[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-10-02  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed, rolling out r190520, some tests assert / crash.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::willStartCollection): Deleted.
        (JSC::Heap::didFinishCollection): Deleted.
        * heap/Heap.h:
        (JSC::Heap::addObserver): Deleted.
        (JSC::Heap::removeObserver): Deleted.
        * heap/HeapObserver.h: Removed.
        * heap/MarkedSpace.h:
        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::vm): Deleted.
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorHeapAgent.cpp: Removed.
        * inspector/agents/InspectorHeapAgent.h: Removed.
        * inspector/protocol/Heap.json: Removed.

2015-10-01  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in r190450
        https://bugs.webkit.org/show_bug.cgi?id=149727

        The cause of the crash was a CodeBlock, after surviving a call to
        deleteAllCode by virtue of being in the remembered set, trying to mark
        its inlined CodeBlocks via pointers from its inlined executables.
        Since deleteAllCode clears those pointers, the CodeBlock would ASSERT.
        (Any other choice to retain a CodeBlock after deleteAllCode -- for
        example, conservative marking -- could trigger the same bug.)

        The fix is for InlineCallFrame to point directly to its inlined CodeBlock
        instead of pointing indirectly via an executable. This guarantees that
        CodeBlocks are GC safe regardless of whether we've called deleteAllCode.

        Restored changesets:

        "CodeBlock should be a GC object"
        https://bugs.webkit.org/show_bug.cgi?id=149727
        http://trac.webkit.org/changeset/190450

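The crash and fix described in the roll-back-in entry above, reduced to a small model. This is an added example, not JavaScriptCore code: the Heap, Executable, CodeBlock and InlineCallFrame below are simplified stand-ins with made-up fields, and the remembered set is modelled as a plain set of objects that an eden collection re-visits whether or not anything still reaches them. It shows why a visitor that reaches an inlined CodeBlock through a cleared Executable pointer hits the ASSERT after deleteAllCode, and why a direct pointer on the InlineCallFrame does not.

```cpp
// Added example (not WebKit code): a toy model of the r190450 GC-safety issue.
// All names are simplified stand-ins for the JSC types of the same name.
#include <cstdio>
#include <unordered_set>
#include <vector>

struct CodeBlock;

// An Executable points at its current CodeBlock; deleteAllCode() clears that pointer.
struct Executable {
    CodeBlock* codeBlock = nullptr;
};

// An inlined call site. The indirect route goes through the inlined Executable
// (the rolled-out layout); the direct pointer is what the roll-back-in added.
struct InlineCallFrame {
    Executable* executable;
    CodeBlock* directCodeBlock;
};

struct CodeBlock {
    Executable* owner = nullptr;
    std::vector<InlineCallFrame> inlineCallFrames;
    bool marked = false;
};

struct Heap {
    std::vector<CodeBlock*> allCodeBlocks;
    // Objects written to since the last collection. An eden collection re-visits
    // them regardless of reachability, which is how the outer CodeBlock in the
    // ChangeLog scenario survives deleteAllCode.
    std::unordered_set<CodeBlock*> rememberedSet;

    // deleteAllCode clears the Executable -> CodeBlock pointers immediately; the
    // CodeBlock objects themselves stay allocated until a later GC sweeps them.
    void deleteAllCode() {
        for (CodeBlock* cb : allCodeBlocks)
            cb->owner->codeBlock = nullptr;
    }

    // Marks the CodeBlocks inlined into cb. Returns false where the real code
    // would ASSERT: the inlined CodeBlock was looked up through a pointer that
    // deleteAllCode already cleared.
    bool visitChildren(CodeBlock* cb, bool useDirectPointer) {
        for (const InlineCallFrame& frame : cb->inlineCallFrames) {
            CodeBlock* inlined = useDirectPointer ? frame.directCodeBlock
                                                 : frame.executable->codeBlock;
            if (!inlined)
                return false;
            inlined->marked = true;
        }
        return true;
    }

    // An eden collection only re-visits the remembered set.
    bool edenCollect(bool useDirectPointer) {
        for (CodeBlock* cb : rememberedSet) {
            cb->marked = true;
            if (!visitChildren(cb, useDirectPointer))
                return false;
        }
        return true;
    }
};

// Scenario: 'outer' inlines 'inner', outer sits in the remembered set, then
// (optionally) deleteAllCode runs, then an eden collection marks from the
// remembered set. Returns true if marking completes without the ASSERT.
bool edenCollectionSucceeds(bool deleteAllCodeFirst, bool useDirectPointer) {
    Executable outerExec, innerExec;
    CodeBlock outer, inner;
    outer.owner = &outerExec;
    inner.owner = &innerExec;
    outerExec.codeBlock = &outer;
    innerExec.codeBlock = &inner;
    outer.inlineCallFrames.push_back({&innerExec, &inner});

    Heap heap;
    heap.allCodeBlocks = {&outer, &inner};
    heap.rememberedSet.insert(&outer);

    if (deleteAllCodeFirst)
        heap.deleteAllCode();
    return heap.edenCollect(useDirectPointer);
}

int main() {
    std::printf("indirect, no deleteAllCode:    %s\n", edenCollectionSucceeds(false, false) ? "ok" : "ASSERT");
    std::printf("indirect, after deleteAllCode: %s\n", edenCollectionSucceeds(true, false) ? "ok" : "ASSERT");
    std::printf("direct, after deleteAllCode:   %s\n", edenCollectionSucceeds(true, true) ? "ok" : "ASSERT");
    return 0;
}
```

Compile with any C++14 compiler and run; the second line is the rolled-out configuration. The takeaway is that an object's marking must not depend on pointers that a separate operation (here deleteAllCode) may clear out of band. The direct pointer makes liveness a property of the CodeBlock graph alone, which is what the entry means by "GC safe regardless of whether we've called deleteAllCode"; in a release build the same indirect lookup would be a null dereference inside the collector rather than an ASSERT.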
2015-10-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Include Garbage Collection Event in Timeline
        https://bugs.webkit.org/show_bug.cgi?id=142510

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * heap/HeapObserver.h:
        * heap/Heap.cpp:
        (JSC::Heap::willStartCollection):
        (JSC::Heap::didFinishCollection):
        * heap/Heap.h:
        (JSC::Heap::addObserver):
        (JSC::Heap::removeObserver):
        Allow observers on heap to add hooks for starting / ending garbage collection.

        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::vm):
        * inspector/JSGlobalObjectInspectorController.h:
        Access the VM through the InspectorEnvironment as it won't change.

        * inspector/agents/InspectorHeapAgent.cpp: Added.
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorHeapAgent::enable):
        (Inspector::InspectorHeapAgent::disable):
        (Inspector::InspectorHeapAgent::gc):
        (Inspector::protocolTypeForHeapOperation):
        (Inspector::InspectorHeapAgent::willGarbageCollect):
        (Inspector::InspectorHeapAgent::didGarbageCollect):
        * inspector/agents/InspectorHeapAgent.h: Added.
        * inspector/protocol/Heap.json: Added.
        New domain and agent to handle tasks related to the JavaScriptCore heap.

2015-10-01  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r190450
        https://bugs.webkit.org/show_bug.cgi?id=148560

        Crashes seen on el cap wk1 bots.

        Reverted changesets:

        "CodeBlock should be a GC object"
        https://bugs.webkit.org/show_bug.cgi?id=149727
        http://trac.webkit.org/changeset/190450

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::dumpAssumingJITType):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setNumParameters):
        (JSC::CodeBlock::specialOSREntryBlockOrNull):
        (JSC::CodeBlock::visitStrongly):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::shouldVisitStrongly):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::shouldJettisonDueToWeakReference):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::visitOSRExitTargets):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::newReplacement):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::ModuleProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::capabilityLevelInternal):
        (JSC::ModuleProgramCodeBlock::capabilityLevelInternal):
        (JSC::EvalCodeBlock::capabilityLevelInternal):
        (JSC::FunctionCodeBlock::capabilityLevelInternal):
        (JSC::WebAssemblyCodeBlock::replacement):
        (JSC::WebAssemblyCodeBlock::capabilityLevelInternal):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::capabilityLevel):
        (JSC::FunctionCodeBlock::destroy): Deleted.
        (JSC::WebAssemblyCodeBlock::destroy): Deleted.
        (JSC::ProgramCodeBlock::destroy): Deleted.
        (JSC::ModuleProgramCodeBlock::destroy): Deleted.
        (JSC::EvalCodeBlock::destroy): Deleted.
        (JSC::CodeBlock::finishCreation): Deleted.
        (JSC::CodeBlock::setAlternative): Deleted.
        (JSC::CodeBlock::visitWeakly): Deleted.
        (JSC::CodeBlock::visitChildren): Deleted.
        (JSC::timeToLive): Deleted.
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
        (JSC::CodeBlock::replacement): Deleted.
        (JSC::CodeBlock::computeCapabilityLevel): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::unlinkedCodeBlock):
        (JSC::CodeBlock::addressOfNumParameters):
        (JSC::CodeBlock::offsetOfNumParameters):
        (JSC::CodeBlock::alternative):
        (JSC::CodeBlock::setAlternative):
        (JSC::CodeBlock::forEachRelatedCodeBlock):
        (JSC::CodeBlock::specializationKind):
        (JSC::CodeBlock::instructionCount):
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::hasBaselineJITProfiling):
        (JSC::CodeBlock::capabilityLevelState):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::appendExceptionHandler):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::replaceConstant):
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::EvalCodeBlock::variable):
        (JSC::EvalCodeBlock::numVariables):
        (JSC::EvalCodeBlock::unlinkedEvalCodeBlock):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock):
        (JSC::ExecState::uncheckedR):
        (JSC::CodeBlock::clearMarks):
        (JSC::CodeBlockSet::mark):
        (JSC::ScriptExecutable::forEachCodeBlock):
        (JSC::ProgramCodeBlock::create): Deleted.
        (JSC::ProgramCodeBlock::createStructure): Deleted.
        (JSC::ModuleProgramCodeBlock::create): Deleted.
        (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
        (JSC::EvalCodeBlock::create): Deleted.
        (JSC::EvalCodeBlock::createStructure): Deleted.
        (JSC::FunctionCodeBlock::create): Deleted.
        (JSC::FunctionCodeBlock::createStructure): Deleted.
        (JSC::WebAssemblyCodeBlock::create): Deleted.
        (JSC::WebAssemblyCodeBlock::createStructure): Deleted.
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h:
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::reallyAdd):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::osrEntryBlock): Deleted.
        (JSC::DFG::JITCode::setOSREntryBlock): Deleted.
        (JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::clearCodeBlockMarks):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllPlansForVM):
        (JSC::DFG::Worklist::clearCodeBlockMarks):
        (JSC::DFG::completeAllPlansForVM):
        (JSC::DFG::clearCodeBlockMarks):
        (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
        (JSC::DFG::rememberCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        (JSC::DFG::worklistForIndexOrNull):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::clearMarksForEdenCollection):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::remove):
        (JSC::CodeBlockSet::traceMarked):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::clearUnmarkedExecutables):
        (JSC::Heap::willStartCollection):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * jit/GCAwareJITStubRoutine.h:
        * jit/JITCode.h:
        (JSC::JITCode::isJIT):
        (JSC::JITCode::timeToLive):
        (JSC::JITCode::isLowerTier):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        (JSC::EvalExecutable::visitChildren):
        (JSC::EvalExecutable::clearCode):
        (JSC::ProgramExecutable::checkSyntax):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::ProgramExecutable::clearCode):
        (JSC::ModuleProgramExecutable::visitChildren):
        (JSC::ModuleProgramExecutable::clearCode):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::FunctionExecutable::clearCode):
        (JSC::FunctionExecutable::fromGlobalCode):
        (JSC::WebAssemblyExecutable::visitChildren):
        (JSC::WebAssemblyExecutable::clearCode):
        (JSC::WebAssemblyExecutable::prepareForExecution):
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeForCall):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::ExecutableBase::clearCodeVirtual):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-10-01  Geoffrey Garen  <ggaren@apple.com>

        CodeBlock should be a GC object
        https://bugs.webkit.org/show_bug.cgi?id=149727

        Reviewed by Filip Pizlo.

        We want CodeBlock to be a GC object:

        (1) Sane write barriers. Because CodeBlock wasn't a GC object, we couldn't
        execute a write barrier on it. This caused us to do weird things that
        were hard to reason about, like executing a barrier on a related executable
        (even though the executable might stop pointing to the CodeBlock before
        the next GC), or pretending that an object had written to itself. Now,
        when we write to a CodeBlock, we barrier the CodeBlock, and that's that.

        (2) Simpler marking and destruction logic. There's no need to have a
        custom remembered set or a destruction fixpoint if we just obey normal
        GC rules.

        * bytecode/CodeBlock.cpp:
        (JSC::FunctionCodeBlock::destroy):
        (JSC::WebAssemblyCodeBlock::destroy):
        (JSC::ProgramCodeBlock::destroy):
        (JSC::ModuleProgramCodeBlock::destroy):
        (JSC::EvalCodeBlock::destroy): Add ClassInfo and destroy functions
        because our GC object model requires them.

        Note that we do not set the needsDestruction flag. Since CodeBlock needs
        eager destruction, it runs its destructors through CodeBlockSet,
        and not through normal object sweeping.

        (JSC::CodeBlock::finishCreation): Factor out finishCreation from the
        constructor because our GC object model requires it. Change write
        barriers to note the CodeBlock as the owner.

        (JSC::CodeBlock::~CodeBlock): Refactor to use the shared
        unlinkIncomingCalls() function instead of rolling a copy by hand.

        (JSC::CodeBlock::visitWeakly): New helper function for owner executables
        to do weak marking that might jettison a CodeBlock. Our new GC logic
        says that a CodeBlock pointer is a strong reference by default, and
        clients need to opt in if they want to allow a CodeBlock to jettison.
        This is easier to get right because it means that only those
        specific owners that want jettison behavior need to worry about it,
        while all other pointers are valid by default.

        (JSC::CodeBlock::visitChildren): The default visit function keeps
        everything alive.

        (JSC::CodeBlock::shouldVisitStrongly):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC): No need to keep special state
        anymore. If we're marked, we're live -- just like any other object.

        (JSC::timeToLive): Move this code into CodeBlock.cpp so you can mess
        with it without recompiling, and also because it's really a CodeBlock
        policy.

        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Use
        internal objects for virtual callbacks because GC objects can't have
        vtables.

        (JSC::CodeBlock::unlinkIncomingCalls): Remove a fast path check that does
        not exist in the copy of this code in ~CodeBlock because it is not
        actually an optimization.

        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel): Make these functions generic
        instead of virtual because GC objects can't have vtables.

        (JSC::CodeBlock::visitStrongly): Deleted.
        (JSC::CodeBlock::visitAggregate): Deleted.
        (JSC::CodeBlock::visitWeakReferences): Deleted.
        (JSC::CodeBlock::finalizeUnconditionally): Deleted.
        (JSC::ProgramCodeBlock::replacement): Deleted.
        (JSC::ModuleProgramCodeBlock::replacement): Deleted.
        (JSC::EvalCodeBlock::replacement): Deleted.
        (JSC::FunctionCodeBlock::replacement): Deleted.
        (JSC::ProgramCodeBlock::capabilityLevelInternal): Deleted.
        (JSC::ModuleProgramCodeBlock::capabilityLevelInternal): Deleted.
        (JSC::EvalCodeBlock::capabilityLevelInternal): Deleted.
        (JSC::FunctionCodeBlock::capabilityLevelInternal): Deleted.
        (JSC::WebAssemblyCodeBlock::replacement): Deleted.
        (JSC::WebAssemblyCodeBlock::capabilityLevelInternal): Deleted.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::unlinkedCodeBlock):
        (JSC::CodeBlock::addressOfNumParameters):
        (JSC::CodeBlock::offsetOfNumParameters):
        (JSC::CodeBlock::alternative):
        (JSC::CodeBlock::forEachRelatedCodeBlock):
        (JSC::CodeBlock::specializationKind):
        (JSC::CodeBlock::instructionCount):
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::hasBaselineJITProfiling):
        (JSC::CodeBlock::capabilityLevelState):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::appendExceptionHandler):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::replaceConstant):
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::create):
        (JSC::ProgramCodeBlock::createStructure):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::ModuleProgramCodeBlock::create):
        (JSC::ModuleProgramCodeBlock::createStructure):
        (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
        (JSC::EvalCodeBlock::create):
        (JSC::EvalCodeBlock::createStructure):
        (JSC::EvalCodeBlock::variable):
        (JSC::EvalCodeBlock::numVariables):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::EvalCodeBlock::unlinkedEvalCodeBlock):
        (JSC::FunctionCodeBlock::create):
        (JSC::FunctionCodeBlock::createStructure):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        (JSC::WebAssemblyCodeBlock::create):
        (JSC::WebAssemblyCodeBlock::createStructure):
        (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock):
        (JSC::ExecState::uncheckedR):
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        (JSC::CodeBlockSet::mark):
        (JSC::ScriptExecutable::forEachCodeBlock):
        (JSC::CodeBlock::setAlternative): Deleted.
        (JSC::CodeBlock::clearMarks): Deleted. Lots of mechanical changes to
        match the logic changes above.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h: Provide a profiledDFGCodeBlock
        to all compilation callbacks instead of requiring the callback to
        store the profiledDFGCodeBlock. This is how the rest of compilation
        around the callback works anyway, and it is easier to do things this
        way than to think about how a non-GC malloc'd object should keep its
        CodeBlock alive.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase): Change the owner for write
        barrier purposes to CodeBlock.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::reallyAdd):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph): Ditto.

        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::osrEntryBlock):
        (JSC::DFG::JITCode::setOSREntryBlock):
        (JSC::DFG::JITCode::clearOSREntryBlock): Use helper functions for
        accessing osrEntryBlock to help with write barrier stuff.

        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget): Use CodeBlock as owner instead of
        executable.

        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::rememberCodeBlocks):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::clearCodeBlockMarks): Deleted.
        * dfg/DFGPlan.h: Use normal GC write barrier concepts to model the fact
        that the compiler writes to CodeBlocks.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: We always have
        a profiledDFGCodeBlock passed to us -- see above.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllPlansForVM):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::completeAllPlansForVM):
        (JSC::DFG::rememberCodeBlocks):
        (JSC::DFG::Worklist::clearCodeBlockMarks): Deleted.
        (JSC::DFG::clearCodeBlockMarks): Deleted.
        * dfg/DFGWorklist.h:
        (JSC::DFG::worklistForIndexOrNull): Renamed to use remembered set terminology.

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): No need for a fixpoint
        anymore since the GC can tell us if we are live.

        (JSC::CodeBlockSet::remove):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::dump):
        (JSC::CodeBlockSet::clearMarksForEdenCollection): Deleted. No need for
        this logic anymore since the GC will clear our mark bit.

        (JSC::CodeBlockSet::traceMarked): Deleted. No need for this marking
        fixpoint anymore either.

        * heap/CodeBlockSet.h:

        * heap/Heap.cpp:
        (JSC::Heap::markRoots): Moved some of this logic around to make the
        algorithm clearer.

        (JSC::Heap::deleteAllCodeBlocks): Deleting CodeBlocks can only clear
        pointers immediately; they won't fully delete until the next GC and sweep.

        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * jit/GCAwareJITStubRoutine.h: CodeBlock is owner now.

        * jit/JITCode.h:
        (JSC::JITCode::isJIT):
        (JSC::JITCode::isLowerTier):
        (JSC::JITCode::timeToLive): Deleted.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter): CodeBlock is owner now.

        * jit/JITOperations.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h:

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): CodeBlock is owner now.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode): Provide a generic clearCode() so that
        it can be used on any Executable. This fixes a very subtle bug where
        deleteAllCode() does not remove CodeBlocks from non-function executables
        that have been saved in stack traces.

        (JSC::ScriptExecutable::installCode): WriteBarrier requires special
        handling for pointers that may be null.

        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl): Update for interface
        changes.

        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::ModuleProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::WebAssemblyExecutable::visitChildren): Visit weakly because we want
        to participate in jettisoning.

        (JSC::WebAssemblyExecutable::prepareForExecution):
        (JSC::EvalExecutable::clearCode): Deleted.
        (JSC::ProgramExecutable::clearCode): Deleted.
        (JSC::ModuleProgramExecutable::clearCode): Deleted.
        (JSC::FunctionExecutable::clearCode): Deleted.
        (JSC::WebAssemblyExecutable::clearCode): Deleted.

        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeForCall):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::ExecutableBase::clearCodeVirtual): Deleted.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h: Provide structures because our GC requires it.

649 2015-10-01  Mark Lam  <mark.lam@apple.com>
650
651         Remove unnecessary SpecialFastCaseProfiles.
652         https://bugs.webkit.org/show_bug.cgi?id=149729
653
654         Reviewed by Saam Barati.
655
656         The current baseline code creates special fast case profile records for
657         bytecodes that don't need them.  This was done to keep the DFG from crashing when
658         it searches for such a profile and doesn't find one.  Instead, we will fix the code
659         to check for the existence of the profile before dereferencing it to get a count.
660
661         * bytecode/CodeBlock.h:
662         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
663         (JSC::CodeBlock::couldTakeSpecialFastCase):
664         (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
665         (JSC::CodeBlock::numberOfArrayProfiles):
666         (JSC::CodeBlock::arrayProfiles):
667         (JSC::CodeBlock::addArrayProfile):
668         (JSC::CodeBlock::likelyToTakeSpecialFastCase): Deleted.  Not used.
669         (JSC::CodeBlock::likelyToTakeAnySlowCase): Deleted.   Not used.
670         * jit/JITArithmetic.cpp:
671
672         (JSC::JIT::compileBinaryArithOp):
673         - Only op_mul needs the profile.  So, only allocate it in the op_mul case.
674
675         (JSC::JIT::emit_op_mul):
676         - These op_mul cases create the profile but never increment its counter.
677           Hence, we can get rid of these.
678
679 2015-10-01  Keith Miller  <keith_miller@apple.com>
680
681         [ES6] Add TypedArray.prototype functionality.
682         https://bugs.webkit.org/show_bug.cgi?id=148035
683
684         Reviewed by Geoffrey Garen.
685
686         This patch should add most of the functionality for
687         the prototype properties of TypedArray objects in ES6.
688         There are a few exceptions to this, which will be added
689         in upcoming patches:
690
691         1) First we do not use the species constructor for some
692         of the TypedArray prototype functions (namely: map, filter,
693         slice, and subarray). That will need to be added when
694         species constructors are finished.
695
696         2) TypedArrays' length, byteOffset, byteLength, and buffer are
697         still attached to the TypedArray instance (in the spec they are on
698         the TypedArray.prototype instance object) since the JIT currently
699         assumes those properties are fixed.
700
701         3) The TypedArray.constructor property is not added yet
702         as it should point to the TypedArray instance object,
703         which will be added in a future patch.
704
705         * CMakeLists.txt:
706         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
707         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
708         * JavaScriptCore.xcodeproj/project.pbxproj:
709         * builtins/TypedArray.prototype.js: Added.
710         (every):
711         (find):
712         (findIndex):
713         (forEach):
714         (some):
715         (sort.min):
716         (sort.merge):
717         (sort.mergeSort):
718         (sort):
719         (reduce):
720         (reduceRight):
721         (map):
722         (filter):
723         (toLocaleString):
724         * runtime/ArrayPrototype.cpp:
725         * runtime/ArrayPrototype.h:
726         * runtime/CommonIdentifiers.h:
727         * runtime/JSGenericTypedArrayView.h:
728         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
729         (JSC::JSGenericTypedArrayView::setRangeToValue):
730         (JSC::JSGenericTypedArrayView::sort):
731         (JSC::JSGenericTypedArrayView::purifyArray):
732         (JSC::JSGenericTypedArrayView::sortComparison):
733         (JSC::JSGenericTypedArrayView::sortFloat):
734         * runtime/JSGenericTypedArrayViewInlines.h:
735         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: Added.
736         (JSC::argumentClampedIndexFromStartOrEnd):
737         (JSC::genericTypedArrayViewProtoFuncSet):
738         (JSC::genericTypedArrayViewProtoFuncEntries):
739         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
740         (JSC::genericTypedArrayViewProtoFuncFill):
741         (JSC::genericTypedArrayViewProtoFuncIndexOf):
742         (JSC::genericTypedArrayViewProtoFuncJoin):
743         (JSC::genericTypedArrayViewProtoFuncKeys):
744         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
745         (JSC::genericTypedArrayViewProtoGetterFuncLength):
746         (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
747         (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
748         (JSC::genericTypedArrayViewProtoFuncReverse):
749         (JSC::genericTypedArrayViewPrivateFuncSort):
750         (JSC::genericTypedArrayViewProtoFuncSlice):
751         (JSC::genericTypedArrayViewProtoFuncSubarray):
752         (JSC::typedArrayViewProtoFuncValues):
753         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
754         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
755         (JSC::genericTypedArrayViewProtoFuncSet): Deleted.
756         (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
757         * runtime/JSGlobalObject.cpp:
758         (JSC::JSGlobalObject::init):
759         * runtime/JSObject.h:
760         * runtime/JSTypedArrayPrototypes.cpp:
761         * runtime/JSTypedArrayPrototypes.h:
762         * runtime/JSTypedArrayViewPrototype.cpp: Added.
763         (JSC::typedArrayViewPrivateFuncLength):
764         (JSC::typedArrayViewPrivateFuncSort):
765         (JSC::typedArrayViewProtoFuncSet):
766         (JSC::typedArrayViewProtoFuncEntries):
767         (JSC::typedArrayViewProtoFuncCopyWithin):
768         (JSC::typedArrayViewProtoFuncFill):
769         (JSC::typedArrayViewProtoFuncLastIndexOf):
770         (JSC::typedArrayViewProtoFuncIndexOf):
771         (JSC::typedArrayViewProtoFuncJoin):
772         (JSC::typedArrayViewProtoFuncKeys):
773         (JSC::typedArrayViewProtoGetterFuncLength):
774         (JSC::typedArrayViewProtoGetterFuncByteLength):
775         (JSC::typedArrayViewProtoGetterFuncByteOffset):
776         (JSC::typedArrayViewProtoFuncReverse):
777         (JSC::typedArrayViewProtoFuncSubarray):
778         (JSC::typedArrayViewProtoFuncSlice):
779         (JSC::typedArrayViewProtoFuncValues):
780         (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
781         (JSC::JSTypedArrayViewPrototype::finishCreation):
782         (JSC::JSTypedArrayViewPrototype::create):
783         (JSC::JSTypedArrayViewPrototype::createStructure):
784         * runtime/JSTypedArrayViewPrototype.h: Copied from Source/JavaScriptCore/runtime/JSTypedArrayPrototypes.cpp.
785         * tests/es6.yaml:
786         * tests/stress/resources/standalone-pre.js: Added.
787         (description):
788         (debug):
789         (escapeString):
790         (testPassed):
791         (testFailed):
792         (areNumbersEqual):
793         (areArraysEqual):
794         (isMinusZero):
795         (isTypedArray):
796         (isResultCorrect):
797         (stringify):
798         (shouldBe):
799         (dfgShouldBe):
800         (shouldBeType):
801         (shouldBeTrue):
802         (shouldBeFalse):
803         (shouldBeNaN):
804         (shouldBeNull):
805         (shouldBeEqualToString):
806         (shouldBeUndefined):
807         (shouldNotThrow):
808         (shouldThrow):
809         (dfgCompiled):
810         (dfgIncrement):
811         (noInline):
812         (finishJSTest):
813         * tests/stress/resources/typedarray-test-helper-functions.js: Added.
814         (forEachTypedArray):
815         (isSameFunctionForEachTypedArrayPrototype.eq):
816         (isSameFunctionForEachTypedArrayPrototype):
817         (hasSameValues):
818         (foo):
819         (testPrototypeFunctionHelper):
820         (testPrototypeFunctionOnSigned):
821         (testPrototypeFunctionOnFloat):
822         (testPrototypeFunction):
823         (tester):
824         (testPrototypeReceivesArray):
825         * tests/stress/typedarray-copyWithin.js: Added.
826         * tests/stress/typedarray-every.js: Added.
827         (isBigEnough):
828         (isBigEnoughAndChange):
829         (isBigEnoughAndException):
830         * tests/stress/typedarray-fill.js: Added.
831         * tests/stress/typedarray-filter.js: Added.
832         (keepEven):
833         (keepEvenAndChange):
834         (isBigEnoughAndException):
835         * tests/stress/typedarray-find.js: Added.
836         (keepEven):
837         (keepEvenAndChange):
838         (isBigEnoughAndException):
839         * tests/stress/typedarray-findIndex.js: Added.
840         (keepEven):
841         (keepEvenAndChange):
842         (isBigEnoughAndException):
843         * tests/stress/typedarray-forEach.js: Added.
844         (checkCorrect.let.list):
845         (checkCorrect):
846         (createChecker):
847         (foo):
848         (changeArray):
849         (isBigEnoughAndException):
850         * tests/stress/typedarray-indexOf.js: Added.
851         (keepEven):
852         * tests/stress/typedarray-lastIndexOf.js: Added.
853         * tests/stress/typedarray-map.js: Added.
854         (even):
855         (evenAndChange):
856         (isBigEnoughAndException):
857         * tests/stress/typedarray-reduce.js: Added.
858         (createArray):
859         (sum):
860         (createArrayAndChange):
861         (isBigEnoughAndException):
862         * tests/stress/typedarray-reduceRight.js: Added.
863         (createArray):
864         (sum):
865         (createArrayAndChange):
866         (isBigEnoughAndException):
867         * tests/stress/typedarray-slice.js: Added.
868         * tests/stress/typedarray-some.js: Added.
869         (isBigEnough):
870         (isBigEnoughAndChange):
871         (isBigEnoughAndException):
872         * tests/stress/typedarray-sort.js: Added.
873         (sortBackwards):
874         (compareException):
875
876 2015-10-01  Yusuke Suzuki  <utatane.tea@gmail.com>
877
878         Introduce SymbolUse optimization into CompareEq and CompareStrictEq
879         https://bugs.webkit.org/show_bug.cgi?id=149616
880
881         Reviewed by Saam Barati.
882
883         Since ES6 Symbols are used as enum values[1] (and the WebKit inspector does so for Esprima's node types),
884         optimizing equality comparison for symbols makes much sense.
885
886         This patch leverages SymbolUse for CompareEq and CompareStrictEq.
887         Optimizations for both DFG and FTL are implemented.
888
889         [1]: http://www.2ality.com/2014/12/es6-symbols.html
890
891         * dfg/DFGAbstractInterpreterInlines.h:
892         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
893         * dfg/DFGFixupPhase.cpp:
894         (JSC::DFG::FixupPhase::fixupNode):
895         * dfg/DFGNode.h:
896         (JSC::DFG::Node::shouldSpeculateSymbol):
897         * dfg/DFGSpeculativeJIT.cpp:
898         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
899         (JSC::DFG::SpeculativeJIT::compare):
900         (JSC::DFG::SpeculativeJIT::compileStrictEq):
901         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols):
902         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
903         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
904         * dfg/DFGSpeculativeJIT.h:
905         * ftl/FTLCapabilities.cpp:
906         (JSC::FTL::canCompile):
907         * ftl/FTLLowerDFGToLLVM.cpp:
908         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
909         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
910         * tests/stress/symbol-equality.js: Added.
911         (shouldBe):
912         (equal):
913         (strictEqual):
914         (list.forEach.result.set 1):
915
916 2015-10-01  Youenn Fablet  <youenn.fablet@crf.canon.fr>
917
918         [Streams API] Add support for private WebCore JS builtins functions
919         https://bugs.webkit.org/show_bug.cgi?id=149518
920
921         Reviewed by Darin Adler.
922
923         Adding API to add private identifiers on the fly.
924         This is used to support private JS Builtin functions/private JS Builtin names in WebCore.
925
926         * builtins/BuiltinNames.h:
927         (JSC::BuiltinNames::appendExternalName):
928         * runtime/CommonIdentifiers.cpp:
929         (JSC::CommonIdentifiers::appendExternalName):
930         * runtime/CommonIdentifiers.h:
931
932 2015-09-30  Jaehun Lim  <ljaehun.lim@samsung.com>
933
934         Unreviewed, cleanup after r190385
935
936         TypedArray.prototype.js was removed in r190385.
937         Remove it from CMakeLists.txt as well.
938
939         * CMakeLists.txt:
940
941 2015-09-30  Commit Queue  <commit-queue@webkit.org>
942
943         Unreviewed, rolling out r190367 and r190373.
944         https://bugs.webkit.org/show_bug.cgi?id=149694
945
946         Windows build broken (Requested by smfr on #webkit).
947
948         Reverted changesets:
949
950         "[ES6] Add TypedArray.prototype functionality."
951         https://bugs.webkit.org/show_bug.cgi?id=148035
952         http://trac.webkit.org/changeset/190367
953
954         "Unreviewed Windows buildfix."
955         http://trac.webkit.org/changeset/190373
956
957 2015-09-30  Keith Miller  <keith_miller@apple.com>
958
959         Unreviewed Windows buildfix.
960
961         * CMakeLists.txt:
962
963 2015-09-30  Michael Saboff  <msaboff@apple.com>
964
965         Relanding r190289 with the following two fixes:
966
967          1. REGRESSION(r190289): It made Speedometer/Full.html performance test fail
968             https://bugs.webkit.org/show_bug.cgi?id=149621
969
970             Reviewed by Saam Barati.
971
972             We need to restore callee saves for both the fast and slow paths before making a
973             tail call in the FTL.
974
975             * ftl/FTLJSCallBase.cpp:
976             (JSC::FTL::JSCallBase::emit):
977
978          2. [ARM] REGRESSION(r190289): It made 374 tests crash on 32 bit ARM Linux
979             https://bugs.webkit.org/show_bug.cgi?id=149619
980
981             Reviewed by Filip Pizlo.
982
983             Need to check for ARMv7_TRADITIONAL and ARMv7 in addition to ARM in the "if"
984             statement to handle platforms with a link register.
985
986             * llint/LowLevelInterpreter.asm:
987             (prepareForTailCall):
988
989 2015-09-30  Keith Miller  <keith_miller@apple.com>
990
991         [ES6] Add TypedArray.prototype functionality.
992         https://bugs.webkit.org/show_bug.cgi?id=148035
993
994         Reviewed by Geoffrey Garen.
995
996         This patch should add most of the functionality for
997         the prototype properties of TypedArray objects in ES6.
998         There are a few exceptions to this, which will be added
999         in upcoming patches:
1000
1001         1) First we do not use the species constructor for some
1002         of the TypedArray prototype functions (namely: map, filter,
1003         slice, and subarray). That will need to be added when
1004         species constructors are finished.
1005
1006         2) TypedArrays' length, byteOffset, byteLength, and buffer are
1007         still attached to the TypedArray instance (in the spec they are on
1008         the TypedArray.prototype instance object) since the JIT currently
1009         assumes those properties are fixed.
1010
1011         3) The TypedArray.constructor property is not added yet
1012         as it should point to the TypedArray instance object,
1013         which will be added in a future patch.
1014
1015         * CMakeLists.txt:
1016         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1017         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1018         * JavaScriptCore.xcodeproj/project.pbxproj:
1019         * builtins/TypedArray.prototype.js: Added.
1020         (every):
1021         (find):
1022         (findIndex):
1023         (forEach):
1024         (some):
1025         (sort.min):
1026         (sort.merge):
1027         (sort.mergeSort):
1028         (sort):
1029         (reduce):
1030         (reduceRight):
1031         (map):
1032         (filter):
1033         (toLocaleString):
1034         * runtime/ArrayPrototype.cpp:
1035         * runtime/ArrayPrototype.h:
1036         * runtime/CommonIdentifiers.h:
1037         * runtime/JSGenericTypedArrayView.h:
1038         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
1039         (JSC::JSGenericTypedArrayView::setRangeToValue):
1040         (JSC::JSGenericTypedArrayView::sort):
1041         (JSC::JSGenericTypedArrayView::purifyArray):
1042         (JSC::JSGenericTypedArrayView::sortComparison):
1043         (JSC::JSGenericTypedArrayView::sortFloat):
1044         * runtime/JSGenericTypedArrayViewInlines.h:
1045         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: Added.
1046         (JSC::argumentClampedIndexFromStartOrEnd):
1047         (JSC::genericTypedArrayViewProtoFuncSet):
1048         (JSC::genericTypedArrayViewProtoFuncEntries):
1049         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1050         (JSC::genericTypedArrayViewProtoFuncFill):
1051         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1052         (JSC::genericTypedArrayViewProtoFuncJoin):
1053         (JSC::genericTypedArrayViewProtoFuncKeys):
1054         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1055         (JSC::genericTypedArrayViewProtoGetterFuncLength):
1056         (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
1057         (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
1058         (JSC::genericTypedArrayViewProtoFuncReverse):
1059         (JSC::genericTypedArrayViewPrivateFuncSort):
1060         (JSC::genericTypedArrayViewProtoFuncSlice):
1061         (JSC::genericTypedArrayViewProtoFuncSubarray):
1062         (JSC::typedArrayViewProtoFuncValues):
1063         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
1064         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
1065         (JSC::genericTypedArrayViewProtoFuncSet): Deleted.
1066         (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
1067         * runtime/JSGlobalObject.cpp:
1068         (JSC::JSGlobalObject::init):
1069         * runtime/JSObject.h:
1070         * runtime/JSTypedArrayPrototypes.cpp:
1071         * runtime/JSTypedArrayPrototypes.h:
1072         * runtime/JSTypedArrayViewPrototype.cpp: Added.
1073         (JSC::typedArrayViewPrivateFuncLength):
1074         (JSC::typedArrayViewPrivateFuncSort):
1075         (JSC::typedArrayViewProtoFuncSet):
1076         (JSC::typedArrayViewProtoFuncEntries):
1077         (JSC::typedArrayViewProtoFuncCopyWithin):
1078         (JSC::typedArrayViewProtoFuncFill):
1079         (JSC::typedArrayViewProtoFuncLastIndexOf):
1080         (JSC::typedArrayViewProtoFuncIndexOf):
1081         (JSC::typedArrayViewProtoFuncJoin):
1082         (JSC::typedArrayViewProtoFuncKeys):
1083         (JSC::typedArrayViewProtoGetterFuncLength):
1084         (JSC::typedArrayViewProtoGetterFuncByteLength):
1085         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1086         (JSC::typedArrayViewProtoFuncReverse):
1087         (JSC::typedArrayViewProtoFuncSubarray):
1088         (JSC::typedArrayViewProtoFuncSlice):
1089         (JSC::typedArrayViewProtoFuncValues):
1090         (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
1091         (JSC::JSTypedArrayViewPrototype::finishCreation):
1092         (JSC::JSTypedArrayViewPrototype::create):
1093         (JSC::JSTypedArrayViewPrototype::createStructure):
1094         * runtime/JSTypedArrayViewPrototype.h: Copied from Source/JavaScriptCore/runtime/JSTypedArrayPrototypes.cpp.
1095         * tests/stress/resources/standalone-pre.js: Added.
1096         (description):
1097         (debug):
1098         (escapeString):
1099         (testPassed):
1100         (testFailed):
1101         (areNumbersEqual):
1102         (areArraysEqual):
1103         (isMinusZero):
1104         (isTypedArray):
1105         (isResultCorrect):
1106         (stringify):
1107         (shouldBe):
1108         (dfgShouldBe):
1109         (shouldBeType):
1110         (shouldBeTrue):
1111         (shouldBeFalse):
1112         (shouldBeNaN):
1113         (shouldBeNull):
1114         (shouldBeEqualToString):
1115         (shouldBeUndefined):
1116         (shouldNotThrow):
1117         (shouldThrow):
1118         (dfgCompiled):
1119         (dfgIncrement):
1120         (noInline):
1121         (finishJSTest):
1122         * tests/stress/resources/typedarray-test-helper-functions.js: Added.
1123         (forEachTypedArray):
1124         (isSameFunctionForEachTypedArrayPrototype.eq):
1125         (isSameFunctionForEachTypedArrayPrototype):
1126         (hasSameValues):
1127         (.foo):
1128         (testPrototypeFunctionHelper):
1129         (testPrototypeFunctionOnSigned):
1130         (testPrototypeFunctionOnFloat):
1131         (testPrototypeFunction):
1132         (.tester):
1133         (testPrototypeReceivesArray):
1134         * tests/stress/typedarray-copyWithin.js: Added.
1135         * tests/stress/typedarray-every.js: Added.
1136         (isBigEnough):
1137         (isBigEnoughAndChange):
1138         (isBigEnoughAndException):
1139         * tests/stress/typedarray-fill.js: Added.
1140         * tests/stress/typedarray-filter.js: Added.
1141         (keepEven):
1142         (keepEvenAndChange):
1143         (isBigEnoughAndException):
1144         * tests/stress/typedarray-find.js: Added.
1145         (keepEven):
1146         (keepEvenAndChange):
1147         (isBigEnoughAndException):
1148         * tests/stress/typedarray-findIndex.js: Added.
1149         (keepEven):
1150         (keepEvenAndChange):
1151         (isBigEnoughAndException):
1152         * tests/stress/typedarray-forEach.js: Added.
1153         (.checkCorrect.let.list):
1154         (.checkCorrect):
1155         (createChecker):
1156         (foo):
1157         (changeArray):
1158         (isBigEnoughAndException):
1159         * tests/stress/typedarray-indexOf.js: Added.
1160         (keepEven):
1161         * tests/stress/typedarray-lastIndexOf.js: Added.
1162         * tests/stress/typedarray-map.js: Added.
1163         (even):
1164         (evenAndChange):
1165         (isBigEnoughAndException):
1166         * tests/stress/typedarray-reduce.js: Added.
1167         (createArray):
1168         (sum):
1169         (createArrayAndChange):
1170         (isBigEnoughAndException):
1171         * tests/stress/typedarray-reduceRight.js: Added.
1172         (createArray):
1173         (sum):
1174         (createArrayAndChange):
1175         (isBigEnoughAndException):
1176         * tests/stress/typedarray-slice.js: Added.
1177         * tests/stress/typedarray-some.js: Added.
1178         (isBigEnough):
1179         (isBigEnoughAndChange):
1180         (isBigEnoughAndException):
1181         * tests/stress/typedarray-sort.js: Added.
1182         (sortBackwards):
1183         (compareException):
1184
1185 2015-09-30  Commit Queue  <commit-queue@webkit.org>
1186
1187         Unreviewed, rolling out r190324.
1188         https://bugs.webkit.org/show_bug.cgi?id=149671
1189
1190         Caused flaky crashes, rdar://problem/22916304 (Requested by ap
1191         on #webkit).
1192
1193         Reverted changeset:
1194
1195         "ParallelHelperPool::runFunctionInParallel() shouldn't
1196         allocate, and ParallelHelperPool.h shouldn't be included
1197         everywhere"
1198         https://bugs.webkit.org/show_bug.cgi?id=149635
1199         http://trac.webkit.org/changeset/190324
1200
1201 2015-09-29  Commit Queue  <commit-queue@webkit.org>
1202
1203         Unreviewed, rolling out r190289.
1204         https://bugs.webkit.org/show_bug.cgi?id=149647
1205
1206         Crashing speedometer and some ARM32 tests (Requested by
1207         msaboff on #webkit).
1208
1209         Reverted changeset:
1210
1211         "[ES6] Implement tail calls in the FTL"
1212         https://bugs.webkit.org/show_bug.cgi?id=148664
1213         http://trac.webkit.org/changeset/190289
1214
1215 2015-09-29  Filip Pizlo  <fpizlo@apple.com>
1216
1217         ParallelHelperPool::runFunctionInParallel() shouldn't allocate, and ParallelHelperPool.h shouldn't be included everywhere
1218         https://bugs.webkit.org/show_bug.cgi?id=149635
1219
1220         Reviewed by Saam Barati.
1221
1222         It bugged me that this change caused a whole-world recompile. So, I changed the code so
1223         that ParallelHelperPool.h is only included by Heap.cpp and not by Heap.h.
1224
1225         * heap/Heap.cpp:
1226         (JSC::Heap::Heap):
1227         (JSC::Heap::markRoots):
1228         (JSC::Heap::copyBackingStores):
1229         * heap/Heap.h:
1230
1231 2015-09-29  Filip Pizlo  <fpizlo@apple.com>
1232
1233         GC copy phase spans too many files
1234         https://bugs.webkit.org/show_bug.cgi?id=149586
1235
1236         Reviewed by Andreas Kling.
1237
1238         This puts the core logic of the copy phase into Heap::copyBackingStores(). Now, instead of
1239         using many helpers in many places, the actual algorithm is all in one place.
1240
1241         This lets me do a lot of simplification.
1242
1243         - CopyVisitor no longer requires that you call startCopying() before, and doneCopying() and
1244           WTF::releaseFastMallocFreeMemoryForThisThread() after. The constructor and destructor now
1245           do this for you.
1246
1247         - CopyVisitor no longer contains the algorithm that drives copying. That's all in
1248           Heap::copyBackingStores() now. Basically, copyBackingStores() glues together the new
1249           WTF::ParallelVectorIterator with the copying algorithm that we used to have in
1250           CopyVisitor::copyFromShared().
1251
1252         - Lots of stuff that was in headers is now in .cpp files. That includes all non-hot-path
1253           code in CopyVisitor. Also, the code for copying in HeapInlines.h is now in
1254           ParallelVectorIterator, and it's only included by Heap.cpp.
1255
1256         Overall, I like this direction for the GC. I don't think it's useful for Heap.cpp to have
1257         calls to algorithms in some other file, unless those algorithms are either reusable or just
1258         very dense. That's not actually true for the copy phase, and it's probably not true for
1259         some other stuff like marking. I'll probably do the same refactoring for marking in another
1260         bug.
1261
1262         This should have no effect on performance.
1263
1264         * heap/CopyVisitor.cpp:
1265         (JSC::CopyVisitor::CopyVisitor):
1266         (JSC::CopyVisitor::~CopyVisitor):
1267         (JSC::CopyVisitor::copyFromShared): Deleted.
1268         * heap/CopyVisitor.h:
1269         * heap/CopyVisitorInlines.h:
1270         (JSC::CopyVisitor::checkIfShouldCopy):
1271         (JSC::CopyVisitor::allocateNewSpaceSlow):
1272         (JSC::CopyVisitor::didCopy):
1273         (JSC::CopyVisitor::visitItem): Deleted.
1274         (JSC::CopyVisitor::startCopying): Deleted.
1275         (JSC::CopyVisitor::doneCopying): Deleted.
1276         * heap/Heap.cpp:
1277         (JSC::Heap::copyBackingStores):
1278         * heap/Heap.h:
1279         * heap/HeapInlines.h:
1280         (JSC::Heap::unregisterWeakGCMap):
1281         (JSC::Heap::getNextBlocksToCopy): Deleted.
1282
1283 2015-09-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1284
1285         Add support for WebIDL JSBuiltin attributes
1286         https://bugs.webkit.org/show_bug.cgi?id=149554
1287
1288         Reviewed by Darin Adler.
1289
1290         * runtime/Lookup.cpp:
1291         (JSC::reifyStaticAccessor): Adding support for creating attribute getters from JS builtin functions.
1292         * runtime/Lookup.h:
1293         (JSC::HashTableValue::builtinAccessorGetterGenerator):
1294         (JSC::HashTableValue::builtinAccessorSetterGenerator):
1295         (JSC::reifyStaticProperties): Ensuring that builtin attributes are not treated as Builtin functions.
1296
1297 2015-09-28  Joseph Pecoraro  <pecoraro@apple.com>
1298
1299         Remove unused parseMemoryAmount
1300         https://bugs.webkit.org/show_bug.cgi?id=149611
1301
1302         Reviewed by Mark Lam.
1303
1304         * heap/HeapStatistics.cpp:
1305         (JSC::HeapStatistics::parseMemoryAmount): Deleted.
1306         * heap/HeapStatistics.h:
1307
1308 2015-09-28  Joseph Pecoraro  <pecoraro@apple.com>
1309
1310         Web Inspector: JSGlobalRuntimeAgent unintentionally overrides InspectorRuntimeAgent destruction handling
1311         https://bugs.webkit.org/show_bug.cgi?id=149537
1312
1313         Reviewed by Darin Adler.
1314
1315         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1316         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1317         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend): Deleted.
1318         Do not override the method; the superclass implementation is sufficient.
1319
1320         * JavaScriptCore.xcodeproj/project.pbxproj:
1321         Fix file ordering.
1322
1323         * inspector/agents/InspectorDebuggerAgent.h:
1324         Remove unused member variable.
1325
2015-09-28  basile_clement@apple.com  <basile_clement@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

        [ES6] Implement tail calls in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=148664

        Reviewed by Filip Pizlo.

        This patch implements the tail call opcodes in the FTL, making tail
        calls available through all tiers. The changes are relatively
        straightforward, although the frame shuffler had to be extended to
        handle the possibility of running out of stack when spilling or
        building a slow path frame. The other tiers always ensure that we have
        enough stack space to build the new frame at the bottom of the old one,
        but that is not true for the FTL.

        Moreover, for efficiency, this adds to the shuffler the ability to
        record the state of the TagTypeNumber, and to re-use the same register
        when doing several consecutive integer boxings with no spilling in
        between.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::inRegister):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isFunctionTerminal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfTailCallVarargs):
        (JSC::FTL::sizeOfTailCallForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::emit):
        (JSC::FTL::JSCallBase::link):
        * ftl/FTLJSCallBase.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSTailCall.cpp: Added.
        (JSC::FTL::getRegisterWithAddend):
        (JSC::FTL::recoveryFor):
        (JSC::FTL::sizeFor):
        (JSC::FTL::JSTailCall::JSTailCall):
        (JSC::FTL::m_instructionOffset):
        (JSC::FTL::JSTailCall::emit):
        * ftl/FTLJSTailCall.h: Copied from Source/JavaScriptCore/ftl/FTLJSCallBase.h.
        (JSC::FTL::JSTailCall::stackmapID):
        (JSC::FTL::JSTailCall::estimatedSize):
        (JSC::FTL::JSTailCall::numArguments):
        (JSC::FTL::JSTailCall::operator<):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::operator bool):
        (JSC::FTL::Location::operator!):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
        * ftl/FTLState.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitExceptionCheck):
        * jit/CallFrameShuffleData.h:
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::CallFrameShuffler):
        (JSC::CallFrameShuffler::dump):
        (JSC::CallFrameShuffler::spill):
        (JSC::CallFrameShuffler::extendFrameIfNeeded):
        (JSC::CallFrameShuffler::prepareForSlowPath):
        (JSC::CallFrameShuffler::prepareAny):
        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::restoreGPR):
        (JSC::CallFrameShuffler::getFreeRegister):
        (JSC::CallFrameShuffler::getFreeTempGPR):
        (JSC::CallFrameShuffler::ensureTempGPR):
        (JSC::CallFrameShuffler::addNew):
        * jit/CallFrameShuffler64.cpp:
        (JSC::CallFrameShuffler::emitBox):
        (JSC::CallFrameShuffler::tryAcquireTagTypeNumber):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/Reg.h:
        (JSC::Reg::Reg):
        (JSC::Reg::isHashTableDeletedValue):
        (JSC::Reg::deleted):
        (JSC::RegHash::hash):
        (JSC::RegHash::equal):
        * test/es6.yaml:

2015-09-28  Keith Miller  <keith_miller@apple.com>

        ObjectPropertyConditionSet::mergedWith does not produce a minimal intersection.
        https://bugs.webkit.org/show_bug.cgi?id=149598

        Reviewed by Michael Saboff.

        mergedWith sometimes creates duplicates of an ObjectPropertyCondition, which causes GetByIdVariant
        to believe that the condition has more than one slotBaseCondition when only one was necessary.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::mergedWith):

2015-09-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix debug tests. Before marking, we need to call registerGCThreads().

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):

2015-09-24  Filip Pizlo  <fpizlo@apple.com>

        VMs should share GC threads
        https://bugs.webkit.org/show_bug.cgi?id=149433
        rdar://problem/12859344

        Reviewed by Geoffrey Garen.

        This changes the GC to use a new WTF abstraction for parallelism called ParallelHelperPool.
        This allows us to remove GCThread and all of the GCPhase machinery. This kills a lot of
        code and also gives our GC magical thread sharing powers. If two GCs in two different VMs
        fire at the same time, then they will both get a random subset of the available shared GC
        threads. If one GC happens before the other, then it will probably get all of the available
        threads. If a GC happens while another VM already started GCing, then it will probably not
        get any helper threads. This is probably fine, since in multi-VM scenarios we have no
        reason to optimize for anything other than total throughput.

        The GC has one static helper pool. This pool is available via JSC::heapHelperPool(). It
        would be OK for other parts of JSC to use it in the future for parallel tasks. Each Heap
        instance has a helper client attached to the pool.

        The marking phase tells the ParallelHelperClient to asynchronously run a function that
        joins parallel marking and finishes once marking reaches termination. It uses the
        client.setFunction() idiom where the threads share work with each other using a specialized
        worklist. The ParallelHelperPool is not involved in deciding when threads should terminate.

        The copying phase tells the ParallelHelperClient to run a copying function in parallel. It
        uses the client.runFunctionInParallel() idiom. The copying function gets work from the
        m_blocksToCopy worklist inside Heap.

        To test that multiple VMs work properly, this adds a multi-VM test to testapi.mm. This test
        creates five concurrent VMs and has each of them allocate about 30MB of memory before doing
        a full GC. I've confirmed that this test uses only 6 total GC threads on my 8-core
        computer (this is correct since we are currently configured for 7-way parallelism).

        This shouldn't affect performance on benchmarks, but it will sure help apps with a lot of
        VM instances.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * heap/GCThread.cpp: Removed.
        * heap/GCThread.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::isPagedOut):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::threadVisitCount):
        (JSC::Heap::threadBytesVisited):
        (JSC::Heap::threadBytesCopied):
        (JSC::Heap::startNextPhase): Deleted.
        (JSC::Heap::endCurrentPhase): Deleted.
        * heap/Heap.h:
        * heap/HeapHelperPool.cpp: Added.
        (JSC::heapHelperPool):
        * heap/HeapHelperPool.h: Added.
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::stealSomeCellsFrom):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::drainFromShared):
        * jit/BinarySwitch.h:
        * runtime/CodeCache.h:
        * runtime/VM.h:
        * runtime/WeakRandom.h: Removed.
        * API/tests/testapi.mm:

2015-09-25  Saam barati  <sbarati@apple.com>

        DFG should use PhantomLocal instead of Flush as liveness preservation mechanism in LiveCatchVariablesPreservationPhase
        https://bugs.webkit.org/show_bug.cgi?id=149575

        Reviewed by Geoffrey Garen.

        LiveCatchVariablesPreservationPhase is no longer forcing all live-at-catch
        variables to be flushed to the stack. They are now kept alive to OSR exit
        through PhantomLocal. This gives us a speed improvement for try-catch
        programs (especially those that don't throw errors very often) because
        we can keep locals in registers instead of forcing them onto the stack.

        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::LiveCatchVariablePreservationPhase):
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
        (JSC::DFG::performLiveCatchVariablePreservationPhase):
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::FlushLiveCatchVariablesInsertionPhase): Deleted.
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::handleBlock): Deleted.

2015-09-25  Michael Saboff  <msaboff@apple.com>

        FTLOSRExitCompiler incorrectly excludes FPR registers in callee saves loop
        https://bugs.webkit.org/show_bug.cgi?id=149540

        Reviewed by Saam Barati.

        Eliminated the incorrect check that callee saves registers are only GPRs.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2015-09-25  Alex Christensen  <achristensen@webkit.org>

        [Win] Switch to CMake
        https://bugs.webkit.org/show_bug.cgi?id=148111

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2015-09-24  Mark Lam  <mark.lam@apple.com>

        Remove the use of "Immediate" in JIT function names.
        https://bugs.webkit.org/show_bug.cgi?id=149542

        Reviewed by Geoffrey Garen.

        We will rename the following:
            isOperandConstantImmediateDouble => isOperandConstantDouble
            isOperandConstantImmediateInt => isOperandConstantInt
            isOperandConstantImmediateChar => isOperandConstantChar

            getOperandConstantImmediateInt => getOperandConstantInt
            getConstantOperandImmediateInt => getOperandConstantInt

            emitJumpIfImmediateInteger => emitJumpIfInt
            emitJumpIfNotImmediateInteger => emitJumpIfNotInt
            emitJumpIfNotImmediateIntegers => emitJumpIfNotInt
            emitPatchableJumpIfNotImmediateInteger => emitPatchableJumpIfNotInt
            emitJumpSlowCaseIfNotImmediateInteger => emitJumpSlowCaseIfNotInt
            emitJumpSlowCaseIfNotImmediateNumber => emitJumpSlowCaseIfNotNumber
            emitJumpSlowCaseIfNotImmediateIntegers => emitJumpSlowCaseIfNotInt
            emitFastArithReTagImmediate => emitTagInt
            emitTagAsBoolImmediate => emitTagBool
            emitJumpIfImmediateNumber => emitJumpIfNumber
            emitJumpIfNotImmediateNumber => emitJumpIfNotNumber
            emitFastArithImmToInt - Deleted because this is an empty function.
            emitFastArithIntToImmNoCheck => emitTagInt
            emitPutImmediateToCallFrameHeader => emitPutToCallFrameHeader

        This is purely a refactoring patch to do the renaming.  There is no behavior
        change.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::AssemblyHelpers::emitPutImmediateToCallFrameHeader): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        (JSC::JIT::getSlowCase):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emit_op_rshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emit_op_urshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emitSlow_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::isOperandConstantDouble):
        (JSC::JIT::isOperandConstantChar):
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::isOperandConstantInt):
        (JSC::JIT::getOperandConstantInt):
        (JSC::JIT::emitGetVirtualRegisters):
        (JSC::JIT::emitLoadInt32ToDouble):
        (JSC::JIT::emitJumpIfInt):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitPatchableJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitTagBool):
        (JSC::JIT::isOperandConstantImmediateDouble): Deleted.
        (JSC::JIT::isOperandConstantImmediateChar): Deleted.
        (JSC::JIT::isOperandConstantImmediateInt): Deleted.
        (JSC::JIT::getOperandConstantImmediateInt): Deleted.
        (JSC::JIT::getConstantOperandImmediateInt): Deleted.
        (JSC::JIT::emitJumpIfImmediateInteger): Deleted.
        (JSC::JIT::emitJumpIfNotImmediateInteger): Deleted.
        (JSC::JIT::emitPatchableJumpIfNotImmediateInteger): Deleted.
        (JSC::JIT::emitJumpIfNotImmediateIntegers): Deleted.
        (JSC::JIT::emitJumpSlowCaseIfNotImmediateInteger): Deleted.
        (JSC::JIT::emitJumpSlowCaseIfNotImmediateIntegers): Deleted.
        (JSC::JIT::emitJumpSlowCaseIfNotImmediateNumber): Deleted.
        (JSC::JIT::emitFastArithReTagImmediate): Deleted.
        (JSC::JIT::emitTagAsBoolImmediate): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
        (JSC::JSInterfaceJIT::emitJumpIfNumber):
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitTagInt):
        (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
        (JSC::JSInterfaceJIT::emitJumpIfImmediateNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotImmediateNumber): Deleted.
        (JSC::JSInterfaceJIT::emitFastArithImmToInt): Deleted.
        (JSC::JSInterfaceJIT::emitFastArithIntToImmNoCheck): Deleted.
        (JSC::JSInterfaceJIT::emitPutImmediateToCallFrameHeader): Deleted.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::startFunction):
        (JSC::WASMFunctionCompiler::endFunction):

2015-09-24  Michael Saboff  <msaboff@apple.com>

        [ES6] Implement tail calls in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=148663

        Reviewed by Filip Pizlo.

        jsc-tailcall: Implement the tail call opcodes in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=146850

        This patch adds support for tail calls in the DFG. This requires a slightly high number of nodes:

         - TailCall and TailCallVarargs are straightforward. They are terminal
           nodes and have the semantics of an actual tail call.

         - TailCallInlinedCaller and TailCallVarargsInlinedCaller are here to perform a
           tail call inside an inlined function. They are non-terminal nodes,
           and are performing the call as a regular call after popping an
           appropriate number of inlined tail call frames.

         - TailCallForwardVarargs and TailCallForwardVarargsInlinedCaller are the
           extension of TailCallVarargs and TailCallVarargsInlinedCaller to enable
           the varargs forwarding optimization so that we don't lose
           performance with a tail call instead of a regular call.

        This also required two broad kinds of changes:

         - Changes in the JIT itself (DFGSpeculativeJIT) are pretty
           straightforward since they are just an extension of the baseline JIT
           changes introduced previously.

         - Changes in the runtime are mostly related to handling inline call
           frames. The idea here is that we have a special TailCall type for
           call frames that indicates to the various pieces of code walking the
           inline call frame that they should (recursively) skip the caller in
           their analysis.

        * bytecode/CallMode.h:
        (JSC::specializationKindFor):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::inlineDepthForCallFrame):
        (JSC::CodeOrigin::isApproximatelyEqualTo):
        (JSC::CodeOrigin::approximateHash):
        (JSC::CodeOrigin::inlineStack):
        * bytecode/CodeOrigin.h:
        * bytecode/InlineCallFrame.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        (WTF::printInternal):
        * bytecode/InlineCallFrame.h:
        (JSC::InlineCallFrame::callModeFor):
        (JSC::InlineCallFrame::kindFor):
        (JSC::InlineCallFrame::varargsKindFor):
        (JSC::InlineCallFrame::specializationKindFor):
        (JSC::InlineCallFrame::isVarargs):
        (JSC::InlineCallFrame::isTail):
        (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
        (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
        (JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCallFrame):
        (JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::willCatchExceptionInMachineFrame):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::willCatchException):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateSSA):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::bytecodeOffset):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::gotoNextFrame):

2015-09-23  Filip Pizlo  <fpizlo@apple.com>

        Remove special case code for the no-parallel-GC case
        https://bugs.webkit.org/show_bug.cgi?id=149512

        Reviewed by Mark Lam.

        Make serial GC just a parallel GC where the helper threads don't do anything. Also make the
        idle thread calculation a bit more explicit.

        The main outcome is that we no longer use Options::numberOfGCMarkers() as much, so the code is
        resilient against the number of GC markers changing.

        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):

2015-09-23  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess should remember that it checked an ObjectPropertyCondition with a check on some structure
        https://bugs.webkit.org/show_bug.cgi?id=149514

        Reviewed by Oliver Hunt.

        When we checked an ObjectPropertyCondition using an explicit structure check, we would forget to
        note the structure in any weak reference table and we would attempt to regenerate the condition
        check even if the condition became invalid.

        We need to account for this better and we need to prune AccessCases that have an invalid condition
        set. This change does both.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::addWatchpoint):
        (JSC::AccessCase::alternateBase):
        (JSC::AccessCase::couldStillSucceed):
        (JSC::AccessCase::canReplace):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerateWithCases):
        (JSC::PolymorphicAccess::visitWeak):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::callLinkInfo):
        * tests/stress/make-dictionary-repatch.js: Added. This used to crash on a release assert. If we removed the release assert, this would return bad results.

2015-09-24  Mark Lam  <mark.lam@apple.com>

        We should only expect a RareCaseProfile to exist if the rare case actually exists.
        https://bugs.webkit.org/show_bug.cgi?id=149531

        Reviewed by Saam Barati.

        The current code that calls rareCaseProfileForBytecodeOffset() assumes that it
        will always return a non-null RareCaseProfile.  As a result, op_add in the
        baseline JIT is forced to add a dummy slow case that will never be taken, only to
        ensure that the RareCaseProfile for that bytecode is created.  This profile will
        always produce a counter value of 0 (since that path will never be taken).

        Instead, we'll make the callers of rareCaseProfileForBytecodeOffset() check if
        the profile actually exists before dereferencing it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::capabilityLevel):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addRareCaseProfile):
        (JSC::CodeBlock::numberOfRareCaseProfiles):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::rareCaseProfile): Deleted.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):

2015-09-24  Ryosuke Niwa  <rniwa@webkit.org>

        Ran sort-Xcode-project-file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-09-24  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Streams API] Add support for JS builtins constructor
        https://bugs.webkit.org/show_bug.cgi?id=149497

        Reviewed by Darin Adler.

        * runtime/JSFunction.h: exporting createBuiltinFunction.

2015-09-23  Saam barati  <sbarati@apple.com>

        JSC allows invalid var declarations when the declared name is the same as a let/const variable
        https://bugs.webkit.org/show_bug.cgi?id=147600

        Reviewed by Yusuke Suzuki.

        We had an ordering bug where if you first declared a "let"
        variable then a "var" variable with the same name, you wouldn't
        get a syntax error. But, if you did it in the reverse order,
        you would. This patch fixes this syntax error to be order independent.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        * parser/Parser.h:
        (JSC::Scope::declareVariable):
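
        The order-independent early error this entry describes can be checked from JavaScript. The block below is an added example, not WebKit's test or parser code: the hypothetical helper isEarlySyntaxError compiles a source string with the Function constructor (parsing it without running it) and reports whether a SyntaxError was raised, so each redeclaration pattern is judged at parse time in both orders.

```javascript
// Added example (not WebKit code): a `var` that redeclares a name already
// bound by `let`/`const` in the same function scope is an early SyntaxError,
// and the verdict must not depend on which declaration comes first.

// Hypothetical helper: parse `source` as a function body without running it.
// Returns true only if parsing itself throws a SyntaxError (an early error);
// a program that parses fine returns false.
function isEarlySyntaxError(source) {
  try {
    new Function(source); // compiled, never invoked
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample programs. The first group must be rejected in every
// order; the second group is legal and must still parse.
const cases = {
  letThenVar:   "let x = 1; var x = 2;",
  varThenLet:   "var x = 2; let x = 1;",
  constThenVar: "const x = 1; var x = 2;",
  varThenConst: "var x = 2; const x = 1;",
  // `var` hoists to function scope, so a nested block does not save it.
  varInNestedBlock: "let x = 1; { var x = 2; }",

  // Legal: the `var` lives in a different function scope.
  varInInnerFunction: "let x = 1; function f() { var x = 2; } return f;",
  // Legal: repeated `var` of the same name is allowed.
  varThenVar: "var x = 1; var x = 2;",
  // Legal: a block-scoped `let` shadows the outer `var`.
  letInInnerBlock: "var x = 1; { let x = 2; }",
};

// Run every sample and report, per case, whether it was rejected at parse time.
function checkRedeclarations() {
  const verdicts = {};
  for (const [name, src] of Object.entries(cases)) {
    verdicts[name] = isEarlySyntaxError(src);
  }
  return verdicts;
}

// The property the fix restores: swapping the two declarations must not
// change whether the program is accepted.
function isOrderIndependent(declA, declB) {
  return isEarlySyntaxError(declA + " " + declB) ===
         isEarlySyntaxError(declB + " " + declA);
}
```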

2015-09-23  Filip Pizlo  <fpizlo@apple.com>

        Parallel copy phase synchronization should be simplified
        https://bugs.webkit.org/show_bug.cgi?id=149509

        Reviewed by Mark Lam.

        Before this change, we didn't wait for the copy phase to finish before starting to do things to
        copied space that presumed that copying was done. Copied space would "detect" that nobody was
        copying anymore by waiting for all loaned blocks to be returned. But that would succeed if some
        thread had not yet started copying. So, we had weird hacks to ensure that a block was loaned
        before any threads started. It also meant that we had two separate mechanisms for waiting for
        copying threads to finish - one mechanism in the Heap phase logic and another in the
        CopiedSpace::doneCopying() method.

        We can get rid of a lot of the weirdness by just having a sound shutdown sequence:

        1) Threads concur on when there is no more work. We already have this; once
           Heap::getNextBlocksToCopy() returns no work in any thread, it will also return no work in
           any other thread that asks for work.
        2) Main thread waits for the threads to not be copying anymore.
        3) Do whatever we need to do after copying finishes.

        Currently, we do (3) before (2) and so we have weird problems. This just changes the code to do
        (3) after (2), and so we can get rid of the synchronization in doneCopying() and we can safely
        call startCopying() inside GCThread. This also means that we don't need to make CopyVisitor a
        property of GCThread. Instead, GCThread just instantiates its own CopyVisitor when it needs to.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneCopying):
        * heap/GCThread.cpp:
        (JSC::GCThread::GCThread):
        (JSC::GCThread::slotVisitor):
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):
        (JSC::GCThread::copyVisitor): Deleted.
        * heap/GCThread.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::gatherStackRoots):

2015-09-23  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unimplemented method Heap::showStatistics
        https://bugs.webkit.org/show_bug.cgi?id=149507

        Reviewed by Darin Adler.

        * heap/Heap.h:

2015-09-23  Tim Horton  <timothy_horton@apple.com>

        Hopefully fix the production build.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformWin.cmake:

2015-09-23  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Streams API] Implement ReadableStream pipeThrough
        https://bugs.webkit.org/show_bug.cgi?id=147556

        Reviewed by Darin Adler.

        Updating BuiltIns infrastructure to make it reusable from WebCore.
        Extracting macros from BuiltinNames and createBuiltinExecutable from BuiltinExecutables.
        Updated generate-js-builtins to allow generating builtin CPP/H files in WebCore namespace.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::createExecutableInternal):
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames): Deleted.
        * builtins/BuiltinUtils.h: Extracting code from BuiltinNames and BuiltinExecutables.h.
        * bytecode/UnlinkedFunctionExecutable.h:
        * generate-js-builtins:
        (getFunctions):
        (writeIncludeDirectives):

2015-09-22  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative non-JIT build fix after r189999.

        Not reviewed.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::jsValueRegs):

2015-09-22  Filip Pizlo  <fpizlo@apple.com>

        GCThreadSharedData is just a bad way of saying Heap
        https://bugs.webkit.org/show_bug.cgi?id=149435

        Reviewed by Mark Lam.

        This removes the GCThreadSharedData class and moves its members into Heap. This is a net
2068         simplification since GCThreadSharedData had a 1-to-1 mapping to Heap and the two classes had a
2069         vast contract with a lot of interdependencies. Heap would call a lot of GCThreadSharedData
2070         methods; now a lot of those are inlined since they were only called from the one place in Heap.
2071         This makes it a lot easier to see what is going on. For example, you no longer have to look at
2072         code in two places (Heap and GCThreadSharedData) to figure out the timing and synchronization
2073         of GC phases - all of that code is in Heap now.
2074
2075         This also removes weird indirections in other places. It used to be that a lot of GC helper
2076         classes would have a pointer to GCThreadSharedData, and then would use that to get to Heap, VM,
2077         and the visitors. Now these helpers just point to Heap.
2078
2079         I think that GCThreadSharedData was only useful for defining the set of things that we need to
2080         know to collect garbage. That's how we decided if something would go into GCThreadSharedData
2081         instead of Heap. But I think that separating things into multiple classes usually makes the
2082         code less hackable, so there should be a very high bar for doing this in a way that produces a
2083         1-to-1 mapping between two classes - where one instance of one of the classes is always paired
2084         with exactly one instance of the other class and vice-versa.
2085
2086         * CMakeLists.txt:
2087         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2088         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2089         * JavaScriptCore.xcodeproj/project.pbxproj:
2090         * heap/CopiedSpace.h:
2091         * heap/CopyVisitor.cpp:
2092         (JSC::CopyVisitor::CopyVisitor):
2093         (JSC::CopyVisitor::copyFromShared):
2094         * heap/CopyVisitor.h:
2095         * heap/CopyVisitorInlines.h:
2096         (JSC::CopyVisitor::allocateNewSpaceSlow):
2097         (JSC::CopyVisitor::startCopying):
2098         (JSC::CopyVisitor::doneCopying):
2099         (JSC::CopyVisitor::didCopy):
2100         * heap/GCThread.cpp:
2101         (JSC::GCThread::GCThread):
2102         (JSC::GCThread::waitForNextPhase):
2103         (JSC::GCThread::gcThreadMain):
2104         * heap/GCThread.h:
2105         * heap/GCThreadSharedData.cpp: Removed.
2106         * heap/GCThreadSharedData.h: Removed.
2107         * heap/Heap.cpp:
2108         (JSC::Heap::Heap):
2109         (JSC::Heap::~Heap):
2110         (JSC::Heap::isPagedOut):
2111         (JSC::Heap::markRoots):
2112         (JSC::Heap::copyBackingStores):
2113         (JSC::Heap::updateObjectCounts):
2114         (JSC::Heap::resetVisitors):
2115         (JSC::Heap::objectCount):
2116         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock):
2117         (JSC::Heap::threadVisitCount):
2118         (JSC::Heap::threadBytesVisited):
2119         (JSC::Heap::threadBytesCopied):
2120         (JSC::Heap::startNextPhase):
2121         (JSC::Heap::endCurrentPhase):
2122         * heap/Heap.h:
2123         * heap/HeapInlines.h:
2124         (JSC::Heap::unregisterWeakGCMap):
2125         (JSC::Heap::getNextBlocksToCopy):
2126         * heap/ListableHandler.h:
2127         * heap/SlotVisitor.cpp:
2128         (JSC::SlotVisitor::SlotVisitor):
2129         (JSC::SlotVisitor::didStartMarking):
2130         (JSC::SlotVisitor::reset):
2131         (JSC::SlotVisitor::donateKnownParallel):
2132         (JSC::SlotVisitor::drain):
2133         (JSC::SlotVisitor::drainFromShared):
2134         (JSC::SlotVisitor::mergeOpaqueRoots):
2135         (JSC::SlotVisitor::harvestWeakReferences):
2136         (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
2137         * heap/SlotVisitor.h:
2138         (JSC::SlotVisitor::markStack):
2139         (JSC::SlotVisitor::isEmpty):
2140         (JSC::SlotVisitor::sharedData): Deleted.
2141         * heap/SlotVisitorInlines.h:
2142         (JSC::SlotVisitor::addWeakReferenceHarvester):
2143         (JSC::SlotVisitor::addUnconditionalFinalizer):
2144         (JSC::SlotVisitor::addOpaqueRoot):
2145         (JSC::SlotVisitor::containsOpaqueRoot):
2146         (JSC::SlotVisitor::containsOpaqueRootTriState):
2147         (JSC::SlotVisitor::opaqueRootCount):
2148         (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary):
2149         (JSC::SlotVisitor::copyLater):
2150         (JSC::SlotVisitor::heap):
2151         (JSC::SlotVisitor::vm):
2152
2153 2015-09-22  Saam barati  <sbarati@apple.com>
2154
2155         Web Inspector: [ES6] Improve Type Profiler Support for Arrow Functions
2156         https://bugs.webkit.org/show_bug.cgi?id=143171
2157
2158         Reviewed by Joseph Pecoraro.
2159
2160         We now need to take into account TypeProfilerSearchDescriptor when
2161         hashing results for type profiler queries. Before, we've gotten
2162         away with not doing this because before we would never have a text 
2163         collision between a return type text offset and a normal expression text
2164         offset. But, with arrow functions, we will have collisions when
2165         the arrow function doesn't have parens around its single parameter.
2166         I.e: "param => { ... };"
2167
2168         * runtime/TypeProfiler.cpp:
2169         (JSC::TypeProfiler::findLocation):
2170         * runtime/TypeProfiler.h:
2171         (JSC::QueryKey::QueryKey):
2172         (JSC::QueryKey::isHashTableDeletedValue):
2173         (JSC::QueryKey::operator==):
2174         (JSC::QueryKey::hash):
2175         * tests/typeProfiler/arrow-functions.js: Added.
2176
2177 2015-09-22  Filip Pizlo  <fpizlo@apple.com>
2178
2179         Get rid of ENABLE(PARALLEL_GC)
2180         https://bugs.webkit.org/show_bug.cgi?id=149436
2181
2182         Reviewed by Mark Lam.
2183
2184         We always enable parallel GC everywhere but Windows, and it doesn't look like it was disabled
2185         there for any good reason. So, get rid of the flag.
2186
2187         The only effect of this change is that parallel GC will now be enabled on Windows, provided
2188         that the CPU detection finds more than one.
2189
2190         * heap/GCThread.cpp:
2191         (JSC::GCThread::gcThreadMain):
2192         * heap/GCThreadSharedData.cpp:
2193         (JSC::GCThreadSharedData::resetChildren):
2194         (JSC::GCThreadSharedData::childBytesCopied):
2195         (JSC::GCThreadSharedData::GCThreadSharedData):
2196         (JSC::GCThreadSharedData::~GCThreadSharedData):
2197         (JSC::GCThreadSharedData::reset):
2198         (JSC::GCThreadSharedData::didStartMarking):
2199         * heap/Heap.cpp:
2200         (JSC::Heap::converge):
2201         (JSC::Heap::visitWeakHandles):
2202         (JSC::Heap::updateObjectCounts):
2203         (JSC::Heap::resetVisitors):
2204         * heap/MarkedBlock.h:
2205         * heap/SlotVisitor.cpp:
2206         (JSC::SlotVisitor::didStartMarking):
2207         (JSC::SlotVisitor::reset):
2208         (JSC::SlotVisitor::drain):
2209         (JSC::SlotVisitor::drainFromShared):
2210         (JSC::SlotVisitor::mergeOpaqueRoots):
2211         (JSC::JSString::tryHashConsLock):
2212         (JSC::JSString::releaseHashConsLock):
2213         * heap/SlotVisitorInlines.h:
2214         (JSC::SlotVisitor::addOpaqueRoot):
2215         (JSC::SlotVisitor::containsOpaqueRoot):
2216         (JSC::SlotVisitor::containsOpaqueRootTriState):
2217         (JSC::SlotVisitor::opaqueRootCount):
2218         (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary):
2219         * runtime/Options.cpp:
2220         (JSC::computeNumberOfGCMarkers):
2221
2222 2015-09-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2223
2224         Implement min and max instructions in WebAssembly
2225         https://bugs.webkit.org/show_bug.cgi?id=149454
2226
2227         Reviewed by Geoffrey Garen.
2228
2229         This patch implements min and max instructions in WebAssembly.
2230
2231         * tests/stress/wasm-arithmetic-float64.js:
2232         * tests/stress/wasm-arithmetic-int32.js:
2233         * tests/stress/wasm/arithmetic-float64.wasm:
2234         * tests/stress/wasm/arithmetic-int32.wasm:
2235         * wasm/WASMFunctionCompiler.h:
2236         (JSC::WASMFunctionCompiler::buildMinOrMaxI32):
2237         (JSC::WASMFunctionCompiler::buildMinOrMaxF64):
2238         * wasm/WASMFunctionParser.cpp:
2239         (JSC::WASMFunctionParser::parseExpressionI32):
2240         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32):
2241         (JSC::WASMFunctionParser::parseExpressionF64):
2242         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64):
2243         * wasm/WASMFunctionParser.h:
2244         * wasm/WASMFunctionSyntaxChecker.h:
2245         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32):
2246         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64):
2247
2248 2015-09-22  Filip Pizlo  <fpizlo@apple.com>
2249
2250         Get rid of ENABLE(GGC)
2251         https://bugs.webkit.org/show_bug.cgi?id=149472
2252
2253         Reviewed by Mark Hahnenberg and Mark Lam.
2254
2255         Getting rid of this feature flag allows us to remove a lot of yuck.
2256
2257         * bytecode/CodeBlock.h:
2258         (JSC::CodeBlockSet::mark):
2259         (JSC::ScriptExecutable::forEachCodeBlock):
2260         * bytecode/PolymorphicAccess.cpp:
2261         (JSC::AccessCase::generate):
2262         * dfg/DFGOSRExitCompilerCommon.cpp:
2263         (JSC::DFG::reifyInlinedCallFrames):
2264         (JSC::DFG::osrWriteBarrier):
2265         (JSC::DFG::adjustAndJumpToTarget):
2266         * dfg/DFGSpeculativeJIT.cpp:
2267         (JSC::DFG::SpeculativeJIT::linkBranches):
2268         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2269         (JSC::DFG::SpeculativeJIT::writeBarrier):
2270         * dfg/DFGSpeculativeJIT.h:
2271         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
2272         (JSC::DFG::SpeculativeJIT::selectScratchGPR):
2273         * dfg/DFGSpeculativeJIT32_64.cpp:
2274         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
2275         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2276         (JSC::DFG::SpeculativeJIT::compile):
2277         (JSC::DFG::SpeculativeJIT::writeBarrier):
2278         (JSC::DFG::SpeculativeJIT::moveTrueTo):
2279         * dfg/DFGSpeculativeJIT64.cpp:
2280         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
2281         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2282         (JSC::DFG::SpeculativeJIT::compile):
2283         (JSC::DFG::SpeculativeJIT::writeBarrier):
2284         (JSC::DFG::SpeculativeJIT::moveTrueTo):
2285         * ftl/FTLLowerDFGToLLVM.cpp:
2286         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2287         * heap/CodeBlockSet.cpp:
2288         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
2289         (JSC::CodeBlockSet::dump):
2290         * heap/Heap.cpp:
2291         (JSC::Heap::Heap):
2292         (JSC::Heap::markRoots):
2293         (JSC::Heap::clearRememberedSet):
2294         (JSC::Heap::updateObjectCounts):
2295         (JSC::Heap::flushWriteBarrierBuffer):
2296         (JSC::Heap::shouldDoFullCollection):
2297         (JSC::Heap::addLogicallyEmptyWeakBlock):
2298         * heap/HeapInlines.h:
2299         (JSC::Heap::isWriteBarrierEnabled):
2300         (JSC::Heap::writeBarrier):
2301         (JSC::Heap::reportExtraMemoryAllocated):
2302         (JSC::Heap::reportExtraMemoryVisited):
2303         * heap/MarkedBlock.cpp:
2304         (JSC::MarkedBlock::clearMarks):
2305         * heap/MarkedSpace.cpp:
2306         (JSC::MarkedSpace::resetAllocators):
2307         (JSC::MarkedSpace::visitWeakSets):
2308         * heap/MarkedSpace.h:
2309         (JSC::MarkedSpace::didAllocateInBlock):
2310         (JSC::MarkedSpace::objectCount):
2311         * jit/JITPropertyAccess.cpp:
2312         (JSC::JIT::emitWriteBarrier):
2313         (JSC::JIT::emitIdentifierCheck):
2314         (JSC::JIT::privateCompilePutByVal):
2315         * llint/LLIntOfflineAsmConfig.h:
2316         * llint/LowLevelInterpreter32_64.asm:
2317         * llint/LowLevelInterpreter64.asm:
2318
2319 2015-09-22  Saam barati  <sbarati@apple.com>
2320
2321         the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn't emit an exceptionCheck after it.
2322         https://bugs.webkit.org/show_bug.cgi?id=149467
2323
2324         Reviewed by Mark Lam.
2325
2326         The callOperation for toInt32 won't store a call site index in the call frame.
2327         Therefore, if this is the first callOperation in the current compilation, 
2328         and we emit an exception check inside a try block, we will hit an assertion 
2329         saying that we must have DFGCommonData::codeOrigins.size() be > 0 inside
2330         DFGCommonData::lastCallSite(). Therefore, it is imperative that we don't 
2331         emit exception checks for callOperations that don't throw exceptions and 
2332         don't store a call site index in the call frame.
2333
2334         * dfg/DFGCommonData.cpp:
2335         (JSC::DFG::CommonData::lastCallSite):
2336         * dfg/DFGSpeculativeJIT.cpp:
2337         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2338         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2339
2340 2015-09-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2341
2342         Implement the conditional instruction in WebAssembly
2343         https://bugs.webkit.org/show_bug.cgi?id=149451
2344
2345         Reviewed by Geoffrey Garen.
2346
2347         This patch implements the conditional (ternary) instruction in WebAssembly.
2348         This is basically "condition ? exp1 : exp2" in JavaScript.
2349         
2350         The use of context.discard() in WASMFunctionParser::parseConditional()
2351         is not ideal. We don't discard anything. We just use it to decrement the
2352         stack top in the WebAssembly baseline JIT. When we optimize the JIT by
2353         storing results directly into the destination like the JavaScript
2354         baseline JIT, the code will look like this:
2355
2356             ContextExpression temp = context.newTemporary();
2357             ContextExpression condition = parseExpressionI32(context);
2358             context.jumpToTargetIf(Context::JumpCondition::Zero, condition, elseTarget);
2359
2360             parseExpression(context, temp, expressionType);
2361             context.jumpToTarget(end);
2362
2363             context.linkTarget(elseTarget);
2364             parseExpression(context, temp, expressionType);
2365             context.linkTarget(end);
2366
2367             return temp;
2368
2369         which looks cleaner than using discard().
2370
2371         * tests/stress/wasm-control-flow.js:
2372         * tests/stress/wasm/control-flow.wasm:
2373         * wasm/WASMFunctionParser.cpp:
2374         (JSC::WASMFunctionParser::parseExpressionI32):
2375         (JSC::WASMFunctionParser::parseExpressionF32):
2376         (JSC::WASMFunctionParser::parseExpressionF64):
2377         (JSC::WASMFunctionParser::parseConditional):
2378         * wasm/WASMFunctionParser.h:
2379
2380 2015-09-22  Commit Queue  <commit-queue@webkit.org>
2381
2382         Unreviewed, rolling out r189616.
2383         https://bugs.webkit.org/show_bug.cgi?id=149456
2384
2385         suspected cause of multiple regressions (Requested by kling on
2386         #webkit).
2387
2388         Reverted changeset:
2389
2390         "[JSC] Weak should only accept cell pointees."
2391         https://bugs.webkit.org/show_bug.cgi?id=148955
2392         http://trac.webkit.org/changeset/189616
2393
2394 2015-09-22  Saam barati  <sbarati@apple.com>
2395
2396         Web Inspector: Basic Block Annotations and Type Profiler annotations wrong for script with "class" with default constructor
2397         https://bugs.webkit.org/show_bug.cgi?id=149248
2398
2399         Reviewed by Mark Lam.
2400
2401         We keep track of which functions have and have not
2402         executed so we can show visually, inside the inspector,
2403         which functions have and have not executed. With a default
2404         constructor, our parser parses code that isn't in the actual
2405         JavaScript source code of the user. Our parser would then
2406         give us a range from "1" to "1 + default constructor length"
2407         as being the text range of a function. But, this would then pollute
2408         actual source code that was at these ranges.
2409
2410         Therefore, we should treat these default constructor source 
2411         codes as having "invalid" ranges. We use [UINT_MAX, UINT_MAX] 
2412         as the invalid range. This range has the effect of not polluting 
2413         valid ranges inside the source code.
2414
2415         * bytecode/UnlinkedFunctionExecutable.cpp:
2416         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2417         (JSC::UnlinkedFunctionExecutable::setInvalidTypeProfilingOffsets):
2418         * bytecode/UnlinkedFunctionExecutable.h:
2419         * bytecompiler/BytecodeGenerator.cpp:
2420         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2421
2422 2015-09-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2423
2424         Implement the comma instruction in WebAssembly
2425         https://bugs.webkit.org/show_bug.cgi?id=149425
2426
2427         Reviewed by Geoffrey Garen.
2428
2429         This patch implements the comma instruction in WebAssembly. The comma
2430         instruction evaluates the left operand and then the right operand and
2431         returns the value of the right operand.
2432
2433         * tests/stress/wasm-comma.js: Added.
2434         (shouldBe):
2435         * wasm/WASMFunctionCompiler.h:
2436         (JSC::WASMFunctionCompiler::discard):
2437         * wasm/WASMFunctionParser.cpp:
2438         (JSC::WASMFunctionParser::parseExpressionI32):
2439         (JSC::WASMFunctionParser::parseExpressionF32):
2440         (JSC::WASMFunctionParser::parseExpressionF64):
2441         (JSC::WASMFunctionParser::parseComma):
2442         * wasm/WASMFunctionParser.h:
2443         * wasm/WASMFunctionSyntaxChecker.h:
2444         (JSC::WASMFunctionSyntaxChecker::discard):
2445
2446 2015-09-21  Filip Pizlo  <fpizlo@apple.com>
2447
2448         Always use the compiler's CAS implementation and get rid of ENABLE(COMPARE_AND_SWAP)
2449         https://bugs.webkit.org/show_bug.cgi?id=149438
2450
2451         Reviewed by Mark Lam.
2452
2453         * heap/HeapInlines.h:
2454         (JSC::Heap::reportExtraMemoryVisited):
2455         (JSC::Heap::deprecatedReportExtraMemory):
2456
2457 2015-09-21  Saam barati  <sbarati@apple.com>
2458
2459         functionProtoFuncToString should not rely on typeProfilingEndOffset()
2460         https://bugs.webkit.org/show_bug.cgi?id=149429
2461
2462         Reviewed by Geoffrey Garen.
2463
2464         We should be able to freely change typeProfilingEndOffset()
2465         without worrying we will break Function.prototype.toString.
2466
2467         * runtime/FunctionPrototype.cpp:
2468         (JSC::functionProtoFuncToString):
2469
2470 2015-09-21  Commit Queue  <commit-queue@webkit.org>
2471
2472         Unreviewed, rolling out r190086.
2473         https://bugs.webkit.org/show_bug.cgi?id=149427
2474
2475         Broke LayoutTests/inspector/model/remote-object.htm (Requested
2476         by saamyjoon on #webkit).
2477
2478         Reverted changeset:
2479
2480         "Web Inspector: Basic Block Annotations and Type Profiler
2481         annotations wrong for script with "class" with default
2482         constructor"
2483         https://bugs.webkit.org/show_bug.cgi?id=149248
2484         http://trac.webkit.org/changeset/190086
2485
2486 2015-09-21  Saam barati  <sbarati@apple.com>
2487
2488         Web Inspector: Basic Block Annotations and Type Profiler annotations wrong for script with "class" with default constructor
2489         https://bugs.webkit.org/show_bug.cgi?id=149248
2490
2491         Reviewed by Mark Lam.
2492
2493         We keep track of which functions have and have not
2494         executed so we can show visually, inside the inspector,
2495         which functions have and have not executed. With a default
2496         constructor, our parser parses code that isn't in the actual
2497         JavaScript source code of the user. Our parser would then
2498         give us a range from "1" to "1 + default constructor length"
2499         as being the text range of a function. But, this would then pollute
2500         actual source code that was at these ranges.
2501
2502         Therefore, we should treat these default constructor source 
2503         codes as having "invalid" ranges. We use [UINT_MAX, UINT_MAX] 
2504         as the invalid range. This range has the effect of not polluting 
2505         valid ranges inside the source code.
2506
2507         * bytecode/UnlinkedFunctionExecutable.cpp:
2508         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2509         (JSC::UnlinkedFunctionExecutable::setInvalidTypeProfilingOffsets):
2510         * bytecode/UnlinkedFunctionExecutable.h:
2511         * bytecompiler/BytecodeGenerator.cpp:
2512         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2513
2514 2015-09-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2515
2516         Implement call statements and call expressions of type void in WebAssembly
2517         https://bugs.webkit.org/show_bug.cgi?id=149411
2518
2519         Reviewed by Mark Lam.
2520
2521         Call instructions in WebAssembly can be both statements and expressions.
2522         This patch implements call statements. It also implements call
2523         expressions of type void. The only place where call expressions of type
2524         void can occur is the left-hand side of the comma (,) operator, which
2525         will be implemented in a subsequent patch. The comma operator requires
2526         both of its operands to be expressions.
2527
2528         * tests/stress/wasm-calls.js:
2529         * tests/stress/wasm/calls.wasm:
2530         * wasm/WASMConstants.h:
2531         * wasm/WASMFunctionParser.cpp:
2532         (JSC::WASMFunctionParser::parseStatement):
2533         (JSC::WASMFunctionParser::parseExpression):
2534         (JSC::WASMFunctionParser::parseExpressionI32):
2535         (JSC::WASMFunctionParser::parseExpressionF32):
2536         (JSC::WASMFunctionParser::parseExpressionF64):
2537         (JSC::WASMFunctionParser::parseExpressionVoid):
2538         (JSC::WASMFunctionParser::parseCallInternal):
2539         (JSC::WASMFunctionParser::parseCallIndirect):
2540         (JSC::WASMFunctionParser::parseCallImport):
2541         * wasm/WASMFunctionParser.h:
2542         * wasm/WASMReader.cpp:
2543         (JSC::WASMReader::readOpExpressionVoid):
2544         * wasm/WASMReader.h:
2545
2546 2015-09-21  Filip Pizlo  <fpizlo@apple.com>
2547
2548         JSC should infer property types
2549         https://bugs.webkit.org/show_bug.cgi?id=148610
2550
2551         Reviewed by Geoffrey Garen.
2552
2553         This change brings recursive type inference to JavaScript object properties in JSC. We check that a
2554         value being stored into a property obeys a property's type before we do the store. If it doesn't,
2555         we broaden the property's type to include the new value. If optimized code was relying on the old
2556         type, we deoptimize that code.
2557
2558         The type system that this supports includes important primitive types like Int32 and Boolean. But
2559         it goes further and also includes a type kind called ObjectWithStructure, which means that we
2560         expect the property to always point to objects with a particular structure. This only works for
2561         leaf structures (i.e. structures that have a valid transition watchpoint set). Invalidation of the
2562         transition set causes the property type to become Object (meaning an object with any structure).
2563         This capability gives us recursive type inference. It's possible for an expression like "o.f.g.h"
2564         to execute without any type checks if .f and .g are both ObjectWithStructure.
2565
2566         The type inference of a property is tracked by an InferredType instance, which is a JSCell. This
2567         means that it manages its own memory. That's convenient. For example, when the DFG is interested in
2568         one of these, it can just list the InferredType as a weak reference in addition to setting a
2569         watchpoint. This ensures that even if the InferredType is dropped by the owning structure, the DFG
2570         won't read a dangling pointer. A mapping from property name to InferredType is implemented by
2571         InferredTypeTable, which is also a JSCell. Each Structure may point to some InferredTypeTable.
2572
2573         This feature causes programs to be happier (run faster without otherwise doing bad things like
2574         using lots of memory) when four conditions hold:
2575
2576         1) A property converges to one of the types that we support.
2577         2) The property is loaded from more frequently than it is stored to.
2578         3) The stores are all cached, so that we statically emit a type check.
2579         4) We don't allocate a lot of meta-data for the property's type.
2580
2581         We maximize the likelihood of (1) by having a rich type system. But having a rich type system means
2582         that a reflective put to a property has to have a large switch over the inferred type to decide how
2583         to do the type check. That's why we need (3). We ensure (3) by having every reflective property
2584         store (i.e. putDirectInternal in any context that isn't PutById) force the inferred type to become
2585         Top. We don't really worry about ensuring (2); this is statistically true for most programs
2586         already.
2587
2588         Probably the most subtle trickery goes into (4). Logically we'd like to say that each
2589         (Structure, Property) maps to its own InferredType. If structure S1 has a transition edge to S2,
2590         then we could ensure that the InferredType I1 where (S1, Property)->I1 has a data flow constraint
2591         to I2 where (S2, Property)->I2. That would work, but it would involve a lot of memory. And when I1
2592         gets invalidated in some way, it would have to tell I2 about it, and then I2 might tell other
2593         InferredType objects downstream. That's madness. So, the first major compromise that we make here
2594         is to say that if some property has some InferredType at some Structure, then anytime we
2595         transition from that Structure, the new Structure shares the same InferredType for that property.
2596         This unifies the type of the property over the entire transition tree starting at the Structure at
2597         which the property was added. But this would still mean that each Structure would have its own
2598         InferredTypeTable. We don't want that because experience with PropertyTable shows that this can be
2599         a major memory hog. So, we don't create an InferredTypeTable until someone adds a property that is
2600         subject to type inference (i.e. it was added non-reflectively), and we share that InferredTypeTable
2601         with the entire structure transition tree rooted at the Structure that had the first inferred
2602         property. We also drop the InferredTypeTable anytime that we do a dictionary transition, and we
2603         don't allow further property type inference if a structure had ever been a dictionary.
2604
2605         This is a 3% speed-up on Octane and a 12% speed-up on Kraken on my setup. It's not a significant
2606         slow-down on any benchmark I ran.
2607
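        The inference rules described above, as an added model that is not JSC's code: an InferredType checks each cached store, broadens on a mismatch and invalidates the code that relied on the old type, falls from ObjectWithStructure to Object when its structure stops being a leaf, and goes to Top on a reflective store. The names, the Bottom state ("no store seen yet") and the watcher counters are assumptions; InferredTypeTable sharing across the transition tree is not modelled.

```cpp
#include <vector>

// Added illustration of the property type inference described in the entry
// above. Not JSC's code: the names, the Bottom state and the watcher counters
// are modelling assumptions.
enum class Kind { Bottom, Boolean, Int32, ObjectWithStructure, Object, Top };

struct Structure;

// A JS value reduced to what the type check needs.
struct Value {
    enum class Tag { Boolean, Int32, Double, Object };
    Value(Tag t, Structure* s = nullptr) : tag(t), structure(s) {}
    Tag tag;
    Structure* structure; // only meaningful when tag == Object
};

struct InferredType;

struct Structure {
    bool isLeaf = true; // transition watchpoint set is still valid
    std::vector<InferredType*> dependents; // ObjectWithStructure types relying on isLeaf
    void didTransition(); // invalidates the transition watchpoint set (defined below)
};

struct InferredType {
    Kind kind = Kind::Bottom;
    Structure* structure = nullptr; // meaningful when kind == ObjectWithStructure
    int watchers = 0;   // optimized code blocks compiled against the current type
    int deoptCount = 0; // code blocks invalidated so far

    // Models the DFG setting a watchpoint on this type.
    void compiledAgainst() { ++watchers; }

    static Kind kindOf(const Value& v) {
        switch (v.tag) {
        case Value::Tag::Boolean: return Kind::Boolean;
        case Value::Tag::Int32: return Kind::Int32;
        case Value::Tag::Object:
            return v.structure && v.structure->isLeaf ? Kind::ObjectWithStructure : Kind::Object;
        default: return Kind::Top; // a double has no narrower kind in this model
        }
    }

    bool obeys(const Value& v) const {
        switch (kind) {
        case Kind::Top: return true;
        case Kind::Bottom: return false;
        case Kind::Object: return v.tag == Value::Tag::Object;
        case Kind::ObjectWithStructure:
            return v.tag == Value::Tag::Object && v.structure == structure;
        default: return kindOf(v) == kind;
        }
    }

    // Broadening deoptimizes every code block that relied on the old type.
    void setKind(Kind newKind, Structure* newStructure) {
        kind = newKind;
        structure = newStructure;
        deoptCount += watchers;
        watchers = 0;
    }

    // Type check run before a cached (PutById) store. Returns true when the value
    // obeyed the inferred type, false when the type had to be broadened.
    bool willStoreValue(const Value& v) {
        if (obeys(v))
            return true;
        Kind incoming = kindOf(v);
        if (kind == Kind::Bottom) {
            setKind(incoming, incoming == Kind::ObjectWithStructure ? v.structure : nullptr);
            if (structure)
                structure->dependents.push_back(this);
        } else {
            bool bothObjects = (kind == Kind::ObjectWithStructure || kind == Kind::Object)
                && (incoming == Kind::ObjectWithStructure || incoming == Kind::Object);
            setKind(bothObjects ? Kind::Object : Kind::Top, nullptr);
        }
        return false;
    }

    // A reflective store (putDirectInternal outside PutById) gives up on inference.
    void makeTop() {
        if (kind != Kind::Top)
            setKind(Kind::Top, nullptr);
    }
};

// Once a structure has a transition it is no longer a leaf, so types that were
// ObjectWithStructure for it fall back to Object (an object with any structure).
void Structure::didTransition() {
    isLeaf = false;
    for (InferredType* t : dependents) {
        if (t->kind == Kind::ObjectWithStructure && t->structure == this)
            t->setKind(Kind::Object, nullptr);
    }
    dependents.clear();
}
```
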
2608         * CMakeLists.txt:
2609         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2610         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2611         * JavaScriptCore.xcodeproj/project.pbxproj:
2612         * assembler/MacroAssemblerARM64.h:
2613         (JSC::MacroAssemblerARM64::branchTest64):
2614         * assembler/MacroAssemblerX86_64.h:
2615         (JSC::MacroAssemblerX86_64::branchTest64):
2616         (JSC::MacroAssemblerX86_64::test64):
2617         * bytecode/PolymorphicAccess.cpp:
2618         (JSC::AccessCase::generate):
2619         * bytecode/PutByIdFlags.cpp:
2620         (WTF::printInternal):
2621         * bytecode/PutByIdFlags.h:
2622         (JSC::encodeStructureID):
2623         (JSC::decodeStructureID):
2624         * bytecode/PutByIdStatus.cpp:
2625         (JSC::PutByIdStatus::computeFromLLInt):
2626         (JSC::PutByIdStatus::computeFor):
2627         (JSC::PutByIdStatus::computeForStubInfo):
2628         * bytecode/PutByIdVariant.cpp:
2629         (JSC::PutByIdVariant::operator=):
2630         (JSC::PutByIdVariant::replace):
2631         (JSC::PutByIdVariant::transition):
2632         (JSC::PutByIdVariant::setter):
2633         (JSC::PutByIdVariant::attemptToMerge):
2634         (JSC::PutByIdVariant::dumpInContext):
2635         * bytecode/PutByIdVariant.h:
2636         (JSC::PutByIdVariant::newStructure):
2637         (JSC::PutByIdVariant::requiredType):
2638         * bytecode/UnlinkedCodeBlock.h:
2639         (JSC::UnlinkedInstruction::UnlinkedInstruction):
2640         * bytecode/Watchpoint.h:
2641         (JSC::InlineWatchpointSet::touch):
2642         (JSC::InlineWatchpointSet::isBeingWatched):
2643         * bytecompiler/BytecodeGenerator.cpp:
2644         (JSC::BytecodeGenerator::addConstantValue):
2645         (JSC::BytecodeGenerator::emitPutById):
2646         (JSC::BytecodeGenerator::emitDirectPutById):
2647         * dfg/DFGAbstractInterpreter.h:
2648         (JSC::DFG::AbstractInterpreter::filter):
2649         (JSC::DFG::AbstractInterpreter::filterByValue):
2650         * dfg/DFGAbstractInterpreterInlines.h:
2651         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2652         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filter):
2653         * dfg/DFGAbstractValue.cpp:
2654         (JSC::DFG::AbstractValue::setType):
2655         (JSC::DFG::AbstractValue::set):
2656         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2657         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2658         (JSC::DFG::AbstractValue::isType):
2659         (JSC::DFG::AbstractValue::filter):
2660         (JSC::DFG::AbstractValue::filterValueByType):
2661         * dfg/DFGAbstractValue.h:
2662         (JSC::DFG::AbstractValue::setType):
2663         (JSC::DFG::AbstractValue::isType):
2664         (JSC::DFG::AbstractValue::validate):
2665         * dfg/DFGByteCodeParser.cpp:
2666         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2667         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2668         (JSC::DFG::ByteCodeParser::handlePutByOffset):
2669         (JSC::DFG::ByteCodeParser::load):
2670         (JSC::DFG::ByteCodeParser::store):
2671         (JSC::DFG::ByteCodeParser::handleGetById):
2672         (JSC::DFG::ByteCodeParser::handlePutById):
2673         * dfg/DFGClobbersExitState.cpp:
2674         (JSC::DFG::clobbersExitState):
2675         * dfg/DFGConstantFoldingPhase.cpp:
2676         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2677         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2678         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2679         (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
2680         * dfg/DFGDesiredInferredType.h: Added.
2681         (JSC::DFG::DesiredInferredType::DesiredInferredType):
2682         (JSC::DFG::DesiredInferredType::operator bool):
2683         (JSC::DFG::DesiredInferredType::object):
2684         (JSC::DFG::DesiredInferredType::expected):
2685         (JSC::DFG::DesiredInferredType::isStillValid):
2686         (JSC::DFG::DesiredInferredType::add):
2687         (JSC::DFG::DesiredInferredType::operator==):
2688         (JSC::DFG::DesiredInferredType::operator!=):
2689         (JSC::DFG::DesiredInferredType::isHashTableDeletedValue):
2690         (JSC::DFG::DesiredInferredType::hash):
2691         (JSC::DFG::DesiredInferredType::dumpInContext):
2692         (JSC::DFG::DesiredInferredType::dump):
2693         (JSC::DFG::DesiredInferredTypeHash::hash):
2694         (JSC::DFG::DesiredInferredTypeHash::equal):
2695         * dfg/DFGDesiredWatchpoints.cpp:
2696         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2697         (JSC::DFG::InferredTypeAdaptor::add):
2698         (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
2699         (JSC::DFG::DesiredWatchpoints::~DesiredWatchpoints):
2700         (JSC::DFG::DesiredWatchpoints::addLazily):
2701         (JSC::DFG::DesiredWatchpoints::consider):
2702         (JSC::DFG::DesiredWatchpoints::reallyAdd):
2703         (JSC::DFG::DesiredWatchpoints::areStillValid):
2704         (JSC::DFG::DesiredWatchpoints::dumpInContext):
2705         * dfg/DFGDesiredWatchpoints.h:
2706         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::dumpInContext):
2707         (JSC::DFG::InferredTypeAdaptor::hasBeenInvalidated):
2708         (JSC::DFG::InferredTypeAdaptor::dumpInContext):
2709         (JSC::DFG::DesiredWatchpoints::isWatched):
2710         * dfg/DFGFixupPhase.cpp:
2711         (JSC::DFG::FixupPhase::fixupNode):
2712         * dfg/DFGGraph.cpp:
2713         (JSC::DFG::Graph::dump):
2714         (JSC::DFG::Graph::isSafeToLoad):
2715         (JSC::DFG::Graph::inferredTypeFor):
2716         (JSC::DFG::Graph::livenessFor):
2717         (JSC::DFG::Graph::tryGetConstantProperty):
2718         (JSC::DFG::Graph::inferredValueForProperty):
2719         (JSC::DFG::Graph::tryGetConstantClosureVar):
2720         * dfg/DFGGraph.h:
2721         (JSC::DFG::Graph::registerInferredType):
2722         (JSC::DFG::Graph::inferredTypeForProperty):
2723         * dfg/DFGInferredTypeCheck.cpp: Added.
2724         (JSC::DFG::insertInferredTypeCheck):
2725         * dfg/DFGInferredTypeCheck.h: Added.
2726         * dfg/DFGNode.h:
2727         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2728         * dfg/DFGPropertyTypeKey.h: Added.
2729         (JSC::DFG::PropertyTypeKey::PropertyTypeKey):
2730         (JSC::DFG::PropertyTypeKey::operator bool):
2731         (JSC::DFG::PropertyTypeKey::structure):
2732         (JSC::DFG::PropertyTypeKey::uid):
2733         (JSC::DFG::PropertyTypeKey::operator==):
2734         (JSC::DFG::PropertyTypeKey::operator!=):
2735         (JSC::DFG::PropertyTypeKey::hash):
2736         (JSC::DFG::PropertyTypeKey::isHashTableDeletedValue):
2737         (JSC::DFG::PropertyTypeKey::dumpInContext):
2738         (JSC::DFG::PropertyTypeKey::dump):
2739         (JSC::DFG::PropertyTypeKey::deletedUID):
2740         (JSC::DFG::PropertyTypeKeyHash::hash):
2741         (JSC::DFG::PropertyTypeKeyHash::equal):
2742         * dfg/DFGSafeToExecute.h:
2743         (JSC::DFG::SafeToExecuteEdge::operator()):
2744         (JSC::DFG::safeToExecute):
2745         * dfg/DFGSpeculativeJIT.cpp:
2746         (JSC::DFG::SpeculativeJIT::compileTypeOf):
2747         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2748         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2749         (JSC::DFG::SpeculativeJIT::speculateCell):
2750         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2751         (JSC::DFG::SpeculativeJIT::speculateObject):
2752         (JSC::DFG::SpeculativeJIT::speculate):
2753         * dfg/DFGSpeculativeJIT.h:
2754         * dfg/DFGSpeculativeJIT32_64.cpp:
2755         (JSC::DFG::SpeculativeJIT::compile):
2756         * dfg/DFGSpeculativeJIT64.cpp:
2757         (JSC::DFG::SpeculativeJIT::compile):
2758         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2759         * dfg/DFGStructureAbstractValue.h:
2760         (JSC::DFG::StructureAbstractValue::at):
2761         (JSC::DFG::StructureAbstractValue::operator[]):
2762         (JSC::DFG::StructureAbstractValue::onlyStructure):
2763         (JSC::DFG::StructureAbstractValue::forEach):
2764         * dfg/DFGUseKind.cpp:
2765         (WTF::printInternal):
2766         * dfg/DFGUseKind.h:
2767         (JSC::DFG::typeFilterFor):
2768         * dfg/DFGValidate.cpp:
2769         (JSC::DFG::Validate::validate):
2770         * ftl/FTLCapabilities.cpp:
2771         (JSC::FTL::canCompile):
2772         * ftl/FTLLowerDFGToLLVM.cpp:
2773         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckStructure):
2774         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckCell):
2775         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
2776         (JSC::FTL::DFG::LowerDFGToLLVM::numberOrNotCellToInt32):
2777         (JSC::FTL::DFG::LowerDFGToLLVM::checkInferredType):
2778         (JSC::FTL::DFG::LowerDFGToLLVM::loadProperty):
2779         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2780         (JSC::FTL::DFG::LowerDFGToLLVM::speculateCell):
2781         (JSC::FTL::DFG::LowerDFGToLLVM::speculateCellOrOther):
2782         (JSC::FTL::DFG::LowerDFGToLLVM::speculateMachineInt):
2783         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2784         * jit/AssemblyHelpers.cpp:
2785         (JSC::AssemblyHelpers::decodedCodeMapFor):
2786         (JSC::AssemblyHelpers::branchIfNotType):
2787         (JSC::AssemblyHelpers::purifyNaN):
2788         * jit/AssemblyHelpers.h:
2789         (JSC::AssemblyHelpers::branchIfEqual):
2790         (JSC::AssemblyHelpers::branchIfNotCell):
2791         (JSC::AssemblyHelpers::branchIfCell):
2792         (JSC::AssemblyHelpers::branchIfNotOther):
2793         (JSC::AssemblyHelpers::branchIfInt32):
2794         (JSC::AssemblyHelpers::branchIfNotInt32):
2795         (JSC::AssemblyHelpers::branchIfNumber):
2796         (JSC::AssemblyHelpers::branchIfNotNumber):
2797         (JSC::AssemblyHelpers::branchIfEmpty):
2798         (JSC::AssemblyHelpers::branchStructure):
2799         * jit/Repatch.cpp:
2800         (JSC::tryCachePutByID):
2801         * llint/LLIntSlowPaths.cpp:
2802         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2803         * llint/LowLevelInterpreter.asm:
2804         * llint/LowLevelInterpreter32_64.asm:
2805         * llint/LowLevelInterpreter64.asm:
2806         * runtime/InferredType.cpp: Added.
2807         (JSC::InferredType::create):
2808         (JSC::InferredType::destroy):
2809         (JSC::InferredType::createStructure):
2810         (JSC::InferredType::visitChildren):
2811         (JSC::InferredType::kindForFlags):
2812         (JSC::InferredType::Descriptor::forValue):
2813         (JSC::InferredType::Descriptor::forFlags):
2814         (JSC::InferredType::Descriptor::putByIdFlags):
2815         (JSC::InferredType::Descriptor::merge):
2816         (JSC::InferredType::Descriptor::removeStructure):
2817         (JSC::InferredType::Descriptor::subsumes):
2818         (JSC::InferredType::Descriptor::dumpInContext):
2819         (JSC::InferredType::Descriptor::dump):
2820         (JSC::InferredType::InferredType):
2821         (JSC::InferredType::~InferredType):
2822         (JSC::InferredType::canWatch):
2823         (JSC::InferredType::addWatchpoint):
2824         (JSC::InferredType::dump):
2825         (JSC::InferredType::willStoreValueSlow):
2826         (JSC::InferredType::makeTopSlow):
2827         (JSC::InferredType::set):
2828         (JSC::InferredType::removeStructure):
2829         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
2830         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally):
2831         (JSC::InferredType::InferredStructure::InferredStructure):
2832         (WTF::printInternal):
2833         * runtime/InferredType.h: Added.
2834         * runtime/InferredTypeTable.cpp: Added.
2835         (JSC::InferredTypeTable::create):
2836         (JSC::InferredTypeTable::destroy):
2837         (JSC::InferredTypeTable::createStructure):
2838         (JSC::InferredTypeTable::visitChildren):
2839         (JSC::InferredTypeTable::get):
2840         (JSC::InferredTypeTable::willStoreValue):
2841         (JSC::InferredTypeTable::makeTop):
2842         (JSC::InferredTypeTable::InferredTypeTable):
2843         (JSC::InferredTypeTable::~InferredTypeTable):
2844         * runtime/InferredTypeTable.h: Added.
2845         * runtime/JSObject.h:
2846         (JSC::JSObject::putDirectInternal):
2847         (JSC::JSObject::putDirectWithoutTransition):
2848         * runtime/Structure.cpp:
2849         (JSC::Structure::materializePropertyMap):
2850         (JSC::Structure::addPropertyTransition):
2851         (JSC::Structure::removePropertyTransition):
2852         (JSC::Structure::startWatchingInternalProperties):
2853         (JSC::Structure::willStoreValueSlow):
2854         (JSC::Structure::visitChildren):
2855         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2856         * runtime/Structure.h:
2857         (JSC::PropertyMapEntry::PropertyMapEntry):
2858         * runtime/StructureInlines.h:
2859         (JSC::Structure::get):
2860         * runtime/VM.cpp:
2861         (JSC::VM::VM):
2862         * runtime/VM.h:
2863         * tests/stress/prop-type-boolean-then-string.js: Added.
2864         * tests/stress/prop-type-int32-then-string.js: Added.
2865         * tests/stress/prop-type-number-then-string.js: Added.
2866         * tests/stress/prop-type-object-or-other-then-string.js: Added.
2867         * tests/stress/prop-type-object-then-string.js: Added.
2868         * tests/stress/prop-type-other-then-string.js: Added.
2869         * tests/stress/prop-type-string-then-object.js: Added.
2870         * tests/stress/prop-type-struct-or-other-then-string.js: Added.
2871         * tests/stress/prop-type-struct-then-object.js: Added.
2872         * tests/stress/prop-type-struct-then-object-opt.js: Added.
2873         * tests/stress/prop-type-struct-then-object-opt-fold.js: Added.
2874         * tests/stress/prop-type-struct-then-object-opt-multi.js: Added.
2875
2876 2015-09-21  Filip Pizlo  <fpizlo@apple.com>
2877
2878         WebCore shouldn't have to include DFG headers
2879         https://bugs.webkit.org/show_bug.cgi?id=149337
2880
2881         Reviewed by Michael Saboff.
2882
2883         This does some simple rewiring and outlining of CodeBlock/Heap functionality so that
2884         those headers don't have to include DFG headers. As a result, WebCore no longer includes
2885         DFG headers, except for two fairly innocent ones (DFGCommon.h and DFGCompilationMode.h).
2886         This also changes the Xcode project file so that all but those two headers are Project
2887         rather than Private. So, if WebCore accidentally includes any of them, we'll get a build
2888         error.
2889
2890         The main group of headers that this prevents WebCore from including are the DFGDesired*.h
2891         files and whatever those include. Those headers used to be fairly simple, but now they
2892         are growing in complexity (especially with things like http://webkit.org/b/148610). So,
2893         it makes sense to make sure they don't leak out of JSC.
2894
2895         * JavaScriptCore.xcodeproj/project.pbxproj:
2896         * bytecode/CallLinkInfo.cpp:
2897         (JSC::CallLinkInfo::CallLinkInfo):
2898         (JSC::CallLinkInfo::~CallLinkInfo):
2899         (JSC::CallLinkInfo::clearStub):
2900         (JSC::CallLinkInfo::visitWeak):
2901         (JSC::CallLinkInfo::setFrameShuffleData):
2902         * bytecode/CallLinkInfo.h:
2903         (JSC::CallLinkInfo::isVarargsCallType):
2904         (JSC::CallLinkInfo::specializationKindFor):
2905         (JSC::CallLinkInfo::frameShuffleData):
2906         (JSC::CallLinkInfo::CallLinkInfo): Deleted.
2907         (JSC::CallLinkInfo::~CallLinkInfo): Deleted.
2908         (JSC::CallLinkInfo::setFrameShuffleData): Deleted.
2909         * bytecode/CodeBlock.cpp:
2910         (JSC::CodeBlock::getOrAddArrayProfile):
2911         (JSC::CodeBlock::codeOrigins):
2912         (JSC::CodeBlock::numberOfDFGIdentifiers):
2913         (JSC::CodeBlock::identifier):
2914         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2915         * bytecode/CodeBlock.h:
2916         (JSC::CodeBlock::hasExpressionInfo):
2917         (JSC::CodeBlock::hasCodeOrigins):
2918         (JSC::CodeBlock::numberOfIdentifiers):
2919         (JSC::CodeBlock::identifier):
2920         (JSC::CodeBlock::codeOrigins): Deleted.
2921         (JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
2922         * bytecode/CodeOrigin.h:
2923         * dfg/DFGDesiredIdentifiers.cpp:
2924         * heap/Heap.cpp:
2925         (JSC::Heap::didFinishIterating):
2926         (JSC::Heap::completeAllDFGPlans):
2927         (JSC::Heap::markRoots):
2928         (JSC::Heap::deleteAllCodeBlocks):
2929         * heap/Heap.h:
2930         * heap/HeapInlines.h:
2931         (JSC::Heap::deprecatedReportExtraMemory):
2932         (JSC::Heap::forEachCodeBlock):
2933         (JSC::Heap::forEachProtectedCell):
2934         * runtime/Executable.h:
2935         * runtime/JSCInlines.h:
2936         (JSC::Heap::forEachCodeBlock): Deleted.
2937
2938 2015-09-21  Aleksandr Skachkov  <gskachkov@gmail.com>
2939
2940         Web Inspector: arrow function names are never inferred, call frames are labeled (anonymous function)
2941         https://bugs.webkit.org/show_bug.cgi?id=148318
2942
2943         Reviewed by Saam Barati.
2944
2945         Tiny change to support the inferred name in arrow functions.
2946
2947         * parser/ASTBuilder.h:
2948         (JSC::ASTBuilder::createAssignResolve):
2949
2950 2015-09-19  Aleksandr Skachkov  <gskachkov@gmail.com>
2951
2952         New tests introduced in r188545 fail on 32 bit ARM
2953         https://bugs.webkit.org/show_bug.cgi?id=148376
2954
2955         Reviewed by Saam Barati.
2956
2957         Added correct support for the ARM CPU in JIT functions that are related to arrow functions.
2958
2959
2960         * dfg/DFGSpeculativeJIT.cpp:
2961         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2962         * dfg/DFGSpeculativeJIT.h:
2963         (JSC::DFG::SpeculativeJIT::callOperation):
2964         * jit/JIT.h:
2965         * jit/JITInlines.h:
2966         (JSC::JIT::callOperation):
2967         * jit/JITOpcodes.cpp:
2968         (JSC::JIT::emitNewFuncExprCommon):
2969
2970 2015-09-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2971
2972         Implement Store expressions in WebAssembly
2973         https://bugs.webkit.org/show_bug.cgi?id=149395
2974
2975         Reviewed by Geoffrey Garen.
2976
2977         The Store instruction in WebAssembly stores a value in the linear memory
2978         at the given index. It can be both a statement and an expression. When
2979         it is an expression, it returns the assigned value. This patch
2980         implements Store as an expression.
2981
2982         Since Store uses two operands, which are the index and the value, we
2983         need to pop the two operands from the stack and push the value back to
2984         the stack. We can simply implement this by copying the value to where
2985         the index is in the stack.
2986
2987         * tests/stress/wasm-linear-memory.js:
2988         * wasm/WASMFunctionCompiler.h:
2989         (JSC::WASMFunctionCompiler::buildStore):
2990         * wasm/WASMFunctionParser.cpp:
2991         (JSC::WASMFunctionParser::parseStatement):
2992         (JSC::WASMFunctionParser::parseExpressionI32):
2993         (JSC::WASMFunctionParser::parseExpressionF32):
2994         (JSC::WASMFunctionParser::parseExpressionF64):
2995         (JSC::WASMFunctionParser::parseStore):
2996         * wasm/WASMFunctionParser.h:
2997         * wasm/WASMFunctionSyntaxChecker.h:
2998         (JSC::WASMFunctionSyntaxChecker::buildStore):
2999
3000 2015-09-20  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3001
3002         Implement SetLocal and SetGlobal expressions in WebAssembly
3003         https://bugs.webkit.org/show_bug.cgi?id=149383
3004
3005         Reviewed by Saam Barati.
3006
3007         SetLocal and SetGlobal in WebAssembly can be both statements and
3008         expressions. We have implemented the statement version. This patch
3009         implements the expression version.
3010
3011         SetLocal and SetGlobal expressions return the assigned value.
3012         Since SetLocal and SetGlobal use only one operand, which is the assigned
3013         value, we can simply implement them by not removing the value from the
3014         top of the stack.
3015
3016         * tests/stress/wasm-globals.js:
3017         * tests/stress/wasm-locals.js:
3018         * tests/stress/wasm/globals.wasm:
3019         * tests/stress/wasm/locals.wasm:
3020         * wasm/WASMConstants.h:
3021         * wasm/WASMFunctionCompiler.h:
3022         (JSC::WASMFunctionCompiler::buildSetLocal):
3023         (JSC::WASMFunctionCompiler::buildSetGlobal):
3024         * wasm/WASMFunctionParser.cpp:
3025         (JSC::WASMFunctionParser::parseStatement):
3026         (JSC::WASMFunctionParser::parseExpressionI32):
3027         (JSC::WASMFunctionParser::parseExpressionF32):
3028         (JSC::WASMFunctionParser::parseExpressionF64):
3029         (JSC::WASMFunctionParser::parseSetLocal):
3030         (JSC::WASMFunctionParser::parseSetGlobal):
3031         (JSC::WASMFunctionParser::parseSetLocalStatement): Deleted.
3032         (JSC::WASMFunctionParser::parseSetGlobalStatement): Deleted.
3033         * wasm/WASMFunctionParser.h:
3034         * wasm/WASMFunctionSyntaxChecker.h:
3035         (JSC::WASMFunctionSyntaxChecker::buildSetLocal):
3036         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal):
3037
3038 2015-09-19  Aleksandr Skachkov  <gskachkov@gmail.com>
3039
3040         [ES6] Added controlFlowProfiler test for arrow function
3041         https://bugs.webkit.org/show_bug.cgi?id=145638
3042
3043         Reviewed by Saam Barati.
3044
3045         * Source/JavaScriptCore/tests/controlFlowProfiler/arrowfunction-expression.js: Added.
3046
3047 2015-09-20  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3048
3049         Remove XHR_TIMEOUT compilation guard
3050         https://bugs.webkit.org/show_bug.cgi?id=149260
3051
3052         Reviewed by Benjamin Poulain.
3053
3054         * Configurations/FeatureDefines.xcconfig:
3055
3056 2015-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3057
3058         [GTK] Unreviewed, should check the result of fread
3059         https://bugs.webkit.org/show_bug.cgi?id=148917
3060
3061         Suppress the build warning on GTK with GCC.
3062
3063         * jsc.cpp:
3064         (fillBufferWithContentsOfFile):
3065         (fetchModuleFromLocalFileSystem):
3066
3067 2015-09-19  Saam barati  <sbarati@apple.com>
3068
3069         VariableEnvironmentNode should inherit from ParserArenaDeletable because VariableEnvironments must have their destructors run
3070         https://bugs.webkit.org/show_bug.cgi?id=149359
3071
3072         Reviewed by Andreas Kling.
3073
3074         VariableEnvironment must have its destructor run.
3075         Therefore, VariableEnvironmentNode should inherit from ParserArenaDeletable.
3076         Also, anything that inherits from VariableEnvironmentNode must use
3077         ParserArenaDeletable's operator new. Also, any other nodes that own
3078         a VariableEnvironment must also have their destructors run.
3079
3080         * parser/Nodes.h:
3081         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3082
3083 2015-09-18  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3084
3085         Remove duplicate code in the WebAssembly parser
3086         https://bugs.webkit.org/show_bug.cgi?id=149361
3087
3088         Reviewed by Saam Barati.
3089
3090         Refactor the methods for parsing GetLocal and GetGlobal in WebAssembly
3091         to remove duplicate code.
3092
3093         * wasm/WASMFunctionParser.cpp:
3094         (JSC::nameOfType):
3095         (JSC::WASMFunctionParser::parseExpressionI32):
3096         (JSC::WASMFunctionParser::parseExpressionF32):
3097         (JSC::WASMFunctionParser::parseExpressionF64):
3098         (JSC::WASMFunctionParser::parseUnaryExpressionF64):
3099         (JSC::WASMFunctionParser::parseBinaryExpressionF64):
3100         (JSC::WASMFunctionParser::parseGetLocalExpression):
3101         (JSC::WASMFunctionParser::parseGetGlobalExpression):
3102         (JSC::WASMFunctionParser::parseGetLocalExpressionI32): Deleted.
3103         (JSC::WASMFunctionParser::parseGetGlobalExpressionI32): Deleted.
3104         (JSC::WASMFunctionParser::parseGetLocalExpressionF32): Deleted.
3105         (JSC::WASMFunctionParser::parseGetGlobalExpressionF32): Deleted.
3106         (JSC::WASMFunctionParser::parseGetLocalExpressionF64): Deleted.
3107         (JSC::WASMFunctionParser::parseGetGlobalExpressionF64): Deleted.
3108         * wasm/WASMFunctionParser.h:
3109
3110 2015-09-18  Saam barati  <sbarati@apple.com>
3111
3112         Refactor common code between GetCatchHandlerFunctor and UnwindFunctor
3113         https://bugs.webkit.org/show_bug.cgi?id=149276
3114
3115         Reviewed by Mark Lam.
3116
3117         There is currently code copy-pasted between these
3118         two functors. Let's not do that. It's better to write
3119         a function, even if the function is small.
3120
3121         I also did a bit of renaming to make the intent of the
3122         unwindCallFrame function clear. The name of the function
3123         didn't really indicate what it did. It decided if it was
3124         okay to unwind further, and it also notified the debugger.
3125         I've renamed the function to notifyDebuggerOfUnwinding.
3126         And I've inlined the logic of deciding if it's okay
3127         to unwind further into UnwindFunctor itself.
3128
3129         * interpreter/Interpreter.cpp:
3130         (JSC::Interpreter::isOpcode):
3131         (JSC::getStackFrameCodeType):
3132         (JSC::Interpreter::stackTraceAsString):
3133         (JSC::findExceptionHandler):
3134         (JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor):
3135         (JSC::GetCatchHandlerFunctor::operator()):
3136         (JSC::notifyDebuggerOfUnwinding):
3137         (JSC::UnwindFunctor::UnwindFunctor):
3138         (JSC::UnwindFunctor::operator()):
3139         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
3140         (JSC::unwindCallFrame): Deleted.
3141
3142 2015-09-18  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3143
3144         Implement the arithmetic instructions for doubles in WebAssembly
3145         https://bugs.webkit.org/show_bug.cgi?id=148945
3146
3147         Reviewed by Geoffrey Garen.
3148
3149         This patch implements the arithmetic instructions for doubles (float64)
3150         in WebAssembly.
3151
3152         * tests/stress/wasm-arithmetic-float64.js:
3153         * tests/stress/wasm/arithmetic-float64.wasm:
3154         * wasm/WASMFunctionCompiler.h:
3155         (JSC::WASMFunctionCompiler::buildUnaryF64):
3156         (JSC::WASMFunctionCompiler::buildBinaryF64):
3157         (JSC::WASMFunctionCompiler::callOperation):
3158         * wasm/WASMFunctionParser.cpp:
3159         (JSC::WASMFunctionParser::parseExpressionF64):
3160         (JSC::WASMFunctionParser::parseUnaryExpressionF64):
3161         (JSC::WASMFunctionParser::parseBinaryExpressionF64):
3162         * wasm/WASMFunctionParser.h:
3163         * wasm/WASMFunctionSyntaxChecker.h:
3164         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64):
3165         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32):
3166         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64):
3167
3168 2015-09-18  Basile Clement  <basile_clement@apple.com>
3169
3170         [ES6] Tail call fast path should efficiently reuse the frame's stack space
3171         https://bugs.webkit.org/show_bug.cgi?id=148662
3172
3173         Reviewed by Geoffrey Garen.
3174
3175         This introduces a new class (CallFrameShuffler) that is responsible for
3176         efficiently building the new frames when performing a tail call. In
3177         order for Repatch to know about the position of arguments on the
3178         stack/registers (e.g. for polymorphic call inline caches), we store a
3179         CallFrameShuffleData in the CallLinkInfo. Otherwise, the JIT and DFG
3180         compiler are now using CallFrameShuffler instead of
3181         CCallHelpers::prepareForTailCallSlow() to build the frame for a tail
3182         call.
3183
3184         When taking a slow path, we still build the frame as if doing a regular
3185         call, because we could throw an exception and need the caller's frame
3186         at that point. This means that for virtual calls, we don't benefit from
3187         the efficient frame move for now.
3188
3189         * CMakeLists.txt:
3190         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3191         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3192         * JavaScriptCore.xcodeproj/project.pbxproj:
3193         * assembler/ARMv7Assembler.h:
3194         (JSC::ARMv7Assembler::firstRegister):
3195         (JSC::ARMv7Assembler::lastRegister):
3196         (JSC::ARMv7Assembler::firstFPRegister):
3197         (JSC::ARMv7Assembler::lastFPRegister):
3198         * assembler/AbortReason.h:
3199         * bytecode/CallLinkInfo.h:
3200         (JSC::CallLinkInfo::setFrameShuffleData):
3201         (JSC::CallLinkInfo::frameShuffleData):
3202         * bytecode/ValueRecovery.h:
3203         (JSC::ValueRecovery::inRegister):
3204         * dfg/DFGGenerationInfo.h:
3205         (JSC::DFG::GenerationInfo::recovery):
3206         * jit/CachedRecovery.cpp: Added.
3207         (JSC::CachedRecovery::loadsIntoFPR):
3208         (JSC::CachedRecovery::loadsIntoGPR):
3209         * jit/CachedRecovery.h: Added.
3210         (JSC::CachedRecovery::CachedRecovery):
3211         (JSC::CachedRecovery::targets):
3212         (JSC::CachedRecovery::addTarget):
3213         (JSC::CachedRecovery::removeTarget):
3214         (JSC::CachedRecovery::clearTargets):
3215         (JSC::CachedRecovery::setWantedJSValueRegs):
3216         (JSC::CachedRecovery::setWantedFPR):
3217         (JSC::CachedRecovery::boxingRequiresGPR):
3218         (JSC::CachedRecovery::boxingRequiresFPR):
3219         (JSC::CachedRecovery::recovery):
3220         (JSC::CachedRecovery::setRecovery):
3221         (JSC::CachedRecovery::wantedJSValueRegs):
3222         (JSC::CachedRecovery::wantedFPR):
3223         * jit/CallFrameShuffleData.cpp: Added.
3224         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
3225         * jit/CallFrameShuffleData.h: Added.
3226         * jit/CallFrameShuffler.cpp: Added.
3227         (JSC::CallFrameShuffler::CallFrameShuffler):
3228         (JSC::CallFrameShuffler::dump):
3229         (JSC::CallFrameShuffler::getCachedRecovery):
3230         (JSC::CallFrameShuffler::setCachedRecovery):
3231         (JSC::CallFrameShuffler::spill):
3232         (JSC::CallFrameShuffler::emitDeltaCheck):
3233         (JSC::CallFrameShuffler::prepareForSlowPath):
3234         (JSC::CallFrameShuffler::prepareForTailCall):
3235         (JSC::CallFrameShuffler::tryWrites):
3236         (JSC::CallFrameShuffler::performSafeWrites):
3237         (JSC::CallFrameShuffler::prepareAny):
3238         * jit/CallFrameShuffler.h: Added.
3239         (JSC::CallFrameShuffler::lockGPR):
3240         (JSC::CallFrameShuffler::acquireGPR):
3241         (JSC::CallFrameShuffler::releaseGPR):
3242         (JSC::CallFrameShuffler::snapshot):
3243         (JSC::CallFrameShuffler::setCalleeJSValueRegs):
3244         (JSC::CallFrameShuffler::assumeCalleeIsCell):
3245         (JSC::CallFrameShuffler::canBox):
3246         (JSC::CallFrameShuffler::ensureBox):
3247         (JSC::CallFrameShuffler::ensureLoad):
3248         (JSC::CallFrameShuffler::canLoadAndBox):
3249         (JSC::CallFrameShuffler::updateRecovery):
3250         (JSC::CallFrameShuffler::clearCachedRecovery):
3251         (JSC::CallFrameShuffler::addCachedRecovery):
3252         (JSC::CallFrameShuffler::numLocals):
3253         (JSC::CallFrameShuffler::getOld):
3254         (JSC::CallFrameShuffler::setOld):
3255         (JSC::CallFrameShuffler::firstOld):
3256         (JSC::CallFrameShuffler::lastOld):
3257         (JSC::CallFrameShuffler::isValidOld):
3258         (JSC::CallFrameShuffler::argCount):
3259         (JSC::CallFrameShuffler::getNew):
3260         (JSC::CallFrameShuffler::setNew):
3261         (JSC::CallFrameShuffler::addNew):
3262         (JSC::CallFrameShuffler::firstNew):
3263         (JSC::CallFrameShuffler::lastNew):
3264         (JSC::CallFrameShuffler::isValidNew):
3265         (JSC::CallFrameShuffler::newAsOld):
3266         (JSC::CallFrameShuffler::getFreeRegister):
3267         (JSC::CallFrameShuffler::getFreeGPR):
3268         (JSC::CallFrameShuffler::getFreeFPR):
3269         (JSC::CallFrameShuffler::hasFreeRegister):
3270         (JSC::CallFrameShuffler::ensureRegister):
3271         (JSC::CallFrameShuffler::ensureGPR):
3272         (JSC::CallFrameShuffler::ensureFPR):
3273         (JSC::CallFrameShuffler::addressForOld):
3274         (JSC::CallFrameShuffler::isUndecided):
3275         (JSC::CallFrameShuffler::isSlowPath):
3276         (JSC::CallFrameShuffler::addressForNew):
3277         (JSC::CallFrameShuffler::dangerFrontier):
3278         (JSC::CallFrameShuffler::isDangerNew):
3279         (JSC::CallFrameShuffler::updateDangerFrontier):
3280         (JSC::CallFrameShuffler::hasOnlySafeWrites):
3281         * jit/CallFrameShuffler32_64.cpp: Added.
3282         (JSC::CallFrameShuffler::emitStore):
3283         (JSC::CallFrameShuffler::emitBox):
3284         (JSC::CallFrameShuffler::emitLoad):
3285         (JSC::CallFrameShuffler::canLoad):
3286         (JSC::CallFrameShuffler::emitDisplace):
3287         * jit/CallFrameShuffler64.cpp: Added.
3288         (JSC::CallFrameShuffler::emitStore):
3289         (JSC::CallFrameShuffler::emitBox):
3290         (JSC::CallFrameShuffler::emitLoad):
3291         (JSC::CallFrameShuffler::canLoad):
3292         (JSC::CallFrameShuffler::emitDisplace):
3293         * jit/JITCall.cpp:
3294         (JSC::JIT::compileOpCall):
3295         (JSC::JIT::compileOpCallSlowCase):
3296         * jit/RegisterMap.cpp:
3297         (JSC::RegisterMap::RegisterMap):
3298         (JSC::GPRMap::GPRMap):
3299         (JSC::FPRMap::FPRMap):
3300         * jit/Repatch.cpp:
3301         (JSC::linkPolymorphicCall):
3302
3303 2015-09-18  Saam barati  <sbarati@apple.com>
3304
3305         Implement try/catch in the DFG.
3306         https://bugs.webkit.org/show_bug.cgi?id=147374
3307
3308         Reviewed by Filip Pizlo.
3309
3310         This patch implements try/catch inside the DFG JIT.
3311         It also prevents tier up to the FTL for any functions
3312         that have an op_catch in them that are DFG compiled.
3313
3314         This patch accomplishes implementing try/catch inside
3315         the DFG by OSR exiting to op_catch when an exception is thrown.
3316         We can OSR exit from an exception inside the DFG in two ways:
3317         1) We have a JS call (can also be via implicit getter/setter in GetById/PutById)
3318         2) We have an exception when returning from a callOperation
3319
3320         In the case of (1), we get to the OSR exit from genericUnwind because
3321         the exception was thrown in a child call frame. This means these
3322         OSR exits must act as de facto op_catches (even though we will still OSR
3323         exit to a baseline op_catch). That means they must restore the stack pointer
3324         and call frame.
3325
3326         In the case of (2), we can skip genericUnwind because we know the exception
3327         check will take us to a particular OSR exit. Instead, we link these
3328         exception checks as jumps to a particular OSR exit.
3329
3330         Both types of OSR exits will exit into op_catch inside the baseline JIT.
3331         Because they exit to op_catch, these OSR exits must set callFrameForCatch
3332         to the proper call frame pointer.
3333
3334         We "handle" all exceptions inside the machine frame of the DFG code
3335         block. This means the machine code block is responsible for "catching"
3336         exceptions of any inlined frames' try/catch. OSR exit will then exit to
3337         the proper baseline CodeBlock after reifying the inlined frames
3338         (DFG::OSRExit::m_codeOrigin corresponds to the op_catch we will exit to).
3339         Also, genericUnwind will never consult an inlined call frame's CodeBlock to
3340         see if they can catch the exception because they can't. We always unwind to the
3341         next machine code block frame. The DFG CodeBlock changes how the exception
3342         handler table is keyed: it is now keyed by CallSiteIndex for DFG code blocks.
3343
3344         So, when consulting call sites that throw, we keep track of the CallSiteIndex,
3345         and the HandlerInfo for the corresponding baseline exception handler for
3346         that particular CallSiteIndex (if an exception at that call site will be caught).
3347         Then, when we're inside DFG::JITCompiler::link(), we install new HandlerInfo's
3348         inside the DFG CodeBlock and key it by the corresponding CallSiteIndex.
3349         (The CodeBlock only has HandlerInfos for the OSR exits that are to be arrived
3350         at from genericUnwind).
3351
3352         Also, each OSR exit will know if it is acting as an exception handler, and
3353         whether or not it will be arrived at from genericUnwind. When we know we
3354         will arrive at an OSR exit from genericUnwind, we set the corresponding