Make it easier to use NoLockingNecessary
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-06-02  Filip Pizlo  <fpizlo@apple.com>
2
3         Make it easier to use NoLockingNecessary
4         https://bugs.webkit.org/show_bug.cgi?id=158306
5
6         Reviewed by Keith Miller.
7         
8         Adapt to the new NoLockingNecessary API. More details in the WTF ChangeLog.
9
10         * bytecompiler/BytecodeGenerator.cpp:
11         (JSC::BytecodeGenerator::BytecodeGenerator):
12         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
13         (JSC::BytecodeGenerator::instantiateLexicalVariables):
14         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
15         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
16         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
17         (JSC::BytecodeGenerator::popLexicalScopeInternal):
18         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
19         (JSC::BytecodeGenerator::variable):
20         (JSC::BytecodeGenerator::createVariable):
21         (JSC::BytecodeGenerator::emitResolveScope):
22         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
23         * runtime/ConcurrentJITLock.h:
24         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
25         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
26
27 2016-06-01  Filip Pizlo  <fpizlo@apple.com>
28
29         Structure::previousID() races with Structure::allocateRareData()
30         https://bugs.webkit.org/show_bug.cgi?id=158280
31
32         Reviewed by Mark Lam.
33         
34         The problem is that previousID() would test hasRareData() and then either load the
35         previous Structure from the rare data, or load it directly. allocateRareData() would set
36         the hasRareData() bit separately from moving the Structure pointer into the rare data. So
37         we'd have a race that would cause previousID() to sometimes return the rare data instead
38         of the previous Structure.
39
40         The fix is to get rid of the hasRareData bit. We can use the structureID of the
41         previousOrRareData cell to determine if it's the previousID or the RareData. This fixes the
42         race and it's probably not any slower.
43
44         * runtime/Structure.cpp:
45         (JSC::Structure::Structure):
46         (JSC::Structure::allocateRareData):
47         * runtime/Structure.h:
48
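An added illustration of the race described in the entry above and of the shape of the fix (example code, not JSC's Structure implementation): a flag-based reader and a self-describing-pointer reader are evaluated between the individual stores of a simulated allocateRareData() transition. CellKind, Cell, RareData and the two previousID variants are hypothetical names; a kind tag stands in for the structureID check.

```cpp
#include <atomic>
#include <cstdint>

// Hypothetical stand-ins for JSC cells. The real engine tells a Structure
// from its RareData by structureID; here a kind tag plays that role.
enum class CellKind : std::uint8_t { Structure, RareData };

struct Cell {
    CellKind kind;
    explicit Cell(CellKind k) : kind(k) { }
};

struct Structure;

struct RareData : Cell {
    Structure* previous = nullptr;
    RareData() : Cell(CellKind::RareData) { }
};

struct Structure : Cell {
    // One slot that holds either the previous Structure or the RareData.
    std::atomic<Cell*> previousOrRareData { nullptr };
    // The separate flag that the fix removes.
    std::atomic<bool> hasRareDataBit { false };

    Structure() : Cell(CellKind::Structure) { }

    // Old scheme: consult the flag, then decide how to interpret the slot.
    // Two independent words have to agree, so a reader can observe one of
    // them updated and the other not.
    Structure* previousIDFlagBased() const
    {
        bool hasRareData = hasRareDataBit.load();
        Cell* slot = previousOrRareData.load();
        if (hasRareData)
            return static_cast<RareData*>(slot)->previous;
        return static_cast<Structure*>(slot);
    }

    // New scheme: load the slot once and let the pointee say what it is.
    // Only one word is ever published, so there is no inconsistent state.
    Structure* previousIDSelfDescribing() const
    {
        Cell* slot = previousOrRareData.load();
        if (!slot)
            return nullptr;
        if (slot->kind == CellKind::RareData)
            return static_cast<RareData*>(slot)->previous;
        return static_cast<Structure*>(slot);
    }
};

struct RaceReport {
    bool flagBasedReturnedRareData = false; // the symptom named in the ChangeLog
    bool selfDescribingAlwaysCorrect = true;
};

// Performs the writer side of allocateRareData() one store at a time and asks
// both readers in between, which is exactly what a concurrent reader may see.
RaceReport simulateAllocateRareData()
{
    Structure previous;
    Structure current;
    RareData rareData;
    current.previousOrRareData.store(&previous);

    RaceReport report;
    auto observe = [&] {
        if (current.previousIDFlagBased() == static_cast<Cell*>(&rareData))
            report.flagBasedReturnedRareData = true;
        if (current.previousIDSelfDescribing() != &previous)
            report.selfDescribingAlwaysCorrect = false;
    };

    observe();                                   // steady state before the transition
    rareData.previous = static_cast<Structure*>(current.previousOrRareData.load());
    current.previousOrRareData.store(&rareData); // writer: move the pointer into the rare data
    observe();                                   // window: slot updated, flag not yet set
    current.hasRareDataBit.store(true);          // writer: set the flag
    observe();                                   // steady state after the transition
    return report;
}
```
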
49 2016-06-01  Michael Saboff  <msaboff@apple.com>
50
51         Runaway WebContent process CPU & memory @ foxnews.com
52         https://bugs.webkit.org/show_bug.cgi?id=158290
53
54         Reviewed by Mark Lam.
55
56         Clear the thrown value at the end of the catch block so that the stack scanner won't
57         find the value during GC.
58
59         Added a new stress test.
60
61         * bytecompiler/NodesCodegen.cpp:
62         (JSC::TryNode::emitBytecode):
63         * tests/stress/recursive-try-catch.js: Added.
64         (logError):
65         (tryCallingBadFunction):
66         (recurse):
67         (test):
68
69 2016-06-01  Benjamin Poulain  <bpoulain@apple.com>
70
71         [JSC] Some setters for components of Date do not timeClip() their result
72         https://bugs.webkit.org/show_bug.cgi?id=158278
73         rdar://problem/25131426
74
75         Reviewed by Geoffrey Garen.
76
77         Many of the setters were not doing timeClip() on the computed UTC
78         time since Epoch.
79
80         See http://www.ecma-international.org/ecma-262/6.0/#sec-date.prototype.setdate
81         and the following sections for the definition.
82
83         * runtime/DatePrototype.cpp:
84         (JSC::setNewValueFromTimeArgs):
85         (JSC::setNewValueFromDateArgs):
86
87 2016-06-01  Keith Miller  <keith_miller@apple.com>
88
89         canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints
90         https://bugs.webkit.org/show_bug.cgi?id=158291
91
92         Reviewed by Benjamin Poulain.
93
94         The old StringObject primitive access code used structure watchpoints. This meant that
95         if you set a watchpoint on String.prototype prior to tiering up to the DFG then added
96         a new property to String.prototype then we would never use StringObject optimizations.
97         This made property caching in the LLInt bad because it meant we would watchpoint
98         String.prototype very early in the program, which hurt date-format-xpab.js since that
99         benchmark relies on the StringObject optimizations.
100
101         This patch also extends ObjectPropertyConditionSet to be able to handle a slotBase
102         equivalence condition. Since that makes the code for generating the DFG watchpoints
103         significantly cleaner.
104
105         * bytecode/ObjectPropertyCondition.cpp:
106         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
107         * bytecode/ObjectPropertyConditionSet.cpp:
108         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
109         (JSC::ObjectPropertyConditionSet::slotBaseCondition):
110         (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
111         * bytecode/ObjectPropertyConditionSet.h:
112         * dfg/DFGGraph.cpp:
113         (JSC::DFG::Graph::isStringPrototypeMethodSane):
114         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
115         * dfg/DFGGraph.h:
116
117 2016-06-01  Geoffrey Garen  <ggaren@apple.com>
118
119         Unreviewed, rolling in r201436.
120         https://bugs.webkit.org/show_bug.cgi?id=158143
121
122         r201562 should have fixed the Dromaeo DOM core regression.
123
124         Restored changeset:
125
126         "REGRESSION: JSBench spends a lot of time transitioning
127         to/from dictionary"
128         https://bugs.webkit.org/show_bug.cgi?id=158045
129         http://trac.webkit.org/changeset/201436
130
131
132 2016-06-01  Commit Queue  <commit-queue@webkit.org>
133
134         Unreviewed, rolling out r201488.
135         https://bugs.webkit.org/show_bug.cgi?id=158268
136
137         Caused 23% regression on JetStream's crypto-md5 (Requested by
138         rniwa on #webkit).
139
140         Reverted changeset:
141
142         "[ESNext] Support trailing commas in function param lists"
143         https://bugs.webkit.org/show_bug.cgi?id=158020
144         http://trac.webkit.org/changeset/201488
145
146 2016-05-31  Geoffrey Garen  <ggaren@apple.com>
147
148         Dictionary property access should be fast
149         https://bugs.webkit.org/show_bug.cgi?id=158250
150
151         Reviewed by Keith Miller.
152
153         We have some remnant code that unnecessarily takes a slow path for
154         dictionaries. This caused the Dromaeo regression in r201436. Let's fix
155         that.
156
157         * jit/Repatch.cpp:
158         (JSC::tryCacheGetByID): Attempt to flatten a dictionary if necessary, but
159         not too much. This is our idiom in other places.
160
161         (JSC::tryCachePutByID): See tryCacheGetByID.
162
163         * llint/LLIntSlowPaths.cpp:
164         (JSC::LLInt::setupGetByIdPrototypeCache): See tryCacheGetByID.
165
166         * runtime/JSObject.cpp:
167         (JSC::JSObject::fillGetterPropertySlot):
168         * runtime/JSObject.h:
169         (JSC::JSObject::fillCustomGetterPropertySlot): The rules for caching a
170         getter are the same as the rules for caching anything else: We're
171         allowed to cache even in dictionaries, as long as they're cacheable
172         dictionaries. Any transition that would change to/from getter/setter
173         or change other attributes requires a structure transition.
174
175 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
176
177         [JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET
178         https://bugs.webkit.org/show_bug.cgi?id=158223
179
180         Reviewed by Darin Adler.
181
182         This list maintains "not implemented yet" well-known symbols.
183         `Symbol.replace` is already implemented.
184
185         * runtime/CommonIdentifiers.h:
186
187 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
188
189         Unreviewed, roll out r201481, r201523: 0.3% regression in Octane code-load
190         https://bugs.webkit.org/show_bug.cgi?id=158249
191
192         * API/JSScriptRef.cpp:
193         (parseScript):
194         * CMakeLists.txt:
195         * DerivedSources.make:
196         * JavaScriptCore.xcodeproj/project.pbxproj:
197         * builtins/AsyncFunctionPrototype.js: Removed.
198         (asyncFunctionResume): Deleted.
199         * builtins/BuiltinExecutables.cpp:
200         (JSC::BuiltinExecutables::createExecutable):
201         * bytecode/BytecodeList.json:
202         * bytecode/BytecodeUseDef.h:
203         (JSC::computeUsesForBytecodeOffset): Deleted.
204         (JSC::computeDefsForBytecodeOffset): Deleted.
205         * bytecode/CodeBlock.cpp:
206         (JSC::CodeBlock::finishCreation):
207         (JSC::CodeBlock::dumpBytecode): Deleted.
208         * bytecode/UnlinkedCodeBlock.h:
209         (JSC::UnlinkedCodeBlock::isArrowFunction):
210         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction): Deleted.
211         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction): Deleted.
212         * bytecode/UnlinkedFunctionExecutable.cpp:
213         (JSC::generateUnlinkedFunctionCodeBlock):
214         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
215         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
216         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
217         * bytecode/UnlinkedFunctionExecutable.h:
218         * bytecompiler/BytecodeGenerator.cpp:
219         (JSC::BytecodeGenerator::BytecodeGenerator):
220         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
221         (JSC::BytecodeGenerator::emitNewMethodDefinition):
222         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
223         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): Deleted.
224         (JSC::BytecodeGenerator::emitNewFunction): Deleted.
225         * bytecompiler/BytecodeGenerator.h:
226         (JSC::BytecodeGenerator::makeFunction):
227         * bytecompiler/NodesCodegen.cpp:
228         (JSC::FunctionNode::emitBytecode): Deleted.
229         * inspector/agents/InspectorRuntimeAgent.cpp:
230         (Inspector::InspectorRuntimeAgent::parse):
231         * jit/JIT.cpp:
232         (JSC::JIT::privateCompileMainPass): Deleted.
233         * jit/JIT.h:
234         * jit/JITOpcodes.cpp:
235         (JSC::JIT::emitNewFuncCommon): Deleted.
236         (JSC::JIT::emit_op_new_async_func): Deleted.
237         (JSC::JIT::emitNewFuncExprCommon): Deleted.
238         (JSC::JIT::emit_op_new_async_func_exp): Deleted.
239         * jit/JITOperations.cpp:
240         * jit/JITOperations.h:
241         * jsc.cpp:
242         (runInteractive):
243         (printUsageStatement): Deleted.
244         * llint/LLIntSlowPaths.cpp:
245         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
246         * llint/LLIntSlowPaths.h:
247         * llint/LowLevelInterpreter.asm:
248         * parser/ASTBuilder.h:
249         (JSC::ASTBuilder::createAsyncFunctionBody): Deleted.
250         * parser/Keywords.table:
251         * parser/Parser.cpp:
252         (JSC::Parser<LexerType>::Parser):
253         (JSC::Parser<LexerType>::parseInner):
254         (JSC::Parser<LexerType>::isArrowFunctionParameters):
255         (JSC::Parser<LexerType>::parseStatementListItem):
256         (JSC::Parser<LexerType>::parseStatement):
257         (JSC::Parser<LexerType>::parseFunctionParameters):
258         (JSC::Parser<LexerType>::parseFunctionInfo):
259         (JSC::Parser<LexerType>::parseClass):
260         (JSC::Parser<LexerType>::parseImportClauseItem):
261         (JSC::Parser<LexerType>::parseImportDeclaration):
262         (JSC::Parser<LexerType>::parseExportDeclaration):
263         (JSC::Parser<LexerType>::parseAssignmentExpression):
264         (JSC::Parser<LexerType>::parseProperty):
265         (JSC::Parser<LexerType>::parsePropertyMethod):
266         (JSC::Parser<LexerType>::parsePrimaryExpression):
267         (JSC::Parser<LexerType>::parseMemberExpression):
268         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
269         (JSC::Parser<LexerType>::printUnexpectedTokenText):
270         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): Deleted.
271         (JSC::Parser<LexerType>::parseVariableDeclarationList): Deleted.
272         (JSC::Parser<LexerType>::parseDestructuringPattern): Deleted.
273         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement): Deleted.
274         (JSC::Parser<LexerType>::parseFormalParameters): Deleted.
275         (JSC::stringForFunctionMode): Deleted.
276         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): Deleted.
277         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): Deleted.
278         (JSC::Parser<LexerType>::parseAwaitExpression): Deleted.
279         (JSC::Parser<LexerType>::parseAsyncFunctionExpression): Deleted.
280         (JSC::Parser<LexerType>::parseUnaryExpression): Deleted.
281         * parser/Parser.h:
282         (JSC::Scope::Scope):
283         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
284         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
285         (JSC::Parser::pushScope):
286         (JSC::Parser::popScopeInternal):
287         (JSC::Parser::matchSpecIdentifier):
288         (JSC::parse):
289         (JSC::Scope::setSourceParseMode): Deleted.
290         (JSC::Scope::isAsyncFunction): Deleted.
291         (JSC::Scope::isAsyncFunctionBoundary): Deleted.
292         (JSC::Scope::isModule): Deleted.
293         (JSC::Scope::setIsFunction): Deleted.
294         (JSC::Scope::setIsAsyncArrowFunction): Deleted.
295         (JSC::Scope::setIsAsyncFunction): Deleted.
296         (JSC::Scope::setIsAsyncFunctionBody): Deleted.
297         (JSC::Scope::setIsAsyncArrowFunctionBody): Deleted.
298         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError): Deleted.
299         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction): Deleted.
300         (JSC::Parser::forceClassifyExpressionError): Deleted.
301         (JSC::Parser::declarationTypeToVariableKind): Deleted.
302         (JSC::Parser::upperScope): Deleted.
303         (JSC::Parser::isDisallowedIdentifierAwait): Deleted.
304         (JSC::Parser::disallowedIdentifierAwaitReason): Deleted.
305         * parser/ParserModes.h:
306         (JSC::isFunctionParseMode):
307         (JSC::isModuleParseMode):
308         (JSC::isProgramParseMode):
309         (JSC::SourceParseModeSet::SourceParseModeSet): Deleted.
310         (JSC::SourceParseModeSet::contains): Deleted.
311         (JSC::SourceParseModeSet::mergeSourceParseModes): Deleted.
312         (JSC::isAsyncFunctionParseMode): Deleted.
313         (JSC::isAsyncArrowFunctionParseMode): Deleted.
314         (JSC::isAsyncFunctionWrapperParseMode): Deleted.
315         (JSC::isAsyncFunctionBodyParseMode): Deleted.
316         (JSC::constructAbilityForParseMode): Deleted.
317         * parser/ParserTokens.h:
318         * parser/SourceCodeKey.h:
319         (JSC::SourceCodeKey::SourceCodeKey):
320         (JSC::SourceCodeKey::operator==):
321         (JSC::SourceCodeKey::runtimeFlags): Deleted.
322         * parser/SyntaxChecker.h:
323         (JSC::SyntaxChecker::createAsyncFunctionBody): Deleted.
324         * runtime/AsyncFunctionConstructor.cpp: Removed.
325         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): Deleted.
326         (JSC::AsyncFunctionConstructor::finishCreation): Deleted.
327         (JSC::callAsyncFunctionConstructor): Deleted.
328         (JSC::constructAsyncFunctionConstructor): Deleted.
329         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
330         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
331         * runtime/AsyncFunctionConstructor.h: Removed.
332         (JSC::AsyncFunctionConstructor::create): Deleted.
333         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
334         * runtime/AsyncFunctionPrototype.cpp: Removed.
335         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype): Deleted.
336         (JSC::AsyncFunctionPrototype::finishCreation): Deleted.
337         * runtime/AsyncFunctionPrototype.h: Removed.
338         (JSC::AsyncFunctionPrototype::create): Deleted.
339         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
340         * runtime/CodeCache.cpp:
341         (JSC::CodeCache::getGlobalCodeBlock):
342         (JSC::CodeCache::getProgramCodeBlock):
343         (JSC::CodeCache::getEvalCodeBlock):
344         (JSC::CodeCache::getModuleProgramCodeBlock):
345         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
346         * runtime/CodeCache.h:
347         * runtime/CommonIdentifiers.h:
348         * runtime/Completion.cpp:
349         (JSC::checkSyntax):
350         (JSC::checkModuleSyntax):
351         * runtime/Completion.h:
352         * runtime/Executable.cpp:
353         (JSC::ScriptExecutable::newCodeBlockFor):
354         (JSC::ProgramExecutable::checkSyntax):
355         * runtime/Executable.h:
356         * runtime/FunctionConstructor.cpp:
357         (JSC::constructFunctionSkippingEvalEnabledCheck):
358         * runtime/FunctionConstructor.h:
359         * runtime/JSAsyncFunction.cpp: Removed.
360         (JSC::JSAsyncFunction::JSAsyncFunction): Deleted.
361         (JSC::JSAsyncFunction::createImpl): Deleted.
362         (JSC::JSAsyncFunction::create): Deleted.
363         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint): Deleted.
364         * runtime/JSAsyncFunction.h: Removed.
365         (JSC::JSAsyncFunction::allocationSize): Deleted.
366         (JSC::JSAsyncFunction::createStructure): Deleted.
367         * runtime/JSFunction.cpp:
368         (JSC::JSFunction::getOwnPropertySlot):
369         * runtime/JSGlobalObject.cpp:
370         (JSC::JSGlobalObject::createProgramCodeBlock):
371         (JSC::JSGlobalObject::createEvalCodeBlock):
372         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
373         (JSC::JSGlobalObject::init): Deleted.
374         * runtime/JSGlobalObject.h:
375         (JSC::JSGlobalObject::asyncFunctionPrototype): Deleted.
376         (JSC::JSGlobalObject::asyncFunctionStructure): Deleted.
377         * runtime/ModuleLoaderObject.cpp:
378         (JSC::moduleLoaderObjectParseModule):
379         * runtime/RuntimeFlags.h:
380         (JSC::RuntimeFlags::operator==): Deleted.
381         (JSC::RuntimeFlags::operator!=): Deleted.
382         * tests/stress/async-await-basic.js: Removed.
383         (shouldBe): Deleted.
384         (shouldBeAsync): Deleted.
385         (shouldThrow): Deleted.
386         (shouldThrowAsync): Deleted.
387         (shouldThrowSyntaxError): Deleted.
388         (let.AsyncFunction.async): Deleted.
389         (async.asyncFunctionForProto): Deleted.
390         (Object.getPrototypeOf.async): Deleted.
391         (Object.getPrototypeOf.async.method): Deleted.
392         (async): Deleted.
393         (async.method): Deleted.
394         (async.asyncNonConstructorDecl): Deleted.
395         (shouldThrow.new.async): Deleted.
396         (shouldThrow.new.async.nonConstructor): Deleted.
397         (async.asyncDecl): Deleted.
398         (async.f): Deleted.
399         (MyError): Deleted.
400         (async.asyncDeclThrower): Deleted.
401         (shouldThrowAsync.async): Deleted.
402         (resolveLater): Deleted.
403         (rejectLater): Deleted.
404         (async.resumeAfterNormal): Deleted.
405         (O.async.resumeAfterNormal): Deleted.
406         (resumeAfterNormalArrow.async): Deleted.
407         (async.resumeAfterThrow): Deleted.
408         (O.async.resumeAfterThrow): Deleted.
409         (resumeAfterThrowArrow.async): Deleted.
410         (catch): Deleted.
411         * tests/stress/async-await-module-reserved-word.js: Removed.
412         (shouldThrow): Deleted.
413         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await): Deleted.
414         (checkModuleSyntaxError.String.raw.await): Deleted.
415         (checkModuleSyntaxError.String.raw.async.await): Deleted.
416         (SyntaxError.Cannot.declare.named): Deleted.
417         * tests/stress/async-await-mozilla.js: Removed.
418         (shouldBe): Deleted.
419         (shouldBeAsync): Deleted.
420         (shouldThrow): Deleted.
421         (shouldThrowAsync): Deleted.
422         (assert): Deleted.
423         (shouldThrowSyntaxError): Deleted.
424         (mozSemantics.async.empty): Deleted.
425         (mozSemantics.async.simpleReturn): Deleted.
426         (mozSemantics.async.simpleAwait): Deleted.
427         (mozSemantics.async.simpleAwaitAsync): Deleted.
428         (mozSemantics.async.returnOtherAsync): Deleted.
429         (mozSemantics.async.simpleThrower): Deleted.
430         (mozSemantics.async.delegatedThrower): Deleted.
431         (mozSemantics.async.tryCatch): Deleted.
432         (mozSemantics.async.tryCatchThrow): Deleted.
433         (mozSemantics.async.wellFinally): Deleted.
434         (mozSemantics.async.finallyMayFail): Deleted.
435         (mozSemantics.async.embedded.async.inner): Deleted.
436         (mozSemantics.async.embedded): Deleted.
437         (mozSemantics.async.fib): Deleted.
438         (mozSemantics.async.isOdd.async.isEven): Deleted.
439         (mozSemantics.async.isOdd): Deleted.
440         (mozSemantics.hardcoreFib.async.fib2): Deleted.
441         (mozSemantics.namedAsyncExpr.async.simple): Deleted.
442         (mozSemantics.async.executionOrder.async.first): Deleted.
443         (mozSemantics.async.executionOrder.async.second): Deleted.
444         (mozSemantics.async.executionOrder.async.third): Deleted.
445         (mozSemantics.async.executionOrder): Deleted.
446         (mozSemantics.async.miscellaneous): Deleted.
447         (mozSemantics.thrower): Deleted.
448         (mozSemantics.async.defaultArgs): Deleted.
449         (mozSemantics.shouldThrow): Deleted.
450         (mozSemantics): Deleted.
451         (mozMethods.X): Deleted.
452         (mozMethods.X.prototype.async.getValue): Deleted.
453         (mozMethods.X.prototype.setValue): Deleted.
454         (mozMethods.X.prototype.async.increment): Deleted.
455         (mozMethods.X.prototype.async.getBaseClassName): Deleted.
456         (mozMethods.X.async.getStaticValue): Deleted.
457         (mozMethods.Y.prototype.async.getBaseClassName): Deleted.
458         (mozMethods.Y): Deleted.
459         (mozFunctionNameInferrence.async.test): Deleted.
460         (mozSyntaxErrors): Deleted.
461         * tests/stress/async-await-reserved-word.js: Removed.
462         (assert): Deleted.
463         (shouldThrowSyntaxError): Deleted.
464         (AsyncFunction.async): Deleted.
465         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Removed.
466         (shouldBe): Deleted.
467         (shouldBeAsync): Deleted.
468         (shouldThrowAsync): Deleted.
469         (noArgumentsArrow2.async): Deleted.
470         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Removed.
471         (shouldBe): Deleted.
472         (shouldBeAsync): Deleted.
473         (shouldThrowAsync): Deleted.
474         (C1): Deleted.
475         (C2): Deleted.
476         (shouldThrowAsync.async): Deleted.
477         * tests/stress/async_arrow_functions_lexical_super_binding.js: Removed.
478         (shouldBe): Deleted.
479         (shouldBeAsync): Deleted.
480         (BaseClass.prototype.baseClassValue): Deleted.
481         (BaseClass.prototype.get property): Deleted.
482         (BaseClass): Deleted.
483         (ChildClass.prototype.asyncSuperProp): Deleted.
484         (ChildClass.prototype.asyncSuperProp2): Deleted.
485         (ChildClass): Deleted.
486         (ChildClass2): Deleted.
487         * tests/stress/async_arrow_functions_lexical_this_binding.js: Removed.
488         (shouldBe): Deleted.
489         (shouldBeAsync): Deleted.
490         (d.y): Deleted.
491
492 2016-05-31  Commit Queue  <commit-queue@webkit.org>
493
494         Unreviewed, rolling out r201363 and r201456.
495         https://bugs.webkit.org/show_bug.cgi?id=158240
496
497         "40% regression on date-format-xparb" (Requested by
498         keith_miller on #webkit).
499
500         Reverted changesets:
501
502         "LLInt should be able to cache prototype loads for values in
503         GetById"
504         https://bugs.webkit.org/show_bug.cgi?id=158032
505         http://trac.webkit.org/changeset/201363
506
507         "get_by_id should support caching unset properties in the
508         LLInt"
509         https://bugs.webkit.org/show_bug.cgi?id=158136
510         http://trac.webkit.org/changeset/201456
511
512 2016-05-31  Commit Queue  <commit-queue@webkit.org>
513
514         Unreviewed, rolling out r201359.
515         https://bugs.webkit.org/show_bug.cgi?id=158238
516
517         "It was not a speedup on anything" (Requested by saamyjoon on
518         #webkit).
519
520         Reverted changeset:
521
522         "We can cache lookups to JSScope::abstractResolve inside
523         CodeBlock::finishCreation"
524         https://bugs.webkit.org/show_bug.cgi?id=158036
525         http://trac.webkit.org/changeset/201359
526
527 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
528
529         [JSC] Recover parser performance regression by async support
530         https://bugs.webkit.org/show_bug.cgi?id=158228
531
532         Reviewed by Saam Barati.
533
534         This patch recovers parser performance regression caused in r201481.
535
536         Compared to the version that reverts r201481, still ~1% regression remains.
537         But compared to ToT, this patch significantly improves the code-load performance.
538
539         In Linux x64 JSCOnly port, with GCC 5.3.1.
540
541         reverted vs. patched.
542                                  reverted                  patched
543
544         closure              0.61805+-0.00376    ?     0.62280+-0.00525       ?
545         jquery               8.03778+-0.02114          8.03453+-0.04646
546
547         <geometric>          2.22883+-0.00836    ?     2.23688+-0.00995       ? might be 1.0036x slower
548
549         ToT vs. patched.
550                                  baseline                  patched
551
552         closure              0.65490+-0.00351    ^     0.62473+-0.00363       ^ definitely 1.0483x faster
553         jquery               8.25373+-0.06256    ^     8.04701+-0.03455       ^ definitely 1.0257x faster
554
555         <geometric>          2.32488+-0.00921    ^     2.24210+-0.00592       ^ definitely 1.0369x faster
556
557         * bytecode/UnlinkedFunctionExecutable.cpp:
558         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
559         * bytecode/UnlinkedFunctionExecutable.h:
560         Extend SourceParseMode.
561
562         * parser/Parser.cpp:
563         (JSC::Parser<LexerType>::parseInner):
564         (JSC::Parser<LexerType>::isArrowFunctionParameters):
565         Do not call `matchSpecIdentifier()` as much as we can. This greatly improves the performance.
566
567         (JSC::Parser<LexerType>::parseStatementListItem):
568         (JSC::Parser<LexerType>::parseStatement):
569         (JSC::Parser<LexerType>::parseFunctionParameters):
570         (JSC::Parser<LexerType>::parseFunctionInfo):
571         Do not touch `currentScope()->isGenerator()` even if it is unnecessary in parseFunctionInfo.
572         And accidental `syntaxChecker => context` changes are fixed.
573
574         (JSC::Parser<LexerType>::parseClass):
575         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
576         (JSC::Parser<LexerType>::parseImportClauseItem):
577         (JSC::Parser<LexerType>::parseExportDeclaration):
578         (JSC::Parser<LexerType>::parseAssignmentExpression):
579         Do not use matchSpecIdentifier() in the hot paths.
580
581         (JSC::Parser<LexerType>::parseProperty):
582         (JSC::Parser<LexerType>::parsePrimaryExpression):
583         (JSC::Parser<LexerType>::parseMemberExpression):
584         (JSC::Parser<LexerType>::parseUnaryExpression):
585         (JSC::Parser<LexerType>::printUnexpectedTokenText): Deleted.
586         * parser/Parser.h:
587         (JSC::isIdentifierOrKeyword):
588         AWAIT should be one of the keywords. This AWAIT check is unnecessary.
589
590         (JSC::Parser::upperScope):
591         (JSC::Parser::matchSpecIdentifier):
592         Touching currentScope() and its member causes significant performance degradation.
593         We carefully remove the above access in the hot paths.
594
595         (JSC::Parser::isDisallowedIdentifierAwait):
596         * parser/ParserModes.h:
597         (JSC::SourceParseModeSet::SourceParseModeSet):
598         (JSC::SourceParseModeSet::contains):
599         (JSC::SourceParseModeSet::mergeSourceParseModes):
600         (JSC::isFunctionParseMode):
601         (JSC::isAsyncFunctionParseMode):
602         (JSC::isAsyncArrowFunctionParseMode):
603         (JSC::isAsyncFunctionWrapperParseMode):
604         (JSC::isAsyncFunctionBodyParseMode):
605         (JSC::isModuleParseMode):
606         (JSC::isProgramParseMode):
607         (JSC::constructAbilityForParseMode):
608         The parser frequently checks SourceParseMode, and the variety of SourceParseModes has become large.
609         So using a switch on SourceParseMode degrades the performance. Instead, we use bit tests to guard against
610         many SourceParseModes. We expect that this will be efficiently compiled into test & jmp.
611
612         * parser/ParserTokens.h:
613         Change AWAIT to one of the keywords, the same as YIELD / LET.
614
615 2016-05-31  Saam Barati  <sbarati@apple.com>
616
617         Web Inspector: capturing with Allocations timeline causes GC to take 100x longer and cause frame drops
618         https://bugs.webkit.org/show_bug.cgi?id=158054
619         <rdar://problem/25280762>
620
621         Reviewed by Joseph Pecoraro.
622
623         HeapSnapshot::sweepCell was taking a long time on 
624         http://bl.ocks.org/syntagmatic/6c149c08fc9cde682635
625         because it has to do a binary search to find if
626         an item is or is not in the list. 90% of the binary searches
627         would not find anything. This resulted in a lot of wasted time.
628
629         This patch adds a TinyBloomFilter member variable to HeapSnapshot.
630         We use this filter to try to bypass doing a binary search when the
631         filter tells us that a particular JSCell is definitely not in our
632         list. This is a 2x speedup on the steady state GC of the above
633         website.
634
635         * heap/HeapSnapshot.cpp:
636         (JSC::HeapSnapshot::appendNode):
637         (JSC::HeapSnapshot::sweepCell):
638         (JSC::HeapSnapshot::shrinkToFit):
639         (JSC::HeapSnapshot::nodeForCell):
640         * heap/HeapSnapshot.h:
641
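The filter-before-search idea from the entry above, as an added C++ example (not JSC's TinyBloomFilter or HeapSnapshot code): a one-word Bloom filter sits in front of a sorted vector, with counters so the binary searches it saves are visible. TinyBloomFilter, SnapshotNodes, sweepDemo and the sample addresses are constructed for this example, and a 64-bit pointer size is assumed.

```cpp
#include <algorithm>
#include <bitset>
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for a JSCell* (constructed for this example).
using CellAddress = std::uintptr_t;

// 64-bit, single-probe Bloom filter. add() sets one bit per key; ruleOut()
// answers "definitely absent" with no false negatives, but a key that was
// never added can still fail to be ruled out (a false positive).
class TinyBloomFilter {
public:
    void add(CellAddress key) { m_bits |= bitFor(key); }
    bool ruleOut(CellAddress key) const { return (m_bits & bitFor(key)) == 0; }
    std::size_t bitCount() const { return std::bitset<64>(m_bits).count(); }

private:
    static std::uint64_t bitFor(CellAddress key)
    {
        // MurmurHash3-style finalizer: nearby addresses share most of their
        // bits and must still land on different filter bits to be useful.
        std::uint64_t h = key;
        h ^= h >> 33;
        h *= 0xff51afd7ed558ccdULL;
        h ^= h >> 33;
        h *= 0xc4ceb9fe1a85ec53ULL;
        h ^= h >> 33;
        return std::uint64_t { 1 } << (h & 63);
    }

    std::uint64_t m_bits = 0;
};

// Sorted list of tracked cells guarded by the filter, mirroring the
// append-then-sort-then-query shape of a heap snapshot.
class SnapshotNodes {
public:
    void addCell(CellAddress cell)
    {
        m_cells.push_back(cell);
        m_filter.add(cell);
    }

    void finalize() { std::sort(m_cells.begin(), m_cells.end()); }

    // True if the cell is tracked. The filter check costs one AND; the binary
    // search runs only when the filter cannot exclude the cell.
    bool contains(CellAddress cell)
    {
        if (m_filter.ruleOut(cell))
            return false;
        ++m_binarySearches;
        return std::binary_search(m_cells.begin(), m_cells.end(), cell);
    }

    std::size_t binarySearches() const { return m_binarySearches; }
    std::size_t filterBits() const { return m_filter.bitCount(); }

private:
    std::vector<CellAddress> m_cells;
    TinyBloomFilter m_filter;
    std::size_t m_binarySearches = 0;
};

struct SweepStats {
    std::size_t queries = 0;
    std::size_t hits = 0;
    std::size_t binarySearches = 0;
};

// Tracks 8 cells, then sweeps 1000 candidate addresses of which only those 8
// are tracked, a mostly-miss workload like the one in the ChangeLog entry.
SweepStats sweepDemo()
{
    const CellAddress base = 0x7f0000100000ULL; // constructed sample address
    const int trackedCount = 8;
    const int candidateCount = 1000;

    SnapshotNodes nodes;
    for (int i = 0; i < trackedCount; ++i)
        nodes.addCell(base + 64 * i);
    nodes.finalize();

    SweepStats stats;
    for (int i = 0; i < candidateCount; ++i) {
        ++stats.queries;
        if (nodes.contains(base + 64 * i))
            ++stats.hits;
    }
    stats.binarySearches = nodes.binarySearches();
    return stats;
}
```

With at most 8 of the 64 filter bits set, roughly one in eight untracked addresses still reaches the binary search; the rest are rejected by a single AND.
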
642 2016-05-29  Saam barati  <sbarati@apple.com>
643
644         Stack overflow crashes with deep or cyclic proxy prototype chains
645         https://bugs.webkit.org/show_bug.cgi?id=157087
646
647         Reviewed by Filip Pizlo and Mark Lam.
648
649         Because a Proxy can call back into the JS runtime in arbitrary
650         ways, we may have effectively cyclic prototype chains and property lookups
651         by using a Proxy. We may also have arbitrarily long Proxy chains
652         where we call into a C frame for each link in the Proxy chain.
653         This means that every Proxy hook must be aware that it can stack overflow.
654         Before, only certain hooks were aware of this fact. That was a bug:
655         all hooks must assume they can stack overflow.
656
657         Also, because we may have effectively cyclic prototype chains, we
658         compile ProxyObject.cpp with -fno-optimize-sibling-calls. This prevents
659         tail call optimization from happening on any of the calls from
660         ProxyObject.cpp. We do this because we rely on the machine stack
661         growing for throwing a stack overflow error. It's better for developers
662         to be able to see a stack overflow error than to have their program
663         infinite loop because the compiler performed TCO.
664
665         This patch also fixes a couple call sites of various methods
666         where we didn't check for an exception.
667
668         * CMakeLists.txt:
669         * JavaScriptCore.xcodeproj/project.pbxproj:
670         * interpreter/Interpreter.cpp:
671         (JSC::sizeOfVarargs):
672         * runtime/InternalFunction.cpp:
673         (JSC::InternalFunction::createSubclassStructure):
674         * runtime/JSArray.h:
675         (JSC::getLength):
676         * runtime/ObjectPrototype.cpp:
677         (JSC::objectProtoFuncToString):
678         * runtime/ProxyObject.cpp:
679         (JSC::performProxyGet):
680         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
681         (JSC::ProxyObject::performHasProperty):
682         (JSC::ProxyObject::getOwnPropertySlotCommon):
683         (JSC::ProxyObject::performPut):
684         (JSC::performProxyCall):
685         (JSC::performProxyConstruct):
686         (JSC::ProxyObject::performDelete):
687         (JSC::ProxyObject::performPreventExtensions):
688         (JSC::ProxyObject::performIsExtensible):
689         (JSC::ProxyObject::performDefineOwnProperty):
690         (JSC::ProxyObject::performGetOwnPropertyNames):
691         (JSC::ProxyObject::getOwnPropertyNames):
692         (JSC::ProxyObject::getPropertyNames):
693         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
694         (JSC::ProxyObject::performSetPrototype):
695         (JSC::ProxyObject::performGetPrototype):
696         * runtime/ProxyObject.h:
697         (JSC::ProxyObject::create):
698         * tests/stress/proxy-stack-overflow-exceptions.js: Added.
699         (shouldThrowStackOverflow):
700         (const.emptyFunction):
701         (makeLongProxyChain):
702         (shouldThrowStackOverflow.longProxyChain):
703         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain1):
704         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain2):
705         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain3):
706         (shouldThrowStackOverflow.longProxyChainBind):
707         (shouldThrowStackOverflow.longProxyChainPropertyAccess):
708         (shouldThrowStackOverflow.longProxyChainReflectConstruct):
709         (shouldThrowStackOverflow.longProxyChainReflectSet):
710         (shouldThrowStackOverflow.longProxyChainReflectOwnKeys):
711         (shouldThrowStackOverflow.longProxyChainGetPrototypeOf):
712         (shouldThrowStackOverflow.longProxyChainSetPrototypeOf):
713         (shouldThrowStackOverflow.longProxyChainGetOwnPropertyDescriptor):
714         (shouldThrowStackOverflow.longProxyChainDefineProperty):
715         (shouldThrowStackOverflow.longProxyChainIsExtensible):
716         (shouldThrowStackOverflow.longProxyChainPreventExtensions):
717         (shouldThrowStackOverflow.longProxyChainDeleteProperty):
718         (shouldThrowStackOverflow.longProxyChainWithScope):
719         (shouldThrowStackOverflow.longProxyChainWithScope2):
720         (shouldThrowStackOverflow.longProxyChainWithScope3):
721         (shouldThrowStackOverflow.longProxyChainArrayPrototypePush):
722         (shouldThrowStackOverflow.longProxyChainWithScope4):
723         (shouldThrowStackOverflow.longProxyChainCall):
724         (shouldThrowStackOverflow.longProxyChainConstruct):
725         (shouldThrowStackOverflow.longProxyChainHas):
726
727 2016-05-28  Andreas Kling  <akling@apple.com>
728
729         JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor.
730         <https://webkit.org/b/158186>
731
732         Reviewed by Saam Barati.
733
734         Give JSGlobalLexicalEnvironment a destroy() and set up a finalizer for it
735         like we do with JSGlobalObject. (This is needed because they don't inherit
736         from JSDestructibleObjects and thus can't use JSCell::needsDestruction to
737         ask for allocation in destructor space.)
738
739         This stops us from leaking all the SegmentedVector backing stores.
740
741         * runtime/JSGlobalLexicalEnvironment.cpp:
742         (JSC::JSGlobalLexicalEnvironment::destroy):
743         * runtime/JSGlobalLexicalEnvironment.h:
744         (JSC::JSGlobalLexicalEnvironment::create):
745
746 2016-05-28  Skachkov Oleksandr  <gskachkov@gmail.com>

747         [ESNext] Trailing commas in function parameters.
748         https://bugs.webkit.org/show_bug.cgi?id=158020
749
750         Reviewed by Keith Miller.
751
752         ESNext allows trailing commas in function parameters and function arguments.
753         Link to spec - https://jeffmo.github.io/es-trailing-function-commas
754         Example of use - (function (a, b,) { return a + b; })(1,2,);
755
756         * parser/Parser.cpp:
757         (JSC::Parser<LexerType>::parseFormalParameters):
758         (JSC::Parser<LexerType>::parseArguments):
759         * tests/stress/trailing-comma-in-function-paramters.js: Added.
760
761 2016-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
762
763         [JSC] op_new_arrow_func_exp is no longer necessary
764         https://bugs.webkit.org/show_bug.cgi?id=158180
765
766         Reviewed by Saam Barati.
767
768         This patch removes the op_new_arrow_func_exp bytecode since
769         what op_new_arrow_func_exp does is exactly the same as op_new_func_exp.
770
771         * bytecode/BytecodeList.json:
772         * bytecode/BytecodeUseDef.h:
773         (JSC::computeUsesForBytecodeOffset): Deleted.
774         (JSC::computeDefsForBytecodeOffset): Deleted.
775         * bytecode/CodeBlock.cpp:
776         (JSC::CodeBlock::dumpBytecode): Deleted.
777         * bytecompiler/BytecodeGenerator.cpp:
778         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
779         * dfg/DFGByteCodeParser.cpp:
780         (JSC::DFG::ByteCodeParser::parseBlock):
781         * dfg/DFGCapabilities.cpp:
782         (JSC::DFG::capabilityLevel): Deleted.
783         * jit/JIT.cpp:
784         (JSC::JIT::privateCompileMainPass): Deleted.
785         * jit/JIT.h:
786         * jit/JITOpcodes.cpp:
787         (JSC::JIT::emitNewFuncExprCommon):
788         (JSC::JIT::emit_op_new_arrow_func_exp): Deleted.
789         * llint/LLIntSlowPaths.cpp:
790         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
791         * llint/LLIntSlowPaths.h:
792         * llint/LowLevelInterpreter.asm:
793
794 2016-05-27  Caitlin Potter  <caitp@igalia.com>
795
796         [JSC] implement async functions proposal
797         https://bugs.webkit.org/show_bug.cgi?id=156147
798
799         Reviewed by Yusuke Suzuki.
800
801         Adds support for `async` functions, proposed in https://tc39.github.io/ecmascript-asyncawait/.
802
803         On the front-end side, "await" becomes a contextual keyword when used within an async function,
804         which triggers parsing an AwaitExpression. "await" becomes an illegal identifier name within
805         these contexts. The bytecode generated from an "await" expression is identical to that generated
806         in a "yield" expression in a Generator, as AsyncFunction reuses generator's state machine mechanism.
807
808         There are numerous syntactic forms for language features, including a variation on ArrowFunctions,
809         requiring the keyword `async` to precede ArrowFormalParameters, and similarly, MethodDefinitions,
810         which are ordinary MethodDefinitions preceded by the keyword `async`.
811
812         An async function desugars to the following:
813
814         ```
815         async function asyncFn() {
816         }
817
818         becomes:
819
820         function asyncFn() {
821             let generator = {
822                 @generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode) {
823                   // generator state machine stuff here
824                 },
825                 @generatorState: 0,
826                 @generatorThis: this,
827                 @generatorFrame: null
828             };
829             return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
830         }
831         ```
832
833         `@asyncFunctionResume()` is similar to `@generatorResume`, with the exception that it will wrap the
834         result of invoking `@generatorNext()` in a Promise, and will avoid allocating an iterator result
835         object.
836
837         If the generator has yielded (an AwaitExpression has occurred), resumption will occur automatically
838         once the await-expression operand is finished, via Promise chaining.
839
840         * API/JSScriptRef.cpp:
841         (parseScript):
842         * CMakeLists.txt:
843         * DerivedSources.make:
844         * JavaScriptCore.xcodeproj/project.pbxproj:
845         * builtins/AsyncFunctionPrototype.js: Added.
846         (asyncFunctionResume):
847         * builtins/BuiltinExecutables.cpp:
848         (JSC::BuiltinExecutables::createExecutable):
849         * bytecode/BytecodeList.json:
850         * bytecode/BytecodeUseDef.h:
851         (JSC::computeUsesForBytecodeOffset):
852         (JSC::computeDefsForBytecodeOffset):
853         * bytecode/CodeBlock.cpp:
854         (JSC::CodeBlock::dumpBytecode):
855         (JSC::CodeBlock::finishCreation):
856         * bytecode/UnlinkedCodeBlock.h:
857         (JSC::UnlinkedCodeBlock::isArrowFunction):
858         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction):
859         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction):
860         * bytecode/UnlinkedFunctionExecutable.cpp:
861         (JSC::generateUnlinkedFunctionCodeBlock):
862         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
863         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
864         * bytecode/UnlinkedFunctionExecutable.h:
865         * bytecompiler/BytecodeGenerator.cpp:
866         (JSC::BytecodeGenerator::BytecodeGenerator):
867         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
868         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
869         (JSC::BytecodeGenerator::emitNewMethodDefinition):
870         (JSC::BytecodeGenerator::emitNewFunction):
871         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
872         * bytecompiler/BytecodeGenerator.h:
873         (JSC::BytecodeGenerator::makeFunction):
874         * bytecompiler/NodesCodegen.cpp:
875         (JSC::FunctionNode::emitBytecode):
876         * inspector/agents/InspectorRuntimeAgent.cpp:
877         (Inspector::InspectorRuntimeAgent::parse):
878         * jit/JIT.cpp:
879         (JSC::JIT::privateCompileMainPass):
880         * jit/JIT.h:
881         * jit/JITOpcodes.cpp:
882         (JSC::JIT::emitNewFuncCommon):
883         (JSC::JIT::emit_op_new_async_func):
884         (JSC::JIT::emitNewFuncExprCommon):
885         (JSC::JIT::emit_op_new_async_func_exp):
886         * jit/JITOperations.cpp:
887         * jit/JITOperations.h:
888         * jsc.cpp:
889         (runInteractive):
890         (printUsageStatement):
891         * llint/LLIntSlowPaths.cpp:
892         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
893         * llint/LLIntSlowPaths.h:
894         * llint/LowLevelInterpreter.asm:
895         * parser/ASTBuilder.h:
896         (JSC::ASTBuilder::createAsyncFunctionBody):
897         * parser/Keywords.table:
898         * parser/Parser.cpp:
899         (JSC::Parser<LexerType>::Parser):
900         (JSC::Parser<LexerType>::parseInner):
901         (JSC::Parser<LexerType>::isArrowFunctionParameters):
902         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
903         (JSC::Parser<LexerType>::parseStatementListItem):
904         (JSC::Parser<LexerType>::parseVariableDeclarationList):
905         (JSC::Parser<LexerType>::parseDestructuringPattern):
906         (JSC::Parser<LexerType>::parseStatement):
907         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
908         (JSC::Parser<LexerType>::parseFormalParameters):
909         (JSC::stringForFunctionMode):
910         (JSC::Parser<LexerType>::parseFunctionParameters):
911         (JSC::Parser<LexerType>::parseFunctionInfo):
912         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
913         (JSC::Parser<LexerType>::parseClass):
914         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
915         (JSC::Parser<LexerType>::parseImportClauseItem):
916         (JSC::Parser<LexerType>::parseImportDeclaration):
917         (JSC::Parser<LexerType>::parseExportDeclaration):
918         (JSC::Parser<LexerType>::parseAssignmentExpression):
919         (JSC::Parser<LexerType>::parseAwaitExpression):
920         (JSC::Parser<LexerType>::parseProperty):
921         (JSC::Parser<LexerType>::parsePropertyMethod):
922         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
923         (JSC::Parser<LexerType>::parsePrimaryExpression):
924         (JSC::Parser<LexerType>::parseMemberExpression):
925         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
926         (JSC::Parser<LexerType>::parseUnaryExpression):
927         (JSC::Parser<LexerType>::printUnexpectedTokenText):
928         * parser/Parser.h:
929         (JSC::isIdentifierOrKeyword):
930         (JSC::Scope::Scope):
931         (JSC::Scope::setSourceParseMode):
932         (JSC::Scope::isAsyncFunction):
933         (JSC::Scope::isAsyncFunctionBoundary):
934         (JSC::Scope::isModule):
935         (JSC::Scope::setIsFunction):
936         (JSC::Scope::setIsAsyncArrowFunction):
937         (JSC::Scope::setIsAsyncFunction):
938         (JSC::Scope::setIsAsyncFunctionBody):
939         (JSC::Scope::setIsAsyncArrowFunctionBody):
940         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError):
941         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
942         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction):
943         (JSC::Parser::forceClassifyExpressionError):
944         (JSC::Parser::declarationTypeToVariableKind):
945         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
946         (JSC::Parser::pushScope):
947         (JSC::Parser::popScopeInternal):
948         (JSC::Parser::matchSpecIdentifier):
949         (JSC::Parser::isDisallowedIdentifierAwait):
950         (JSC::Parser::disallowedIdentifierAwaitReason):
951         (JSC::parse):
952         * parser/ParserModes.h:
953         (JSC::isFunctionParseMode):
954         (JSC::isAsyncFunctionParseMode):
955         (JSC::isAsyncArrowFunctionParseMode):
956         (JSC::isAsyncFunctionWrapperParseMode):
957         (JSC::isAsyncFunctionBodyParseMode):
958         (JSC::isModuleParseMode):
959         (JSC::isProgramParseMode):
960         (JSC::constructAbilityForParseMode):
961         * parser/ParserTokens.h:
962         * parser/SourceCodeKey.h:
963         (JSC::SourceCodeKey::SourceCodeKey):
964         (JSC::SourceCodeKey::runtimeFlags):
965         (JSC::SourceCodeKey::operator==):
966         * parser/SyntaxChecker.h:
967         (JSC::SyntaxChecker::createAsyncFunctionBody):
968         * runtime/AsyncFunctionConstructor.cpp: Added.
969         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
970         (JSC::AsyncFunctionConstructor::finishCreation):
971         (JSC::callAsyncFunctionConstructor):
972         (JSC::constructAsyncFunctionConstructor):
973         (JSC::AsyncFunctionConstructor::getCallData):
974         (JSC::AsyncFunctionConstructor::getConstructData):
975         * runtime/AsyncFunctionConstructor.h: Added.
976         (JSC::AsyncFunctionConstructor::create):
977         (JSC::AsyncFunctionConstructor::createStructure):
978         * runtime/AsyncFunctionPrototype.cpp: Added.
979         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
980         (JSC::AsyncFunctionPrototype::finishCreation):
981         * runtime/AsyncFunctionPrototype.h: Added.
982         (JSC::AsyncFunctionPrototype::create):
983         (JSC::AsyncFunctionPrototype::createStructure):
984         * runtime/CodeCache.cpp:
985         (JSC::CodeCache::getGlobalCodeBlock):
986         (JSC::CodeCache::getProgramCodeBlock):
987         (JSC::CodeCache::getEvalCodeBlock):
988         (JSC::CodeCache::getModuleProgramCodeBlock):
989         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
990         * runtime/CodeCache.h:
991         * runtime/CommonIdentifiers.h:
992         * runtime/Completion.cpp:
993         (JSC::checkSyntax):
994         (JSC::checkModuleSyntax):
995         * runtime/Completion.h:
996         * runtime/Executable.cpp:
997         (JSC::ScriptExecutable::newCodeBlockFor):
998         (JSC::ProgramExecutable::checkSyntax):
999         * runtime/Executable.h:
1000         * runtime/FunctionConstructor.cpp:
1001         (JSC::constructFunctionSkippingEvalEnabledCheck):
1002         * runtime/FunctionConstructor.h:
1003         * runtime/JSAsyncFunction.cpp: Added.
1004         (JSC::JSAsyncFunction::JSAsyncFunction):
1005         (JSC::JSAsyncFunction::createImpl):
1006         (JSC::JSAsyncFunction::create):
1007         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
1008         * runtime/JSAsyncFunction.h: Added.
1009         (JSC::JSAsyncFunction::allocationSize):
1010         (JSC::JSAsyncFunction::createStructure):
1011         * runtime/JSFunction.cpp:
1012         (JSC::JSFunction::getOwnPropertySlot):
1013         * runtime/JSGlobalObject.cpp:
1014         (JSC::JSGlobalObject::init):
1015         (JSC::JSGlobalObject::createProgramCodeBlock):
1016         (JSC::JSGlobalObject::createEvalCodeBlock):
1017         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1018         * runtime/JSGlobalObject.h:
1019         (JSC::JSGlobalObject::asyncFunctionPrototype):
1020         (JSC::JSGlobalObject::asyncFunctionStructure):
1021         * runtime/ModuleLoaderObject.cpp:
1022         (JSC::moduleLoaderObjectParseModule):
1023         * runtime/RuntimeFlags.h:
1024         (JSC::RuntimeFlags::operator==):
1025         (JSC::RuntimeFlags::operator!=):
1026         * tests/stress/async-await-basic.js: Added.
1027         (shouldBe):
1028         (shouldBeAsync):
1029         (shouldThrow):
1030         (shouldThrowAsync):
1031         (let.AsyncFunction.async):
1032         (async.asyncFunctionForProto):
1033         (Object.getPrototypeOf.async):
1034         (Object.getPrototypeOf.async.method):
1035         (async):
1036         (async.method):
1037         (async.asyncNonConstructorDecl):
1038         (shouldThrow.new.async):
1039         (shouldThrow.new.async.nonConstructor):
1040         (async.asyncDecl):
1041         (async.f):
1042         (MyError):
1043         (async.asyncDeclThrower):
1044         (shouldThrowAsync.async):
1045         (resolveLater):
1046         (rejectLater):
1047         (async.resumeAfterNormal):
1048         (O.async.resumeAfterNormal):
1049         (resumeAfterNormalArrow.async):
1050         (async.resumeAfterThrow):
1051         (O.async.resumeAfterThrow):
1052         (resumeAfterThrowArrow.async):
1053         (catch):
1054         * tests/stress/async-await-module-reserved-word.js: Added.
1055         (shouldThrow):
1056         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await):
1057         (checkModuleSyntaxError.String.raw.await):
1058         (checkModuleSyntaxError.String.raw.async.await):
1059         (SyntaxError.Cannot.declare.named):
1060         * tests/stress/async-await-mozilla.js: Added.
1061         (shouldBe):
1062         (shouldBeAsync):
1063         (shouldThrow):
1064         (shouldThrowAsync):
1065         (assert):
1066         (shouldThrowSyntaxError):
1067         (mozSemantics.async.empty):
1068         (mozSemantics.async.simpleReturn):
1069         (mozSemantics.async.simpleAwait):
1070         (mozSemantics.async.simpleAwaitAsync):
1071         (mozSemantics.async.returnOtherAsync):
1072         (mozSemantics.async.simpleThrower):
1073         (mozSemantics.async.delegatedThrower):
1074         (mozSemantics.async.tryCatch):
1075         (mozSemantics.async.tryCatchThrow):
1076         (mozSemantics.async.wellFinally):
1077         (mozSemantics.async.finallyMayFail):
1078         (mozSemantics.async.embedded.async.inner):
1079         (mozSemantics.async.embedded):
1080         (mozSemantics.async.fib):
1081         (mozSemantics.async.isOdd.async.isEven):
1082         (mozSemantics.async.isOdd):
1083         (mozSemantics.hardcoreFib.async.fib2):
1084         (mozSemantics.namedAsyncExpr.async.simple):
1085         (mozSemantics.async.executionOrder.async.first):
1086         (mozSemantics.async.executionOrder.async.second):
1087         (mozSemantics.async.executionOrder.async.third):
1088         (mozSemantics.async.executionOrder):
1089         (mozSemantics.async.miscellaneous):
1090         (mozSemantics.thrower):
1091         (mozSemantics.async.defaultArgs):
1092         (mozSemantics.shouldThrow):
1093         (mozSemantics):
1094         (mozMethods.X):
1095         (mozMethods.X.prototype.async.getValue):
1096         (mozMethods.X.prototype.setValue):
1097         (mozMethods.X.prototype.async.increment):
1098         (mozMethods.X.prototype.async.getBaseClassName):
1099         (mozMethods.X.async.getStaticValue):
1100         (mozMethods.Y.prototype.async.getBaseClassName):
1101         (mozMethods.Y):
1102         (mozFunctionNameInferrence.async.test):
1103         (mozSyntaxErrors):
1104         * tests/stress/async-await-reserved-word.js: Added.
1105         (assert):
1106         (shouldThrowSyntaxError):
1107         (AsyncFunction.async):
1108         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Added.
1109         (shouldBe):
1110         (shouldBeAsync):
1111         (shouldThrowAsync):
1112         (noArgumentsArrow2.async):
1113         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Added.
1114         (shouldBe):
1115         (shouldBeAsync):
1116         (shouldThrowAsync):
1117         (C1):
1118         (C2):
1119         (shouldThrowAsync.async):
1120         * tests/stress/async_arrow_functions_lexical_super_binding.js: Added.
1121         (shouldBe):
1122         (shouldBeAsync):
1123         (BaseClass.prototype.baseClassValue):
1124         (BaseClass):
1125         (ChildClass.prototype.asyncSuperProp):
1126         (ChildClass.prototype.asyncSuperProp2):
1127         (ChildClass):
1128         * tests/stress/async_arrow_functions_lexical_this_binding.js: Added.
1129         (shouldBe):
1130         (shouldBeAsync):
1131         (d.y):
1132
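Worked illustration of the desugaring described in the async functions entry above (the `@asyncFunctionResume` sketch), added here and not JavaScriptCore's builtin: a driver that resumes a generator so that each `yield` behaves like `await`, wrapping the body's completion in a Promise and resuming through promise chaining once the awaited operand settles. The names `ResumeMode`, `asyncFunctionResume` and `makeAsync` and the sample bodies are this example's own.

```javascript
// Added example, not JavaScriptCore's builtin: a driver that resumes a generator
// so that each `yield` behaves like `await`, and that returns a Promise for the
// body's completion. It follows the resumption scheme the entry sketches for
// @asyncFunctionResume; the names ResumeMode, asyncFunctionResume and makeAsync
// are this example's own.
const ResumeMode = Object.freeze({ Normal: 0, Throw: 1 });

function asyncFunctionResume(generator, value, mode) {
  let step;
  try {
    // Throw mode delivers a rejected await into the body at the `yield`, so a
    // try/catch around the await sees it; normal mode delivers the settled value.
    step = mode === ResumeMode.Throw ? generator.throw(value) : generator.next(value);
  } catch (error) {
    return Promise.reject(error); // the body threw out: the promise rejects, the caller is not unwound
  }
  if (step.done)
    return Promise.resolve(step.value); // `return` in the body resolves the promise
  // The body awaited something: chain on it and resume once it settles.
  return Promise.resolve(step.value).then(
    settled => asyncFunctionResume(generator, settled, ResumeMode.Normal),
    reason => asyncFunctionResume(generator, reason, ResumeMode.Throw));
}

// Turn a generator function into something that is called like an async function.
function makeAsync(generatorFunction) {
  return function (...args) {
    const generator = generatorFunction.apply(this, args);
    return asyncFunctionResume(generator, undefined, ResumeMode.Normal);
  };
}

// Constructed sample bodies, with `await` written as `yield`.
const sumPrices = makeAsync(function* (prices) {
  let total = 0;
  for (const p of prices) total += yield Promise.resolve(p); // suspends once per item
  if (total > 100) throw new RangeError("budget exceeded");
  return total;
});

const recover = makeAsync(function* () {
  try {
    yield Promise.reject(new Error("boom")); // rejection is rethrown at the yield
  } catch (e) {
    return "recovered: " + e.message;
  }
});
```

Calling `sumPrices([1, 2, 3])` returns a Promise that resolves to 6 after three suspensions; `sumPrices([60, 70])` returns a Promise that rejects with the RangeError thrown inside the body; `recover()` shows the throw-mode resumption, where the rejected operand surfaces as an exception at the `yield` and the body's `catch` handles it. Unlike the engine's version, this driver allocates an iterator result object per step, which is the overhead the entry says `@asyncFunctionResume` avoids.
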
1133 2016-05-27  Saam barati  <sbarati@apple.com>
1134
1135         DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec
1136         https://bugs.webkit.org/show_bug.cgi?id=158104
1137
1138         Reviewed by Filip Pizlo.
1139
1140         I think globalExec is a special enough case that it should be handled
1141         at the layers above ShadowChicken and StackVisitor. Those APIs should
1142         deal with real stack frames on the machine stack, not a heap constructed frame.
1143
1144         This patch makes DebuggerCallFrame::create aware that it may be
1145         created with the globalObject->globalExec() by having it construct
1146         a single DebuggerCallFrame that wraps the globalExec.
1147
1148         This fixes a crasher because we will construct a DebuggerCallFrame
1149         with the globalExec when the Inspector is set to pause on all uncaught
1150         exceptions and the JS program has a syntax error. Because the program
1151         hasn't begun execution, there is no machine JS stack frame yet. So
1152         DebuggerCallFrame is created with globalExec, which will cause it
1153         to hit an assertion that dictates that the stack have size greater
1154         than zero.
1155
1156         * debugger/DebuggerCallFrame.cpp:
1157         (JSC::DebuggerCallFrame::create):
1158
1159 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
1160
1161         DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
1162         https://bugs.webkit.org/show_bug.cgi?id=158170
1163
1164         Reviewed by Michael Saboff.
1165
1166         The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
1167         value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
1168         anywhere because of TDZ.
1169         
1170         This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
1171         and it has the affected code use one of those wrappers.
1172         
1173         * dfg/DFGFrozenValue.h:
1174         (JSC::DFG::FrozenValue::dynamicCast): Harden this.
1175         (JSC::DFG::FrozenValue::cast):
1176         * dfg/DFGLazyJSValue.cpp:
1177         (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
1178         * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
1179         (foo):
1180         (i.catch):
1181
1182 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
1183
1184         regExpProtoFuncSplitFast should OOM before it swaps
1185         https://bugs.webkit.org/show_bug.cgi?id=158157
1186
1187         Reviewed by Mark Lam.
1188         
1189         This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
1190         sooner that running a regexp split will result in swapping. It uses the same basic
1191         approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
1192         size threshold, we proceed with a dry run to see how big the array will get before
1193         allocating anything else. This way, bogus uses of split that would have OOMed only after
1194         killing the user's machine will now OOM before killing the user's machine.
1195         
1196         This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
1197         time to running instantly.
1198
1199         * runtime/RegExpPrototype.cpp:
1200         (JSC::advanceStringIndex):
1201         (JSC::genericSplit):
1202         (JSC::regExpProtoFuncSplitFast):
1203         * runtime/StringObject.h:
1204         (JSC::jsStringWithReuse):
1205         (JSC::jsSubstring):
1206         * tests/stress/big-split-captures.js: Added.
1207         * tests/stress/big-split.js: Added.
1208
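Worked illustration of the dry-run strategy in the regExpProtoFuncSplitFast entry above (the same idea the 2016-05-26 RegExpObject::matchGlobal entry below applies to global matching), added here and not JavaScriptCore code: a regexp split that materialises pieces normally until their count crosses a threshold, then runs the split again without allocating, just counting, and fails up front if the total would exceed a budget. The threshold, the budget, the RangeError and the function names are this example's own choices; the split walk itself follows the String.prototype.split algorithm for RegExp separators, including the `advanceStringIndex` step the entry names.

```javascript
// Added example, not JavaScriptCore's regExpProtoFuncSplitFast: a regexp split
// that materialises pieces normally until their count crosses a threshold, then
// makes a dry run that only counts the remaining pieces and fails up front if the
// total would exceed a budget, rather than allocating until memory runs out.
// The threshold, the budget and the RangeError are this example's own choices.
const DRY_RUN_THRESHOLD = 8;     // pieces materialised before we stop to count
const MAX_SPLIT_RESULTS = 1000;  // stand-in for the engine's array length limit

// Advance one code point (a surrogate pair counts as one when the regexp is unicode).
function advanceStringIndex(str, index, unicode) {
  if (unicode && index + 1 < str.length) {
    const c = str.charCodeAt(index);
    const d = str.charCodeAt(index + 1);
    if (c >= 0xD800 && c <= 0xDBFF && d >= 0xDC00 && d <= 0xDFFF) return index + 2;
  }
  return index + 1;
}

// Walk the split exactly as String.prototype.split with a RegExp separator does,
// handing each piece (and each capture) to `sink` instead of storing it.
function forEachSplitPiece(str, re, sink) {
  const sticky = new RegExp(re.source, re.flags.replace(/[gy]/g, "") + "y");
  const size = str.length;
  if (size === 0) {
    sticky.lastIndex = 0;
    if (sticky.exec(str) === null) sink(str);
    return;
  }
  let p = 0; // start of the piece being built
  let q = 0; // position at which we try to match the separator
  while (q < size) {
    sticky.lastIndex = q;
    const m = sticky.exec(str);
    if (m === null) { q = advanceStringIndex(str, q, re.unicode); continue; }
    const e = Math.min(sticky.lastIndex, size);
    if (e === p) { q = advanceStringIndex(str, q, re.unicode); continue; } // empty match at p
    sink(str.slice(p, q));
    for (let i = 1; i < m.length; i++) sink(m[i]); // captures are spliced in, as in the spec
    p = e;
    q = p;
  }
  sink(str.slice(p, size));
}

function splitWithDryRun(str, re) {
  const out = [];
  let budgetChecked = false;
  forEachSplitPiece(str, re, piece => {
    if (!budgetChecked && out.length === DRY_RUN_THRESHOLD) {
      budgetChecked = true;
      let total = 0;
      forEachSplitPiece(str, re, () => { total++; }); // dry run: counts, allocates nothing
      if (total > MAX_SPLIT_RESULTS)
        throw new RangeError(`split would produce ${total} pieces, limit is ${MAX_SPLIT_RESULTS}`);
    }
    out.push(piece);
  });
  return out;
}
```

For inputs under the threshold `splitWithDryRun` behaves exactly like the native split (captures included); for an input that would yield more pieces than the budget it throws after materialising only the first eight, so the cost of an absurd split is one extra pass over the string rather than an array that grows until the process is killed.
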
1209 2016-05-27  Saam barati  <sbarati@apple.com>
1210
1211         ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
1212         https://bugs.webkit.org/show_bug.cgi?id=158131
1213
1214         Reviewed by Yusuke Suzuki.
1215
1216         There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
1217         frame(s) are tail deleted.
1218
1219         DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
1220         tail deleted. This is clearly wrong. The following program proves that this assertion
1221         was misguided:
1222         ```
1223         "use strict";
1224         setTimeout(function foo() { return bar(); }, 0);
1225         ```
1226
1227         ShadowChicken had a very subtle bug when creating the shadow stack when
1228         the entry frames of the stack were tail deleted. Because it places frames into its shadow
1229         stack by walking the machine frame and looking up entries in the log,
1230         the machine frame doesn't have any notion of those tail deleted frames
1231         at the entry of execution. ShadowChicken would never find those frames
1232         because it would look for tail deleted frames *before* consulting the
1233         current machine frame. This is wrong because if the entry frames
1234         are tail deleted, then there is no machine frame for them because there
1235         is no machine frame before them! Therefore, we must search for tail deleted
1236         frames *after* consulting a machine frame. This is sound because we will always
1237         have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
1238         So when we consult the machine frame that is the entry frame on the machine stack,
1239         we will search for tail deleted frames that come before it in the shadow stack.
1240         This will allow us to find those tail deleted frames that are the entry frames
1241         for the shadow stack.
1242
1243         * debugger/DebuggerCallFrame.cpp:
1244         (JSC::DebuggerCallFrame::create):
1245         * interpreter/ShadowChicken.cpp:
1246         (JSC::ShadowChicken::Packet::dump):
1247         (JSC::ShadowChicken::update):
1248         (JSC::ShadowChicken::dump):
1249
1250 2016-05-27  Chris Dumez  <cdumez@apple.com>
1251
1252         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
1253         https://bugs.webkit.org/show_bug.cgi?id=158111
1254
1255         Reviewed by Darin Adler.
1256
1257         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
1258         These are often used cross-thread and copying the captured lambda variables can be
1259         dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
1260         capture).
1261
1262         * runtime/Watchdog.cpp:
1263         (JSC::Watchdog::startTimer):
1264         (JSC::Watchdog::Watchdog): Deleted.
1265         (JSC::Watchdog::setTimeLimit): Deleted.
1266         * runtime/Watchdog.h:
1267
1268 2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>
1269
1270         Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
1271         https://bugs.webkit.org/show_bug.cgi?id=158159
1272
1273         Reviewed by Darin Adler.
1274
1275         * jit/ExecutableAllocatorFixedVMPool.cpp:
1276
1277 2016-05-27  Keith Miller  <keith_miller@apple.com>
1278
1279         get_by_id should support caching unset properties in the LLInt
1280         https://bugs.webkit.org/show_bug.cgi?id=158136
1281
1282         Reviewed by Benjamin Poulain.
1283
1284         Recently, we started supporting prototype load caching for get_by_id
1285         in the LLInt. This patch extends that to caching unset properties.
1286         While it is uncommon in general for a program to see a single structure
1287         without a given property, the Array.prototype.concat function needs to
1288         lookup the Symbol.isConcatSpreadable property. For any existing code,
1289         that property will never be set, as it did not exist prior to ES6.
1290
1291         Similarly to the get_by_id_proto_load bytecode, this patch adds a new
1292         bytecode, get_by_id_unset that checks the structureID of the base and
1293         assigns undefined to the result.
1294
1295         There are no new tests here since we already have many tests that
1296         incidentally cover this change.
1297
1298         * bytecode/BytecodeList.json:
1299         * bytecode/BytecodeUseDef.h:
1300         (JSC::computeUsesForBytecodeOffset):
1301         (JSC::computeDefsForBytecodeOffset):
1302         * bytecode/CodeBlock.cpp:
1303         (JSC::CodeBlock::printGetByIdOp):
1304         (JSC::CodeBlock::dumpBytecode):
1305         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1306         * bytecode/GetByIdStatus.cpp:
1307         (JSC::GetByIdStatus::computeFromLLInt):
1308         * dfg/DFGByteCodeParser.cpp:
1309         (JSC::DFG::ByteCodeParser::parseBlock):
1310         * dfg/DFGCapabilities.cpp:
1311         (JSC::DFG::capabilityLevel):
1312         * jit/JIT.cpp:
1313         (JSC::JIT::privateCompileMainPass):
1314         (JSC::JIT::privateCompileSlowCases):
1315         * llint/LLIntSlowPaths.cpp:
1316         (JSC::LLInt::setupGetByIdPrototypeCache):
1317         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1318         * llint/LLIntSlowPaths.h:
1319         * llint/LowLevelInterpreter32_64.asm:
1320         * llint/LowLevelInterpreter64.asm:
1321
1322 2016-05-26  Filip Pizlo  <fpizlo@apple.com>
1323
1324         Bogus uses of regexp matching should realize that they will OOM before they start swapping
1325         https://bugs.webkit.org/show_bug.cgi?id=158142
1326
1327         Reviewed by Michael Saboff.
1328         
1329         Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
1330         advantage of this to make the code more resilient in case of absurd situations: if the
1331         result array gets large, it proceeds with a dry run to detect how many matches there will
1332         be. This allows it to OOM before it starts swapping.
1333         
1334         This also improves the overall performance of the code by using lightweight substrings and
1335         skipping the whole intermediate argument array.
1336         
1337         This makes some jsfunfuzz tests run a lot faster and use a lot less memory.
1338         
1339         * builtins/RegExpPrototype.js:
1340         * CMakeLists.txt:
1341         * JavaScriptCore.xcodeproj/project.pbxproj:
1342         * runtime/MatchResult.cpp: Added.
1343         (JSC::MatchResult::dump):
1344         * runtime/MatchResult.h:
1345         (JSC::MatchResult::empty):
1346         (MatchResult::empty): Deleted.
1347         * runtime/RegExpObject.cpp:
1348         (JSC::RegExpObject::match):
1349         (JSC::collectMatches):
1350         (JSC::RegExpObject::matchGlobal):
1351         * runtime/StringObject.h:
1352         (JSC::jsStringWithReuse):
1353         (JSC::jsSubstring):
1354         * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.
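
The dry-run strategy described above, as an added example that is not JavaScriptCore's RegExpObject code: a literal-substring search stands in for the regexp, and the threshold and memory budget are hypothetical values chosen for this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Added example, not JavaScriptCore's RegExpObject::matchGlobal(): collect every
// non-overlapping match of a literal needle (standing in for a regexp) with the
// resilience strategy the entry above describes. Matches are appended normally
// while the result is small; once it crosses a threshold the collector stops
// allocating, performs a dry run that only counts the remaining matches, and
// checks the total against a memory budget before growing. A pathological input
// therefore fails with a clean out-of-memory status instead of swapping while
// the result array keeps growing.

struct MatchRange { std::size_t start; std::size_t length; };

enum class CollectStatus { Ok, NoMatches, OutOfMemory };

struct CollectResult {
    CollectStatus status;
    std::vector<MatchRange> matches; // populated only when status == Ok
};

// Hypothetical thresholds for this example; the real values are engine policy.
constexpr std::size_t kDryRunThreshold = 1024;      // matches stored before counting
constexpr std::size_t kMemoryBudgetBytes = 1 << 20; // 1 MiB for the result array

// Next non-overlapping match at or after `pos`, or npos if there is none.
static std::size_t nextMatch(const std::string& subject, const std::string& needle, std::size_t pos) {
    if (needle.empty() || pos > subject.size())
        return std::string::npos;
    return subject.find(needle, pos);
}

CollectResult collectMatches(const std::string& subject, const std::string& needle) {
    CollectResult result{CollectStatus::Ok, {}};
    std::vector<MatchRange>& out = result.matches;
    std::size_t pos = 0;

    // Phase 1: append matches while the result array is still small.
    while (out.size() < kDryRunThreshold) {
        std::size_t at = nextMatch(subject, needle, pos);
        if (at == std::string::npos) {
            result.status = out.empty() ? CollectStatus::NoMatches : CollectStatus::Ok;
            return result;
        }
        out.push_back({at, needle.size()});
        pos = at + needle.size();
    }

    // Phase 2: the array got large. Dry run: count the remaining matches without
    // storing them, so the final size is known before any further allocation.
    std::size_t remaining = 0;
    std::size_t dryPos = pos;
    for (;;) {
        std::size_t at = nextMatch(subject, needle, dryPos);
        if (at == std::string::npos)
            break;
        ++remaining;
        dryPos = at + needle.size();
    }

    std::size_t total = out.size() + remaining;
    if (total * sizeof(MatchRange) > kMemoryBudgetBytes) {
        out.clear();
        out.shrink_to_fit();
        result.status = CollectStatus::OutOfMemory; // fail before growing, not after swapping
        return result;
    }

    // Phase 3: one allocation of the exact final size, then fill it in.
    out.reserve(total);
    while (remaining--) {
        std::size_t at = nextMatch(subject, needle, pos);
        out.push_back({at, needle.size()});
        pos = at + needle.size();
    }
    return result;
}
```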
1355
1356 2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>
1357
1358         Static table property lookup should not require getOwnPropertySlot override.
1359         https://bugs.webkit.org/show_bug.cgi?id=158059
1360
1361         Reviewed by Darin Adler.
1362
1363         Currently JSObject does not handle property lookup of entries in the static
1364         table. Each subclass with static properties must override getOwnPropertySlot,
1365         and explicitly call the lookup functions. This has the following drawbacks:
1366
1367         - Performance: for any class with static properties, property access becomes
1368           virtual (via method table).
1369         - Poor encapsulation: implementation detail of static property access is
1370           spread throughout & cross projects, rather than being contained in JSObject.
1371         - Code size: this results in a great many additional functions.
1372         - Inconsistency: static table presence has to be taken into account in many
1373           other operations, e.g. presence of read-only properties for put.
1374         - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
1375           all properties. This is likely suboptimal.
1376
1377         Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
1378         able to handle static properties.
1379
1380         This is actually a fairly small & simple change.
1381
1382         The common pattern is for subclasses of JSObject to override getOwnPropertySlot
1383         to first defer to JSObject for property storage lookup, and only if this fails
1384         consult the static table. They just want the static tables to be consulted after
1385         regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
1386         to check, and where it is set, do so. Then it's just a question of switching
1387         classes over to start setting this flag, and drop the override.
1388
1389         The new mechanism does change static table lookup order from oldest-ancestor
1390         first to most-derived first. The new ordering makes more sense (means derived
1391         class static tables can now override entries from parents), and shouldn't affect
1392         any existing code (since overriding didn't previously work, there likely aren't
1393         shadowing properties in more derived types).
1394
1395         This patch changes all classes in JavaScriptCore over to using the new mechanism,
1396         except JSGlobalObject. I'll move classes in WebCore over as a separate patch
1397         (this is also why I've not moved JSGlobalObject in this patch - doing so would
1398         move JSDOMWindow, and I'd rather handle that separately).
1399
1400         * runtime/JSTypeInfo.h:
1401         (JSC::TypeInfo::hasStaticPropertyTable):
1402             - Add HasStaticPropertyTable flag.
1403         * runtime/Lookup.cpp:
1404         (JSC::setUpStaticFunctionSlot):
1405             - Change setUpStaticFunctionSlot to take a VM&.
1406         * runtime/Lookup.h:
1407         (JSC::getStaticPropertySlotFromTable):
1408             - Added helper function to perform static lookup alone.
1409         (JSC::getStaticPropertySlot):
1410         (JSC::getStaticFunctionSlot):
1411             - setUpStaticFunctionSlot changed to take a VM&.
1412         * runtime/JSObject.cpp:
1413         (JSC::JSObject::getOwnStaticPropertySlot):
1414             - Added, walks ClassInfo chain looking for static properties.
1415         * runtime/JSObject.h:
1416         (JSC::JSObject::getOwnNonIndexPropertySlot):
1417             - getOwnNonIndexPropertySlot is used internally by getPropertySlot
1418               & getOwnPropertySlot. If property is not present in storage array
1419               then check the static table.
1420         * runtime/ArrayConstructor.cpp:
1421         (JSC::ArrayConstructor::finishCreation):
1422         (JSC::constructArrayWithSizeQuirk):
1423         (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
1424         * runtime/ArrayConstructor.h:
1425         (JSC::ArrayConstructor::create):
1426         * runtime/ArrayIteratorPrototype.cpp:
1427         (JSC::ArrayIteratorPrototype::finishCreation):
1428         (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
1429         * runtime/ArrayIteratorPrototype.h:
1430         (JSC::ArrayIteratorPrototype::create):
1431         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
1432         * runtime/BooleanPrototype.cpp:
1433         (JSC::BooleanPrototype::finishCreation):
1434         (JSC::booleanProtoFuncToString):
1435         (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
1436         * runtime/BooleanPrototype.h:
1437         (JSC::BooleanPrototype::create):
1438         * runtime/DateConstructor.cpp:
1439         (JSC::DateConstructor::finishCreation):
1440         (JSC::millisecondsFromComponents):
1441         (JSC::DateConstructor::getOwnPropertySlot): Deleted.
1442         * runtime/DateConstructor.h:
1443         (JSC::DateConstructor::create):
1444         * runtime/DatePrototype.cpp:
1445         (JSC::DatePrototype::finishCreation):
1446         (JSC::dateProtoFuncToString):
1447         (JSC::DatePrototype::getOwnPropertySlot): Deleted.
1448         * runtime/DatePrototype.h:
1449         (JSC::DatePrototype::create):
1450         * runtime/ErrorPrototype.cpp:
1451         (JSC::ErrorPrototype::finishCreation):
1452         (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
1453         * runtime/ErrorPrototype.h:
1454         (JSC::ErrorPrototype::create):
1455         * runtime/GeneratorPrototype.cpp:
1456         (JSC::GeneratorPrototype::finishCreation):
1457         (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
1458         * runtime/GeneratorPrototype.h:
1459         (JSC::GeneratorPrototype::create):
1460         (JSC::GeneratorPrototype::createStructure):
1461         (JSC::GeneratorPrototype::GeneratorPrototype):
1462         * runtime/InspectorInstrumentationObject.cpp:
1463         (JSC::InspectorInstrumentationObject::finishCreation):
1464         (JSC::InspectorInstrumentationObject::isEnabled):
1465         (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
1466         * runtime/InspectorInstrumentationObject.h:
1467         (JSC::InspectorInstrumentationObject::create):
1468         (JSC::InspectorInstrumentationObject::createStructure):
1469         * runtime/IntlCollatorConstructor.cpp:
1470         (JSC::IntlCollatorConstructor::getCallData):
1471         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1472         (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
1473         * runtime/IntlCollatorConstructor.h:
1474         * runtime/IntlCollatorPrototype.cpp:
1475         (JSC::IntlCollatorPrototype::finishCreation):
1476         (JSC::IntlCollatorFuncCompare):
1477         (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
1478         * runtime/IntlCollatorPrototype.h:
1479         * runtime/IntlDateTimeFormatConstructor.cpp:
1480         (JSC::IntlDateTimeFormatConstructor::getCallData):
1481         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1482         (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
1483         * runtime/IntlDateTimeFormatConstructor.h:
1484         * runtime/IntlDateTimeFormatPrototype.cpp:
1485         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1486         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1487         (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
1488         * runtime/IntlDateTimeFormatPrototype.h:
1489         * runtime/IntlNumberFormatConstructor.cpp:
1490         (JSC::IntlNumberFormatConstructor::getCallData):
1491         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1492         (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
1493         * runtime/IntlNumberFormatConstructor.h:
1494         * runtime/IntlNumberFormatPrototype.cpp:
1495         (JSC::IntlNumberFormatPrototype::finishCreation):
1496         (JSC::IntlNumberFormatFuncFormatNumber):
1497         (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
1498         * runtime/IntlNumberFormatPrototype.h:
1499         * runtime/JSDataViewPrototype.cpp:
1500         (JSC::JSDataViewPrototype::createStructure):
1501         (JSC::getData):
1502         (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
1503         * runtime/JSDataViewPrototype.h:
1504         * runtime/JSInternalPromiseConstructor.cpp:
1505         (JSC::JSInternalPromiseConstructor::getCallData):
1506         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
1507         * runtime/JSInternalPromiseConstructor.h:
1508         * runtime/JSONObject.cpp:
1509         (JSC::Walker::Walker):
1510         (JSC::JSONObject::getOwnPropertySlot): Deleted.
1511         * runtime/JSONObject.h:
1512         (JSC::JSONObject::create):
1513         * runtime/JSPromiseConstructor.cpp:
1514         (JSC::JSPromiseConstructor::getCallData):
1515         (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
1516         * runtime/JSPromiseConstructor.h:
1517         * runtime/JSPromisePrototype.cpp:
1518         (JSC::JSPromisePrototype::addOwnInternalSlots):
1519         (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
1520         * runtime/JSPromisePrototype.h:
1521         * runtime/MapPrototype.cpp:
1522         (JSC::MapPrototype::finishCreation):
1523         (JSC::getMap):
1524         (JSC::MapPrototype::getOwnPropertySlot): Deleted.
1525         * runtime/MapPrototype.h:
1526         (JSC::MapPrototype::create):
1527         (JSC::MapPrototype::MapPrototype):
1528         * runtime/ModuleLoaderObject.cpp:
1529         (JSC::ModuleLoaderObject::finishCreation):
1530         (JSC::printableModuleKey):
1531         (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
1532         * runtime/ModuleLoaderObject.h:
1533         * runtime/NumberPrototype.cpp:
1534         (JSC::NumberPrototype::finishCreation):
1535         (JSC::toThisNumber):
1536         (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
1537         * runtime/NumberPrototype.h:
1538         (JSC::NumberPrototype::create):
1539         * runtime/ObjectConstructor.cpp:
1540         (JSC::ObjectConstructor::addDefineProperty):
1541         (JSC::constructObject):
1542         (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
1543         * runtime/ObjectConstructor.h:
1544         (JSC::ObjectConstructor::create):
1545         (JSC::ObjectConstructor::createStructure):
1546         * runtime/ReflectObject.cpp:
1547         (JSC::ReflectObject::finishCreation):
1548         (JSC::ReflectObject::getOwnPropertySlot): Deleted.
1549         * runtime/ReflectObject.h:
1550         (JSC::ReflectObject::create):
1551         (JSC::ReflectObject::createStructure):
1552         * runtime/RegExpConstructor.cpp:
1553         (JSC::RegExpConstructor::getRightContext):
1554         (JSC::regExpConstructorDollar):
1555         (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
1556         * runtime/RegExpConstructor.h:
1557         (JSC::RegExpConstructor::create):
1558         (JSC::RegExpConstructor::createStructure):
1559         * runtime/SetPrototype.cpp:
1560         (JSC::SetPrototype::finishCreation):
1561         (JSC::getSet):
1562         (JSC::SetPrototype::getOwnPropertySlot): Deleted.
1563         * runtime/SetPrototype.h:
1564         (JSC::SetPrototype::create):
1565         (JSC::SetPrototype::SetPrototype):
1566         * runtime/StringConstructor.cpp:
1567         (JSC::StringConstructor::finishCreation):
1568         (JSC::stringFromCharCodeSlowCase):
1569         (JSC::StringConstructor::getOwnPropertySlot): Deleted.
1570         * runtime/StringConstructor.h:
1571         (JSC::StringConstructor::create):
1572         * runtime/StringIteratorPrototype.cpp:
1573         (JSC::StringIteratorPrototype::finishCreation):
1574         (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
1575         * runtime/StringIteratorPrototype.h:
1576         (JSC::StringIteratorPrototype::create):
1577         (JSC::StringIteratorPrototype::StringIteratorPrototype):
1578         * runtime/StringPrototype.cpp:
1579         (JSC::StringPrototype::create):
1580         (JSC::substituteBackreferencesSlow):
1581         (JSC::StringPrototype::getOwnPropertySlot): Deleted.
1582         * runtime/StringPrototype.h:
1583         * runtime/SymbolConstructor.cpp:
1584         (JSC::SymbolConstructor::finishCreation):
1585         (JSC::callSymbol):
1586         (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
1587         * runtime/SymbolConstructor.h:
1588         (JSC::SymbolConstructor::create):
1589         * runtime/SymbolPrototype.cpp:
1590         (JSC::SymbolPrototype::finishCreation):
1591         (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
1592         * runtime/SymbolPrototype.h:
1593         (JSC::SymbolPrototype::create):
1594             - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.
1595
1596 2016-05-26  Commit Queue  <commit-queue@webkit.org>
1597
1598         Unreviewed, rolling out r201436.
1599         https://bugs.webkit.org/show_bug.cgi?id=158143
1600
1601         Caused 30% regression on Dromaeo DOM core tests (Requested by
1602         rniwa on #webkit).
1603
1604         Reverted changeset:
1605
1606         "REGRESSION: JSBench spends a lot of time transitioning
1607         to/from dictionary"
1608         https://bugs.webkit.org/show_bug.cgi?id=158045
1609         http://trac.webkit.org/changeset/201436
1610
1611 2016-05-26  Geoffrey Garen  <ggaren@apple.com>
1612
1613         REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
1614         https://bugs.webkit.org/show_bug.cgi?id=158045
1615
1616         Reviewed by Saam Barati.
1617
1618         15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.
1619
1620         This regression seems to have two parts:
1621
1622         (1) Transitioning the window object to/from dictionary is more expensive
1623         than it used to be because the window object has lots more properties.
1624         The window object has more properties because, for WebIDL compatibility,
1625         we reify DOM APIs as properties when you delete.
1626
1627         (2) DOM prototypes transition to/from dictionary upon creation
1628         because, once again for WebIDL compatibility, we reify their static
1629         APIs eagerly.
1630
1631         The solution is to chill out a bit on dictionary transitions.
1632
1633         * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
1634         if we've already done so before. This avoids pathological churn, and it
1635         is our idiom in other places.
1636
1637         * interpreter/Interpreter.cpp:
1638         (JSC::Interpreter::execute): Do flatten the global object unconditionally
1639         if it is an uncacheable dictionary because the global object is super
1640         important.
1641
1642         * runtime/BatchedTransitionOptimizer.h:
1643         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1644         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
1645         Don't transition away from dictionary after a batched set of property
1646         puts because normal dictionaries are cacheable and that's a perfectly
1647         fine state to be in -- and the transition is expensive.
1648
1649         * runtime/JSGlobalObject.cpp:
1650         (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
1651         dictionary because it will inevitably have enough properties to become
1652         a dictionary.
1653
1654         * runtime/Operations.h:
1655         (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.
1656
1657 2016-05-25  Geoffrey Garen  <ggaren@apple.com>
1658
1659         replaceable own properties seem to ignore replacement after property caching
1660         https://bugs.webkit.org/show_bug.cgi?id=158091
1661
1662         Reviewed by Darin Adler.
1663
1664         * runtime/Lookup.h:
1665         (JSC::replaceStaticPropertySlot): New helper function for replacing a
1666         static property with a direct property. We need to do an attribute changed
1667         transition because client code might have cached our static property.
1668
1669 2016-05-25  Benjamin Poulain  <benjamin@webkit.org>
1670
1671         [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
1672         https://bugs.webkit.org/show_bug.cgi?id=158011
1673         rdar://problem/25946592
1674
1675         Reviewed by Saam Barati.
1676
1677         When generating the meta-data required for compilation,
1678         Yarr uses a recursive function over the various expressions in the pattern.
1679
1680         If you have many nested expressions, you can run out of stack
1681         and crash the WebProcess.
1682         This patch changes that into a soft failure. The expression is just
1683         considered invalid.
1684
1685         * runtime/RegExp.cpp:
1686         (JSC::RegExp::finishCreation):
1687         (JSC::RegExp::compile):
1688         (JSC::RegExp::compileMatchOnly):
1689         * yarr/YarrPattern.cpp:
1690         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
1691         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
1692         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1693         (JSC::Yarr::YarrPattern::compile):
1694         (JSC::Yarr::YarrPattern::YarrPattern):
1695         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
1696         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
1697         * yarr/YarrPattern.h:
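
The recursion guard described above, as an added example that is not JavaScriptCore's Yarr code: a toy walker over a pattern grammar of literals and nested parenthesised groups that refuses to recurse past a fixed depth (a hypothetical limit standing in for Yarr's stack-bound check) and reports the pattern invalid instead of overflowing the stack.

```cpp
#include <cstddef>
#include <string>

// Added example, not JavaScriptCore's Yarr code: a recursive-descent walk over a
// toy pattern grammar (literal characters plus nested '(' ... ')' groups). Each
// nesting level consumes native stack, so an untrusted pattern with tens of
// thousands of '(' could otherwise exhaust the stack and crash the process. The
// guard turns that into a soft failure, as the entry above describes: the walk
// stops and the pattern is reported invalid.

enum class PatternStatus { Ok, UnbalancedGroup, TooDeeplyNested };

// Hypothetical limit for this example; Yarr checks remaining stack space instead.
constexpr std::size_t kMaxNestingDepth = 256;

class ToyPatternWalker {
public:
    explicit ToyPatternWalker(const std::string& pattern) : m_pattern(pattern) {}

    // Walks the whole pattern; optionally reports the deepest nesting reached.
    PatternStatus walk(std::size_t* maxDepthSeen = nullptr) {
        m_pos = 0;
        m_maxDepth = 0;
        PatternStatus status = walkGroup(0);
        if (status == PatternStatus::Ok && m_pos != m_pattern.size())
            status = PatternStatus::UnbalancedGroup; // a stray ')' at top level
        if (maxDepthSeen)
            *maxDepthSeen = m_maxDepth;
        return status;
    }

private:
    bool isSafeToRecurse(std::size_t depth) const { return depth < kMaxNestingDepth; }

    // Parses the body of one group at `depth` until ')' or end of input.
    PatternStatus walkGroup(std::size_t depth) {
        if (!isSafeToRecurse(depth))
            return PatternStatus::TooDeeplyNested; // soft failure instead of a crash
        if (depth > m_maxDepth)
            m_maxDepth = depth;
        while (m_pos < m_pattern.size()) {
            char c = m_pattern[m_pos];
            if (c == '(') {
                ++m_pos;
                PatternStatus inner = walkGroup(depth + 1);
                if (inner != PatternStatus::Ok)
                    return inner; // propagate the failure all the way up
                if (m_pos >= m_pattern.size() || m_pattern[m_pos] != ')')
                    return PatternStatus::UnbalancedGroup;
                ++m_pos; // consume the closing ')'
            } else if (c == ')') {
                return PatternStatus::Ok; // the caller consumes it
            } else {
                ++m_pos; // literal character
            }
        }
        return PatternStatus::Ok;
    }

    const std::string& m_pattern;
    std::size_t m_pos = 0;
    std::size_t m_maxDepth = 0;
};

PatternStatus checkPattern(const std::string& pattern, std::size_t* maxDepthSeen = nullptr) {
    ToyPatternWalker walker(pattern);
    return walker.walk(maxDepthSeen);
}

// Constructed input: n nested groups around a single literal, e.g. "((a))" for n = 2.
std::string nestedGroups(std::size_t n) {
    return std::string(n, '(') + "a" + std::string(n, ')');
}
```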
1698
1699 2016-05-25  Alex Christensen  <achristensen@webkit.org>
1700
1701         Fix Win64 build after r201335
1702         https://bugs.webkit.org/show_bug.cgi?id=158078
1703
1704         Reviewed by Mark Lam.
1705
1706         * offlineasm/x86.rb:
1707         Add Intel implementations for loadbs and loadhs
1708
1709 2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>
1710
1711         REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
1712         https://bugs.webkit.org/show_bug.cgi?id=158066
1713
1714         Reviewed by Darin Adler.
1715
1716         run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
1717         variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
1718         the current one is always "C", because to set the locale according to the environment variables we need to call
1719         setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
1720         process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
1721         always worked for EFL is because they call ecore_init() in jsc that calls setlocale.
1722
1723         * jsc.cpp:
1724         (main): Call setlocale(LC_ALL, "") on GTK+.
1725
1726 2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>
1727
1728         [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
1729         https://bugs.webkit.org/show_bug.cgi?id=157889
1730
1731         Reviewed by Darin Adler.
1732
1733         * assembler/LinkBuffer.cpp:
1734         (JSC::recordLinkOffsets):
1735
1736 2016-05-24  Keith Miller  <keith_miller@apple.com>
1737
1738         TypedArray.prototype.slice should not throw if no arguments are provided
1739         https://bugs.webkit.org/show_bug.cgi?id=158044
1740         <rdar://problem/26433280>
1741
1742         Reviewed by Geoffrey Garen.
1743
1744         We were throwing an exception if the TypedArray.prototype.slice function
1745         was not provided arguments. This was wrong. Instead we should just assume
1746         the first argument was 0.
1747
1748         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1749         (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
1750         * tests/stress/typedarray-slice.js:
1751
1752 2016-05-24  Keith Miller  <keith_miller@apple.com>
1753
1754         LLInt should be able to cache prototype loads for values in GetById
1755         https://bugs.webkit.org/show_bug.cgi?id=158032
1756
1757         Reviewed by Filip Pizlo.
1758
1759         This patch adds prototype value caching to the LLInt for op_get_by_id.
1760         Two previously unused words in the op_get_by_id bytecode have been
1761         repurposed to hold extra information for the cache. The first is a
1762         counter that records the number of get_by_ids that hit a cacheable value
1763         on a prototype. When the counter is decremented from one to zero we
1764         attempt to cache the prototype load, which will be discussed further
1765         below. The second word is used to hold the prototype object when we have
1766         started caching.
1767
1768         When the counter is decremented to zero we first attempt to generate and
1769         watch the property conditions needed to ensure the validity of prototype
1770         load. If the watchpoints are successfully created and installed we
1771         replace the op_get_by_id opcode with the new op_get_by_id_proto_load
1772         opcode, which tells the LLInt to use the cached prototype object for the
1773         load rather than the base value.
1774
1775         Prior to this patch there was no LLInt-specific data on CodeBlocks.
1776         Since the CodeBlock needs to own the Watchpoints for the cache, a weak
1777         map from each base structure to a bag of Watchpoints created for that
1778         structure by some op_get_by_id has been added to the CodeBlock. During
1779         GC, if we find that a structure in the map has not been marked we
1780         free the associated bag on the CodeBlock.
1781
1782         * JavaScriptCore.xcodeproj/project.pbxproj:
1783         * bytecode/BytecodeList.json:
1784         * bytecode/BytecodeUseDef.h:
1785         (JSC::computeUsesForBytecodeOffset):
1786         (JSC::computeDefsForBytecodeOffset):
1787         * bytecode/CodeBlock.cpp:
1788         (JSC::CodeBlock::printGetByIdOp):
1789         (JSC::CodeBlock::printGetByIdCacheStatus):
1790         (JSC::CodeBlock::dumpBytecode):
1791         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1792         * bytecode/CodeBlock.h:
1793         (JSC::CodeBlock::llintGetByIdWatchpointMap):
1794         (JSC::clearLLIntGetByIdCache):
1795         * bytecode/GetByIdStatus.cpp:
1796         (JSC::GetByIdStatus::computeFromLLInt):
1797         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
1798         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
1799         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1800         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1801         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
1802         * bytecode/ObjectPropertyConditionSet.cpp:
1803         (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
1804         * bytecode/ObjectPropertyConditionSet.h:
1805         * bytecompiler/BytecodeGenerator.cpp:
1806         (JSC::BytecodeGenerator::emitGetById):
1807         * dfg/DFGByteCodeParser.cpp:
1808         (JSC::DFG::ByteCodeParser::parseBlock):
1809         * dfg/DFGCapabilities.cpp:
1810         (JSC::DFG::capabilityLevel):
1811         * jit/JIT.cpp:
1812         (JSC::JIT::privateCompileMainPass):
1813         (JSC::JIT::privateCompileSlowCases):
1814         * llint/LLIntSlowPaths.cpp:
1815         (JSC::LLInt::setupGetByIdPrototypeCache):
1816         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1817         * llint/LLIntSlowPaths.h:
1818         * llint/LowLevelInterpreter32_64.asm:
1819         * llint/LowLevelInterpreter64.asm:
1820         * runtime/Options.h:
1821         * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
1822         (test):
1823
1824 2016-05-24  Keith Miller  <keith_miller@apple.com>
1825
1826         We should be able to use the sampling profiler with DRT/WTR.
1827         https://bugs.webkit.org/show_bug.cgi?id=158041
1828
1829         Reviewed by Saam Barati.
1830
1831         This patch makes the sampling profiler use a new option, samplingProfilerPath, which
1832         specifies the path to a directory to output sampling profiler data when the program
1833         terminates or the VM is destroyed. Additionally, it fixes some other issues with the
1834         bytecode profiler that would cause crashes on debug builds.
1835
1836         * profiler/ProfilerDatabase.cpp:
1837         (JSC::Profiler::Database::ensureBytecodesFor):
1838         (JSC::Profiler::Database::performAtExitSave):
1839         * runtime/Options.h:
1840         * runtime/SamplingProfiler.cpp:
1841         (JSC::SamplingProfiler::registerForReportAtExit):
1842         (JSC::SamplingProfiler::reportDataToOptionFile):
1843         (JSC::SamplingProfiler::reportTopFunctions):
1844         (JSC::SamplingProfiler::reportTopBytecodes):
1845         * runtime/SamplingProfiler.h:
1846         * runtime/VM.cpp:
1847         (JSC::VM::VM):
1848         (JSC::VM::~VM):
1849
1850 2016-05-24  Saam barati  <sbarati@apple.com>
1851
1852         We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
1853         https://bugs.webkit.org/show_bug.cgi?id=158036
1854
1855         Reviewed by Geoffrey Garen.
1856
1857         This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
1858         implementing the cache as a HashMap, but it seemed either less profitable on some
1859         benchmarks or just as profitable on others. Therefore, it's cleaner to just
1860         use a 1 item cache.
1861
1862         * bytecode/CodeBlock.cpp:
1863         (JSC::CodeBlock::CodeBlock):
1864         (JSC::AbstractResolveKey::AbstractResolveKey):
1865         (JSC::AbstractResolveKey::operator==):
1866         (JSC::AbstractResolveKey::isEmptyValue):
1867         (JSC::CodeBlock::finishCreation):
1868         * runtime/GetPutInfo.h:
1869         (JSC::needsVarInjectionChecks):
1870         (JSC::ResolveOp::ResolveOp):
1871
1872 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1873
1874         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
1875
1876         * tests/stress/override-map-constructor.js:
1877         (Map):
1878
1879 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1880
1881         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
1882         https://bugs.webkit.org/show_bug.cgi?id=158031
1883         rdar://problem/26353661
1884
1885         Reviewed by Geoffrey Garen.
1886         
1887         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
1888         not a LazyClassStructure<> and there is nothing lazy about it.
1889
1890         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
1891         * runtime/Lookup.cpp: Add some dumping on the assert path.
1892         (JSC::setUpStaticFunctionSlot):
1893         * tests/stress/override-map-constructor.js: Added. This test used to crash.
1894         (Map):
1895
1896 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1897
1898         LLInt64 should have typed array fast paths for get_by_val
1899         https://bugs.webkit.org/show_bug.cgi?id=157931
1900
1901         Reviewed by Keith Miller.
1902
1903         I think that the LLInt should be able to access typed arrays more quickly than it does now.
1904         Ideally we would have fast paths for every major typed array operation and we would use
1905         inline cache optimizations. I don't want to do this all in one go, so my plan is to
1906         incrementally add support for this as time allows.
1907         
1908         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
1909         of LLInt.
1910         
1911         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
1912         adding all typed array fast paths to both versions of the LLInt.
1913         
1914         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
1915         JITs are enabled.
1916
1917         * llint/LLIntData.cpp:
1918         (JSC::LLInt::Data::performAssertions):
1919         * llint/LLIntOffsetsExtractor.cpp:
1920         * llint/LowLevelInterpreter.asm:
1921         * llint/LowLevelInterpreter64.asm:
1922         * offlineasm/backends.rb:
1923         * runtime/JSArrayBufferView.h:
1924         * runtime/JSType.h:
1925
1926 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
1927
1928         ThisTDZMode is no longer needed
1929         https://bugs.webkit.org/show_bug.cgi?id=157209
1930
1931         Reviewed by Saam Barati.
1932
1933         ThisTDZMode is no longer needed because we have ConstructorKind
1934         and DerivedContextType. The value of ThisTDZMode is strictly less
1935         expressive than the combination of those two values. We were
1936         using those values anyways, and this patch just makes it official
1937         by removing ThisTDZMode.
1938
1939         This patch also cleans up caching keys. We extract SourceCodeFlags
1940         from SourceCodeKey and use it in EvalCodeCache. It correctly
1941         contains needed cache attributes: EvalContextType, DerivedContextType,
1942         etc. Here, we still use specialized keys for EvalCodeCache instead
1943         of SourceCodeKey for performance; it does not include name String and
1944         does not allocate SourceCode.
1945
1946         * bytecode/EvalCodeCache.h:
1947         (JSC::EvalCodeCache::CacheKey::CacheKey):
1948         (JSC::EvalCodeCache::CacheKey::operator==):
1949         (JSC::EvalCodeCache::CacheKey::Hash::equal):
1950         (JSC::EvalCodeCache::tryGet):
1951         (JSC::EvalCodeCache::getSlow):
1952         * bytecompiler/NodesCodegen.cpp:
1953         (JSC::ThisNode::emitBytecode): Deleted.
1954         * debugger/DebuggerCallFrame.cpp:
1955         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1956         * interpreter/Interpreter.cpp:
1957         (JSC::eval):
1958         * parser/ASTBuilder.h:
1959         (JSC::ASTBuilder::createThisExpr):
1960         * parser/NodeConstructors.h:
1961         (JSC::ThisNode::ThisNode):
1962         * parser/Nodes.h:
1963         * parser/Parser.cpp:
1964         (JSC::Parser<LexerType>::Parser):
1965         (JSC::Parser<LexerType>::parsePrimaryExpression):
1966         * parser/Parser.h:
1967         (JSC::parse):
1968         * parser/ParserModes.h:
1969         * parser/SourceCodeKey.h:
1970         (JSC::SourceCodeFlags::SourceCodeFlags):
1971         (JSC::SourceCodeFlags::operator==):
1972         (JSC::SourceCodeKey::SourceCodeKey):
1973         (JSC::SourceCodeKey::Hash::hash):
1974         (JSC::SourceCodeKey::Hash::equal):
1975         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
1976         (JSC::SourceCodeKeyHash::hash): Deleted.
1977         (JSC::SourceCodeKeyHash::equal): Deleted.
1978         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
1979         * parser/SyntaxChecker.h:
1980         (JSC::SyntaxChecker::createThisExpr):
1981         * runtime/CodeCache.cpp:
1982         (JSC::CodeCache::getGlobalCodeBlock):
1983         (JSC::CodeCache::getProgramCodeBlock):
1984         (JSC::CodeCache::getEvalCodeBlock):
1985         (JSC::CodeCache::getModuleProgramCodeBlock):
1986         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1987         * runtime/CodeCache.h:
1988         * runtime/Executable.cpp:
1989         (JSC::EvalExecutable::create):
1990         * runtime/Executable.h:
1991         * runtime/JSGlobalObject.cpp:
1992         (JSC::JSGlobalObject::createEvalCodeBlock):
1993         * runtime/JSGlobalObject.h:
1994         * runtime/JSGlobalObjectFunctions.cpp:
1995         (JSC::globalFuncEval):
1996         * tests/stress/code-cache-incorrect-caching.js: Added.
1997         (shouldBe):
1998         (hello):
1999         (catch):
2000         (shouldBe.test.hello):
2001         (globalEval.ok):
2002         (global.hello.hello):
2003
2004 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2005
2006         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
2007         https://bugs.webkit.org/show_bug.cgi?id=157080
2008
2009         Reviewed by Saam Barati.
2010
2011         In a custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
2012         In this patch, we add a new parameter, "slotBase". This represents the base value offering
2013         this custom getter, and we use it in ProxyObject's performGet custom accessor getter.
2014
2015         * API/JSCallbackObject.h:
2016         * API/JSCallbackObjectFunctions.h:
2017         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2018         (JSC::JSCallbackObject<Parent>::callbackGetter):
2019         * bytecode/PolymorphicAccess.cpp:
2020         (JSC::AccessCase::generateImpl):
2021         In PolymorphicAccess case, the thisValue and the slotBase are always cells.
2022         This is because IC is enabled in the case that the base value is a cell.
2023         And slotBase is always on the prototype chain from this base value.
2024
2025         * jit/CCallHelpers.h:
2026         (JSC::CCallHelpers::setupArgumentsWithExecState):
2027         * jsc.cpp:
2028         (WTF::CustomGetter::customGetter):
2029         (WTF::RuntimeArray::lengthGetter):
2030         * runtime/CustomGetterSetter.cpp:
2031         (JSC::callCustomSetter):
2032         * runtime/JSBoundSlotBaseFunction.cpp:
2033         (JSC::boundSlotBaseFunctionCall):
2034         * runtime/JSFunction.cpp:
2035         (JSC::JSFunction::argumentsGetter):
2036         (JSC::JSFunction::callerGetter):
2037         * runtime/JSFunction.h:
2038         * runtime/JSModuleNamespaceObject.cpp:
2039         (JSC::callbackGetter):
2040         * runtime/PropertySlot.cpp:
2041         (JSC::PropertySlot::customGetter):
2042         * runtime/PropertySlot.h:
2043         * runtime/ProxyObject.cpp:
2044         (JSC::performProxyGet):
2045         * runtime/RegExpConstructor.cpp:
2046         (JSC::regExpConstructorDollar):
2047         (JSC::regExpConstructorInput):
2048         (JSC::regExpConstructorMultiline):
2049         (JSC::regExpConstructorLastMatch):
2050         (JSC::regExpConstructorLastParen):
2051         (JSC::regExpConstructorLeftContext):
2052         (JSC::regExpConstructorRightContext):
2053         (JSC::regExpConstructorDollar1): Deleted.
2054         (JSC::regExpConstructorDollar2): Deleted.
2055         (JSC::regExpConstructorDollar3): Deleted.
2056         (JSC::regExpConstructorDollar4): Deleted.
2057         (JSC::regExpConstructorDollar5): Deleted.
2058         (JSC::regExpConstructorDollar6): Deleted.
2059         (JSC::regExpConstructorDollar7): Deleted.
2060         (JSC::regExpConstructorDollar8): Deleted.
2061         (JSC::regExpConstructorDollar9): Deleted.
2062         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
2063         (shouldBe):
2064
2065 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
2066
2067         REGRESSION (196374): deleting a global property is expensive
2068         https://bugs.webkit.org/show_bug.cgi?id=158005
2069
2070         Reviewed by Chris Dumez.
2071
2072         * runtime/JSObject.cpp:
2073         (JSC::JSObject::deleteProperty): We only need to reify static properties
2074         if the name being deleted matches a static property. Otherwise, we can
2075         be sure that delete won't observe any static properties.
2076
2077 2016-05-23  Saam barati  <sbarati@apple.com>
2078
2079         The baseline JIT crashes when compiling "(1,1)/1"
2080         https://bugs.webkit.org/show_bug.cgi?id=157933
2081
2082         Reviewed by Benjamin Poulain.
2083
2084         op_div in the baseline JIT needed to better handle when both the lhs
2085         and rhs are constants. It needs to make sure to load either the lhs or
2086         the rhs into a register since the div generator can't handle both
2087         the lhs and rhs being constants.
2088
2089         * jit/JITArithmetic.cpp:
2090         (JSC::JIT::emit_op_div):
2091         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
2092         (assert):
2093         (test):
2094
2095 2016-05-23  Saam barati  <sbarati@apple.com>
2096
2097         String template don't handle let initialization properly inside eval
2098         https://bugs.webkit.org/show_bug.cgi?id=157991
2099
2100         Reviewed by Oliver Hunt.
2101
2102         The fix is to make sure we emit TDZ checks. 
2103
2104         * bytecompiler/NodesCodegen.cpp:
2105         (JSC::TaggedTemplateNode::emitBytecode):
2106         * tests/stress/tagged-template-tdz.js: Added.
2107         (shouldThrowTDZ):
2108         (test):
2109
2110 2016-05-22  Saam barati  <sbarati@apple.com>
2111
2112         Unreviewed. Fixed debug assertion failures from r201235.
2113
2114         * runtime/JSScope.cpp:
2115         (JSC::abstractAccess):
2116
2117 2016-05-22  Brady Eidson  <beidson@apple.com>
2118
2119         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
2120
2121         Suggested by and reviewed by Anders Carlsson.
2122
2123         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
2124
2125 2016-05-22  Brady Eidson  <beidson@apple.com>
2126
2127         Move to C++14.
2128         https://bugs.webkit.org/show_bug.cgi?id=157948
2129
2130         Reviewed by Michael Catanzaro.
2131
2132         * Configurations/Base.xcconfig:
2133
2134 2016-05-22  Saam barati  <sbarati@apple.com>
2135
2136         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
2137         https://bugs.webkit.org/show_bug.cgi?id=157968
2138         <rdar://problem/26404735>
2139
2140         Reviewed by Ryosuke Niwa and Filip Pizlo.
2141
2142         There was a bug in the DFG where we were checking a condition
2143         on the wrong variable.
2144
2145         * dfg/DFGStrengthReductionPhase.cpp:
2146         (JSC::DFG::StrengthReductionPhase::handleNode):
2147
2148 2016-05-22  Chris Dumez  <cdumez@apple.com>
2149
2150         Remove uses of PassRefPtr in JS bindings code
2151         https://bugs.webkit.org/show_bug.cgi?id=157949
2152
2153         Reviewed by Andreas Kling.
2154
2155         Remove uses of PassRefPtr in JS bindings code.
2156
2157         * runtime/JSGlobalObject.cpp:
2158         (JSC::JSGlobalObject::queueMicrotask):
2159         * runtime/JSGlobalObject.h:
2160
2161 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2162
2163         Remove LegacyProfiler
2164         https://bugs.webkit.org/show_bug.cgi?id=153565
2165
2166         Reviewed by Mark Lam.
2167
2168         JavaScriptCore now provides a sampling profiler and it is enabled
2169         by all ports. Web Inspector switched months ago to using the
2170         sampling profiler and displaying its data. Remove the legacy
2171         profiler, as it is no longer being used by anything other than
2172         console.profile and tests. We will update console.profile's
2173         behavior soon to have new behavior and use the sampling data.
2174
2175         * API/JSProfilerPrivate.cpp: Removed.
2176         * API/JSProfilerPrivate.h: Removed.
2177         * CMakeLists.txt:
2178         * JavaScriptCore.xcodeproj/project.pbxproj:
2179         * bytecode/BytecodeList.json:
2180         * bytecode/BytecodeUseDef.h:
2181         (JSC::computeUsesForBytecodeOffset): Deleted.
2182         (JSC::computeDefsForBytecodeOffset): Deleted.
2183         * bytecode/CodeBlock.cpp:
2184         (JSC::CodeBlock::dumpBytecode): Deleted.
2185         * bytecode/UnlinkedFunctionExecutable.cpp:
2186         (JSC::generateUnlinkedFunctionCodeBlock):
2187         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2188         * bytecode/UnlinkedFunctionExecutable.h:
2189         * bytecompiler/BytecodeGenerator.cpp:
2190         (JSC::BytecodeGenerator::BytecodeGenerator):
2191         (JSC::BytecodeGenerator::emitCall):
2192         (JSC::BytecodeGenerator::emitCallVarargs):
2193         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2194         (JSC::BytecodeGenerator::emitConstructVarargs):
2195         (JSC::BytecodeGenerator::emitConstruct):
2196         * bytecompiler/BytecodeGenerator.h:
2197         (JSC::CallArguments::profileHookRegister): Deleted.
2198         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
2199         * bytecompiler/NodesCodegen.cpp:
2200         (JSC::CallFunctionCallDotNode::emitBytecode):
2201         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2202         (JSC::CallArguments::CallArguments): Deleted.
2203         * dfg/DFGAbstractInterpreterInlines.h:
2204         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
2205         * dfg/DFGByteCodeParser.cpp:
2206         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
2207         * dfg/DFGCapabilities.cpp:
2208         (JSC::DFG::capabilityLevel): Deleted.
2209         * dfg/DFGClobberize.h:
2210         (JSC::DFG::clobberize): Deleted.
2211         * dfg/DFGDoesGC.cpp:
2212         (JSC::DFG::doesGC): Deleted.
2213         * dfg/DFGFixupPhase.cpp:
2214         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2215         * dfg/DFGNodeType.h:
2216         * dfg/DFGPredictionPropagationPhase.cpp:
2217         * dfg/DFGSafeToExecute.h:
2218         (JSC::DFG::safeToExecute): Deleted.
2219         * dfg/DFGSpeculativeJIT32_64.cpp:
2220         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2221         * dfg/DFGSpeculativeJIT64.cpp:
2222         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2223         * inspector/InjectedScriptBase.cpp:
2224         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2225         * interpreter/Interpreter.cpp:
2226         (JSC::UnwindFunctor::operator()): Deleted.
2227         (JSC::Interpreter::execute): Deleted.
2228         (JSC::Interpreter::executeCall): Deleted.
2229         (JSC::Interpreter::executeConstruct): Deleted.
2230         * jit/JIT.cpp:
2231         (JSC::JIT::privateCompileMainPass): Deleted.
2232         * jit/JIT.h:
2233         * jit/JITOpcodes.cpp:
2234         (JSC::JIT::emit_op_profile_will_call): Deleted.
2235         (JSC::JIT::emit_op_profile_did_call): Deleted.
2236         * jit/JITOpcodes32_64.cpp:
2237         (JSC::JIT::emit_op_profile_will_call): Deleted.
2238         (JSC::JIT::emit_op_profile_did_call): Deleted.
2239         * jit/JITOperations.cpp:
2240         * jit/JITOperations.h:
2241         * llint/LLIntSlowPaths.cpp:
2242         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2243         * llint/LLIntSlowPaths.h:
2244         * llint/LowLevelInterpreter.asm:
2245         * parser/ParserModes.h:
2246         * profiler/CallIdentifier.h: Removed.
2247         * profiler/LegacyProfiler.cpp: Removed.
2248         * profiler/LegacyProfiler.h: Removed.
2249         * profiler/Profile.cpp: Removed.
2250         * profiler/Profile.h: Removed.
2251         * profiler/ProfileGenerator.cpp: Removed.
2252         * profiler/ProfileGenerator.h: Removed.
2253         * profiler/ProfileNode.cpp: Removed.
2254         * profiler/ProfileNode.h: Removed.
2255         * profiler/ProfilerJettisonReason.cpp:
2256         (WTF::printInternal): Deleted.
2257         * profiler/ProfilerJettisonReason.h:
2258         * runtime/CodeCache.cpp:
2259         (JSC::CodeCache::getGlobalCodeBlock):
2260         (JSC::CodeCache::getProgramCodeBlock):
2261         (JSC::CodeCache::getEvalCodeBlock):
2262         (JSC::CodeCache::getModuleProgramCodeBlock):
2263         * runtime/CodeCache.h:
2264         * runtime/Executable.cpp:
2265         (JSC::ScriptExecutable::newCodeBlockFor):
2266         * runtime/JSGlobalObject.cpp:
2267         (JSC::JSGlobalObject::createProgramCodeBlock):
2268         (JSC::JSGlobalObject::createEvalCodeBlock):
2269         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2270         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
2271         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
2272         * runtime/JSGlobalObject.h:
2273         * runtime/Options.h:
2274         * runtime/VM.cpp:
2275         (JSC::VM::VM): Deleted.
2276         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
2277         (JSC::VM::setEnabledProfiler): Deleted.
2278         * runtime/VM.h:
2279         (JSC::VM::enabledProfiler): Deleted.
2280         (JSC::VM::enabledProfilerAddress): Deleted.
2281
2282 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2283
2284         Remove LegacyProfiler
2285         https://bugs.webkit.org/show_bug.cgi?id=153565
2286
2287         Reviewed by Saam Barati.
2288
2289         * inspector/protocol/Timeline.json:
2290         * jsc.cpp:
2291         * runtime/JSGlobalObject.cpp:
2292         (JSC::JSGlobalObject::hasLegacyProfiler):
2293         * runtime/JSGlobalObject.h:
2294         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
2295
2296 2016-05-20  Saam barati  <sbarati@apple.com>
2297
2298         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
2299         https://bugs.webkit.org/show_bug.cgi?id=157956
2300
2301         Reviewed by Geoffrey Garen.
2302
2303         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
2304         malloc memory for it, then free the malloced memory once the entry goes out of
2305         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
2306         accesses during bytecode linking. It copies out the SymbolTableEntry every time
2307         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
2308         FatEntry. We should really just be using a reference to the entry because
2309         there is no need to copy it in such a scenario.
2310
2311         * runtime/JSScope.cpp:
2312         (JSC::abstractAccess):
2313
2314 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2315
2316         Web Inspector: retained size for typed arrays does not count native backing store
2317         https://bugs.webkit.org/show_bug.cgi?id=157945
2318         <rdar://problem/26392238>
2319
2320         Reviewed by Geoffrey Garen.
2321
2322         * runtime/JSArrayBuffer.h:
2323         * runtime/JSArrayBuffer.cpp:
2324         (JSC::JSArrayBuffer::estimatedSize):
2325         Include an estimatedSize implementation for JSArrayBuffer.
2326         ArrayBuffer has a unique path, different from other data
2327         stored in the Heap.
2328
2329         * tests/heapProfiler/typed-array-sizes.js: Added.
2330         Test sizes of TypedArray with and without an ArrayBuffer.
2331         When the TypedArray is a view wrapping an ArrayBuffer, the
2332         ArrayBuffer has the size.
2333
2334 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
2335
2336         reifyAllStaticProperties makes two copies of every string
2337         https://bugs.webkit.org/show_bug.cgi?id=157953
2338
2339         Reviewed by Mark Lam.
2340
2341         Let's not do that.
2342
2343         * runtime/JSObject.cpp:
2344         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
2345         reifyStaticProperty so it doesn't have to make its own.
2346
2347         * runtime/Lookup.h:
2348         (JSC::reifyStaticProperty): No need to null check because callers never
2349         pass null anymore. No need to make an identifier because callers pass
2350         us one.
2351
2352         (JSC::reifyStaticProperties): Honor new interface.
2353
2354 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
2355
2356         JSBench regression: CodeBlock linking always copies the symbol table
2357         https://bugs.webkit.org/show_bug.cgi?id=157951
2358
2359         Reviewed by Saam Barati.
2360
2361         We always put a SymbolTable into the constant pool, even in simple
2362         functions in which it won't be used -- i.e., there's no eval and there
2363         are no captured variables and so on.
2364
2365         This is costly because linking must copy any provided symbol tables.
2366
2367         * bytecompiler/BytecodeGenerator.cpp:
2368         (JSC::BytecodeGenerator::BytecodeGenerator):
2369         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
2370         as a constant if we will use it at runtime.
2371
2372 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
2373
2374         [JSC] Improve int->float conversion in FTL
2375         https://bugs.webkit.org/show_bug.cgi?id=157936
2376
2377         Reviewed by Filip Pizlo.
2378
2379         The integer -> floating point lowering was very barebone.
2380
2381         For example, converting a constant integer to double
2382         was doing:
2383             mov #const, %eax
2384             xor %xmm0, %xmm0
2385             cvtsi2sd %eax, %xmm0
2386
2387         Conversion from integer to float was also missing.
2388         We were always converting to double then rounding the double
2389         to float.
2390
2391         This patch adds the basics:
2392         -Constant folding.
2393         -Integer to Float opcode.
2394         -Reducing int->double to int->float when used by DoubleToFloat.
2395
2396         * assembler/MacroAssemblerX86Common.h:
2397         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
2398         * assembler/MacroAssemblerX86_64.h:
2399         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
2400         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
2401         * assembler/X86Assembler.h:
2402         (JSC::X86Assembler::cvtsi2ss_rr):
2403         (JSC::X86Assembler::cvtsi2ssq_rr):
2404         (JSC::X86Assembler::cvtsi2sdq_mr):
2405         (JSC::X86Assembler::cvtsi2ssq_mr):
2406         (JSC::X86Assembler::cvtsi2ss_mr):
2407         * assembler/MacroAssemblerARM64.h:
2408         * b3/B3Const32Value.cpp:
2409         (JSC::B3::Const32Value::iToDConstant):
2410         (JSC::B3::Const32Value::iToFConstant):
2411         * b3/B3Const32Value.h:
2412         * b3/B3Const64Value.cpp:
2413         (JSC::B3::Const64Value::iToDConstant):
2414         (JSC::B3::Const64Value::iToFConstant):
2415         * b3/B3Const64Value.h:
2416         * b3/B3LowerToAir.cpp:
2417         (JSC::B3::Air::LowerToAir::lower):
2418         * b3/B3Opcode.cpp:
2419         (WTF::printInternal):
2420         * b3/B3Opcode.h:
2421         * b3/B3ReduceDoubleToFloat.cpp:
2422         * b3/B3ReduceStrength.cpp:
2423         * b3/B3Validate.cpp:
2424         * b3/B3Value.cpp:
2425         (JSC::B3::Value::iToDConstant):
2426         (JSC::B3::Value::iToFConstant):
2427         (JSC::B3::Value::isRounded):
2428         (JSC::B3::Value::effects):
2429         (JSC::B3::Value::key):
2430         (JSC::B3::Value::typeFor):
2431         * b3/B3Value.h:
2432         * b3/B3ValueKey.cpp:
2433         (JSC::B3::ValueKey::materialize):
2434         * b3/air/AirFixPartialRegisterStalls.cpp:
2435         * b3/air/AirOpcode.opcodes:
2436         * b3/testb3.cpp:
2437         (JSC::B3::int64Operands):
2438         (JSC::B3::testIToD64Arg):
2439         (JSC::B3::testIToF64Arg):
2440         (JSC::B3::testIToD32Arg):
2441         (JSC::B3::testIToF32Arg):
2442         (JSC::B3::testIToD64Mem):
2443         (JSC::B3::testIToF64Mem):
2444         (JSC::B3::testIToD32Mem):
2445         (JSC::B3::testIToF32Mem):
2446         (JSC::B3::testIToD64Imm):
2447         (JSC::B3::testIToF64Imm):
2448         (JSC::B3::testIToD32Imm):
2449         (JSC::B3::testIToF32Imm):
2450         (JSC::B3::testIToDReducedToIToF64Arg):
2451         (JSC::B3::testIToDReducedToIToF32Arg):
2452         (JSC::B3::run):
2453
2454 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
2455
2456         [JSC] FTL can crash on stack overflow
2457         https://bugs.webkit.org/show_bug.cgi?id=157881
2458         rdar://problem/24665964
2459
2460         Reviewed by Michael Saboff.
2461
2462         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
2463         was never called). We forgot to change that when implementing B3.
2464
2465         Even when it is set, we still have a problem on OSR Exit.
2466         If the last frame is a FTL frame and it OSR Exits, the space required for
2467         that frame becomes significantly larger. What happens is we crash in the OSR Exit
2468         instead of the FTL frame (this is what happens in rdar://problem/24665964).
2469
2470         This patch changes the stack boundary checks in FTL to be the same as DFG:
2471         we verify that we have enough space for the current optimized function but
2472         also for the baseline version (including inlining) in case of exit.
2473
2474         * ftl/FTLLowerDFGToB3.cpp:
2475         (JSC::FTL::DFG::LowerDFGToB3::lower):
2476         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
2477         * runtime/VM.cpp:
2478         (JSC::VM::VM): Deleted.
2479         (JSC::VM::updateStackLimit): Deleted.
2480         (JSC::VM::updateFTLLargestStackSize): Deleted.
2481         * runtime/VM.h:
2482         (JSC::VM::addressOfFTLStackLimit): Deleted.
2483
2484 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
2485
2486         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
2487         https://bugs.webkit.org/show_bug.cgi?id=144527
2488
2489         Reviewed by Saam Barati.
2490         
2491         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
2492         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
2493         the execution of one implies that the other one must also execute. It means that the two
2494         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
2495         A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
2496         this has caused problems in the past. If we hoist something that may exit from a block that
2497         was not control equivalent to the pre-header then it's possible that the node's speculation
2498         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
2499         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
2500         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
2501         HoistingFailed exit kind.
2502         
2503         Note that this deliberately still allows us to hoist things that may exit even if they are
2504         not control equivalent to the pre-header. This is necessary because the profitability of
2505         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
2506         shot.
2507         
2508         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
2509         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
2510         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
2511         problems on that program even though LICM previously did the wrong thing).
2512
2513         * JavaScriptCore.xcodeproj/project.pbxproj:
2514         * bytecode/ExitKind.cpp:
2515         (JSC::exitKindToString):
2516         * bytecode/ExitKind.h:
2517         * dfg/DFGAtTailAbstractState.h:
2518         (JSC::DFG::AtTailAbstractState::operator bool):
2519         (JSC::DFG::AtTailAbstractState::initializeTo):
2520         * dfg/DFGBackwardsCFG.h: Added.
2521         (JSC::DFG::BackwardsCFG::BackwardsCFG):
2522         * dfg/DFGBackwardsDominators.h: Added.
2523         (JSC::DFG::BackwardsDominators::BackwardsDominators):
2524         * dfg/DFGCommon.h:
2525         (JSC::DFG::checkAndSet): Deleted.
2526         * dfg/DFGControlEquivalenceAnalysis.h: Added.
2527         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
2528         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
2529         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
2530         * dfg/DFGGraph.cpp:
2531         (JSC::DFG::Graph::dump):
2532         (JSC::DFG::Graph::dumpBlockHeader):
2533         (JSC::DFG::Graph::invalidateCFG):
2534         (JSC::DFG::Graph::substituteGetLocal):
2535         (JSC::DFG::Graph::handleAssertionFailure):
2536         (JSC::DFG::Graph::ensureDominators):
2537         (JSC::DFG::Graph::ensurePrePostNumbering):
2538         (JSC::DFG::Graph::ensureNaturalLoops):
2539         (JSC::DFG::Graph::ensureBackwardsCFG):
2540         (JSC::DFG::Graph::ensureBackwardsDominators):
2541         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
2542         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2543         * dfg/DFGGraph.h:
2544         (JSC::DFG::Graph::hasDebuggerEnabled):
2545         * dfg/DFGInPlaceAbstractState.h:
2546         (JSC::DFG::InPlaceAbstractState::operator bool):
2547         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2548         (JSC::DFG::InPlaceAbstractState::forNode):
2549         * dfg/DFGLICMPhase.cpp:
2550         (JSC::DFG::LICMPhase::run):
2551         (JSC::DFG::LICMPhase::attemptHoist):
2552         * dfg/DFGMayExit.cpp:
2553         (JSC::DFG::mayExit):
2554         * dfg/DFGMayExit.h:
2555         * dfg/DFGNode.h:
2556         * dfg/DFGNodeOrigin.cpp:
2557         (JSC::DFG::NodeOrigin::dump):
2558         * dfg/DFGNodeOrigin.h:
2559         (JSC::DFG::NodeOrigin::takeValidExit):
2560         (JSC::DFG::NodeOrigin::withWasHoisted):
2561         (JSC::DFG::NodeOrigin::forInsertingAfter):
2562         * dfg/DFGNullAbstractState.h: Added.
2563         (JSC::DFG::NullAbstractState::NullAbstractState):
2564         (JSC::DFG::NullAbstractState::operator bool):
2565         (JSC::DFG::NullAbstractState::forNode):
2566         * dfg/DFGOSRExit.cpp:
2567         (JSC::DFG::OSRExit::OSRExit):
2568         * dfg/DFGOSRExitBase.cpp:
2569         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2570         * dfg/DFGOSRExitBase.h:
2571         (JSC::DFG::OSRExitBase::OSRExitBase):
2572         * dfg/DFGTypeCheckHoistingPhase.cpp:
2573         (JSC::DFG::TypeCheckHoistingPhase::run):
2574         * ftl/FTLOSRExit.cpp:
2575         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2576         (JSC::FTL::OSRExit::OSRExit):
2577         * ftl/FTLOSRExit.h:
2578
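The control equivalence test described in the entry above, as an added example that is not JavaScriptCore's own code: dominators are computed by iterative dataflow, backwards dominators by running the same routine over the reversed CFG rooted at the exit block, and the hoisting policy for may-exit nodes follows the HoistingFailed rule. The `Graph`, `sampleLoopGraph` and `shouldHoistMayExitNode` names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Added example, not JavaScriptCore code. Blocks are indexed 0..n-1; `entry` has no
// predecessors and `exit` has no successors. Every block is assumed to be reachable
// from `entry` and to reach `exit` (the constructed sample below satisfies this).
struct Graph {
    int entry;
    int exit;
    std::vector<std::vector<int>> successors; // successors[b] = blocks b branches to
};

using DomMatrix = std::vector<std::vector<bool>>; // dom[b][d] == true iff d dominates b

// Reverse every edge so that successors become predecessors (and vice versa).
static std::vector<std::vector<int>> invert(const std::vector<std::vector<int>>& edges)
{
    std::vector<std::vector<int>> out(edges.size());
    for (size_t from = 0; from < edges.size(); ++from)
        for (int to : edges[from])
            out[to].push_back(static_cast<int>(from));
    return out;
}

// Classic iterative dataflow: dom(b) = {b} ∪ ⋂ dom(p) over the predecessors p of b.
// Calling it with the original successors and root = exit yields backwards dominators.
static DomMatrix computeDominators(const std::vector<std::vector<int>>& preds, int root)
{
    size_t n = preds.size();
    DomMatrix dom(n, std::vector<bool>(n, true)); // optimistic start: everything dominates
    dom[root].assign(n, false);
    dom[root][root] = true;
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t b = 0; b < n; ++b) {
            if (static_cast<int>(b) == root)
                continue;
            std::vector<bool> next(n, true);
            for (int p : preds[b])
                for (size_t d = 0; d < n; ++d)
                    next[d] = next[d] && dom[p][d];
            next[b] = true;
            if (next != dom[b]) {
                dom[b] = next;
                changed = true;
            }
        }
    }
    return dom;
}

class ControlEquivalenceAnalysis {
public:
    explicit ControlEquivalenceAnalysis(const Graph& graph)
        : m_dominators(computeDominators(invert(graph.successors), graph.entry))
        , m_backwardsDominators(computeDominators(graph.successors, graph.exit))
    {
    }

    bool dominates(int a, int b) const { return m_dominators[b][a]; }
    bool backwardsDominates(int a, int b) const { return m_backwardsDominators[b][a]; }

    // Executing one block implies executing the other:
    // (A dom B and B backdom A) or (B dom A and A backdom B).
    bool areEquivalent(int a, int b) const
    {
        return (dominates(a, b) && backwardsDominates(b, a))
            || (dominates(b, a) && backwardsDominates(a, b));
    }

private:
    DomMatrix m_dominators;
    DomMatrix m_backwardsDominators;
};

// Hoisting policy from the entry: a may-exit node in a block control equivalent to the
// pre-header is always safe to hoist; from any other block it is hoisted speculatively
// unless this code has already produced a HoistingFailed exit.
static bool shouldHoistMayExitNode(const ControlEquivalenceAnalysis& analysis, int block,
    int preHeader, bool sawHoistingFailedExit)
{
    if (analysis.areEquivalent(block, preHeader))
        return true;
    return !sawHoistingFailedExit;
}

// Constructed sample: 0 entry -> 1 pre-header -> 2 header -> {3, 4} -> 5 latch -> {2, 6 exit}.
static Graph sampleLoopGraph()
{
    Graph g;
    g.entry = 0;
    g.exit = 6;
    g.successors = { { 1 }, { 2 }, { 3, 4 }, { 5 }, { 5 }, { 2, 6 }, {} };
    return g;
}

int main()
{
    ControlEquivalenceAnalysis analysis(sampleLoopGraph());
    std::printf("latch equivalent to header: %d\n", analysis.areEquivalent(5, 2));
    std::printf("then-branch equivalent to header: %d\n", analysis.areEquivalent(3, 2));
    return 0;
}
```

Block 3 sits on only one arm of the branch, so a check hoisted from it to the pre-header can exit on iterations that would never have reached it; blocks 2 and 5 are equivalent to the pre-header and hoist safely.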
2579 2016-05-19  Mark Lam  <mark.lam@apple.com>
2580
2581         Code that null checks the VM pointer before any use should ref the VM.
2582         https://bugs.webkit.org/show_bug.cgi?id=157864
2583
2584         Reviewed by Filip Pizlo and Keith Miller.
2585
2586         JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
2587         through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
2588         after their null checks.
2589
2590         * bytecode/CodeBlock.h:
2591         (JSC::CodeBlock::vm):
2592         (JSC::CodeBlock::setVM): Deleted.
2593         - Not used, and suggests that it can be changed during the lifetime of the
2594           CodeBlock (which should not be).
2595
2596         * heap/HeapTimer.cpp:
2597         (JSC::HeapTimer::timerDidFire):
2598         * runtime/JSLock.cpp:
2599         (JSC::JSLock::willReleaseLock):
2600         - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
2601           the raw VM pointer.  This makes the null check a strong guarantee that the
2602           VM pointer is valid while these functions are using it.
2603
2604 2016-05-19  Saam barati  <sbarati@apple.com>
2605
2606         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
2607         https://bugs.webkit.org/show_bug.cgi?id=157908
2608
2609         Reviewed by Filip Pizlo.
2610
2611         We can safely combine these two environments when we have
2612         a simple parameter list (no default parameters, no destructuring parameters).
2613
2614         * bytecompiler/BytecodeGenerator.cpp:
2615         (JSC::BytecodeGenerator::BytecodeGenerator):
2616         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2617         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2618         * bytecompiler/BytecodeGenerator.h:
2619
2620 2016-05-19  Michael Saboff  <msaboff@apple.com>
2621
2622         Unreviewed build fix.
2623
2624         Skipping this new test as it times out on the bots.
2625
2626         Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903
2627
2628         * tests/stress/regress-157595.js:
2629         (MyRegExp):
2630
2631 2016-05-19  Guillaume Emont  <guijemont@igalia.com>
2632
2633         JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
2634         https://bugs.webkit.org/show_bug.cgi?id=157741
2635
2636         Reviewed by Saam Barati.
2637
2638         The PutByValWithThis case needs a special case for MIPS because we
2639         don't have enough registers. The special case needs to be different
2640         from the x86 one because we have a different ABI.
2641
2642         * dfg/DFGSpeculativeJIT32_64.cpp:
2643         (JSC::DFG::SpeculativeJIT::compile):
2644
2645 2016-05-19  Brian Burg  <bburg@apple.com>
2646
2647         Web Inspector: use a consistent prefix for injected scripts
2648         https://bugs.webkit.org/show_bug.cgi?id=157715
2649         <rdar://problem/26287188>
2650
2651         Reviewed by Timothy Hatcher.
2652
2653         * CMakeLists.txt:
2654         * DerivedSources.make:
2655         * inspector/InjectedScriptSource.js:
2656
2657 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
2658
2659         [ARM] Remove redefined macro after r200606
2660         https://bugs.webkit.org/show_bug.cgi?id=157890
2661
2662         Reviewed by Michael Saboff.
2663
2664         * bytecode/PolymorphicAccess.cpp:
2665         * jit/CCallHelpers.h:
2666
2667 2016-05-18  Saam barati  <sbarati@apple.com>
2668
2669         Function with default parameter values that are arrow functions that capture this isn't working
2670         https://bugs.webkit.org/show_bug.cgi?id=157786
2671         <rdar://problem/26327329>
2672
2673         Reviewed by Geoffrey Garen.
2674
2675         To make the scopes ordered properly, I needed to initialize the arrow 
2676         function lexical environment before initializing default parameter values.
2677         I also made the code easier to reason about by never reusing the function's
2678         var lexical environment for the arrow function lexical environment. The
2679         reason for this is that that code was wrong, and we just didn't have code
2680         that properly tested it. It was easy for that code to be wrong because
2681         sometimes the function's lexical environment isn't the top-most scope
2682         (namely, when a function's parameter list is non-simple) and sometimes
2683         it is (when the function's parameter list is simple).
2684
2685         Also, because a function's default parameter values may capture the
2686         'arguments' variable inside an arrow function, I needed to take care
2687         to initialize the 'arguments' variable as part of whichever scope
2688         is the top-most scope. It's either the function's var environment
2689         if the parameter list is simple, or it's the function's parameter
2690         environment if the parameter list is non-simple.
2691
2692         * bytecompiler/BytecodeGenerator.cpp:
2693         (JSC::BytecodeGenerator::BytecodeGenerator):
2694         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2695         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2696         (JSC::BytecodeGenerator::initializeParameters):
2697         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
2698         (JSC::BytecodeGenerator::visibleNameForParameter):
2699         * bytecompiler/BytecodeGenerator.h:
2700         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
2701         (assert):
2702         (test):
2703         (test.foo):
2704         * tests/stress/op-push-name-scope-crashes-profiler.js:
2705         (test):
2706
2707 2016-05-18  Michael Saboff  <msaboff@apple.com>
2708
2709         r199812 broke test262
2710         https://bugs.webkit.org/show_bug.cgi?id=157595
2711
2712         Reviewed by Filip Pizlo.
2713
2714         Added a reasonable limit to the size of the match result array to catch possible
2715         infinite loops when matching.
2716         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
2717         by creating a subclass of RegExp where the base RegExp's global flag is false and
2718         the subclass overrides .global with a getter that always returns true.
2719
2720         * builtins/RegExpPrototype.js:
2721         (match):
2722         * tests/stress/regress-157595.js: Added.
2723         (MyRegExp):
2724         (MyRegExp.prototype.get global):
2725         (test):
2726         (catch):
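
        Added example, not code from the ChangeLog entry above or from
        builtins/RegExpPrototype.js: a user-land model of the
        RegExp.prototype[Symbol.match] global loop, showing why a subclass whose
        `global` getter lies never terminates, and the shape of the fix (a cap on the
        match result array). The names matchWithLimit, advanceStringIndex, runRepro
        and the MAX_MATCH_RESULTS value are assumptions for this example, not JSC's
        actual identifiers or limit.

```javascript
// Added example, not JavaScriptCore's builtins/RegExpPrototype.js: a user-land
// model of the RegExp.prototype[Symbol.match] global loop with the same shape
// of fix as the ChangeLog entry, a cap on the number of collected matches.
// The cap value and the names matchWithLimit / MAX_MATCH_RESULTS / runRepro
// are assumptions for this example, not JSC's actual limit or identifiers.
const MAX_MATCH_RESULTS = 10000;

// Spec-style AdvanceStringIndex: one code unit, or two for a surrogate pair
// when the regexp has the /u flag.
function advanceStringIndex(s, index, fullUnicode) {
  if (!fullUnicode || index + 1 >= s.length) return index + 1;
  const cp = s.codePointAt(index);
  return index + (cp > 0xffff ? 2 : 1);
}

// Model of RegExp.prototype[Symbol.match](str). Note the asymmetry that
// causes the bug: `rx.global` is an observable property read (a subclass
// getter can return anything), while `rx.exec` honours the regexp's original
// flags. If the getter says "global" but the matcher is not, exec never
// advances lastIndex and keeps returning the same match, so the loop below
// would never terminate without the cap.
function matchWithLimit(rx, str, limit = MAX_MATCH_RESULTS) {
  const s = String(str);
  if (!rx.global) return rx.exec(s); // non-global: a single exec, as in the spec

  rx.lastIndex = 0;
  const results = [];
  for (;;) {
    const result = rx.exec(s);
    if (result === null) return results.length === 0 ? null : results;
    const matchStr = String(result[0]);
    results.push(matchStr);
    if (results.length > limit) {
      throw new RangeError('RegExp match result exceeds ' + limit + ' entries');
    }
    if (matchStr === '') {
      // Empty match: step forward so a global search cannot spin in place.
      rx.lastIndex = advanceStringIndex(s, rx.lastIndex, rx.unicode);
    }
  }
}

// Constructed reproducer in the shape the ChangeLog describes: the base
// RegExp is created without the g flag, but the subclass's `global` getter
// always reports true.
class MyRegExp extends RegExp {
  get global() { return true; }
}

// Runs the reproducer against the capped loop and reports how it ended.
function runRepro() {
  try {
    matchWithLimit(new MyRegExp('a'), 'aaa', 100);
    return 'unexpected: finished';
  } catch (e) {
    return e instanceof RangeError ? 'capped: ' + e.message : 'unexpected: ' + e;
  }
}
```

Without the `limit` check, matchWithLimit(new MyRegExp('a'), 'aaa') loops forever, which is the hang the test regress-157595.js exercises.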
2727
2728 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2729
2730         [ES6] Namespace object re-export should be handled as local export
2731         https://bugs.webkit.org/show_bug.cgi?id=157806
2732
2733         Reviewed by Mark Lam.
2734
2735         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
2736         This Type::Namespace is used for re-exported namespace object binding. For example,
2737
2738             import * as namespace from "namespace.js"
2739             export { namespace }
2740
2741         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
2742         and use normal local export (Type::Local) instead because the namespace object actually has
2743         the local binding in the above module environment. And this handling strictly meets the
2744         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
2745
2746         And we also clean up the ExportEntry implementation; dropping unnecessary information.
2747         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
2748
2749         * parser/ModuleAnalyzer.cpp:
2750         (JSC::ModuleAnalyzer::exportVariable):
2751         * runtime/JSModuleRecord.cpp:
2752         (JSC::getExportedNames):
2753         (JSC::JSModuleRecord::dump): Deleted.
2754         * runtime/JSModuleRecord.h:
2755         * tests/modules/namespace-re-export.js: Added.
2756         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
2757         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
2758         * tests/modules/resources/assert.js:
2759         (export.shouldNotBe):
2760
2761 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
2762
2763         JSC should detect the right default locale even when it's not embedded in WebCore
2764         https://bugs.webkit.org/show_bug.cgi?id=157755
2765         rdar://problem/24665424
2766
2767         Reviewed by Keith Miller.
2768         
2769         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
2770         not register a defaultLanguage callback. The result is that when JSC runs standalone it
2771         will detect the platform user preferred language almost the same way as when it's embedded
2772         in WebCore. The only difference is that WebCore may have its own additional overrides via
2773         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
2774         back to.
2775         
2776         We first found this bug because on iOS, the intl tests would fail because ICU would report
2777         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
2778         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
2779         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
2780         printing dates Polish-style. Now it will print them Polish-style if your system preferences
2781         say so. Also, the tests don't fail on iOS anymore.
2782         
2783         * runtime/IntlObject.cpp:
2784         (JSC::defaultLocale):
2785
2786 2016-05-17  Dean Jackson  <dino@apple.com>
2787
2788         Remove ES6_GENERATORS flag
2789         https://bugs.webkit.org/show_bug.cgi?id=157815
2790         <rdar://problem/26332894>
2791
2792         Reviewed by Geoffrey Garen.
2793
2794         This flag isn't needed. Generators are enabled everywhere and
2795         part of a stable specification.
2796
2797         * Configurations/FeatureDefines.xcconfig:
2798         * parser/Parser.cpp:
2799         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
2800         (JSC::Parser<LexerType>::parseClass): Deleted.
2801         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
2802         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
2803         (JSC::Parser<LexerType>::parseProperty): Deleted.
2804         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
2805
2806 2016-05-17  Keith Miller  <keith_miller@apple.com>
2807
2808         Rollout r200426 since it causes PLT regressions.
2809         https://bugs.webkit.org/show_bug.cgi?id=157812
2810
2811         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
2812
2813 2016-05-17  Keith Miller  <keith_miller@apple.com>
2814
2815         Add test262 harness support code
2816         https://bugs.webkit.org/show_bug.cgi?id=157797
2817
2818         Reviewed by Filip Pizlo.
2819
2820         This patch adds some new tooling needed to run Test262 with the jsc
2821         CLI. There were three options that needed to be added for Test262:
2822
2823         1) "--test262-async" This option overrides the print function in the test runner to look for
2824         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
2825         and that string is not passed then the test is marked as failing.
2826
2827         2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
2828         passed file before passing the source code to the VM. This option can, in theory, be passed
2829         multiple times.
2830
2831         3) "--exception=<name>" This option asserts that at the end of the last script file passed
2832         the VM has an uncaught exception with its name property equal to the passed name.
2833
2834         * jsc.cpp:
2835         (Script::Script):
2836         (fillBufferWithContentsOfFile):
2837         (functionPrint):
2838         (checkUncaughtException):
2839         (runWithScripts):
2840         (printUsageStatement):
2841         (CommandLine::parseArguments):
2842         (runJSC):
2843
2844 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
2845
2846         WTF should know about Language
2847         https://bugs.webkit.org/show_bug.cgi?id=157756
2848
2849         Reviewed by Geoffrey Garen.
2850
2851         Teach our scripts that an ObjC class beginning with WTF is totally cool.
2852
2853         * JavaScriptCore.xcodeproj/project.pbxproj:
2854
2855 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
2856
2857         console namespace breaks putting properties on console.__proto__
2858         https://bugs.webkit.org/show_bug.cgi?id=157782
2859         <rdar://problem/26250526>
2860
2861         Reviewed by Geoffrey Garen.
2862
2863         Some websites currently depend on console.__proto__ existing and being
2864         a separate object from Object.prototype. This patch adds back a basic
2865         console.__proto__ object, but all the console functions are left on
2866         the ConsoleObject itself.
2867
2868         * runtime/JSGlobalObject.cpp:
2869         (JSC::createConsoleProperty):
2870
2871 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2872
2873         Unreviewed, dump more information when math-pow-stable-results.js failed
2874         https://bugs.webkit.org/show_bug.cgi?id=157168
2875
2876         * tests/stress/math-pow-stable-results.js:
2877
2878 2016-05-16  Saam barati  <sbarati@apple.com>
2879
2880         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
2881         https://bugs.webkit.org/show_bug.cgi?id=157770
2882
2883         Reviewed by Filip Pizlo.
2884
2885         ShadowChicken was reading the scope from a half formed
2886         frame as it threw a stack overflow exception. The frame had
2887         a valid CodeBlock pointer, but it did not have a valid scope.
2888         The code in ShadowChicken's throw packet logging mechanism didn't
2889         account for this. The fix is to respect whether genericUnwind wants
2890         to unwind from the current frame or the caller's frame. For stack
2891         overflow errors, we always unwind the caller's frame.
2892
2893         * jit/JITExceptions.cpp:
2894         (JSC::genericUnwind):
2895
2896 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2897
2898         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
2899         https://bugs.webkit.org/show_bug.cgi?id=157168
2900
2901         Reviewed by Benjamin Poulain.
2902
2903         The fast path in operationMathPow produces different results between x87 and the other environments.
2904         This is because x87 calculates the double value in 80bit precision.
2905         The situation is the following: in x86 32bit environment, floating point operations are compiled to
2906         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
2907         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
2908         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
2909         problem since x87 has 80bit precision while SSE2 has 64bit precision.
2910
2911         In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
2912         is not specified. This will round the x87 value into 64bit per multiplying. Note that this problem does not
2913         occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.
2914
2915         * b3/B3MathExtras.cpp:
2916         (JSC::B3::powDoubleInt32):
2917         * runtime/MathCommon.cpp:
2918         (JSC::operationMathPow):
2919
2920 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2921
2922         [JSC] "return this" in a constructor does not need a branch on isObject(this)
2923         https://bugs.webkit.org/show_bug.cgi?id=157775
2924
2925         Reviewed by Saam Barati and Ryosuke Niwa.
2926
2927         When returning "this" in a constructor, the bytecode generator was generating:
2928             is_object         locX, this
2929             jtrue             locX, 5(->second ret)
2930             ret               this
2931             ret               this
2932
2933         That code is eliminated in DFG but it is pretty costly in lower tiers.
2934
2935         This patch changes bytecode generation to avoid the is_object test
2936         when possible and not generate two ret if they encode the same thing.
2937
2938         * bytecompiler/BytecodeGenerator.cpp:
2939         (JSC::BytecodeGenerator::emitReturn):
2940
2941 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2942
2943         [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
2944         https://bugs.webkit.org/show_bug.cgi?id=157766
2945
2946         Reviewed by Geoffrey Garen.
2947
2948         If the index is an integer constant, do not generate the index check.
2949
2950         * jit/JITPropertyAccess.cpp:
2951         (JSC::JIT::emit_op_get_by_val):
2952         (JSC::JIT::emitSlow_op_get_by_val):
2953         (JSC::JIT::emit_op_put_by_val):
2954         (JSC::JIT::emitSlow_op_put_by_val):
2955
2956 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2957
2958         [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
2959         https://bugs.webkit.org/show_bug.cgi?id=157700
2960
2961         Reviewed by Michael Saboff.
2962
2963         In general, fillSpeculateInt32() originates from SpeculateInt32
2964         and the user does not care about the tag.
2965
2966         This is particularly obvious on Sunspider's math-spectral-norm.js.
2967         In that test, registers are frequently spilled because of x86's DIV.
2968
2969         When they are re-filled, they were always tagged.
2970         Since the loops are small, all the tagging adds up.
2971
2972         * dfg/DFGSpeculativeJIT64.cpp:
2973         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2974
2975 2016-05-16  Saam barati  <sbarati@apple.com>
2976
2977         Unreviewed Cloop build fix.
2978
2979         * bytecode/CodeBlock.cpp:
2980         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2981
2982 2016-05-16  Saam barati  <sbarati@apple.com>
2983
2984         Hook up ShadowChicken to the debugger to show tail deleted frames
2985         https://bugs.webkit.org/show_bug.cgi?id=156685
2986         <rdar://problem/25770521>
2987
2988         Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.
2989
2990         The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
2991         allow the Web Inspector to display the ShadowChicken's shadow stack.
2992         This means the Web Inspector can now display tail deleted frames.
2993         To make this work, I made the necessary changes to ShadowChicken and
2994         DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
2995         when representing both machine frames and tail deleted frames.
2996
2997         - ShadowChicken prologue packets now log the current scope. Tail packets
2998           log the current scope, the 'this' value, the CodeBlock, and the
2999           CallSiteIndex. This allows the inspector to not only show the
3000           tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
3001           with which scope it executed, and with which 'this' value. This
3002           patch also allows DebuggerCallFrame to execute console statements
3003           in a tail deleted frame.
3004
3005         - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
3006           now only keeps a maximum number of tail deleted frames in its shadow stack.
3007           It will happily represent all machine frames without limit. Right now, the
3008           maximum number of tail deleted frames I chose to keep alive is 128.
3009           We will keep frames alive starting from the top of the stack. This
3010           allows us to have a strong defense against runaway memory usage. We will only
3011           keep around at most 128 "shadow" frames that wouldn't have naturally been kept
3012           alive by the executing program. We can play around with this number
3013           if we find that 128 is either too many or too few frames.
3014
3015         - DebuggerCallFrame is no longer a cheap class to create. When it is created,
3016           we will eagerly create the entire virtual debugger stack. So I modified the
3017           existing code to lazily create DebuggerCallFrames only when necessary. We
3018           used to eagerly create them at each op_debug statement even though we would
3019           just throw them away if we didn't hit a breakpoint.
3020
3021         - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
3022           into the stack. This pointer won't always refer to the logical frame
3023           that the DebuggerCallFrame represents because a DebuggerCallFrame can
3024           now represent a tail deleted frame. To do this, DebuggerCallFrame now
3025           has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
3026           to know when it represents a tail deleted frame and gives DebuggerCallFrame
3027           a mechanism to ask the tail deleted frame for interesting information
3028           (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
3029           machine frame pointer will be the machine caller of the tail deleted frame
3030           (or the machine caller of the first of a series of consecutive tail calls).
3031
3032         - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
3033           with debugging opcodes. I did this because ShadowChicken may read a JSScope
3034           from the machine stack. This is only safe if the machine CodeBlock was
3035           compiled with debugging opcodes. This is safer than asking if the
3036           CodeBlock's global object has an interactive debugger enabled because
3037           it's theoretically possible for the debugger to be enabled while code
3038           compiled without a debugger is still live on the stack. This field is
3039           also now used to indicate to the DFGGraph that the interactive debugger
3040           is enabled.
3041
3042         - Finally, this patch adds a new field to the Inspector's CallFrame protocol
3043           object called 'isTailDeleted' to allow the Inspector to know when a
3044           CallFrame represents a tail deleted frame.
3045
3046         * JavaScriptCore.xcodeproj/project.pbxproj:
3047         * bytecode/BytecodeList.json:
3048         * bytecode/BytecodeUseDef.h:
3049         (JSC::computeUsesForBytecodeOffset):
3050         * bytecode/CodeBlock.cpp:
3051         (JSC::CodeBlock::dumpBytecode):
3052         (JSC::CodeBlock::findPC):
3053         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3054         * bytecode/CodeBlock.h:
3055         (JSC::CodeBlock::clearDebuggerRequests):
3056         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
3057         * bytecode/UnlinkedCodeBlock.cpp:
3058         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3059         * bytecode/UnlinkedCodeBlock.h:
3060         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
3061         (JSC::UnlinkedCodeBlock::finishCreation):
3062         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
3063         * bytecode/UnlinkedFunctionExecutable.cpp:
3064         (JSC::generateUnlinkedFunctionCodeBlock):
3065         * bytecompiler/BytecodeGenerator.cpp:
3066         (JSC::BytecodeGenerator::generate):
3067         (JSC::BytecodeGenerator::BytecodeGenerator):
3068         (JSC::BytecodeGenerator::emitEnter):
3069         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3070         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3071         (JSC::BytecodeGenerator::emitCallDefineProperty):
3072         * debugger/Debugger.cpp:
3073         (JSC::DebuggerPausedScope::DebuggerPausedScope):
3074         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
3075         (JSC::Debugger::didReachBreakpoint):
3076         (JSC::Debugger::currentDebuggerCallFrame):
3077         * debugger/Debugger.h:
3078         * debugger/DebuggerCallFrame.cpp:
3079         (JSC::LineAndColumnFunctor::operator()):
3080         (JSC::DebuggerCallFrame::create):
3081         (JSC::DebuggerCallFrame::DebuggerCallFrame):
3082         (JSC::DebuggerCallFrame::callerFrame):
3083         (JSC::DebuggerCallFrame::globalExec):
3084         (JSC::DebuggerCallFrame::vmEntryGlobalObject):
3085         (JSC::DebuggerCallFrame::sourceID):
3086         (JSC::DebuggerCallFrame::functionName):
3087         (JSC::DebuggerCallFrame::scope):
3088         (JSC::DebuggerCallFrame::type):
3089         (JSC::DebuggerCallFrame::thisValue):
3090         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3091         (JSC::DebuggerCallFrame::invalidate):
3092         (JSC::DebuggerCallFrame::currentPosition):
3093         (JSC::DebuggerCallFrame::positionForCallFrame):
3094         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
3095         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
3096         (JSC::FindCallerMidStackFunctor::operator()): Deleted.
3097         (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
3098         (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
3099         * debugger/DebuggerCallFrame.h:
3100         (JSC::DebuggerCallFrame::isValid):
3101         (JSC::DebuggerCallFrame::isTailDeleted):
3102         (JSC::DebuggerCallFrame::create): Deleted.
3103         (JSC::DebuggerCallFrame::exec): Deleted.
3104         * dfg/DFGByteCodeParser.cpp:
3105         (JSC::DFG::ByteCodeParser::parseBlock):
3106         * dfg/DFGFixupPhase.cpp:
3107         (JSC::DFG::FixupPhase::fixupNode):
3108         * dfg/DFGGraph.cpp:
3109         (JSC::DFG::Graph::Graph):
3110         (JSC::DFG::Graph::~Graph):
3111         * dfg/DFGJITCompiler.h:
3112         (JSC::DFG::JITCompiler::addCallSite):
3113         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
3114         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
3115         * dfg/DFGSpeculativeJIT32_64.cpp:
3116         (JSC::DFG::SpeculativeJIT::compile):
3117         * dfg/DFGSpeculativeJIT64.cpp:
3118         (JSC::DFG::SpeculativeJIT::compile):
3119         * ftl/FTLAbstractHeapRepository.h:
3120         * ftl/FTLLowerDFGToB3.cpp:
3121         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
3122         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
3123         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3124         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3125         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3126         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
3127         * inspector/InjectedScriptSource.js:
3128         (InjectedScript.CallFrameProxy):
3129         * inspector/JSJavaScriptCallFrame.cpp:
3130         (Inspector::JSJavaScriptCallFrame::thisObject):
3131         (Inspector::JSJavaScriptCallFrame::isTailDeleted):
3132         (Inspector::JSJavaScriptCallFrame::type):
3133         * inspector/JSJavaScriptCallFrame.h:
3134         * inspector/JSJavaScriptCallFramePrototype.cpp:
3135         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
3136         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
3137         (Inspector::jsJavaScriptCallFrameAttributeType):
3138         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
3139         * inspector/JavaScriptCallFrame.h:
3140         (Inspector::JavaScriptCallFrame::type):
3141         (Inspector::JavaScriptCallFrame::scopeChain):
3142         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
3143         (Inspector::JavaScriptCallFrame::isTailDeleted):
3144         (Inspector::JavaScriptCallFrame::thisValue):
3145         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
3146         * inspector/ScriptDebugServer.cpp:
3147         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3148         * inspector/protocol/Debugger.json:
3149         * interpreter/ShadowChicken.cpp:
3150         (JSC::ShadowChicken::update):
3151         (JSC::ShadowChicken::visitChildren):
3152         (JSC::ShadowChicken::reset):
3153         * interpreter/ShadowChicken.h:
3154         (JSC::ShadowChicken::Packet::throwMarker):
3155         (JSC::ShadowChicken::Packet::prologue):
3156         (JSC::ShadowChicken::Packet::tail):
3157         (JSC::ShadowChicken::Frame::Frame):
3158         (JSC::ShadowChicken::Frame::operator==):
3159         * jit/CCallHelpers.cpp:
3160         (JSC::CCallHelpers::logShadowChickenProloguePacket):
3161         (JSC::CCallHelpers::logShadowChickenTailPacket):
3162         (JSC::CCallHelpers::ensureShadowChickenPacket):
3163         (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
3164         * jit/CCallHelpers.h:
3165         * jit/JITOpcodes.cpp:
3166         (JSC::JIT::emit_op_profile_type):
3167         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3168         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3169         (JSC::JIT::emit_op_get_enumerable_length):
3170         (JSC::JIT::emit_op_resume):
3171         * jit/JITOpcodes32_64.cpp:
3172         (JSC::JIT::emit_op_profile_type):
3173         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3174         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3175         * jit/RegisterSet.cpp:
3176         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
3177         (JSC::RegisterSet::argumentGPRS):
3178         (JSC::RegisterSet::registersToNotSaveForJSCall):
3179         * jit/RegisterSet.h:
3180         * llint/LLIntData.cpp:
3181         (JSC::LLInt::Data::performAssertions):
3182         * llint/LLIntSlowPaths.cpp:
3183         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3184         * llint/LowLevelInterpreter.asm:
3185         * llint/LowLevelInterpreter32_64.asm:
3186         * llint/LowLevelInterpreter64.asm:
3187         * runtime/CodeCache.cpp:
3188         (JSC::CodeCache::getGlobalCodeBlock):
3189         * runtime/Options.h:
3190         * tests/stress/shadow-chicken-enabled.js:
3191         (test5a.foo):
3192         (test5a):
3193         (test5b.foo):
3194         (test5b):
3195         (test6.foo):
3196         (test6):
3197
3198 2016-05-16  Saam barati  <sbarati@apple.com>
3199
3200         TypeSet/StructureShape have a flawed sense of JS prototype chains
3201         https://bugs.webkit.org/show_bug.cgi?id=157760
3202
3203         Reviewed by Joseph Pecoraro.
3204
3205         There was an assumption that we would bottom out in "Object". This is
3206         not true for many reasons. JS objects may not end in Object.prototype.
3207         Also, our mechanism of grabbing an Object's class name may also not
3208         bottom out in "Object". We were seeing this in the JS objects we use
3209         in the InjectedScriptSource.js inspector script.
3210
3211         * runtime/TypeSet.cpp:
3212         (JSC::StructureShape::leastCommonAncestor):
3213         * tests/typeProfiler/weird-prototype-chain.js: Added.
3214         (wrapper.foo):
3215         (wrapper.let.o2):
3216         (wrapper):
3217
3218 2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>
3219
3220         Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
3221
3222         * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3223         (JSStartProfiling):
3224         (JSEndProfiling):
3225         * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3226         * CMakeLists.txt:
3227         * JavaScriptCore.xcodeproj/project.pbxproj:
3228         * bytecode/BytecodeList.json:
3229         * bytecode/BytecodeUseDef.h:
3230         (JSC::computeUsesForBytecodeOffset):
3231         (JSC::computeDefsForBytecodeOffset):
3232         * bytecode/CodeBlock.cpp:
3233         (JSC::CodeBlock::dumpBytecode):
3234         * bytecode/UnlinkedFunctionExecutable.cpp:
3235         (JSC::generateUnlinkedFunctionCodeBlock):
3236         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3237         * bytecode/UnlinkedFunctionExecutable.h:
3238         * bytecompiler/BytecodeGenerator.cpp:
3239         (JSC::BytecodeGenerator::BytecodeGenerator):
3240         (JSC::BytecodeGenerator::emitCall):
3241         (JSC::BytecodeGenerator::emitCallVarargs):
3242         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3243         (JSC::BytecodeGenerator::emitConstructVarargs):
3244         (JSC::BytecodeGenerator::emitConstruct):
3245         * bytecompiler/BytecodeGenerator.h:
3246         (JSC::CallArguments::profileHookRegister):
3247         (JSC::BytecodeGenerator::shouldEmitProfileHooks):
3248         * bytecompiler/NodesCodegen.cpp:
3249         (JSC::CallArguments::CallArguments):
3250         (JSC::CallFunctionCallDotNode::emitBytecode):
3251         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3252         * dfg/DFGAbstractInterpreterInlines.h:
3253         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3254         * dfg/DFGByteCodeParser.cpp:
3255         (JSC::DFG::ByteCodeParser::parseBlock):
3256         * dfg/DFGCapabilities.cpp:
3257         (JSC::DFG::capabilityLevel):
3258         * dfg/DFGClobberize.h:
3259         (JSC::DFG::clobberize):
3260         * dfg/DFGDoesGC.cpp:
3261         (JSC::DFG::doesGC):
3262         * dfg/DFGFixupPhase.cpp:
3263         (JSC::DFG::FixupPhase::fixupNode):
3264         * dfg/DFGNodeType.h:
3265         * dfg/DFGPredictionPropagationPhase.cpp:
3266         * dfg/DFGSafeToExecute.h:
3267         (JSC::DFG::safeToExecute):
3268         * dfg/DFGSpeculativeJIT32_64.cpp:
3269         (JSC::DFG::SpeculativeJIT::compile):
3270         * dfg/DFGSpeculativeJIT64.cpp:
3271         (JSC::DFG::SpeculativeJIT::compile):
3272         * inspector/InjectedScriptBase.cpp:
3273         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
3274         * inspector/protocol/Timeline.json:
3275         * interpreter/Interpreter.cpp:
3276         (JSC::UnwindFunctor::operator()):
3277         (JSC::Interpreter::execute):
3278         (JSC::Interpreter::executeCall):
3279         (JSC::Interpreter::executeConstruct):
3280         * jit/JIT.cpp:
3281         (JSC::JIT::privateCompileMainPass):
3282         * jit/JIT.h:
3283         * jit/JITOpcodes.cpp:
3284         (JSC::JIT::emit_op_profile_will_call):
3285         (JSC::JIT::emit_op_profile_did_call):
3286         * jit/JITOpcodes32_64.cpp:
3287         (JSC::JIT::emit_op_profile_will_call):
3288         (JSC::JIT::emit_op_profile_did_call):
3289         * jit/JITOperations.cpp:
3290         * jit/JITOperations.h:
3291         * jsc.cpp:
3292         * llint/LLIntSlowPaths.cpp:
3293         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3294         * llint/LLIntSlowPaths.h:
3295         * llint/LowLevelInterpreter.asm:
3296         * parser/ParserModes.h:
3297         * profiler/CallIdentifier.h: Added.
3298         (JSC::CallIdentifier::CallIdentifier):
3299         (JSC::CallIdentifier::functionName):
3300         (JSC::CallIdentifier::url):
3301         (JSC::CallIdentifier::lineNumber):
3302         (JSC::CallIdentifier::columnNumber):
3303         (JSC::CallIdentifier::operator==):
3304         (JSC::CallIdentifier::operator!=):
3305         (JSC::CallIdentifier::Hash::hash):
3306         (JSC::CallIdentifier::Hash::equal):
3307         (JSC::CallIdentifier::hash):
3308         (JSC::CallIdentifier::operator const char*):
3309         (JSC::CallIdentifier::c_str):
3310         (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
3311         (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
3312         * profiler/LegacyProfiler.cpp: Added.
3313         (JSC::LegacyProfiler::profiler):
3314         (JSC::LegacyProfiler::startProfiling):
3315         (JSC::LegacyProfiler::stopProfiling):
3316         (JSC::callFunctionForProfilesWithGroup):
3317         (JSC::LegacyProfiler::suspendProfiling):
3318         (JSC::LegacyProfiler::unsuspendProfiling):
3319         (JSC::LegacyProfiler::willExecute):
3320         (JSC::LegacyProfiler::didExecute):
3321         (JSC::LegacyProfiler::exceptionUnwind):
3322         (JSC::LegacyProfiler::createCallIdentifier):
3323         (JSC::createCallIdentifierFromFunctionImp):
3324         * profiler/LegacyProfiler.h: Added.
3325         (JSC::LegacyProfiler::currentProfiles):
3326         * profiler/Profile.cpp: Added.
3327         (JSC::Profile::create):
3328         (JSC::Profile::Profile):
3329         (JSC::Profile::~Profile):
3330         (JSC::Profile::debugPrint):
3331         (JSC::functionNameCountPairComparator):
3332         (JSC::Profile::debugPrintSampleStyle):
3333         * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3334         * profiler/ProfileGenerator.cpp: Added.
3335         (JSC::ProfileGenerator::create):