4811bf1fe0c1ede2dc3b88b1bdbd02a52aa737c3
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-12-26  Mark Lam  <mark.lam@apple.com>

        Rename NodeMayOverflowInXXX to NodeMayOverflowInt32InXXX.
        https://bugs.webkit.org/show_bug.cgi?id=152555

        Reviewed by Alex Christensen.

        That's because the NodeMayOverflowInBaseline and NodeMayOverflowInDFG flags only
        indicate potential overflowing of Int32 values.  We'll be adding overflow
        profiling for Int52 values later, and we should disambiguate between the 2 types.

        This is purely a renaming patch.  There are no semantic changes.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflowInt32):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeMayOverflow): Deleted.

2015-12-23  Andreas Kling  <akling@apple.com>

        jsc CLI tool crashes on EOF.
        <https://webkit.org/b/152522>

        Reviewed by Benjamin Poulain.

        SourceProvider should treat String() like the empty string for hashing purposes.
        This was a subtle behavior change in r194017 due to how zero-length strings are
        treated by StringImpl::createSubstringSharingImpl().

        I made these SourceProviders store a Ref<StringImpl> internally instead of a
        String, to codify the fact that these strings can't be null strings.

        I couldn't find a way to cause this crash through the API.

        * API/JSScriptRef.cpp:
        (OpaqueJSScript::OpaqueJSScript):
        * parser/SourceProvider.h:
        (JSC::StringSourceProvider::StringSourceProvider):

2015-12-23  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be able to run crypto-sha1 in eager mode
        https://bugs.webkit.org/show_bug.cgi?id=152539

        Reviewed by Saam Barati.

        This patch contains one real bug fix and some other fixes that are primarily there for sanity
        because I don't believe they are symptomatic.

        The real fix is the instruction selector's handling of Phi. It was assuming that the correct
        lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
        that the Phi uses. But this fails for code patterns like:

            @a = Phi()
            Upsilon(@x, ^a)
            use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.

        This arises when we have a lot of Upsilons in a row and they are trying to perform a
        shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
        wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
        stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
        so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
        this. In fact, I believe that the only time that this would lead to extra interference or
        extra assignments is when it's actually needed to be correct.

        This also contains other fixes, which are probably not for real bugs, but they make me feel
        all warm and fuzzy:

        - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
          a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
          to spill slots and amends them with zero-fills of the top bits.

        - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
          results, the subwidth ZDef bug would return.  That probably means that it was never fixed
          to begin with, since it's totally cool for just a single def or use of a tmp to cause it
          to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
          fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
          This is abstracted behind the beautifully named Air::fixSpillSlotZDef().

        - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
          something before defining it, validate() will tell you.

        - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
          an Option; you have to hack code. But that's better than nothing, and it's consistent with
          what we do for other super-internal compiler options that we use rarely.

        - You can now run spillEverything() without hacking code.  Just use
          Options::airSpillSeverything().

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::LowerToAir):
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Validate.cpp:
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::specials):
        (JSC::B3::Air::Code::forAllTmps):
        (JSC::B3::Air::Code::isFastTmp):
        * b3/air/AirFixSpillSlotZDef.h: Added.
        (JSC::B3::Air::fixSpillSlotZDef):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmpWidth.cpp:
        (JSC::B3::Air::TmpWidth::recompute):
        * jit/JITOperations.cpp:
        * runtime/Options.h:

117
118 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
119
120         Need a story for platform-specific Args
121         https://bugs.webkit.org/show_bug.cgi?id=152529
122
123         Reviewed by Michael Saboff.
124
125         This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
126         uses this to avoid immediates and addresses that the target wouldn't like.
127
128         This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.
129
130         * b3/B3LowerToAir.cpp:
131         (JSC::B3::Air::LowerToAir::crossesInterference):
132         (JSC::B3::Air::LowerToAir::effectiveAddr):
133         (JSC::B3::Air::LowerToAir::addr):
134         (JSC::B3::Air::LowerToAir::loadPromise):
135         (JSC::B3::Air::LowerToAir::imm):
136         (JSC::B3::Air::LowerToAir::lower):
137         * b3/air/AirAllocateStack.cpp:
138         (JSC::B3::Air::allocateStack):
139         * b3/air/AirArg.h:
140         (JSC::B3::Air::Arg::Arg):
141         (JSC::B3::Air::Arg::imm):
142         (JSC::B3::Air::Arg::imm64):
143         (JSC::B3::Air::Arg::callArg):
144         (JSC::B3::Air::Arg::isValidScale):
145         (JSC::B3::Air::Arg::tmpIndex):
146         (JSC::B3::Air::Arg::withOffset):
147         (JSC::B3::Air::Arg::isValidImmForm):
148         (JSC::B3::Air::Arg::isValidAddrForm):
149         (JSC::B3::Air::Arg::isValidIndexForm):
150         (JSC::B3::Air::Arg::isValidForm):
151         (JSC::B3::Air::Arg::forEachTmpFast):
152         * b3/air/opcode_generator.rb:
153
154 2015-12-23  Keith Miller  <keith_miller@apple.com>
155
156         [JSC] Bugfix for intrinsic getters with dictionary structures.
157         https://bugs.webkit.org/show_bug.cgi?id=152538
158
159         Reviewed by Mark Lam.
160
161         Intrinsic getters did not check if an object was a dictionary. This meant, if a property on
162         the prototype chain of a dictionary was an intrinsic getter we would IC it. Later, if a
163         property is added to the dictionary the IC would still return the result of the intrinsic.
164         The fix is to no longer IC intrinsic getters if the base object is a dictionary.
165
166         * jit/Repatch.cpp:
167         (JSC::tryCacheGetByID):
168         * tests/stress/typedarray-length-dictionary.js: Added.
169         (len):
170
171 2015-12-23  Andy VanWagoner  <andy@instructure.com>
172
173         [INTL] Implement DateTime Format Functions
174         https://bugs.webkit.org/show_bug.cgi?id=147606
175
176         Reviewed by Benjamin Poulain.
177
178         Initialize a UDateFormat from the generated pattern. Use udat_format()
179         to format the value. Make sure that the UDateFormat is cleaned up when
180         the DateTimeFormat is deconstructed.
181
182         * runtime/IntlDateTimeFormat.cpp:
183         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
184         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
185         (JSC::IntlDateTimeFormat::format):
186         * runtime/IntlDateTimeFormat.h:
187
188 2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>
189
190         [INTL] Implement String.prototype.localeCompare in ECMA-402
191         https://bugs.webkit.org/show_bug.cgi?id=147607
192
193         Reviewed by Benjamin Poulain.
194
195         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
196         Keep existing native implementation for use if INTL flag is disabled.
197         For the common case where no locale or options are specified, avoid creating
198         a new collator and just use the prototype which is initialized with the defaults.
199
200         * CMakeLists.txt:
201         * DerivedSources.make:
202         * JavaScriptCore.xcodeproj/project.pbxproj:
203         * builtins/StringPrototype.js: Added.
204         (localeCompare):
205         * runtime/StringPrototype.cpp:
206         (JSC::StringPrototype::finishCreation):
207
208 2015-12-23  Benjamin Poulain  <benjamin@webkit.org>
209
210         Fix x86_64 after r194388
211
212         * b3/B3LowerToAir.cpp:
213         (JSC::B3::Air::LowerToAir::appendShift):
214         (JSC::B3::Air::LowerToAir::lower):
215         (JSC::B3::Air::LowerToAir::lowerX86Div):
216
217 2015-12-23  Benjamin Poulain  <bpoulain@apple.com>
218
219         [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
220         https://bugs.webkit.org/show_bug.cgi?id=152503
221
222         Reviewed by Filip Pizlo.
223
224         It is not working but it builds.
225
226         * assembler/ARM64Assembler.h:
227         (JSC::ARM64Assembler::vand):
228         (JSC::ARM64Assembler::vectorDataProcessing2Source):
229         * assembler/MacroAssemblerARM64.h:
230         (JSC::MacroAssemblerARM64::add32):
231         (JSC::MacroAssemblerARM64::add64):
232         (JSC::MacroAssemblerARM64::countLeadingZeros64):
233         (JSC::MacroAssemblerARM64::not32):
234         (JSC::MacroAssemblerARM64::not64):
235         (JSC::MacroAssemblerARM64::zeroExtend16To32):
236         (JSC::MacroAssemblerARM64::signExtend16To32):
237         (JSC::MacroAssemblerARM64::zeroExtend8To32):
238         (JSC::MacroAssemblerARM64::signExtend8To32):
239         (JSC::MacroAssemblerARM64::addFloat):
240         (JSC::MacroAssemblerARM64::ceilFloat):
241         (JSC::MacroAssemblerARM64::branchDouble):
242         (JSC::MacroAssemblerARM64::branchFloat):
243         (JSC::MacroAssemblerARM64::divFloat):
244         (JSC::MacroAssemblerARM64::moveZeroToDouble):
245         (JSC::MacroAssemblerARM64::moveFloatTo32):
246         (JSC::MacroAssemblerARM64::move32ToFloat):
247         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
248         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
249         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
250         (JSC::MacroAssemblerARM64::mulFloat):
251         (JSC::MacroAssemblerARM64::andDouble):
252         (JSC::MacroAssemblerARM64::andFloat):
253         (JSC::MacroAssemblerARM64::sqrtFloat):
254         (JSC::MacroAssemblerARM64::subFloat):
255         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
256         (JSC::MacroAssemblerARM64::moveConditionally32):
257         (JSC::MacroAssemblerARM64::moveConditionally64):
258         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
259         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
260         (JSC::MacroAssemblerARM64::test32):
261         (JSC::MacroAssemblerARM64::setCarry):
262         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
263         * assembler/MacroAssemblerX86.h:
264         (JSC::MacroAssemblerX86::moveDoubleToInts):
265         (JSC::MacroAssemblerX86::moveIntsToDouble):
266         * assembler/MacroAssemblerX86Common.h:
267         (JSC::MacroAssemblerX86Common::move32ToFloat):
268         (JSC::MacroAssemblerX86Common::moveFloatTo32):
269         (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
270         (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
271         * b3/B3LowerToAir.cpp:
272         (JSC::B3::Air::LowerToAir::appendShift):
273         (JSC::B3::Air::LowerToAir::lower):
274         * b3/air/AirInstInlines.h:
275         (JSC::B3::Air::isX86DivHelperValid):
276         * b3/air/AirOpcode.opcodes:
277         * jit/AssemblyHelpers.h:
278         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
279         (JSC::AssemblyHelpers::emitFunctionEpilogue):
280         * jit/FPRInfo.h:
281         (JSC::FPRInfo::toArgumentRegister):
282
283 2015-12-23  Andy VanWagoner  <andy@instructure.com>
284
285         [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
286         https://bugs.webkit.org/show_bug.cgi?id=147603
287
288         Reviewed by Benjamin Poulain.
289
290         Implements InitializeDateTimeFormat and related abstract operations
291         using ICU. Lazy initialization is used for DateTimeFormat.prototype.
292         Refactor to align with Collator work.
293
294         * icu/unicode/udatpg.h: Added.
295         * icu/unicode/unumsys.h: Added.
296         * runtime/CommonIdentifiers.h:
297         * runtime/IntlDateTimeFormat.cpp:
298         (JSC::defaultTimeZone):
299         (JSC::canonicalizeTimeZoneName):
300         (JSC::localeData):
301         (JSC::toDateTimeOptions):
302         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
303         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
304         (JSC::IntlDateTimeFormat::weekdayString):
305         (JSC::IntlDateTimeFormat::eraString):
306         (JSC::IntlDateTimeFormat::yearString):
307         (JSC::IntlDateTimeFormat::monthString):
308         (JSC::IntlDateTimeFormat::dayString):
309         (JSC::IntlDateTimeFormat::hourString):
310         (JSC::IntlDateTimeFormat::minuteString):
311         (JSC::IntlDateTimeFormat::secondString):
312         (JSC::IntlDateTimeFormat::timeZoneNameString):
313         (JSC::IntlDateTimeFormat::resolvedOptions):
314         (JSC::IntlDateTimeFormat::format):
315         (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted.
316         * runtime/IntlDateTimeFormat.h:
317         * runtime/IntlDateTimeFormatConstructor.cpp:
318         (JSC::constructIntlDateTimeFormat):
319         (JSC::callIntlDateTimeFormat):
320         * runtime/IntlDateTimeFormatPrototype.cpp:
321         (JSC::IntlDateTimeFormatFuncFormatDateTime):
322         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
323         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
324         * runtime/IntlObject.cpp:
325         (JSC::resolveLocale):
326         (JSC::getNumberingSystemsForLocale):
327         * runtime/IntlObject.h:
328
329 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
330
331         REGRESSION(194382): FTL B3 no longer runs V8/encrypt
332         https://bugs.webkit.org/show_bug.cgi?id=152519
333
334         Reviewed by Saam Barati.
335
336         A "Move Imm, Tmp" instruction should turn into "Move32 Imm, Tmp" if the Tmp is spilled to a
337         32-bit slot. Changing where we check isTmp() achieves this. Since all of the logic is only
338         relevant to when we spill without introducing a Tmp, and since a Move does not have a "Move Addr,
339         Addr" form, this code ensures that the logic only happens for "Tmp, Tmp" and "Imm, Tmp".
340
341         * b3/air/AirIteratedRegisterCoalescing.cpp:
342         * dfg/DFGOperations.cpp:
343
344 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
345
346         FTL B3 should use the right type for comparison slow paths
347         https://bugs.webkit.org/show_bug.cgi?id=152521
348
349         Reviewed by Saam Barati.
350
351         Fixes a small goof that was leading to B3 validation failures.
352
353         * ftl/FTLLowerDFGToLLVM.cpp:
354         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
355
356 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
357
358         FTL B3 should be able to run richards
359         https://bugs.webkit.org/show_bug.cgi?id=152514
360
361         Reviewed by Michael Saboff.
362
363         This came down to a liveness bug and a register allocation bug.
364
365         The liveness bug was that the code that determined whether we should go around the fixpoint
366         assumed that BitVector::quickSet() would return true if the bit changed state from false to
367         true. That's not how it works. It returns the old value of the bit, so it will return false
368         if the bit changed from false to true. Since there is already a lot of code that relies on
369         this behavior, I fixed Liveness instead of changing BitVector.
370
371         The register allocation bug was that we weren't guarding some checks of tmp()'s with checks
372         that the Arg isTmp().
373
374         The liveness took a long time to track down, and I needed to add a lot of dumping to do it.
375         It's now possible to dump more of the liveness states, including liveAtHead. I found this
376         extremely helpful, so I removed the code that cleared liveAtHead.
377
378         * b3/air/AirIteratedRegisterCoalescing.cpp:
379         * b3/air/AirLiveness.h:
380         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
381         (JSC::B3::Air::AbstractLiveness::Iterable::Iterable):
382         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator):
383         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*):
384         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++):
385         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==):
386         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=):
387         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
388         (JSC::B3::Air::AbstractLiveness::Iterable::end):
389         (JSC::B3::Air::AbstractLiveness::liveAtHead):
390         (JSC::B3::Air::AbstractLiveness::liveAtTail):
391         * b3/air/AirStackSlot.h:
392         (WTF::printInternal):
393         * ftl/FTLOSRExitCompiler.cpp:
394         (JSC::FTL::compileFTLOSRExit):
395
396 2015-12-22  Saam barati  <sbarati@apple.com>
397
398         Cloop build fix after https://bugs.webkit.org/show_bug.cgi?id=152511.
399
400         Unreviewed build fix.
401
402         * runtime/Options.cpp:
403         (JSC::recomputeDependentOptions):
404
405 2015-12-22  Saam barati  <sbarati@apple.com>
406
407         Work around issue in bug #152510
408         https://bugs.webkit.org/show_bug.cgi?id=152511
409
410         Reviewed by Filip Pizlo.
411
412         * runtime/Options.cpp:
413         (JSC::recomputeDependentOptions):
414
415 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
416
417         FTL B3 does not logicalNot correctly
418         https://bugs.webkit.org/show_bug.cgi?id=152512
419
420         Reviewed by Saam Barati.
421
422         I'm working on a bug where V8/richards does not run correctly. I noticed that the codegen was
        doing a lot of Not32's followed by branches, which smelled like badness. To debug this, I
        needed B3's origins to dump as something other than a hexed pointer to a node. The node index
        would be better. So, I added the notion of an origin printer to Procedure.

        The bug was easy enough to fix. This introduces Output::logicalNot(). In LLVM, it's the same
        as bitNot(). In B3, it's compiled to Equal(value, 0). We could have also compiled it to
        BitXor(value, 1), except that B3 will strength-reduce to that anyway whenever it's safe. It's
        sort of nice that right now, you could use logicalNot() on non-bool values and get C-like
        behavior.

        Richards still doesn't run, though. There are more bugs!

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::dump):
        (JSC::B3::BasicBlock::deepDump):
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::frequency):
        (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
        (JSC::B3::DeepBasicBlockDump::dump):
        (JSC::B3::deepDump):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Origin.h:
        (JSC::B3::Origin::data):
        * b3/B3OriginDump.h: Added.
        (JSC::B3::OriginDump::OriginDump):
        (JSC::B3::OriginDump::dump):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::~Procedure):
        (JSC::B3::Procedure::printOrigin):
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::dump):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setOriginPrinter):
        * b3/B3Value.cpp:
        (JSC::B3::Value::dumpChildren):
        (JSC::B3::Value::deepDump):
        * b3/B3Value.h:
        (JSC::B3::DeepValueDump::DeepValueDump):
        (JSC::B3::DeepValueDump::dump):
        (JSC::B3::deepDump):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::bitNot):
        (JSC::FTL::Output::logicalNot):
        (JSC::FTL::Output::load):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::ctlz32):
        (JSC::FTL::Output::addWithOverflow32):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::doubleEqual):
        (JSC::FTL::Output::doubleEqualOrUnordered):
        (JSC::FTL::Output::doubleNotEqualOrUnordered):
        (JSC::FTL::Output::doubleLessThan):
        (JSC::FTL::Output::doubleLessThanOrEqual):
        (JSC::FTL::Output::doubleGreaterThan):
        (JSC::FTL::Output::doubleGreaterThanOrEqual):
        (JSC::FTL::Output::doubleNotEqualAndOrdered):
        (JSC::FTL::Output::doubleLessThanOrUnordered):
        (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
        (JSC::FTL::Output::isZero32):
        (JSC::FTL::Output::notZero32):
        (JSC::FTL::Output::addIncomingToPhi):
        (JSC::FTL::Output::bitCast):
        (JSC::FTL::Output::bitNot): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileLogicalNot):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCountExecution):
        (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
        (JSC::FTL::DFG::LowerDFGToLLVM::isMisc):
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotBoolean):
        (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean):
        (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean):
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotType):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculateObject):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::bitNot):
        (JSC::FTL::Output::logicalNot):
        (JSC::FTL::Output::insertElement):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2015-12-22  Keith Miller  <keith_miller@apple.com>

        Remove OverridesHasInstance from TypeInfoFlags
        https://bugs.webkit.org/show_bug.cgi?id=152005

        Reviewed by Saam Barati.

        Currently, we have three TypeInfo flags associated with instanceof behavior,
        ImplementsHasInstance, ImplementDefaultHasInstance, and OverridesHasInstance. This patch
        removes the third and moves the first to the out of line flags. In theory, we should only
        need one flag but removing ImplementsHasInstance is more involved and should be done in a
        separate patch.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::implementsHasInstance):
        (JSC::TypeInfo::TypeInfo): Deleted.
        (JSC::TypeInfo::overridesHasInstance): Deleted.
        * runtime/NumberConstructor.h:

2015-12-22  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do tail calls
        https://bugs.webkit.org/show_bug.cgi?id=152494

        Reviewed by Michael Saboff.

        OMG this was so easy.

        The only shady part is that I broke a layering rule that we had so far been following: B3 was
        sitting below the JSC runtime, and did not use JS-specific types. No more, since B3::ValueRep
        can now turn itself into a ValueRecovery for a JSValue. This small feature makes a huge
        difference for the readability of tail call code: it makes it plain that the call frame
        shuffler is basically just directly consuming the stackmap generation params, and insofar as
        there is any data transformation, it's just because it uses different classes to say the same
        thing.

        I think we should avoid adding too many JS-specific things to B3. But, so long as it's still
        possible to use B3 to compile things that aren't JS, I think we'll be fine.

        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::dump):
        (JSC::B3::ValueRep::emitRestore):
        (JSC::B3::ValueRep::recoveryForJSValue):
        * b3/B3ValueRep.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * test/stress/ftl-tail-call.js: Added.

2015-12-21  Mark Lam  <mark.lam@apple.com>

        Snippefy op_negate for the baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=152447

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitBitBinaryOpFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_negate): Deleted.
        (JSC::JIT::emitSlow_op_negate): Deleted.
        * jit/JITNegGenerator.cpp: Added.
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITNegGenerator.h: Added.
        (JSC::JITNegGenerator::JITNegGenerator):
        (JSC::JITNegGenerator::didEmitFastPath):
        (JSC::JITNegGenerator::endJumpList):
        (JSC::JITNegGenerator::slowPathJumpList):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        Address review feedback from Saam.  I should have landed it in r194354.

        * b3/testb3.cpp:
        (JSC::B3::testStore16Arg):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        B3 should be able to compile Store16
        https://bugs.webkit.org/show_bug.cgi?id=152493

        Reviewed by Saam Barati.

        This adds comprehensive Store16 support to our assembler, Air, and B3->Air lowering.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::movw_rm):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testStorePartial8BitRegisterOnX86):
        (JSC::B3::testStore16Arg):
        (JSC::B3::testStore16Imm):
        (JSC::B3::testTrunc):
        (JSC::B3::run):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove highBitsAreZero(), it's unused.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::highBitsAreZero): Deleted.

2015-12-21  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed, fix the !FTL_USES_B3 build after r194334.

        * ftl/FTLLowerDFGToLLVM.cpp: Mark forwarding unused variable.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do doubleToInt32
        https://bugs.webkit.org/show_bug.cgi?id=152484

        Reviewed by Saam Barati.

        We used to have a DToI32 opcode in B3 that we never implemented. This removes that opcode,
        since double-to-int conversion has dramatically different semantics on different
        architectures. We let FTL get the conversion instruction it wants by using a patchpoint.

        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::doublePowi):
        (JSC::FTL::Output::hasSensibleDoubleToInt):
        (JSC::FTL::Output::doubleToInt):
        (JSC::FTL::Output::doubleToUInt):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        (JSC::FTL::Output::branch):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleLog):
        (JSC::FTL::Output::signExt32To64):
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::zeroExtPtr):
        (JSC::FTL::Output::intToDouble):
        (JSC::FTL::Output::unsignedToDouble):
        (JSC::FTL::Output::castToInt32):
        (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
        (JSC::FTL::Output::sensibleDoubleToInt): Deleted.
        (JSC::FTL::Output::fpToInt32): Deleted.
        (JSC::FTL::Output::fpToUInt32): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithPow):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
        (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::hasSensibleDoubleToInt):
        (JSC::FTL::Output::doubleToInt):
        (JSC::FTL::Output::doubleToUInt):
        (JSC::FTL::Output::signExt32To64):
        (JSC::FTL::Output::zeroExt):

2015-12-21  Skachkov Oleksandr  <gskachkov@gmail.com>

        Unexpected exception assigning to this._property inside arrow function
        https://bugs.webkit.org/show_bug.cgi?id=152028

        Reviewed by Saam Barati.

724         The issue appeared in the case where an arrow function created a base-level lexical environment;
725         in this case the |this| value was loaded from the wrong scope. The problem was that loading of |this|
726         happened too early when compiling bytecode, because the bytecode generator's scope stack wasn't in
727         sync with the runtime scope stack. To fix the issue, loading of |this| was moved after
728         initializeDefaultParameterValuesAndSetupFunctionScopeStack in BytecodeGenerator.cpp.
729
730         * bytecompiler/BytecodeGenerator.cpp:
731         (JSC::BytecodeGenerator::BytecodeGenerator):
732         * tests/stress/arrowfunction-lexical-bind-this-2.js:
733
734 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
735
736         FTL B3 should do vararg calls
737         https://bugs.webkit.org/show_bug.cgi?id=152468
738
739         Reviewed by Benjamin Poulain.
740
741         This adds FTL->B3 lowering of all kinds of varargs calls - forwarding or not, tail or not,
742         and construct or not. Like all other such lowerings, all of the code is in one place in
743         FTLLower.
744
745         I removed code for varargs and exception spill slots from the B3 path, since it won't need
746         it. The plan is to rely on B3 doing the spilling for us by using some combination of early
747         clobber and late use.
748
749         This adds ValueRep::emitRestore(), a helpful method for emitting code to restore any ValueRep
750         into any 64-bit Reg (FPR or GPR).
751
752         I wrote new tests for vararg calls, because I wasn't sure which of the existing ones we can
753         run. These are short-running tests, so I'm not worried about bloating our test suite.
754
755         * b3/B3ValueRep.cpp:
756         (JSC::B3::ValueRep::dump):
757         (JSC::B3::ValueRep::emitRestore):
758         * b3/B3ValueRep.h:
759         * ftl/FTLLowerDFGToLLVM.cpp:
760         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
761         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
762         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
763         * ftl/FTLState.h:
764         * tests/stress/varargs-no-forward.js: Added.
765         * tests/stress/varargs-simple.js: Added.
766         * tests/stress/varargs-two-level.js: Added.
767
768 2015-12-18  Mark Lam  <mark.lam@apple.com>
769
770         Add unary operator tests to compare JIT and LLINT results.
771         https://bugs.webkit.org/show_bug.cgi?id=152453
772
773         Reviewed by Benjamin Poulain.
774
775         Also fixed a few things in the binary-op-test.js.
776
777         * tests/stress/op_negate.js: Added.
778         (o1.valueOf):
779         * tests/stress/op_postdec.js: Added.
780         (o1.valueOf):
781         * tests/stress/op_postinc.js: Added.
782         (o1.valueOf):
783         * tests/stress/op_predec.js: Added.
784         (o1.valueOf):
785         * tests/stress/op_preinc.js: Added.
786         (o1.valueOf):
787         * tests/stress/resources/binary-op-test.js:
788         (stringifyIfNeeded):
789         (isIdentical):
790         (run):
791         * tests/stress/resources/unary-op-test.js: Added.
792         (stringifyIfNeeded):
793         (generateBinaryTests):
794         (isIdentical):
795         (runTest):
796         (run):
797
798 2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>
799
800         Unreviewed, rolling out r194328.
801
802         This change appears to have caused failures in JSC tests
803
804         Reverted changeset:
805
806         "[INTL] Implement String.prototype.localeCompare in ECMA-402"
807         https://bugs.webkit.org/show_bug.cgi?id=147607
808         http://trac.webkit.org/changeset/194328
809
810 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
811
812         B3->Air lowering incorrectly copy-propagates over ZExt32's
813         https://bugs.webkit.org/show_bug.cgi?id=152365
814
815         Reviewed by Benjamin Poulain.
816
817         The instruction selector thinks that Value's that return Int32's are going to always be lowered
818         to instructions that zero-extend the destination. But this isn't actually true. If you have an
819         Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
820         filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
821         garbage in the high bits.
822
823         The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
824         pretty sad bug, but:
825
826         - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
827           ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
828           harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
829           "i" is a 32-bit integer that is computed using operations that already do zero-extension.
830
831         - More broadly, it's strange that the instruction selector decides whether a Value will be
832           lowered to something that zero-extends. That's too constraining, since the most optimal
833           instruction selection might involve something that doesn't zero-extend in cases of spilling, so
834           the zero-extension should only happen if it's actually needed. This means that we need to
835           understand which Air instructions cause zero-extensions.
836
837         - If we know which Air instructions cause zero-extensions, then we don't need the instruction
838           selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
839           allocator.
840
841         In fact, the register allocator is exactly where all of the pieces come together. It's there that
842         we want to know which operations zero-extend and which don't. It also wants to know how many bits
843         of a Tmp each instruction reads. Armed with that information, the register allocator can emit
844         more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
845         on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.
846
847         This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
848         V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
849         appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
850         could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
851         registers, and then have it emit spill code around the call itself. LLVM probably gets this
852         optimization from its live range splitting.
853
854         I tried writing a regression test. The problem is that you need garbage on the stack for this to
855         work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
856         this, so we do have coverage.
857
858         * CMakeLists.txt:
859         * JavaScriptCore.xcodeproj/project.pbxproj:
860         * assembler/AbstractMacroAssembler.h:
861         (JSC::isX86):
862         (JSC::isX86_64):
863         (JSC::optimizeForARMv7IDIVSupported):
864         (JSC::optimizeForX86):
865         (JSC::optimizeForX86_64):
866         * b3/B3LowerToAir.cpp:
867         (JSC::B3::Air::LowerToAir::highBitsAreZero):
868         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
869         (JSC::B3::Air::LowerToAir::lower):
870         * b3/B3PatchpointSpecial.cpp:
871         (JSC::B3::PatchpointSpecial::forEachArg):
872         * b3/B3StackmapSpecial.cpp:
873         (JSC::B3::StackmapSpecial::forEachArgImpl):
874         * b3/B3Value.h:
875         * b3/air/AirAllocateStack.cpp:
876         (JSC::B3::Air::allocateStack):
877         * b3/air/AirArg.cpp:
878         (WTF::printInternal):
879         * b3/air/AirArg.h:
880         (JSC::B3::Air::Arg::pointerWidth):
881         (JSC::B3::Air::Arg::isAnyUse):
882         (JSC::B3::Air::Arg::isColdUse):
883         (JSC::B3::Air::Arg::isEarlyUse):
884         (JSC::B3::Air::Arg::isDef):
885         (JSC::B3::Air::Arg::isZDef):
886         (JSC::B3::Air::Arg::widthForB3Type):
887         (JSC::B3::Air::Arg::conservativeWidth):
888         (JSC::B3::Air::Arg::minimumWidth):
889         (JSC::B3::Air::Arg::bytes):
890         (JSC::B3::Air::Arg::widthForBytes):
891         (JSC::B3::Air::Arg::Arg):
892         (JSC::B3::Air::Arg::forEachTmp):
893         * b3/air/AirCCallSpecial.cpp:
894         (JSC::B3::Air::CCallSpecial::forEachArg):
895         * b3/air/AirEliminateDeadCode.cpp:
896         (JSC::B3::Air::eliminateDeadCode):
897         * b3/air/AirFixPartialRegisterStalls.cpp:
898         (JSC::B3::Air::fixPartialRegisterStalls):
899         * b3/air/AirInst.cpp:
900         (JSC::B3::Air::Inst::hasArgEffects):
901         * b3/air/AirInst.h:
902         (JSC::B3::Air::Inst::forEachTmpFast):
903         (JSC::B3::Air::Inst::forEachTmp):
904         * b3/air/AirInstInlines.h:
905         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
906         * b3/air/AirIteratedRegisterCoalescing.cpp:
907         * b3/air/AirLiveness.h:
908         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
909         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
910         * b3/air/AirOpcode.opcodes:
911         * b3/air/AirSpillEverything.cpp:
912         (JSC::B3::Air::spillEverything):
913         * b3/air/AirTmpWidth.cpp: Added.
914         (JSC::B3::Air::TmpWidth::TmpWidth):
915         (JSC::B3::Air::TmpWidth::~TmpWidth):
916         * b3/air/AirTmpWidth.h: Added.
917         (JSC::B3::Air::TmpWidth::width):
918         (JSC::B3::Air::TmpWidth::defWidth):
919         (JSC::B3::Air::TmpWidth::useWidth):
920         (JSC::B3::Air::TmpWidth::Widths::Widths):
921         * b3/air/AirUseCounts.h:
922         (JSC::B3::Air::UseCounts::UseCounts):
923         * b3/air/opcode_generator.rb:
924         * b3/testb3.cpp:
925         (JSC::B3::testCheckMegaCombo):
926         (JSC::B3::testCheckTrickyMegaCombo):
927         (JSC::B3::testCheckTwoMegaCombos):
928         (JSC::B3::run):
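
An added example, not code from this ChangeLog or from JavaScriptCore, modelling the spill-slot width problem and the zero-extension check described in the entry above. SpillSlot, storeDef32, fill64, upperZeroKnown and the tiny Op/Inst model are constructed for the illustration, and the 0xDEADBEEF... stale value stands in for whatever garbage happens to be on the stack. It shows the garbage upper bits that a 4-byte store followed by an 8-byte reload produces, the width-aware fill that avoids them, and a per-Tmp analysis that only lets a ZExt32 be copy-propagated away when every def of the source is known to zero the upper half.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the bug: an 8-byte spill slot that a 32-bit def only
// partially overwrites, and a filler that reloads all 8 bytes.  Not JSC code.
struct SpillSlot {
    // Stale data left by an earlier occupant of the slot (constructed value).
    uint64_t bits = 0xDEADBEEF00000000ull;
};

// Add32 with a memory destination: only the low 4 bytes of the slot are written.
void storeDef32(SpillSlot& slot, uint32_t value) {
    slot.bits = (slot.bits & 0xFFFFFFFF00000000ull) | value;
}

// A zero-extending def (Move32 on x86-64): the upper 4 bytes become zero.
void storeZDef32(SpillSlot& slot, uint32_t value) {
    slot.bits = value;
}

// The filler as described in the entry: reload the whole 8-byte slot.
uint64_t fill64(const SpillSlot& slot) { return slot.bits; }

// A width-aware filler for a Tmp whose defs are all 32 bits wide: reload 4 bytes, zero-extend.
uint64_t fill32ZeroExtend(const SpillSlot& slot) { return static_cast<uint32_t>(slot.bits); }

// Buggy pipeline: Add32 -> spill -> 8-byte fill -> 64-bit use (e.g. as an array index).
// The ZExt32 that would have cleaned the upper bits was copy-propagated away.
uint64_t spilledAdd32Buggy(uint32_t a, uint32_t b) {
    SpillSlot slot;
    storeDef32(slot, a + b);
    return fill64(slot);
}

// Fixed pipeline: the allocator knows the Tmp is defined at 32 bits and fills accordingly.
uint64_t spilledAdd32Fixed(uint32_t a, uint32_t b) {
    SpillSlot slot;
    storeDef32(slot, a + b);
    return fill32ZeroExtend(slot);
}

// A ZDef (Move32) spilled to the same slot leaves nothing stale behind, so an 8-byte fill is fine.
uint64_t spilledMove32(uint32_t value) {
    SpillSlot slot;
    storeZDef32(slot, value);
    return fill64(slot);
}

// The other half of the fix: decide per Tmp whether its upper 32 bits are known to be
// zero, so the selector only drops a ZExt32 when that is actually guaranteed.
enum class Op { Add32, Move32, Move64, ZExt32 };
struct Inst { Op op; int dst; };  // destination Tmp index; sources are irrelevant here

// Does this opcode guarantee the upper 32 bits of its destination are zero?
bool defZeroesUpper32(Op op) {
    switch (op) {
    case Op::Move32:
    case Op::ZExt32: return true;   // ZDef: 32 bits written, upper bits cleared
    case Op::Add32:  return false;  // Def32: 4 bytes written, upper bits unspecified once spilled
    case Op::Move64: return false;  // full 64-bit value, upper bits arbitrary
    }
    return false;
}

// Per-Tmp summary over every def, in the spirit of a width analysis pass.
std::vector<bool> upperZeroKnown(const std::vector<Inst>& code, int numTmps) {
    std::vector<bool> known(numTmps, false);    // undefined Tmps are never trusted
    std::vector<bool> defined(numTmps, false);
    for (const Inst& inst : code) {
        bool zeroes = defZeroesUpper32(inst.op);
        known[inst.dst] = defined[inst.dst] ? (known[inst.dst] && zeroes) : zeroes;
        defined[inst.dst] = true;
    }
    return known;
}

// "ZExt32 dst, src" may be replaced by a plain copy only if every def of src zeroes the upper half.
bool canCopyPropagateZExt32(const std::vector<Inst>& code, int numTmps, int src) {
    return upperZeroKnown(code, numTmps)[src];
}

// Constructed sample program: tmp0 from Add32, tmp1 from Move32, tmp2 from Move64.
std::vector<Inst> sampleProgram() {
    return { {Op::Add32, 0}, {Op::Move32, 1}, {Op::Move64, 2} };
}

int main() {
    std::printf("buggy: %#llx  fixed: %#llx\n",
                (unsigned long long)spilledAdd32Buggy(1, 2),
                (unsigned long long)spilledAdd32Fixed(1, 2));
    for (int t = 0; t < 3; ++t)
        std::printf("tmp%d: drop ZExt32? %s\n", t,
                    canCopyPropagateZExt32(sampleProgram(), 3, t) ? "yes" : "no");
    return 0;
}
```

The low 32 bits of the buggy result are still correct, which is why a test without stack garbage never catches this, exactly the difficulty the entry describes; only a 64-bit consumer of the reloaded value sees the stale upper half.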
929
930 2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>
931
932         [INTL] Implement String.prototype.localeCompare in ECMA-402
933         https://bugs.webkit.org/show_bug.cgi?id=147607
934
935         Reviewed by Darin Adler.
936
937         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
938         Keep existing native implementation for use if INTL flag is disabled.
939
940         * CMakeLists.txt:
941         * DerivedSources.make:
942         * JavaScriptCore.xcodeproj/project.pbxproj:
943         * builtins/StringPrototype.js: Added.
944         (localeCompare):
945         * runtime/StringPrototype.cpp:
946         (JSC::StringPrototype::finishCreation):
947
948 2015-12-18  Filip Pizlo  <fpizlo@apple.com>
949
950         Implement compareDouble in B3/Air
951         https://bugs.webkit.org/show_bug.cgi?id=150903
952
953         Reviewed by Benjamin Poulain.
954
955         A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
956         crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
957         but we can't guarantee that this will always happen.
958
959         This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
960         a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
961         magnitude.
962
963         * assembler/MacroAssembler.h:
964         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
965         (JSC::MacroAssembler::compareDouble):
966         (JSC::MacroAssembler::compareFloat):
967         (JSC::MacroAssembler::lea):
968         * b3/B3Dominators.h:
969         (JSC::B3::Dominators::Dominators):
970         * b3/B3LowerToAir.cpp:
971         (JSC::B3::Air::LowerToAir::createCompare):
972         (JSC::B3::Air::LowerToAir::lower):
973         * b3/air/AirOpcode.opcodes:
974         * b3/testb3.cpp:
975         (JSC::B3::testCompare):
976         (JSC::B3::testEqualDouble):
977         (JSC::B3::simpleFunction):
978         (JSC::B3::run):
979         * dfg/DFGDominators.h:
980         (JSC::DFG::Dominators::Dominators):
981
982 2015-12-19  Dan Bernstein  <mitz@apple.com>
983
984         [Mac] WebKit contains dead source code for OS X Mavericks and earlier
985         https://bugs.webkit.org/show_bug.cgi?id=152462
986
987         Reviewed by Alexey Proskuryakov.
988
989         - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
990           that became uniform across all OS X versions as a result:
991
992         * Configurations/DebugRelease.xcconfig:
993         * Configurations/FeatureDefines.xcconfig:
994         * Configurations/Version.xcconfig:
995
996         * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
997
998 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
999
1000         [JSC] Streamline Tmp indexing inside the register allocator
1001         https://bugs.webkit.org/show_bug.cgi?id=152420
1002
1003         Reviewed by Filip Pizlo.
1004
1005         AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.
1006
1007         When it started, every map addressed by Tmp was using Tmp hashing.
1008         That caused massive performance problems. Everything perf sensitive was moved
1009         to direct array addressing by the absolute Tmp index. This left the code
1010         with half of the function using Tmp, the other half using indices.
1011
1012         With this patch, almost everything is moved to absolute indexing.
1013         There are a few advantages to this:
1014         -No more conversion churn for Floating Point registers.
1015         -Most of the functions can now be shared between GP and FP.
1016         -A bit of clean up since the core algorithm only deals with integers now.
1017
1018         This patch also changes the index type to be a template argument.
1019         That will allow future specialization of "m_interferenceEdges" based
1020         on the expected problem size.
1021
1022         Finally, the code related to the program modification (register assignment
1023         and spilling) was moved to the wrapper "IteratedRegisterCoalescing".
1024
1025         The current split is:
1026         -AbstractColoringAllocator: common core. Share as much as possible between
1027          GP and FP.
1028         -ColoringAllocator: the remaining parts of the algorithm, everything that
1029          is specific to GP, FP.
1030         -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
1031          Try to allocate and modify the code as needed.
1032
1033         The long term plan is:
1034         -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
1035         -Specialize m_interferenceEdges to make it faster.
1036
1037         * b3/air/AirIteratedRegisterCoalescing.cpp:
1038         * b3/air/AirTmpInlines.h:
1039         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
1040         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
1041
1042 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1043
1044         [JSC] FTLB3Output generates some invalid ZExt32
1045         https://bugs.webkit.org/show_bug.cgi?id=151905
1046
1047         Reviewed by Filip Pizlo.
1048
1049         FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
1050         We were generating ZExt32 with Int32 as return type :(
1051
1052         * ftl/FTLB3Output.h:
1053         (JSC::FTL::Output::zeroExt):
1054
1055 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1056
1057         [JSC] Add EqualOrUnordered to B3
1058         https://bugs.webkit.org/show_bug.cgi?id=152425
1059
1060         Reviewed by Mark Lam.
1061
1062         Add EqualOrUnordered to B3 and use it to implement
1063         FTL::Output's NotEqualAndOrdered.
1064
1065         * b3/B3ConstDoubleValue.cpp:
1066         (JSC::B3::ConstDoubleValue::equalOrUnordered):
1067         * b3/B3ConstDoubleValue.h:
1068         * b3/B3LowerToAir.cpp:
1069         (JSC::B3::Air::LowerToAir::createGenericCompare):
1070         (JSC::B3::Air::LowerToAir::lower):
1071         * b3/B3Opcode.cpp:
1072         (WTF::printInternal):
1073         * b3/B3Opcode.h:
1074         * b3/B3ReduceDoubleToFloat.cpp:
1075         (JSC::B3::reduceDoubleToFloat):
1076         * b3/B3ReduceStrength.cpp:
1077         * b3/B3Validate.cpp:
1078         * b3/B3Value.cpp:
1079         (JSC::B3::Value::equalOrUnordered):
1080         (JSC::B3::Value::returnsBool):
1081         (JSC::B3::Value::effects):
1082         (JSC::B3::Value::key):
1083         (JSC::B3::Value::typeFor):
1084         * b3/B3Value.h:
1085         * b3/testb3.cpp:
1086         (JSC::B3::testBranchEqualOrUnorderedArgs):
1087         (JSC::B3::testBranchNotEqualAndOrderedArgs):
1088         (JSC::B3::testBranchEqualOrUnorderedDoubleArgImm):
1089         (JSC::B3::testBranchEqualOrUnorderedFloatArgImm):
1090         (JSC::B3::testBranchEqualOrUnorderedDoubleImms):
1091         (JSC::B3::testBranchEqualOrUnorderedFloatImms):
1092         (JSC::B3::testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
1093         (JSC::B3::run):
1094         * ftl/FTLB3Output.h:
1095         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1096         (JSC::FTL::Output::doubleNotEqual): Deleted.
1097         * ftl/FTLLowerDFGToLLVM.cpp:
1098         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1099         * ftl/FTLOutput.h:
1100         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1101         (JSC::FTL::Output::doubleNotEqual): Deleted.
1102
1103 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1104
1105         [JSC] B3: Add indexed addressing when lowering BitwiseCast
1106         https://bugs.webkit.org/show_bug.cgi?id=152432
1107
1108         Reviewed by Geoffrey Garen.
1109
1110         The MacroAssembler supports it, we should use it.
1111
1112         * b3/air/AirOpcode.opcodes:
1113         * b3/testb3.cpp:
1114         (JSC::B3::testBitwiseCastOnDoubleInMemoryIndexed):
1115         (JSC::B3::testBitwiseCastOnInt64InMemoryIndexed):
1116
1117 2015-12-18  Andreas Kling  <akling@apple.com>
1118
1119         Make JSString::SafeView less of a footgun.
1120         <https://webkit.org/b/152376>
1121
1122         Reviewed by Darin Adler.
1123
1124         Remove the "operator StringView()" convenience helper on JSString::SafeString since that
1125         made it possible to casually turn the return value from JSString::view() into an unsafe
1126         StringView local on the stack with this pattern:
1127
1128             StringView view = someJSValue.toString(exec)->view(exec);
1129
1130         The JSString* returned by toString() above will go out of scope by the end of the statement
1131         and does not stick around to protect itself from garbage collection.
1132
1133         It will now look like this instead:
1134
1135             JSString::SafeView view = someJSValue.toString(exec)->view(exec);
1136
1137         To be extra clear, the following is not safe:
1138
1139             StringView view = someJSValue.toString(exec)->view(exec).get();
1140
1141         By the end of that statement, the JSString::SafeView goes out of scope, and the JSString*
1142         is no longer protected from GC.
1143
1144         I added a couple of forwarding helpers to the SafeView class, and if you need a StringView
1145         object from it, you can call .get() just like before.
1146
1147         Finally I also removed the JSString::SafeView() constructor, since nobody was instantiating
1148         empty SafeView objects anyway. This way we don't have to worry about null members.
1149
1150         * runtime/ArrayPrototype.cpp:
1151         (JSC::arrayProtoFuncJoin):
1152         * runtime/FunctionConstructor.cpp:
1153         (JSC::constructFunctionSkippingEvalEnabledCheck):
1154         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1155         (JSC::genericTypedArrayViewProtoFuncJoin):
1156         * runtime/JSGlobalObjectFunctions.cpp:
1157         (JSC::decode):
1158         (JSC::globalFuncParseInt):
1159         (JSC::globalFuncParseFloat):
1160         (JSC::globalFuncEscape):
1161         (JSC::globalFuncUnescape):
1162         * runtime/JSONObject.cpp:
1163         (JSC::JSONProtoFuncParse):
1164         * runtime/JSString.cpp:
1165         (JSC::JSString::getPrimitiveNumber):
1166         (JSC::JSString::toNumber):
1167         * runtime/JSString.h:
1168         (JSC::JSString::SafeView::is8Bit):
1169         (JSC::JSString::SafeView::length):
1170         (JSC::JSString::SafeView::characters8):
1171         (JSC::JSString::SafeView::characters16):
1172         (JSC::JSString::SafeView::operator[]):
1173         (JSC::JSString::SafeView::SafeView):
1174         (JSC::JSString::SafeView::get):
1175         (JSC::JSString::SafeView::operator StringView): Deleted.
1176         * runtime/StringPrototype.cpp:
1177         (JSC::stringProtoFuncCharAt):
1178         (JSC::stringProtoFuncCharCodeAt):
1179         (JSC::stringProtoFuncIndexOf):
1180         (JSC::stringProtoFuncNormalize):
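
The lifetime hazard described in the entry above, as an added example that is not part of this ChangeLog or of JavaScriptCore: a SafeView-like wrapper in which std::shared_ptr ownership stands in for GC protection, RawView stands in for StringView, and ManagedString and viewOfTemporary are constructed names that are assumptions of the example. It shows that the owning pattern keeps the string alive past the end of the statement, while the ".get() into a plain view local" pattern leaves the view dangling as soon as the statement ends.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for a GC-managed JSString.  shared_ptr ownership plays the
// role that GC protection plays in JSC; none of this is JavaScriptCore code.
struct ManagedString {
    std::string storage;
    explicit ManagedString(const char* text) : storage(text) {}
};

// Non-owning view into the storage, like StringView: valid only while the owner lives.
struct RawView {
    const char* data;
    std::size_t size;
};

// A view that keeps its owner alive for as long as the view itself exists.
class SafeView {
public:
    explicit SafeView(std::shared_ptr<ManagedString> owner) : m_owner(std::move(owner)) {}

    // Forwarding helpers, so most callers never need a bare RawView.
    std::size_t length() const { return m_owner->storage.size(); }
    char operator[](std::size_t i) const { return m_owner->storage[i]; }

    // Explicit escape hatch: the RawView is only valid while this SafeView is alive.
    RawView get() const { return { m_owner->storage.data(), m_owner->storage.size() }; }

    // Deliberately no "operator RawView()": that implicit conversion is what let
    // `RawView view = ...->view();` compile while silently dropping the protection.

private:
    std::shared_ptr<ManagedString> m_owner;
};

// Mimics toString(exec)->view(exec): a fresh owner that nothing else holds on to.
// `tracker` lets the caller observe afterwards whether the owner is still alive.
SafeView viewOfTemporary(std::weak_ptr<ManagedString>& tracker, const char* text) {
    auto owner = std::make_shared<ManagedString>(text);
    tracker = owner;
    return SafeView(std::move(owner));
}

// Safe pattern from the entry: JSString::SafeView view = ...->view(exec);
// The owner survives past the end of the statement because the SafeView holds it.
bool safePatternKeepsOwnerAlive() {
    std::weak_ptr<ManagedString> tracker;
    SafeView view = viewOfTemporary(tracker, "hello");
    return !tracker.expired() && view.length() == 5 && view[0] == 'h';
}

// Unsafe pattern from the entry: StringView view = ...->view(exec).get();
// The temporary SafeView dies at the end of the statement, taking the owner with it.
// The dangling view is never dereferenced here; we only check that the owner is gone.
bool unsafePatternLeavesDanglingView() {
    std::weak_ptr<ManagedString> tracker;
    RawView dangling = viewOfTemporary(tracker, "hello").get();
    (void)dangling;           // reading dangling.data here would be a use-after-free
    return tracker.expired(); // true: nothing kept the storage alive
}

int main() {
    std::printf("SafeView local keeps owner alive: %s\n", safePatternKeepsOwnerAlive() ? "yes" : "no");
    std::printf("RawView local leaves owner dead:  %s\n", unsafePatternLeavesDanglingView() ? "yes" : "no");
    return 0;
}
```

Removing the implicit conversion does not make `.get()` into a local safe, as the entry notes; it only makes the unsafe form visibly explicit at the call site, which is where a reviewer can catch it.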
1181
1182 2015-12-18  Saam barati  <sbarati@apple.com>
1183
1184         BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools
1185         https://bugs.webkit.org/show_bug.cgi?id=152450
1186
1187         Reviewed by Geoffrey Garen and Joseph Pecoraro.
1188
1189         This makes comprehending the call sites of these functions
1190         easier without looking up the header of the function.
1191
1192         * bytecompiler/BytecodeGenerator.cpp:
1193         (JSC::BytecodeGenerator::BytecodeGenerator):
1194         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1195         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1196         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1197         (JSC::BytecodeGenerator::pushLexicalScope):
1198         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1199         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1200         (JSC::BytecodeGenerator::emitPushCatchScope):
1201         * bytecompiler/BytecodeGenerator.h:
1202         (JSC::BytecodeGenerator::lastOpcodeID):
1203         * bytecompiler/NodesCodegen.cpp:
1204         (JSC::BlockNode::emitBytecode):
1205         (JSC::ForNode::emitBytecode):
1206         (JSC::ForInNode::emitMultiLoopBytecode):
1207         (JSC::ForOfNode::emitBytecode):
1208         (JSC::SwitchNode::emitBytecode):
1209         (JSC::ClassExprNode::emitBytecode):
1210
1211 2015-12-18  Michael Catanzaro  <mcatanzaro@igalia.com>
1212
1213         Avoid triggering clang's -Wundefined-bool-conversion
1214         https://bugs.webkit.org/show_bug.cgi?id=152408
1215
1216         Reviewed by Mark Lam.
1217
1218         Add ASSERT_THIS_GC_OBJECT_LOOKS_VALID and ASSERT_THIS_GC_OBJECT_INHERITS to avoid use of
1219         ASSERT(this) by ASSERT_GC_OBJECT_LOOKS_VALID and ASSERT_GC_OBJECT_INHERITS.
1220
1221         * heap/GCAssertions.h:
1222
1223 2015-12-18  Mark Lam  <mark.lam@apple.com>
1224
1225         Replace SpecialFastCase profiles with ResultProfiles.
1226         https://bugs.webkit.org/show_bug.cgi?id=152433
1227
1228         Reviewed by Saam Barati.
1229
1230         This is in preparation for upcoming work to enhance the DFG predictions to deal
1231         with untyped operands.
1232
1233         This patch also enhances some of the arithmetic slow paths (for the LLINT and
1234         baseline JIT) to collect result profiling info.  This profiling info is not put
1235         to use yet. 
1236
1237         * CMakeLists.txt:
1238         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1239         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1240         * JavaScriptCore.xcodeproj/project.pbxproj:
1241         * bytecode/CodeBlock.cpp:
1242         (JSC::CodeBlock::dumpRareCaseProfile):
1243         (JSC::CodeBlock::dumpResultProfile):
1244         (JSC::CodeBlock::printLocationAndOp):
1245         (JSC::CodeBlock::dumpBytecode):
1246         (JSC::CodeBlock::shrinkToFit):
1247         (JSC::CodeBlock::dumpValueProfiles):
1248         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
1249         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1250         (JSC::CodeBlock::updateResultProfileForBytecodeOffset):
1251         (JSC::CodeBlock::capabilityLevel):
1252         * bytecode/CodeBlock.h:
1253         (JSC::CodeBlock::couldTakeSlowCase):
1254         (JSC::CodeBlock::addResultProfile):
1255         (JSC::CodeBlock::numberOfResultProfiles):
1256         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
1257         (JSC::CodeBlock::couldTakeSpecialFastCase):
1258         (JSC::CodeBlock::addSpecialFastCaseProfile): Deleted.
1259         (JSC::CodeBlock::numberOfSpecialFastCaseProfiles): Deleted.
1260         (JSC::CodeBlock::specialFastCaseProfile): Deleted.
1261         (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset): Deleted.
1262         * bytecode/ValueProfile.cpp: Added.
1263         (WTF::printInternal):
1264         * bytecode/ValueProfile.h:
1265         (JSC::getRareCaseProfileBytecodeOffset):
1266         (JSC::ResultProfile::ResultProfile):
1267         (JSC::ResultProfile::bytecodeOffset):
1268         (JSC::ResultProfile::specialFastPathCount):
1269         (JSC::ResultProfile::didObserveNonInt32):
1270         (JSC::ResultProfile::didObserveDouble):
1271         (JSC::ResultProfile::didObserveNonNegZeroDouble):
1272         (JSC::ResultProfile::didObserveNegZeroDouble):
1273         (JSC::ResultProfile::didObserveNonNumber):
1274         (JSC::ResultProfile::didObserveInt32Overflow):
1275         (JSC::ResultProfile::setObservedNonNegZeroDouble):
1276         (JSC::ResultProfile::setObservedNegZeroDouble):
1277         (JSC::ResultProfile::setObservedNonNumber):
1278         (JSC::ResultProfile::setObservedInt32Overflow):
1279         (JSC::ResultProfile::addressOfFlags):
1280         (JSC::ResultProfile::addressOfSpecialFastPathCount):
1281         (JSC::ResultProfile::hasBits):
1282         (JSC::ResultProfile::setBit):
1283         (JSC::getResultProfileBytecodeOffset):
1284         * jit/JITArithmetic.cpp:
1285         (JSC::JIT::emit_op_div):
1286         (JSC::JIT::emit_op_mul):
1287         * jit/JITDivGenerator.cpp:
1288         (JSC::JITDivGenerator::generateFastPath):
1289         * jit/JITDivGenerator.h:
1290         (JSC::JITDivGenerator::JITDivGenerator):
1291         * jit/JITMulGenerator.cpp:
1292         (JSC::JITMulGenerator::generateFastPath):
1293         * jit/JITMulGenerator.h:
1294         (JSC::JITMulGenerator::JITMulGenerator):
1295         * runtime/CommonSlowPaths.cpp:
1296         (JSC::SLOW_PATH_DECL):
1297
1298 2015-12-18  Keith Miller  <keith_miller@apple.com>
1299
1300         verboseDFGByteCodeParsing option should show the bytecode it is parsing.
1301         https://bugs.webkit.org/show_bug.cgi?id=152434
1302
1303         Reviewed by Michael Saboff.
1304
1305         * dfg/DFGByteCodeParser.cpp:
1306         (JSC::DFG::ByteCodeParser::parseBlock):
1307
1308 2015-12-18  Csaba Osztrogonác  <ossy@webkit.org>
1309
1310         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
1311         https://bugs.webkit.org/show_bug.cgi?id=152214
1312
1313         Reviewed by Mark Lam.
1314
1315         Relanding r194007 after r194248.
1316
1317         * jit/CCallHelpers.h:
1318         (JSC::CCallHelpers::setupArgumentsWithExecState):
1319
1320 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1321
1322         Web Inspector: Remove "local" scope type from the protocol
1323         https://bugs.webkit.org/show_bug.cgi?id=152409
1324
1325         Reviewed by Timothy Hatcher.
1326
1327         After r194251 the backend no longer sends this scope type.
1328         So remove it from the protocol.
1329
1330         The concept of a Local Scope should be calculable by the
1331         frontend. In fact the way the backend used to do this could
1332         easily be done by the frontend. To be done in a follow-up.
1333
1334         * inspector/InjectedScriptSource.js:
1335         * inspector/JSJavaScriptCallFrame.h:
1336         * inspector/protocol/Debugger.json:
1337
1338 2015-12-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1339
1340         [INTL] Implement Collator Compare Functions
1341         https://bugs.webkit.org/show_bug.cgi?id=147604
1342
1343         Reviewed by Darin Adler.
1344
1345         This patch implements Intl.Collator.prototype.compare() according
1346         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
1347
1348         * runtime/IntlCollator.cpp:
1349         (JSC::IntlCollator::~IntlCollator):
1350         (JSC::sortLocaleData):
1351         (JSC::searchLocaleData):
1352         (JSC::IntlCollator::initializeCollator):
1353         (JSC::IntlCollator::createCollator):
1354         (JSC::IntlCollator::compareStrings):
1355         (JSC::IntlCollator::usageString):
1356         (JSC::IntlCollator::sensitivityString):
1357         (JSC::IntlCollator::resolvedOptions):
1358         (JSC::IntlCollator::setBoundCompare):
1359         (JSC::IntlCollatorFuncCompare): Deleted.
1360         * runtime/IntlCollator.h:
1361         (JSC::IntlCollator::usage): Deleted.
1362         (JSC::IntlCollator::setUsage): Deleted.
1363         (JSC::IntlCollator::locale): Deleted.
1364         (JSC::IntlCollator::setLocale): Deleted.
1365         (JSC::IntlCollator::collation): Deleted.
1366         (JSC::IntlCollator::setCollation): Deleted.
1367         (JSC::IntlCollator::numeric): Deleted.
1368         (JSC::IntlCollator::setNumeric): Deleted.
1369         (JSC::IntlCollator::sensitivity): Deleted.
1370         (JSC::IntlCollator::setSensitivity): Deleted.
1371         (JSC::IntlCollator::ignorePunctuation): Deleted.
1372         (JSC::IntlCollator::setIgnorePunctuation): Deleted.
1373         * runtime/IntlCollatorConstructor.cpp:
1374         (JSC::constructIntlCollator):
1375         (JSC::callIntlCollator):
1376         (JSC::sortLocaleData): Deleted.
1377         (JSC::searchLocaleData): Deleted.
1378         (JSC::initializeCollator): Deleted.
1379         * runtime/IntlCollatorPrototype.cpp:
1380         (JSC::IntlCollatorFuncCompare):
1381         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1382         * runtime/IntlObject.cpp:
1383         (JSC::defaultLocale):
1384         (JSC::convertICULocaleToBCP47LanguageTag):
1385         (JSC::intlStringOption):
1386         (JSC::resolveLocale):
1387         (JSC::supportedLocales):
1388         * runtime/IntlObject.h:
1389         * runtime/JSGlobalObject.cpp:
1390         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
1391         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
1392         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
1393
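The compare function this entry implements is observable from script, and its results depend on the collator options more than the one-line description suggests. The block below is an added example written for this page, not JavaScriptCore code or one of its tests; every function name in it is invented for the demonstration, the sample inputs are constructed, and the "en" locale is assumed to be available. It shows the numeric option, the four sensitivity levels, that the compare getter returns a bound function usable directly as a sort comparator (the setBoundCompare entry above), and what resolvedOptions() reports.

```javascript
// Added example (not JavaScriptCore code): Intl.Collator.prototype.compare
// under the ECMA-402 options the collator exposes. All inputs are constructed;
// the "en" locale is assumed to be present in the runtime's ICU data.

function sortWith(options, words) {
  // compare is a bound function (the getter returns one), so it can be handed
  // to Array.prototype.sort without re-binding `this`.
  const collator = new Intl.Collator("en", options);
  return [...words].sort(collator.compare);
}

// "numeric" orders digit runs by magnitude instead of code point by code point.
function numericOrder(words) {
  return sortWith({ numeric: true }, words);
}

function codePointOrder(words) {
  return sortWith({ numeric: false }, words);
}

// Equality under a given sensitivity. Anyone using a collator as an equality
// check should note that with "base" or "accent" visually different strings
// (case or diacritic differences) compare as 0.
function equalUnder(sensitivity, left, right) {
  return new Intl.Collator("en", { sensitivity }).compare(left, right) === 0;
}

// resolvedOptions() reports what the collator actually uses, including the
// spec defaults: usage "sort", sensitivity "variant", numeric false.
function effectiveOptions(options) {
  const { usage, sensitivity, numeric, ignorePunctuation } =
    new Intl.Collator("en", options).resolvedOptions();
  return { usage, sensitivity, numeric, ignorePunctuation };
}

// Constructed sample: version-like strings where the two orderings differ.
const SAMPLE_VERSIONS = ["10", "9", "2", "1"];
```

Running numericOrder and codePointOrder over SAMPLE_VERSIONS gives 1, 2, 9, 10 and 1, 10, 2, 9 respectively; equalUnder("base", "a", "á") is true while equalUnder("variant", "a", "á") is false.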
1394 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1395
1396         Provide a way to distinguish a nested lexical block from a function's lexical block
1397         https://bugs.webkit.org/show_bug.cgi?id=152361
1398
1399         Reviewed by Saam Barati.
1400
1401         * bytecompiler/BytecodeGenerator.h:
1402         * bytecompiler/BytecodeGenerator.cpp:
1403         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1404         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1405         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1406         (JSC::BytecodeGenerator::emitPushCatchScope):
1407         Each of these is a specialized scope. They are not nested lexical scopes.
1408         
1409         (JSC::BytecodeGenerator::pushLexicalScope):
1410         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1411         Include an extra parameter to mark the SymbolTable as a nested lexical scope or not.
1412
1413         * bytecompiler/NodesCodegen.cpp:
1414         (JSC::BlockNode::emitBytecode):
1415         (JSC::ForNode::emitBytecode):
1416         (JSC::ForInNode::emitMultiLoopBytecode):
1417         (JSC::ForOfNode::emitBytecode):
1418         (JSC::SwitchNode::emitBytecode):
1419         (JSC::ClassExprNode::emitBytecode):
1420         Each of these is a case of a non-function nested lexical scope,
1421         so mark the SymbolTable as nested.
1422
1423         * inspector/protocol/Debugger.json:
1424         * inspector/InjectedScriptSource.js:
1425         Include a new scope type.
1426
1427         * inspector/JSJavaScriptCallFrame.h:
1428         * inspector/JSJavaScriptCallFrame.cpp:
1429         (Inspector::JSJavaScriptCallFrame::scopeType):
1430         Use the new "NestedLexical" scope type for nested, non-function,
1431         lexical scopes. The Inspector can use this to better describe
1432         this scope in the frontend.
1433
1434         * debugger/DebuggerScope.cpp:
1435         (JSC::DebuggerScope::isNestedLexicalScope):
1436         * debugger/DebuggerScope.h:
1437         * runtime/JSScope.cpp:
1438         (JSC::JSScope::isNestedLexicalScope):
1439         * runtime/JSScope.h:
1440         * runtime/SymbolTable.cpp:
1441         (JSC::SymbolTable::SymbolTable):
1442         (JSC::SymbolTable::cloneScopePart):
1443         * runtime/SymbolTable.h:
1444         Access the isNestedLexicalScope bit.
1445
1446 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1447
1448         Unreviewed EFL Build Fix after r194247.
1449
1450         * interpreter/CallFrame.cpp:
1451         (JSC::CallFrame::friendlyFunctionName):
1452         Handle compilers that don't realize the switch handles all cases.
1453
1454 2015-12-17  Keith Miller  <keith_miller@apple.com>
1455
1456         [ES6] Add support for Symbol.hasInstance
1457         https://bugs.webkit.org/show_bug.cgi?id=151839
1458
1459         Reviewed by Saam Barati.
1460
1461         Fixed version of r193986, r193983, and r193974.
1462
1463         This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
1464         regressions several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
1465         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
1466         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
1467         new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
1468         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
1469         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
1470         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
1471         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
1472         emits a call to slow path code that computes the result.
1473
1474         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
1475         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
1476         it into a CheckTypeInfoFlags followed by a JSConstant.
1477
1478         * API/JSCallbackObject.h:
1479         * builtins/FunctionPrototype.js:
1480         (symbolHasInstance):
1481         * bytecode/BytecodeBasicBlock.cpp:
1482         (JSC::isBranch): Deleted.
1483         * bytecode/BytecodeList.json:
1484         * bytecode/BytecodeUseDef.h:
1485         (JSC::computeUsesForBytecodeOffset):
1486         (JSC::computeDefsForBytecodeOffset):
1487         * bytecode/CodeBlock.cpp:
1488         (JSC::CodeBlock::dumpBytecode):
1489         * bytecode/ExitKind.cpp:
1490         (JSC::exitKindToString):
1491         * bytecode/ExitKind.h:
1492         * bytecode/PreciseJumpTargets.cpp:
1493         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
1494         * bytecompiler/BytecodeGenerator.cpp:
1495         (JSC::BytecodeGenerator::emitOverridesHasInstance):
1496         (JSC::BytecodeGenerator::emitInstanceOfCustom):
1497         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
1498         * bytecompiler/BytecodeGenerator.h:
1499         * bytecompiler/NodesCodegen.cpp:
1500         (JSC::InstanceOfNode::emitBytecode):
1501         * dfg/DFGAbstractInterpreterInlines.h:
1502         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1503         * dfg/DFGByteCodeParser.cpp:
1504         (JSC::DFG::ByteCodeParser::parseBlock):
1505         * dfg/DFGCapabilities.cpp:
1506         (JSC::DFG::capabilityLevel):
1507         * dfg/DFGClobberize.h:
1508         (JSC::DFG::clobberize):
1509         * dfg/DFGDoesGC.cpp:
1510         (JSC::DFG::doesGC):
1511         * dfg/DFGFixupPhase.cpp:
1512         (JSC::DFG::FixupPhase::fixupNode):
1513         * dfg/DFGHeapLocation.cpp:
1514         (WTF::printInternal):
1515         * dfg/DFGHeapLocation.h:
1516         * dfg/DFGNode.h:
1517         (JSC::DFG::Node::hasCellOperand):
1518         (JSC::DFG::Node::hasTypeInfoOperand):
1519         (JSC::DFG::Node::typeInfoOperand):
1520         * dfg/DFGNodeType.h:
1521         * dfg/DFGPredictionPropagationPhase.cpp:
1522         (JSC::DFG::PredictionPropagationPhase::propagate):
1523         * dfg/DFGSafeToExecute.h:
1524         (JSC::DFG::safeToExecute):
1525         * dfg/DFGSpeculativeJIT.cpp:
1526         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1527         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
1528         * dfg/DFGSpeculativeJIT.h:
1529         (JSC::DFG::SpeculativeJIT::callOperation):
1530         * dfg/DFGSpeculativeJIT32_64.cpp:
1531         (JSC::DFG::SpeculativeJIT::compile):
1532         * dfg/DFGSpeculativeJIT64.cpp:
1533         (JSC::DFG::SpeculativeJIT::compile):
1534         * ftl/FTLCapabilities.cpp:
1535         (JSC::FTL::canCompile):
1536         * ftl/FTLIntrinsicRepository.h:
1537         * ftl/FTLLowerDFGToLLVM.cpp:
1538         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1539         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
1540         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
1541         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1542         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
1543         * jit/JIT.cpp:
1544         (JSC::JIT::privateCompileMainPass):
1545         (JSC::JIT::privateCompileSlowCases):
1546         * jit/JIT.h:
1547         * jit/JITInlines.h:
1548         (JSC::JIT::callOperation):
1549         * jit/JITOpcodes.cpp:
1550         (JSC::JIT::emit_op_overrides_has_instance):
1551         (JSC::JIT::emit_op_instanceof):
1552         (JSC::JIT::emit_op_instanceof_custom):
1553         (JSC::JIT::emitSlow_op_instanceof):
1554         (JSC::JIT::emitSlow_op_instanceof_custom):
1555         (JSC::JIT::emit_op_check_has_instance): Deleted.
1556         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1557         * jit/JITOpcodes32_64.cpp:
1558         (JSC::JIT::emit_op_overrides_has_instance):
1559         (JSC::JIT::emit_op_instanceof):
1560         (JSC::JIT::emit_op_instanceof_custom):
1561         (JSC::JIT::emitSlow_op_instanceof_custom):
1562         (JSC::JIT::emit_op_check_has_instance): Deleted.
1563         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1564         * jit/JITOperations.cpp:
1565         * jit/JITOperations.h:
1566         * llint/LLIntData.cpp:
1567         (JSC::LLInt::Data::performAssertions):
1568         * llint/LLIntSlowPaths.cpp:
1569         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1570         * llint/LLIntSlowPaths.h:
1571         * llint/LowLevelInterpreter32_64.asm:
1572         * llint/LowLevelInterpreter64.asm:
1573         * runtime/CommonIdentifiers.h:
1574         * runtime/ExceptionHelpers.cpp:
1575         (JSC::invalidParameterInstanceofSourceAppender):
1576         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
1577         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
1578         (JSC::createInvalidInstanceofParameterErrorNotFunction):
1579         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
1580         (JSC::createInvalidInstanceofParameterError): Deleted.
1581         * runtime/ExceptionHelpers.h:
1582         * runtime/FunctionPrototype.cpp:
1583         (JSC::FunctionPrototype::addFunctionProperties):
1584         * runtime/FunctionPrototype.h:
1585         * runtime/JSBoundFunction.cpp:
1586         (JSC::isBoundFunction):
1587         (JSC::hasInstanceBoundFunction):
1588         * runtime/JSBoundFunction.h:
1589         * runtime/JSGlobalObject.cpp:
1590         (JSC::JSGlobalObject::init):
1591         (JSC::JSGlobalObject::visitChildren):
1592         * runtime/JSGlobalObject.h:
1593         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
1594         * runtime/JSObject.cpp:
1595         (JSC::JSObject::hasInstance):
1596         (JSC::objectPrivateFuncInstanceOf):
1597         * runtime/JSObject.h:
1598         * runtime/JSTypeInfo.h:
1599         (JSC::TypeInfo::TypeInfo):
1600         (JSC::TypeInfo::overridesHasInstance):
1601         * runtime/WriteBarrier.h:
1602         (JSC::WriteBarrierBase<Unknown>::slot):
1603         * tests/es6.yaml:
1604         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
1605         (Constructor):
1606         (value):
1607         (instanceOf):
1608         (body):
1609         * tests/stress/symbol-hasInstance.js: Added.
1610         (Constructor):
1611         (value):
1612         (ObjectClass.Symbol.hasInstance):
1613         (NumberClass.Symbol.hasInstance):
1614
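The resolution order this entry describes (the constructor's own Symbol.hasInstance wins; otherwise Function.prototype[Symbol.hasInstance] does the ordinary prototype walk, unwrapping bound functions) can be observed from script. The block below is an added example written for this page, not JavaScriptCore code or one of the stress tests listed above; every function and class name in it is invented for the demonstration. It also makes the security point a reviewer should take from this change: once the right-hand side decides the answer, `x instanceof Foo` is not a trustworthy type check when that right-hand side can come from untrusted code.

```javascript
// Added example (not JavaScriptCore code): how an instanceof expression is
// resolved once Symbol.hasInstance is honoured. Names are invented.

function defaultInstanceof() {
  function F() {}
  const obj = new F();
  // Function.prototype[Symbol.hasInstance] performs OrdinaryHasInstance:
  // walk obj's prototype chain looking for F.prototype.
  return obj instanceof F && !({} instanceof F);
}

function customHasInstance() {
  // A static Symbol.hasInstance on the constructor shadows the default, so the
  // right-hand side alone decides the result.
  class Even {
    static [Symbol.hasInstance](value) {
      return Number.isInteger(value) && value % 2 === 0;
    }
  }
  // The right-hand side need not even be callable: any object carrying a
  // Symbol.hasInstance method is consulted first.
  const Anything = { [Symbol.hasInstance]: () => true };
  return [4 instanceof Even, 5 instanceof Even, "4" instanceof Even, "x" instanceof Anything];
}

function boundFunctionInstanceof() {
  // A bound function has no own .prototype; OrdinaryHasInstance unwraps it to
  // the target function, which is the "bound/C-API function" case above.
  function Target() {}
  const Bound = Target.bind(null);
  return new Target() instanceof Bound;
}

function generatorFunctionInstanceof() {
  // A generator function's [[Prototype]] is %GeneratorFunction.prototype%, not
  // Function.prototype, yet the default prototype walk still reaches
  // Function.prototype one step further up the chain.
  const gen = function* () {};
  return Object.getPrototypeOf(gen) !== Function.prototype && gen instanceof Function;
}

// Reports "true"/"false" or the thrown error's class name, so both failure
// modes this patch gives distinct messages for can be distinguished:
// a non-callable RHS without Symbol.hasInstance, and a Symbol.hasInstance
// value that is not a function.
function instanceofErrorKind(rhs) {
  try {
    const probe = {};
    return probe instanceof rhs ? "true" : "false";
  } catch (e) {
    return e.constructor.name;
  }
}
```

customHasInstance() returns [true, false, false, true]; instanceofErrorKind({}) and instanceofErrorKind({ [Symbol.hasInstance]: 42 }) both return "TypeError", while instanceofErrorKind(function () {}) returns "false".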
1615 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1616
1617         Web Inspector: Improve names in Debugger Call Stack section when paused
1618         https://bugs.webkit.org/show_bug.cgi?id=152398
1619
1620         Reviewed by Brian Burg.
1621
1622         * debugger/DebuggerCallFrame.cpp:
1623         (JSC::DebuggerCallFrame::functionName):
1624         Provide a better name from the underlying CallFrame.
1625
1626         * inspector/InjectedScriptSource.js:
1627         (InjectedScript.CallFrameProxy):
1628         Just call functionName; it will provide a better-than-nothing
1629         function name.
1630
1631         * runtime/JSFunction.cpp:
1632         (JSC::getCalculatedDisplayName):
1633         Use emptyString().
1634
1635         * interpreter/CallFrame.h:
1636         * interpreter/CallFrame.cpp:
1637         (JSC::CallFrame::friendlyFunctionName):
1638         This is the third similar implementation of this,
1639         but all other cases use other "StackFrame" objects.
1640         Use the expected names for program code.
1641
1642 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1643
1644         Web Inspector: Add JSContext Script Profiling
1645         https://bugs.webkit.org/show_bug.cgi?id=151899
1646
1647         Reviewed by Brian Burg.
1648
1649         Extend JSC::Debugger to include a profiling client interface
1650         that the Inspector can implement to be told about script execution
1651         entry and exit points. Add new profiledCall/Evaluate/Construct
1652         methods that are entry points that will notify the profiling
1653         client if it exists.
1654
1655         By putting the profiling client on Debugger it avoids having
1656         special code paths for a JSGlobalObject being JSContext inspected
1657         or a JSGlobalObject in a Page being Web inspected. In either case
1658         the JSGlobalObject can go through its debugger() which always
1659         reaches the correct inspector instance.
1660
1661         * CMakeLists.txt:
1662         * DerivedSources.make:
1663         * JavaScriptCore.xcodeproj/project.pbxproj:
1664         Handle new files.
1665
1666         * runtime/CallData.cpp:
1667         (JSC::profiledCall):
1668         * runtime/CallData.h:
1669         * runtime/Completion.cpp:
1670         (JSC::profiledEvaluate):
1671         * runtime/Completion.h:
1672         (JSC::profiledEvaluate):
1673         * runtime/ConstructData.cpp:
1674         (JSC::profiledConstruct):
1675         * runtime/ConstructData.h:
1676         (JSC::profiledConstruct):
1677         Create profiled versions of interpreter entry points. If a profiler client is
1678         available, this will automatically inform it of entry/exit. Include a reason
1679         why this is being profiled. Currently all reasons in JavaScriptCore are enumerated
1680         (API, Microtask) and Other is to be used by WebCore or future clients.
1681
1682         * debugger/ScriptProfilingScope.h: Added.
1683         (JSC::ScriptProfilingScope::ScriptProfilingScope):
1684         (JSC::ScriptProfilingScope::~ScriptProfilingScope):
1685         (JSC::ScriptProfilingScope::shouldStartProfile):
1686         (JSC::ScriptProfilingScope::shouldEndProfile):
1687         At profiled entry points inform the profiling client if needed.
1688
1689         * API/JSBase.cpp:
1690         (JSEvaluateScript):
1691         * API/JSObjectRef.cpp:
1692         (JSObjectCallAsFunction):
1693         (JSObjectCallAsConstructor):
1694         * runtime/JSJob.cpp:
1695         (JSC::JSJobMicrotask::run):
1696         Use the profiled functions for API and Microtask execution entry points.
1697
1698         * runtime/JSGlobalObject.cpp:
1699         (JSC::JSGlobalObject::hasProfiler):
1700         * runtime/JSGlobalObject.h:
1701         (JSC::JSGlobalObject::hasProfiler):
1702         Extend hasProfiler to also check the new Debugger script profiler.
1703
1704         * debugger/Debugger.cpp:
1705         (JSC::Debugger::setProfilingClient):
1706         (JSC::Debugger::willEvaluateScript):
1707         (JSC::Debugger::didEvaluateScript):
1708         * debugger/Debugger.h:
1709         Pass through to the profiling client.
1710
1711         * inspector/protocol/ScriptProfiler.json: Added.
1712         * inspector/agents/InspectorScriptProfilerAgent.cpp: Added.
1713         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1714         (Inspector::InspectorScriptProfilerAgent::~InspectorScriptProfilerAgent):
1715         (Inspector::InspectorScriptProfilerAgent::didCreateFrontendAndBackend):
1716         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
1717         (Inspector::InspectorScriptProfilerAgent::startTracking):
1718         (Inspector::InspectorScriptProfilerAgent::stopTracking):
1719         (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
1720         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
1721         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
1722         (Inspector::toProtocol):
1723         (Inspector::InspectorScriptProfilerAgent::addEvent):
1724         (Inspector::buildAggregateCallInfoInspectorObject):
1725         (Inspector::buildInspectorObject):
1726         (Inspector::buildProfileInspectorObject):
1727         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1728         * inspector/agents/InspectorScriptProfilerAgent.h: Added.
1729         New ScriptProfiler domain to just turn on / off script profiling.
1730         It introduces a start/update/complete event model which we want
1731         to include in new domains.
1732
1733         * inspector/InspectorEnvironment.h:
1734         * inspector/InjectedScriptBase.cpp:
1735         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1736         Simplify this now that we want it to be the same for all clients.
1737
1738         * inspector/JSGlobalObjectInspectorController.h:
1739         * inspector/JSGlobalObjectInspectorController.cpp:
1740         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1741         Create the new agent.
1742
1743         * inspector/InspectorProtocolTypes.h:
1744         (Inspector::Protocol::Array::addItem):
1745         Allow pushing a double onto a Protocol::Array.
1746
1747 2015-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1748
1749         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
1750         https://bugs.webkit.org/show_bug.cgi?id=152227
1751
1752         Reviewed by Saam Barati.
1753
1754         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
1755         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
1756         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
1757
1758         Instead of extending NewFunction / PhantomNewFunction, we just added new DFG nodes, NewGeneratorFunction and PhantomNewGeneratorFunction.
1759         This is because NewGeneratorFunction will generate an object that has different class info from JSFunction (And if JSGeneratorFunction is extended, its size will become different from JSFunction).
1760         So, rather than extending NewFunction with generator flag, just adding new DFG nodes seems cleaner.
1761
1762         Object allocation sinking phase will change NewGeneratorFunction to PhantomNewGeneratorFunction and defer or eliminate its actual materialization.
1763         It is exactly the same as for NewFunction and PhantomNewFunction.
1764         And when OSR exit occurs, we need to execute the deferred NewGeneratorFunction, since the Baseline JIT does not consider it.
1765         So in FTL operation, we should create JSGeneratorFunction if we see PhantomNewGeneratorFunction materialization.
1766
1767         * dfg/DFGAbstractInterpreterInlines.h:
1768         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1769         * dfg/DFGByteCodeParser.cpp:
1770         (JSC::DFG::ByteCodeParser::parseBlock):
1771         * dfg/DFGCapabilities.cpp:
1772         (JSC::DFG::capabilityLevel):
1773         * dfg/DFGClobberize.h:
1774         (JSC::DFG::clobberize):
1775         * dfg/DFGClobbersExitState.cpp:
1776         (JSC::DFG::clobbersExitState):
1777         * dfg/DFGDoesGC.cpp:
1778         (JSC::DFG::doesGC):
1779         * dfg/DFGFixupPhase.cpp:
1780         (JSC::DFG::FixupPhase::fixupNode):
1781         * dfg/DFGMayExit.cpp:
1782         (JSC::DFG::mayExit):
1783         * dfg/DFGNode.h:
1784         (JSC::DFG::Node::convertToPhantomNewFunction):
1785         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
1786         (JSC::DFG::Node::hasCellOperand):
1787         (JSC::DFG::Node::isFunctionAllocation):
1788         (JSC::DFG::Node::isPhantomFunctionAllocation):
1789         (JSC::DFG::Node::isPhantomAllocation):
1790         * dfg/DFGNodeType.h:
1791         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1792         * dfg/DFGPredictionPropagationPhase.cpp:
1793         (JSC::DFG::PredictionPropagationPhase::propagate):
1794         * dfg/DFGSafeToExecute.h:
1795         (JSC::DFG::safeToExecute):
1796         * dfg/DFGSpeculativeJIT.cpp:
1797         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1798         * dfg/DFGSpeculativeJIT32_64.cpp:
1799         (JSC::DFG::SpeculativeJIT::compile):
1800         * dfg/DFGSpeculativeJIT64.cpp:
1801         (JSC::DFG::SpeculativeJIT::compile):
1802         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1803         * dfg/DFGStructureRegistrationPhase.cpp:
1804         (JSC::DFG::StructureRegistrationPhase::run):
1805         * dfg/DFGValidate.cpp:
1806         (JSC::DFG::Validate::validateCPS):
1807         (JSC::DFG::Validate::validateSSA):
1808         * ftl/FTLCapabilities.cpp:
1809         (JSC::FTL::canCompile):
1810         * ftl/FTLLowerDFGToLLVM.cpp:
1811         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1812         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1813         * ftl/FTLOperations.cpp:
1814         (JSC::FTL::operationPopulateObjectInOSR):
1815         (JSC::FTL::operationMaterializeObjectInOSR):
1816         * tests/stress/generator-function-create-optimized.js: Added.
1817         (shouldBe):
1818         (g):
1819         (test.return.gen):
1820         (test):
1821         (test2.gen):
1822         (test2):
1823         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
1824         (shouldBe):
1825         (GeneratorFunctionPrototype):
1826         (call):
1827         (f):
1828         (sink):
1829         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
1830         (shouldBe):
1831         (GeneratorFunctionPrototype):
1832         (g):
1833         (f):
1834         (sink):
1835         * tests/stress/generator-function-declaration-sinking-put.js: Added.
1836         (shouldBe):
1837         (GeneratorFunctionPrototype):
1838         (g):
1839         (f):
1840         (sink):
1841         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
1842         (shouldBe):
1843         (GeneratorFunctionPrototype):
1844         (call):
1845         (f):
1846         (sink):
1847         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
1848         (shouldBe):
1849         (GeneratorFunctionPrototype):
1850         (g):
1851         (sink):
1852         * tests/stress/generator-function-expression-sinking-put.js: Added.
1853         (shouldBe):
1854         (GeneratorFunctionPrototype):
1855         (g):
1856         (sink):
1857
1858 2015-12-16  Michael Saboff  <msaboff@apple.com>
1859
1860         ARM64 MacroAssembler improperly reuses data temp register in test32() and test8() calls
1861         https://bugs.webkit.org/show_bug.cgi?id=152370
1862
1863         Reviewed by Benjamin Poulain.
1864
1865         Changed the test8/32(Address, Register) flavors to use the memoryTempRegister for loading the value
1866         at Address so that it doesn't collide with the subsequent use of dataTempRegister by the
1867         test32(Register, Register) function.
1868
1869         * assembler/MacroAssemblerARM64.h:
1870         (JSC::MacroAssemblerARM64::test32):
1871         (JSC::MacroAssemblerARM64::test8):
1872
1873 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1874
1875         FTL B3 should support switches
1876         https://bugs.webkit.org/show_bug.cgi?id=152360
1877
1878         Reviewed by Geoffrey Garen.
1879
1880         I implemented this because I was hoping it would let us run V8/crypto, but instead it just led
1881         me to file a fun bug: https://bugs.webkit.org/show_bug.cgi?id=152365.
1882
1883         * ftl/FTLB3Output.h:
1884         (JSC::FTL::Output::check):
1885         (JSC::FTL::Output::switchInstruction):
1886         (JSC::FTL::Output::ret):
1887         * ftl/FTLLowerDFGToLLVM.cpp:
1888         (JSC::FTL::DFG::ftlUnreachable):
1889         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
1890
1891 2015-12-16  Alex Christensen  <achristensen@webkit.org>
1892
1893         Fix internal Windows build
1894         https://bugs.webkit.org/show_bug.cgi?id=152364
1895
1896         Reviewed by Tim Horton.
1897
1898         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1899
1900 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1901
1902         Improve JSObject::put performance
1903         https://bugs.webkit.org/show_bug.cgi?id=152347
1904
1905         Reviewed by Geoffrey Garen.
1906
1907         This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
1908         query objects. This also adds some optimizations to make the JSObject::put code faster by making
1909         it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
1910         Inlining it is optional because the put() method is large. If you want it inlined, call
1911         putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().
1912
1913         This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
1914         JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
1915         JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
1916         Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
1917         that we're not a static put_by_id, which turns off some type inference.
1918
1919         Get By Id: 2% faster
1920         Put By Id Replace: 23% faster
1921         Put By Id Transition + object allocation: 11% faster
1922         Get By Id w/ dynamic context: 5% faster
1923         Put By Id Replace w/ dynamic context: 25% faster
1924         Put By Id Transition + object allocation w/ dynamic context: 10% faster
1925
1926         * JavaScriptCore.xcodeproj/project.pbxproj:
1927         * dynbench.cpp: Added.
1928         (JSC::benchmarkImpl):
1929         (main):
1930         * jit/CallFrameShuffler32_64.cpp:
1931         * jit/CallFrameShuffler64.cpp:
1932         * jit/JITOperations.cpp:
1933         * llint/LLIntSlowPaths.cpp:
1934         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1935         * runtime/ClassInfo.h:
1936         (JSC::ClassInfo::hasStaticProperties):
1937         * runtime/ConsoleClient.cpp:
1938         * runtime/CustomGetterSetter.h:
1939         * runtime/ErrorInstance.cpp:
1940         (JSC::ErrorInstance::finishCreation):
1941         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1942         * runtime/GetterSetter.h:
1943         (JSC::asGetterSetter):
1944         * runtime/JSCInlines.h:
1945         * runtime/JSCJSValue.h:
1946         * runtime/JSCJSValueInlines.h:
1947         (JSC::JSValue::put):
1948         (JSC::JSValue::putInternal):
1949         (JSC::JSValue::putByIndex):
1950         * runtime/JSObject.cpp:
1951         (JSC::JSObject::put):
1952         (JSC::JSObject::putByIndex):
1953         * runtime/JSObject.h:
1954         (JSC::JSObject::getVectorLength):
1955         (JSC::JSObject::inlineGetOwnPropertySlot):
1956         (JSC::JSObject::get):
1957         (JSC::JSObject::putDirectInternal):
1958
1959 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1960
1961         Work around a bug in LLVM by flipping the unification order
1962         https://bugs.webkit.org/show_bug.cgi?id=152341
1963         rdar://problem/23920749
1964
1965         Reviewed by Mark Lam.
1966
1967         * dfg/DFGUnificationPhase.cpp:
1968         (JSC::DFG::UnificationPhase::run):
1969
1970 2015-12-16  Saam barati  <sbarati@apple.com>
1971
1972         Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
1973         https://bugs.webkit.org/show_bug.cgi?id=152337
1974
1975         Reviewed by Mark Lam.
1976
1977         If we have a default constructor, we should also have a way
1978         to tell if a PreservedState is invalid.
1979
1980         * jit/ScratchRegisterAllocator.cpp:
1981         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1982         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1983         * jit/ScratchRegisterAllocator.h:
1984         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
1985         (JSC::ScratchRegisterAllocator::PreservedState::operator bool):
1986
1987 2015-12-16  Caitlin Potter  <caitp@igalia.com>
1988
1989         [JSC] fix error message for eval/arguments CoverInitializedName in strict code
1990         https://bugs.webkit.org/show_bug.cgi?id=152304
1991
1992         Reviewed by Darin Adler.
1993
1994         Because the error was originally classified as indicating a Pattern, the
1995         error in AssignmentPattern parsing causes the reported message to revert to
1996         the original Expression error message, which in this case is incorrect.
1997
1998         This change modifies the implementation of the strict code
1999         error slightly, and reclassifies the error to prevent the message revert,
2000         which improves the clarity of the message overall.
2001
2002         * parser/Parser.cpp:
2003         (JSC::Parser<LexerType>::parseAssignmentElement):
2004         (JSC::Parser<LexerType>::parseDestructuringPattern):
2005         * parser/Parser.h:
2006         (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
2007         (JSC::Parser::reclassifyExpressionError):
2008         * tests/stress/destructuring-assignment-syntax.js:
2009
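The three outcomes this entry distinguishes (a valid AssignmentPattern, the strict-mode error for eval/arguments as a destructuring target, and a CoverInitializedName that never becomes a pattern) can be reproduced by parsing small sources with the Function constructor, which parses a body without running it and treats it as sloppy code unless the body carries its own "use strict" directive. The block below is an added example written for this page, not JavaScriptCore code or its destructuring-assignment-syntax test; the function names are invented, and only the error class is checked because the message text is what differs between engines.

```javascript
// Added example (not JavaScriptCore code): classify how a parser treats
// "{ eval = 1 }" in the cases the entry above describes. Names are invented.

function parseOutcome(source) {
  try {
    new Function(source); // parse only; the body never executes
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

function coverInitializedNameCases() {
  return {
    // Sloppy code: { eval = 1 } is reparsed as an AssignmentPattern and
    // assigning to eval is permitted, so this is valid.
    sloppyPattern: parseOutcome("({ eval = 1 } = {});"),
    // Strict code: same pattern, but eval is not a valid assignment target,
    // so the error must describe the strict-mode restriction, not the
    // earlier "expression" interpretation.
    strictEval: parseOutcome('"use strict"; ({ eval = 1 } = {});'),
    strictArguments: parseOutcome('"use strict"; ({ arguments = 1 } = {});'),
    // Never followed by "=": the CoverInitializedName stays an object literal
    // with an illegal shorthand initializer, a SyntaxError in any mode.
    notAPattern: parseOutcome("({ eval = 1 });"),
    // Control: an ordinary identifier is fine as a strict-mode target.
    plainStrictPattern: parseOutcome('"use strict"; ({ x = 1 } = {});'),
  };
}
```

coverInitializedNameCases() yields "ok" for sloppyPattern and plainStrictPattern and "SyntaxError" for the other three.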
2010 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
2011
2012         Builtin source should be minified more
2013         https://bugs.webkit.org/show_bug.cgi?id=152290
2014
2015         Reviewed by Darin Adler.
2016
2017         * Scripts/builtins/builtins_model.py:
2018         (BuiltinFunction.fromString):
2019         Remove primarily empty lines that would just introduce clutter.
2020         We only do the minification in non-Debug configurations, which
2021         is determined by the CONFIGURATION environment variable. You can
2022         see how tests would generate differently, like so:
2023         shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests
2024
2025 2015-12-16  Commit Queue  <commit-queue@webkit.org>
2026
2027         Unreviewed, rolling out r194135.
2028         https://bugs.webkit.org/show_bug.cgi?id=152333
2029
2030         due to missing OSR exit materialization support in FTL
2031         (Requested by yusukesuzuki on #webkit).
2032
2033         Reverted changeset:
2034
2035         "[ES6] Handle new_generator_func / new_generator_func_exp in
2036         DFG / FTL"
2037         https://bugs.webkit.org/show_bug.cgi?id=152227
2038         http://trac.webkit.org/changeset/194135
2039
2040 2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2041
2042         [Fetch API] Add fetch API compile time flag
2043         https://bugs.webkit.org/show_bug.cgi?id=152254
2044
2045         Reviewed by Darin Adler.
2046
2047         * Configurations/FeatureDefines.xcconfig:
2048
2049 2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2050
2051         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2052         https://bugs.webkit.org/show_bug.cgi?id=152227
2053
2054         Reviewed by Saam Barati.
2055
2056         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2057         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2058         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2059
2060         * dfg/DFGAbstractInterpreterInlines.h:
2061         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2062         * dfg/DFGByteCodeParser.cpp:
2063         (JSC::DFG::ByteCodeParser::parseBlock):
2064         * dfg/DFGCapabilities.cpp:
2065         (JSC::DFG::capabilityLevel):
2066         * dfg/DFGClobberize.h:
2067         (JSC::DFG::clobberize):
2068         * dfg/DFGClobbersExitState.cpp:
2069         (JSC::DFG::clobbersExitState):
2070         * dfg/DFGDoesGC.cpp:
2071         (JSC::DFG::doesGC):
2072         * dfg/DFGFixupPhase.cpp:
2073         (JSC::DFG::FixupPhase::fixupNode):
2074         * dfg/DFGMayExit.cpp:
2075         (JSC::DFG::mayExit):
2076         * dfg/DFGNode.h:
2077         (JSC::DFG::Node::convertToPhantomNewFunction):
2078         (JSC::DFG::Node::hasCellOperand):
2079         (JSC::DFG::Node::isFunctionAllocation):
2080         * dfg/DFGNodeType.h:
2081         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2082         * dfg/DFGPredictionPropagationPhase.cpp:
2083         (JSC::DFG::PredictionPropagationPhase::propagate):
2084         * dfg/DFGSafeToExecute.h:
2085         (JSC::DFG::safeToExecute):
2086         * dfg/DFGSpeculativeJIT.cpp:
2087         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2088         * dfg/DFGSpeculativeJIT32_64.cpp:
2089         (JSC::DFG::SpeculativeJIT::compile):
2090         * dfg/DFGSpeculativeJIT64.cpp:
2091         (JSC::DFG::SpeculativeJIT::compile):
2092         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2093         * dfg/DFGStructureRegistrationPhase.cpp:
2094         (JSC::DFG::StructureRegistrationPhase::run):
2095         * ftl/FTLCapabilities.cpp:
2096         (JSC::FTL::canCompile):
2097         * ftl/FTLLowerDFGToLLVM.cpp:
2098         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2099         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2100         * tests/stress/generator-function-create-optimized.js: Added.
2101         (shouldBe):
2102         (g):
2103         (test.return.gen):
2104         (test):
2105         (test2.gen):
2106         (test2):
2107         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2108         (shouldBe):
2109         (GeneratorFunctionPrototype):
2110         (call):
2111         (f):
2112         (sink):
2113         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2114         (shouldBe):
2115         (GeneratorFunctionPrototype):
2116         (g):
2117         (f):
2118         (sink):
2119         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2120         (shouldBe):
2121         (GeneratorFunctionPrototype):
2122         (g):
2123         (f):
2124         (sink):
2125         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2126         (shouldBe):
2127         (GeneratorFunctionPrototype):
2128         (call):
2129         (f):
2130         (sink):
2131         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2132         (shouldBe):
2133         (GeneratorFunctionPrototype):
2134         (g):
2135         (sink):
2136         * tests/stress/generator-function-expression-sinking-put.js: Added.
2137         (shouldBe):
2138         (GeneratorFunctionPrototype):
2139         (g):
2140         (sink):
2141
2142 2015-12-15  Mark Lam  <mark.lam@apple.com>
2143
2144         Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
2145         https://bugs.webkit.org/show_bug.cgi?id=152191 
2146
2147         Not reviewed.
2148
2149         * jit/JITArithmetic.cpp:
2150         (JSC::JIT::emitBitBinaryOpFastPath):
2151
2152 2015-12-15  Mark Lam  <mark.lam@apple.com>
2153
2154         Introducing ScratchRegisterAllocator::PreservedState.
2155         https://bugs.webkit.org/show_bug.cgi?id=152315
2156
2157         Reviewed by Geoffrey Garen.
2158
2159         restoreReusedRegistersByPopping() should always be called with 2 values that
2160         match the expectation of preserveReusedRegistersByPushing().  Those 2 values
2161         are the number of bytes preserved and the ExtraStackSpace requirement.  By
2162         encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
2163         it less error prone when calling restoreReusedRegistersByPopping().  Now, we only
2164         need to pass it the appropriate PreservedState that its matching
2165         preserveReusedRegistersByPushing() returned.
2166
2167         * bytecode/PolymorphicAccess.cpp:
2168         (JSC::AccessGenerationState::restoreScratch):
2169         (JSC::AccessCase::generate):
2170         (JSC::PolymorphicAccess::regenerate):
2171         * bytecode/PolymorphicAccess.h:
2172         (JSC::AccessGenerationState::AccessGenerationState):
2173         * ftl/FTLCompileBinaryOp.cpp:
2174         (JSC::FTL::generateBinaryBitOpFastPath):
2175         (JSC::FTL::generateRightShiftFastPath):
2176         (JSC::FTL::generateBinaryArithOpFastPath):
2177         * ftl/FTLLazySlowPath.cpp:
2178         (JSC::FTL::LazySlowPath::generate):
2179         * ftl/FTLLowerDFGToLLVM.cpp:
2180         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2181         * jit/ScratchRegisterAllocator.cpp:
2182         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2183         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2184         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2185         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2186         * jit/ScratchRegisterAllocator.h:
2187         (JSC::ScratchRegisterAllocator::usedRegisters):
2188         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
2189
2190 2015-12-15  Mark Lam  <mark.lam@apple.com>
2191
2192         Polymorphic operand types for DFG and FTL bit operators.
2193         https://bugs.webkit.org/show_bug.cgi?id=152191
2194
2195         Reviewed by Saam Barati.
2196
2197         * bytecode/SpeculatedType.h:
2198         (JSC::isUntypedSpeculationForBitOps):
2199         * dfg/DFGAbstractInterpreterInlines.h:
2200         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2201         * dfg/DFGNode.h:
2202         (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
2203         - Added a check for types that are not supported by ValueToInt32 and therefore
2204           should be treated as untyped for bitops.
2205
2206         * dfg/DFGClobberize.h:
2207         (JSC::DFG::clobberize):
2208         * dfg/DFGFixupPhase.cpp:
2209         (JSC::DFG::FixupPhase::fixupNode):
2210         - Handled untyped operands.
2211
2212         * dfg/DFGOperations.cpp:
2213         * dfg/DFGOperations.h:
2214         - Added DFG slow path functions for bitops.
2215
2216         * dfg/DFGSpeculativeJIT.cpp:
2217         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2218         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
2219         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2220         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2221         * dfg/DFGSpeculativeJIT.h:
2222         - Added DFG backend support for untyped operands for bitops.
2223
2224         * dfg/DFGStrengthReductionPhase.cpp:
2225         (JSC::DFG::StrengthReductionPhase::handleNode):
2226         - Limit bitops strength reduction only to when we don't have untyped operands.
2227           This is because values that are not int32s need to be converted to int32.
2228           Without untyped operands, the ValueToInt32 node takes care of this.
2229           With untyped operands, we cannot use ValueToInt32, and need to do the conversion
2230           in the code emitted for the bitop node itself.  For example:
2231
2232               5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
2233               "abc" | 0; // would yield "abc" instead of the expected 0 if we let
2234                          // strength reduction do its thing.
2235
2236         * ftl/FTLCompileBinaryOp.cpp:
2237         (JSC::FTL::generateBinaryBitOpFastPath):
2238         (JSC::FTL::generateRightShiftFastPath):
2239         (JSC::FTL::generateBinaryOpFastPath):
2240
2241         * ftl/FTLInlineCacheDescriptor.h:
2242         (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
2243         (JSC::FTL::BitAndDescriptor::icSize):
2244         (JSC::FTL::BitAndDescriptor::nodeType):
2245         (JSC::FTL::BitAndDescriptor::opName):
2246         (JSC::FTL::BitAndDescriptor::slowPathFunction):
2247         (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
2248         (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
2249         (JSC::FTL::BitOrDescriptor::icSize):
2250         (JSC::FTL::BitOrDescriptor::nodeType):
2251         (JSC::FTL::BitOrDescriptor::opName):
2252         (JSC::FTL::BitOrDescriptor::slowPathFunction):
2253         (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
2254         (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
2255         (JSC::FTL::BitXorDescriptor::icSize):
2256         (JSC::FTL::BitXorDescriptor::nodeType):
2257         (JSC::FTL::BitXorDescriptor::opName):
2258         (JSC::FTL::BitXorDescriptor::slowPathFunction):
2259         (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
2260         (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
2261         (JSC::FTL::BitLShiftDescriptor::icSize):
2262         (JSC::FTL::BitLShiftDescriptor::nodeType):
2263         (JSC::FTL::BitLShiftDescriptor::opName):
2264         (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
2265         (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
2266         (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
2267         (JSC::FTL::BitRShiftDescriptor::icSize):
2268         (JSC::FTL::BitRShiftDescriptor::nodeType):
2269         (JSC::FTL::BitRShiftDescriptor::opName):
2270         (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
2271         (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
2272         (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
2273         (JSC::FTL::BitURShiftDescriptor::icSize):
2274         (JSC::FTL::BitURShiftDescriptor::nodeType):
2275         (JSC::FTL::BitURShiftDescriptor::opName):
2276         (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
2277         (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
2278         - Added support for bitop ICs.
2279
2280         * ftl/FTLInlineCacheSize.cpp:
2281         (JSC::FTL::sizeOfBitAnd):
2282         (JSC::FTL::sizeOfBitOr):
2283         (JSC::FTL::sizeOfBitXor):
2284         (JSC::FTL::sizeOfBitLShift):
2285         (JSC::FTL::sizeOfBitRShift):
2286         (JSC::FTL::sizeOfBitURShift):
2287         * ftl/FTLInlineCacheSize.h:
2288         - Added new bitop IC sizes.  These are just estimates for now that work adequately,
2289           and are shown to not impact performance on benchmarks.  We will re-tune these
2290           size values later in another patch once all snippet ICs have been added.
2291
2292         * ftl/FTLLowerDFGToLLVM.cpp:
2293         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2294         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2295         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2296         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2297         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2298         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2299         - Added support for bitop ICs.
2300
2301         * jit/JITLeftShiftGenerator.cpp:
2302         (JSC::JITLeftShiftGenerator::generateFastPath):
2303         * jit/JITLeftShiftGenerator.h:
2304         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
2305         * jit/JITRightShiftGenerator.cpp:
2306         (JSC::JITRightShiftGenerator::generateFastPath):
2307         - The shift MASM operations need to ensure that the shiftAmount is not in the same
2308           register as the destination register.  With the baselineJIT and DFG, this is
2309           ensured in how we allocate these registers, and hence, the bug does not manifest.
2310           With the FTL, these registers are not guaranteed to be unique.  Hence, we need
2311           to fix the shift op snippet code to compensate for this. 
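
The ToInt32 conversion that an untyped bitop operand needs, written out as an added example in plain JavaScript (not JSC code): toInt32 follows the ECMAScript algorithm, mismatchesAgainstEngine cross-checks it against the engine's own `v | 0`, and identityFoldIsSound shows exactly when the `x | 0` strength reduction would be unsound. The sample operands are constructed.

```javascript
// ToInt32 as ECMAScript specifies it: ToNumber, then truncate, then wrap
// modulo 2^32 into the signed range. This is the work that ValueToInt32
// does for typed operands and that the bitop node itself must do for
// untyped ones. Added illustration in plain JavaScript, not JSC code.
const TWO_32 = 2 ** 32;
const TWO_31 = 2 ** 31;

function toInt32(value) {
  const n = Number(value);                 // ToNumber: "abc" -> NaN, "0x10" -> 16, null -> 0
  if (!Number.isFinite(n) || n === 0) {    // NaN, +-Infinity and +-0 all map to +0
    return 0;
  }
  const truncated = Math.trunc(n);         // drop the fraction: 5.5 -> 5, -1.9 -> -1
  const wrapped = ((truncated % TWO_32) + TWO_32) % TWO_32;   // into [0, 2^32)
  return wrapped >= TWO_31 ? wrapped - TWO_32 : wrapped;      // into [-2^31, 2^31)
}

// Constructed sample operands: int32 values, doubles, and the "untyped" kinds
// (strings, booleans, null/undefined, objects) that ValueToInt32 cannot take.
const SAMPLE_OPERANDS = [
  0, 1, -1, 42, 2 ** 31 - 1, -(2 ** 31),
  5.5, -1.9, -0.5, 2 ** 31, 2 ** 32 + 5, 1e20, -1e20, NaN, Infinity, -Infinity,
  "abc", "16", "0x10", " 8 ", "1e3", "", true, false, null, undefined,
  [], [7], {}, { valueOf() { return 3.9; } },
];

// Cross-check toInt32 against the engine's own conversion: `v | 0` is the
// reference. Returns the operands where the two disagree (expected: none).
function mismatchesAgainstEngine(operands) {
  return operands.filter((v) => toInt32(v) !== (v | 0));
}

// Strength reduction would like to fold `x | 0` into just `x`. That is only
// sound when forwarding x unchanged equals the real result, i.e. when x is
// already an int32 (and not -0). For 5.5 or "abc" the fold changes the answer.
function identityFoldIsSound(x) {
  return Object.is(x, toInt32(x));
}

// Stand-alone run: list the operands for which the fold would be wrong.
console.log("engine mismatches:", mismatchesAgainstEngine(SAMPLE_OPERANDS));
console.log("fold unsound for:", SAMPLE_OPERANDS.filter((v) => !identityFoldIsSound(v)));
```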
2312
2313 2015-12-15  Caitlin Potter  <caitp@igalia.com>
2314
2315         [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
2316         https://bugs.webkit.org/show_bug.cgi?id=152302
2317
2318         Reviewed by Mark Lam.
2319
2320         `eval` and `arguments` must not be assigned to in strict code. This
2321         change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
2322         in Test262, as well as a variety of other similar tests.
2323
2324         * parser/Parser.cpp:
2325         (JSC::Parser<LexerType>::parseAssignmentElement):
2326         (JSC::Parser<LexerType>::parseDestructuringPattern):
2327         * tests/stress/destructuring-assignment-syntax.js:
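
A parse-time probe for the rule this entry and the AssignmentPattern error-reclassification entry above are about, as an added example (not JSC's parser or its destructuring-assignment-syntax.js test): parseResult compiles a constructed body with `new Function` in strict or sloppy code and reports whether the parser rejects it, and classifyPatterns runs the constructed cases through both modes.

```javascript
// Parse-time probe for the strict-code rule that `eval` and `arguments` are
// not valid assignment targets, including inside destructuring patterns.
// `new Function` parses the body without running it, so nothing is assigned
// and the function object is discarded. Added example, not JSC code.
function parseResult(body, strict) {
  const source = (strict ? "'use strict';\n" : "") + body;
  try {
    new Function(source);           // parse only; the function is never called
    return "ok";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : String(e);
  }
}

// Constructed cases: simple targets, a nested pattern, a shorthand property,
// plus a control that must parse in both modes.
const PATTERN_CASES = [
  "[eval] = [1];",
  "({ x: arguments } = { x: 1 });",
  "[[eval]] = [[1]];",
  "({ eval } = { eval: 1 });",
  "[x] = [1];",
];

// Returns, per case body, the parse outcome in sloppy and in strict code.
function classifyPatterns(cases = PATTERN_CASES) {
  const out = {};
  for (const body of cases) {
    out[body] = { sloppy: parseResult(body, false), strict: parseResult(body, true) };
  }
  return out;
}

console.log(JSON.stringify(classifyPatterns(), null, 2));
```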
2328
2329 2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>
2330
2331         URTBF after 194062.
2332
2333         * assembler/MacroAssemblerARM.h:
2334         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
2335         (JSC::MacroAssemblerARM::ceilDouble): Added.
2336
2337 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2338
2339         FTL B3 should account for localsOffset
2340         https://bugs.webkit.org/show_bug.cgi?id=152288
2341
2342         Reviewed by Saam Barati.
2343
2344         The DFG will build up some data structures that expect to know about offsets from FP. Those data
2345         structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
2346         allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
2347         from LLVM's stackmaps. The B3 code needs to do the same.
2348
2349         I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
2350         look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
2351         FTLLower. But in this case, I actually think that having code that just does this explicitly in
2352         FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
2353         care about this, and we need to ensure that we do this fixup before we run any of the stackmap
2354         generators. In other words, it needs to happen before we call B3::generate(). The ordering
2355         constraints seem like a good reason to have this done explicitly rather than through lambdas.
2356
2357         I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
2358         different from the LLVM meaning. This caused breakage when we used this idiom:
2359
2360             ValueFromBlock foo = m_out.anchor(things);
2361             ...(foo.value()) // we were expecting that foo.value() == things
2362
2363         I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
2364         the idiom to:
2365
2366             LValue fooValue = things;
2367             ValueFromBlock foo = m_out.anchor(fooValue);
2368             ...(fooValue)
2369
2370         This is probably a good idea, since eventually we want B3's anchor() to just return the
2371         UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
2372         ValueFromBlock is an actual object and not just a typedef for a pointer.
2373
2374         * ftl/FTLB3Compile.cpp:
2375         (JSC::FTL::compile):
2376         * ftl/FTLB3Output.cpp:
2377         (JSC::FTL::Output::appendTo):
2378         (JSC::FTL::Output::lockedStackSlot):
2379         * ftl/FTLB3Output.h:
2380         (JSC::FTL::Output::framePointer):
2381         (JSC::FTL::Output::constBool):
2382         (JSC::FTL::Output::constInt32):
2383         * ftl/FTLLowerDFGToLLVM.cpp:
2384         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2385         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2386         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
2387         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
2388         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
2389         (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
2390         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
2391         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
2392         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
2393         * ftl/FTLState.h:
2394         (JSC::FTL::verboseCompilationEnabled):
2395         * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.
2396
2397 2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2398
2399         Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
2400         https://bugs.webkit.org/show_bug.cgi?id=152133
2401
2402         Reviewed by Geoffrey Garen.
2403
2404         In this patch, we implement new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
2405         And later it will be recognized by DFG and converted to ArithRandom node.
2406         It provides type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).
2407
2408         Currently, only the 64-bit version is supported. On 32-bit environments, ArithRandom will be converted to callOperation.
2409         While it emits a function call, ArithRandom node on 32-bit still represents SpecDoubleReal as a result type.
2410
2411         * dfg/DFGAbstractHeap.h:
2412         * dfg/DFGAbstractInterpreterInlines.h:
2413         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2414         * dfg/DFGByteCodeParser.cpp:
2415         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2416         * dfg/DFGClobberize.h:
2417         (JSC::DFG::clobberize):
2418         * dfg/DFGDoesGC.cpp:
2419         (JSC::DFG::doesGC):
2420         * dfg/DFGFixupPhase.cpp:
2421         (JSC::DFG::FixupPhase::fixupNode):
2422         * dfg/DFGNodeType.h:
2423         * dfg/DFGOperations.cpp:
2424         * dfg/DFGOperations.h:
2425         * dfg/DFGPredictionPropagationPhase.cpp:
2426         (JSC::DFG::PredictionPropagationPhase::propagate):
2427         * dfg/DFGSafeToExecute.h:
2428         (JSC::DFG::safeToExecute):
2429         * dfg/DFGSpeculativeJIT.h:
2430         (JSC::DFG::SpeculativeJIT::callOperation):
2431         * dfg/DFGSpeculativeJIT32_64.cpp:
2432         (JSC::DFG::SpeculativeJIT::compile):
2433         (JSC::DFG::SpeculativeJIT::compileArithRandom):
2434         * dfg/DFGSpeculativeJIT64.cpp:
2435         (JSC::DFG::SpeculativeJIT::compile):
2436         (JSC::DFG::SpeculativeJIT::compileArithRandom):
2437         * ftl/FTLCapabilities.cpp:
2438         (JSC::FTL::canCompile):
2439         * ftl/FTLLowerDFGToLLVM.cpp:
2440         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2441         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
2442         * jit/AssemblyHelpers.cpp:
2443         (JSC::emitRandomThunkImpl):
2444         (JSC::AssemblyHelpers::emitRandomThunk):
2445         * jit/AssemblyHelpers.h:
2446         * jit/JITOperations.h:
2447         * jit/ThunkGenerators.cpp:
2448         (JSC::randomThunkGenerator):
2449         * jit/ThunkGenerators.h:
2450         * runtime/Intrinsic.h:
2451         * runtime/JSGlobalObject.h:
2452         (JSC::JSGlobalObject::weakRandomOffset):
2453         * runtime/MathObject.cpp:
2454         (JSC::MathObject::finishCreation):
2455         * runtime/VM.cpp:
2456         (JSC::thunkGeneratorForIntrinsic):
2457         * tests/stress/random-53bit.js: Added.
2458         (test):
2459         * tests/stress/random-in-range.js: Added.
2460         (test):
2461
2462 2015-12-14  Benjamin Poulain  <benjamin@webkit.org>
2463
2464         Rename FTL::Output's ceil64() to doubleCeil()
2465
2466         Rubber-stamped by Filip Pizlo.
2467
2468         ceil64() was a bad name; that's the naming convention we use for integers.
2469
2470         * ftl/FTLB3Output.h:
2471         (JSC::FTL::Output::doubleCeil):
2472         (JSC::FTL::Output::ceil64): Deleted.
2473         * ftl/FTLLowerDFGToLLVM.cpp:
2474         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):
2475
2476 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2477
2478         FTL B3 should be able to run n-body.js
2479         https://bugs.webkit.org/show_bug.cgi?id=152281
2480
2481         Reviewed by Benjamin Poulain.
2482
2483         Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
2484         end, like the rest of the FTL expected.
2485
2486         * ftl/FTLLowerDFGToLLVM.cpp:
2487         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2488
2489 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
2490
2491         Fix bad copy-paste in r194062
2492
2493         * ftl/FTLB3Output.h:
2494         (JSC::FTL::Output::ceil64):
2495
2496 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2497
2498         Unreviewed, fix cloop build.
2499
2500         * jit/GPRInfo.cpp:
2501
2502 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2503
2504         FTL B3 should do PutById
2505         https://bugs.webkit.org/show_bug.cgi?id=152268
2506
2507         Reviewed by Saam Barati.
2508
2509         * CMakeLists.txt:
2510         * JavaScriptCore.xcodeproj/project.pbxproj:
2511         * b3/B3LowerToAir.cpp:
2512         (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
2513         * b3/testb3.cpp: Added a bunch of tests.
2514         * ftl/FTLLowerDFGToLLVM.cpp:
2515         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
2516         * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
2517         * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.
2518
2519 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
2520
2521         [JSC] Add ceil() support for x86 and expose it to B3
2522         https://bugs.webkit.org/show_bug.cgi?id=152231
2523
2524         Reviewed by Geoffrey Garen.
2525
2526         Most x86 CPUs we care about support ceil() natively
2527         with the round instruction.
2528
2529         This patch exposes that behind a runtime flag, uses it
2530         in the Math.ceil() thunk and exposes it to B3.
2531
2532         * assembler/MacroAssemblerARM64.h:
2533         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
2534         * assembler/MacroAssemblerARMv7.h:
2535         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
2536         * assembler/MacroAssemblerMIPS.h:
2537         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
2538         * assembler/MacroAssemblerSH4.h:
2539         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
2540         * assembler/MacroAssemblerX86Common.cpp:
2541         * assembler/MacroAssemblerX86Common.h:
2542         (JSC::MacroAssemblerX86Common::ceilDouble):
2543         (JSC::MacroAssemblerX86Common::ceilFloat):
2544         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
2545         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2546         * assembler/X86Assembler.h:
2547         (JSC::X86Assembler::roundss_rr):
2548         (JSC::X86Assembler::roundss_mr):
2549         (JSC::X86Assembler::roundsd_rr):
2550         (JSC::X86Assembler::roundsd_mr):
2551         (JSC::X86Assembler::mfence):
2552         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
2553         * b3/B3ConstDoubleValue.cpp:
2554         (JSC::B3::ConstDoubleValue::ceilConstant):
2555         * b3/B3ConstDoubleValue.h:
2556         * b3/B3ConstFloatValue.cpp:
2557         (JSC::B3::ConstFloatValue::ceilConstant):
2558         * b3/B3ConstFloatValue.h:
2559         * b3/B3LowerMacrosAfterOptimizations.cpp:
2560         * b3/B3LowerToAir.cpp:
2561         (JSC::B3::Air::LowerToAir::lower):
2562         * b3/B3Opcode.cpp:
2563         (WTF::printInternal):
2564         * b3/B3Opcode.h:
2565         * b3/B3ReduceDoubleToFloat.cpp:
2566         * b3/B3ReduceStrength.cpp:
2567         * b3/B3Validate.cpp:
2568         * b3/B3Value.cpp:
2569         (JSC::B3::Value::ceilConstant):
2570         (JSC::B3::Value::effects):
2571         (JSC::B3::Value::key):
2572         (JSC::B3::Value::typeFor):
2573         * b3/B3Value.h:
2574         * b3/air/AirOpcode.opcodes:
2575         * b3/testb3.cpp:
2576         (JSC::B3::testCeilArg):
2577         (JSC::B3::testCeilImm):
2578         (JSC::B3::testCeilMem):
2579         (JSC::B3::testCeilCeilArg):
2580         (JSC::B3::testCeilIToD64):
2581         (JSC::B3::testCeilIToD32):
2582         (JSC::B3::testCeilArgWithUselessDoubleConversion):
2583         (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
2584         (JSC::B3::populateWithInterestingValues):
2585         (JSC::B3::run):
2586         * ftl/FTLB3Output.h:
2587         (JSC::FTL::Output::ceil64):
2588         * jit/ThunkGenerators.cpp:
2589         (JSC::ceilThunkGenerator):
2590
2591 2015-12-14  Andreas Kling  <akling@apple.com>
2592
2593         ResourceUsageOverlay should show GC timers.
2594         <https://webkit.org/b/152151>
2595
2596         Reviewed by Darin Adler.
2597
2598         Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.
2599
2600         * heap/GCActivityCallback.cpp:
2601         (JSC::GCActivityCallback::scheduleTimer):
2602         (JSC::GCActivityCallback::cancelTimer):
2603         * heap/GCActivityCallback.h:
2604
2605 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2606
2607         Unreviewed, fix merge issue in a test.
2608
2609         * b3/testb3.cpp:
2610         (JSC::B3::testCheckTwoMegaCombos):
2611         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
2612
2613 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2614
2615         B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
2616         https://bugs.webkit.org/show_bug.cgi?id=152224
2617
2618         Reviewed by Geoffrey Garen.
2619
2620         Previously, a stackmap generator for a Check had to know how many children the B3 value for the
2621         Check had at the time of code generation. That meant that B3 could not change the kind of Check
2622         that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
2623         into a Check. But just changing the contract so that the stackmap generation params only get the
2624         stackmap children of the check means that B3 can transform Checks as it likes.
2625
2626         This is meant to aid sinking values into checks.
2627
2628         Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
2629         exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
2630         sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
2631         not counting OSR exit - if you need to you can conditionally merge that with World based on a
2632         separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
2633         and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
2634         we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
2635         seems more sensible to instead force the analysis to set reads to top() when setting
2636         exitsSideways to true, not least because we only have one such analysis and many users. But it
2637         also makes sense for another reason: it allows us to bound the set of things that the program
2638         will read after it exits. That might not be useful to us now, but it's a nice feature to get for
2639         free. I've seen language features that behave like exitsSideways that don't also read top,
2640         like an array bounds check that causes sudden termination without making any promises about how
2641         pretty the crash dump will look.
2642
2643         * b3/B3CheckSpecial.cpp:
2644         (JSC::B3::CheckSpecial::generate):
2645         * b3/B3Opcode.h:
2646         * b3/B3Value.cpp:
2647         (JSC::B3::Value::effects):
2648         * b3/testb3.cpp:
2649         (JSC::B3::testSimpleCheck):
2650         (JSC::B3::testCheckLessThan):
2651         (JSC::B3::testCheckMegaCombo):
2652         (JSC::B3::testCheckAddImm):
2653         (JSC::B3::testCheckAddImmCommute):
2654         (JSC::B3::testCheckAddImmSomeRegister):
2655         (JSC::B3::testCheckAdd):
2656         (JSC::B3::testCheckAdd64):
2657         (JSC::B3::testCheckSubImm):
2658         (JSC::B3::testCheckSubBadImm):
2659         (JSC::B3::testCheckSub):
2660         (JSC::B3::testCheckSub64):
2661         (JSC::B3::testCheckNeg):
2662         (JSC::B3::testCheckNeg64):
2663         (JSC::B3::testCheckMul):
2664         (JSC::B3::testCheckMulMemory):
2665         (JSC::B3::testCheckMul2):
2666         (JSC::B3::testCheckMul64):
2667         * ftl/FTLLowerDFGToLLVM.cpp:
2668         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2669
2670 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2671
2672         Air: Support Architecture-specific forms and Opcodes
2673         https://bugs.webkit.org/show_bug.cgi?id=151736
2674
2675         Reviewed by Benjamin Poulain.
2676
2677         This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
2678         opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
2679         still be a member of the enum) but isValidForm() and all other reflective queries will tell you
2680         that it doesn't exist. This will make the instruction selector steer clear of it, and it will
2681         also ensure that the spiller doesn't try to use any unavailable architecture-specific address
2682         forms.
2683
2684         The new capability is documented extensively in a comment in AirOpcode.opcodes.
2685
2686         * b3/air/AirOpcode.opcodes:
2687         * b3/air/opcode_generator.rb:
2688
2689 2015-12-14  Mark Lam  <mark.lam@apple.com>
2690
2691         Misc. small fixes in snippet related code.
2692         https://bugs.webkit.org/show_bug.cgi?id=152259
2693
2694         Reviewed by Saam Barati.
2695
2696         * dfg/DFGSpeculativeJIT.cpp:
2697         (JSC::DFG::SpeculativeJIT::compileArithMul):
2698         - When loading a constant JSValue for a node, use the one that the node already
2699           provides instead of reconstructing it.  This is not a bug, but the fix makes
2700           the code cleaner.
2701
2702         * jit/JITBitAndGenerator.cpp:
2703         (JSC::JITBitAndGenerator::generateFastPath):
2704         - No need to do a bitand with a constant int 0xffffffff operand.
2705
2706         * jit/JITBitOrGenerator.cpp:
2707         (JSC::JITBitOrGenerator::generateFastPath):
2708         - Fix comments: bitor is '|', not '&'.
2709         - No need to do a bitor with a constant int 0 operand.
2710
2711         * jit/JITBitXorGenerator.cpp:
2712         (JSC::JITBitXorGenerator::generateFastPath):
2713         - Fix comments: bitxor is '^', not '&'.
2714
2715         * jit/JITRightShiftGenerator.cpp:
2716         (JSC::JITRightShiftGenerator::generateFastPath):
2717         - Renamed a jump target name to be clearer about its purpose.
2718
2719 2015-12-14  Mark Lam  <mark.lam@apple.com>
2720
2721         We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
2722         https://bugs.webkit.org/show_bug.cgi?id=152255
2723
2724         Reviewed by Saam Barati.
2725
2726         * dfg/DFGFixupPhase.cpp:
2727         (JSC::DFG::FixupPhase::fixupNode):
2728
2729 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2730
2731         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
2732         https://bugs.webkit.org/show_bug.cgi?id=152198
2733
2734         Reviewed by Benjamin Poulain.
2735
2736         If we have a comparison operation that is branched on from multiple places, then we were
2737         previously executing the comparison to get a boolean result in a register and then we were
2738         testing/branching on that register in multiple places. This is actually less efficient than
2739         just fusing the compare/branch multiple times, even though this means that the comparison
2740         executes multiple times. This would only be bad if the comparison fused loads multiple times,
2741         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
2742         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
2743         the load.
2744
2745         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
2746         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
2747         lowerings for the other extension operations were not fully fleshed out; for example they
2748         were incapable of load fusion. This patch fixes this and also adds some smart strength
2749         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
2750         extension.
2751
2752         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
2753         step in that direction.
2754
2755         * assembler/MacroAssemblerX86Common.h:
2756         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
2757         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
2758         (JSC::MacroAssemblerX86Common::signExtend8To32):
2759         (JSC::MacroAssemblerX86Common::load16):
2760         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
2761         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
2762         (JSC::MacroAssemblerX86Common::signExtend16To32):
2763         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
2764         * assembler/X86Assembler.h:
2765         (JSC::X86Assembler::movzbl_rr):
2766         (JSC::X86Assembler::movsbl_rr):
2767         (JSC::X86Assembler::movzwl_rr):
2768         (JSC::X86Assembler::movswl_rr):
2769         (JSC::X86Assembler::cmovl_rr):
2770         * b3/B3LowerToAir.cpp:
2771         (JSC::B3::Air::LowerToAir::createGenericCompare):
2772         (JSC::B3::Air::LowerToAir::lower):
2773         * b3/B3ReduceStrength.cpp:
2774         * b3/air/AirOpcode.opcodes:
2775         * b3/testb3.cpp:
2776         (JSC::B3::testCheckMegaCombo):
2777         (JSC::B3::testCheckTwoMegaCombos):
2778         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
2779         (JSC::B3::testCheckAddImm):
2780         (JSC::B3::testTruncSExt32):
2781         (JSC::B3::testSExt8):
2782         (JSC::B3::testSExt8Fold):
2783         (JSC::B3::testSExt8SExt8):
2784         (JSC::B3::testSExt8SExt16):
2785         (JSC::B3::testSExt8BitAnd):
2786         (JSC::B3::testBitAndSExt8):
2787         (JSC::B3::testSExt16):
2788         (JSC::B3::testSExt16Fold):
2789         (JSC::B3::testSExt16SExt16):
2790         (JSC::B3::testSExt16SExt8):
2791         (JSC::B3::testSExt16BitAnd):
2792         (JSC::B3::testBitAndSExt16):
2793         (JSC::B3::testSExt32BitAnd):
2794         (JSC::B3::testBitAndSExt32):
2795         (JSC::B3::testBasicSelect):
2796         (JSC::B3::run):
2797
2798 2015-12-14  Chris Dumez  <cdumez@apple.com>
2799
2800         Roll out r193974 and follow-up fixes as it caused JSC crashes
2801         https://bugs.webkit.org/show_bug.cgi?id=152256
2802
2803         Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
2804
2805         * API/JSCallbackObject.h:
2806         * builtins/FunctionPrototype.js:
2807         * bytecode/BytecodeBasicBlock.cpp:
2808         (JSC::isBranch):
2809         * bytecode/BytecodeList.json:
2810         * bytecode/BytecodeUseDef.h:
2811         (JSC::computeUsesForBytecodeOffset):
2812         (JSC::computeDefsForBytecodeOffset):
2813         * bytecode/CodeBlock.cpp:
2814         (JSC::CodeBlock::dumpBytecode):
2815         * bytecode/ExitKind.cpp:
2816         (JSC::exitKindToString): Deleted.
2817         * bytecode/ExitKind.h:
2818         * bytecode/PreciseJumpTargets.cpp:
2819         (JSC::getJumpTargetsForBytecodeOffset):
2820         * bytecompiler/BytecodeGenerator.cpp:
2821         (JSC::BytecodeGenerator::emitCheckHasInstance):
2822         (JSC::BytecodeGenerator::emitGetById): Deleted.
2823         * bytecompiler/BytecodeGenerator.h:
2824         (JSC::BytecodeGenerator::emitTypeOf): Deleted.
2825         * bytecompiler/NodesCodegen.cpp:
2826         (JSC::InstanceOfNode::emitBytecode):
2827         (JSC::LogicalOpNode::emitBytecode): Deleted.
2828         (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
2829         * dfg/DFGAbstractInterpreterInlines.h:
2830         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2831         * dfg/DFGByteCodeParser.cpp:
2832         (JSC::DFG::ByteCodeParser::parseBlock):
2833         * dfg/DFGCapabilities.cpp:
2834         (JSC::DFG::capabilityLevel):
2835         * dfg/DFGClobberize.h:
2836         (JSC::DFG::clobberize):
2837         * dfg/DFGDoesGC.cpp:
2838         (JSC::DFG::doesGC):
2839         * dfg/DFGFixupPhase.cpp:
2840         (JSC::DFG::FixupPhase::fixupNode):
2841         * dfg/DFGHeapLocation.cpp:
2842         (WTF::printInternal):
2843         * dfg/DFGHeapLocation.h:
2844         * dfg/DFGNode.h:
2845         (JSC::DFG::Node::hasCellOperand): Deleted.
2846         (JSC::DFG::Node::hasTransition): Deleted.
2847         * dfg/DFGNodeType.h:
2848         * dfg/DFGPredictionPropagationPhase.cpp:
2849         (JSC::DFG::PredictionPropagationPhase::propagate):
2850         * dfg/DFGSafeToExecute.h:
2851         (JSC::DFG::safeToExecute):
2852         * dfg/DFGSpeculativeJIT.cpp:
2853         (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
2854         (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
2855         * dfg/DFGSpeculativeJIT.h:
2856         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
2857         * dfg/DFGSpeculativeJIT32_64.cpp:
2858         (JSC::DFG::SpeculativeJIT::compile):
2859         * dfg/DFGSpeculativeJIT64.cpp:
2860         (JSC::DFG::SpeculativeJIT::compile):
2861         * ftl/FTLCapabilities.cpp:
2862         (JSC::FTL::canCompile):
2863         * ftl/FTLIntrinsicRepository.h:
2864         * ftl/FTLLowerDFGToLLVM.cpp:
2865         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2866         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
2867         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
2868         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
2869         * jit/CCallHelpers.h:
2870         (JSC::CCallHelpers::setupArguments): Deleted.
2871         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
2872         * jit/JIT.cpp:
2873         (JSC::JIT::privateCompileMainPass):
2874         (JSC::JIT::privateCompileSlowCases):
2875         * jit/JIT.h:
2876         * jit/JITInlines.h:
2877         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2878         (JSC::JIT::callOperation): Deleted.
2879         * jit/JITOpcodes.cpp:
2880         (JSC::JIT::emit_op_check_has_instance):
2881         (JSC::JIT::emit_op_instanceof):
2882         (JSC::JIT::emitSlow_op_check_has_instance):
2883         (JSC::JIT::emitSlow_op_instanceof):
2884         (JSC::JIT::emit_op_is_undefined): Deleted.
2885         (JSC::JIT::emitSlow_op_to_number): Deleted.
2886         (JSC::JIT::emitSlow_op_to_string): Deleted.
2887         * jit/JITOpcodes32_64.cpp:
2888         (JSC::JIT::emit_op_check_has_instance):
2889         (JSC::JIT::emit_op_instanceof):
2890         (JSC::JIT::emitSlow_op_check_has_instance):
2891         (JSC::JIT::emitSlow_op_instanceof):
2892         (JSC::JIT::emit_op_is_undefined): Deleted.
2893         * jit/JITOperations.cpp:
2894         * jit/JITOperations.h:
2895         * llint/LLIntData.cpp:
2896         (JSC::LLInt::Data::performAssertions): Deleted.
2897         * llint/LLIntSlowPaths.cpp:
2898         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2899         * llint/LLIntSlowPaths.h:
2900         * llint/LowLevelInterpreter32_64.asm:
2901         * llint/LowLevelInterpreter64.asm:
2902         * runtime/CommonIdentifiers.h:
2903         * runtime/ExceptionHelpers.cpp:
2904         (JSC::invalidParameterInstanceofSourceAppender):
2905         (JSC::createInvalidInstanceofParameterError):
2906         (JSC::createError): Deleted.
2907         (JSC::createNotAFunctionError): Deleted.
2908         (JSC::createNotAnObjectError): Deleted.
2909         * runtime/ExceptionHelpers.h:
2910         * runtime/FunctionPrototype.cpp:
2911         (JSC::FunctionPrototype::addFunctionProperties):
2912         * runtime/FunctionPrototype.h:
2913         * runtime/JSBoundFunction.cpp:
2914         (JSC::JSBoundFunction::create): Deleted.
2915         (JSC::JSBoundFunction::customHasInstance): Deleted.
2916         * runtime/JSBoundFunction.h:
2917         * runtime/JSGlobalObject.cpp:
2918         (JSC::JSGlobalObject::init):
2919         (JSC::JSGlobalObject::visitChildren): Deleted.
2920         * runtime/JSGlobalObject.h:
2921         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
2922         * runtime/JSObject.cpp:
2923         (JSC::JSObject::hasInstance):
2924         (JSC::JSObject::defaultHasInstance): Deleted.
2925         (JSC::JSObject::getPropertyNames): Deleted.
2926         (JSC::JSObject::getOwnPropertyNames): Deleted.
2927         * runtime/JSObject.h:
2928         (JSC::JSFinalObject::create): Deleted.
2929         * runtime/JSTypeInfo.h:
2930         (JSC::TypeInfo::TypeInfo):
2931         (JSC::TypeInfo::overridesHasInstance):
2932         * runtime/WriteBarrier.h:
2933         (JSC::WriteBarrierBase<Unknown>::slot):
2934         * tests/es6.yaml:
2935         * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
2936         * tests/stress/symbol-hasInstance.js: Removed.
2937
2938 2015-12-13  Benjamin Poulain  <bpoulain@apple.com>
2939
2940         [JSC] Remove FTL::Output's doubleEqualOrUnordered()
2941         https://bugs.webkit.org/show_bug.cgi?id=152234
2942
2943         Reviewed by Sam Weinig.
2944
2945         It is unused, one less thing to worry about.
2946
2947         * ftl/FTLB3Output.h:
2948         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
2949         * ftl/FTLOutput.h:
2950         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
2951
2952 2015-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2953
2954         [JSC] Should not emit get_by_id for indexed property access
2955         https://bugs.webkit.org/show_bug.cgi?id=151354
2956
2957         Reviewed by Darin Adler.
2958
2959         Before this patch, `a["1"]` is converted to an `a.1` get_by_id operation in the bytecode compiler.
2960         get_by_id emits an IC. ICs rely on the fact that Structure transitions occur when adding / removing an object's properties.
2961         However, it's not true for indexed element properties. They are stored in the element storage and no Structure transition occurs.
2962
2963         For example, in the following case,
2964
2965              function getOne(a) { return a['1']; }
2966
2967              for (var i = 0; i < 36; ++i)
2968                  getOne({2: true});
2969
2970              if (!getOne({1: true}))
2971                  throw new Error("OUT");
2972
2973         In this case, `a['1']` creates get_by_id. The `getOne({2: true})` calls make getOne's get_by_id create an IC that says,
2974         "when coming across this structure chain, there is no property "1", so we should return `undefined`".
2975
2976         After that, we call `getOne({1: true})`. But in this case, `{2: true}` and `{1: true}` have the same structure chain,
2977         because indexed property addition does not cause a structure transition.
2978         So the previous IC fast path is used and returns `undefined`. But the correct answer is `true`.
2979
2980         This patch fixes the above issue. When there is string bracket access, we only emit get_by_id if the given string is not an index.
2981         There are bugs in get_by_id, put_by_id, and put_by_id (direct). But only get_by_id poses a user-observable issue,
2982         because in the put_by_id case, the generic path just says "this put is uncacheable".
2983
2984         * bytecompiler/BytecodeGenerator.cpp:
2985         (JSC::BytecodeGenerator::emitGetById):
2986         (JSC::BytecodeGenerator::emitPutById):
2987         (JSC::BytecodeGenerator::emitDirectPutById):
2988         * bytecompiler/NodesCodegen.cpp:
2989         (JSC::isNonIndexStringElement):
2990         (JSC::BracketAccessorNode::emitBytecode):
2991         (JSC::FunctionCallBracketNode::emitBytecode):
2992         (JSC::AssignBracketNode::emitBytecode):
2993         (JSC::ObjectPatternNode::bindValue):
2994         * tests/stress/element-property-get-should-not-handled-with-get-by-id.js: Added.
2995         (getOne):
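
To make the distinction this patch draws concrete, here is an added C model (not JSC's own code) of the index test behind a helper like isNonIndexStringElement: a string names an indexed element only if it is the canonical decimal spelling of an integer in [0, 2^32 - 2]; anything else, including "01" and over-long digit strings, is an ordinary named property and may be compiled to get_by_id, while an index key takes the generic bracket opcode (get_by_val in JSC). The function names, the uint32 range constant and the sample keys are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest array index: 2^32 - 2. The ECMAScript definition of an array index
 * excludes 2^32 - 1, so "4294967295" is a named key, not an element. */
#define MAX_ARRAY_INDEX UINT32_C(4294967294)

/* Returns true and stores the index when `key` is the canonical decimal
 * spelling of an integer in [0, MAX_ARRAY_INDEX]. Canonical means digits
 * only, no sign, no whitespace, and no leading zero except for "0" itself.
 * (Hypothetical helper modelled on the index check the patch relies on.) */
bool parse_index(const char *key, uint32_t *out)
{
    size_t len = strlen(key);
    if (len == 0 || len > 10)          /* MAX_ARRAY_INDEX has 10 digits */
        return false;
    if (key[0] == '0' && len > 1)      /* "01" is not "1": a named property */
        return false;
    uint64_t value = 0;                /* 10 digits cannot overflow 64 bits */
    for (size_t i = 0; i < len; ++i) {
        if (key[i] < '0' || key[i] > '9')
            return false;
        value = value * 10 + (uint64_t)(key[i] - '0');
    }
    if (value > MAX_ARRAY_INDEX)
        return false;
    *out = (uint32_t)value;
    return true;
}

/* The decision the bytecode generator makes for `a["..."]`: only a key that
 * is NOT an index may become get_by_id, because only named properties live in
 * the Structure that the get_by_id inline cache is keyed on. Indexed elements
 * live in element storage, and adding or removing them leaves the Structure
 * unchanged, which is exactly why the cached "no such property" answer in the
 * getOne example above was wrong. */
bool is_non_index_string_element(const char *key)
{
    uint32_t unused;
    return !parse_index(key, &unused);
}

int main(void)
{
    /* Constructed sample keys: which bytecode would each bracket access get? */
    const char *keys[] = { "1", "2", "0", "01", "1 ", "-1", "length",
                           "4294967294", "4294967295" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; ++i) {
        printf("a[\"%s\"] -> %s\n", keys[i],
               is_non_index_string_element(keys[i]) ? "get_by_id" : "get_by_val");
    }
    return 0;
}
```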
2996
2997 2015-12-13  Andreas Kling  <akling@apple.com>
2998
2999         CachedScript could have a copy-free path for all-ASCII scripts.
3000         <https://webkit.org/b/152203>
3001
3002         Reviewed by Antti Koivisto.
3003
3004         Make SourceProvider vend a StringView instead of a String.
3005         This relaxes the promises that providers have to make about string lifetimes.
3006
3007         This means that on the WebCore side, CachedScript is free to cache a String
3008         internally, while only ever exposing it as a temporary StringView.
3009
3010         A few extra copies (CPU, not memory) are introduced, none of them on hot paths.
3011
3012         * API/JSScriptRef.cpp:
3013         * bytecode/CodeBlock.cpp:
3014         (JSC::CodeBlock::sourceCodeForTools):
3015         (JSC::CodeBlock::dumpSource):
3016         * inspector/ScriptDebugServer.cpp:
3017         (Inspector::ScriptDebugServer::dispatchDidParseSource):
3018         (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
3019         * interpreter/Interpreter.cpp:
3020         (JSC::Interpreter::execute):
3021         * jsc.cpp:
3022         (functionFindTypeForExpression):
3023         (functionHasBasicBlockExecuted):
3024         (functionBasicBlockExecutionCount):
3025         * parser/Lexer.cpp:
3026         (JSC::Lexer<T>::setCode):
3027         * parser/Lexer.h:
3028         (JSC::Lexer<LChar>::setCodeStart):
3029         (JSC::Lexer<UChar>::setCodeStart):
3030         * parser/Parser.h:
3031         (JSC::Parser::getToken):
3032         * parser/SourceCode.cpp:
3033         (JSC::SourceCode::toUTF8):
3034         * parser/SourceCode.h:
3035         (JSC::SourceCode::hash):
3036         (JSC::SourceCode::view):
3037         (JSC::SourceCode::toString): Deleted.
3038         * parser/SourceCodeKey.h:
3039         (JSC::SourceCodeKey::SourceCodeKey):
3040         (JSC::SourceCodeKey::string):
3041         * parser/SourceProvider.h:
3042         (JSC::SourceProvider::getRange):
3043         * runtime/Completion.cpp:
3044         (JSC::loadAndEvaluateModule):
3045         (JSC::loadModule):
3046         * runtime/ErrorInstance.cpp:
3047         (JSC::appendSourceToError):
3048         * runtime/FunctionPrototype.cpp:
3049         (JSC::functionProtoFuncToString):
3050         * tools/FunctionOverrides.cpp:
3051         (JSC::initializeOverrideInfo):
3052         (JSC::FunctionOverrides::initializeOverrideFor):
3053
3054 2015-12-12  Benjamin Poulain  <benjamin@webkit.org>
3055
3056         [JSC] Add lowering for B3's Store8 opcode
3057         https://bugs.webkit.org/show_bug.cgi?id=152208
3058
3059         Reviewed by Geoffrey Garen.
3060
3061         B3 has an opcode to store 8-bit values but it had
3062         no lowering.
3063
3064         * b3/B3LowerToAir.cpp:
3065         (JSC::B3::Air::LowerToAir::createStore):
3066         (JSC::B3::Air::LowerToAir::lower):
3067         * b3/air/AirOpcode.opcodes:
3068         * b3/testb3.cpp:
3069         (JSC::B3::testStore8Arg):
3070         (JSC::B3::testStore8Imm):
3071         (JSC::B3::testStorePartial8BitRegisterOnX86):
3072         (JSC::B3::run):
3073
3074 2015-12-12  Csaba Osztrogonác  <ossy@webkit.org>
3075
3076         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
3077         https://bugs.webkit.org/show_bug.cgi?id=152214
3078
3079         Reviewed by Mark Lam.
3080
3081         * jit/CCallHelpers.h:
3082         (JSC::CCallHelpers::setupArgumentsWithExecState):
3083
3084 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
3085
3086         Web Inspector: Too many derefs when RemoteInspectorXPCConnection fails to validate connection
3087         https://bugs.webkit.org/show_bug.cgi?id=152213
3088
3089         Rubber-stamped by Ryosuke Niwa.
3090
3091         * inspector/remote/RemoteInspectorXPCConnection.mm:
3092         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3093         We should just close the XPC connection, triggering XPC_ERROR_CONNECTION_INVALID,
3094         which will then gracefully tear down the connection as expected.
3095
3096 2015-12-11  Benjamin Poulain  <bpoulain@apple.com>
3097
3098         [JSC] Add Floating Point Abs() to B3
3099         https://bugs.webkit.org/show_bug.cgi?id=152176
3100
3101         Reviewed by Geoffrey Garen.
3102
3103         This patch adds an Abs() operation for floating point.
3104
3105         On x86, Abs() is implemented by masking the top bit
3106         of the floating point value. On ARM64, there is a builtin
3107         abs opcode.
3108
3109         To account for those differences, B3 uses "Abs" as
3110         the canonical operation. When we are about to lower
3111         to Air, Abs is extended on x86 to get a clean handling
3112         of the mask constants.
3113
3114         This patch has one cool thing related to FTL.
3115         If you do:
3116            @1 = unboxDouble(@0)
3117            @2 = abs(@1)
3118            @3 = boxDouble(@2)
3119
3120         B3ReduceStrength completely eliminates the Double-Integer
3121         conversion.
3122
3123         The strength reduction of Abs is aware that it can do a bit
3124         mask over the bitcast used by unboxing.
3125         It even works if you use floats by forcing fround: reduceDoubleToFloat()
3126         eliminates the useless conversions, followed by ReduceStrength
3127         that removes the switch from GP to FP.
3128
3129         * CMakeLists.txt:
3130         * JavaScriptCore.xcodeproj/project.pbxproj:
3131         * assembler/MacroAssemblerX86Common.h:
3132         (JSC::MacroAssemblerX86Common::andDouble):
3133         (JSC::MacroAssemblerX86Common::andFloat):
3134         * assembler/X86Assembler.h:
3135         (JSC::X86Assembler::andps_rr):
3136         * b3/B3ConstDoubleValue.cpp:
3137         (JSC::B3::ConstDoubleValue::bitAndConstant):
3138         (JSC::B3::ConstDoubleValue::absConstant):
3139         * b3/B3ConstDoubleValue.h:
3140         * b3/B3ConstFloatValue.cpp:
3141         (JSC::B3::ConstFloatValue::bitAndConstant):
3142         (JSC::B3::ConstFloatValue::absConstant):
3143         * b3/B3ConstFloatValue.h:
3144         * b3/B3Generate.cpp:
3145         (JSC::B3::generateToAir):
3146         * b3/B3LowerMacrosAfterOptimizations.cpp: Added.
3147         (JSC::B3::lowerMacrosAfterOptimizations):
3148         * b3/B3LowerMacrosAfterOptimizations.h: Added.
3149         * b3/B3LowerToAir.cpp:
3150         (JSC::B3::Air::LowerToAir::lower):
3151         * b3/B3Opcode.cpp:
3152         (WTF::printInternal):
3153         * b3/B3Opcode.h:
3154         * b3/B3ReduceDoubleToFloat.cpp:
3155         * b3/B3ReduceStrength.cpp:
3156         * b3/B3Validate.cpp:
3157         * b3/B3Value.cpp:
3158         (JSC::B3::Value::absConstant):
3159         (JSC::B3::Value::effects):
3160         (JSC::B3::Value::key):
3161         (JSC::B3::Value::typeFor):
3162         * b3/B3Value.h:
3163         * b3/air/AirOpcode.opcodes:
3164         * b3/testb3.cpp:
3165         (JSC::B3::bitAndDouble):
3166         (JSC::B3::testBitAndArgDouble):
3167         (JSC::B3::testBitAndArgsDouble):
3168         (JSC::B3::testBitAndArgImmDouble):
3169         (JSC::B3::testBitAndImmsDouble):
3170         (JSC::B3::bitAndFloat):
3171         (JSC::B3::testBitAndArgFloat):
3172         (JSC::B3::testBitAndArgsFloat):
3173         (JSC::B3::testBitAndArgImmFloat):
3174         (JSC::B3::testBitAndImmsFloat):
3175         (JSC::B3::testBitAndArgsFloatWithUselessDoubleConversion):
3176         (JSC::B3::testAbsArg):
3177         (JSC::B3::testAbsImm):
3178         (JSC::B3::testAbsMem):
3179         (JSC::B3::testAbsAbsArg):
3180         (JSC::B3::testAbsBitwiseCastArg):
3181         (JSC::B3::testBitwiseCastAbsBitwiseCastArg):
3182         (JSC::B3::testAbsArgWithUselessDoubleConversion):
3183         (JSC::B3::testAbsArgWithEffectfulDoubleConversion):
3184         (JSC::B3::run):
3185         * ftl/FTLB3Output.h:
3186         (JSC::FTL::Output::doubleAbs):
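
As an added illustration (not B3's or the assembler's code), the x86 strategy described in this entry written out in C: |x| is the IEEE-754 encoding with its top bit cleared, which also handles -0.0 and NaN where a comparison-based abs does not, and it is what lets the strength reduction fold Abs into one integer AND on the bits that unboxing bitcasts. The helper names are mine, and treating a boxed double as its raw 64 bits is a simplification of JSC's real NaN-boxing.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Clearing the sign bit of the IEEE-754 encoding yields the absolute value. */
#define DOUBLE_ABS_MASK UINT64_C(0x7FFFFFFFFFFFFFFF)
#define FLOAT_ABS_MASK  UINT32_C(0x7FFFFFFF)

/* Bit-level casts (B3's BitwiseCast); memcpy is the strictly valid way in C. */
uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
double bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }
uint32_t float_to_bits(float f)   { uint32_t b; memcpy(&b, &f, sizeof b); return b; }
float bits_to_float(uint32_t b)   { float f; memcpy(&f, &b, sizeof f); return f; }

/* What x86 does for Abs: andpd/andps against a mask constant. */
double abs_double_by_mask(double x) { return bits_to_double(double_to_bits(x) & DOUBLE_ABS_MASK); }
float  abs_float_by_mask(float x)   { return bits_to_float(float_to_bits(x) & FLOAT_ABS_MASK); }

/* A comparison-based abs, for contrast: -0.0 is not < 0, so it keeps its
 * sign, and NaN compares false, so a negative NaN keeps its sign too. */
double abs_double_by_compare(double x) { return x < 0 ? -x : x; }

/* What B3ReduceStrength turns `boxDouble(abs(unboxDouble(@0)))` into when the
 * unbox/box are bitcasts: Abs(BitwiseCast(i)) == BitwiseCast(BitAnd(i, mask)),
 * so the GP->FP->GP round trip disappears and one integer AND remains. */
uint64_t abs_on_boxed_double_bits(uint64_t boxed) { return boxed & DOUBLE_ABS_MASK; }

bool has_sign_bit(double x) { return signbit(x) != 0; }

int main(void)
{
    /* Constructed inputs chosen to expose the two abs strategies' difference. */
    printf("mask    abs(-3.5)  = %g\n", abs_double_by_mask(-3.5));
    printf("mask    abs(-0.0) negative? %d\n", has_sign_bit(abs_double_by_mask(-0.0)));
    printf("compare abs(-0.0) negative? %d\n", has_sign_bit(abs_double_by_compare(-0.0)));
    printf("mask    abs(-NaN) negative? %d\n", has_sign_bit(abs_double_by_mask(-NAN)));
    printf("boxed   abs(-2.0)  = %g\n", bits_to_double(abs_on_boxed_double_bits(double_to_bits(-2.0))));
    return 0;
}
```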
3187
3188 2015-12-11  Mark Lam  <mark.lam@apple.com>
3189
3190         Removed some dead code, and simplified some code in the baseline JIT.
3191         https://bugs.webkit.org/show_bug.cgi?id=152199
3192
3193         Reviewed by Benjamin Poulain.
3194
3195         * jit/JIT.h:
3196         * jit/JITArithmetic.cpp:
3197         (JSC::JIT::emitBitBinaryOpFastPath):
3198         (JSC::JIT::emit_op_bitand):
3199         (JSC::JIT::emitSlow_op_lshift):
3200         (JSC::JIT::emitRightShiftFastPath):
3201         (JSC::JIT::emit_op_rshift):
3202         (JSC::JIT::emitSlow_op_rshift):
3203         (JSC::JIT::emit_op_urshift):
3204         (JSC::JIT::emitSlow_op_urshift):
3205
3206 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
3207
3208         B3::reduceStrength should remove redundant Phi's
3209         https://bugs.webkit.org/show_bug.cgi?id=152184
3210
3211         Reviewed by Benjamin Poulain.
3212
3213         This adds redundant Phi removal using Aycock and Horspool's SSA simplification algorithm. This
3214         is needed because even in simple asm.js code, we see a lot of CFG simplification that leaves
3215         behind totally useless Phi's.
3216
3217         * b3/B3PhiChildren.cpp:
3218         (JSC::B3::PhiChildren::PhiChildren):
3219         * b3/B3PhiChildren.h:
3220         (JSC::B3::PhiChildren::at):
3221         (JSC::B3::PhiChildren::operator[]):
3222         (JSC::B3::PhiChildren::phis):
3223         * b3/B3ReduceStrength.cpp:
3224
3225 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
3226
3227         [JSC] Add an implementation of pow() taking an integer exponent to B3
3228         https://bugs.webkit.org/show_bug.cgi?id=152165
3229
3230         Reviewed by Mark Lam.
3231
3232         LLVM has this really neat optimized opcode for
3233         raising the power of something by an integer exponent.
3234
3235         There is no such native instruction so we need to extend
3236         the existing FTLOutput API to something efficient.
3237
3238         DFG has a pretty competitive implementation. In this patch,
3239         I added a version of it to B3.
3240         I created powDoubleInt32() instead of putting the code directly
3241         in FTL for easier testing and optimization.
3242
3243         * CMakeLists.txt:
3244         * JavaScriptCore.xcodeproj/project.pbxproj:
3245         * b3/B3MathExtras.cpp: Added.
3246         (JSC::B3::powDoubleInt32):
3247         * b3/B3MathExtras.h: Added.
3248         * b3/B3MemoryValue.h:
3249         * b3/testb3.cpp:
3250         (JSC::B3::testPowDoubleByIntegerLoop):
3251         (JSC::B3::run):
3252         * dfg/DFGSpeculativeJIT.cpp:
3253         (JSC::DFG::compileArithPowIntegerFastPath):
3254         * ftl/FTLB3Output.cpp:
3255         (JSC::FTL::Output::doublePowi):
3256         * ftl/FTLB3Output.h:
3257         (JSC::FTL::Output::doublePowi): Deleted.
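
An added C rendering (not B3's or the DFG's code) of the square-and-multiply fast path that the DFG uses for an integer exponent and that this patch ports to B3 as powDoubleInt32(): the exponent is consumed one bit per iteration, so a bounded exponent means a bounded loop. The function names, reporting an out-of-range exponent to the caller (who would take the generic pow() slow path) instead of calling pow() here, and the upper bound of 1000 are my assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Exponent range handled inline; anything else goes to the generic pow()
 * slow path. The lower bound is what makes square-and-multiply valid here;
 * the upper bound (1000, an assumption) keeps the loop to at most 10 rounds. */
#define POW_FAST_PATH_MAX_EXPONENT 1000

/* Computes x^y by binary exponentiation: for each set bit of y, multiply the
 * result by the matching repeated square of x. Returns false when y is
 * outside the fast-path range so the caller can fall back to pow(). */
bool pow_double_int32_fast_path(double x, int32_t y, double *out)
{
    if (y < 0 || y > POW_FAST_PATH_MAX_EXPONENT)
        return false;

    double result = 1.0;   /* x^0 == 1, which is also the answer for y == 0 */
    double square = x;     /* x^(2^k) for the current bit position k */
    uint32_t bits = (uint32_t)y;
    do {
        if (bits & 1)      /* this bit of y contributes x^(2^k) */
            result *= square;
        square *= square;  /* advance to x^(2^(k+1)) */
        bits >>= 1;
    } while (bits != 0);

    *out = result;
    return true;
}

int main(void)
{
    /* Constructed inputs: two fast-path cases and one that must take the slow path. */
    const struct { double x; int32_t y; } cases[] = { { 2.0, 10 }, { -3.0, 3 }, { 1.5, -2 } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i) {
        double r;
        if (pow_double_int32_fast_path(cases[i].x, cases[i].y, &r))
            printf("%g ^ %d = %g (fast path)\n", cases[i].x, cases[i].y, r);
        else
            printf("%g ^ %d -> generic pow() slow path\n", cases[i].x, cases[i].y);
    }
    return 0;
}
```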
3258
3259 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
3260
3261         B3 should have CSE
3262         https://bugs.webkit.org/show_bug.cgi?id=150961
3263
3264         Reviewed by Benjamin Poulain.
3265
3266         This implements a very simple CSE for pure values. I need this as a prerequisite for other
3267         optimizations that I'm implementing. For now, this is neutral on imaging-gaussian-blur but a
3268         slow-down on asm.js code. I suspect that the asm.js slow-down is because of other things that are
3269         still going wrong, and anyway, I need CSE to be able to do even the most basic asm.js strength
3270         reductions.
3271
3272         * b3/B3ReduceStrength.cpp:
3273         * b3/B3ReduceStrength.h:
3274         * b3/B3Value.cpp:
3275         (JSC::B3::Value::replaceWithIdentity):
3276         (JSC::B3::Value::key):
3277
3278 2015-12-11  Mark Lam  <mark.lam@apple.com>
3279
3280         Refactoring to reduce potential cut-paste errors with the FTL ICs.
3281         https://bugs.webkit.org/show_bug.cgi?id=152185
3282
3283         Reviewed by Saam Barati.
3284
3285         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3286         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3287         * JavaScriptCore.xcodeproj/project.pbxproj:
3288
3289         * ftl/FTLCompile.cpp:
3290         - ICs now have their own names.  GetById and PutByID fast path ICs no longer just
3291           say "inline cache fast path".
3292
3293         * ftl/FTLCompileBinaryOp.cpp:
3294         (JSC::FTL::generateBinaryArithOpFastPath):
3295         - Fixed an indentation.
3296
3297         * ftl/FTLInlineCacheDescriptor.h:
3298         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
3299         (JSC::FTL::InlineCacheDescriptor::name):
3300         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
3301         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
3302         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
3303         (JSC::FTL::BinaryOpDescriptor::nodeType):
3304         (JSC::FTL::BinaryOpDescriptor::size):
3305         (JSC::FTL::BinaryOpDescriptor::slowPathFunction):
3306         (JSC::FTL::BinaryOpDescriptor::leftOperand):
3307         (JSC::FTL::BinaryOpDescriptor::BinaryOpDescriptor):
3308         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
3309         (JSC::FTL::ArithDivDescriptor::icSize):
3310         (JSC::FTL::ArithDivDescriptor::nodeType):
3311         (JSC::FTL::ArithDivDescriptor::opName):
3312         (JSC::FTL::ArithDivDescriptor::slowPathFunction):
3313         (JSC::FTL::ArithDivDescriptor::nonNumberSlowPathFunction):
3314         (JSC::FTL::ArithMulDescriptor::ArithMulDescriptor):
3315         (JSC::FTL::ArithMulDescriptor::icSize):
3316         (JSC::FTL::ArithMulDescriptor::nodeType):
3317         (JSC::FTL::ArithMulDescriptor::opName):
3318         (JSC::FTL::ArithMulDescriptor::slowPathFunction):
3319         (JSC::FTL::ArithMulDescriptor::nonNumberSlowPathFunction):
3320         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
3321         (JSC::FTL::ArithSubDescriptor::icSize):
3322         (JSC::FTL::ArithSubDescriptor::nodeType):
3323         (JSC::FTL::ArithSubDescriptor::opName):
3324         (JSC::FTL::ArithSubDescriptor::slowPathFunction):
3325         (JSC::FTL::ArithSubDescriptor::nonNumberSlowPathFunction):
3326         (JSC::FTL::ValueAddDescriptor::ValueAddDescriptor):
3327         (JSC::FTL::ValueAddDescriptor::icSize):
3328         (JSC::FTL::ValueAddDescriptor::nodeType):
3329         (JSC::FTL::ValueAddDescriptor::opName):
3330         (JSC::FTL::ValueAddDescriptor::slowPathFunction):
3331         (JSC::FTL::ValueAddDescriptor::nonNumberSlowPathFunction):
3332         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
3333         (JSC::FTL::ProbeDescriptor::ProbeDescriptor):
3334         (JSC::FTL::BinaryOpDescriptor::name): Deleted.
3335         (JSC::FTL::BinaryOpDescriptor::fastPathICName): Deleted.
3336         * ftl/FTLInlineCacheDescriptorInlines.h: Removed.
3337         - Consolidate the number of places where we have to fill in data about new
3338           snippet ICs.  It is all done in FTLInlineCacheDescriptor.h now.
3339
3340         * ftl/FTLJITFinalizer.cpp:
3341         (JSC::FTL::JITFinalizer::finalizeFunction):
3342
3343         * ftl/FTLLowerDFGToLLVM.cpp:
3344         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
3345         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
3346         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3347         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3348         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
3349         - Introduced a compileUntypedBinaryOp() template and use that at all the FTL
3350           places that need to use a snippet.  This reduces the amount of cut and paste
3351           code.
3352
3353         * ftl/FTLState.h:
3354         - Removed a bad #include.
3355
3356 2015-12-11  Keith Miller  <keith_miller@apple.com>
3357
3358         Overrides has instance should not move ValueFalse to a register then immediately to the stack in the LLInt.
3359         https://bugs.webkit.org/show_bug.cgi?id=152188
3360
3361         Reviewed by Mark Lam.
3362
3363         This fixes a minor issue with the code for the overrides_has_instance in the LLInt. Old code had an extra move,
3364         which is both slow and breaks the build on cloop.
3365
3366         * llint/LowLevelInterpreter64.asm:
3367
3368 2015-12-11  Keith Miller  <keith_miller@apple.com>
3369
3370         [ES6] Add support for Symbol.hasInstance
3371         https://bugs.webkit.org/show_bug.cgi?id=151839
3372
3373         Reviewed by Saam Barati.
3374
3375         This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
3376         regressions several new bytecodes and DFG IR nodes were necessary. Before, Symbol.hasInstance
3377         when executing an&n