         Reviewed by Keith Miller.
3058
3059         Disable debug annotations for C_LOOP builds.  They are inline assembly directives,
3060         unnecessary and they cause syntax errors.
3061
3062         * offlineasm/asm.rb:
3063
3064 2016-05-10  Filip Pizlo  <fpizlo@apple.com>
3065
3066         Internal JSC profiler should have a timestamped log of events for each code block
3067         https://bugs.webkit.org/show_bug.cgi?id=157538
3068
3069         Reviewed by Benjamin Poulain.
3070         
3071         For example, in 3d-cube, I can query the events for MMulti and I get:
3072
3073         1462917476.17083  MMulti#DTZ7qc                          installCode        
3074         1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
3075         1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
3076         1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
3077         1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode        
3078         1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
3079         1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
3080         1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
3081         1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
3082         1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
3083         1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
3084         1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      installCode        
3085         1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      osrEntry           at bc#49
3086         1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      jettison           due to OSRExit, counting = true, detail = (null)
3087         1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#77: BadCache/FromDFG
3088         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#94: BadCache/FromDFG
3089         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
3090         1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
3091         1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
3092         1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
3093         1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
3094         1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
3095         1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
3096         1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      installCode        
3097         1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      osrEntry           at bc#0
3098         
3099         The output is ugly but useful. We can make it less ugly later.
3100
3101         * CMakeLists.txt:
3102         * JavaScriptCore.xcodeproj/project.pbxproj:
3103         * bytecode/CodeBlock.cpp:
3104         (JSC::CodeBlock::jettison):
3105         * bytecode/CodeBlock.h:
3106         (JSC::ScriptExecutable::forEachCodeBlock):
3107         * bytecode/DFGExitProfile.cpp:
3108         (JSC::DFG::ExitProfile::add):
3109         * dfg/DFGJITFinalizer.cpp:
3110         (JSC::DFG::JITFinalizer::finalizeCommon):
3111         * dfg/DFGOperations.cpp:
3112         * ftl/FTLJITFinalizer.cpp:
3113         (JSC::FTL::JITFinalizer::finalizeFunction):
3114         * jit/JIT.cpp:
3115         (JSC::JIT::privateCompile):
3116         * jit/JITOperations.cpp:
3117         * llint/LLIntSlowPaths.cpp:
3118         (JSC::LLInt::jitCompileAndSetHeuristics):
3119         (JSC::LLInt::entryOSR):
3120         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3121         * profiler/ProfilerCompilation.cpp:
3122         (JSC::Profiler::Compilation::Compilation):
3123         (JSC::Profiler::Compilation::setJettisonReason):
3124         (JSC::Profiler::Compilation::dump):
3125         (JSC::Profiler::Compilation::toJS):
3126         * profiler/ProfilerCompilation.h:
3127         (JSC::Profiler::Compilation::uid):
3128         * profiler/ProfilerDatabase.cpp:
3129         (JSC::Profiler::Database::ensureBytecodesFor):
3130         (JSC::Profiler::Database::notifyDestruction):
3131         (JSC::Profiler::Database::addCompilation):
3132         (JSC::Profiler::Database::toJS):
3133         (JSC::Profiler::Database::registerToSaveAtExit):
3134         (JSC::Profiler::Database::logEvent):
3135         (JSC::Profiler::Database::addDatabaseToAtExit):
3136         * profiler/ProfilerDatabase.h:
3137         * profiler/ProfilerEvent.cpp: Added.
3138         (JSC::Profiler::Event::dump):
3139         (JSC::Profiler::Event::toJS):
3140         * profiler/ProfilerEvent.h: Added.
3141         (JSC::Profiler::Event::Event):
3142         (JSC::Profiler::Event::operator bool):
3143         (JSC::Profiler::Event::time):
3144         (JSC::Profiler::Event::bytecodes):
3145         (JSC::Profiler::Event::compilation):
3146         (JSC::Profiler::Event::summary):
3147         (JSC::Profiler::Event::detail):
3148         * profiler/ProfilerUID.cpp: Added.
3149         (JSC::Profiler::UID::create):
3150         (JSC::Profiler::UID::dump):
3151         (JSC::Profiler::UID::toJS):
3152         * profiler/ProfilerUID.h: Added.
3153         (JSC::Profiler::UID::UID):
3154         (JSC::Profiler::UID::fromInt):
3155         (JSC::Profiler::UID::toInt):
3156         (JSC::Profiler::UID::operator==):
3157         (JSC::Profiler::UID::operator!=):
3158         (JSC::Profiler::UID::operator bool):
3159         (JSC::Profiler::UID::isHashTableDeletedValue):
3160         (JSC::Profiler::UID::hash):
3161         (JSC::Profiler::UIDHash::hash):
3162         (JSC::Profiler::UIDHash::equal):
3163         * runtime/CommonIdentifiers.h:
3164         * runtime/Executable.cpp:
3165         (JSC::ScriptExecutable::installCode):
3166         * runtime/VM.h:
3167         (JSC::VM::bytecodeIntrinsicRegistry):
3168         (JSC::VM::shadowChicken):
3169         * runtime/VMInlines.h:
3170         (JSC::VM::shouldTriggerTermination):
3171         (JSC::VM::logEvent):
3172
3173 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
3174
3175         Web Inspector: Backend should initiate timeline recordings on page navigations to ensure nothing is missed
3176         https://bugs.webkit.org/show_bug.cgi?id=157504
3177         <rdar://problem/26188642>
3178
3179         Reviewed by Brian Burg.
3180
3181         * inspector/protocol/Timeline.json:
3182         Add protocol commands to enable/disable auto capture and list the
3183         instruments that should be enabled when auto capture starts.
3184         Add protocol event for when the backend starts an auto capture.
3185
3186 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
3187
3188         Make the different evaluateWithScopeExtension implementations more consistent
3189         https://bugs.webkit.org/show_bug.cgi?id=157536
3190
3191         Reviewed by Timothy Hatcher.
3192
3193         * inspector/JSInjectedScriptHost.cpp:
3194         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3195         Throw the exception consistent with JSJavaScriptCallFrame.
3196
3197         * inspector/JSJavaScriptCallFrame.cpp:
3198         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3199         Better error message consistent with InjectedScriptHost.
3200
3201         * runtime/Completion.h:
3202         * runtime/Completion.cpp:
3203         (JSC::evaluateWithScopeExtension):
3204         Give this an Exception out parameter like other evaluations
3205         so the caller can decide what to do with it.
3206
3207 2016-05-10  Benjamin Poulain  <bpoulain@apple.com>
3208
3209         [JSC] FTL can produce GetByVal nodes without proper bounds checking
3210         https://bugs.webkit.org/show_bug.cgi?id=157502
3211         rdar://problem/26027027
3212
3213         Reviewed by Filip Pizlo.
3214
3215         It was possible for FTL to generate GetByVal on arbitrary offsets
3216         without any bounds checking.
3217
3218         The bug is caused by the order of optimization phases:
3219         -First, the Integer Range Optimization proves that a CheckInBounds
3220          test can never fail.
3221          This proof is based on control flow or preceding instructions
3222          inside a loop.
3223         -The Loop Invariant Code Motion phase finds that the GetByVal does not
3224          depend on anything in the loop and hoists it out of the loop.
3225         -> As a result, the conditions that were necessary to eliminate
3226            the CheckInBounds are no longer met before the GetByVal.
3227
3228         This patch just moves the Integer Range Optimization phase after
3229         Loop Invariant Code Motion to make sure no code is moved after
3230         its integer ranges bounds proofs have been used.
3231
3232         * dfg/DFGPlan.cpp:
3233         (JSC::DFG::Plan::compileInThreadImpl):
3234         * tests/stress/bounds-check-not-eliminated-by-licm.js: Added.
3235         (testInLoopTests):
3236
2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Eliminate the crazy code for evaluateOnCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=157510
        <rdar://problem/26191332>

        Reviewed by Timothy Hatcher.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        Set and clear an optional scope extension object.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.evaluate):
        (InjectedScript.prototype._evaluateOn):
        (InjectedScript.prototype.evaluateOnCallFrame):
        Unify the code to use the passed in evaluate function and object.
        When evaluating on a call frame the evaluate function ends up being
        DebuggerCallFrame::evaluateWithScopeExtension. When evaluating globally
        this ends up being JSInjectedScriptHost::evaluateWithScopeExtension.
        In both cases "object" is the preferred this object to use.

        * debugger/DebuggerCallFrame.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::evaluate): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JavaScriptCallFrame::evaluate): Deleted.
        Pass through to DebuggerCallFrame with the proper arguments.

        * debugger/Debugger.cpp:
        (JSC::Debugger::hasBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        Use the new evaluate on call frame method name and no scope extension object.

2016-05-10  Saam barati  <sbarati@apple.com>

        Make super-property-access.js test run for less time because it was timing out in debug builds.

        Rubber stamped by Filip Pizlo.

        * tests/stress/super-property-access.js:
        (test):
        (test.value):
        (test.foo):
        (test.B.prototype.bar):
        (test.B):

2016-05-10  Csaba Osztrogonác  <ossy@webkit.org>

        [JSC] Fix the !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=157512

        Reviewed by Mark Lam.

        * jit/Repatch.cpp:

2016-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=157442
        <rdar://problem/24172015>

        Reviewed by Saam Barati.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::thisValueForCallFrame):
        When the thisValue is JSValue() return undefined and avoid calling
        toThisValue which would lead to a crash. Having `this` be an empty
        JSValue could happen inside an ES6 class constructor, before
        calling super.

2016-05-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * bytecode/ValueProfile.cpp:
        (JSC::ResultProfile::emitDetectNumericness):
        (JSC::ResultProfile::emitSetNonNumber):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::detectNumericness):
        (JSC::ResultProfile::hasBits):

2016-05-09  Michael Saboff  <msaboff@apple.com>

        Crash beneath ObjCCallbackFunctionImpl::call
        https://bugs.webkit.org/show_bug.cgi?id=157491

        Reviewed by Saam Barati.

        Clear any exceptions after the micro task runs.

        Tried creating a test case, but I don't have source for the app.
        I can't seem to find the right combination of Promises and ObjC code.

        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):

2016-05-09  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic operands in operators coerces downstream values to double.
        https://bugs.webkit.org/show_bug.cgi?id=151793

        Reviewed by Mark Lam.

        Previously if an object flowed into arithmetic, the prediction propagation phase would either
        assume that the output of the arithmetic had to be double or sometimes it would assume that it
        couldn't be double. We want it to only assume that the output is double if it actually had been.

        The first part of this patch is to roll out http://trac.webkit.org/changeset/200502. That removed
        some of the machinery that we had in place to detect whether the output of an operation is int or
        double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
        The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
        false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
        in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
        change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes
        it.

        This also makes two other changes to shore up ResultProfile:
        - OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
        - Baseline JIT slow paths now set bits in ResultProfile.

        Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
        ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
        prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
        those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
        is already strictly better than what prediction propagation was doing before.

        This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
        problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
        up 8x with this change (object-int-add-array).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::hasExitSite):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump):
        (JSC::DFG::ExitProfile::ExitProfile):
        (JSC::DFG::ExitProfile::~ExitProfile):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
        (JSC::MethodOfGettingAValueProfile::emitReportValue):
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::operator bool):
        (JSC::MethodOfGettingAValueProfile::operator!): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ValueProfile.cpp:
        (JSC::ResultProfile::emitDetectBitsLight):
        (JSC::ResultProfile::emitSetDouble):
        (JSC::ResultProfile::emitSetNonNumber):
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::ResultProfile):
        (JSC::ResultProfile::bytecodeOffset):
        (JSC::ResultProfile::specialFastPathCount):
        (JSC::ResultProfile::didObserveNonInt32):
        (JSC::ResultProfile::didObserveDouble):
        (JSC::ResultProfile::didObserveNonNegZeroDouble):
        (JSC::ResultProfile::didObserveNegZeroDouble):
        (JSC::ResultProfile::didObserveNonNumber):
        (JSC::ResultProfile::didObserveInt32Overflow):
        (JSC::ResultProfile::didObserveInt52Overflow):
        (JSC::ResultProfile::setObservedNonNegZeroDouble):
        (JSC::ResultProfile::setObservedNegZeroDouble):
        (JSC::ResultProfile::setObservedNonNumber):
        (JSC::ResultProfile::setObservedInt32Overflow):
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::detectBitsLight):
        (JSC::ResultProfile::hasBits):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::ensureNaturalLoops):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::valueProfileFor): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::numBlocks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::mayHaveNonIntResult):
        (JSC::DFG::Node::mayHaveDoubleResult):
        (JSC::DFG::Node::mayHaveNonNumberResult):
        (JSC::DFG::Node::hasConstantBuffer):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfEqual):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchStructure):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::CCallHelpers):
        (JSC::CCallHelpers::setupArguments):
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/IntrinsicEmitter.cpp:
        (JSC::AccessCase::emitIntrinsicGetter):
        * jit/JIT.h:
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITAddGenerator.h:
        (JSC::JITAddGenerator::JITAddGenerator):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateFastPath):
        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::JITSubGenerator):
        * jit/TagRegistersMode.cpp: Added.
        (WTF::printInternal):
        * jit/TagRegistersMode.h: Added.
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateResultProfileForBinaryArithOp):

2016-05-09  Keith Miller  <keith_miller@apple.com>

        CallObjectConstructor should not call operationToThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=157492
        <rdar://problem/26149904>

        Reviewed by Mark Lam.

        At some point when I was working on intrinsifying the Object
        constructor, I realized that the Object constructor was different
        from the ToObject operation. I fixed the DFG but I guess I didn't
        fix the FTL.

        This patch fixes an issue with www.wunderground.com not loading
        the 10-day forecast and local map.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
        * tests/stress/call-object-constructor.js: Added.
        (test):
        (assert):

2016-05-09  Saam barati  <sbarati@apple.com>

        Getter and setter on super are called with wrong "this" object
        https://bugs.webkit.org/show_bug.cgi?id=147064
        <rdar://problem/21885916>

        Reviewed by Filip Pizlo.

        This patch implements calls to 'super' getters and setters.
        The problem before was that we were passing the 'super' (i.e., the prototype
        object) as the this value to these getters/setters, which is wrong.
        We should be passing the caller's this value.

        To implement this behavior, I've introduced four new opcodes and their corresponding DFG nodes:
        - op_get_by_id_with_this | GetByIdWithThis
        - op_put_by_id_with_this | PutByIdWithThis
        - op_get_by_val_with_this | GetByValWithThis
        - op_put_by_val_with_this | PutByValWithThis

        These are implemented with no optimizations. The future plan is
        to unite them with the *by_id and *by_val opcodes and nodes:
        https://bugs.webkit.org/show_bug.cgi?id=157215

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitPutByVal):
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::ensureThis):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::emitHomeObjectForCallee):
        (JSC::emitSuperBaseForCallee):
        (JSC::emitGetSuperFunctionForConstruct):
        (JSC::SuperNode::emitBytecode):
        (JSC::NewTargetNode::emitBytecode):
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::AssignmentElementNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::putWithThis):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::setupShadowChickenPacket):
        (JSC::CCallHelpers::setupFourStubArgsGPR):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupThreeStubArgsGPR):
        (JSC::CCallHelpers::setupTwoStubArgsFPR):
        (JSC::CCallHelpers::setupStubArguments134):
        * jit/GPRInfo.h:
        (JSC::argumentRegisterFor): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_val_with_this):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emit_op_get_by_val_with_this):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emit_op_get_by_val_with_this):
        (JSC::JIT::emit_op_put_by_id_with_this):
        (JSC::JIT::emit_op_put_by_val_with_this):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * tests/stress/super-property-access-exceptions.js: Added.
        (assert):
        (test):
        (test.fooProp):
        (test.A.prototype.get foo):
        (test.A.prototype.get x):
        (test.A):
        (test.B):
        (test.B.prototype.bar):
        (test.B.prototype.baz):
        (test.foo):
        (test.func):
        (test.A.prototype.set foo):
        * tests/stress/super-property-access-tdz.js: Added.
        (assert):
        (test):
        (shouldThrowTDZ):
        (test.A.prototype.get foo):
        (test.A.prototype.set foo):
        (test.A):
        (test.fooProp):
        (test.B):
        (test.C):
        (test.D):
        (test.E):
        (test.F):
        * tests/stress/super-property-access.js: Added.
        (assert):
        (test):
        (func):
        (test.A):
        (test.A.prototype.set value):
        (test.A.prototype.get value):
        (test.B.prototype.set value):
        (test.B.prototype.get value):
        (test.B):
        (test.value):
        (test.A.prototype.get func):
        (test.B.prototype.inc):
        (test.B.prototype.dec):
        (test.B.prototype.preInc):
        (test.B.prototype.preDec):
        (test.B.prototype.plusEq):
        (test.B.prototype.minusEq):
        (test.B.prototype.timesEq):
        (test.B.prototype.divEq):
        (test.B.prototype.funcDot):
        (test.B.prototype.funcBracket):
        (test.foo):
        (test.B.prototype.baz):
        (test.B.prototype.jaz):
        (test.B.prototype.bar):
        (test.B.prototype.index):
        (test.):
        (test.prototype.bar):
        (test.A.prototype.set foo):
        (test.A.prototype.get array):
        (test.A.prototype.get foo):
        (test.obj):
        (test.A.prototype.get call):
        (test.A.prototype.get apply):
        (test.B.prototype.foo):
        (test.A.prototype.get i):

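The `this` semantics the entry above fixes, shown as an added example in plain JavaScript (editorial illustration, not WebKit code and not one of the stress tests listed): `super.x` inside a method is evaluated as `Reflect.get(Object.getPrototypeOf(HomeObject), "x", this)`, so an inherited getter or setter must run with the caller's receiver, not with the prototype object that `super` names. The same block also shows why DebuggerCallFrame can observe an empty `this` in a derived-class constructor before `super()` (the 2016-05-09 thisValueForCallFrame entry further up). The class names A, B and Derived and the property names are constructed for the illustration.

```javascript
// Added example (not WebKit code). Demonstrates the receiver passed to
// getters and setters reached through `super`, and the TDZ on `this` in a
// derived constructor. All names here are constructed for the illustration.

class A {
  // Getter returns its receiver, so callers can see which `this` it ran with.
  get whoAmI() { return this; }
  // Setter writes to its receiver, so the written-to object is observable too.
  set stored(v) { this._stored = v; }
  get stored() { return this._stored; }
}

class B extends A {
  // super.whoAmI is Reflect.get(A.prototype, "whoAmI", this): the getter must
  // run with the B instance as receiver, not with A.prototype.
  superGetter() { return super.whoAmI; }
  // super.stored = v is Reflect.set(A.prototype, "stored", v, this): the setter
  // must write onto the instance, not onto A.prototype.
  superSetter(v) { super.stored = v; return super.stored; }
  // The bracket form (op_get_by_val_with_this in the entry) behaves the same.
  superBracket(key) { return super[key]; }
}

// Collects the observable outcomes as booleans so they can be asserted on.
function checkSuperThis() {
  const b = new B();
  const getterResult = b.superGetter();
  const roundTrip = b.superSetter(42);
  return {
    getterSeesInstance: getterResult === b,
    getterIsNotPrototype: getterResult !== A.prototype,
    bracketSeesInstance: b.superBracket("whoAmI") === b,
    setterWritesToInstance: roundTrip === 42 && b._stored === 42,
    prototypeUntouched: !Object.prototype.hasOwnProperty.call(A.prototype, "_stored"),
  };
}

// Spells out the difference the patch is about: the correct receiver is the
// caller's `this`; the pre-fix behaviour amounted to omitting the receiver,
// which makes the getter run with the prototype object as `this`.
function receiverComparison() {
  const b = new B();
  const home = Object.getPrototypeOf(B.prototype); // A.prototype
  return {
    correctIsInstance: Reflect.get(home, "whoAmI", b) === b,
    wrongIsPrototype: Reflect.get(home, "whoAmI") === A.prototype,
  };
}

// In a derived constructor `this` is in its temporal dead zone until super()
// returns; touching it earlier throws. This is the window in which the
// debugger's thisValue is empty rather than an object.
function thisBeforeSuper() {
  class Derived extends A {
    constructor() {
      let observed;
      try { observed = this; } catch (e) { observed = e.name; }
      super();
      this.observed = observed;
    }
  }
  return new Derived().observed; // "ReferenceError"
}
```

`receiverComparison` is the one-line summary of the bug: dropping the receiver argument is exactly what passing the prototype object as `this` amounts to, and a getter that stores or reads per-instance state then operates on the shared prototype instead of the instance.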
2016-05-08  Chris Dumez  <cdumez@apple.com>

        [COCOA] Disable HAVE_DTRACE at build time
        https://bugs.webkit.org/show_bug.cgi?id=157433
        <rdar://problem/26148841>

        Reviewed by Mark Lam.

        Drop DTRACE-related code from JSC since it is very old and seems
        unused.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformMac.cmake:
        * heap/Heap.cpp:
        (JSC::Heap::collectImpl): Deleted.
        (JSC::Heap::didFinishCollection): Deleted.
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute): Deleted.
        (JSC::ProfileGenerator::didExecute): Deleted.
        * runtime/Tracing.d: Removed.
        * runtime/Tracing.h: Removed.

2016-05-07  Mark Lam  <mark.lam@apple.com>

        Add JSC options bytecodeRangeToJITCompile and jitWhitelist.
        https://bugs.webkit.org/show_bug.cgi?id=157428

        Reviewed by Michael Saboff.

        1. Added Options::bytecodeRangeToJITCompile and Options::jitWhitelist options.

        2. Moved DFGFunctionWhitelist* to FunctionWhitelist* and made it generic so that
           it can be used for more than one whitelist instance.  In this case, we now have
           two: the dfgWhitelist and the jitWhitelist.

        3. Added "can compile" checks in LLInt::shouldJIT() to check
           Options::bytecodeRangeToJITCompile and Options::jitWhitelist.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::getNumCompilations):
        (JSC::DFG::ensureGlobalDFGWhitelist):
        (JSC::DFG::compileImpl):
        * dfg/DFGFunctionWhitelist.cpp: Removed.
        * dfg/DFGFunctionWhitelist.h: Removed.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::ensureGlobalJITWhitelist):
        (JSC::LLInt::shouldJIT):

        * runtime/Options.h:

        * tools/FunctionWhitelist.cpp: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.cpp.
        (JSC::FunctionWhitelist::FunctionWhitelist):
        (JSC::FunctionWhitelist::contains):
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): Deleted.
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist): Deleted.
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): Deleted.
        (JSC::DFG::FunctionWhitelist::contains): Deleted.
        * tools/FunctionWhitelist.h: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.h.

2016-05-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][32bit] stress/tagged-templates-template-object.js fails in debug
        https://bugs.webkit.org/show_bug.cgi?id=157436

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        The node OverridesHasInstance had a speculation after a jump.

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Misc CommandLineAPI cleanup
        https://bugs.webkit.org/show_bug.cgi?id=157450

        Reviewed by Ryosuke Niwa.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):
        Fix mistake in r200533, and modernize related code.

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve console.count()
        https://bugs.webkit.org/show_bug.cgi?id=157439
        <rdar://problem/26152654>

        Reviewed by Timothy Hatcher.

          - make console.count() increment an unnamed global counter.
          - make console.count(label) increment a counter with that label name.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count):

2016-05-06  Simon Fraser  <simon.fraser@apple.com>

        Enable IOS_TEXT_AUTOSIZING on Mac and make it testable
        https://bugs.webkit.org/show_bug.cgi?id=157432
        rdar://problem/16406720

        Reviewed by Dean Jackson.

        Enable IOS_TEXT_AUTOSIZING on Mac so it can be tested.

        * Configurations/FeatureDefines.xcconfig:

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Console: Variables defined with let/const aren't accessible outside of console's scope
        https://bugs.webkit.org/show_bug.cgi?id=150752
        <rdar://problem/23343385>

        Reviewed by Mark Lam.

        This approach allows Web Inspector to hang a "Scope Extension", a
        WithObjectScope, off the GlobalObject. When resolving identifiers
        fails to resolve anything in the normal scope chain, consult
        the scope extension.

        This allows us to eliminate the `with (commandLineAPI) { ... }`
        block in global console evaluations, and instead makes it a full
        program evaluation, with the commandLineAPI available and safely
        shadowed by actual variables as expected.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._evaluateOn):
        Use the new evaluateWithScopeExtension and provide the CommandLineAPI
        object as the scope extension object.

        (BasicCommandLineAPI):
        (BasicCommandLineAPI.inScopeVariables): Deleted.
        Simplify now that we don't need to check for variable shadowing ourselves.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        Provide a new InjectedScriptHost method to evaluate a program
        with a scope extension.

        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/Completion.h:
        General JSC::evaluate function to evaluate a program with a scope extension.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalScopeExtension):
        (JSC::JSGlobalObject::clearGlobalScopeExtension):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::globalScopeExtension):
        Hang a scope extension off the global object.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):
        Consult the scope extension when resolve fails to find anything normally.

2016-05-06  Mark Lam  <mark.lam@apple.com>

        Add JSC options reportBaselineCompileTimes and reportDFGCompileTimes.
        https://bugs.webkit.org/show_bug.cgi?id=157427
3889         https://bugs.webkit.org/show_bug.cgi?id=157427
3890