[EFL][GTK][WK2] Fix UIProcess build with GStreamer and without VIDEO

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>

        Ensure that CF_AVAILABLE is undefined when building webkit-gtk

        https://bugs.webkit.org/show_bug.cgi?id=152720

        This change ensures that CF_AVAILABLE is correctly a no-op to
        address build failure that was observed when building on older
        versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
        re-defined to the system header value based on include-order.

        Reviewed by Michael Catanzaro.

        * API/WebKitAvailability.h:

2016-01-17  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix regT2 and regT3 trampling in MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=153131

        Mips $t2 and $t3 registers were used as temporary registers
        in MacroAssemblerMIPS.h, whereas they are mapped to regT2
        and regT3 in LLInt and GPRInfo.

        This patch rearranges register mapping for the mips architecture:
        - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
        - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
        - remove $t6 from temp registers list in LLInt
        - update GPRInfo.h accordingly
        - add mips macroScratchRegisters() list in RegisterSet.cpp

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::macroScratchRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * offlineasm/mips.rb:

2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
        https://bugs.webkit.org/show_bug.cgi?id=146934

        Reviewed by Saam Barati.
        
        Added support of destructuring parameters, before arrow function expect only simple parameters,
        e.g. (), (x), (x, y) or x in assigment expressio. To support destructuring parameters added
        additional check that check for destructuring paramters if check does not pass for simple parameters.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:

2016-01-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
        https://bugs.webkit.org/show_bug.cgi?id=153065

        Reviewed by Mark Lam.
        Reviewed by Filip Pizlo.

        On ARM64, we cannot use signed 32bits offset for memory addressing.
        There are two available addressing: signed 9bits and unsigned scaled 12bits.
        Air already knows about it.

        In this patch, the offsets are changed to something valid for ARM64
        prior to lowering. When an offset is invalid, it is just computed
        before the instruction and used as the base for addressing.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3LegalizeMemoryOffsets.cpp: Added.
        (JSC::B3::legalizeMemoryOffsets):
        * b3/B3LegalizeMemoryOffsets.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadWithOffsetImpl):
        (JSC::B3::testLoadOffsetImm9Max):
        (JSC::B3::testLoadOffsetImm9MaxPlusOne):
        (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
        (JSC::B3::testLoadOffsetImm9Min):
        (JSC::B3::testLoadOffsetImm9MinMinusOne):
        (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
        (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
        (JSC::B3::run):

2016-01-15  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153142

        Reviewed by Brent Fulgham.

        The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
        Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
        Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
        the forwarding headers, but removing it allows builds form directories that are not named JavaScriptCore.

        * ForwardingHeaders/JavaScriptCore/APICast.h:
        * ForwardingHeaders/JavaScriptCore/JSBase.h:
        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
        * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
        * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
        * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
        * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
        * ForwardingHeaders/JavaScriptCore/JavaScript.h:
        * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
        * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
        * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:

2016-01-15  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153127

        Reviewed by Alex Christensen.

        MSVC have several overloads of fmod, pow, and ceil. We need to suggest to MSVC
        which one we want to use.

        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3MathExtras.cpp:
        (JSC::B3::powDoubleInt32):
        * b3/B3ReduceStrength.cpp:

2016-01-15  Filip Pizlo  <fpizlo@apple.com>

        Air needs a Shuffle instruction
        https://bugs.webkit.org/show_bug.cgi?id=152952

        Reviewed by Saam Barati.

        This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
        multiple moves to perform arbitrary permutations over registers and memory. We call these
        rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
        c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
        use immediates as their source.

        Shuffle is added as a custom instruction, since it has a variable number of arguments. It
        takes any number of triplets of arguments, where each triplet describes one mapping of the
        shuffle. For example, to represent (a => b, b => c), we might say:

            Shuffle %a, %b, 64, %b, %c, 64

        Note the "64"s, those are width arguments that describe how many bits of the register are
        being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
        most relevant part of it is the pair of registers or memroy locations (i.e. %a, %b form one
        of the pairs in the example). For GP arguments, the width follows ZDef semantics.

        In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
        how to use it:

        - C calling convention argument marshalling. Previously we used move instructions. But that's
          problematic since it introduces artificial interference between the argument registers and
          the inputs. Using Shuffle removes that interference. This helps a bit.

        - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
          a cold path, then we want it to appear to the register allocator like it doesn't clobber
          any registers. Only after register allocation should we handle the clobbering by simply
          saving all of the live volatile registers to the stack. If you imagine the saving and the
          argument marshalling, you can see how before the call, we want to have a Shuffle that does
          both of those things. This is important. If argument marshalling was separate from the
          saving, then we'd still appear to clobber argument registers. Doing them together as one
          Shuffle means that the cold call doesn't appear to even clobber the argument registers.

        Unfortunately, I was wrong about cold C calls being the dominant problem with our register
        allocator right now. Fixing this revealed other problems in my current tuning benchmark,
        Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
        functionality we will need to implement other optimizations.

        Relanding after fixing production build.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::isX86_64):
        (JSC::isIOS):
        (JSC::optimizeForARMv7IDIVSupported):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::swap32):
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::swap64):
        (JSC::MacroAssemblerX86_64::move64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgl_rm):
        (JSC::X86Assembler::xchgq_rr):
        (JSC::X86Assembler::xchgq_rm):
        (JSC::X86Assembler::movl_rr):
        * b3/B3CCallValue.h:
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        (JSC::B3::Compilation::~Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
        * b3/B3OpaqueByproducts.h:
        (JSC::B3::OpaqueByproducts::count):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForValue):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isStackMemory):
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::usesTmp):
        (JSC::B3::Air::Arg::canRepresent):
        (JSC::B3::Air::Arg::isCompatibleType):
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::forEachType):
        (JSC::B3::Air::Arg::isWarmUse):
        (JSC::B3::Air::Arg::cooled):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::imm64):
        (JSC::B3::Air::Arg::immPtr):
        (JSC::B3::Air::Arg::addr):
        (JSC::B3::Air::Arg::special):
        (JSC::B3::Air::Arg::widthArg):
        (JSC::B3::Air::Arg::operator==):
        (JSC::B3::Air::Arg::isImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::isAddr):
        (JSC::B3::Air::Arg::isIndex):
        (JSC::B3::Air::Arg::isMemory):
        (JSC::B3::Air::Arg::isRelCond):
        (JSC::B3::Air::Arg::isSpecial):
        (JSC::B3::Air::Arg::isWidthArg):
        (JSC::B3::Air::Arg::isAlive):
        (JSC::B3::Air::Arg::base):
        (JSC::B3::Air::Arg::hasOffset):
        (JSC::B3::Air::Arg::offset):
        (JSC::B3::Air::Arg::width):
        (JSC::B3::Air::Arg::isGPTmp):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isGPR):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::forEachTmpFast):
        * b3/air/AirBasicBlock.h:
        (JSC::B3::Air::BasicBlock::insts):
        (JSC::B3::Air::BasicBlock::appendInst):
        (JSC::B3::Air::BasicBlock::append):
        * b3/air/AirCCallingConvention.cpp: Added.
        (JSC::B3::Air::computeCCallingConvention):
        (JSC::B3::Air::cCallResult):
        (JSC::B3::Air::buildCCall):
        * b3/air/AirCCallingConvention.h: Added.
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::proc):
        * b3/air/AirCustom.cpp: Added.
        (JSC::B3::Air::CCallCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::generate):
        (JSC::B3::Air::ShuffleCustom::isValidForm):
        (JSC::B3::Air::ShuffleCustom::generate):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::generate):
        (JSC::B3::Air::CCallCustom::forEachArg):
        (JSC::B3::Air::CCallCustom::isValidFormStatic):
        (JSC::B3::Air::CCallCustom::admitsStack):
        (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::ColdCCallCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
        (JSC::B3::Air::ShuffleCustom::admitsStack):
        (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
        * b3/air/AirEmitShuffle.cpp: Added.
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h: Added.
        (JSC::B3::Air::ShufflePair::ShufflePair):
        (JSC::B3::Air::ShufflePair::src):
        (JSC::B3::Air::ShufflePair::dst):
        (JSC::B3::Air::ShufflePair::width):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirInsertionSet.cpp:
        (JSC::B3::Air::InsertionSet::insertInsts):
        (JSC::B3::Air::InsertionSet::execute):
        * b3/air/AirInsertionSet.h:
        (JSC::B3::Air::InsertionSet::insertInst):
        (JSC::B3::Air::InsertionSet::insert):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::operator bool):
        (JSC::B3::Air::Inst::append):
        * b3/air/AirLowerAfterRegAlloc.cpp: Added.
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerAfterRegAlloc.h: Added.
        * b3/air/AirLowerMacros.cpp: Added.
        (JSC::B3::Air::lowerMacros):
        * b3/air/AirLowerMacros.h: Added.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirRegisterPriority.h:
        (JSC::B3::Air::regsInPriorityOrder):
        * b3/air/testair.cpp: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (JSC::B3::Air::compile):
        (JSC::B3::Air::invoke):
        (JSC::B3::Air::compileAndRun):
        (JSC::B3::Air::testSimple):
        (JSC::B3::Air::loadConstantImpl):
        (JSC::B3::Air::loadConstant):
        (JSC::B3::Air::loadDoubleConstant):
        (JSC::B3::Air::testShuffleSimpleSwap):
        (JSC::B3::Air::testShuffleSimpleShift):
        (JSC::B3::Air::testShuffleLongShift):
        (JSC::B3::Air::testShuffleLongShiftBackwards):
        (JSC::B3::Air::testShuffleSimpleRotate):
        (JSC::B3::Air::testShuffleSimpleBroadcast):
        (JSC::B3::Air::testShuffleBroadcastAllRegs):
        (JSC::B3::Air::testShuffleTreeShift):
        (JSC::B3::Air::testShuffleTreeShiftBackward):
        (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
        (JSC::B3::Air::testShuffleMultipleShifts):
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::testShuffleMultipleRotates):
        (JSC::B3::Air::testShuffleShiftAndRotate):
        (JSC::B3::Air::testShuffleShiftAllRegs):
        (JSC::B3::Air::testShuffleRotateAllRegs):
        (JSC::B3::Air::testShuffleSimpleSwap64):
        (JSC::B3::Air::testShuffleSimpleShift64):
        (JSC::B3::Air::testShuffleSwapMixedWidth):
        (JSC::B3::Air::testShuffleShiftMixedWidth):
        (JSC::B3::Air::testShuffleShiftMemory):
        (JSC::B3::Air::testShuffleShiftMemoryLong):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
        (JSC::B3::Air::combineHiLo):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemory):
        (JSC::B3::Air::testShuffleRotateMemory64):
        (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleSwapDouble):
        (JSC::B3::Air::testShuffleShiftDouble):
        (JSC::B3::Air::run):
        (run):
        (main):
        * b3/testb3.cpp:
        (JSC::B3::testCallSimple):
        (JSC::B3::testCallRare):
        (JSC::B3::testCallRareLive):
        (JSC::B3::testCallSimplePure):
        (JSC::B3::run):

2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147611

        Reviewed by Benjamin Poulain.

        Expose dateProtoFuncGetTime as thisTimeValue for builtins.
        Remove unused code in DateTimeFormat toDateTimeOptions, and make the
        function specific to the call in initializeDateTimeFormat. Properly
        throw when the options parameter is null.
        Add toLocaleString in builtin JavaScript, with it's own specific branch
        of toDateTimeOptions.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/DatePrototype.js: Added.
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        * runtime/CommonIdentifiers.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::toDateTimeOptions): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Implemented emitFunctionPrologue/Epilogue
        https://bugs.webkit.org/show_bug.cgi?id=152947

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::popPair):
        (JSC::MacroAssemblerMIPS::pushPair):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
        (JSC::AssemblyHelpers::emitFunctionEpilogue):

2016-01-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195084.
        https://bugs.webkit.org/show_bug.cgi?id=153132

        Broke Production build (Requested by ap on #webkit).

        Reverted changeset:

        "Air needs a Shuffle instruction"
        https://bugs.webkit.org/show_bug.cgi?id=152952
        http://trac.webkit.org/changeset/195084

2016-01-15  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add countLeadingZeros32 implementation in macro assembler
        https://bugs.webkit.org/show_bug.cgi?id=152886

        Reviewed by Michael Saboff.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lui):
        (JSC::MIPSAssembler::clz):
        (JSC::MIPSAssembler::addiu):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::countLeadingZeros32):
        (JSC::MacroAssemblerMIPS::lshift32):

2016-01-14  Filip Pizlo  <fpizlo@apple.com>

        Air needs a Shuffle instruction
        https://bugs.webkit.org/show_bug.cgi?id=152952

        Reviewed by Saam Barati.

        This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
        multiple moves to perform arbitrary permutations over registers and memory. We call these
        rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
        c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
        use immediates as their source.

        Shuffle is added as a custom instruction, since it has a variable number of arguments. It
        takes any number of triplets of arguments, where each triplet describes one mapping of the
        shuffle. For example, to represent (a => b, b => c), we might say:

            Shuffle %a, %b, 64, %b, %c, 64

        Note the "64"s, those are width arguments that describe how many bits of the register are
        being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
        most relevant part of it is the pair of registers or memroy locations (i.e. %a, %b form one
        of the pairs in the example). For GP arguments, the width follows ZDef semantics.

        In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
        how to use it:

        - C calling convention argument marshalling. Previously we used move instructions. But that's
          problematic since it introduces artificial interference between the argument registers and
          the inputs. Using Shuffle removes that interference. This helps a bit.

        - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
          a cold path, then we want it to appear to the register allocator like it doesn't clobber
          any registers. Only after register allocation should we handle the clobbering by simply
          saving all of the live volatile registers to the stack. If you imagine the saving and the
          argument marshalling, you can see how before the call, we want to have a Shuffle that does
          both of those things. This is important. If argument marshalling was separate from the
          saving, then we'd still appear to clobber argument registers. Doing them together as one
          Shuffle means that the cold call doesn't appear to even clobber the argument registers.

        Unfortunately, I was wrong about cold C calls being the dominant problem with our register
        allocator right now. Fixing this revealed other problems in my current tuning benchmark,
        Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
        functionality we will need to implement other optimizations.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::isX86_64):
        (JSC::isIOS):
        (JSC::optimizeForARMv7IDIVSupported):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::swap32):
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::swap64):
        (JSC::MacroAssemblerX86_64::move64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgl_rm):
        (JSC::X86Assembler::xchgq_rr):
        (JSC::X86Assembler::xchgq_rm):
        (JSC::X86Assembler::movl_rr):
        * b3/B3CCallValue.h:
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        (JSC::B3::Compilation::~Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
        * b3/B3OpaqueByproducts.h:
        (JSC::B3::OpaqueByproducts::count):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForValue):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isStackMemory):
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::usesTmp):
        (JSC::B3::Air::Arg::canRepresent):
        (JSC::B3::Air::Arg::isCompatibleType):
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::forEachType):
        (JSC::B3::Air::Arg::isWarmUse):
        (JSC::B3::Air::Arg::cooled):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::imm64):
        (JSC::B3::Air::Arg::immPtr):
        (JSC::B3::Air::Arg::addr):
        (JSC::B3::Air::Arg::special):
        (JSC::B3::Air::Arg::widthArg):
        (JSC::B3::Air::Arg::operator==):
        (JSC::B3::Air::Arg::isImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::isAddr):
        (JSC::B3::Air::Arg::isIndex):
        (JSC::B3::Air::Arg::isMemory):
        (JSC::B3::Air::Arg::isRelCond):
        (JSC::B3::Air::Arg::isSpecial):
        (JSC::B3::Air::Arg::isWidthArg):
        (JSC::B3::Air::Arg::isAlive):
        (JSC::B3::Air::Arg::base):
        (JSC::B3::Air::Arg::hasOffset):
        (JSC::B3::Air::Arg::offset):
        (JSC::B3::Air::Arg::width):
        (JSC::B3::Air::Arg::isGPTmp):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isGPR):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::forEachTmpFast):
        * b3/air/AirBasicBlock.h:
        (JSC::B3::Air::BasicBlock::insts):
        (JSC::B3::Air::BasicBlock::appendInst):
        (JSC::B3::Air::BasicBlock::append):
        * b3/air/AirCCallingConvention.cpp: Added.
        (JSC::B3::Air::computeCCallingConvention):
        (JSC::B3::Air::cCallResult):
        (JSC::B3::Air::buildCCall):
        * b3/air/AirCCallingConvention.h: Added.
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::proc):
        * b3/air/AirCustom.cpp: Added.
        (JSC::B3::Air::CCallCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::generate):
        (JSC::B3::Air::ShuffleCustom::isValidForm):
        (JSC::B3::Air::ShuffleCustom::generate):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::generate):
        (JSC::B3::Air::CCallCustom::forEachArg):
        (JSC::B3::Air::CCallCustom::isValidFormStatic):
        (JSC::B3::Air::CCallCustom::admitsStack):
        (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::ColdCCallCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
        (JSC::B3::Air::ShuffleCustom::admitsStack):
        (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
        * b3/air/AirEmitShuffle.cpp: Added.
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h: Added.
        (JSC::B3::Air::ShufflePair::ShufflePair):
        (JSC::B3::Air::ShufflePair::src):
        (JSC::B3::Air::ShufflePair::dst):
        (JSC::B3::Air::ShufflePair::width):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirInsertionSet.cpp:
        (JSC::B3::Air::InsertionSet::insertInsts):
        (JSC::B3::Air::InsertionSet::execute):
        * b3/air/AirInsertionSet.h:
        (JSC::B3::Air::InsertionSet::insertInst):
        (JSC::B3::Air::InsertionSet::insert):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::operator bool):
        (JSC::B3::Air::Inst::append):
        * b3/air/AirLowerAfterRegAlloc.cpp: Added.
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerAfterRegAlloc.h: Added.
        * b3/air/AirLowerMacros.cpp: Added.
        (JSC::B3::Air::lowerMacros):
        * b3/air/AirLowerMacros.h: Added.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirRegisterPriority.h:
        (JSC::B3::Air::regsInPriorityOrder):
        * b3/air/testair.cpp: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (JSC::B3::Air::compile):
        (JSC::B3::Air::invoke):
        (JSC::B3::Air::compileAndRun):
        (JSC::B3::Air::testSimple):
        (JSC::B3::Air::loadConstantImpl):
        (JSC::B3::Air::loadConstant):
        (JSC::B3::Air::loadDoubleConstant):
        (JSC::B3::Air::testShuffleSimpleSwap):
        (JSC::B3::Air::testShuffleSimpleShift):
        (JSC::B3::Air::testShuffleLongShift):
        (JSC::B3::Air::testShuffleLongShiftBackwards):
        (JSC::B3::Air::testShuffleSimpleRotate):
        (JSC::B3::Air::testShuffleSimpleBroadcast):
        (JSC::B3::Air::testShuffleBroadcastAllRegs):
        (JSC::B3::Air::testShuffleTreeShift):
        (JSC::B3::Air::testShuffleTreeShiftBackward):
        (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
        (JSC::B3::Air::testShuffleMultipleShifts):
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::testShuffleMultipleRotates):
        (JSC::B3::Air::testShuffleShiftAndRotate):
        (JSC::B3::Air::testShuffleShiftAllRegs):
        (JSC::B3::Air::testShuffleRotateAllRegs):
        (JSC::B3::Air::testShuffleSimpleSwap64):
        (JSC::B3::Air::testShuffleSimpleShift64):
        (JSC::B3::Air::testShuffleSwapMixedWidth):
        (JSC::B3::Air::testShuffleShiftMixedWidth):
        (JSC::B3::Air::testShuffleShiftMemory):
        (JSC::B3::Air::testShuffleShiftMemoryLong):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
        (JSC::B3::Air::combineHiLo):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemory):
        (JSC::B3::Air::testShuffleRotateMemory64):
        (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleSwapDouble):
        (JSC::B3::Air::testShuffleShiftDouble):
        (JSC::B3::Air::run):
        (run):
        (main):
        * b3/testb3.cpp:
        (JSC::B3::testCallSimple):
        (JSC::B3::testCallRare):
        (JSC::B3::testCallRareLive):
        (JSC::B3::testCallSimplePure):
        (JSC::B3::run):

2016-01-14  Keith Miller  <keith_miller@apple.com>

        Unreviewed mark passing es6 tests as no longer failing.

        * tests/es6.yaml:

2016-01-14  Keith Miller  <keith_miller@apple.com>

        [ES6] Support subclassing Function.
        https://bugs.webkit.org/show_bug.cgi?id=153081

        Reviewed by Geoffrey Garen.

        This patch enables subclassing the Function object. It also fixes an existing
        bug that prevented users from subclassing functions that have a function in
        the superclass's prototype property.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        (JSC::JSFunction::JSFunction): Deleted.
        * tests/stress/class-subclassing-function.js: Added.

2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>

        [CMake] Do not use LLVM static libraries for FTL JIT
        https://bugs.webkit.org/show_bug.cgi?id=151559

        Reviewed by Michael Catanzaro.

        Allow ports decide whether to prefer linking to llvm static or
        dynamic libraries. This patch only changes the behavior of the GTK
        port, other ports can change the default behavior by setting
        llvmForJSC_LIBRARIES in their platform specific cmake files.

        * CMakeLists.txt: Move llvmForJSC library definition after the
        WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
        files to set their own llvmForJSC_LIBRARIES. When not set, it
        defaults to LLVM_STATIC_LIBRARIES. The command to create
        WebKitLLVMLibraryToken.h no longer depends on the static
        libraries, since we are going to make the build fail anyway when
        not found in case of linking to the static libraries. If platform
        specific file defined llvmForJSC_INSTALL_DIR llvmForJSC is also
        installed to the given destination.
        * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
        llvmForJSC_INSTALL_DIR.

2016-01-13  Saam barati  <sbarati@apple.com>

        NativeExecutable should have a name field
        https://bugs.webkit.org/show_bug.cgi?id=153083

        Reviewed by Geoffrey Garen.

        This is going to help the SamplingProfiler come up
        with names for NativeExecutable objects it encounters.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::finalize):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * runtime/Executable.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::lookUpOrCreateNativeExecutable):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        (JSC::VM::getHostFunction):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        (JSC::VM::exceptionOffset):

2016-01-13  Keith Miller  <keith_miller@apple.com>

        [ES6] Support subclassing the String builtin object
        https://bugs.webkit.org/show_bug.cgi?id=153068

        Reviewed by Michael Saboff.

        This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
        the wrong indexing type for builtins constructed without storage.

        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * tests/stress/class-subclassing-string.js: Added.
        (test):

2016-01-13  Mark Lam  <mark.lam@apple.com>

        The StringFromCharCode DFG intrinsic should support untyped operands.
        https://bugs.webkit.org/show_bug.cgi?id=153046

        Reviewed by Geoffrey Garen.

        The current StringFromCharCode DFG intrinsic assumes that its operand charCode
        must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
        crypto-aes benchmark.  With support for Untyped operands, the number of OSR
        exits drops to 202.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toUInt32):

2016-01-13  Mark Lam  <mark.lam@apple.com>

        Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
        https://bugs.webkit.org/show_bug.cgi?id=153080

        Reviewed by Geoffrey Garen.

        We currently have Graph::mulShouldSpeculateInt32/machineInt() and
        Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
        the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
        many other arith nodes in the DFG.  This patch renames these functions as
        Graph::binaryArithShouldSpeculateInt32/machineInt() and
        Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
        in the DFG.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
        https://bugs.webkit.org/show_bug.cgi?id=153072
        <rdar://problem/24168312>

        Reviewed by Timothy Hatcher.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseCommentDirective):
        Just keep overwriting the member variable so we end up with
        the last directive value.

2016-01-13  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194969.
        https://bugs.webkit.org/show_bug.cgi?id=153075

        This change broke the iOS build (Requested by ryanhaddad on
        #webkit).

        Reverted changeset:

        "[JSC] Legalize Memory Offsets for ARM64 before lowering to
        Air"
        https://bugs.webkit.org/show_bug.cgi?id=153065
        http://trac.webkit.org/changeset/194969

2016-01-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
        https://bugs.webkit.org/show_bug.cgi?id=153065

        Reviewed by Mark Lam.
        Reviewed by Filip Pizlo.

        On ARM64, we cannot use signed 32bits offset for memory addressing.
        There are two available addressing: signed 9bits and unsigned scaled 12bits.
        Air already knows about it.

        In this patch, the offsets are changed to something valid for ARM64
        prior to lowering. When an offset is invalid, it is just computed
        before the instruction and used as the base for addressing.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3LegalizeMemoryOffsets.cpp: Added.
        (JSC::B3::legalizeMemoryOffsets):
        * b3/B3LegalizeMemoryOffsets.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadWithOffsetImpl):
        (JSC::B3::testLoadOffsetImm9Max):
        (JSC::B3::testLoadOffsetImm9MaxPlusOne):
        (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
        (JSC::B3::testLoadOffsetImm9Min):
        (JSC::B3::testLoadOffsetImm9MinMinusOne):
        (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
        (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
        (JSC::B3::run):

2016-01-12  Per Arne Vollan  <peavo@outlook.com>

        [FTL][Win64] Compile error.
        https://bugs.webkit.org/show_bug.cgi?id=153031

        Reviewed by Brent Fulgham.

        The header file dlfcn.h does not exist on Windows.

        * ftl/FTLLowerDFGToLLVM.cpp:

2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>

        Add a build flag for custom element
        https://bugs.webkit.org/show_bug.cgi?id=153005

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-01-12  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove some invalid immediate instruction forms from ARM64 Air
        https://bugs.webkit.org/show_bug.cgi?id=153024

        Reviewed by Michael Saboff.

        * b3/B3BasicBlock.h:
        Export the symbols for testb3.

        * b3/air/AirOpcode.opcodes:
        We had 2 invalid opcodes:
        -Compare with immediate just does not exist.
        -Test64 with immediate exists but Air does not recognize
         the valid form of bit-immediates.

        * b3/testb3.cpp:
        (JSC::B3::genericTestCompare):
        (JSC::B3::testCompareImpl):
        Extend the tests to cover what was invalid.

2016-01-12  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JSC does not build with FTL_USES_B3 on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=153011

        Reviewed by Saam Barati.

        Apparently the static const member can only be used for constexpr.
        C++ is weird.

        * jit/GPRInfo.cpp:
        * jit/GPRInfo.h:

2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>

        Web Inspector: console.count() shouldn't show a colon in front of a number
        https://bugs.webkit.org/show_bug.cgi?id=152038

        Reviewed by Brian Burg.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count):
        Do not include title and colon if the title is empty.

2016-01-11  Dan Bernstein  <mitz@apple.com>

        Reverted r194317.

        Reviewed by Joseph Pecoraro.

        r194317 did not contain a change log entry, did not explain the motivation, did not name a
        reviewer, and does not seem necessary.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>

        keywords ("super", "delete", etc) should be valid method names
        https://bugs.webkit.org/show_bug.cgi?id=144281

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        - When parsing "static(" treat it as a method named "static" and not a static method.
        - When parsing a keyword treat it like a string method name (get and set are not keywords)
        - When parsing a getter / setter method name identifier, allow lookahead to be a keyword

        (JSC::Parser<LexerType>::parseGetterSetter):
        - When parsing the getter / setter's name, allow it to be a keyword.

2016-01-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add Div/Mod and fix Mul for B3 ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152978

        Reviewed by Filip Pizlo.

        Add the 3 operands forms of Mul.
        Remove the form taking immediate on ARM64, there are no such instruction.

        Add Div with sdiv.

        Unfortunately, I discovered ChillMod's division by zero
        makes it non-trivial on ARM64. I just made it into a macro like on x86.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::mul32):
        (JSC::MacroAssemblerARM64::mul64):
        (JSC::MacroAssemblerARM64::div32):
        (JSC::MacroAssemblerARM64::div64):
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:

2016-01-11  Keith Miller  <keith_miller@apple.com>

        Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
        https://bugs.webkit.org/show_bug.cgi?id=152949

        Reviewed by Michael Saboff.

        This patch updates Array constructors to use the new InternalFunctionAllocationProfile.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::constructWithArrayConstructor):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:

2016-01-08  Keith Miller  <keith_miller@apple.com>

        Use a profile to store allocation structures for subclasses of InternalFunctions
        https://bugs.webkit.org/show_bug.cgi?id=152942

        Reviewed by Michael Saboff.

        This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
        a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
        InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
        constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
        constructor as a new.target to any other constructor. This means that a user can pass some
        non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
        new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
        need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
        current constructor. By using different profiles, we only need to check the profile in InternalFunctions
        as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
        low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.

        Additionally, this patch adds subclassing to some omitted classes.

        * API/JSObjectRef.cpp:
        (JSObjectMakeDate):
        (JSObjectMakeRegExp):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/InternalFunctionAllocationProfile.h: Added.
        (JSC::InternalFunctionAllocationProfile::structure):
        (JSC::InternalFunctionAllocationProfile::clear):
        (JSC::InternalFunctionAllocationProfile::visitAggregate):
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::constructWithDateConstructor):
        * runtime/DateConstructor.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::create):
        (JSC::FunctionRareData::visitChildren):
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        (JSC::FunctionRareData::finishCreation): Deleted.
        (JSC::FunctionRareData::initialize): Deleted.
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
        (JSC::FunctionRareData::objectAllocationProfile):
        (JSC::FunctionRareData::objectAllocationStructure):
        (JSC::FunctionRareData::allocationProfileWatchpointSet):
        (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
        (JSC::FunctionRareData::internalFunctionAllocationStructure):
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
        (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
        (JSC::FunctionRareData::allocationProfile): Deleted.
        (JSC::FunctionRareData::allocationStructure): Deleted.
        (JSC::FunctionRareData::isInitialized): Deleted.
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::allocateRareData):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        * runtime/JSFunction.h:
        (JSC::JSFunction::rareData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::typeInfo):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakSet.cpp:
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::getRegExpStructure):
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tests/stress/class-subclassing-misc.js:
        (A):
        (D):
        (E):
        (WM):
        (WS):
        (test):
        * tests/stress/class-subclassing-typedarray.js: Added.
        (test):

2016-01-11  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile error.
        https://bugs.webkit.org/show_bug.cgi?id=152984

        Reviewed by Alex Christensen.

        Windows does not have bzero, use memset instead.

        * b3/air/AirIteratedRegisterCoalescing.cpp:

2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=152923

        Reviewed by Alex Christensen.

        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::assumeCalleeIsCell):

2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>

        [B3] Fix control reaches end of non-void function GCC warnings on Linux
        https://bugs.webkit.org/show_bug.cgi?id=152887

        Reviewed by Mark Lam.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createBranch):
        (JSC::B3::Air::LowerToAir::createCompare):
        (JSC::B3::Air::LowerToAir::createSelect):
        * b3/B3Type.h:
        (JSC::B3::sizeofType):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isRepresentableAs):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isAnyUse):
        (JSC::B3::Air::Arg::isColdUse):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::isLateUse):
        (JSC::B3::Air::Arg::isAnyDef):
        (JSC::B3::Air::Arg::isEarlyDef):
        (JSC::B3::Air::Arg::isLateDef):
        (JSC::B3::Air::Arg::isZDef):
        (JSC::B3::Air::Arg::widthForB3Type):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::newTmp):
        (JSC::B3::Air::Code::numTmps):

2016-01-11  Filip Pizlo  <fpizlo@apple.com>

        Make it easier to introduce exotic instructions to Air
        https://bugs.webkit.org/show_bug.cgi?id=152953

        Reviewed by Benjamin Poulain.

        Currently, you can define new "opcodes" in Air using either:

        1) New opcode declared in AirOpcode.opcodes.
        2) Patch opcode with a new implementation of Air::Special.

        With (1), you are limited to fixed-argument-length instructions. There are other
        restrictions as well, like that you can only use the roles that the AirOpcode syntax
        supports.

        With (2), you can do anything you like, but the instruction will be harder to match
        since it will share the same opcode as any other Patch. Also, the instruction will have
        the Special argument, which means more busy-work when creating the instruction and
        validating it.

        This introduces an in-between facility called "custom". This replaces what AirOpcode
        previously called "special". A custom instruction is one whose behavior is defined by a
        FooCustom struct with some static methods. Calls to those methods are emitted by
        opcode_generator.rb.

        The "custom" facility is powerful enough to be used to implement Patch, with the caveat
        that we now treat the Patch instruction specially in a few places. Those places were
        already effectively treating it specially by assuming that only Patch instructions have
        a Special as their first argument.

        This will let me implement the Shuffle instruction (bug 152952), which I think is needed
        for performance work.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirCustom.h: Added.
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::PatchCustom::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::forEach):
        (JSC::B3::Air::Inst::extraClobberedRegs):
        (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
        (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::hasSpecial): Deleted.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/opcode_generator.rb:

2016-01-11  Filip Pizlo  <fpizlo@apple.com>

        Turn Check(true) into Patchpoint() followed by Oops
        https://bugs.webkit.org/show_bug.cgi?id=152968

        Reviewed by Benjamin Poulain.

        This is an obvious strength reduction to have, especially since if we discover that the
        input to the Check is true after some amount of B3 optimization, then stubbing out the rest
        of the basic block unlocks CFG simplification opportunities.

        It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
        implement sinking (bug 152162).

        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::convertToOops):
        (JSC::B3::ControlValue::dumpMeta):
        * b3/B3ControlValue.h:
        * b3/B3InsertionSet.h:
        (JSC::B3::InsertionSet::insertValue):
        * b3/B3InsertionSetInlines.h:
        (JSC::B3::InsertionSet::insert):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapValue.h:
        * b3/B3Value.h:
        * tests/stress/ftl-force-osr-exit.js: Added.

2016-01-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
        https://bugs.webkit.org/show_bug.cgi?id=152840

        Reviewed by Mark Lam.

        ARM64 has two kinds of addressing with immediates:
        -Signed 9bits direct (really only -256 to 255).
        -Unsigned 12bits scaled by the load/store size.

        When resolving the stack addresses, we easily run
        past -256 bytes from FP. Addressing from SP gives us more
        room to address the stack efficiently because we can
        use unsigned immediates.

        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):

2016-01-10  Saam barati  <sbarati@apple.com>

        Implement a sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=151713

        Reviewed by Filip Pizlo.

        This patch implements a sampling profiler for JavaScriptCore
        that will be used in the Inspector UI. The implementation works as follows:
        We queue the sampling profiler to run a task on a background
        thread every 1ms. When the queued task executes, the sampling profiler
        will pause the JSC execution thread and attempt to take a stack trace. 
        The sampling profiler does everything it can to be very careful
        while taking this stack trace. Because it's reading arbitrary memory,
        the sampling profiler must validate every pointer it reads from.

        The sampling profiler tries to get an ExecutableBase for every call frame
        it reads. It first tries to read the CodeBlock slot. It does this because
        it can be 100% certain that a pointer is a CodeBlock while it's taking a
        stack trace. But, not every call frame will have a CodeBlock. So we must read
        the call frame's callee. For these stack traces where we read the callee, we
        must verify the callee pointer, and the pointer traversal to an ExecutableBase,
        on the main JSC execution thread, and not on the thread taking the stack
        trace. We do this verification either before we run the marking phase in
        GC, or when somebody asks the SamplingProfiler to materialize its data.

        The SamplingProfiler must also be careful to not grab any locks while the JSC execution
        thread is paused (this means it can't do anything that mallocs) because
        that could cause a deadlock. Therefore, the sampling profiler grabs
        locks for all data structures it consults before it pauses the JSC
        execution thread.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGNodeType.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::lastChanceToFinalize):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::remove): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::getLock):
        (JSC::CodeBlockSet::iterate):
        The sampling pofiler uses the heap's CodeBlockSet to validate
        CodeBlock pointers. This data structure must now be under a lock
        because we must be certain we're not pausing the JSC execution thread
        while it's manipulating this data structure.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        (JSC::CompositeMarkHook::CompositeMarkHook):
        (JSC::CompositeMarkHook::mark):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::snapshotMarkedSpace):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        (JSC::Heap::codeBlockSet):
        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::isThreadInList):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::~Thread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::pthreadSignalHandlerSuspendResume): Deleted.
        (JSC::MachineThreads::Thread::operator!=): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threadsListHead):
        We can now ask a MachineThreads::Thread for its frame pointer
        and program counter on darwin and windows platforms. efl
        and gtk implementations will happen in another patch.

        * heap/MarkedBlockSet.h:
        (JSC::MarkedBlockSet::getLock):
        (JSC::MarkedBlockSet::add):
        (JSC::MarkedBlockSet::remove):
        (JSC::MarkedBlockSet::recomputeFilter):
        (JSC::MarkedBlockSet::filter):
        (JSC::MarkedBlockSet::set):
        * heap/MarkedSpace.cpp:
        (JSC::Free::Free):
        (JSC::Free::operator()):
        (JSC::FreeOrShrink::FreeOrShrink):
        (JSC::FreeOrShrink::operator()):
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::freeBlock):
        (JSC::MarkedSpace::freeOrShrinkBlock):
        (JSC::MarkedSpace::shrink):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachLiveCell):
        (JSC::MarkedSpace::forEachDeadCell):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::committedByteCount):
        The sampling profiler consults the ExecutableAllocator to check
        if the frame pointer it reads is in executable allocated memory.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntPCRanges.h: Added.
        (JSC::LLInt::isLLIntPC):
        * offlineasm/asm.rb:
        I added the ability to test whether the PC is executing
        LLInt code because this code is not part of the memory
        our executable allocator allocates.

        * runtime/Executable.h:
        (JSC::ExecutableBase::isModuleProgramExecutable):
        (JSC::ExecutableBase::isExecutableType):
        (JSC::ExecutableBase::isHostFunction):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp: Added.
        (JSC::reportStats):
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::wasValidWalk):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::FrameWalker::isAtTop):
        (JSC::FrameWalker::resetAtMachineFrame):
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::FrameWalker::isValidCodeBlock):
        (JSC::FrameWalker::tryToGetExecutableFromCallee):
        The FrameWalker class is used to walk the stack in a safe
        manner. It doesn't do anything that would deadlock, and it
        validates all pointers that it sees.

        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::~SamplingProfiler):
        (JSC::SamplingProfiler::visit):
        (JSC::SamplingProfiler::shutdown):
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::pause):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        (JSC::SamplingProfiler::dispatchIfNecessary):
        (JSC::SamplingProfiler::dispatchFunction):
        (JSC::SamplingProfiler::noticeJSLockAcquisition):
        (JSC::SamplingProfiler::noticeVMEntry):
        (JSC::SamplingProfiler::observeStackTrace):
        (JSC::SamplingProfiler::clearData):
        (JSC::displayName):
        (JSC::startLine):
        (JSC::startColumn):
        (JSC::sourceID):
        (JSC::url):
        (JSC::SamplingProfiler::stacktracesAsJSON):
        * runtime/SamplingProfiler.h: Added.
        (JSC::SamplingProfiler::getLock):
        (JSC::SamplingProfiler::setTimingInterval):
        (JSC::SamplingProfiler::stackTraces):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::setLastStackTop):
        (JSC::VM::createContextGroup):
        (JSC::VM::ensureWatchdog):
        (JSC::VM::ensureSamplingProfiler):
        (JSC::thunkGeneratorForIntrinsic):
        * runtime/VM.h:
        (JSC::VM::watchdog):
        (JSC::VM::isSafeToRecurse):
        (JSC::VM::lastStackTop):
        (JSC::VM::scratchBufferForSize):
        (JSC::VM::samplingProfiler):
        (JSC::VM::setShouldRewriteConstAsVar):
        (JSC::VM::setLastStackTop): Deleted.
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * tests/stress/sampling-profiler: Added.
        * tests/stress/sampling-profiler-anonymous-function.js: Added.
        (foo):
        (baz):
        * tests/stress/sampling-profiler-basic.js: Added.
        (bar):
        (foo):
        (nothing):
        (top):
        (jaz):
        (kaz):
        (checkInlining):
        * tests/stress/sampling-profiler-deep-stack.js: Added.
        (foo):
        (hellaDeep):
        (start):
        * tests/stress/sampling-profiler-microtasks.js: Added.
        (testResults):
        (loop.jaz):
        (loop):
        * tests/stress/sampling-profiler/samplingProfiler.js: Added.
        (assert):
        (let.nodePrototype.makeChildIfNeeded):
        (makeNode):
        (updateCallingContextTree):
        (doesTreeHaveStackTrace):
        (makeTree):
        (runTest):
        (dumpTree):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::isInObjectSpace):
        (JSC::JSDollarVMPrototype::isInStorageSpace):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        We now have a boolean that's set to true when
        we're executing a RegExp, and to false otherwise.
        The boolean lives off of VM.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGNodeType.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::lastChanceToFinalize):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::remove): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::getLock):
        (JSC::CodeBlockSet::iterate):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::add):
        (JSC::CompositeMarkHook::CompositeMarkHook):
        (JSC::CompositeMarkHook::mark):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        (JSC::Heap::codeBlockSet):
        * heap/HeapInlines.h:
        (JSC::Heap::didFreeBlock):
        (JSC::Heap::isPointerGCObject):
        (JSC::Heap::isValueGCObject):
        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::isThreadInList):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::~Thread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::pthreadSignalHandlerSuspendResume): Deleted.
        (JSC::MachineThreads::Thread::operator!=): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threadsListHead):
        * heap/MarkedBlockSet.h:
        * heap/MarkedSpace.cpp:
        (JSC::Free::Free):
        (JSC::Free::operator()):
        (JSC::FreeOrShrink::FreeOrShrink):
        (JSC::FreeOrShrink::operator()):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::committedByteCount):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        (functionPlatformSupportsSamplingProfiler):
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntPCRanges.h: Added.
        (JSC::LLInt::isLLIntPC):
        * offlineasm/asm.rb:
        * runtime/Executable.h:
        (JSC::ExecutableBase::isModuleProgramExecutable):
        (JSC::ExecutableBase::isExecutableType):
        (JSC::ExecutableBase::isHostFunction):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp: Added.
        (JSC::reportStats):
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::wasValidWalk):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::FrameWalker::isAtTop):
        (JSC::FrameWalker::resetAtMachineFrame):
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::FrameWalker::isValidCodeBlock):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::~SamplingProfiler):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::visit):
        (JSC::SamplingProfiler::shutdown):
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::pause):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        (JSC::SamplingProfiler::dispatchIfNecessary):
        (JSC::SamplingProfiler::dispatchFunction):
        (JSC::SamplingProfiler::noticeJSLockAcquisition):
        (JSC::SamplingProfiler::noticeVMEntry):
        (JSC::SamplingProfiler::clearData):
        (JSC::displayName):
        (JSC::SamplingProfiler::stacktracesAsJSON):
        (WTF::printInternal):
        * runtime/SamplingProfiler.h: Added.
        (JSC::SamplingProfiler::StackFrame::StackFrame):
        (JSC::SamplingProfiler::getLock):
        (JSC::SamplingProfiler::setTimingInterval):
        (JSC::SamplingProfiler::stackTraces):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::setLastStackTop):
        (JSC::VM::createContextGroup):
        (JSC::VM::ensureWatchdog):
        (JSC::VM::ensureSamplingProfiler):
        (JSC::thunkGeneratorForIntrinsic):
        * runtime/VM.h:
        (JSC::VM::watchdog):
        (JSC::VM::samplingProfiler):
        (JSC::VM::isSafeToRecurse):
        (JSC::VM::lastStackTop):
        (JSC::VM::scratchBufferForSize):
        (JSC::VM::setLastStackTop): Deleted.
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * tests/stress/sampling-profiler: Added.
        * tests/stress/sampling-profiler-anonymous-function.js: Added.
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-basic.js: Added.
        (platformSupportsSamplingProfiler.bar):
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.nothing):
        (platformSupportsSamplingProfiler.top):
        (platformSupportsSamplingProfiler.jaz):
        (platformSupportsSamplingProfiler.kaz):
        (platformSupportsSamplingProfiler.checkInlining):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-deep-stack.js: Added.
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.let.hellaDeep):
        (platformSupportsSamplingProfiler.let.start):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-microtasks.js: Added.
        (platformSupportsSamplingProfiler.testResults):
        (platformSupportsSamplingProfiler):
        (platformSupportsSamplingProfiler.loop.jaz):
        (platformSupportsSamplingProfiler.loop):
        * tests/stress/sampling-profiler/samplingProfiler.js: Added.
        (assert):
        (let.nodePrototype.makeChildIfNeeded):
        (makeNode):
        (updateCallingContextTree):
        (doesTreeHaveStackTrace):
        (makeTree):
        (runTest):
        (dumpTree):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):

2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Iterating over a Set/Map is too slow
        https://bugs.webkit.org/show_bug.cgi?id=152691

        Reviewed by Saam Barati.

        Set#forEach and Set & for-of are very slow. There are 2 reasons.

        1. forEach is implemented in C++. And typically, taking JS callback and calling it from C++.

        C++ to JS transition seems costly. perf result in Linux machine shows this.

            Samples: 23K of event 'cycles', Event count (approx.): 21446074385
            34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
            20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
             9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
             7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
             5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f

        Writing forEach in JS eliminates this.

            Samples: 23K of event 'cycles', Event count (approx.): 21255691651
            62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
            24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
             0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
             0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
             0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
             0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
             0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)

        2. Iterator result object allocation is costly.

        Iterator result object allocation is costly. Even if the (1) is solved, when executing Set & for-of, perf result shows very slow performance due to (2).

            Samples: 108K of event 'cycles', Event count (approx.): 95529273748
            18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
            15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
            14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
            13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
             6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const

        In the long term, we should implement SetIterator#next in JS and make the iterator result object allocation written in JS to encourage object allocation elimination in FTL.
        But seeing the perf result, we can find the easy to fix bottleneck in the current implementation.
        Every time createIteratorResultObject creates the empty object and use putDirect to store properties.
        The pre-baked Structure* with `done` and `value` properties makes this implementation fast.

        After these improvements, the micro benchmark[1] shows the following.

        old:
            Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
            Array x 376,156 ops/sec ±0.20% (162 runs sampled)
            Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
            Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
            Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
            Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)

        new:
            Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
            Array x 371,347 ops/sec ±0.36% (162 runs sampled)
            Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
            Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
            Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
            Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)

        Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x, and 2.57x).
        After this optimizations, they are still much slower than linked list and array.
        This should be optimized in the long term.

        [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
        (forEach):
        * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
        (forEach):
        * runtime/CommonIdentifiers.h:
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        (JSC::createIteratorResultObject):
        * runtime/IteratorOperations.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::iteratorResultObjectStructure):
        (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
        (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::getOwnPropertySlot):
        (JSC::privateFuncIsMap):
        (JSC::privateFuncMapIterator):
        (JSC::privateFuncMapIteratorNext):
        (JSC::MapPrototype::finishCreation): Deleted.
        (JSC::mapProtoFuncForEach): Deleted.
        * runtime/MapPrototype.h:
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::getOwnPropertySlot):
        (JSC::privateFuncIsSet):
        (JSC::privateFuncSetIterator):
        (JSC::privateFuncSetIteratorNext):
        (JSC::SetPrototype::finishCreation): Deleted.
        (JSC::setProtoFuncForEach): Deleted.
        * runtime/SetPrototype.h:

2016-01-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARM64 build.

        * b3/air/AirOpcode.opcodes:

2016-01-10  Filip Pizlo  <fpizlo@apple.com>

        B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
        https://bugs.webkit.org/show_bug.cgi?id=152955

        Reviewed by Saam Barati.

        This happens when we box an int32 and then immediately unbox it.

        This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
        benchmark. It's neutral elsewhere.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testPowDoubleByIntegerLoop):
        (JSC::B3::testTruncOrHigh):
        (JSC::B3::testTruncOrLow):
        (JSC::B3::testBitAndOrHigh):
        (JSC::B3::testBitAndOrLow):
        (JSC::B3::zero):
        (JSC::B3::run):

2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
        https://bugs.webkit.org/show_bug.cgi?id=149855

        Reviewed by Saam Barati.

        JSArrowFunction.h/cpp were removed from JavaScriptCore, because now is used new approach for storing 
        'this', 'arguments' and 'super'

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSArrowFunction.cpp: Removed.
        * runtime/JSArrowFunction.h: Removed.
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:

2016-01-10  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to run liveness over registers without also tracking Tmps
        https://bugs.webkit.org/show_bug.cgi?id=152963

        Reviewed by Saam Barati.

        This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
        easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
        code like that for handling cold function calls. It also makes code like that somewhat more
        scalable, since we're no longer using HashSets.

        Currently, the way we track sets of registers is with a BitVector. Normally, we use the
        RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
        the liveness analysis, everything gets turned into an index. So, we want to use BitVector
        directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
        think that this is good, because the lack of set methods (add/remove/contains) has caused
        bugs in the past. This makes BitVector have methods both for set operations on bits and array
        operations on bits. I think that's good, since BitVector gets used in both contexts.

        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::Iterable::iterator::iterator):
        (JSC::B3::IndexSet::Iterable::begin):
        (JSC::B3::IndexSet::dump):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::ForEach<Tmp>::forEach):
        (JSC::B3::Air::ForEach<Arg>::forEach):
        (JSC::B3::Air::ForEach<Reg>::forEach):
        (JSC::B3::Air::Inst::forEach):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
        (JSC::B3::Air::RegLivenessAdapter::maxIndex):
        (JSC::B3::Air::RegLivenessAdapter::acceptsType):
        (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
        (JSC::B3::Air::RegLivenessAdapter::indexToValue):
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * jit/Reg.h:
        (JSC::Reg::next):
        (JSC::Reg::index):
        (JSC::Reg::maxIndex):
        (JSC::Reg::isSet):
        (JSC::Reg::operator bool):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::forEach):

2016-01-10  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Make branchMul functional in ARM B3 and minor fixes
        https://bugs.webkit.org/show_bug.cgi?id=152889

        Reviewed by Mark Lam.

        ARM64 does not have a "S" version of MUL setting the flags.
        What we do is abstract that in the MacroAssembler. The problem
        is that form requires scratch registers.

        For simplicity, I just exposed the two scratch registers
        for Air. Filip already added the concept of Scratch role,
        all I needed was to expose it for opcodes.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchMul32):
        (JSC::MacroAssemblerARM64::branchMul64):
        Expose a version with the scratch registers as arguments.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        Add the new form of CheckMul lowering.

        * b3/air/AirOpcode.opcodes:
        Expose the new BranchMuls.
        Remove all the Test variants that use immediates
        since Air can't handle those immediates correctly yet.

        * b3/air/opcode_generator.rb:
        Expose the Scratch role.

        * b3/testb3.cpp:
        (JSC::B3::testPatchpointLotsOfLateAnys):
        Ooops, the scratch registers were not clobbered. We were just lucky
        on x86.

2016-01-10  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3 is unable to do function calls on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152895

        Reviewed by Mark Lam.

        Apparently iOS does not follow the ARM64 ABI for function calls.
        Instead of giving each value a 8 bytes slot, it must be packed
        while preserving alignment.

        This patch adds a #ifdef to make function calls functional.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::marshallCCallArgument):
        (JSC::B3::Air::LowerToAir::lower):

2016-01-09  Filip Pizlo  <fpizlo@apple.com>

        Air should support Branch64 with immediates
        https://bugs.webkit.org/show_bug.cgi?id=152951

        Reviewed by Oliver Hunt.

        This doesn't significantly improve performance on any benchmarks, but it's great to get this
        obvious omission out of the way.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch64):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testPowDoubleByIntegerLoop):
        (JSC::B3::testBranch64Equal):
        (JSC::B3::testBranch64EqualImm):
        (JSC::B3::testBranch64EqualMem):
        (JSC::B3::testBranch64EqualMemImm):
        (JSC::B3::zero):
        (JSC::B3::run):

2016-01-09  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
        https://bugs.webkit.org/show_bug.cgi?id=152926

        Reviewed by Tim Horton.

        Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
        where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
        WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.

        Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.

        * Configurations/Base.xcconfig:
        - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
          WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
        - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
        * Configurations/JSC.xcconfig:
          Add quotes to account for spaces.
        * Configurations/ToolExecutable.xcconfig:
          Ditto.
        * postprocess-headers.sh:
          Ditto.

2016-01-09  Mark Lam  <mark.lam@apple.com>

        The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
        https://bugs.webkit.org/show_bug.cgi?id=152918

        Reviewed by Filip Pizlo and Saam Barati.

        * ftl/FTLCompile.cpp:
        - Updated a comment.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
          extra slot for BinaryOps that don't have Untyped operands, and failing to
          allocate that extra slot for some binary ops.  This is now fixed.

        * tests/stress/ftl-shr-exception.js:
        * tests/stress/ftl-xor-exception.js:
        - Un-skipped these tests.  They now pass with this patch.

2016-01-09  Andreas Kling  <akling@apple.com>

        Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
        <https://webkit.org/b/152902>

        Reviewed by Anders Carlsson.

        Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do varargs tail calls and stack overflows
        https://bugs.webkit.org/show_bug.cgi?id=152934

        Reviewed by Saam Barati.

        I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
        at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
        why I have two fixes in one change. Now the test passes.

        This reduces the number of failures from 13 to 0.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
        append an Oops (i.e. "unreachable").

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        B3 needs Neg()
        https://bugs.webkit.org/show_bug.cgi?id=152925

        Reviewed by Mark Lam.

        Previously we said that negation should be represented as Sub(0, x). That's wrong, since
        for floats, Sub(0, 0) == 0 while Neg(0) == -0.

        One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
        should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
        to use bitops to represent floating point operations. Whatever cuteness this would have
        bought us would be outweighed by the annoyance of having to write code that matches
        Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
        would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
        Also, I suspect that the omission of Neg would cause others to make the mistake of using
        Sub to represent floating point negation.

        So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
        negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
        floats, we lower it to BitXor(x, -0) on x86.

        This reduces the number of failures from 13 to 12.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andFloat):
        (JSC::MacroAssemblerX86Common::xorDouble):
        (JSC::MacroAssemblerX86Common::xorFloat):
        (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/air/AirOpcode.opcodes:
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::neg):
        (JSC::FTL::Output::bitNot):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::chillDiv):
        (JSC::FTL::Output::mod):
        (JSC::FTL::Output::chillMod):
        (JSC::FTL::Output::doubleAdd):
        (JSC::FTL::Output::doubleSub):
        (JSC::FTL::Output::doubleMul):
        (JSC::FTL::Output::doubleDiv):
        (JSC::FTL::Output::doubleMod):
        (JSC::FTL::Output::doubleNeg):
        (JSC::FTL::Output::bitAnd):
        (JSC::FTL::Output::bitOr):
        (JSC::FTL::Output::neg): Deleted.
        * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
        it's such a glaring bug, I thought having a test for it specifically would be good.

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
        https://bugs.webkit.org/show_bug.cgi?id=152922

        Reviewed by Saam Barati.

        FTL B3 was generating a handler table that first contained the old baseline handlers keyed
        by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
        wrong, since the FTL code block should not contain any baseline handlers. The fix is to
        clear the handlers before generation, sort of like FTL LLVM does.

        Also added some stuff to make it easier to inspect the handler table.

        This reduces the numbe rof failures from 25 to 13.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::dumpExceptionHandlers):
        (JSC::CodeBlock::beginDumpProfiling):
        * bytecode/CodeBlock.h:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
        https://bugs.webkit.org/show_bug.cgi?id=152916

        Reviewed by Mark Lam.

        This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!

        This reduces the number of failures from 27 to 25.

        * b3/B3ReduceStrength.cpp:

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 allocateCell() should not crash
        https://bugs.webkit.org/show_bug.cgi?id=152909

        Reviewed by Mark Lam.

        This code was crashing in some tests that forced GC slow paths because it was stubbed out
        due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
        undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
        any LLVM optimizations by using undef.

        This reduces the number of failures from 35 to 27.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 fails to realize that binary snippets might choose to omit their fast path
        https://bugs.webkit.org/show_bug.cgi?id=152901

        Reviewed by Mark Lam.

        This reduces the number of failures from 99 to 35.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):

2016-01-08  Saam barati  <sbarati@apple.com>

        restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=152879

        Reviewed by Filip Pizlo.

        We were clobbering a register we needed when picking
        a scratch register inside an FTL OSR Exit.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitRandomThunk):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
        (foo):

2016-01-08  Mark Lam  <mark.lam@apple.com>

        Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
        https://bugs.webkit.org/show_bug.cgi?id=152897

        Not reviewed.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromSingleCharCode): Deleted.
        * runtime/StringConstructor.h:

2016-01-08  Per Arne Vollan  <peavo@outlook.com>

        [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
        https://bugs.webkit.org/show_bug.cgi?id=152893

        Reviewed by Mark Lam.

        Use std::call_once since pthreads is not present on all platforms.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        (JSC::initializeLLVM):

2016-01-08  Mark Lam  <mark.lam@apple.com>

        Rename StringFromCharCode to StringFromSingleCharCode.
        https://bugs.webkit.org/show_bug.cgi?id=152897

        Reviewed by Daniel Bates.

        StringFromSingleCharCode is a better name because the intrinsic it represents
        only applies when we are converting from a single char code.  This is purely
        a refactoring patch.  There is no semantic change.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromSingleCharCode):
        * runtime/StringConstructor.h:

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Fixed unused parameter warnings
        https://bugs.webkit.org/show_bug.cgi?id=152885

        Reviewed by Mark Lam.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Max value of immediate arg of logical ops is 0xffff
        https://bugs.webkit.org/show_bug.cgi?id=152884

        Reviewed by Michael Saboff.

        Replaced imm.m_value < 65535 checks with imm.m_value <= 65535

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::or32):

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Add new or32 implementation after r194613
        https://bugs.webkit.org/show_bug.cgi?id=152865

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 lazy slow paths should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152853

        Reviewed by Saam Barati.

        This reduces the number of JSC test failures to 97.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        * tests/stress/ftl-new-negative-array-size.js: Added.
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip more tests that fail.

        * tests/stress/ftl-shr-exception.js:
        (foo):
        * tests/stress/ftl-xor-exception.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 binary snippets should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152852

        Reviewed by Saam Barati.

        This reduces the number of JSC test failures to 110.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        * tests/stress/ftl-shr-exception.js: Added.
        (foo):
        (result.foo.valueOf):
        * tests/stress/ftl-sub-exception.js: Added.
        (foo):
        (result.foo.valueOf):
        * tests/stress/ftl-xor-exception.js: Added.
        (foo):
        (result.foo.valueOf):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.

        * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skipping this test. Looks like LLVM can't handle it.

        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 JS calls should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152851

        Reviewed by Geoffrey Garen.

        This reduces the number of JSC test failures with FTL B3 to 111.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-exception-no-catch.js: Added.
        * tests/stress/ftl-call-exception.js: Added.
        * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
        * tests/stress/ftl-call-varargs-exception.js: Added.

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 PutById should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152850

        Reviewed by Saam Barati.

        Implemented PutById exception handling by following the idiom used in GetById. Reduces the
        number of JSC test failures to 128.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
        * tests/stress/ftl-put-by-id-setter-exception.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception.js: Added.

2016-01-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194714.
        https://bugs.webkit.org/show_bug.cgi?id=152864

        it broke many JSC tests when FTL B3 is enabled (Requested by
        pizlo on #webkit).

        Reverted changeset:

        "[JSC] When resolving Stack arguments, use addressing from SP
        when addressing from FP is invalid"
        https://bugs.webkit.org/show_bug.cgi?id=152840
        http://trac.webkit.org/changeset/194714

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Lower immediates of logical operations.
        https://bugs.webkit.org/show_bug.cgi?id=152693

        On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
        non-negative numbers.

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Update testCheckSubBadImm() for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152846

        Reviewed by Mark Lam.

        * b3/testb3.cpp:
        (JSC::B3::testCheckSubBadImm):
        The test was assuming the constant can always be used
        as immediate. That's obviously not the case on ARM64.

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 getById() should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152810

        Reviewed by Saam Barati.

        This adds abstractions for doing exceptions from patchpoints, and uses them to implement
        exceptions from GetById. This covers all of the following ways that a GetById might throw an
        exceptions:

        - Throw without try/catch from the vmCall() in a GetById(Untyped:)
        - Throw with try/catch from the vmCall() in a GetById(Untyped:)
        - Throw without try/catch from the callOperation() in the patchpoint of a GetById
        - Throw with try/catch from the callOperation() in the patchpoint of a GetById
        - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
        - Throw with try/catch from the Call IC generated in the patchpoint of a GetById

        This requires having a default exception target in FTL-generated code, and ensuring that this
        target is generated regardless of whether we have branches to the B3 basic block of the
        default exception target. This also requires adding some extra arguments to a
        PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
        else. This also requires associating the CallSiteIndex of the patchpoint with the register
        set used for exit and with the OSR exit label for the unwind exit.

        All of the stuff that you have to worry about when wiring a patchpoint to exception handling
        is covered by the new PatchpointExceptionHandle object. You create one by calling
        preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
        with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
        object that can be used to create zero or more actual OSR exits. It can create both OSR exits
        for operation calls and OSR exits for unwind. You call the
        PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
        actually get OSR exits.

        This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
        PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
        you use this API, it automatically registers a link task that will link the JumpList to the
        actual OSR exit label.

        This API is very flexible about how you get to the label of the OSR exit. You are encouraged
        to use the Box<JumpList> approach, but if you really just need the label, you can also get
        a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
        to vend you the OSR exit label at link-time.

        This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
        bunch of new tests specifically for all of the ways you might throw from GetById, and B3
        passes all of these new tests. Note that I'm not counting the new tests as part of the
        previous 186 test failures (FTL B3 failed all of the new tests prior to this change).

        After this change, it should be easy to make all of the other patchpoints also handle
        exceptions by just following the preparePatchpointForExceptions() idiom.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3StackmapValue.h:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo):
        (JSC::B3::ValueRep::usedRegisters):
        (JSC::B3::ValueRep::dump):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::doubleValue):
        (JSC::B3::ValueRep::withOffset):
        (JSC::B3::ValueRep::usedRegisters):
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::unreachable):
        (JSC::FTL::Output::speculate):
        * ftl/FTLExceptionTarget.cpp: Added.
        (JSC::FTL::ExceptionTarget::~ExceptionTarget):
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        (JSC::FTL::ExceptionTarget::ExceptionTarget):
        * ftl/FTLExceptionTarget.h: Added.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
        * ftl/FTLPatchpointExceptionHandle.cpp: Added.
        (JSC::FTL::PatchpointExceptionHandle::create):
        (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
        (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
        (JSC::FTL::PatchpointExceptionHandle::createHandle):
        * ftl/FTLPatchpointExceptionHandle.h: Added.
        * ftl/FTLState.cpp:
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
        * tests/stress/ftl-get-by-id-getter-exception.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception.js: Added.
        * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-operation-exception-no-catch.js: Added.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Implemented missing branch patching methods.
        https://bugs.webkit.org/show_bug.cgi?id=152845

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
        https://bugs.webkit.org/show_bug.cgi?id=152840

        Reviewed by Mark Lam.

        ARM64 has two kinds of addressing with immediates:
        -Signed 9bits direct (really only -256 to 255).
        -Unsigned 12bits scaled by the load/store size.

        When resolving the stack addresses, we easily run
        past -256 bytes from FP. Addressing from SP gives us more
        room to address the stack efficiently because we can
        use unsigned immediates.

        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Make repatchCall public to fix compilation.
        https://bugs.webkit.org/show_bug.cgi?id=152843

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall): Deleted.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Replaced subi with addi in getHostCallReturnValue
        https://bugs.webkit.org/show_bug.cgi?id=152841

        Reviewed by Michael Saboff.

        MIPS architecture does not have subi instruction, addi with negative
        number should be used instead.

        * jit/JITOperations.cpp:

2016-01-07  Mark Lam  <mark.lam@apple.com>

        ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
        https://bugs.webkit.org/show_bug.cgi?id=152833

        Reviewed by Michael Saboff.

        Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
        store32.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::store):

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] GPRInfo::toArgumentRegister missing
        https://bugs.webkit.org/show_bug.cgi?id=152838

        Reviewed by Michael Saboff.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister):

2016-01-07  Mark Lam  <mark.lam@apple.com>

        ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
        https://bugs.webkit.org/show_bug.cgi?id=152833

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):
        - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        - Implement an optimization that avoids reloading the memoryTempRegister when
          the immediate is encodable as an instruction immediate.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
        - Implement an optimization that avoids reloading the memoryTempRegister when
          the immediate is encodable as an instruction immediate.  In the event that we
          cannot encode the immediate, we'll use the addressTempRegister as a temp, and
          reload it later.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
        https://bugs.webkit.org/show_bug.cgi?id=152664

        Reviewed by Alex Christensen.

        * shell/CMakeLists.txt:

2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
        https://bugs.webkit.org/show_bug.cgi?id=152825
        <rdar://problem/24021276>

        Reviewed by Timothy Hatcher.

        * debugger/Debugger.cpp:
        (JSC::Debugger::breakProgram):
        We cannot pause if we are not evaluating JavaScript, so bail.

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Re-enable lea() in Air on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152832

        Reviewed by Michael Saboff.

        Lea() on the MacroAssembler is not the full x86 Lea (the real one being
        x86Lea32()). Instead, it is a addPtr() with SP and a constant.

        The instruction is required to implement B3's StackSlot. It is not
        safe for big offsets but none of the stack operations are at the moment.

        * b3/air/AirOpcode.opcodes:

2016-01-07  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add two missing abortWithReason implementations
        https://bugs.webkit.org/show_bug.cgi?id=136753

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::memoryFence):
        (JSC::MacroAssemblerMIPS::abortWithReason):
        (JSC::MacroAssemblerMIPS::readCallTarget):

2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>

        Add new or32 implementation to MacroAssemblerARM after r194613
        https://bugs.webkit.org/show_bug.cgi?id=152784

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):

2016-01-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
        https://bugs.webkit.org/show_bug.cgi?id=152805

        Reviewed by Michael Saboff.

        There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
        So, we'll continue to use one of the result registers as the scratch, and
        re-compute the result at the end.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):

2016-01-06  Anders Carlsson  <andersca@apple.com>

        Add a smart block pointer
        https://bugs.webkit.org/show_bug.cgi?id=152799

        Reviewed by Tim Horton.

        Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.

        * inspector/remote/RemoteConnectionToTarget.h:
        (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
        (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
        (Inspector::RemoteTargetBlock::operator=): Deleted.
        (Inspector::RemoteTargetBlock::operator()): Deleted.
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
        (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):

2016-01-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] More B3 tests passing on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152787

        Reviewed by Michael Saboff.

        Some more minor bugs.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::urshift64):
        The offset was being truncated. That code was just copied
        from the 32bits version of urshift.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        Very few instructions can encode -1 as immediate.
        TST certainly can't. The fallback works for ARM.

        * b3/air/AirOpcode.opcodes:
        Bit instructions have very specific immediate encoding.
        B3 cannot express that properly yet. I disabled those
        forms for now. Immediates encoding is something we'll really 
        have to look into at some point for B3 ARM64.

2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>

        Silence -Wtautological-compare
        https://bugs.webkit.org/show_bug.cgi?id=152768

        Reviewed by Saam Barati.

        * runtime/Options.cpp:
        (JSC::Options::setAliasedOption):

2016-01-06  Filip Pizlo  <fpizlo@apple.com>

        Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
        https://bugs.webkit.org/show_bug.cgi?id=152798

        Reviewed by Oliver Hunt.

        This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
        into callCheck(), since that was its only caller. This makes it a bit more clear what is
        going on.

        It turns out that FTL B3 already handled this case properly. I added a test that I believe
        illustrates this. Note that although the test uses GetById, which ordinarily throws
        exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
        from the operation call for the non-cell bypass path of a GetById(UntypedUse:).

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
        * tests/stress/ftl-operation-exception.js: Added.
        (foo):

2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove duplicate check
        https://bugs.webkit.org/show_bug.cgi?id=152792

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
        This method is only called from one place, and it does an equivalent
        check before calling this function. Remove the duplicate check.

2016-01-06  Brian Burg  <bburg@apple.com>

        Add a WebKit SPI for registering an automation controller with RemoteInspector
        https://bugs.webkit.org/show_bug.cgi?id=151576

        Reviewed by Dan Bernstein and Joseph Pecoraro.

        Given a RemoteInspector endpoint that is instantiated in UIProcess, there
        should be a way to delegate automation-related functionality and policy to
        clients of WebKit.

        This class adds a RemoteInspector::Client interface that serves a delegate.
        This is ultimately delegated via _WKAutomationDelegate, which is an SPI
        that allows clients to install an Objective-C delegate for automation.

        The setting for whether remote automation is allowed is included in the
        listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
        is assigned, or when the client signals that its capabilities have changed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
        (Inspector::RemoteInspector::pushListingsNow):

            In the listing, include whether the application supports remote automation.

        * inspector/remote/RemoteInspectorConstants.h: Add a constant.

2016-01-05  Keith Miller  <keith_miller@apple.com>

        [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
        https://bugs.webkit.org/show_bug.cgi?id=152765

        Reviewed by Michael Saboff.

        This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.

        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        (JSC::constructBoolean): Deleted.
        * runtime/BooleanConstructor.h:
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/RegExpConstructor.cpp:
        (JSC::getRegExpStructure):
        (JSC::constructRegExp):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * tests/es6.yaml:
        * tests/stress/class-subclassing-misc.js: Added.
        (B):
        (N):
        (M):
        (R):
        (S):
        (test):

2016-01-06  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler
        https://bugs.webkit.org/show_bug.cgi?id=152782

        Reviewed by Benjamin Poulain.

        Already covered by LayoutTests/js/dfg-uint32array-overflow-values test.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):

2016-01-06  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix or32 implementation in macro assembler
        https://bugs.webkit.org/show_bug.cgi?id=152781

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):

2016-01-06  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add missing branchAdd32 implementation in macro assembler
        https://bugs.webkit.org/show_bug.cgi?id=152785

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):

2016-01-06  Andy VanWagoner  <thetalecrafter@gmail.com>

        [ES6] Date.prototype should be a plain object
        https://bugs.webkit.org/show_bug.cgi?id=152574

        Reviewed by Benjamin Poulain.

        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        * tests/mozilla/mozilla-tests.yaml: Expect errors from old Date.prototype as Date instance tests.

2016-01-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get more of testb3 to pass on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152737

        Reviewed by Geoffrey Garen.

        A bunch of minor bugs and missing function to make most of testb3
        run on ARM64.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::canEncodePImmOffset):
        (JSC::ARM64Assembler::canEncodeSImmOffset):
        (JSC::isInt9): Deleted.
        (JSC::isUInt12): Deleted.
        * assembler/ARMv7Assembler.h:
        * assembler/AssemblerCommon.h: Added.
        (JSC::isInt9):
        (JSC::isUInt12):
        (JSC::isValidScaledUImm12):
        (JSC::isValidSignedImm9):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::absFloat):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate):
        (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate):
        (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
        (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<8>):
        (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<16>):
        (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<8>):
        (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<16>):
        * assembler/X86Assembler.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isValidImmForm):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirOpcode.opcodes:

2016-01-05  Zan Dobersek  <zdobersek@igalia.com>

        [CMake] Remove USE_UDIS86 variable
        https://bugs.webkit.org/show_bug.cgi?id=152731

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt: Unconditionally build the Udis86-specific files.

2016-01-05  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 fails cdjs-tests.yaml/red_black_tree_test.js.ftl-eager-no-cjit
        https://bugs.webkit.org/show_bug.cgi?id=152770

        Reviewed by Mark Lam.

        It turns out that liveness didn't know that the return value GPR or FPR is live at the
        return. Consequently, we can end up with code that clobbers the return value register after
        the move of the return value into that register. This could happen if we start with
        something like:

            Move 42(%tmp1), %tmp2
            Move 50(%tmp1), %tmp3
            Move %tmp3, 58(%tmp1)
            Move %tmp2, %rax
            Ret

        Then we might coalesce %tmp2 with %rax:

            Move 42(%tmp1), %rax
            Move 50(%tmp1), %tmp3
            Move %tmp3, 58(%tmp1)
            Ret

        But now there is no use of %rax after that first instruction, so %rax appears dead at the
        other two Move's. So, the register allocator could then do this:

            Move 42(%tmp1), %rax
            Move 50(%tmp1), %rax
            Move %rax, 58(%tmp1)
            Ret

        And that's clearly wrong. This patch solves this issue by replacing the old Ret instruction
        with Ret32, Ret64, RetFloat, and RetDouble. These all take the return value register as an
        argument. They also tell Air which parts of the return value register the caller will
        observe. That's great for width analysis.

        This resolves a test failure in the CDjs red_black_tree_test. This reduces the total number
        of JSC test failures from 217 to 191.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::oops):
        (JSC::MacroAssembler::ret32):
        (JSC::MacroAssembler::ret64):
        (JSC::MacroAssembler::retFloat):
        (JSC::MacroAssembler::retDouble):
        (JSC::MacroAssembler::shouldConsiderBlinding):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirOpcode.opcodes:
        * b3/air/opcode_generator.rb:

2016-01-05  Keith Miller  <keith_miller@apple.com>

        Unreviewed build fix. A symbol was being exported that should not have been.

        * runtime/Structure.h:

2016-01-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194603.
        https://bugs.webkit.org/show_bug.cgi?id=152762

        This change introduced JSC test failures (Requested by
        ryanhaddad on #webkit).

        Reverted changeset:

        "[ES6] Date.prototype should be a plain object"
        https://bugs.webkit.org/show_bug.cgi?id=152574
        http://trac.webkit.org/changeset/194603

2016-01-05  Filip Pizlo  <fpizlo@apple.com>

        stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
        https://bugs.webkit.org/show_bug.cgi?id=152756

        Reviewed by Saam Barati.

        This fixes a really obvious and dumb tail call bug in FTL B3. I think that tail calls work
        for real now. I have no idea why I got any tail call tests to pass before this fix.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):

2016-01-04  Mark Lam  <mark.lam@apple.com>

        Profiling should detect when multiplication overflows but does not create negative zero.
        https://bugs.webkit.org/show_bug.cgi?id=132470

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        - New or32 emitter needed by the mul snippet.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resultProfileForBytecodeOffset):
        (JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ensureResultProfile):
        (JSC::CodeBlock::addResultProfile): Deleted.
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.
        - Added a m_bytecodeOffsetToResultProfileIndexMap because we can now add result
          profiles in any order (based on runtime execution), not necessarily in bytecode
          order at baseline compilation time.

        * bytecode/ValueProfile.cpp:
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::didObserveInt52Overflow):
        (JSC::ResultProfile::setObservedInt52Overflow):
        - Add new Int52Overflow flags.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        - Now with more straightforward mapping of profiling info.

        * dfg/DFGCommon.h:
        - Fixed a typo in a comment.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::mayHaveNonIntResult):
        (JSC::DFG::Node::hasConstantBuffer):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflowInt52):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        - We now have profiling info for whether the result was ever seen to be a non-Int.
          Use this to make a better prediction.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        - Switch to using CodeBlock::ensureResultProfile().  ResultProfiles can now be
          created at any time (including the slow path), not just in bytecode order
          during baseline compilation.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        - Removed the fast path profiling code for NegZero because we'll go to the slow
          path anyway.  Let the slow path do the profiling for us.
        - Added profiling for NegZero and potential Int52 overflows in the fast path
          that does double math.

        * runtime/CommonSlowPaths.cpp:
        (JSC::updateResultProfileForBinaryArithOp):
        - Removed the RETURN_WITH_RESULT_PROFILING macro (2 less macros), and just use
          the RETURN_WITH_PROFILING macro instead with a call to
          updateResultProfileForBinaryArithOp().  This makes it clear what we're doing
          to do profiling in each case, and also allows us to do custom profiling for
          each opcode if needed.  However, so far, we always call
          updateResultProfileForBinaryArithOp().

2016-01-05  Keith Miller  <keith_miller@apple.com>

        [ES6] Arrays should be subclassable.
        https://bugs.webkit.org/show_bug.cgi?id=152706

        Reviewed by Benjamin Poulain.

        This patch enables full subclassing of Arrays. We do this by fetching the new.target's prototype property
        in the Array constructor and transitioning the old structure to have the new prototype. This method has
        two downsides. The first is that we clobber the transition watchpoint on the base structure. The second,
        which is currently very significant but should be fixed in a future patch, is that we allocate a new
        structure for each new derived class we allocate.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::constructWithArrayConstructor):
        (JSC::callArrayConstructor):
        * runtime/ArrayConstructor.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/PrototypeMap.h:
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::createSubclassStructure):
        * tests/es6.yaml:
        * tests/stress/class-subclassing-array.js: Added.
        (A):
        (B.prototype.get 1):
        (B):
        (C):
        (test):

2016-01-05  Filip Pizlo  <fpizlo@apple.com>

        regress/script-tests/deltablue-varargs.js.ftl-no-cjit-no-put-stack-validate on FTL B3 gets a B3 validation failure
        https://bugs.webkit.org/show_bug.cgi?id=152754

        Reviewed by Geoffrey Garen and Saam Barati.

        It turns out that the FTL was creating orphans. Rather than making the FTL handle them by
        itself, I gave B3 the power to eliminate them for you. I also made the dumper print them
        since otherwise, you wouldn't know anything about the orphan when looking at a validation
        failure or other kind of procedure dump.

        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::add):
        (JSC::B3::IndexSet::addAll):
        (JSC::B3::IndexSet::remove):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::dump):
        (JSC::B3::Procedure::deleteValue):
        (JSC::B3::Procedure::deleteOrphans):
        (JSC::B3::Procedure::dominators):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::cfg):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):

2015-12-24  Mark Lam  <mark.lam@apple.com>

        Re-landing: Add validation of JSC options to catch typos.
        https://bugs.webkit.org/show_bug.cgi?id=152549

        Reviewed by Benjamin Poulain.

        1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
           an error message.
        2. If a --xxx jsc option is specified, but xxx is not a valid option, we will
           now log an error message.
        3. Added JSC_validateOptions, which if set to true will cause the VM to crash if
           an invalid option was seen during options parsing.

        In this version for re-landing, I removed the change where I disallowed -- options
        after the script name.  Apparently, we have some test harnesses that do append the
        -- options after the script name.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:

2016-01-05  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do ArithNegate
        https://bugs.webkit.org/show_bug.cgi?id=152745

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):

2016-01-05  Andy VanWagoner  <thetalecrafter@gmail.com>

        [ES6] Date.prototype should be a plain object
        https://bugs.webkit.org/show_bug.cgi?id=152574

        Reviewed by Benjamin Poulain.

        * runtime/DateConstructor.cpp: