regExpProtoFuncSplitFast should OOM before it swaps
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-05-27  Filip Pizlo  <fpizlo@apple.com>

        regExpProtoFuncSplitFast should OOM before it swaps
        https://bugs.webkit.org/show_bug.cgi?id=158157

        Reviewed by Mark Lam.

        This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
        sooner that running a regexp split will result in swapping. It uses the same basic
        approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
        size threshold, we proceed with a dry run to see how big the array will get before
        allocating anything else. This way, bogus uses of split that would have OOMed only after
        killing the user's machine will now OOM before killing the user's machine.

        This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
        time to running instantly.

        * runtime/RegExpPrototype.cpp:
        (JSC::advanceStringIndex):
        (JSC::genericSplit):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        * tests/stress/big-split-captures.js: Added.
        * tests/stress/big-split.js: Added.

2016-05-27  Saam barati  <sbarati@apple.com>

        ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
        https://bugs.webkit.org/show_bug.cgi?id=158131

        Reviewed by Yusuke Suzuki.

        There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
        frame(s) are tail deleted.

        DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
        tail deleted. This is clearly wrong. The following program proves that this assertion
        was misguided:
        ```
        "use strict";
        setTimeout(function foo() { return bar(); }, 0);
        ```

        ShadowChicken had a very subtle bug when creating the shadow stack when
        the entry frames of the stack were tail deleted. Because it places frames into its shadow
        stack by walking the machine frame and looking up entries in the log,
        the machine frame doesn't have any notion of those tail deleted frames
        at the entry of execution. ShadowChicken would never find those frames
        because it would look for tail deleted frames *before* consulting the
        current machine frame. This is wrong because if the entry frames
        are tail deleted, then there is no machine frame for them because there
        is no machine frame before them! Therefore, we must search for tail deleted
        frames *after* consulting a machine frame. This is sound because we will always
        have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
        So when we consult the machine frame that is the entry frame on the machine stack,
        we will search for tail deleted frames that come before it in the shadow stack.
        This will allow us to find those tail deleted frames that are the entry frames
        for the shadow stack.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::Packet::dump):
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::dump):

2016-05-27  Chris Dumez  <cdumez@apple.com>

        WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
        https://bugs.webkit.org/show_bug.cgi?id=158111

        Reviewed by Darin Adler.

        WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
        These are often used cross-thread and copying the captured lambda variables can be
        dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
        capture).

        * runtime/Watchdog.cpp:
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::Watchdog): Deleted.
        (JSC::Watchdog::setTimeLimit): Deleted.
        * runtime/Watchdog.h:

2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>

        Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=158159

        Reviewed by Darin Adler.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2016-05-27  Keith Miller  <keith_miller@apple.com>

        get_by_id should support caching unset properties in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=158136

        Reviewed by Benjamin Poulain.

        Recently, we started supporting prototype load caching for get_by_id
        in the LLInt. This patch extends that to caching unset properties.
        While it is uncommon in general for a program to see a single structure
        without a given property, the Array.prototype.concat function needs to
        lookup the Symbol.isConcatSpreadable property. For any existing code
        that property will never be set as it did not exist prior to ES6.

        Similarly to the get_by_id_proto_load bytecode, this patch adds a new
        bytecode, get_by_id_unset, that checks the structureID of the base and
        assigns undefined to the result.

        There are no new tests here since we already have many tests that
        incidentally cover this change.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2016-05-26  Filip Pizlo  <fpizlo@apple.com>

        Bogus uses of regexp matching should realize that they will OOM before they start swapping
        https://bugs.webkit.org/show_bug.cgi?id=158142

        Reviewed by Michael Saboff.

        Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
        advantage of this to make the code more resilient in case of absurd situations: if the
        result array gets large, it proceeds with a dry run to detect how many matches there will
        be. This allows it to OOM before it starts swapping.

        This also improves the overall performance of the code by using lightweight substrings and
        skipping the whole intermediate argument array.

        This makes some jsfunfuzz tests run a lot faster and use a lot less memory.

        * builtins/RegExpPrototype.js:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/MatchResult.cpp: Added.
        (JSC::MatchResult::dump):
        * runtime/MatchResult.h:
        (JSC::MatchResult::empty):
        (MatchResult::empty): Deleted.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        (JSC::collectMatches):
        (JSC::RegExpObject::matchGlobal):
        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.

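The dry-run idea shared by this entry and the regExpProtoFuncSplitFast entry above, as an added C++ example that is not JavaScriptCore code: a regexp split that materialises pieces only until the result crosses a threshold, then counts the remaining pieces without allocating and reports out-of-memory before the array is allowed to grow further. The thresholds, the SplitResult type and the helper names are this example's own assumptions, and its empty-match handling is a simplified advanceStringIndex with no surrogate-pair handling.

```cpp
// Added example, not JavaScriptCore code: split with a dry run before the
// result array is allowed to grow without bound.
#include <cstddef>
#include <functional>
#include <regex>
#include <string>
#include <vector>

// Tunables for this example only; the thresholds JSC uses are not on the page.
constexpr std::size_t kDryRunThreshold = 8;     // pieces materialised before we switch to counting
constexpr std::size_t kMaxResultLength = 1000;  // a larger result is treated as out of memory

struct SplitResult {
    std::vector<std::string> pieces;
    bool outOfMemory = false;
};

using PieceVisitor = std::function<bool(std::size_t begin, std::size_t end, bool last)>;

// Drive the ECMAScript split loop from position p: try a sticky match at every
// index q, skip empty matches that would not advance past p (a simplified
// advanceStringIndex), and hand each piece [begin, end) to onPiece. Returns
// true once the trailing piece has been reported; returns false, with p set to
// where the next piece starts, when onPiece asked to pause so the caller can
// resume from the same state later.
static bool walkSplit(const std::string& s, const std::regex& re, std::size_t& p, const PieceVisitor& onPiece)
{
    const char* base = s.data();
    std::size_t q = p;
    while (q < s.size()) {
        std::cmatch m;
        auto flags = std::regex_constants::match_continuous;
        if (q > 0)
            flags = flags | std::regex_constants::match_prev_avail;
        if (!std::regex_search(base + q, base + s.size(), m, re, flags)) {
            ++q;
            continue;
        }
        std::size_t e = q + static_cast<std::size_t>(m.length(0));
        if (e == p) {            // empty match at p: no piece here, move on
            ++q;
            continue;
        }
        bool keepGoing = onPiece(p, q, false);
        p = e;
        q = p;
        if (!keepGoing)
            return false;
    }
    onPiece(p, s.size(), true);
    p = s.size();
    return true;
}

// Materialise pieces until the result crosses kDryRunThreshold. Then count the
// remaining pieces without allocating (the dry run); if the total would exceed
// kMaxResultLength, fail with outOfMemory before allocating anything else,
// otherwise reserve exactly what is needed and resume materialising.
SplitResult splitWithDryRun(const std::string& s, const std::regex& re)
{
    SplitResult result;
    std::size_t p = 0;
    bool finished = walkSplit(s, re, p, [&](std::size_t b, std::size_t e, bool last) {
        result.pieces.emplace_back(s, b, e - b);
        return last || result.pieces.size() < kDryRunThreshold;
    });
    if (finished)
        return result;

    std::size_t remaining = 0;
    std::size_t probe = p;   // dry run: same loop, same start, nothing allocated
    walkSplit(s, re, probe, [&](std::size_t, std::size_t, bool) {
        ++remaining;
        return true;
    });
    if (result.pieces.size() + remaining > kMaxResultLength) {
        result.pieces.clear();
        result.outOfMemory = true;
        return result;
    }

    result.pieces.reserve(result.pieces.size() + remaining);
    walkSplit(s, re, p, [&](std::size_t b, std::size_t e, bool) {
        result.pieces.emplace_back(s, b, e - b);
        return true;
    });
    return result;
}

// Helpers so results are easy to check: piece count (-1 on OOM) and the pieces joined with '|'.
long long splitPieceCount(const std::string& s, const std::string& pattern)
{
    SplitResult r = splitWithDryRun(s, std::regex(pattern));
    return r.outOfMemory ? -1 : static_cast<long long>(r.pieces.size());
}

std::string splitJoined(const std::string& s, const std::string& pattern)
{
    SplitResult r = splitWithDryRun(s, std::regex(pattern));
    if (r.outOfMemory)
        return "OOM";
    std::string out;
    for (std::size_t i = 0; i < r.pieces.size(); ++i)
        out += (i ? "|" : "") + r.pieces[i];
    return out;
}
```

With the example's small threshold, a ten-piece split crosses into the dry run and resumes, while a string of two thousand separators is rejected as OOM after materialising only eight pieces.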
2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Static table property lookup should not require getOwnPropertySlot override.
        https://bugs.webkit.org/show_bug.cgi?id=158059

        Reviewed by Darin Adler.

        Currently JSObject does not handle property lookup of entries in the static
        table. Each subclass with static properties must override getOwnPropertySlot,
        and explicitly call the lookup functions. This has the following drawbacks:

        - Performance: for any class with static properties, property access becomes
          virtual (via method table).
        - Poor encapsulation: implementation detail of static property access is
          spread throughout & cross projects, rather than being contained in JSObject.
        - Code size: this results in a great many additional functions.
        - Inconsistency: static table presence has to be taken into account in many
          other operations, e.g. presence of read-only properties for put.
        - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
          all properties. This is likely suboptimal.

        Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
        able to handle static properties.

        This is actually a fairly small & simple change.

        The common pattern is for subclasses of JSObject to override getOwnPropertySlot
        to first defer to JSObject for property storage lookup, and only if this fails
        consult the static table. They just want the static tables to be consulted after
        regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
        to check, and where it is set, do so. Then it's just a question of switching
        classes over to start setting this flag, and drop the override.

        The new mechanism does change static table lookup order from oldest-ancestor
        first to most-derived first. The new ordering makes more sense (means derived
        class static tables can now override entries from parents), and shouldn't affect
        any existing code (since overriding didn't previously work, there likely aren't
        shadowing properties in more derived types).

        This patch changes all classes in JavaScriptCore over to using the new mechanism,
        except JSGlobalObject. I'll move classes in WebCore over as a separate patch
        (this is also why I've not moved JSGlobalObject in this patch - doing so would
        move JSDOMWindow, and I'd rather handle that separately).

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
            - Add HasStaticPropertyTable flag.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
            - Change setUpStaticFunctionSlot to take a VM&.
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
            - Added helper function to perform static lookup alone.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
            - setUpStaticFunctionSlot changed to take a VM&.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnStaticPropertySlot):
            - Added, walks ClassInfo chain looking for static properties.
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnNonIndexPropertySlot):
            - getOwnNonIndexPropertySlot is used internally by getPropertySlot
              & getOwnPropertySlot. If property is not present in storage array
              then check the static table.
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::constructArrayWithSizeQuirk):
        (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        (JSC::ArrayIteratorPrototype::create):
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        (JSC::millisecondsFromComponents):
        (JSC::DateConstructor::getOwnPropertySlot): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToString):
        (JSC::DatePrototype::getOwnPropertySlot): Deleted.
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/GeneratorPrototype.h:
        (JSC::GeneratorPrototype::create):
        (JSC::GeneratorPrototype::createStructure):
        (JSC::GeneratorPrototype::GeneratorPrototype):
        * runtime/InspectorInstrumentationObject.cpp:
        (JSC::InspectorInstrumentationObject::finishCreation):
        (JSC::InspectorInstrumentationObject::isEnabled):
        (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
        * runtime/InspectorInstrumentationObject.h:
        (JSC::InspectorInstrumentationObject::create):
        (JSC::InspectorInstrumentationObject::createStructure):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::getData):
        (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
        * runtime/JSDataViewPrototype.h:
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::getCallData):
        (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::Walker):
        (JSC::JSONObject::getOwnPropertySlot): Deleted.
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
        * runtime/JSPromisePrototype.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::getMap):
        (JSC::MapPrototype::getOwnPropertySlot): Deleted.
        * runtime/MapPrototype.h:
        (JSC::MapPrototype::create):
        (JSC::MapPrototype::MapPrototype):
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::finishCreation):
        (JSC::printableModuleKey):
        (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
        * runtime/ModuleLoaderObject.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        (JSC::toThisNumber):
        (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::addDefineProperty):
        (JSC::constructObject):
        (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        (JSC::ObjectConstructor::createStructure):
        * runtime/ReflectObject.cpp:
        (JSC::ReflectObject::finishCreation):
        (JSC::ReflectObject::getOwnPropertySlot): Deleted.
        * runtime/ReflectObject.h:
        (JSC::ReflectObject::create):
        (JSC::ReflectObject::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getRightContext):
        (JSC::regExpConstructorDollar):
        (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (JSC::RegExpConstructor::createStructure):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::getSet):
        (JSC::SetPrototype::getOwnPropertySlot): Deleted.
        * runtime/SetPrototype.h:
        (JSC::SetPrototype::create):
        (JSC::SetPrototype::SetPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        (JSC::stringFromCharCodeSlowCase):
        (JSC::StringConstructor::getOwnPropertySlot): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/StringIteratorPrototype.h:
        (JSC::StringIteratorPrototype::create):
        (JSC::StringIteratorPrototype::StringIteratorPrototype):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::create):
        (JSC::substituteBackreferencesSlow):
        (JSC::StringPrototype::getOwnPropertySlot): Deleted.
        * runtime/StringPrototype.h:
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::create):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
        * runtime/SymbolPrototype.h:
        (JSC::SymbolPrototype::create):
            - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.

2016-05-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201436.
        https://bugs.webkit.org/show_bug.cgi?id=158143

        Caused 30% regression on Dromaeo DOM core tests (Requested by
        rniwa on #webkit).

        Reverted changeset:

        "REGRESSION: JSBench spends a lot of time transitioning
        to/from dictionary"
        https://bugs.webkit.org/show_bug.cgi?id=158045
        http://trac.webkit.org/changeset/201436

2016-05-26  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
        https://bugs.webkit.org/show_bug.cgi?id=158045

        Reviewed by Saam Barati.

        15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.

        This regression seems to have two parts:

        (1) Transitioning the window object to/from dictionary is more expensive
        than it used to be because the window object has lots more properties.
        The window object has more properties because, for WebIDL compatibility,
        we reify DOM APIs as properties when you delete.

        (2) DOM prototypes transition to/from dictionary upon creation
        because, once again for WebIDL compatibility, we reify their static
        APIs eagerly.

        The solution is to chill out a bit on dictionary transitions.

        * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
        if we've already done so before. This avoids pathological churn, and it
        is our idiom in other places.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Do flatten the global object unconditionally
        if it is an uncacheable dictionary because the global object is super
        important.

        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
        Don't transition away from dictionary after a batched set of property
        puts because normal dictionaries are cacheable and that's a perfectly
        fine state to be in -- and the transition is expensive.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
        dictionary because it will inevitably have enough properties to become
        a dictionary.

        * runtime/Operations.h:
        (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.

2016-05-25  Geoffrey Garen  <ggaren@apple.com>

        replaceable own properties seem to ignore replacement after property caching
        https://bugs.webkit.org/show_bug.cgi?id=158091

        Reviewed by Darin Adler.

        * runtime/Lookup.h:
        (JSC::replaceStaticPropertySlot): New helper function for replacing a
        static property with a direct property. We need to do an attribute changed
        transition because client code might have cached our static property.

2016-05-25  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
        https://bugs.webkit.org/show_bug.cgi?id=158011
        rdar://problem/25946592

        Reviewed by Saam Barati.

        When generating the meta-data required for compilation,
        Yarr uses a recursive function over the various expressions in the pattern.

        If you have many nested expressions, you can run out of stack
        and crash the WebProcess.
        This patch changes that into a soft failure. The expression is just
        considered invalid.

        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::setupOffsets):
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
        * yarr/YarrPattern.h:

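The soft-failure pattern this entry describes, as an added C++ example that is not Yarr's code: a recursive walk over nested groups that checks how much stack it has consumed before every recursion and rejects the pattern as invalid instead of overflowing. The fixed kStackBudget, the NestedGroupParser class and the helper names are this example's own assumptions (Yarr derives its limit from the VM's stack bounds), and the check assumes an ordinary contiguous native stack.

```cpp
// Added example, not Yarr's code: a recursive walk over nested groups that
// checks the remaining stack before each recursion and fails softly instead
// of overflowing on pathological nesting.
#include <cstddef>
#include <cstdint>
#include <string>

// Stack budget for this example, in bytes. Yarr takes its limit from the VM's
// stack bounds; a fixed number keeps the behaviour here reproducible.
constexpr std::size_t kStackBudget = 256 * 1024;

class NestedGroupParser {
public:
    explicit NestedGroupParser(const std::string& pattern) : m_pattern(pattern) {}

    // Parses the pattern. Returns false when it is malformed (unbalanced
    // parentheses) or when nesting would need more stack than kStackBudget;
    // tooDeep() tells the two apart.
    bool parse()
    {
        int marker = 0;
        m_stackBase = reinterpret_cast<std::uintptr_t>(&marker);
        m_pos = 0;
        m_depth = 0;
        m_maxDepth = 0;
        m_tooDeep = false;
        return parseSequence() && m_pos == m_pattern.size();
    }

    bool tooDeep() const { return m_tooDeep; }
    std::size_t maxDepth() const { return m_maxDepth; }

private:
    // The same idea as the isSafeToRecurse check named in the entry above:
    // measure how far the stack has moved since parse() started and refuse to
    // go deeper once the budget is spent. Works whichever way the stack grows.
    bool isSafeToRecurse() const
    {
        int marker = 0;
        std::uintptr_t here = reinterpret_cast<std::uintptr_t>(&marker);
        std::uintptr_t used = here < m_stackBase ? m_stackBase - here : here - m_stackBase;
        return used < kStackBudget;
    }

    // sequence := ( '(' sequence ')' | literal )*
    bool parseSequence()
    {
        while (m_pos < m_pattern.size()) {
            char c = m_pattern[m_pos];
            if (c == ')')
                return true;                 // the enclosing group consumes it
            if (c == '(') {
                if (!isSafeToRecurse()) {
                    m_tooDeep = true;        // soft failure: reject, do not crash
                    return false;
                }
                ++m_pos;
                ++m_depth;
                if (m_depth > m_maxDepth)
                    m_maxDepth = m_depth;
                if (!parseSequence())
                    return false;
                if (m_pos >= m_pattern.size() || m_pattern[m_pos] != ')')
                    return false;            // unbalanced '('
                ++m_pos;
                --m_depth;
                continue;
            }
            ++m_pos;                         // literal character
        }
        return true;
    }

    std::string m_pattern;
    std::size_t m_pos = 0;
    std::size_t m_depth = 0;
    std::size_t m_maxDepth = 0;
    std::uintptr_t m_stackBase = 0;
    bool m_tooDeep = false;
};

// 1 = parsed, 0 = malformed, -1 = rejected as too deeply nested.
int classifyPattern(const std::string& pattern)
{
    NestedGroupParser parser(pattern);
    if (parser.parse())
        return 1;
    return parser.tooDeep() ? -1 : 0;
}

// Deepest nesting of a well-formed pattern, 0 if it did not parse.
std::size_t deepestNesting(const std::string& pattern)
{
    NestedGroupParser parser(pattern);
    return parser.parse() ? parser.maxDepth() : 0;
}
```

A pattern with two hundred thousand nested groups, which would exhaust a default thread stack if recursed blindly, comes back as rejected rather than as a crash.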
2016-05-25  Alex Christensen  <achristensen@webkit.org>

        Fix Win64 build after r201335
        https://bugs.webkit.org/show_bug.cgi?id=158078

        Reviewed by Mark Lam.

        * offlineasm/x86.rb:
        Add intel implementations for loadbs and loadhs

2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
        https://bugs.webkit.org/show_bug.cgi?id=158066

        Reviewed by Darin Adler.

        run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
        variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
        the current one is always "C", because to set the locale according to the environment variables we need to call
        setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
        process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
        always worked for EFL is because they call ecore_init() in jsc that calls setlocale.

        * jsc.cpp:
        (main): Call setlocale(LC_ALL, "") on GTK+.

2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
        https://bugs.webkit.org/show_bug.cgi?id=157889

        Reviewed by Darin Adler.

        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):

2016-05-24  Keith Miller  <keith_miller@apple.com>

        TypedArray.prototype.slice should not throw if no arguments are provided
        https://bugs.webkit.org/show_bug.cgi?id=158044
        <rdar://problem/26433280>

        Reviewed by Geoffrey Garen.

        We were throwing an exception if the TypedArray.prototype.slice function
        was not provided arguments. This was wrong. Instead we should just assume
        the first argument was 0.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
        * tests/stress/typedarray-slice.js:

2016-05-24  Keith Miller  <keith_miller@apple.com>

        LLInt should be able to cache prototype loads for values in GetById
        https://bugs.webkit.org/show_bug.cgi?id=158032

        Reviewed by Filip Pizlo.

        This patch adds prototype value caching to the LLInt for op_get_by_id.
        Two previously unused words in the op_get_by_id bytecode have been
        repurposed to hold extra information for the cache. The first is a
        counter that records the number of get_by_ids that hit a cacheable value
        on a prototype. When the counter is decremented from one to zero we
        attempt to cache the prototype load, which will be discussed further
        below. The second word is used to hold the prototype object when we have
        started caching.

        When the counter is decremented to zero we first attempt to generate and
        watch the property conditions needed to ensure the validity of the prototype
        load. If the watchpoints are successfully created and installed we
        replace the op_get_by_id opcode with the new op_get_by_id_proto_load
        opcode, which tells the LLInt to use the cached prototype object for the
        load rather than the base value.

        Prior to this patch there was no LLInt-specific data on CodeBlocks.
        Since the CodeBlock needs to own the Watchpoints for the cache, a weak
        map from each base structure to a bag of Watchpoints created for that
        structure by some op_get_by_id has been added to the CodeBlock. During
        GC, if we find that a structure in the map has not been marked we
        free the associated bag on the CodeBlock.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintGetByIdWatchpointMap):
        (JSC::clearLLIntGetByIdCache):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.h:
        * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
        (test):

643 2016-05-24  Keith Miller  <keith_miller@apple.com>
644
645         We should be able to use the sampling profiler with DRT/WTR.
646         https://bugs.webkit.org/show_bug.cgi?id=158041
647
648         Reviewed by Saam Barati.
649
650         This patch makes the sampling profiler use a new option, samplingProfilerPath, which
651         specifies the path to a directory to output sampling profiler data when the program
652         terminates or the VM is destroyed. Additionally, it fixes some other issues with the
653         bytecode profiler that would cause crashes on debug builds.
654
655         * profiler/ProfilerDatabase.cpp:
656         (JSC::Profiler::Database::ensureBytecodesFor):
657         (JSC::Profiler::Database::performAtExitSave):
658         * runtime/Options.h:
659         * runtime/SamplingProfiler.cpp:
660         (JSC::SamplingProfiler::registerForReportAtExit):
661         (JSC::SamplingProfiler::reportDataToOptionFile):
662         (JSC::SamplingProfiler::reportTopFunctions):
663         (JSC::SamplingProfiler::reportTopBytecodes):
664         * runtime/SamplingProfiler.h:
665         * runtime/VM.cpp:
666         (JSC::VM::VM):
667         (JSC::VM::~VM):
668
669 2016-05-24  Saam barati  <sbarati@apple.com>
670
671         We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
672         https://bugs.webkit.org/show_bug.cgi?id=158036
673
674         Reviewed by Geoffrey Garen.
675
676         This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
677         implementing the cache as a HashMap, but it seemed either less profitable on some
678         benchmarks or just as profitable on others. Therefore, it's cleaner to just
679         use a 1 item cache.
680
681         * bytecode/CodeBlock.cpp:
682         (JSC::CodeBlock::CodeBlock):
683         (JSC::AbstractResolveKey::AbstractResolveKey):
684         (JSC::AbstractResolveKey::operator==):
685         (JSC::AbstractResolveKey::isEmptyValue):
686         (JSC::CodeBlock::finishCreation):
687         * runtime/GetPutInfo.h:
688         (JSC::needsVarInjectionChecks):
689         (JSC::ResolveOp::ResolveOp):
690
691 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
692
693         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
694
695         * tests/stress/override-map-constructor.js:
696         (Map):
697
698 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
699
700         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
701         https://bugs.webkit.org/show_bug.cgi?id=158031
702         rdar://problem/26353661
703
704         Reviewed by Geoffrey Garen.
705         
706         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
707         not a LazyClassStructure<> and there is nothing lazy about it.
708
709         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
710         * runtime/Lookup.cpp: Add some dumping on the assert path.
711         (JSC::setUpStaticFunctionSlot):
712         * tests/stress/override-map-constructor.js: Added. This test used to crash.
713         (Map):
714
715 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
716
717         LLInt64 should have typed array fast paths for get_by_val
718         https://bugs.webkit.org/show_bug.cgi?id=157931
719
720         Reviewed by Keith Miller.
721
722         I think that the LLInt should be able to access typed arrays more quickly than it does now.
723         Ideally we would have fast paths for every major typed array operation and we would use
724         inline cache optimizations. I don't want to do this all in one go, so my plan is to
725         incrementally add support for this as time allows.
726         
727         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
728         of LLInt.
729         
730         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
731         adding all typed array fast paths to both versions of the LLInt.
732         
733         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
734         JITs are enabled.
735
736         * llint/LLIntData.cpp:
737         (JSC::LLInt::Data::performAssertions):
738         * llint/LLIntOffsetsExtractor.cpp:
739         * llint/LowLevelInterpreter.asm:
740         * llint/LowLevelInterpreter64.asm:
741         * offlineasm/backends.rb:
742         * runtime/JSArrayBufferView.h:
743         * runtime/JSType.h:
744
745 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
746
747         ThisTDZMode is no longer needed
748         https://bugs.webkit.org/show_bug.cgi?id=157209
749
750         Reviewed by Saam Barati.
751
752         ThisTDZMode is no longer needed because we have ConstructorKind
753         and DerivedContextType. The value of ThisTDZMode is strictly less
754         expressive than the combination of those two values. We were
755         using those values anyways, and this patch just makes it official
756         by removing ThisTDZMode.
757
758         This patch also cleans up caching keys. We extract SourceCodeFlags
759         from SourceCodeKey and use it in EvalCodeCache. It correctly
760         contains needed cache attributes: EvalContextType, DerivedContextType,
761         etc. Here, we still use specialized keys for EvalCodeCache instead
762         of SourceCodeKey for performance; it does not include name String and
763         does not allocate SourceCode.
764
765         * bytecode/EvalCodeCache.h:
766         (JSC::EvalCodeCache::CacheKey::CacheKey):
767         (JSC::EvalCodeCache::CacheKey::operator==):
768         (JSC::EvalCodeCache::CacheKey::Hash::equal):
769         (JSC::EvalCodeCache::tryGet):
770         (JSC::EvalCodeCache::getSlow):
771         * bytecompiler/NodesCodegen.cpp:
772         (JSC::ThisNode::emitBytecode): Deleted.
773         * debugger/DebuggerCallFrame.cpp:
774         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
775         * interpreter/Interpreter.cpp:
776         (JSC::eval):
777         * parser/ASTBuilder.h:
778         (JSC::ASTBuilder::createThisExpr):
779         * parser/NodeConstructors.h:
780         (JSC::ThisNode::ThisNode):
781         * parser/Nodes.h:
782         * parser/Parser.cpp:
783         (JSC::Parser<LexerType>::Parser):
784         (JSC::Parser<LexerType>::parsePrimaryExpression):
785         * parser/Parser.h:
786         (JSC::parse):
787         * parser/ParserModes.h:
788         * parser/SourceCodeKey.h:
789         (JSC::SourceCodeFlags::SourceCodeFlags):
790         (JSC::SourceCodeFlags::operator==):
791         (JSC::SourceCodeKey::SourceCodeKey):
792         (JSC::SourceCodeKey::Hash::hash):
793         (JSC::SourceCodeKey::Hash::equal):
794         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
795         (JSC::SourceCodeKeyHash::hash): Deleted.
796         (JSC::SourceCodeKeyHash::equal): Deleted.
797         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
798         * parser/SyntaxChecker.h:
799         (JSC::SyntaxChecker::createThisExpr):
800         * runtime/CodeCache.cpp:
801         (JSC::CodeCache::getGlobalCodeBlock):
802         (JSC::CodeCache::getProgramCodeBlock):
803         (JSC::CodeCache::getEvalCodeBlock):
804         (JSC::CodeCache::getModuleProgramCodeBlock):
805         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
806         * runtime/CodeCache.h:
807         * runtime/Executable.cpp:
808         (JSC::EvalExecutable::create):
809         * runtime/Executable.h:
810         * runtime/JSGlobalObject.cpp:
811         (JSC::JSGlobalObject::createEvalCodeBlock):
812         * runtime/JSGlobalObject.h:
813         * runtime/JSGlobalObjectFunctions.cpp:
814         (JSC::globalFuncEval):
815         * tests/stress/code-cache-incorrect-caching.js: Added.
816         (shouldBe):
817         (hello):
818         (catch):
819         (shouldBe.test.hello):
820         (globalEval.ok):
821         (global.hello.hello):
822
823 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
824
825         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
826         https://bugs.webkit.org/show_bug.cgi?id=157080
827
828         Reviewed by Saam Barati.
829
830         In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
831         In this patch, we add a new parameter, "slotBase". This represents the base value offering
832         this custom getter. And use it in ProxyObject's performGet custom accessor getter.
833
834         * API/JSCallbackObject.h:
835         * API/JSCallbackObjectFunctions.h:
836         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
837         (JSC::JSCallbackObject<Parent>::callbackGetter):
838         * bytecode/PolymorphicAccess.cpp:
839         (JSC::AccessCase::generateImpl):
840         In PolymorphicAccess case, the thisValue and the slotBase are always cells.
841         This is because IC is enabled in the case that the base value is a cell.
842         And slotBase is always on the prototype chain from this base value.
843
844         * jit/CCallHelpers.h:
845         (JSC::CCallHelpers::setupArgumentsWithExecState):
846         * jsc.cpp:
847         (WTF::CustomGetter::customGetter):
848         (WTF::RuntimeArray::lengthGetter):
849         * runtime/CustomGetterSetter.cpp:
850         (JSC::callCustomSetter):
851         * runtime/JSBoundSlotBaseFunction.cpp:
852         (JSC::boundSlotBaseFunctionCall):
853         * runtime/JSFunction.cpp:
854         (JSC::JSFunction::argumentsGetter):
855         (JSC::JSFunction::callerGetter):
856         * runtime/JSFunction.h:
857         * runtime/JSModuleNamespaceObject.cpp:
858         (JSC::callbackGetter):
859         * runtime/PropertySlot.cpp:
860         (JSC::PropertySlot::customGetter):
861         * runtime/PropertySlot.h:
862         * runtime/ProxyObject.cpp:
863         (JSC::performProxyGet):
864         * runtime/RegExpConstructor.cpp:
865         (JSC::regExpConstructorDollar):
866         (JSC::regExpConstructorInput):
867         (JSC::regExpConstructorMultiline):
868         (JSC::regExpConstructorLastMatch):
869         (JSC::regExpConstructorLastParen):
870         (JSC::regExpConstructorLeftContext):
871         (JSC::regExpConstructorRightContext):
872         (JSC::regExpConstructorDollar1): Deleted.
873         (JSC::regExpConstructorDollar2): Deleted.
874         (JSC::regExpConstructorDollar3): Deleted.
875         (JSC::regExpConstructorDollar4): Deleted.
876         (JSC::regExpConstructorDollar5): Deleted.
877         (JSC::regExpConstructorDollar6): Deleted.
878         (JSC::regExpConstructorDollar7): Deleted.
879         (JSC::regExpConstructorDollar8): Deleted.
880         (JSC::regExpConstructorDollar9): Deleted.
881         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
882         (shouldBe):
883
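As an added illustration, not part of this ChangeLog or of the proxy-get-with-primitive-receiver.js test it lists, the following constructed script shows the situation the entry describes from the JavaScript side: Reflect.get with an explicit primitive receiver hands that primitive on as thisValue to a Proxy get trap and to a strict accessor, while the object actually holding the property (the base the entry calls "slotBase") is still the proxy's target. The property names and values are made up for the example.

```javascript
// Constructed sample target. The accessor is strict so that `this` is not
// boxed into a Number object when the getter runs with a primitive receiver.
const target = {
  plain: "stored-on-target",
  get whoAmI() {
    "use strict";
    return this; // whatever receiver Reflect.get forwarded to us
  },
};

// Proxy whose get trap records what it was handed and then forwards the
// receiver unchanged through Reflect.get, the pattern named in the entry.
const seen = [];
const proxy = new Proxy(target, {
  get(t, key, receiver) {
    seen.push({ key, receiverType: typeof receiver, targetIsBase: t === target });
    return Reflect.get(t, key, receiver);
  },
});

// Read through the proxy with the primitive 5 as the explicit receiver:
// the trap sees receiver === 5 and the getter's `this` is 5, but the
// property is still looked up on `target`, the real base of the accessor.
function primitiveReceiverThroughProxy() {
  seen.length = 0;
  const value = Reflect.get(proxy, "whoAmI", 5);
  return { value, trap: seen[0] };
}

// For an ordinary data property the receiver does not matter at all;
// the value comes straight from the base object.
function dataPropertyThroughProxy() {
  seen.length = 0;
  const value = Reflect.get(proxy, "plain", "ignored receiver");
  return { value, trap: seen[0] };
}

// Without an explicit receiver the proxy itself is the receiver, which is
// the only case a cell-only fast path would ever have had to handle.
function defaultReceiver() {
  seen.length = 0;
  const value = proxy.whoAmI;
  return { valueIsProxy: value === proxy, trap: seen[0] };
}
```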
884 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
885
886         REGRESSION (196374): deleting a global property is expensive
887         https://bugs.webkit.org/show_bug.cgi?id=158005
888
889         Reviewed by Chris Dumez.
890
891         * runtime/JSObject.cpp:
892         (JSC::JSObject::deleteProperty): We only need to reify static properties
893         if the name being deleted matches a static property. Otherwise, we can
894         be sure that delete won't observe any static properties.
895
896 2016-05-23  Saam barati  <sbarati@apple.com>
897
898         The baseline JIT crashes when compiling "(1,1)/1"
899         https://bugs.webkit.org/show_bug.cgi?id=157933
900
901         Reviewed by Benjamin Poulain.
902
903         op_div in the baseline JIT needed to better handle when both the lhs
904         and rhs are constants. It needs to make sure to load either the lhs or
905         the rhs into a register since the div generator can't handle both
906         the lhs and rhs being constants.
907
908         * jit/JITArithmetic.cpp:
909         (JSC::JIT::emit_op_div):
910         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
911         (assert):
912         (test):
913
914 2016-05-23  Saam barati  <sbarati@apple.com>
915
916         String templates don't handle let initialization properly inside eval
917         https://bugs.webkit.org/show_bug.cgi?id=157991
918
919         Reviewed by Oliver Hunt.
920
921         The fix is to make sure we emit TDZ checks. 
922
923         * bytecompiler/NodesCodegen.cpp:
924         (JSC::TaggedTemplateNode::emitBytecode):
925         * tests/stress/tagged-template-tdz.js: Added.
926         (shouldThrowTDZ):
927         (test):
928
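As an added illustration, not part of this ChangeLog or of the tagged-template-tdz.js test it lists, the following constructed script shows the behaviour the TDZ check has to produce: a tagged template whose tag is a `let` binding declared later in the same eval must fail with a ReferenceError, not with the TypeError you get when the tag is merely an uninitialised `var`. The tag functions and template strings are made up for the example.

```javascript
// Classifies what a thunk throws: "tdz" for a ReferenceError (a binding read
// before its `let` initialisation), "type" for a TypeError (the value exists
// but is not callable), "none" if the thunk returned normally.
function classify(thunk) {
  try {
    thunk();
    return "none";
  } catch (e) {
    if (e instanceof ReferenceError) return "tdz";
    if (e instanceof TypeError) return "type";
    throw e;
  }
}

// The tag is a `let` declared after its use, inside a direct eval. This must
// be a TDZ error; skipping the check would let the call proceed on a garbage
// or undefined value instead.
function taggedTemplateBeforeLetInEval() {
  return classify(() => eval("tag`abc`; let tag = (strings) => strings[0];"));
}

// Same shape with `var`: the binding is hoisted as undefined, so the failure
// is a TypeError from calling undefined. That is the wrong answer for `let`.
function taggedTemplateBeforeVarInEval() {
  return classify(() => eval("tag`abc`; var tag = (strings) => strings[0];"));
}

// Once the `let` binding is initialised, the tagged template evaluates
// normally and the eval's completion value is the tag's return value.
function taggedTemplateAfterLetInEval() {
  return eval(
    "let tag = (strings, ...subs) => strings.raw.join('|') + subs.length;" +
    " tag`a${1}b`;"
  );
}
```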
929 2016-05-22  Saam barati  <sbarati@apple.com>
930
931         Unreviewed. Fixed debug assertion failures from r201235.
932
933         * runtime/JSScope.cpp:
934         (JSC::abstractAccess):
935
936 2016-05-22  Brady Eidson  <beidson@apple.com>
937
938         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
939
940         Suggested by and reviewed by Anders Carlsson.
941
942         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
943
944 2016-05-22  Brady Eidson  <beidson@apple.com>
945
946         Move to C++14.
947         https://bugs.webkit.org/show_bug.cgi?id=157948
948
949         Reviewed by Michael Catanzaro.
950
951         * Configurations/Base.xcconfig:
952
953 2016-05-22  Saam barati  <sbarati@apple.com>
954
955         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
956         https://bugs.webkit.org/show_bug.cgi?id=157968
957         <rdar://problem/26404735>
958
959         Reviewed by Ryosuke Niwa and Filip Pizlo.
960
961         There was a bug in the DFG where we were checking a condition
962         on the wrong variable.
963
964         * dfg/DFGStrengthReductionPhase.cpp:
965         (JSC::DFG::StrengthReductionPhase::handleNode):
966
967 2016-05-22  Chris Dumez  <cdumez@apple.com>
968
969         Remove uses of PassRefPtr in JS bindings code
970         https://bugs.webkit.org/show_bug.cgi?id=157949
971
972         Reviewed by Andreas Kling.
973
974         Remove uses of PassRefPtr in JS bindings code.
975
976         * runtime/JSGlobalObject.cpp:
977         (JSC::JSGlobalObject::queueMicrotask):
978         * runtime/JSGlobalObject.h:
979
980 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
981
982         Remove LegacyProfiler
983         https://bugs.webkit.org/show_bug.cgi?id=153565
984
985         Reviewed by Mark Lam.
986
987         JavaScriptCore now provides a sampling profiler and it is enabled
988         by all ports. Web Inspector switched months ago to using the
989         sampling profiler and displaying its data. Remove the legacy
990         profiler, as it is no longer being used by anything other than
991         console.profile and tests. We will update console.profile's
992         behavior soon to have new behavior and use the sampling data.
993
994         * API/JSProfilerPrivate.cpp: Removed.
995         * API/JSProfilerPrivate.h: Removed.
996         * CMakeLists.txt:
997         * JavaScriptCore.xcodeproj/project.pbxproj:
998         * bytecode/BytecodeList.json:
999         * bytecode/BytecodeUseDef.h:
1000         (JSC::computeUsesForBytecodeOffset): Deleted.
1001         (JSC::computeDefsForBytecodeOffset): Deleted.
1002         * bytecode/CodeBlock.cpp:
1003         (JSC::CodeBlock::dumpBytecode): Deleted.
1004         * bytecode/UnlinkedFunctionExecutable.cpp:
1005         (JSC::generateUnlinkedFunctionCodeBlock):
1006         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1007         * bytecode/UnlinkedFunctionExecutable.h:
1008         * bytecompiler/BytecodeGenerator.cpp:
1009         (JSC::BytecodeGenerator::BytecodeGenerator):
1010         (JSC::BytecodeGenerator::emitCall):
1011         (JSC::BytecodeGenerator::emitCallVarargs):
1012         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1013         (JSC::BytecodeGenerator::emitConstructVarargs):
1014         (JSC::BytecodeGenerator::emitConstruct):
1015         * bytecompiler/BytecodeGenerator.h:
1016         (JSC::CallArguments::profileHookRegister): Deleted.
1017         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
1018         * bytecompiler/NodesCodegen.cpp:
1019         (JSC::CallFunctionCallDotNode::emitBytecode):
1020         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1021         (JSC::CallArguments::CallArguments): Deleted.
1022         * dfg/DFGAbstractInterpreterInlines.h:
1023         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
1024         * dfg/DFGByteCodeParser.cpp:
1025         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
1026         * dfg/DFGCapabilities.cpp:
1027         (JSC::DFG::capabilityLevel): Deleted.
1028         * dfg/DFGClobberize.h:
1029         (JSC::DFG::clobberize): Deleted.
1030         * dfg/DFGDoesGC.cpp:
1031         (JSC::DFG::doesGC): Deleted.
1032         * dfg/DFGFixupPhase.cpp:
1033         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1034         * dfg/DFGNodeType.h:
1035         * dfg/DFGPredictionPropagationPhase.cpp:
1036         * dfg/DFGSafeToExecute.h:
1037         (JSC::DFG::safeToExecute): Deleted.
1038         * dfg/DFGSpeculativeJIT32_64.cpp:
1039         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1040         * dfg/DFGSpeculativeJIT64.cpp:
1041         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1042         * inspector/InjectedScriptBase.cpp:
1043         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1044         * interpreter/Interpreter.cpp:
1045         (JSC::UnwindFunctor::operator()): Deleted.
1046         (JSC::Interpreter::execute): Deleted.
1047         (JSC::Interpreter::executeCall): Deleted.
1048         (JSC::Interpreter::executeConstruct): Deleted.
1049         * jit/JIT.cpp:
1050         (JSC::JIT::privateCompileMainPass): Deleted.
1051         * jit/JIT.h:
1052         * jit/JITOpcodes.cpp:
1053         (JSC::JIT::emit_op_profile_will_call): Deleted.
1054         (JSC::JIT::emit_op_profile_did_call): Deleted.
1055         * jit/JITOpcodes32_64.cpp:
1056         (JSC::JIT::emit_op_profile_will_call): Deleted.
1057         (JSC::JIT::emit_op_profile_did_call): Deleted.
1058         * jit/JITOperations.cpp:
1059         * jit/JITOperations.h:
1060         * llint/LLIntSlowPaths.cpp:
1061         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
1062         * llint/LLIntSlowPaths.h:
1063         * llint/LowLevelInterpreter.asm:
1064         * parser/ParserModes.h:
1065         * profiler/CallIdentifier.h: Removed.
1066         * profiler/LegacyProfiler.cpp: Removed.
1067         * profiler/LegacyProfiler.h: Removed.
1068         * profiler/Profile.cpp: Removed.
1069         * profiler/Profile.h: Removed.
1070         * profiler/ProfileGenerator.cpp: Removed.
1071         * profiler/ProfileGenerator.h: Removed.
1072         * profiler/ProfileNode.cpp: Removed.
1073         * profiler/ProfileNode.h: Removed.
1074         * profiler/ProfilerJettisonReason.cpp:
1075         (WTF::printInternal): Deleted.
1076         * profiler/ProfilerJettisonReason.h:
1077         * runtime/CodeCache.cpp:
1078         (JSC::CodeCache::getGlobalCodeBlock):
1079         (JSC::CodeCache::getProgramCodeBlock):
1080         (JSC::CodeCache::getEvalCodeBlock):
1081         (JSC::CodeCache::getModuleProgramCodeBlock):
1082         * runtime/CodeCache.h:
1083         * runtime/Executable.cpp:
1084         (JSC::ScriptExecutable::newCodeBlockFor):
1085         * runtime/JSGlobalObject.cpp:
1086         (JSC::JSGlobalObject::createProgramCodeBlock):
1087         (JSC::JSGlobalObject::createEvalCodeBlock):
1088         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1089         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
1090         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
1091         * runtime/JSGlobalObject.h:
1092         * runtime/Options.h:
1093         * runtime/VM.cpp:
1094         (JSC::VM::VM): Deleted.
1095         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
1096         (JSC::VM::setEnabledProfiler): Deleted.
1097         * runtime/VM.h:
1098         (JSC::VM::enabledProfiler): Deleted.
1099         (JSC::VM::enabledProfilerAddress): Deleted.
1100
1101 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
1102
1103         Remove LegacyProfiler
1104         https://bugs.webkit.org/show_bug.cgi?id=153565
1105
1106         Reviewed by Saam Barati.
1107
1108         * inspector/protocol/Timeline.json:
1109         * jsc.cpp:
1110         * runtime/JSGlobalObject.cpp:
1111         (JSC::JSGlobalObject::hasLegacyProfiler):
1112         * runtime/JSGlobalObject.h:
1113         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
1114
1115 2016-05-20  Saam barati  <sbarati@apple.com>
1116
1117         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
1118         https://bugs.webkit.org/show_bug.cgi?id=157956
1119
1120         Reviewed by Geoffrey Garen.
1121
1122         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
1123         malloc memory for it, then free the malloced memory once the entry goes out of
1124         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
1125         accesses during bytecode linking. It copies out the SymbolTableEntry every time
1126         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
1127         FatEntry. We should really just be using a reference to the entry because
1128         there is no need to copy it in such a scenario.
1129
1130         * runtime/JSScope.cpp:
1131         (JSC::abstractAccess):
1132
1133 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
1134
1135         Web Inspector: retained size for typed arrays does not count native backing store
1136         https://bugs.webkit.org/show_bug.cgi?id=157945
1137         <rdar://problem/26392238>
1138
1139         Reviewed by Geoffrey Garen.
1140
1141         * runtime/JSArrayBuffer.h:
1142         * runtime/JSArrayBuffer.cpp:
1143         (JSC::JSArrayBuffer::estimatedSize):
1144         Include an estimatedSize implementation for JSArrayBuffer.
1145         ArrayBuffer has a unique path, different from other data
1146         stored in the Heap.
1147
1148         * tests/heapProfiler/typed-array-sizes.js: Added.
1149         Test sizes of TypedArray with and without an ArrayBuffer.
1150         When the TypedArray is a view wrapping an ArrayBuffer, the
1151         ArrayBuffer has the size.
1152
1153 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
1154
1155         reifyAllStaticProperties makes two copies of every string
1156         https://bugs.webkit.org/show_bug.cgi?id=157953
1157
1158         Reviewed by Mark Lam.
1159
1160         Let's not do that.
1161
1162         * runtime/JSObject.cpp:
1163         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
1164         reifyStaticProperty so it doesn't have to make its own.
1165
1166         * runtime/Lookup.h:
1167         (JSC::reifyStaticProperty): No need to null check because callers never
1168         pass null anymore. No need to make an identifier because callers pass
1169         us one.
1170
1171         (JSC::reifyStaticProperties): Honor new interface.
1172
1173 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
1174
1175         JSBench regression: CodeBlock linking always copies the symbol table
1176         https://bugs.webkit.org/show_bug.cgi?id=157951
1177
1178         Reviewed by Saam Barati.
1179
1180         We always put a SymbolTable into the constant pool, even in simple
1181         functions in which it won't be used -- i.e., there's no eval and there
1182         are no captured variables and so on.
1183
1184         This is costly because linking must copy any provided symbol tables.
1185
1186         * bytecompiler/BytecodeGenerator.cpp:
1187         (JSC::BytecodeGenerator::BytecodeGenerator):
1188         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
1189         as a constant if we will use it at runtime.
1190
1191 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
1192
1193         [JSC] Improve int->float conversion in FTL
1194         https://bugs.webkit.org/show_bug.cgi?id=157936
1195
1196         Reviewed by Filip Pizlo.
1197
1198         The integer -> floating point lowering was very bare-bones.
1199
1200         For example, converting a constant integer to double
1201         was doing:
1202             mov #const, %eax
1203             xor %xmm0, %xmm0
1204             cvtsi2sd %eax, %xmm0
1205
1206         Conversion from integer to float was also missing.
1207         We were always converting to double then rounding the double
1208         to float.
1209
1210         This patch adds the basics:
1211         -Constant folding.
1212         -Integer to Float opcode.
1213         -Reducing int->double to int->float when used by DoubleToFloat.
1214
1215         * assembler/MacroAssemblerX86Common.h:
1216         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
1217         * assembler/MacroAssemblerX86_64.h:
1218         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
1219         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
1220         * assembler/X86Assembler.h:
1221         (JSC::X86Assembler::cvtsi2ss_rr):
1222         (JSC::X86Assembler::cvtsi2ssq_rr):
1223         (JSC::X86Assembler::cvtsi2sdq_mr):
1224         (JSC::X86Assembler::cvtsi2ssq_mr):
1225         (JSC::X86Assembler::cvtsi2ss_mr):
1226         * assembler/MacroAssemblerARM64.h:
1227         * b3/B3Const32Value.cpp:
1228         (JSC::B3::Const32Value::iToDConstant):
1229         (JSC::B3::Const32Value::iToFConstant):
1230         * b3/B3Const32Value.h:
1231         * b3/B3Const64Value.cpp:
1232         (JSC::B3::Const64Value::iToDConstant):
1233         (JSC::B3::Const64Value::iToFConstant):
1234         * b3/B3Const64Value.h:
1235         * b3/B3LowerToAir.cpp:
1236         (JSC::B3::Air::LowerToAir::lower):
1237         * b3/B3Opcode.cpp:
1238         (WTF::printInternal):
1239         * b3/B3Opcode.h:
1240         * b3/B3ReduceDoubleToFloat.cpp:
1241         * b3/B3ReduceStrength.cpp:
1242         * b3/B3Validate.cpp:
1243         * b3/B3Value.cpp:
1244         (JSC::B3::Value::iToDConstant):
1245         (JSC::B3::Value::iToFConstant):
1246         (JSC::B3::Value::isRounded):
1247         (JSC::B3::Value::effects):
1248         (JSC::B3::Value::key):
1249         (JSC::B3::Value::typeFor):
1250         * b3/B3Value.h:
1251         * b3/B3ValueKey.cpp:
1252         (JSC::B3::ValueKey::materialize):
1253         * b3/air/AirFixPartialRegisterStalls.cpp:
1254         * b3/air/AirOpcode.opcodes:
1255         * b3/testb3.cpp:
1256         (JSC::B3::int64Operands):
1257         (JSC::B3::testIToD64Arg):
1258         (JSC::B3::testIToF64Arg):
1259         (JSC::B3::testIToD32Arg):
1260         (JSC::B3::testIToF32Arg):
1261         (JSC::B3::testIToD64Mem):
1262         (JSC::B3::testIToF64Mem):
1263         (JSC::B3::testIToD32Mem):
1264         (JSC::B3::testIToF32Mem):
1265         (JSC::B3::testIToD64Imm):
1266         (JSC::B3::testIToF64Imm):
1267         (JSC::B3::testIToD32Imm):
1268         (JSC::B3::testIToF32Imm):
1269         (JSC::B3::testIToDReducedToIToF64Arg):
1270         (JSC::B3::testIToDReducedToIToF32Arg):
1271         (JSC::B3::run):
1272
1273 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
1274
1275         [JSC] FTL can crash on stack overflow
1276         https://bugs.webkit.org/show_bug.cgi?id=157881
1277         rdar://problem/24665964
1278
1279         Reviewed by Michael Saboff.
1280
1281         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
1282         was never called). We forgot to change that when implementing B3.
1283
1284         Even when it is set, we still have a problem on OSR Exit.
1285         If the last frame is a FTL frame and it OSR Exits, the space required for
1286         that frame becomes significantly larger. What happens is we crash in the OSR Exit
1287         instead of the FTL frame (this is what happens in rdar://problem/24665964).
1288
1289         This patch changes the stack boundary checks in FTL to be the same as DFG:
1290         we verify that we have enough space for the current optimized function but
1291         also for the baseline version (including inlining) in case of exit.
1292
1293         * ftl/FTLLowerDFGToB3.cpp:
1294         (JSC::FTL::DFG::LowerDFGToB3::lower):
1295         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
1296         * runtime/VM.cpp:
1297         (JSC::VM::VM): Deleted.
1298         (JSC::VM::updateStackLimit): Deleted.
1299         (JSC::VM::updateFTLLargestStackSize): Deleted.
1300         * runtime/VM.h:
1301         (JSC::VM::addressOfFTLStackLimit): Deleted.
1302
1303 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
1304
1305         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
1306         https://bugs.webkit.org/show_bug.cgi?id=144527
1307
1308         Reviewed by Saam Barati.
1309         
1310         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
1311         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
1312         the execution of one implies that the other one must also execute. It means that the two
1313         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
1314         A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
1315         this has caused problems in the past. If we hoist something that may exit from a block that
1316         was not control equivalent to the pre-header then it's possible that the node's speculation
1317         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
1318         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
1319         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
1320         HoistingFailed exit kind.
1321         
1322         Note that this deliberately still allows us to hoist things that may exit even if they are
1323         not control equivalent to the pre-header. This is necessary because the profitability of
1324         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
1325         shot.
1326         
1327         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
1328         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
1329         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
1330         problems on that program even though LICM previously did the wrong thing).
1331
1332         * JavaScriptCore.xcodeproj/project.pbxproj:
1333         * bytecode/ExitKind.cpp:
1334         (JSC::exitKindToString):
1335         * bytecode/ExitKind.h:
1336         * dfg/DFGAtTailAbstractState.h:
1337         (JSC::DFG::AtTailAbstractState::operator bool):
1338         (JSC::DFG::AtTailAbstractState::initializeTo):
1339         * dfg/DFGBackwardsCFG.h: Added.
1340         (JSC::DFG::BackwardsCFG::BackwardsCFG):
1341         * dfg/DFGBackwardsDominators.h: Added.
1342         (JSC::DFG::BackwardsDominators::BackwardsDominators):
1343         * dfg/DFGCommon.h:
1344         (JSC::DFG::checkAndSet): Deleted.
1345         * dfg/DFGControlEquivalenceAnalysis.h: Added.
1346         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1347         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
1348         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
1349         * dfg/DFGGraph.cpp:
1350         (JSC::DFG::Graph::dump):
1351         (JSC::DFG::Graph::dumpBlockHeader):
1352         (JSC::DFG::Graph::invalidateCFG):
1353         (JSC::DFG::Graph::substituteGetLocal):
1354         (JSC::DFG::Graph::handleAssertionFailure):
1355         (JSC::DFG::Graph::ensureDominators):
1356         (JSC::DFG::Graph::ensurePrePostNumbering):
1357         (JSC::DFG::Graph::ensureNaturalLoops):
1358         (JSC::DFG::Graph::ensureBackwardsCFG):
1359         (JSC::DFG::Graph::ensureBackwardsDominators):
1360         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1361         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1362         * dfg/DFGGraph.h:
1363         (JSC::DFG::Graph::hasDebuggerEnabled):
1364         * dfg/DFGInPlaceAbstractState.h:
1365         (JSC::DFG::InPlaceAbstractState::operator bool):
1366         (JSC::DFG::InPlaceAbstractState::createValueForNode):
1367         (JSC::DFG::InPlaceAbstractState::forNode):
1368         * dfg/DFGLICMPhase.cpp:
1369         (JSC::DFG::LICMPhase::run):
1370         (JSC::DFG::LICMPhase::attemptHoist):
1371         * dfg/DFGMayExit.cpp:
1372         (JSC::DFG::mayExit):
1373         * dfg/DFGMayExit.h:
1374         * dfg/DFGNode.h:
1375         * dfg/DFGNodeOrigin.cpp:
1376         (JSC::DFG::NodeOrigin::dump):
1377         * dfg/DFGNodeOrigin.h:
1378         (JSC::DFG::NodeOrigin::takeValidExit):
1379         (JSC::DFG::NodeOrigin::withWasHoisted):
1380         (JSC::DFG::NodeOrigin::forInsertingAfter):
1381         * dfg/DFGNullAbstractState.h: Added.
1382         (JSC::DFG::NullAbstractState::NullAbstractState):
1383         (JSC::DFG::NullAbstractState::operator bool):
1384         (JSC::DFG::NullAbstractState::forNode):
1385         * dfg/DFGOSRExit.cpp:
1386         (JSC::DFG::OSRExit::OSRExit):
1387         * dfg/DFGOSRExitBase.cpp:
1388         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1389         * dfg/DFGOSRExitBase.h:
1390         (JSC::DFG::OSRExitBase::OSRExitBase):
1391         * dfg/DFGTypeCheckHoistingPhase.cpp:
1392         (JSC::DFG::TypeCheckHoistingPhase::run):
1393         * ftl/FTLOSRExit.cpp:
1394         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1395         (JSC::FTL::OSRExit::OSRExit):
1396         * ftl/FTLOSRExit.h:
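
A constructed model of the analysis this entry describes (added example, not JavaScriptCore's DFG code): dominators over the forward CFG and over the backwards CFG, combined into the reciprocated-dominance test, run on a small loop whose body branches. The CFG, its node names and hoistMayChangeExitBehavior are assumptions for illustration.

```javascript
// Iterative dominator computation (forward or backward, depending on which
// adjacency function is passed): dom(n) = {n} ∪ ⋂ dom(p) for every p in preds(n).
function computeDominators(nodes, root, predsOf) {
  const dom = new Map();
  for (const n of nodes) dom.set(n, n === root ? new Set([root]) : new Set(nodes));
  let changed = true;
  while (changed) {
    changed = false;
    for (const n of nodes) {
      if (n === root) continue;
      let next = null;
      for (const p of predsOf(n)) {
        const dp = dom.get(p);
        next = next === null ? new Set(dp) : new Set([...next].filter((x) => dp.has(x)));
      }
      if (next === null) next = new Set(); // unreachable from root
      next.add(n);
      const cur = dom.get(n);
      if (next.size !== cur.size || [...next].some((x) => !cur.has(x))) {
        dom.set(n, next);
        changed = true;
      }
    }
  }
  return dom;
}

// Minimal CFG: an edge list plus a designated entry and a single exit block.
class CFG {
  constructor(edges, entry, exit) {
    this.nodes = [];
    this.succs = new Map();
    this.preds = new Map();
    const ensure = (n) => {
      if (!this.succs.has(n)) { this.nodes.push(n); this.succs.set(n, []); this.preds.set(n, []); }
    };
    for (const [from, to] of edges) {
      ensure(from); ensure(to);
      this.succs.get(from).push(to);
      this.preds.get(to).push(from);
    }
    this.entry = entry;
    this.exit = exit;
  }
}

// Two blocks are control equivalent when forward and backward dominance are
// reciprocated: (A dom B and B backdom A) or (B dom A and A backdom B).
class ControlEquivalenceAnalysis {
  constructor(cfg) {
    this.dom = computeDominators(cfg.nodes, cfg.entry, (n) => cfg.preds.get(n));
    // The backwards CFG swaps successors and predecessors and starts at the exit.
    this.backDom = computeDominators(cfg.nodes, cfg.exit, (n) => cfg.succs.get(n));
  }
  dominates(a, b) { return this.dom.get(b).has(a); }          // a dom b
  backDominates(a, b) { return this.backDom.get(b).has(a); }  // a backdom b
  dominatesEquivalently(a, b) { return this.dominates(a, b) && this.backDominates(b, a); }
  areEquivalent(a, b) { return this.dominatesEquivalently(a, b) || this.dominatesEquivalently(b, a); }
}

// Constructed loop: E -> P (pre-header) -> H (header); H exits to X or enters
// the body B, which either goes through T or straight to the join J before
// looping back to H.
const loopCFG = new CFG(
  [["E", "P"], ["P", "H"], ["H", "B"], ["H", "X"], ["B", "T"], ["B", "J"], ["T", "J"], ["J", "H"]],
  "E", "X");
const analysis = new ControlEquivalenceAnalysis(loopCFG);

// The conservative LICM rule from the entry: a node that may exit, hoisted from
// a block that is not control equivalent to the pre-header, can take an OSR exit
// the unhoisted program would never have taken (the loop may run zero times or
// skip that block). A true result means the hoist needs the HoistingFailed fallback.
function hoistMayChangeExitBehavior(analysis, preHeader, block) {
  return !analysis.areEquivalent(preHeader, block);
}
```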
1397
1398 2016-05-19  Mark Lam  <mark.lam@apple.com>
1399
1400         Code that null checks the VM pointer before any use should ref the VM.
1401         https://bugs.webkit.org/show_bug.cgi?id=157864
1402
1403         Reviewed by Filip Pizlo and Keith Miller.
1404
1405         JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
1406         through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
1407         after their null checks.
1408
1409         * bytecode/CodeBlock.h:
1410         (JSC::CodeBlock::vm):
1411         (JSC::CodeBlock::setVM): Deleted.
1412         - Not used, and suggests that it can be changed during the lifetime of the
1413           CodeBlock (which should not be).
1414
1415         * heap/HeapTimer.cpp:
1416         (JSC::HeapTimer::timerDidFire):
1417         * runtime/JSLock.cpp:
1418         (JSC::JSLock::willReleaseLock):
1419         - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
1420           the raw VM pointer.  This makes the null check a strong guarantee that the
1421           VM pointer is valid while these functions are using it.
1422
1423 2016-05-19  Saam barati  <sbarati@apple.com>
1424
1425         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
1426         https://bugs.webkit.org/show_bug.cgi?id=157908
1427
1428         Reviewed by Filip Pizlo.
1429
1430         We can safely combine these two environments when we have
1431         a simple parameter list (no default parameters, no destructuring parameters).
1432
1433         * bytecompiler/BytecodeGenerator.cpp:
1434         (JSC::BytecodeGenerator::BytecodeGenerator):
1435         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1436         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1437         * bytecompiler/BytecodeGenerator.h:
1438
1439 2016-05-19  Michael Saboff  <msaboff@apple.com>
1440
1441         Unreviewed build fix.
1442
1443         Skipping this new test as it times out on the bots.
1444
1445         Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903
1446
1447         * tests/stress/regress-157595.js:
1448         (MyRegExp):
1449
1450 2016-05-19  Guillaume Emont  <guijemont@igalia.com>
1451
1452         JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
1453         https://bugs.webkit.org/show_bug.cgi?id=157741
1454
1455         Reviewed by Saam Barati.
1456
1457         The PutByValWithThis case needs a special case for MIPS because we
1458         don't have enough registers. The special case needs to be different
1459         from the x86 one because we have a different ABI.
1460
1461         * dfg/DFGSpeculativeJIT32_64.cpp:
1462         (JSC::DFG::SpeculativeJIT::compile):
1463
1464 2016-05-19  Brian Burg  <bburg@apple.com>
1465
1466         Web Inspector: use a consistent prefix for injected scripts
1467         https://bugs.webkit.org/show_bug.cgi?id=157715
1468         <rdar://problem/26287188>
1469
1470         Reviewed by Timothy Hatcher.
1471
1472         * CMakeLists.txt:
1473         * DerivedSources.make:
1474         * inspector/InjectedScriptSource.js:
1475
1476 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
1477
1478         [ARM] Remove redefined macro after r200606
1479         https://bugs.webkit.org/show_bug.cgi?id=157890
1480
1481         Reviewed by Michael Saboff.
1482
1483         * bytecode/PolymorphicAccess.cpp:
1484         * jit/CCallHelpers.h:
1485
1486 2016-05-18  Saam barati  <sbarati@apple.com>
1487
1488         Function with default parameter values that are arrow functions that capture this isn't working
1489         https://bugs.webkit.org/show_bug.cgi?id=157786
1490         <rdar://problem/26327329>
1491
1492         Reviewed by Geoffrey Garen.
1493
1494         To make the scopes ordered properly, I needed to initialize the arrow 
1495         function lexical environment before initializing default parameter values.
1496         I also made the code easier to reason about by never reusing the function's
1497         var lexical environment for the arrow function lexical environment. The
1498         reason for this is that that code was wrong, and we just didn't have code that
1499         properly tested it. It was easy for that code to be wrong because
1500         sometimes the function's lexical environment isn't the top-most scope
1501         (namely, when a function's parameter list is non-simple) and sometimes
1502         it is (when the function's parameter list is simple).
1503
1504         Also, because a function's default parameter values may capture the
1505         'arguments' variable inside an arrow function, I needed to take care
1506         to initialize the 'arguments' variable as part of whichever scope
1507         is the top-most scope. It's either the function's var environment
1508         if the parameter list is simple, or it's the function's parameter
1509         environment if the parameter list is non-simple.
1510
1511         * bytecompiler/BytecodeGenerator.cpp:
1512         (JSC::BytecodeGenerator::BytecodeGenerator):
1513         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1514         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1515         (JSC::BytecodeGenerator::initializeParameters):
1516         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
1517         (JSC::BytecodeGenerator::visibleNameForParameter):
1518         * bytecompiler/BytecodeGenerator.h:
1519         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
1520         (assert):
1521         (test):
1522         (test.foo):
1523         * tests/stress/op-push-name-scope-crashes-profiler.js:
1524         (test):
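
Observable consequences of the scoping rules this entry describes, as an added example (not WebKit's test file): with a non-simple parameter list the parameters get their own environment, so a closure created in a default value keeps seeing the parameter even after the body declares a var of the same name, while a simple parameter list shares one binding. The function names are constructed.

```javascript
// Non-simple parameter list (a default value is present): parameters live in
// their own environment, and the body's `var a` is a separate binding that is
// initialised from the parameter and then reassigned.
function paramScopeIsSeparate(a, getA = () => a) {
  var a = "body";
  return [a, getA()];
}

// Simple parameter list: there is only one environment, so the closure and
// the `var a` both refer to the parameter binding itself.
function simpleParamSharesBinding(a) {
  const getA = () => a;
  var a = "body";
  return [a, getA()];
}

// Arrows in default values capture the function's own `this` ...
function capturesThis(getThis = () => this) {
  return getThis();
}

// ... and its `arguments` object, which is why `arguments` has to be
// initialised in the top-most scope before default values are evaluated.
function capturesArguments(first, count = () => arguments.length) {
  return count();
}

function runDefaultParamChecks() {
  const receiver = { tag: "receiver" };
  return {
    nonSimple: paramScopeIsSeparate("param"),                // ["body", "param"]
    simple: simpleParamSharesBinding("param"),               // ["body", "body"]
    thisIsReceiver: capturesThis.call(receiver) === receiver, // true
    argCount: capturesArguments(1, undefined, 3),            // 3
  };
}
```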
1525
1526 2016-05-18  Michael Saboff  <msaboff@apple.com>
1527
1528         r199812 broke test262
1529         https://bugs.webkit.org/show_bug.cgi?id=157595
1530
1531         Reviewed by Filip Pizlo.
1532
1533         Added a reasonable limit to the size of the match result array to catch possible
1534         infinite loops when matching.
1535         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
1536         by creating a subclass of RegExp where the base RegExp's global flag is false and
1537         the subclass overrides .global with a getter that always returns true.
1538
1539         * builtins/RegExpPrototype.js:
1540         (match):
1541         * tests/stress/regress-157595.js: Added.
1542         (MyRegExp):
1543         (MyRegExp.prototype.get global):
1544         (test):
1545         (catch):
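
A self-contained model of the Symbol.match loop with the result-size limit this entry describes (added example, not WebKit's builtins/RegExpPrototype.js): the constructed MyRegExp subclass reproduces the non-advancing shape the new test exercises, and the limit value, the helper names and the RangeError are assumptions.

```javascript
const MAX_MATCH_RESULTS = 100000; // constructed limit, not JSC's value

function toLength(value) {
  const n = Math.trunc(Number(value)) || 0;
  return n < 0 ? 0 : Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Spec AdvanceStringIndex: step past a surrogate pair in unicode mode.
function advanceStringIndex(s, index, unicode) {
  if (!unicode || index + 1 >= s.length) return index + 1;
  return index + (s.codePointAt(index) > 0xffff ? 2 : 1);
}

// Spec RegExpExec: honour a user-supplied exec, fall back to the builtin.
function regExpExec(rx, s) {
  const exec = rx.exec;
  if (typeof exec === "function") {
    const result = exec.call(rx, s);
    if (result !== null && typeof result !== "object") throw new TypeError("exec result must be an object or null");
    return result;
  }
  return RegExp.prototype.exec.call(rx, s);
}

// The Symbol.match algorithm, plus a bound on the result array so that an exec
// that never advances lastIndex fails fast instead of looping forever.
function matchWithLimit(rx, string, maxResults = MAX_MATCH_RESULTS) {
  const s = String(string);
  if (!rx.global) return regExpExec(rx, s);
  const fullUnicode = Boolean(rx.unicode);
  rx.lastIndex = 0;
  const results = [];
  for (;;) {
    const result = regExpExec(rx, s);
    if (result === null) return results.length === 0 ? null : results;
    const matchStr = String(result[0]);
    results.push(matchStr);
    if (matchStr === "") {
      rx.lastIndex = advanceStringIndex(s, toLength(rx.lastIndex), fullUnicode);
    }
    if (results.length > maxResults) {
      throw new RangeError("RegExp match result array too large (exec is not advancing)");
    }
  }
}

// Constructed reproduction of the regress-157595 shape: the underlying RegExp is
// not global, so the builtin exec ignores and never advances lastIndex, but the
// subclass claims to be global, so the unbounded spec loop would never terminate.
class MyRegExp extends RegExp {
  get global() { return true; }
}

function runLyingGlobalMatch(maxResults) {
  try {
    matchWithLimit(new MyRegExp("a"), "aaa", maxResults);
    return "completed";
  } catch (e) {
    return e instanceof RangeError ? "limited" : "error:" + e.name;
  }
}
```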
1546
1547 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1548
1549         [ES6] Namespace object re-export should be handled as local export
1550         https://bugs.webkit.org/show_bug.cgi?id=157806
1551
1552         Reviewed by Mark Lam.
1553
1554         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
1555         This Type::Namespace is used for re-exported namespace object binding. For example,
1556
1557             import * as namespace from "namespace.js"
1558             export { namespace }
1559
1560         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
1561         and use normal local export (Type::Local) instead because the namespace object actually has
1562         the local binding in the above module environment. And this handling strictly meets the
1563         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
1564
1565         And we also clean up the ExportEntry implementation; dropping unnecessary information.
1566         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
1567
1568         * parser/ModuleAnalyzer.cpp:
1569         (JSC::ModuleAnalyzer::exportVariable):
1570         * runtime/JSModuleRecord.cpp:
1571         (JSC::getExportedNames):
1572         (JSC::JSModuleRecord::dump): Deleted.
1573         * runtime/JSModuleRecord.h:
1574         * tests/modules/namespace-re-export.js: Added.
1575         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
1576         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
1577         * tests/modules/resources/assert.js:
1578         (export.shouldNotBe):
1579
1580 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
1581
1582         JSC should detect the right default locale even when it's not embedded in WebCore
1583         https://bugs.webkit.org/show_bug.cgi?id=157755
1584         rdar://problem/24665424
1585
1586         Reviewed by Keith Miller.
1587         
1588         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
1589         not register a defaultLanguage callback. The result is that when JSC runs standalone it
1590         will detect the platform user preferred language almost the same way as when it's embedded
1591         in WebCore. The only difference is that WebCore may have its own additional overrides via
1592         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
1593         back to.
1594         
1595         We first found this bug because on iOS, the intl tests would fail because ICU would report
1596         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
1597         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
1598         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
1599         printing dates Polish-style. Now it will print them Polish-style if your system preferences
1600         say so. Also, the tests don't fail on iOS anymore.
1601         
1602         * runtime/IntlObject.cpp:
1603         (JSC::defaultLocale):
1604
1605 2016-05-17  Dean Jackson  <dino@apple.com>
1606
1607         Remove ES6_GENERATORS flag
1608         https://bugs.webkit.org/show_bug.cgi?id=157815
1609         <rdar://problem/26332894>
1610
1611         Reviewed by Geoffrey Garen.
1612
1613         This flag isn't needed. Generators are enabled everywhere and
1614         part of a stable specification.
1615
1616         * Configurations/FeatureDefines.xcconfig:
1617         * parser/Parser.cpp:
1618         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
1619         (JSC::Parser<LexerType>::parseClass): Deleted.
1620         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
1621         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
1622         (JSC::Parser<LexerType>::parseProperty): Deleted.
1623         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
1624
1625 2016-05-17  Keith Miller  <keith_miller@apple.com>
1626
1627         Rollout r200426 since it causes PLT regressions.
1628         https://bugs.webkit.org/show_bug.cgi?id=157812
1629
1630         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
1631
1632 2016-05-17  Keith Miller  <keith_miller@apple.com>
1633
1634         Add test262 harness support code
1635         https://bugs.webkit.org/show_bug.cgi?id=157797
1636
1637         Reviewed by Filip Pizlo.
1638
1639         This patch adds some new tooling needed to run Test262 with the jsc
1640         CLI. There were three options that needed to be added for Test262:
1641
1642         1) "--test262-async" This option overrides the print function in the test runner to look for
1643         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
1644         and that string is not passed then the test is marked as failing.
1645
1646         2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
1647         passed file before passing the source code to the VM. This option can, in theory, be passed
1648         multiple times.
1649
1650         3) "--exception=<name>" This option asserts that at the end of the last script file passed
1651         the VM has an uncaught exception with its name property equal to the passed name.
1652
1653         * jsc.cpp:
1654         (Script::Script):
1655         (fillBufferWithContentsOfFile):
1656         (functionPrint):
1657         (checkUncaughtException):
1658         (runWithScripts):
1659         (printUsageStatement):
1660         (CommandLine::parseArguments):
1661         (runJSC):
1662
1663 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
1664
1665         WTF should know about Language
1666         https://bugs.webkit.org/show_bug.cgi?id=157756
1667
1668         Reviewed by Geoffrey Garen.
1669
1670         Teach our scripts that an ObjC class beginning with WTF is totally cool.
1671
1672         * JavaScriptCore.xcodeproj/project.pbxproj:
1673
1674 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
1675
1676         console namespace breaks putting properties on console.__proto__
1677         https://bugs.webkit.org/show_bug.cgi?id=157782
1678         <rdar://problem/26250526>
1679
1680         Reviewed by Geoffrey Garen.
1681
1682         Some websites currently depend on console.__proto__ existing and being
1683         a separate object from Object.prototype. This patch adds back a basic
1684         console.__proto__ object, but all the console functions are left on
1685         the ConsoleObject itself.
1686
1687         * runtime/JSGlobalObject.cpp:
1688         (JSC::createConsoleProperty):
1689
1690 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1691
1692         Unreviewed, dump more information when math-pow-stable-results.js failed
1693         https://bugs.webkit.org/show_bug.cgi?id=157168
1694
1695         * tests/stress/math-pow-stable-results.js:
1696
1697 2016-05-16  Saam barati  <sbarati@apple.com>
1698
1699         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
1700         https://bugs.webkit.org/show_bug.cgi?id=157770
1701
1702         Reviewed by Filip Pizlo.
1703
1704         ShadowChicken was reading the scope from a half formed
1705         frame as it threw a stack overflow exception. The frame had
1706         a valid CodeBlock pointer, but it did not have a valid scope.
1707         The code in ShadowChicken's throw packet logging mechanism didn't
1708         account for this. The fix is to respect whether genericUnwind wants
1709         to unwind from the current frame or the caller's frame. For stack
1710         overflow errors, we always unwind the caller's frame.
1711
1712         * jit/JITExceptions.cpp:
1713         (JSC::genericUnwind):
1714
1715 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1716
1717         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
1718         https://bugs.webkit.org/show_bug.cgi?id=157168
1719
1720         Reviewed by Benjamin Poulain.
1721
1722         The fast path in operationMathPow produces different results between x87 and the other environments.
1723         This is because x87 calculates the double value in 80bit precision.
1724         The situation is the following: in x86 32bit environment, floating point operations are compiled to
1725         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
1726         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
1727         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
1728         problem since x87 has 80bit precision while SSE2 has 64bit precision.
1729
1730         In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
1731         is not specified. This will round the x87 value into 64bit per multiplication. Note that this problem does not
1732         occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.
1733
1734         * b3/B3MathExtras.cpp:
1735         (JSC::B3::powDoubleInt32):
1736         * runtime/MathCommon.cpp:
1737         (JSC::operationMathPow):
1738
1739 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1740
1741         [JSC] "return this" in a constructor does not need a branch on isObject(this)
1742         https://bugs.webkit.org/show_bug.cgi?id=157775
1743
1744         Reviewed by Saam Barati and Ryosuke Niwa.
1745
1746         When returning "this" in a constructor, the bytecode generator was generating:
1747             is_object         locX, this
1748             jtrue             locX, 5(->second ret)
1749             ret               this
1750             ret               this
1751
1752         That code is eliminated in DFG but it is pretty costly in lower tiers.
1753
1754         This patch changes bytecode generation to avoid the is_object test
1755         when possible and not generate two ret if they encode the same thing.
1756
1757         * bytecompiler/BytecodeGenerator.cpp:
1758         (JSC::BytecodeGenerator::emitReturn):
1759
1760 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1761
1762         [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
1763         https://bugs.webkit.org/show_bug.cgi?id=157766
1764
1765         Reviewed by Geoffrey Garen.
1766
1767         If the index is an integer constant, do not generate the index check.
1768
1769         * jit/JITPropertyAccess.cpp:
1770         (JSC::JIT::emit_op_get_by_val):
1771         (JSC::JIT::emitSlow_op_get_by_val):
1772         (JSC::JIT::emit_op_put_by_val):
1773         (JSC::JIT::emitSlow_op_put_by_val):
1774
1775 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1776
1777         [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
1778         https://bugs.webkit.org/show_bug.cgi?id=157700
1779
1780         Reviewed by Michael Saboff.
1781
1782         In general, fillSpeculateInt32() originates from SpeculateInt32
1783         and the user does not care about the tag.
1784
1785         This is particularly obvious on Sunspider's math-spectral-norm.js.
1786         In that test, registers are frequently spilled because of x86's DIV.
1787
1788         When they are re-filled, they were always tagged.
1789         Since the loops are small, all the tagging adds up.
1790
1791         * dfg/DFGSpeculativeJIT64.cpp:
1792         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1793
1794 2016-05-16  Saam barati  <sbarati@apple.com>
1795
1796         Unreviewed Cloop build fix.
1797
1798         * bytecode/CodeBlock.cpp:
1799         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1800
1801 2016-05-16  Saam barati  <sbarati@apple.com>
1802
1803         Hook up ShadowChicken to the debugger to show tail deleted frames
1804         https://bugs.webkit.org/show_bug.cgi?id=156685
1805         <rdar://problem/25770521>
1806
1807         Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.
1808
1809         The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
1810         allow the Web Inspector to display the ShadowChicken's shadow stack.
1811         This means the Web Inspector can now display tail deleted frames.
1812         To make this work, I made the necessary changes to ShadowChicken and
1813         DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
1814         when representing both machine frames and tail deleted frames.
1815
1816         - ShadowChicken prologue packets now log the current scope. Tail packets
1817           log the current scope, the 'this' value, the CodeBlock, and the
1818           CallSiteIndex. This allows the inspector to not only show the
1819           tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
1820           with which scope it executed, and with which 'this' value. This
1821           patch also allows DebuggerCallFrame to execute console statements
1822           in a tail deleted frame.
1823
1824         - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
1825           now only keeps a maximum number of tail deleted frames in its shadow stack.
1826           It will happily represent all machine frames without limit. Right now, the
1827           maximum number of tail deleted frames I chose to keep alive is 128.
1828           We will keep frames alive starting from the top of the stack. This
1829           allows us to have a strong defense against runaway memory usage. We will only
1830           keep around at most 128 "shadow" frames that wouldn't have naturally been kept
1831           alive by the executing program. We can play around with this number
1832           if we find that 128 is either too many or too few frames.
1833
1834         - DebuggerCallFrame is no longer a cheap class to create. When it is created,
1835           we will eagerly create the entire virtual debugger stack. So I modified the
1836           existing code to lazily create DebuggerCallFrames only when necessary. We
1837           used to eagerly create them at each op_debug statement even though we would
1838           just throw them away if we didn't hit a breakpoint.
1839
1840         - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
1841           into the stack. This pointer won't always refer to the logical frame
1842           that the DebuggerCallFrame represents because a DebuggerCallFrame can
1843           now represent a tail deleted frame. To do this, DebuggerCallFrame now
1844           has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
1845           to know when it represents a tail deleted frame and gives DebuggerCallFrame
1846           a mechanism to ask the tail deleted frame for interesting information
1847           (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
1848           machine frame pointer will be the machine caller of the tail deleted frame
1849           (or the machine caller of the first of a series of consecutive tail calls).
1850
1851         - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
1852           with debugging opcodes. I did this because ShadowChicken may read a JSScope
1853           from the machine stack. This is only safe if the machine CodeBlock was
1854           compiled with debugging opcodes. This is safer than asking if the
1855           CodeBlock's global object has an interactive debugger enabled because
1856           it's theoretically possible for the debugger to be enabled while code
1857           compiled without a debugger is still live on the stack. This field is
1858           also now used to indicate to the DFGGraph that the interactive debugger
1859           is enabled.
1860
1861         - Finally, this patch adds a new field to the Inspector's CallFrame protocol
1862           object called 'isTailDeleted' to allow the Inspector to know when a
1863           CallFrame represents a tail deleted frame.
1864
1865         * JavaScriptCore.xcodeproj/project.pbxproj:
1866         * bytecode/BytecodeList.json:
1867         * bytecode/BytecodeUseDef.h:
1868         (JSC::computeUsesForBytecodeOffset):
1869         * bytecode/CodeBlock.cpp:
1870         (JSC::CodeBlock::dumpBytecode):
1871         (JSC::CodeBlock::findPC):
1872         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1873         * bytecode/CodeBlock.h:
1874         (JSC::CodeBlock::clearDebuggerRequests):
1875         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
1876         * bytecode/UnlinkedCodeBlock.cpp:
1877         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1878         * bytecode/UnlinkedCodeBlock.h:
1879         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
1880         (JSC::UnlinkedCodeBlock::finishCreation):
1881         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1882         * bytecode/UnlinkedFunctionExecutable.cpp:
1883         (JSC::generateUnlinkedFunctionCodeBlock):
1884         * bytecompiler/BytecodeGenerator.cpp:
1885         (JSC::BytecodeGenerator::generate):
1886         (JSC::BytecodeGenerator::BytecodeGenerator):
1887         (JSC::BytecodeGenerator::emitEnter):
1888         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1889         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1890         (JSC::BytecodeGenerator::emitCallDefineProperty):
1891         * debugger/Debugger.cpp:
1892         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1893         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1894         (JSC::Debugger::didReachBreakpoint):
1895         (JSC::Debugger::currentDebuggerCallFrame):
1896         * debugger/Debugger.h:
1897         * debugger/DebuggerCallFrame.cpp:
1898         (JSC::LineAndColumnFunctor::operator()):
1899         (JSC::DebuggerCallFrame::create):
1900         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1901         (JSC::DebuggerCallFrame::callerFrame):
1902         (JSC::DebuggerCallFrame::globalExec):
1903         (JSC::DebuggerCallFrame::vmEntryGlobalObject):
1904         (JSC::DebuggerCallFrame::sourceID):
1905         (JSC::DebuggerCallFrame::functionName):
1906         (JSC::DebuggerCallFrame::scope):
1907         (JSC::DebuggerCallFrame::type):
1908         (JSC::DebuggerCallFrame::thisValue):
1909         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1910         (JSC::DebuggerCallFrame::invalidate):
1911         (JSC::DebuggerCallFrame::currentPosition):
1912         (JSC::DebuggerCallFrame::positionForCallFrame):
1913         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1914         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
1915         (JSC::FindCallerMidStackFunctor::operator()): Deleted.
1916         (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
1917         (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
1918         * debugger/DebuggerCallFrame.h:
1919         (JSC::DebuggerCallFrame::isValid):
1920         (JSC::DebuggerCallFrame::isTailDeleted):
1921         (JSC::DebuggerCallFrame::create): Deleted.
1922         (JSC::DebuggerCallFrame::exec): Deleted.
1923         * dfg/DFGByteCodeParser.cpp:
1924         (JSC::DFG::ByteCodeParser::parseBlock):
1925         * dfg/DFGFixupPhase.cpp:
1926         (JSC::DFG::FixupPhase::fixupNode):
1927         * dfg/DFGGraph.cpp:
1928         (JSC::DFG::Graph::Graph):
1929         (JSC::DFG::Graph::~Graph):
1930         * dfg/DFGJITCompiler.h:
1931         (JSC::DFG::JITCompiler::addCallSite):
1932         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
1933         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
1934         * dfg/DFGSpeculativeJIT32_64.cpp:
1935         (JSC::DFG::SpeculativeJIT::compile):
1936         * dfg/DFGSpeculativeJIT64.cpp:
1937         (JSC::DFG::SpeculativeJIT::compile):
1938         * ftl/FTLAbstractHeapRepository.h:
1939         * ftl/FTLLowerDFGToB3.cpp:
1940         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1941         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1942         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1943         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1944         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
1945         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
1946         * inspector/InjectedScriptSource.js:
1947         (InjectedScript.CallFrameProxy):
1948         * inspector/JSJavaScriptCallFrame.cpp:
1949         (Inspector::JSJavaScriptCallFrame::thisObject):
1950         (Inspector::JSJavaScriptCallFrame::isTailDeleted):
1951         (Inspector::JSJavaScriptCallFrame::type):
1952         * inspector/JSJavaScriptCallFrame.h:
1953         * inspector/JSJavaScriptCallFramePrototype.cpp:
1954         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
1955         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
1956         (Inspector::jsJavaScriptCallFrameAttributeType):
1957         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
1958         * inspector/JavaScriptCallFrame.h:
1959         (Inspector::JavaScriptCallFrame::type):
1960         (Inspector::JavaScriptCallFrame::scopeChain):
1961         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
1962         (Inspector::JavaScriptCallFrame::isTailDeleted):
1963         (Inspector::JavaScriptCallFrame::thisValue):
1964         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
1965         * inspector/ScriptDebugServer.cpp:
1966         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
1967         * inspector/protocol/Debugger.json:
1968         * interpreter/ShadowChicken.cpp:
1969         (JSC::ShadowChicken::update):
1970         (JSC::ShadowChicken::visitChildren):
1971         (JSC::ShadowChicken::reset):
1972         * interpreter/ShadowChicken.h:
1973         (JSC::ShadowChicken::Packet::throwMarker):
1974         (JSC::ShadowChicken::Packet::prologue):
1975         (JSC::ShadowChicken::Packet::tail):
1976         (JSC::ShadowChicken::Frame::Frame):
1977         (JSC::ShadowChicken::Frame::operator==):
1978         * jit/CCallHelpers.cpp:
1979         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1980         (JSC::CCallHelpers::logShadowChickenTailPacket):
1981         (JSC::CCallHelpers::ensureShadowChickenPacket):
1982         (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
1983         * jit/CCallHelpers.h:
1984         * jit/JITOpcodes.cpp:
1985         (JSC::JIT::emit_op_profile_type):
1986         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1987         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1988         (JSC::JIT::emit_op_get_enumerable_length):
1989         (JSC::JIT::emit_op_resume):
1990         * jit/JITOpcodes32_64.cpp:
1991         (JSC::JIT::emit_op_profile_type):
1992         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1993         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1994         * jit/RegisterSet.cpp:
1995         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
1996         (JSC::RegisterSet::argumentGPRS):
1997         (JSC::RegisterSet::registersToNotSaveForJSCall):
1998         * jit/RegisterSet.h:
1999         * llint/LLIntData.cpp:
2000         (JSC::LLInt::Data::performAssertions):
2001         * llint/LLIntSlowPaths.cpp:
2002         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2003         * llint/LowLevelInterpreter.asm:
2004         * llint/LowLevelInterpreter32_64.asm:
2005         * llint/LowLevelInterpreter64.asm:
2006         * runtime/CodeCache.cpp:
2007         (JSC::CodeCache::getGlobalCodeBlock):
2008         * runtime/Options.h:
2009         * tests/stress/shadow-chicken-enabled.js:
2010         (test5a.foo):
2011         (test5a):
2012         (test5b.foo):
2013         (test5b):
2014         (test6.foo):
2015         (test6):
2016
2017 2016-05-16  Saam barati  <sbarati@apple.com>
2018
2019         TypeSet/StructureShape have a flawed sense of JS prototype chains
2020         https://bugs.webkit.org/show_bug.cgi?id=157760
2021
2022         Reviewed by Joseph Pecoraro.
2023
2024         There was an assumption that we would bottom out in "Object". This is
2025         not true for many reasons. JS objects may not end in Object.prototype.
2026         Also, our mechanism of grabbing an Object's class name may not
2027         bottom out in "Object". We were seeing this in the JS objects we use
2028         in the InjectedScriptSource.js inspector script.
2029
2030         * runtime/TypeSet.cpp:
2031         (JSC::StructureShape::leastCommonAncestor):
2032         * tests/typeProfiler/weird-prototype-chain.js: Added.
2033         (wrapper.foo):
2034         (wrapper.let.o2):
2035         (wrapper):
2036
2037 2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>
2038
2039         Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
2040
2041         * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
2042         (JSStartProfiling):
2043         (JSEndProfiling):
2044         * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
2045         * CMakeLists.txt:
2046         * JavaScriptCore.xcodeproj/project.pbxproj:
2047         * bytecode/BytecodeList.json:
2048         * bytecode/BytecodeUseDef.h:
2049         (JSC::computeUsesForBytecodeOffset):
2050         (JSC::computeDefsForBytecodeOffset):
2051         * bytecode/CodeBlock.cpp:
2052         (JSC::CodeBlock::dumpBytecode):
2053         * bytecode/UnlinkedFunctionExecutable.cpp:
2054         (JSC::generateUnlinkedFunctionCodeBlock):
2055         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2056         * bytecode/UnlinkedFunctionExecutable.h:
2057         * bytecompiler/BytecodeGenerator.cpp:
2058         (JSC::BytecodeGenerator::BytecodeGenerator):
2059         (JSC::BytecodeGenerator::emitCall):
2060         (JSC::BytecodeGenerator::emitCallVarargs):
2061         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2062         (JSC::BytecodeGenerator::emitConstructVarargs):
2063         (JSC::BytecodeGenerator::emitConstruct):
2064         * bytecompiler/BytecodeGenerator.h:
2065         (JSC::CallArguments::profileHookRegister):
2066         (JSC::BytecodeGenerator::shouldEmitProfileHooks):
2067         * bytecompiler/NodesCodegen.cpp:
2068         (JSC::CallArguments::CallArguments):
2069         (JSC::CallFunctionCallDotNode::emitBytecode):
2070         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2071         * dfg/DFGAbstractInterpreterInlines.h:
2072         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2073         * dfg/DFGByteCodeParser.cpp:
2074         (JSC::DFG::ByteCodeParser::parseBlock):
2075         * dfg/DFGCapabilities.cpp:
2076         (JSC::DFG::capabilityLevel):
2077         * dfg/DFGClobberize.h:
2078         (JSC::DFG::clobberize):
2079         * dfg/DFGDoesGC.cpp:
2080         (JSC::DFG::doesGC):
2081         * dfg/DFGFixupPhase.cpp:
2082         (JSC::DFG::FixupPhase::fixupNode):
2083         * dfg/DFGNodeType.h:
2084         * dfg/DFGPredictionPropagationPhase.cpp:
2085         * dfg/DFGSafeToExecute.h:
2086         (JSC::DFG::safeToExecute):
2087         * dfg/DFGSpeculativeJIT32_64.cpp:
2088         (JSC::DFG::SpeculativeJIT::compile):
2089         * dfg/DFGSpeculativeJIT64.cpp:
2090         (JSC::DFG::SpeculativeJIT::compile):
2091         * inspector/InjectedScriptBase.cpp:
2092         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2093         * inspector/protocol/Timeline.json:
2094         * interpreter/Interpreter.cpp:
2095         (JSC::UnwindFunctor::operator()):
2096         (JSC::Interpreter::execute):
2097         (JSC::Interpreter::executeCall):
2098         (JSC::Interpreter::executeConstruct):
2099         * jit/JIT.cpp:
2100         (JSC::JIT::privateCompileMainPass):
2101         * jit/JIT.h:
2102         * jit/JITOpcodes.cpp:
2103         (JSC::JIT::emit_op_profile_will_call):
2104         (JSC::JIT::emit_op_profile_did_call):
2105         * jit/JITOpcodes32_64.cpp:
2106         (JSC::JIT::emit_op_profile_will_call):
2107         (JSC::JIT::emit_op_profile_did_call):
2108         * jit/JITOperations.cpp:
2109         * jit/JITOperations.h:
2110         * jsc.cpp:
2111         * llint/LLIntSlowPaths.cpp:
2112         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2113         * llint/LLIntSlowPaths.h:
2114         * llint/LowLevelInterpreter.asm:
2115         * parser/ParserModes.h:
2116         * profiler/CallIdentifier.h: Added.
2117         (JSC::CallIdentifier::CallIdentifier):
2118         (JSC::CallIdentifier::functionName):
2119         (JSC::CallIdentifier::url):
2120         (JSC::CallIdentifier::lineNumber):
2121         (JSC::CallIdentifier::columnNumber):
2122         (JSC::CallIdentifier::operator==):
2123         (JSC::CallIdentifier::operator!=):
2124         (JSC::CallIdentifier::Hash::hash):
2125         (JSC::CallIdentifier::Hash::equal):
2126         (JSC::CallIdentifier::hash):
2127         (JSC::CallIdentifier::operator const char*):
2128         (JSC::CallIdentifier::c_str):
2129         (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
2130         (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
2131         * profiler/LegacyProfiler.cpp: Added.
2132         (JSC::LegacyProfiler::profiler):
2133         (JSC::LegacyProfiler::startProfiling):
2134         (JSC::LegacyProfiler::stopProfiling):
2135         (JSC::callFunctionForProfilesWithGroup):
2136         (JSC::LegacyProfiler::suspendProfiling):
2137         (JSC::LegacyProfiler::unsuspendProfiling):
2138         (JSC::LegacyProfiler::willExecute):
2139         (JSC::LegacyProfiler::didExecute):
2140         (JSC::LegacyProfiler::exceptionUnwind):
2141         (JSC::LegacyProfiler::createCallIdentifier):
2142         (JSC::createCallIdentifierFromFunctionImp):
2143         * profiler/LegacyProfiler.h: Added.
2144         (JSC::LegacyProfiler::currentProfiles):
2145         * profiler/Profile.cpp: Added.
2146         (JSC::Profile::create):
2147         (JSC::Profile::Profile):
2148         (JSC::Profile::~Profile):
2149         (JSC::Profile::debugPrint):
2150         (JSC::functionNameCountPairComparator):
2151         (JSC::Profile::debugPrintSampleStyle):
2152         * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
2153         * profiler/ProfileGenerator.cpp: Added.
2154         (JSC::ProfileGenerator::create):
2155         (JSC::ProfileGenerator::ProfileGenerator):
2156         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
2157         (JSC::AddParentForConsoleStartFunctor::foundParent):
2158         (JSC::AddParentForConsoleStartFunctor::operator()):
2159         (JSC::ProfileGenerator::addParentForConsoleStart):
2160         (JSC::ProfileGenerator::title):
2161         (JSC::ProfileGenerator::beginCallEntry):
2162         (JSC::ProfileGenerator::endCallEntry):
2163         (JSC::ProfileGenerator::willExecute):
2164         (JSC::ProfileGenerator::didExecute):
2165         (JSC::ProfileGenerator::exceptionUnwind):
2166         (JSC::ProfileGenerator::stopProfiling):
2167         (JSC::ProfileGenerator::removeProfileStart):
2168         (JSC::ProfileGenerator::removeProfileEnd):
2169         * profiler/ProfileGenerator.h: Added.
2170         (JSC::ProfileGenerator::profile):
2171         (JSC::ProfileGenerator::origin):
2172         (JSC::ProfileGenerator::profileGroup):
2173         (JSC::ProfileGenerator::setIsSuspended):
2174         * profiler/ProfileNode.cpp: Added.
2175         (JSC::ProfileNode::ProfileNode):
2176         (JSC::ProfileNode::addChild):
2177         (JSC::ProfileNode::removeChild):
2178         (JSC::ProfileNode::spliceNode):
2179         (JSC::ProfileNode::traverseNextNodePostOrder):
2180         (JSC::ProfileNode::debugPrint):
2181         (JSC::ProfileNode::debugPrintSampleStyle):
2182         (JSC::ProfileNode::debugPrintRecursively):
2183         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
2184         * profiler/ProfileNode.h: Added.
2185         (JSC::ProfileNode::create):
2186         (JSC::ProfileNode::Call::Call):
2187         (JSC::ProfileNode::Call::startTime):
2188         (JSC::ProfileNode::Call::setStartTime):
2189         (JSC::ProfileNode::Call::elapsedTime):
2190         (JSC::ProfileNode::Call::setElapsedTime):
2191         (JSC::ProfileNode::operator==):
2192         (JSC::ProfileNode::callerCallFrame):
2193         (JSC::ProfileNode::callIdentifier):
2194         (JSC::ProfileNode::id):
2195         (JSC::ProfileNode::functionName):
2196         (JSC::ProfileNode::url):
2197         (JSC::ProfileNode::lineNumber):
2198         (JSC::ProfileNode::columnNumber):
2199         (JSC::ProfileNode::parent):
2200         (JSC::ProfileNode::setParent):
2201         (JSC::ProfileNode::calls):
2202         (JSC::ProfileNode::lastCall):
2203         (JSC::ProfileNode::appendCall):
2204         (JSC::ProfileNode::children):
2205         (JSC::ProfileNode::firstChild):
2206         (JSC::ProfileNode::lastChild):
2207         (JSC::ProfileNode::nextSibling):
2208         (JSC::ProfileNode::setNextSibling):
2209         (JSC::ProfileNode::forEachNodePostorder):
2210         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
2211         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
2212         * profiler/ProfilerJettisonReason.cpp:
2213         (WTF::printInternal):
2214         * profiler/ProfilerJettisonReason.h:
2215         * runtime/CodeCache.cpp:
2216         (JSC::CodeCache::getGlobalCodeBlock):
2217         (JSC::CodeCache::getProgramCodeBlock):
2218         (JSC::CodeCache::getEvalCodeBlock):
2219         (JSC::CodeCache::getModuleProgramCodeBlock):
2220         * runtime/CodeCache.h:
2221         * runtime/Executable.cpp:
2222         (JSC::ScriptExecutable::newCodeBlockFor):
2223         * runtime/JSGlobalObject.cpp:
2224         (JSC::JSGlobalObject::~JSGlobalObject):
2225         (JSC::JSGlobalObject::hasLegacyProfiler):
2226         (JSC::JSGlobalObject::createProgramCodeBlock):
2227         (JSC::JSGlobalObject::createEvalCodeBlock):
2228         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2229         * runtime/JSGlobalObject.h:
2230         (JSC::JSGlobalObject::supportsLegacyProfiling):
2231         * runtime/Options.h:
2232         * runtime/VM.cpp:
2233         (JSC::VM::VM):
2234         (JSC::SetEnabledProfilerFunctor::operator()):
2235         (JSC::VM::setEnabledProfiler):
2236         * runtime/VM.h:
2237         (JSC::VM::enabledProfiler):
2238         (JSC::VM::enabledProfilerAddress):
2239
2240 2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>
2241
2242         Unreviewed, fixed typo in a comment.
2243
2244         * assembler/MacroAssembler.h: Replaced "onvenience" with
2245         "convenience".
2246
2247 2016-05-16  Filip Pizlo  <fpizlo@apple.com>
2248
2249         FixupPhase should be more eager to demote bit math to untyped
2250         https://bugs.webkit.org/show_bug.cgi?id=157746
2251
2252         Reviewed by Mark Lam.
2253         
2254         This just makes the logic for how we fixup bit math match the way we do it in other places.
2255         This doesn't affect performance on any major benchmark but it's a big win on new
2256         microbenchmarks added in this change.
2257         
2258         Details:
2259
2260         object-and                                     11.1610+-0.7602     ^      4.8105+-0.1690        ^ definitely 2.3201x faster
2261         object-or                                      11.0845+-0.2487     ^      4.7146+-0.0374        ^ definitely 2.3511x faster
2262         object-xor                                     10.2946+-0.9946     ^      4.7278+-0.0814        ^ definitely 2.1775x faster
2263         object-lshift                                  10.4896+-1.0867     ^      4.7699+-0.0721        ^ definitely 2.1991x faster
2264         object-rshift                                  11.1239+-0.5010     ^      4.7194+-0.0445        ^ definitely 2.3570x faster
2265         object-urshift                                 10.9745+-0.1315     ^      4.7848+-0.0479        ^ definitely 2.2936x faster
2266
2267         * dfg/DFGFixupPhase.cpp:
2268         (JSC::DFG::FixupPhase::fixupNode):
2269
2270 2016-05-15  Michael Saboff  <msaboff@apple.com>
2271
2272         RegExp /y flag incorrect handling of mixed-length alternation
2273         https://bugs.webkit.org/show_bug.cgi?id=157723
2274
2275         Reviewed by Filip Pizlo.
2276
2277         Previously for sticky patterns, we were bailing out and exiting when backtracking
2278         alternatives with dissimilar match lengths.  Deleted that code.  Instead, for
2279         sticky patterns we need to process the backtracking except for advancing to the
2280         next input index.
2281
2282         * yarr/YarrJIT.cpp:
2283         (JSC::Yarr::YarrGenerator::backtrack):
2284
2285 2016-05-15  Filip Pizlo  <fpizlo@apple.com>
2286
2287         DFG::Plan shouldn't read from its VM once it's been cancelled
2288         https://bugs.webkit.org/show_bug.cgi?id=157726
2289
2290         Reviewed by Saam Barati.
2291         
2292         Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
2293         cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
2294         the plan.
2295         
2296         Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
2297         would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
2298         regression to spot because usually a cancelled plan will still refer to a valid VM.
2299         
2300         This change fixes the regression and makes it a lot easier to spot the regression in the
2301         future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
2302         mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
2303         cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
2304         use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
2305         
2306         Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
2307         plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
2308         safepoint's VM to determine whether this is one of our safepoints *after* the plan is
2309         already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
2310         when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
2311         vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
2312         loop and a cancel path for Safepoints in the loop after it).
2313
2314         * dfg/DFGJITFinalizer.cpp:
2315         (JSC::DFG::JITFinalizer::finalizeCommon):
2316         * dfg/DFGPlan.cpp:
2317         (JSC::DFG::Plan::Plan):
2318         (JSC::DFG::Plan::computeCompileTimes):
2319         (JSC::DFG::Plan::reportCompileTimes):
2320         (JSC::DFG::Plan::compileInThreadImpl):
2321         (JSC::DFG::Plan::reallyAdd):
2322         (JSC::DFG::Plan::notifyCompiling):
2323         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2324         (JSC::DFG::Plan::cancel):
2325         * dfg/DFGPlan.h:
2326         (JSC::DFG::Plan::canTierUpAndOSREnter):
2327         * dfg/DFGSafepoint.cpp:
2328         (JSC::DFG::Safepoint::cancel):
2329         (JSC::DFG::Safepoint::vm):
2330         * dfg/DFGSafepoint.h:
2331         * dfg/DFGWorklist.cpp:
2332         (JSC::DFG::Worklist::isActiveForVM):
2333         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2334         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2335         (JSC::DFG::Worklist::rememberCodeBlocks):
2336         (JSC::DFG::Worklist::visitWeakReferences):
2337         (JSC::DFG::Worklist::removeDeadPlans):
2338         (JSC::DFG::Worklist::runThread):
2339         * ftl/FTLJITFinalizer.cpp:
2340         (JSC::FTL::JITFinalizer::finalizeFunction):
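
The ownership shape this entry describes, as an added C++ sketch that is not JavaScriptCore's code: VM, Plan, Safepoint and Worklist are simplified stand-ins for the JSC classes named above, and `addPlan`, `addSafepoint` and the consumer `finalizeIfLive` are hypothetical names introduced for the illustration.

```cpp
#include <cstddef>
#include <vector>

// Simplified stand-ins for JSC's VM, DFG::Plan, DFG::Safepoint and
// DFG::Worklist. Added illustration, not JavaScriptCore code.
struct VM { int id; };

class Plan {
public:
    explicit Plan(VM& vm) : m_vm(&vm) { }

    // A pointer rather than a reference, so cancel() can null it.
    VM* vm() const { return m_vm; }

    // Nulling m_vm turns any later read on the cancel path into a deterministic
    // null dereference, instead of a use-after-free that only surfaces when the
    // VM has actually been deleted.
    void cancel() { m_vm = nullptr; }

private:
    VM* m_vm;
};

class Safepoint {
public:
    // Own copy of the VM pointer, taken while the plan is still live.
    explicit Safepoint(const Plan& plan) : m_vm(plan.vm()) { }

    // Deliberately not forwarded to Plan::vm(): by the time the worklist asks,
    // the owning plan may already be cancelled and its vm nulled.
    VM* vm() const { return m_vm; }
    void cancel() { m_vm = nullptr; }

private:
    VM* m_vm;
};

class Worklist {
public:
    void addPlan(Plan& plan) { m_plans.push_back(&plan); }
    void addSafepoint(Safepoint& safepoint) { m_safepoints.push_back(&safepoint); }

    // Two loops, as in the entry's description of removeDeadPlans(): cancel the
    // dying VM's plans first, then its safepoints. Returns the number of
    // objects cancelled.
    std::size_t removeDeadPlans(const VM& dyingVM)
    {
        std::size_t cancelled = 0;
        for (Plan* plan : m_plans) {
            if (plan->vm() == &dyingVM) {
                plan->cancel();
                ++cancelled;
            }
        }
        for (Safepoint* safepoint : m_safepoints) {
            // Plan::vm() is already null for this VM's plans, so only the
            // safepoint's own copy can identify it as ours.
            if (safepoint->vm() == &dyingVM) {
                safepoint->cancel();
                ++cancelled;
            }
        }
        return cancelled;
    }

private:
    std::vector<Plan*> m_plans;
    std::vector<Safepoint*> m_safepoints;
};

// Hypothetical consumer on the finalize path. Returns the id of the VM it
// worked on, or -1 when the plan was cancelled: null-check vm, and if it is
// null, assume the worst.
int finalizeIfLive(const Plan& plan)
{
    VM* vm = plan.vm();
    if (!vm)
        return -1;
    return vm->id;
}

// Stand-alone driver: exit status 0 when the cancelled plan is refused.
int main()
{
    VM vmA { 1 };
    VM vmB { 2 };
    Plan planA(vmA);
    Plan planB(vmB);
    Safepoint safepointA(planA);
    Worklist worklist;
    worklist.addPlan(planA);
    worklist.addPlan(planB);
    worklist.addSafepoint(safepointA);
    bool ok = worklist.removeDeadPlans(vmA) == 2
        && finalizeIfLive(planA) == -1 && finalizeIfLive(planB) == 2;
    return ok ? 0 : 1;
}
```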
2341
2342 2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2343
2344         Modernize Intl constructors; using InternalFunction::createSubclassStructure
2345         https://bugs.webkit.org/show_bug.cgi?id=157082
2346
2347         Reviewed by Darin Adler.
2348
2349         Previously, Intl constructors retrieved "prototype" to inherit the "new.target".
2350         At that time, this mis-assumed that getDirect() always returns a meaningful JS value.
2351         Actually, it returns an empty value if a property does not exist.
2352
2353         Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
2354         in Intl constructors. It is a modern and preferable way since it can cache the derived
2355         structures in InternalFunction.
2356
2357         This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
2358         That code was largely duplicated. It is now extracted into
2359         constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This cleanup does not
2360         have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
2361         and LayoutTests/js/intl-numberformat.
2362
2363         * JavaScriptCore.xcodeproj/project.pbxproj:
2364         * runtime/IntlCollator.cpp:
2365         (JSC::IntlCollator::create):
2366         * runtime/IntlCollator.h:
2367         * runtime/IntlCollatorConstructor.cpp:
2368         (JSC::constructIntlCollator):
2369         (JSC::callIntlCollator):
2370         * runtime/IntlDateTimeFormat.cpp:
2371         (JSC::IntlDateTimeFormat::create):
2372         * runtime/IntlDateTimeFormat.h:
2373         * runtime/IntlDateTimeFormatConstructor.cpp:
2374         (JSC::constructIntlDateTimeFormat):
2375         (JSC::callIntlDateTimeFormat):
2376         * runtime/IntlDateTimeFormatPrototype.cpp:
2377         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2378         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2379         * runtime/IntlNumberFormat.cpp:
2380         (JSC::IntlNumberFormat::create):
2381         * runtime/IntlNumberFormat.h:
2382         * runtime/IntlNumberFormatConstructor.cpp:
2383         (JSC::constructIntlNumberFormat):
2384         (JSC::callIntlNumberFormat):
2385         * runtime/IntlNumberFormatPrototype.cpp:
2386         (JSC::IntlNumberFormatPrototypeGetterFormat):
2387         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2388         * runtime/IntlObjectInlines.h: Added.
2389         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2390         * tests/stress/intl-constructors-with-proxy.js: Added.
2391         (shouldBe):
2392         (throw.new.Error.Empty):
2393         (throw.new.Error):
2394         (shouldBe.Empty):
2395
2396 2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>
2397
2398         Remove LegacyProfiler
2399         https://bugs.webkit.org/show_bug.cgi?id=153565
2400
2401         Reviewed by Mark Lam.
2402
2403         JavaScriptCore now provides a sampling profiler and it is enabled
2404         by all ports. Web Inspector switched months ago to using the
2405         sampling profiler and displaying its data. Remove the legacy
2406         profiler, as it is no longer being used by anything other than
2407         console.profile and tests. We will update console.profile's
2408         behavior soon to have new behavior and use the sampling data.
2409
2410         * API/JSProfilerPrivate.cpp: Removed.
2411         * API/JSProfilerPrivate.h: Removed.
2412         * CMakeLists.txt:
2413         * JavaScriptCore.xcodeproj/project.pbxproj:
2414         * bytecode/BytecodeList.json:
2415         * bytecode/BytecodeUseDef.h:
2416         (JSC::computeUsesForBytecodeOffset): Deleted.
2417         (JSC::computeDefsForBytecodeOffset): Deleted.
2418         * bytecode/CodeBlock.cpp:
2419         (JSC::CodeBlock::dumpBytecode): Deleted.
2420         * bytecode/UnlinkedFunctionExecutable.cpp:
2421         (JSC::generateUnlinkedFunctionCodeBlock):
2422         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2423         * bytecode/UnlinkedFunctionExecutable.h:
2424         * bytecompiler/BytecodeGenerator.cpp:
2425         (JSC::BytecodeGenerator::BytecodeGenerator):
2426         (JSC::BytecodeGenerator::emitCall):
2427         (JSC::BytecodeGenerator::emitCallVarargs):
2428         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2429         (JSC::BytecodeGenerator::emitConstructVarargs):
2430         (JSC::BytecodeGenerator::emitConstruct):
2431         * bytecompiler/BytecodeGenerator.h:
2432         (JSC::CallArguments::profileHookRegister): Deleted.
2433         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
2434         * bytecompiler/NodesCodegen.cpp:
2435         (JSC::CallFunctionCallDotNode::emitBytecode):
2436         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2437         (JSC::CallArguments::CallArguments): Deleted.
2438         * dfg/DFGAbstractInterpreterInlines.h:
2439         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
2440         * dfg/DFGByteCodeParser.cpp:
2441         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
2442         * dfg/DFGCapabilities.cpp:
2443         (JSC::DFG::capabilityLevel): Deleted.
2444         * dfg/DFGClobberize.h:
2445         (JSC::DFG::clobberize): Deleted.
2446         * dfg/DFGDoesGC.cpp:
2447         (JSC::DFG::doesGC): Deleted.
2448         * dfg/DFGFixupPhase.cpp:
2449         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2450         * dfg/DFGNodeType.h:
2451         * dfg/DFGPredictionPropagationPhase.cpp:
2452         * dfg/DFGSafeToExecute.h:
2453         (JSC::DFG::safeToExecute): Deleted.
2454         * dfg/DFGSpeculativeJIT32_64.cpp:
2455         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2456         * dfg/DFGSpeculativeJIT64.cpp:
2457         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2458         * inspector/InjectedScriptBase.cpp:
2459         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2460         * inspector/protocol/Timeline.json:
2461         * interpreter/Interpreter.cpp:
2462         (JSC::UnwindFunctor::operator()): Deleted.
2463         (JSC::Interpreter::execute): Deleted.
2464         (JSC::Interpreter::executeCall): Deleted.
2465         (JSC::Interpreter::executeConstruct): Deleted.
2466         * jit/JIT.cpp:
2467         (JSC::JIT::privateCompileMainPass): Deleted.
2468         * jit/JIT.h:
2469         * jit/JITOpcodes.cpp:
2470         (JSC::JIT::emit_op_profile_will_call): Deleted.
2471         (JSC::JIT::emit_op_profile_did_call): Deleted.
2472         * jit/JITOpcodes32_64.cpp:
2473         (JSC::JIT::emit_op_profile_will_call): Deleted.
2474         (JSC::JIT::emit_op_profile_did_call): Deleted.
2475         * jit/JITOperations.cpp:
2476         * jit/JITOperations.h:
2477         * jsc.cpp:
2478         * llint/LLIntSlowPaths.cpp:
2479         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2480         * llint/LLIntSlowPaths.h:
2481         * llint/LowLevelInterpreter.asm:
2482         * parser/ParserModes.h:
2483         * profiler/CallIdentifier.h: Removed.
2484         * profiler/LegacyProfiler.cpp: Removed.
2485         * profiler/LegacyProfiler.h: Removed.
2486         * profiler/Profile.cpp: Removed.
2487         * profiler/Profile.h: Removed.
2488         * profiler/ProfileGenerator.cpp: Removed.
2489         * profiler/ProfileGenerator.h: Removed.
2490         * profiler/ProfileNode.cpp: Removed.
2491         * profiler/ProfileNode.h: Removed.
2492         * profiler/ProfilerJettisonReason.cpp:
2493         (WTF::printInternal): Deleted.
2494         * profiler/ProfilerJettisonReason.h:
2495         * runtime/CodeCache.cpp:
2496         (JSC::CodeCache::getGlobalCodeBlock):
2497         (JSC::CodeCache::getProgramCodeBlock):
2498         (JSC::CodeCache::getEvalCodeBlock):
2499         (JSC::CodeCache::getModuleProgramCodeBlock):
2500         * runtime/CodeCache.h:
2501         * runtime/Executable.cpp:
2502         (JSC::ScriptExecutable::newCodeBlockFor):
2503         * runtime/JSGlobalObject.cpp:
2504         (JSC::JSGlobalObject::createProgramCodeBlock):
2505         (JSC::JSGlobalObject::createEvalCodeBlock):
2506         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2507         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
2508         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
2509         * runtime/JSGlobalObject.h:
2510         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
2511         * runtime/Options.h:
2512         * runtime/VM.cpp:
2513         (JSC::VM::VM): Deleted.
2514         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
2515         (JSC::VM::setEnabledProfiler): Deleted.
2516         * runtime/VM.h:
2517         (JSC::VM::enabledProfiler): Deleted.
2518         (JSC::VM::enabledProfilerAddress): Deleted.
2519
2520 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
2521
2522         jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
2523         https://bugs.webkit.org/show_bug.cgi?id=157704
2524
2525         Reviewed by Saam Barati.
2526
2527         * jsc.cpp:
2528         (functionStartSamplingProfiler):
2529         (functionSamplingProfilerStackTraces):
2530         Throw an exception instead of crashing if we haven't started sampling.
2531
2532         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2533         (Inspector::InspectorScriptProfilerAgent::startTracking):
2534         * runtime/VM.h:
2535         * runtime/VM.cpp:
2536         (JSC::VM::ensureSamplingProfiler):
2537         Switch ensure to returning a reference, like most other ensures.
2538
2539 2016-05-13  Saam barati  <sbarati@apple.com>
2540
2541         DFG/FTL have a few bugs in their reasoning about the scope
2542         https://bugs.webkit.org/show_bug.cgi?id=157696
2543
2544         Reviewed by Benjamin Poulain.
2545
2546         1. When the debugger is enabled, it is easier for the DFG to reason
2547         about the scope register by simply claiming all nodes read the scope
2548         register. This prevents us from ever entering the runtime where we
2549         may take a stack trace but there isn't a scope on the stack.
2550
2551         2. This patch fixes a bug where the FTL compilation wasn't properly
2552         setting the CodeBlock register. It was only doing this when there
2553         was inline data, but when the debugger is enabled, we never inline.
2554         So this code just needed to be removed from that loop. It was never
2555         right for it to be inside the loop.
2556
2557         * dfg/DFGClobberize.h:
2558         (JSC::DFG::clobberize):
2559         * ftl/FTLCompile.cpp:
2560         (JSC::FTL::compile):
2561
2562 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
2563
2564         [JSC] SetLocal without exit do not need phantoms
2565         https://bugs.webkit.org/show_bug.cgi?id=157653
2566
2567         Reviewed by Filip Pizlo.
2568
2569         I made a mistake in r200498.
2570
2571         If a SetLocal cannot possibly exit, we were not clearing
2572         the source of the operand. As a result, we sometimes kept
2573         a value alive up to the end of the block.
2574
2575         That's uncommon because SetLocals typically appear
2576         toward the end of blocks. That's probably why there was
2577         no perf impact with that fix.
2578
2579         * dfg/DFGPhantomInsertionPhase.cpp:
2580
2581 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
2582
2583         [JSC] Move the CheckTierUp function calls out of the main path
2584         https://bugs.webkit.org/show_bug.cgi?id=157668
2585
2586         Reviewed by Mark Lam.
2587
2588         If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
2589         the size of CheckTierUp is a problem.
2590
2591         On multi-issue CPUs, the node is so big that we do not
2592         get to run anything from the loop in the instruction fetch.
2593
2594         On x86, having a bigger loop also pushes us out of the LSD.
2595
2596         This is a 6% improvement on bits-in-byte. Other Sunspider tests
2597         only improve marginally.
2598
2599         * dfg/DFGSpeculativeJIT.cpp:
2600         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
2601         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2602         * dfg/DFGSpeculativeJIT.h:
2603         (JSC::DFG::SpeculativeJIT::silentSpill):
2604         (JSC::DFG::SpeculativeJIT::silentFill):
2605         * dfg/DFGSpeculativeJIT64.cpp:
2606         (JSC::DFG::SpeculativeJIT::compile):
2607
2608 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
2609
2610         [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
2611         https://bugs.webkit.org/show_bug.cgi?id=157671
2612
2613         Reviewed by Mark Lam.
2614
2615         This improves the chances of having a value
2616         when issuing the TEST.
2617
2618         * jit/JITPropertyAccess.cpp:
2619         (JSC::JIT::emitLoadWithStructureCheck):
2620
2621 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
2622
2623         Web Inspector: Inform augmenting client when inspector controller is destroyed
2624         https://bugs.webkit.org/show_bug.cgi?id=157688
2625         <rdar://problem/25832724>
2626
2627         Reviewed by Timothy Hatcher.
2628
2629         * inspector/JSGlobalObjectInspectorController.cpp:
2630         (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
2631         * inspector/augmentable/AugmentableInspectorControllerClient.h:
2632         There is a weak relationship between the InspectorController and the
2633         AugmentingClient. Let the augmenting client know when the controller
2634         is destroyed so it doesn't try to use us anymore.
2635
2636 2016-05-13  Geoffrey Garen  <ggaren@apple.com>
2637
2638         Runaway malloc memory usage in this simple JSC program
2639         https://bugs.webkit.org/show_bug.cgi?id=157682
2640
2641         Reviewed by Mark Lam.
2642
2643         * heap/WeakSet.cpp:
2644         (JSC::WeakSet::sweep): Whenever we might add a block to
2645         m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
2646         m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
2647         even when all memory is freed.
2648
2649         We do this whenever we *might* add a block and not just whenever we *do*
2650         add a block because we'd like to sweep the entries in
2651         m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
2652         is a reasonably rate-limited opportunity to do so.
2653
2654 2016-05-13  Mark Lam  <mark.lam@apple.com>
2655
2656         We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
2657         https://bugs.webkit.org/show_bug.cgi?id=157537
2658         <rdar://problem/24794845>
2659
2660         Reviewed by Michael Saboff.
2661
2662         The pre-existing code behaves this way:
2663
2664         1. When JS code throws an exception, it saves callee save registers in
2665            the VM calleeSaveRegistersBuffer.  These values are meant to be restored
2666            to the callee save registers later either at the catch handler or at the
2667            uncaught exception handler.
2668
2669         2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
2670            the exception.  That C++ code can change the values of the callee save
2671            registers.
2672
2673            The inspector code in turn re-enters the VM to execute JS inspector code.
2674
2675            The JS inspector code can run hot enough that we do an enterOptimizationCheck
2676            on it.  The enterOptimizationCheck first saves all callee save registers
2677            into the VM calleeSaveRegistersBuffer.
2678
2679            This effectively overwrites the values in the VM calleeSaveRegistersBuffer
2680            from (1).
2681
2682         3. Eventually, execution returns to the catch handler or the uncaught exception
2683            handler which restores the overwritten values in the VM
2684            calleeSaveRegistersBuffer to the callee save registers.
2685
2686            When execution returns to the C++ code that entered the VM before (1), the
2687            values in the callee registers are not what that code expects, and badness
2688            and/or crashes ensue.
2689
2690         This patch applies the following fix:
2691         
2692         1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
2693            This ensures that each VM entry session has its own buffer to use, and will
2694            not corrupt the one from the previous VM entry session.
2695
2696            Delete the VM calleeSaveRegistersBuffer.
2697
2698         2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
2699            calleeSaveRegistersBuffer in the current VMEntryFrame.
2700
2701         3. Rename all uses of the term "VMCalleeSavesBuffer" to
2702            "VMEntryFrameCalleeSavesBuffer".
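
        The aliasing described in steps (1)-(3) above, as an added example that is not
        JavaScriptCore code: OneBufferVM, PerEntryFrameVM, EntryFrame and the register
        values are constructed stand-ins for the VM, the VMEntryFrame and the callee-save
        register set. The first scenario snapshots both sessions into one shared buffer;
        the second gives each entry session its own buffer, so the outer catch handler
        restores the values the outer C++ caller actually had.

```cpp
// Added example (not JavaScriptCore code): models the buffer aliasing described in this
// ChangeLog entry. A single per-VM buffer is overwritten by a nested VM entry session;
// a buffer per entry frame keeps each session's snapshot separate.
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

using CalleeSaves = std::array<uint64_t, 4>;  // constructed stand-in for the callee-save registers

// Constructed values: what the outer C++ caller left in the callee-save registers before
// entering the VM, and what the inspector's C++ code leaves in them later.
const CalleeSaves kOuterCallerRegs{0x11, 0x22, 0x33, 0x44};
const CalleeSaves kInspectorRegs{0xAA, 0xBB, 0xCC, 0xDD};

// Pre-patch shape: the VM owns exactly one buffer.
struct OneBufferVM {
    CalleeSaves calleeSaveRegistersBuffer{};
};

// Post-patch shape: every entry session pushes an entry frame that carries its own buffer.
struct EntryFrame {
    CalleeSaves calleeSaveRegistersBuffer{};
};
struct PerEntryFrameVM {
    std::vector<EntryFrame> entryFrames;  // innermost (current) session is back()
};

// Steps (1)-(3) from the description, run against the single shared buffer.
CalleeSaves withOneBufferPerVM() {
    OneBufferVM vm;
    CalleeSaves regs = kOuterCallerRegs;   // registers as the outer caller left them
    vm.calleeSaveRegistersBuffer = regs;   // (1) throw: snapshot for the outer catch handler
    regs = kInspectorRegs;                 // (2) inspector C++ changes the callee saves...
    vm.calleeSaveRegistersBuffer = regs;   //     ...and nested JS hits enterOptimizationCheck,
                                           //     which snapshots into the same buffer
    regs = vm.calleeSaveRegistersBuffer;   // (3) outer catch handler restores
    return regs;                           // the outer caller now sees the inspector's values
}

// The same steps with one buffer per VM entry frame.
CalleeSaves withOneBufferPerEntryFrame() {
    PerEntryFrameVM vm;
    CalleeSaves regs = kOuterCallerRegs;
    vm.entryFrames.emplace_back();                              // outer entry session
    vm.entryFrames.back().calleeSaveRegistersBuffer = regs;     // (1) throw: snapshot in the outer frame
    regs = kInspectorRegs;                                      // (2) inspector C++ changes the callee saves
    vm.entryFrames.emplace_back();                              //     nested entry session, own buffer
    vm.entryFrames.back().calleeSaveRegistersBuffer = regs;     //     enterOptimizationCheck snapshot
    vm.entryFrames.pop_back();                                  //     nested session returns
    regs = vm.entryFrames.back().calleeSaveRegistersBuffer;     // (3) outer catch handler restores its own
    return regs;                                                // the outer caller's values, intact
}

// True when the values handed back to the outer C++ caller differ from what it saved.
bool outerCallerRegistersCorrupted(const CalleeSaves& restored) {
    return restored != kOuterCallerRegs;
}

int main() {
    std::printf("one buffer per VM: %s\n",
        outerCallerRegistersCorrupted(withOneBufferPerVM()) ? "corrupted" : "intact");
    std::printf("one buffer per entry frame: %s\n",
        outerCallerRegistersCorrupted(withOneBufferPerEntryFrame()) ? "corrupted" : "intact");
    return 0;
}
```

        The model leaves out the real register spill and restore code; what it keeps is
        the ownership question, which is the whole fix: a snapshot must live with the
        entry session that will restore it, not with the VM shared by every session.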
2703
2704         This fix has been tested on the following configurations:
2705         1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
2706         2. JSC tests on a release ASan build for 32-bit x86.
2707         3. JSC tests on a release normal (non-ASan) build for ARM64.
2708         4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
2709         5. JSC tests on a release ASan CLOOP build for x86_64.
2710
2711         These test runs did not produce any new crashes.  The ASan CLOOP has some
2712         pre-existing crashes which are not due to this patch.
2713
2714         This bug can be tested by running the inspector/debugger/regress-133182.html test
2715         on an ASan build.
2716
2717         * bytecode/PolymorphicAccess.cpp:
2718         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2719         * dfg/DFGJITCompiler.cpp:
2720         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2721         * dfg/DFGOSREntry.cpp:
2722         (JSC::DFG::prepareOSREntry):
2723         * dfg/DFGOSRExitCompiler.cpp:
2724         * dfg/DFGOSRExitCompiler32_64.cpp:
2725         (JSC::DFG::OSRExitCompiler::compileExit):
2726         * dfg/DFGOSRExitCompiler64.cpp:
2727         (JSC::DFG::OSRExitCompiler::compileExit):
2728         * dfg/DFGThunks.cpp:
2729         (JSC::DFG::osrEntryThunkGenerator):
2730         * ftl/FTLCompile.cpp:
2731         (JSC::FTL::compile):
2732         * ftl/FTLLowerDFGToB3.cpp:
2733         (JSC::FTL::DFG::LowerDFGToB3::lower):
2734         * ftl/FTLOSRExitCompiler.cpp:
2735         (JSC::FTL::compileStub):
2736         * interpreter/Interpreter.cpp:
2737         (JSC::UnwindFunctor::operator()):
2738         (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2739         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2740         * interpreter/Interpreter.h:
2741         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2742         * interpreter/VMEntryRecord.h:
2743         (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
2744         (JSC::VMEntryRecord::prevTopCallFrame):
2745         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2746         (JSC::VMEntryFrame::vmEntryRecordOffset):
2747         (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
2748         * jit/AssemblyHelpers.cpp:
2749         (JSC::AssemblyHelpers::emitRandomThunk):
2750         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2751         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2752         * jit/AssemblyHelpers.h:
2753         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
2754         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2755         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
2756         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2757         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
2758         * jit/JIT.cpp:
2759         (JSC::JIT::emitEnterOptimizationCheck):
2760         (JSC::JIT::privateCompileExceptionHandlers):
2761         * jit/JITOpcodes.cpp:
2762         (JSC::JIT::emit_op_throw):
2763         (JSC::JIT::emit_op_catch):
2764         (JSC::JIT::emitSlow_op_loop_hint):
2765         * jit/JITOpcodes32_64.cpp:
2766         (JSC::JIT::emit_op_throw):
2767         (JSC::JIT::emit_op_catch):
2768         * jit/ThunkGenerators.cpp:
2769         (JSC::throwExceptionFromCallSlowPathGenerator):
2770         (JSC::nativeForGenerator):
2771         * llint/LLIntThunks.cpp:
2772         (JSC::vmEntryRecord):
2773         * llint/LowLevelInterpreter.asm:
2774         * llint/LowLevelInterpreter32_64.asm:
2775         * llint/LowLevelInterpreter64.asm:
2776         * runtime/VM.h:
2777         (JSC::VM::getCTIStub):
2778         (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
2779         * wasm/WASMFunctionCompiler.h:
2780         (JSC::WASMFunctionCompiler::endFunction):
2781
2782 2016-05-13  Beth Dakin  <bdakin@apple.com>
2783
2784         Add dyldSPI.h for linked on or after checks, and add one for link preview
2785         https://bugs.webkit.org/show_bug.cgi?id=157401
2786         -and corresponding-
2787         rdar://problem/26253396
2788
2789         Reviewed by Darin Adler.
2790
2791         Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the 
2792         needed dyld code.
2793         * API/JSWrapperMap.mm:
2794
2795 2016-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2796
2797         Assertion failure for direct eval in non-class method
2798         https://bugs.webkit.org/show_bug.cgi?id=157138
2799
2800         Reviewed by Saam Barati.
2801
2802         This assertion was incorrect. In method definitions in object literals,
2803         it can be sloppy mode, but its DerivedContextType may not be DerivedContextType::None.
2804
2805         * bytecode/EvalCodeCache.h:
2806         (JSC::EvalCodeCache::CacheKey::CacheKey):
2807         (JSC::EvalCodeCache::CacheKey::operator==):
2808         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2809         (JSC::EvalCodeCache::tryGet):
2810         (JSC::EvalCodeCache::getSlow):
2811         * interpreter/Interpreter.cpp:
2812         (JSC::eval):
2813         * tests/stress/direct-eval-in-object-literal-methods.js: Added.
2814         (shouldBe):
2815         (throw.new.Error):
2816         (shouldBe.Parent.prototype.l):
2817         (shouldBe.Parent):
2818         (shouldBe.Derived.prototype.m):
2819         (shouldBe.Derived):
2820
2821 2016-05-13  Skachkov Oleksandr  <gskachkov@gmail.com>
2822
2823         Assertion failure for super() call in arrow function default parameters
2824         https://bugs.webkit.org/show_bug.cgi?id=157079
2825
2826         Reviewed by Saam Barati.
2827
2828         The root of the issue is that in arrow functions we load the bound variables this/super/new.target just after
2829         the input parameters were initialized, and did not cover the case of default values for
2830         function parameters.
2831         The current patch tries to fix the issue and allows loading the bound variables earlier, before the input
2832         parameters are assigned their default values.
2833
2834         * bytecompiler/BytecodeGenerator.cpp:
2835         (JSC::BytecodeGenerator::BytecodeGenerator):
2836         * tests/stress/arrowfunction-lexical-bind-this-2.js:
2837
2838 2016-05-12  Mark Lam  <mark.lam@apple.com>
2839
2840         Baseline and DFG's JSC_report...CompileTimes needs CodeBlock hashes.
2841         https://bugs.webkit.org/show_bug.cgi?id=157643
2842
2843         Reviewed by Keith Miller.
2844
2845         * runtime/Options.cpp:
2846         (JSC::recomputeDependentOptions):
2847
2848 2016-05-12  Csaba Osztrogonác  <ossy@webkit.org>
2849
2850         Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
2851         https://bugs.webkit.org/show_bug.cgi?id=157564
2852
2853         Reviewed by Darin Adler.
2854
2855         * Configurations/FeatureDefines.xcconfig:
2856         * parser/Parser.cpp:
2857
2858 2016-05-12  Joseph Pecoraro  <pecoraro@apple.com>
2859
2860         Web Inspector: CRASH getting internal properties of function with no bound arguments causes
2861         https://bugs.webkit.org/show_bug.cgi?id=157613
2862         <rdar://problem/26238754>
2863
2864         Reviewed by Timothy Hatcher.
2865
2866         * inspector/JSInjectedScriptHost.cpp:
2867         (Inspector::JSInjectedScriptHost::getInternalProperties):
2868         Gracefully handle a JSBoundFunction with no bound arguments.
2869         In this case boundArgs is JSValue() which we don't want to
2870         expose as the value of the internal property.
2871
2872 2016-05-11  Benjamin Poulain  <bpoulain@apple.com>
2873
2874         [JSC] Make sure StringRange is passed to Vector by register
2875         https://bugs.webkit.org/show_bug.cgi?id=157603
2876
2877         Reviewed by Darin Adler.
2878
2879         This is bizarre, but on my SDK, Vector::append(StringRange)
2880         is passing the values on the stack.
2881         The two integers are written to the stack, the address given
2882         to append(), then append() reads it back and stores it.
2883
2884         This patch changes the code to use constructAndAppend(), ensuring
2885         the values are used directly.
2886
2887         On my machine, this helps Sunspider and Octane.
2888         This might be something wrong with my SDK but the fix is so easy
2889         that we might as well do this.
2890
2891         * runtime/StringPrototype.cpp:
2892         (JSC::removeUsingRegExpSearch):
2893         (JSC::replaceUsingRegExpSearch):
2894
2895 2016-05-11  Zan Dobersek  <zdobersek@igalia.com>
2896
2897         ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC
2898         https://bugs.webkit.org/show_bug.cgi?id=157576
2899
2900         Reviewed by Csaba Osztrogonác.
2901
2902         * assembler/ARMv7Assembler.h:
2903         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): Explicitly cast the
2904         `OP_CMP_reg_T2 | left` value to uint16_t, avoiding a narrowing conversion
2905         warning that's being reported when compiling with GCC. The warning is sprung
2906         due to RegisterID (which is the type of `left`) being an enum based on int,
2907         even when the enum itself only declares 23 values.
2908
2909 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2910
2911         Web Inspector: `this` in Scope Chain Sidebar does not have preview, looks poor
2912         https://bugs.webkit.org/show_bug.cgi?id=157602
2913
2914         Reviewed by Timothy Hatcher.
2915
2916         * inspector/InjectedScriptSource.js:
2917         (InjectedScript.CallFrameProxy):
2918         Include a preview when creating the RemoteObject for `this`.
2919
2920 2016-05-11  Keith Miller  <keith_miller@apple.com>
2921
2922         Unreviewed, correct the title of the ChangeLog for r200667.
2923
2924 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2925
2926         JSC test stress/reflect-set.js failing after 200694
2927         https://bugs.webkit.org/show_bug.cgi?id=157586
2928
2929         Unreviewed test rebaseline.
2930
2931         * tests/stress/reflect-set.js:
2932         Update the expected error message. We are in strict mode, so the
2933         improved error message makes sense.
2934
2935 2016-05-11  Filip Pizlo  <fpizlo@apple.com>
2936
2937         Beef up JSC profiler event log
2938         https://bugs.webkit.org/show_bug.cgi?id=157584
2939
2940         Reviewed by Saam Barati.
2941         
2942         Also log more about compilation.
2943
2944         * bytecode/ExecutionCounter.cpp: Changed the meaning of codeBlock to be the codeBlock that is doing the profiling. This will now get the baseline version if it needs it. This is needed for logging the threshold checking event.
2945         (JSC::applyMemoryUsageHeuristics):
2946         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2947         * dfg/DFGJITCode.cpp: Pass the right codeBlock.
2948         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
2949         (JSC::DFG::JITCode::optimizeNextInvocation):
2950         (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
2951         (JSC::DFG::JITCode::optimizeSoon):
2952         (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
2953         * dfg/DFGPlan.cpp: Log things about compile times and whether the compiler succeeded or failed.
2954         (JSC::DFG::Plan::computeCompileTimes):
2955         (JSC::DFG::Plan::reportCompileTimes):
2956         (JSC::DFG::Plan::compileInThread):
2957         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2958         * jit/ExecutableAllocatorFixedVMPool.cpp: Make it possible to look at memory usage, though separately from the log, for now.
2959         (JSC::ExecutableAllocator::allocate):
2960         * runtime/Options.h:
2961
2962 2016-05-11  Saam barati  <sbarati@apple.com>
2963
2964         Air may decide to put the result register of an arithmetic snippet in the tag register
2965         https://bugs.webkit.org/show_bug.cgi?id=157548
2966
2967         Reviewed by Filip Pizlo.
2968
2969         This patch adds a new ValueRep to B3 called LateRegister. The semantics
2970         are similar to Register in that it can be used to pin an argument to
2971         a particular register. It differs from ValueRep::Register in that the semantics of
2972         LateRegister are that it is used after the result of the node it's an argument to
2973         is computed. This means that a LateRegister argument will interfere with the result
2974         of a node. LateRegister is not a valid result ValueRep.
2975
2976         This was needed because there was a bug where B3/Air would assign the
2977         result of a patchpoint to the TagTypeNumber register. This broke our
2978         code when we would box a double into a JSValue in a snippet when the
2979         result is the same as the TagTypeNumber register. To fix the issue,
2980         we pass TagMaskRegister and TagTypeNumberRegister as ValueRep::LateRegister
2981         arguments to various patchpoints.
2982
2983         * b3/B3LowerToAir.cpp:
2984         (JSC::B3::Air::LowerToAir::fillStackmap):
2985         * b3/B3PatchpointSpecial.cpp:
2986         (JSC::B3::PatchpointSpecial::admitsStack):
2987         * b3/B3StackmapSpecial.cpp:
2988         (JSC::B3::StackmapSpecial::forEachArgImpl):
2989         (JSC::B3::StackmapSpecial::isArgValidForRep):
2990         * b3/B3Validate.cpp:
2991         * b3/B3ValueRep.cpp:
2992         (JSC::B3::ValueRep::addUsedRegistersTo):
2993         (JSC::B3::ValueRep::dump):
2994         (JSC::B3::ValueRep::emitRestore):
2995         (JSC::B3::ValueRep::recoveryForJSValue):
2996         (WTF::printInternal):
2997         * b3/B3ValueRep.h:
2998         (JSC::B3::ValueRep::reg):
2999         (JSC::B3::ValueRep::lateReg):
3000         (JSC::B3::ValueRep::stack):
3001         (JSC::B3::ValueRep::operator==):
3002         (JSC::B3::ValueRep::isSomeRegister):
3003         (JSC::B3::ValueRep::isReg):
3004         * b3/testb3.cpp:
3005         (JSC::B3::testSpillUseLargerThanDef):
3006         (JSC::B3::testLateRegister):
3007         (JSC::B3::zero):
3008         (JSC::B3::run):
3009         * ftl/FTLLowerDFGToB3.cpp:
3010         (JSC::FTL::DFG::LowerDFGToB3::lower):
3011         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3012         (JSC::FTL::DFG::LowerDFGToB3::getById):
3013         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
3014         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
3015         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
3016
3017 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
3018
3019         Improve error messages for accessing arguments.callee and similar getters in strict mode
3020         https://bugs.webkit.org/show_bug.cgi?id=157545
3021
3022         Reviewed by Mark Lam.
3023
3024         * runtime/ClonedArguments.cpp:
3025         (JSC::ClonedArguments::getOwnPropertySlot):
3026         (JSC::ClonedArguments::materializeSpecials):
3027         Provide better error GetterSetter in strict mode.
3028
3029         * runtime/JSFunction.cpp:
3030         (JSC::getThrowTypeErrorGetterSetter):
3031         (JSC::JSFunction::defineOwnProperty):
3032         Provide better error GetterSetter in strict mode.
3033
3034         * runtime/JSGlobalObject.cpp:
3035         (JSC::JSGlobalObject::init):
3036         (JSC::JSGlobalObject::visitChildren):
3037         * runtime/JSGlobalObject.h:
3038         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
3039         (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter):
3040         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter):
3041         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter):
3042         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter): Deleted.
3043         * runtime/JSGlobalObjectFunctions.cpp:
3044         (JSC::globalFuncThrowTypeErrorCalleeAndCaller):
3045         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode):
3046         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext):
3047         (JSC::globalFuncThrowTypeErrorArgumentsAndCaller): Deleted.
3048         * runtime/JSGlobalObjectFunctions.h:
3049         Rename and expose new handles for new error getter setter native functions.
3050
3051 2016-05-11  Commit Queue  <commit-queue@webkit.org>
3052
3053         Unreviewed, rolling out r200481.
3054         https://bugs.webkit.org/show_bug.cgi?id=157573
3055
3056         it's bad news for asm.js (Requested by pizlo on #webkit).
3057
3058         Reverted changeset:
3059
3060         "Reduce maximum JIT pool size on X86_64."
3061         http://trac.webkit.org/changeset/200481
3062
3063 2016-05-10  Keith Miller  <keith_miller@apple.com>
3064
3065         TypedArray.prototype.slice should not use the byteLength of the passed array for memmove
3066         https://bugs.webkit.org/show_bug.cgi?id=157551
3067         <rdar://problem/26179914>
3068
3069         Reviewed by Michael Saboff.
3070
3071         The TypedArray.prototype.slice function would use the byteLength of the passed array
3072         to determine the amount of data to copy. It should have been using the passed length
3073         times the size of each element. This fixes a crash on JavaPoly.com.
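
        The sizing mistake above, as an added example that is not JavaScriptCore code:
        TypedView, setElements and slice are constructed stand-ins for a typed array
        view and its set/slice operations, not JSGenericTypedArrayView's API. The copy
        is sized from the requested element count times the element size, and the
        bounds check shows why the pre-fix count (the source's whole byteLength) must
        be rejected rather than handed to memmove.

```cpp
// Added example (not JavaScriptCore code): a minimal typed array view whose copies are
// sized from the requested element count, with a bounds check that refuses any copy
// larger than either side of the transfer.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <initializer_list>
#include <vector>

struct TypedView {
    std::vector<uint8_t> bytes;  // backing storage (conceptually a window on an ArrayBuffer)
    size_t elementSize = 1;      // 4 for an Int32Array, 8 for a Float64Array, ...
    size_t length() const { return bytes.size() / elementSize; }
    size_t byteLength() const { return bytes.size(); }
};

// Constructed Int32 view from a list of values.
TypedView makeInt32View(std::initializer_list<int32_t> values) {
    TypedView v;
    v.elementSize = sizeof(int32_t);
    v.bytes.resize(values.size() * sizeof(int32_t));
    size_t i = 0;
    for (int32_t x : values) {
        std::memcpy(&v.bytes[i * sizeof(int32_t)], &x, sizeof x);
        ++i;
    }
    return v;
}

int32_t int32At(const TypedView& v, size_t index) {
    int32_t x;
    std::memcpy(&x, &v.bytes[index * sizeof(int32_t)], sizeof x);
    return x;
}

// Pre-fix sizing described in this entry: the copy length came from the source's byteLength.
size_t preFixCopyBytes(const TypedView& src) { return src.byteLength(); }

// Post-fix sizing: requested element count times the element size.
size_t copyBytesFor(const TypedView& dst, size_t count) { return count * dst.elementSize; }

// Copy `count` elements from src[srcOffset..] into dst[0..]. Refuses any copy that would
// read or write past either view instead of trusting the caller's arithmetic.
bool setElements(TypedView& dst, const TypedView& src, size_t srcOffset, size_t count) {
    if (src.elementSize != dst.elementSize) return false;
    size_t n = copyBytesFor(dst, count);
    size_t srcStart = srcOffset * src.elementSize;
    if (n > dst.byteLength()) return false;
    if (srcStart > src.byteLength() || n > src.byteLength() - srcStart) return false;
    if (n == 0) return true;  // nothing to move; avoids memmove on an empty vector's data()
    std::memmove(dst.bytes.data(), src.bytes.data() + srcStart, n);
    return true;
}

// slice(begin, end): the result has end - begin elements and the copy is sized from that
// count. Out-of-range requests clamp to an empty result.
TypedView slice(const TypedView& src, size_t begin, size_t end) {
    TypedView out;
    out.elementSize = src.elementSize;
    size_t count = (end > begin && end <= src.length()) ? end - begin : 0;
    out.bytes.resize(count * src.elementSize);
    setElements(out, src, begin, count);
    return out;
}

// Would the pre-fix byte count have run past the result buffer for this slice?
bool preFixWouldOverrun(const TypedView& src, size_t begin, size_t end) {
    TypedView out = slice(src, begin, end);
    return preFixCopyBytes(src) > out.byteLength();
}

int main() {
    TypedView src = makeInt32View({1, 2, 3, 4, 5, 6, 7, 8});
    TypedView part = slice(src, 2, 4);
    std::printf("slice(2,4) has %zu elements: %d %d\n", part.length(), int32At(part, 0), int32At(part, 1));
    std::printf("pre-fix would copy %zu bytes into %zu: %s\n", preFixCopyBytes(src), part.byteLength(),
        preFixWouldOverrun(src, 2, 4) ? "overrun" : "ok");
    return 0;
}
```

        The check in setElements is the practitioner's takeaway: a copy routine that
        derives its byte count from the caller and also validates it against both
        buffers turns a sizing bug into a refused operation instead of a heap overrun.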
3074
3075         * runtime/JSGenericTypedArrayViewInlines.h:
3076         (JSC::JSGenericTypedArrayView<Adaptor>::set):
3077         * tests/stress/typedarray-slice.js:
3078
3079 2016-05-10  Michael Saboff  <msaboff@apple.com>
3080
3081         REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher
3082         https://bugs.webkit.org/show_bug.cgi?id=157549
3083
3084         Reviewed by Keith Miller.
3085
3086         Disable debug annotations for C_LOOP builds.  They are inline assembly directives,
3087         unnecessary and they cause syntax errors.
3088
3089         * offlineasm/asm.rb:
3090
3091 2016-05-10  Filip Pizlo  <fpizlo@apple.com>
3092
3093         Internal JSC profiler should have a timestamped log of events for each code block
3094         https://bugs.webkit.org/show_bug.cgi?id=157538
3095
3096         Reviewed by Benjamin Poulain.
3097         
3098         For example, in 3d-cube, I can query the events for MMulti and I get:
3099
3100         1462917476.17083  MMulti#DTZ7qc                          installCode        
3101         1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
3102         1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
3103         1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
3104         1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode        
3105         1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
3106         1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
3107         1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
3108         1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
3109         1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
3110         1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
3111         1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      installCode        
3112         1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      osrEntry           at bc#49
3113         1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      jettison           due to OSRExit, counting = true, detail = (null)
3114         1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#77: BadCache/FromDFG
3115         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#94: BadCache/FromDFG
3116         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
3117         1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
3118         1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
3119         1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
3120         1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
3121         1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
3122         1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
3123         1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      installCode        
3124         1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      osrEntry           at bc#0
3125         
3126         The output is ugly but useful. We can make it less ugly later.
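
        A parser for the event log format shown above, as an added example that is not
        JavaScriptCore code: ProfilerEvent, parseProfilerEvent and the two queries are
        constructed here, and the sample lines embedded in kSampleLog are copied from
        this entry. The optional compilation column is recognised by its prefix (the
        code block's name followed by "-"), which is an assumption about the format
        taken from the sample rather than from the profiler's source.

```cpp
// Added example (not JavaScriptCore code): parse the profiler event log lines shown in this
// entry into records, then count events by kind and list jettisoned compilations.
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct ProfilerEvent {
    double time = 0;           // column 1, seconds since the epoch as printed
    std::string codeBlock;     // column 2, e.g. MMulti#DTZ7qc
    std::string compilation;   // optional column, e.g. MMulti#DTZ7qc-1-Baseline
    std::string summary;       // event kind, e.g. installCode, osrEntry, jettison
    std::string detail;        // free text after the summary; may be empty
};

// Parse one line. Columns are whitespace separated; the compilation column is optional and
// (assumption from the sample) starts with the code block's name followed by "-".
bool parseProfilerEvent(const std::string& line, ProfilerEvent& out) {
    std::istringstream in(line);
    std::string timeText, third;
    if (!(in >> timeText >> out.codeBlock >> third)) return false;
    try { out.time = std::stod(timeText); } catch (...) { return false; }
    std::string compilationPrefix = out.codeBlock + "-";
    if (third.compare(0, compilationPrefix.size(), compilationPrefix) == 0) {
        out.compilation = third;
        if (!(in >> out.summary)) return false;
    } else {
        out.compilation.clear();
        out.summary = third;
    }
    std::string rest;
    std::getline(in, rest);
    size_t first = rest.find_first_not_of(" \t");
    size_t last = rest.find_last_not_of(" \t\r");
    out.detail = (first == std::string::npos) ? std::string() : rest.substr(first, last - first + 1);
    return true;
}

std::vector<ProfilerEvent> parseProfilerLog(const std::string& text) {
    std::vector<ProfilerEvent> events;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        ProfilerEvent e;
        if (parseProfilerEvent(line, e)) events.push_back(e);  // blank lines are skipped
    }
    return events;
}

std::map<std::string, int> countBySummary(const std::vector<ProfilerEvent>& events) {
    std::map<std::string, int> counts;
    for (const auto& e : events) ++counts[e.summary];
    return counts;
}

// Compilations that were thrown away, paired with the reason recorded in the detail column.
std::vector<std::pair<std::string, std::string>> jettisonedCompilations(const std::vector<ProfilerEvent>& events) {
    std::vector<std::pair<std::string, std::string>> out;
    for (const auto& e : events)
        if (e.summary == "jettison") out.emplace_back(e.compilation, e.detail);
    return out;
}

// Sample lines copied from this ChangeLog entry.
const char* const kSampleLog = R"(
1462917476.17083  MMulti#DTZ7qc                          installCode
1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode
1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
)";

int main() {
    std::vector<ProfilerEvent> events = parseProfilerLog(kSampleLog);
    for (const auto& kv : countBySummary(events))
        std::printf("%-20s %d\n", kv.first.c_str(), kv.second);
    for (const auto& j : jettisonedCompilations(events))
        std::printf("jettisoned %s: %s\n", j.first.c_str(), j.second.c_str());
    return 0;
}
```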
3127
3128         * CMakeLists.txt:
3129         * JavaScriptCore.xcodeproj/project.pbxproj:
3130         * bytecode/CodeBlock.cpp:
3131         (JSC::CodeBlock::jettison):
3132         * bytecode/CodeBlock.h:
3133         (JSC::ScriptExecutable::forEachCodeBlock):
3134         * bytecode/DFGExitProfile.cpp:
3135         (JSC::DFG::ExitProfile::add):
3136         * dfg/DFGJITFinalizer.cpp:
3137         (JSC::DFG::JITFinalizer::finalizeCommon):
3138         * dfg/DFGOperations.cpp:
3139         * ftl/FTLJITFinalizer.cpp:
3140         (JSC::FTL::JITFinalizer::finalizeFunction):
3141         * jit/JIT.cpp:
3142         (JSC::JIT::privateCompile):
3143         * jit/JITOperations.cpp:
3144         * llint/LLIntSlowPaths.cpp:
3145         (JSC::LLInt::jitCompileAndSetHeuristics):
3146         (JSC::LLInt::entryOSR):
3147         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3148         * profiler/ProfilerCompilation.cpp:
3149         (JSC::Profiler::Compilation::Compilation):
3150         (JSC::Profiler::Compilation::setJettisonReason):
3151         (JSC::Profiler::Compilation::dump):
3152         (JSC::Profiler::Compilation::toJS):
3153         * profiler/ProfilerCompilation.h:
3154         (JSC::Profiler::Compilation::uid):
3155         * profiler/ProfilerDatabase.cpp:
3156         (JSC::Profiler::Database::ensureBytecodesFor):
3157         (JSC::Profiler::Database::notifyDestruction):
3158         (JSC::Profiler::Database::addCompilation):
3159         (JSC::Profiler::Database::toJS):
3160         (JSC::Profiler::Database::registerToSaveAtExit):
3161         (JSC::Profiler::Database::logEvent):
3162         (JSC::Profiler::Database::addDatabaseToAtExit):
3163         * profiler/ProfilerDatabase.h:
3164         * profiler/ProfilerEvent.cpp: Added.
3165         (JSC::Profiler::Event::dump):
3166         (JSC::Profiler::Event::toJS):
3167         * profiler/ProfilerEvent.h: Added.
3168         (JSC::Profiler::Event::Event):
3169         (JSC::Profiler::Event::operator bool):
3170         (JSC::Profiler::Event::time):
3171         (JSC::Profiler::Event::bytecodes):
3172         (JSC::Profiler::Event::compilation):
3173         (JSC::Profiler::Event::summary):
3174         (JSC::Profiler::Event::detail):
3175         * profiler/ProfilerUID.cpp: Added.
3176         (JSC::Profiler::UID::create):
3177         (JSC::Profiler::UID::dump):
3178         (JSC::Profiler::UID::toJS):
3179         * profiler/ProfilerUID.h: Added.
3180         (JSC::Profiler::UID::UID):
3181         (JSC::Profiler::UID::fromInt):
3182         (JSC::Profiler::UID::toInt):
3183         (JSC::Profiler::UID::operator==):
3184         (JSC::Profiler::UID::operator!=):
3185         (JSC::Profiler::UID::operator bool):
3186         (JSC::Profiler::UID::isHashTableDeletedValue):
3187         (JSC::Profiler::UID::hash):
3188         (JSC::Profiler::UIDHash::hash):
3189         (JSC::Profiler::UIDHash::equal):
3190         * runtime/CommonIdentifiers.h:
3191         * runtime/Executable.cpp:
3192         (JSC::ScriptExecutable::installCode):
3193         * runtime/VM.h:
3194         (JSC::VM::bytecodeIntrinsicRegistry):
3195         (JSC::VM::shadowChicken):
3196         * runtime/VMInlines.h:
3197         (JSC::VM::shouldTriggerTermination):
3198         (JSC::VM::logEvent):
3199
3200 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
3201
3202         Web Inspector: Backend should initiate timeline recordings on page navigations to ensure nothing is missed
3203         https://bugs.webkit.org/show_bug.cgi?id=157504
3204         <rdar://problem/26188642>
3205
3206         Reviewed by Brian Burg.
3207
3208         * inspector/protocol/Timeline.json:
3209         Add protocol commands to enable/disable auto capture and list the
3210         instruments that should be enabled when auto capture starts.
3211         Add protocol event for when the backend starts an auto capture.
3212
3213 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
3214
3215         Make the different evaluateWithScopeExtension implementations more consistent
3216         https://bugs.webkit.org/show_bug.cgi?id=157536
3217
3218         Reviewed by Timothy Hatcher.
3219
3220         * inspector/JSInjectedScriptHost.cpp:
3221         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3222         Throw the exception consistent with JSJavaScriptCallFrame.
3223
3224         * inspector/JSJavaScriptCallFrame.cpp:
3225         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3226         Better error message consistent with InjectedScriptHost.
3227
3228         * runtime/Completion.h:
3229         * runtime/Completion.cpp:
3230         (JSC::evaluateWithScopeExtension):
3231         Give this an Exception out parameter like other evaluations
3232         so the caller can decide what to do with it.
3233
3234 2016-05-10  Benjamin Poulain  <bpoulain@apple.com>
3235
3236         [JSC] FTL can produce GetByVal nodes without proper bounds checking
3237         https://bugs.webkit.org/show_bug.cgi?id=157502
3238         rdar://problem/26027027
3239
3240         Reviewed by Filip Pizlo.
3241
3242         It was possible for FTL to generate GetByVal on arbitrary offsets
3243         without any bounds checking.
3244
3245         The bug is caused by the order of optimization phases:
3246         -First, the Integer Range Optimization proves that a CheckInBounds
3247          test can never fail.
3248          This proof is based on control flow or preceding instructions
3249          inside a loop.
3250         -The Loop Invariant Code Motion phase finds that the GetByVal does not
3251          depend on anything in the loop and hoists it out of the loop.
3252         -> As a result, the conditions that were necessary to eliminate
3253            the CheckInBounds are no longer met before the GetByVal.
3254
3255         This patch just moves the Integer Range Optimization phase after
3256         Loop Invariant Code Motion to make sure no code is moved after
3257         its integer range bounds proofs have been used.
3258
3259         * dfg/DFGPlan.cpp:
3260         (JSC::DFG::Plan::compileInThreadImpl):
3261         * tests/stress/bounds-check-not-eliminated-by-licm.js: Added.
3262         (testInLoopTests):
3263
3264 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
3265
3266         Web Inspector: Eliminate the crazy code for evaluateOnCallFrame
3267         https://bugs.webkit.org/show_bug.cgi?id=157510
3268         <rdar://problem/26191332>
3269
3270         Reviewed by Timothy Hatcher.
3271
3272         * debugger/DebuggerCallFrame.cpp:
3273         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3274         Set and clear an optional scope extension object.
3275
3276         * inspector/InjectedScriptSource.js:
3277         (InjectedScript.prototype.evaluate):
3278         (InjectedScript.prototype._evaluateOn):
3279         (InjectedScript.prototype.evaluateOnCallFrame):
3280         Unify the code to use the passed in evaluate function and object.
3281         When evaluating on a call frame the evaluate function ends up being
3282         DebuggerCallFrame::evaluateWithScopeExtension. When evaluating globally
3283         this ends up being JSInjectedScriptHost::evaluateWithScopeExtension.
3284         In both cases "object" is the preferred this object to use.
3285
3286         * debugger/DebuggerCallFrame.h:
3287         * inspector/JSJavaScriptCallFrame.cpp:
3288         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3289         (Inspector::JSJavaScriptCallFrame::evaluate): Deleted.
3290         * inspector/JSJavaScriptCallFrame.h:
3291         * inspector/JSJavaScriptCallFramePrototype.cpp:
3292         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
3293         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
3294         * inspector/JavaScriptCallFrame.h:
3295         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
3296         (Inspector::JavaScriptCallFrame::evaluate): Deleted.
3297         Pass through to DebuggerCallFrame with the proper arguments.
3298
3299         * debugger/Debugger.cpp:
3300         (JSC::Debugger::hasBreakpoint):
3301         * inspector/ScriptDebugServer.cpp:
3302         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3303         Use the new evaluate on call frame method name and no scope extension object.
3304
3305 2016-05-10  Saam barati  <sbarati@apple.com>
3306
3307         Make super-property-access.js test run for less time because it was timing out in debug builds.
3308
3309         Rubber stamped by Filip Pizlo.
3310
3311         * tests/stress/super-property-access.js:
3312         (test):
3313         (test.value):
3314         (test.foo):
3315         (test.B.prototype.bar):
3316         (test.B):
3317
3318 2016-05-10  Csaba Osztrogonác  <ossy@webkit.org>
3319
3320         [JSC] Fix the !ENABLE(DFG_JIT) build
3321         https://bugs.webkit.org/show_bug.cgi?id=157512
3322
3323         Reviewed by Mark Lam.
3324
3325         * jit/Repatch.cpp:
3326
3327 2016-05-09  Joseph Pecoraro  <pecoraro@apple.com>
3328