Make @Array(size) a bytecode intrinsic
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-18  Saam Barati  <sbarati@apple.com>

        Make @Array(size) a bytecode intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=160867

        Reviewed by Mark Lam.

        There were a few places in the code where we were emitting `@Array(size)`
        or `new @Array(size)`. Since we have a bytecode operation that already
        represents this, called new_array_with_size, it's faster to just make a
        bytecode intrinsic for this operation. This patch does that and
        the intrinsic is called `@newArrayWithSize`. This might be around a
        1% speedup on ES6 sample bench, but it's within the noise. This is just
        a good bytecode operation to have because it's common enough to
        create arrays and it's good to make that fast in all tiers.

        * builtins/ArrayConstructor.js:
        (of):
        (from):
        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (sort.stringSort):
        (sort):
        (concatSlowPath):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize):

2016-08-18  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>

        [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
        https://bugs.webkit.org/show_bug.cgi?id=156096

        Reviewed by Dean Jackson.

        Adds:
        - Animatable interface and implementation of getAnimations in Element.
        - Interface and implementation for Document getAnimations method.
        - AnimationEffect interface and class stub.
        - KeyframeEffect interface and constructor implementation.
        - 'Animation' interface, constructor and query methods for effect and timeline.
        - Remove runtime condition on Web animation interfaces (compile time flag is specified).

        * runtime/CommonIdentifiers.h:

2016-08-17  Keith Miller  <keith_miller@apple.com>

        Add WASM support for i64 simple opcodes.
        https://bugs.webkit.org/show_bug.cgi?id=160928

        Reviewed by Michael Saboff.

        This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::unaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-17  JF Bastien  <jfbastien@apple.com>

        We allow assignments to const variables when in a for-in/for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=156673

        Reviewed by Filip Pizlo.

        for-in and for-of weren't checking whether iteration variables from
        parent scopes were const. Assigning to such variables should
        throw, but used not to.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
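
The behaviour this entry describes, as an added example that is not part of the WebKit patch: each case below assigns to a binding from an enclosing scope from a for-in/for-of head, and the const cases must raise a TypeError on the first iteration. The helper `outcome` and the case functions are names chosen here.

```javascript
// Added example, not code from the WebKit patch: the observable behaviour the fix
// restores. Assigning to a const binding throws a TypeError at the point of assignment
// (strict or sloppy code alike), and a for-in/for-of head that names an outer const
// assigns to it on every iteration, so the first iteration must throw.

// Runs fn and reports either 'completed' or the name of the error class it threw.
function outcome(fn) {
  try {
    fn();
    return 'completed';
  } catch (e) {
    return e.constructor.name;
  }
}

// The iteration variable is a const from the parent scope; for-of assigns to it.
function forOfOuterConst() {
  const item = null;
  return outcome(() => { for (item of [1, 2, 3]) { /* body never runs */ } });
}

// Same with for-in: the property key is assigned to the outer const.
function forInOuterConst() {
  const key = null;
  return outcome(() => { for (key in { a: 1, b: 2 }) { /* body never runs */ } });
}

// Nothing is iterated, so no assignment happens and no error is raised even for a const.
function forOfOuterConstEmpty() {
  const item = null;
  return outcome(() => { for (item of []) { } });
}

// Control: a let in the parent scope is legitimately reassigned on every iteration.
function forOfOuterLet() {
  let last = null;
  const result = outcome(() => { for (last of [1, 2, 3]) { } });
  return result + ':' + last;
}

// Control: `for (const v of ...)` creates a fresh binding per iteration, which is allowed.
function forOfLocalConst() {
  let sum = 0;
  const result = outcome(() => { for (const v of [1, 2, 3]) { sum += v; } });
  return result + ':' + sum;
}

console.log(forOfOuterConst(), forInOuterConst(), forOfOuterConstEmpty(),
            forOfOuterLet(), forOfLocalConst());
```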
78
2016-08-17  Geoffrey Garen  <ggaren@apple.com>

        Fixed a potential bug in MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=160948
        <rdar://problem/27889416>

        Reviewed by Oliver Hunt.

        I haven't been able to produce an observable test case after some trying.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
        this out from existing code for clarity, but the behavior is the same.

        (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.

        (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
        path. This is faster than the old linear scan, and I think it might
        avoid cases the old scan could miss.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::append): Account for the case where someone
        has called clear() or removeLast().

        (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
        clearer to test the buffers directly instead of inferring what they
        might be based on capacity.

2016-08-17  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in the DFG backend's GetById emitter.
        https://bugs.webkit.org/show_bug.cgi?id=160925
        <rdar://problem/27248961>

        Reviewed by Filip Pizlo.

        The DFG backend's GetById assertion that the node's prediction not be SpecNone
        is just plain wrong.  It assumes that we can never have a GetById node without a
        type prediction, but this is not true.  The following test case proves otherwise:

            function foo() {
                "use strict";
                return --arguments["callee"];
            }

        Will remove the assertion.  Nothing else needs to change as the DFG is working
        correctly without the assertion.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-08-16  Mark Lam  <mark.lam@apple.com>

        Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
        https://bugs.webkit.org/show_bug.cgi?id=160917

        Reviewed by Filip Pizlo.

        If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
        RELEASE_ASSERT failure:

            $ JSC_useImmortalObjects=true jsc
            >>> gc()
            Trace/BPT trap: 5

        This is because Heap::collectAllGarbage() is doing an explicit sweep of the
        MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
        make objects immortal by retiring their blocks.  As a result, there is a mismatch
        in expectancy.

        The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2016-08-16  Keith Miller  <keith_miller@apple.com>

        Add WASM I32 simple operators.
        https://bugs.webkit.org/show_bug.cgi?id=160914

        Reviewed by Benjamin Poulain.

        This patch adds support for the i32 simple binary operators.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::binaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Conversion to sequence<T> is broken for iterable objects
        https://bugs.webkit.org/show_bug.cgi?id=160801

        Reviewed by Darin Adler.

        Export functions used to iterate over iterable objects.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
        https://bugs.webkit.org/show_bug.cgi?id=160881

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        We were trying to set the result of the Identity node to the same
        value as the source of the Identity.
        That is pretty messed up.

2016-08-15  Saam Barati  <sbarati@apple.com>

        Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
        https://bugs.webkit.org/show_bug.cgi?id=160750
        <rdar://problem/27793469>

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2016-08-15  Saam Barati  <sbarati@apple.com>

        Array.prototype.map builtin should go on the fast path when constructor===@Array
        https://bugs.webkit.org/show_bug.cgi?id=160836

        Reviewed by Keith Miller.

        In the FTL, we were not compiling the result array in Array.prototype.map
        efficiently when the result array should use the Array constructor
        (which is the common case). We used to compile it as:
        x: JSConstant(Array)
        y: Construct(@x, ...)
        instead of
        y: NewArrayWithSize(...)

        This patch changes the builtin to go down the fast path when certain
        conditions are met. Often, the check to go down the fast path will
        be constant folded because we always create a normal array from the
        Array constructor.

        This is around a 5% speedup on ES6 Sample Bench.

        I also made similar changes for Array.prototype.filter
        and Array.prototype.concat on its slow path.

        * builtins/ArrayPrototype.js:

2016-08-15  Mark Lam  <mark.lam@apple.com>

        Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
        https://bugs.webkit.org/show_bug.cgi?id=160832
        <rdar://problem/27577556>

        Reviewed by Geoffrey Garen.

        Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
        access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
        result, we'll crash with null pointer dereferences.

        We can fix this by introducing a JSString::equal() method that will do the
        equality comparison, but is aware of the potential failures to resolve ropes.
        JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
        instead of accessing the underlying StringImpl directly.

        Also added some exception checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase):
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::equal):

2016-08-15  Keith Miller  <keith_miller@apple.com>

        Implement WASM Parser and B3 IR generator
        https://bugs.webkit.org/show_bug.cgi?id=160681

        Reviewed by Benjamin Poulain.

        This patch adds the skeleton for a WebAssembly pipeline. The
        pipeline is designed in order to make it easy to have as much of
        the compilation process threaded as possible. The flow of the
        pipeline roughly goes as follows:

        1) Create a WASMPlan with the VM and a Vector of the
        assembly. Currently the plan will process all the work
        synchronously, however, in the future this can be offloaded to
        other threads.

        2) The plan will run the WASMModuleParser, which collates all the
        information needed to compile each module function
        independently. Since we are still in the early phases, the only
        information is the starting and ending byte of the function's
        body. The module parser, however, still scans both and
        semi-validates the type and the function sections.

        3) Each function is decoded and compiled. In the future this
        should also include an opcode validation phase. The
        WASMFunctionParser is templatized so that a validator should be
        able to use most of the same code the B3 IR generator does.

        4) When the plan has finished it will fill a Vector of
        B3::Compilation objects that correspond to the respective function
        in the WASM module.

        The current testing plan for the modules is to inline the
        binary generated by the spec's OCaml prototype. The inlined binary
        is passed to a WASMPlan then invoked to check the result of the
        function. In the future we should add a more robust testing
        infrastructure.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        (invoke):
        (runWASMTests):
        (main):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::globalVariableTypes):
        * wasm/WASMB3IRGenerator.cpp: Added.
        (JSC::WASM::B3IRGenerator::B3IRGenerator):
        (JSC::WASM::B3IRGenerator::addLocal):
        (JSC::WASM::B3IRGenerator::binaryOp):
        (JSC::WASM::B3IRGenerator::addConstant):
        (JSC::WASM::B3IRGenerator::addBlock):
        (JSC::WASM::B3IRGenerator::endBlock):
        (JSC::WASM::B3IRGenerator::addReturn):
        (JSC::WASM::B3IRGenerator::unify):
        (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
        (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
        (JSC::WASM::B3IRGenerator::stackForControlLevel):
        (JSC::WASM::B3IRGenerator::blockForControlLevel):
        (JSC::WASM::parseAndCompile):
        * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h: Added.
        (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
        (JSC::WASM::WASMFunctionParser<Context>::parse):
        (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASM::WASMModuleParser::parse):
        (JSC::WASM::WASMModuleParser::parseFunctionTypes):
        (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
        (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
        * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMModuleParser::WASMModuleParser):
        (JSC::WASM::WASMModuleParser::functionInformation):
        * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMParser.h: Added.
        (JSC::WASM::WASMParser::parseVarUInt32):
        (JSC::WASM::WASMParser::WASMParser):
        (JSC::WASM::WASMParser::consumeCharacter):
        (JSC::WASM::WASMParser::consumeString):
        (JSC::WASM::WASMParser::parseUInt32):
        (JSC::WASM::WASMParser::parseUInt7):
        (JSC::WASM::WASMParser::parseVarUInt1):
        (JSC::WASM::WASMParser::parseValueType):
        * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::Plan::Plan):
        * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::lookup):
        * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::validateOrder):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3 Neg opcode should support float
        https://bugs.webkit.org/show_bug.cgi?id=160795

        Reviewed by Geoffrey Garen.

        This is required to implement WASM f32.neg opcode.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::negateFloat):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testNegDouble):
        (JSC::B3::testNegFloat):
        (JSC::B3::testNegFloatWithUselessDoubleConversion):
        (JSC::B3::run):

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Use #pragma once in inspector headers
        https://bugs.webkit.org/show_bug.cgi?id=160861

        Reviewed by Mark Lam.

        * inspector/*.h:

2016-08-15  Daniel Bates  <dabates@apple.com>

        Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
        private frameworks and libraries
        https://bugs.webkit.org/show_bug.cgi?id=155931
        <rdar://problem/25807989>

        Reviewed by Dan Bernstein.

        Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
        where X is the major version of the active iOS SDK.

        * Configurations/Base.xcconfig:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce includes of Debugger.h
        https://bugs.webkit.org/show_bug.cgi?id=160827

        Reviewed by Mark Lam.

        * API/JSTypedArray.cpp:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLJITCode.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/SamplingProfiler.cpp:
        * runtime/SamplingProfiler.h:
        * runtime/VMEntryScope.cpp:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused includes of wtf headers
        https://bugs.webkit.org/show_bug.cgi?id=160839

        Reviewed by Alex Christensen.

        * Lots of files.

2016-08-13  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=160803

        Reviewed by Brent Fulgham.

        Initialize local variables.

        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):

2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>

        Remove always true JSC::Debugger::needPauseHandling virtual method
        https://bugs.webkit.org/show_bug.cgi?id=160822

        Reviewed by Mark Lam.

        All subclasses return true for this method. Just remove the method.

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * inspector/ScriptDebugServer.h:

2016-08-12  Saam Barati  <sbarati@apple.com>

        Inline store loop for CopyRest in DFG and FTL for certain array modes
        https://bugs.webkit.org/show_bug.cgi?id=159612

        Reviewed by Filip Pizlo.

        This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
        The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
        This allows the bytecode to be in control of what type of indexingType the array is allocated
        with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
        This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
        JIT will fast allocate the array and its storage, and we will do a memmove from the rest
        region of arguments into the array's storage.

        I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
        on micro benchmarks that just test rest creation speed.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitRestParameter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
        (JSC::DFG::Graph::compilation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::numberOfArgumentsToSkip):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileGetRestLength):
        (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::addressOfArgumentsStart):
        (JSC::ExecState::argument):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_argument_count):
        (JSC::JIT::emit_op_create_rest):
        (JSC::JIT::emit_op_copy_rest): Deleted.
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>

        Add a helper class for enumerating elements in an iterable object
        https://bugs.webkit.org/show_bug.cgi?id=160800

        Reviewed by Benjamin Poulain.

        Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
        and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.

        Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.

        * runtime/IteratorOperations.cpp:
        (JSC::iteratorForIterable): Added.
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable): Added.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):

2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused includes of RefCountedLeakCounter.h
        https://bugs.webkit.org/show_bug.cgi?id=160817

        Reviewed by Mark Lam.

        * parser/Nodes.cpp:
        * runtime/Structure.cpp:

2016-08-12  Pranjal Jumde  <pjumde@apple.com>

        ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
        https://bugs.webkit.org/show_bug.cgi?id=160535
        <rdar://problem/27328151>

        Reviewed by Saam Barati.

        lineNumber from the savePoint was not being restored before calling next(), causing a
        discrepancy in the offset and line for the token.

        * parser/Parser.h:
        (JSC::Parser::restoreLexerState):

2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES2016] Implement Object.entries
        https://bugs.webkit.org/show_bug.cgi?id=160412

        Reviewed by Saam Barati.

        This patch adds an entries function to Object that returns a list of
        key+value pairs. The patch was done according to the spec:
        https://tc39.github.io/ecma262/#sec-object.entries

        * builtins/ObjectConstructor.js:
        (globalPrivate.enumerableOwnProperties):
        (entries):
        * runtime/ObjectConstructor.cpp:
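
The EnumerableOwnProperties algorithm this entry implements, written out in plain JavaScript as an added example (not the builtin from the WebKit patch): it shows why the own-property descriptor has to be re-read per key rather than collected up front. The function names `enumerableOwnProperties` and `objectEntries`, and the sample object built by `sampleObject`, are chosen here for the demonstration.

```javascript
// Added example, not code from the WebKit patch: a plain-JavaScript version of the
// spec's EnumerableOwnProperties(O, kind) and of Object.entries on top of it, to make
// the order of operations the algorithm mandates visible.
'use strict';

// kind is 'key', 'value' or 'key+value' (Object.keys / Object.values / Object.entries).
function enumerableOwnProperties(O, kind) {
  // ToObject(O) throws for null and undefined; note Object(null) would silently give {}.
  if (O === null || O === undefined) {
    throw new TypeError('Cannot convert undefined or null to object');
  }
  const obj = Object(O);
  // [[OwnPropertyKeys]]: integer-like keys ascending, then strings, then symbols, in creation order.
  const ownKeys = Reflect.ownKeys(obj);
  const result = [];
  for (const key of ownKeys) {
    if (typeof key !== 'string') continue;          // symbol keys are never reported
    // The descriptor is looked up per key, immediately before use: a getter that ran for an
    // earlier key may already have deleted, or made non-enumerable, the one we are looking at.
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined || !desc.enumerable) continue;
    if (kind === 'key') {
      result.push(key);
    } else {
      const value = obj[key];                        // Get(obj, key): observable, may run a getter
      result.push(kind === 'value' ? value : [key, value]);
    }
  }
  return result;
}

function objectEntries(O) {
  return enumerableOwnProperties(O, 'key+value');
}

// Constructed sample object (not from the page): an accessor whose getter deletes a later
// sibling, a non-enumerable property, a symbol-keyed property and an inherited property.
function sampleObject() {
  const o = Object.create({ inherited: 'not own, so never reported' });
  Object.defineProperty(o, 'a', { enumerable: true, get() { delete this.b; return 1; } });
  o.b = 2;
  Object.defineProperty(o, 'hidden', { enumerable: false, value: 3 });
  o[Symbol('s')] = 4;
  return o;
}

// Object.keys never calls getters, so 'b' survives; Object.entries does, so 'b' is gone.
console.log(enumerableOwnProperties(sampleObject(), 'key'));    // [ 'a', 'b' ]
console.log(objectEntries(sampleObject()));                     // [ [ 'a', 1 ] ]
// Integer-like keys come first regardless of insertion order; primitives are boxed by ToObject.
console.log(objectEntries({ b: 1, 2: 'two', a: 3, 1: 'one' })); // [['1','one'],['2','two'],['b',1],['a',3]]
console.log(objectEntries('hi'));                               // [ [ '0', 'h' ], [ '1', 'i' ] ]
```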
641
2016-08-11  Mark Lam  <mark.lam@apple.com>

        OverridesHasInstance should not branch across register allocations.
        https://bugs.webkit.org/show_bug.cgi?id=160792
        <rdar://problem/27361778>

        Reviewed by Benjamin Poulain.

        The OverrideHasInstance node has a branch test that is emitted conditionally.
        It also has a bug where it allocated a register after this branch, which is not
        allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
        From the ChangeLog for r145931:

        "This [assertion that register allocations are not branched around] protects
        against the case where an allocation could have spilled register contents to free
        up a register and that spill only occurs on one path of many through the code.
        A subsequent fill of the spilled register may load garbage."

        Because the branch isn't always emitted, this bug has gone unnoticed until now.
        This patch fixes this issue by pre-allocating the registers before emitting the
        branch in OverrideHasInstance.

        Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
        is doing it right.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-08-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Make B3 Return opcode work without arguments
        https://bugs.webkit.org/show_bug.cgi?id=160787

        Reviewed by Keith Miller.

        We need a way to create functions that do not return values.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::retVoid):
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::appendNewControlValue):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Validate.cpp:
        * b3/B3Value.h:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testReturnVoid):
        (JSC::B3::run):

2016-08-11  Mark Lam  <mark.lam@apple.com>

        Gardening: fix gcc builds after r204387.

        Not reviewed.

        Apparently, gcc is not sophisticated enough to realize that the end of the
        function is unreachable, and is wrongly complaining about "control reaches end of
        non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
        statement at the end of MarkedBlock::sweepHelper() to appease gcc.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):

2016-08-11  Alex Christensen  <achristensen@webkit.org>

        Use StringBuilder::appendLiteral when possible don't append result of makeString
        https://bugs.webkit.org/show_bug.cgi?id=160772

        Reviewed by Sam Weinig.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testExecutionTimeLimit):
        * API/tests/PingPongStackOverflowTest.cpp:
        (PingPongStackOverflowObject_hasInstance):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::toString):
        (JSC::RestParameterNode::toString):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::sanitizedToString):
        * runtime/Options.cpp:
        (JSC::Options::dumpOption):

2016-08-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Revert most of r203808
        https://bugs.webkit.org/show_bug.cgi?id=160784

        Reviewed by Geoffrey Garen.

        Switching to fastMalloc() caused regressions on Jetstream and Octane
        on MacBook Air. I was able to get back some of it in the following
        patches but the tests that never go to FTL are still regressed.

        This patch reverts r203808 except for the node index.
        Nodes are allocated with the custom allocator like before but they are
        now also kept in a table, addressed by the node index.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3SparseCollection.h:
        (JSC::B3::SparseCollection::packIndices): Deleted.
        * dfg/DFGAllocator.h: Added.
        (JSC::DFG::Allocator::Region::size):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::data):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::Allocator::Region::regionFor):
        (JSC::DFG::Allocator<T>::Allocator):
        (JSC::DFG::Allocator<T>::~Allocator):
        (JSC::DFG::Allocator<T>::allocate):
        (JSC::DFG::Allocator<T>::free):
        (JSC::DFG::Allocator<T>::freeAll):
        (JSC::DFG::Allocator<T>::reset):
        (JSC::DFG::Allocator<T>::indexOf):
        (JSC::DFG::Allocator<T>::allocatorOf):
        (JSC::DFG::Allocator<T>::bumpAllocate):
        (JSC::DFG::Allocator<T>::freeListAllocate):
        (JSC::DFG::Allocator<T>::allocateSlow):
        (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
        (JSC::DFG::Allocator<T>::startBumpingIn):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        (JSC::DFG::Graph::addNodeToMapByIndex):
        (JSC::DFG::Graph::deleteNode):
        (JSC::DFG::Graph::packNodeIndices):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addNode):
        (JSC::DFG::Graph::maxNodeCount):
        (JSC::DFG::Graph::nodeAt):
        * dfg/DFGLongLivedState.cpp: Added.
        (JSC::DFG::LongLivedState::LongLivedState):
        (JSC::DFG::LongLivedState::~LongLivedState):
        (JSC::DFG::LongLivedState::shrinkToFit):
        * dfg/DFGLongLivedState.h: Added.
        * dfg/DFGNode.h:
        * dfg/DFGNodeAllocator.h: Added.
        (operator new ):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::runThread):
790         * runtime/VM.cpp:
791         (JSC::VM::VM):
792         * runtime/VM.h:
793
794 2016-08-11  Mark Lam  <mark.lam@apple.com>
795
796         The jsc shell's Element host constructor should throw if it fails to construct an object.
797         https://bugs.webkit.org/show_bug.cgi?id=160773
798         <rdar://problem/27328608>
799
800         Reviewed by Saam Barati.
801
802         The Element object is a test object provided in the jsc shell for testing use only.
803         JavaScriptCore expects host constructors to either throw an error or return a
804         constructed object.  Element has a host constructor that did not obey this contract.
805         As a result, the following statement will fail a RELEASE_ASSERT:
806
807             new (Element.bind())
808
809         This is now fixed.
810
811         * jsc.cpp:
812         (functionCreateElement):
813
814 2016-08-11  Mark Lam  <mark.lam@apple.com>
815
816         Disallow synchronous sweeping for eden GCs.
817         https://bugs.webkit.org/show_bug.cgi?id=160716
818
819         Reviewed by Geoffrey Garen.
820
821         * heap/Heap.cpp:
822         (JSC::Heap::collectAllGarbage):
823         (JSC::Heap::collectAndSweep): Deleted.
824         * heap/Heap.h:
825         (JSC::Heap::collectAllGarbage): Deleted.
826         - No need for a separate collectAndSweep() anymore since we only call it for
827           FullCollections.
828         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
829           IncrementalSweeper can bail earlier when it runs later.
830
831         * heap/MarkedBlock.cpp:
832         (JSC::MarkedBlock::sweepHelper):
833         - Removed the unreachable return statement.
834
835         * heap/MarkedBlock.h:
836         - Document what "Retired" means.
837
838         * tools/JSDollarVMPrototype.cpp:
839         (JSC::JSDollarVMPrototype::edenGC):
840
841 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
842
843         [Win] Warning fix.
844         https://bugs.webkit.org/show_bug.cgi?id=160734
845
846         Reviewed by Sam Weinig.
847
848         Add static cast from int to uint32_t.
849
850         * bytecode/ArithProfile.h:
851
852 2016-08-10  Michael Saboff  <msaboff@apple.com>
853
854         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
855         https://bugs.webkit.org/show_bug.cgi?id=160749
856
857         Reviewed by Filip Pizlo.
858
859         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
860         emitPutByValWithCachedId() without linking the exception checks created by the
861         code emitted.  This manifested itself in various ways depending on the processor.
862         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
863         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
864         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
865         an absolute address of 0.
866
867         Now we save the exception handler address for the original generated function and
868         link the exception cases for these by-val stubs to this handler.
869
870         * bytecode/ByValInfo.h:
871         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
872         link to.
873
874         * jit/JIT.cpp:
875         (JSC::JIT::link): Compute the linked exception handler address and pass it to
876         the ByValInfo constructor.
877         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
878         exception handler if we have any by-val handlers.
879
880         * jit/JIT.h:
881         Added a label for the exception handler.  We'll link this later for the
882         by value handlers.
883
884         * jit/JITPropertyAccess.cpp:
885         (JSC::JIT::privateCompileGetByValWithCachedId):
886         (JSC::JIT::privateCompilePutByValWithCachedId):
887         Link exception branches to the exception handler for the main function.
888
889 2016-08-10  Mark Lam  <mark.lam@apple.com>
890
891         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
892         https://bugs.webkit.org/show_bug.cgi?id=160755
893         <rdar://problem/27488507>
894
895         Reviewed by Filip Pizlo.
896
897         If the DFG sees that an inlined function will result in an OSR exit every time,
898         it will treat all downstream blocks as dead.  However, it still needs to keep
899         locals that are alive in the bytecode alive for the compiled function so that
900         those locals are properly written to the stack by the OSR exit ramp.
901
902         The existing code neglected to do this.  This patch remedies this issue.
903
904         * dfg/DFGByteCodeParser.cpp:
905         (JSC::DFG::ByteCodeParser::flushDirect):
906         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
907         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
908         (JSC::DFG::ByteCodeParser::flushForTerminal):
909
910 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
911
912         [ES2016] Implement Object.values
913         https://bugs.webkit.org/show_bug.cgi?id=160410
914
915         Reviewed by Saam Barati, Yusuke Suzuki.
916
917         This patch adds a values function to Object that returns a list of the
918         own values of the object. The patch was done according to the spec:
919         http://tc39.github.io/ecma262/#sec-object.values
920
921         The patch also adds generic builtin intrinsic constants
922         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue
923         that are used in EnumerableOwnProperties to set the kind of operation
924         and replace the own IterationKind enums in the following iterators:
925         ArrayIterator, MapIterator, and SetIterator.
926
927         * JavaScriptCore.xcodeproj/project.pbxproj:
928         * builtins/ObjectConstructor.js:
929         (globalPrivate.enumerableOwnProperties):
930         (values):
931         * bytecode/BytecodeIntrinsicRegistry.cpp:
932         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
933         * bytecode/BytecodeIntrinsicRegistry.h:
934         * inspector/JSInjectedScriptHost.cpp:
935         (Inspector::JSInjectedScriptHost::getInternalProperties):
936         * runtime/ArrayIteratorPrototype.h:
937         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
938         * runtime/JSMapIterator.h:
939         (JSC::JSMapIterator::create):
940         (JSC::JSMapIterator::next):
941         (JSC::JSMapIterator::kind):
942         (JSC::JSMapIterator::JSMapIterator):
943         * runtime/JSSetIterator.h:
944         (JSC::JSSetIterator::create):
945         (JSC::JSSetIterator::next):
946         (JSC::JSSetIterator::kind):
947         (JSC::JSSetIterator::JSSetIterator):
948         * runtime/MapPrototype.cpp:
949         (JSC::mapProtoFuncValues):
950         (JSC::mapProtoFuncEntries):
951         (JSC::mapProtoFuncKeys):
952         (JSC::privateFuncMapIterator):
953         * runtime/ObjectConstructor.cpp:
954         * runtime/SetPrototype.cpp:
955         (JSC::setProtoFuncValues):
956         (JSC::setProtoFuncEntries):
957         (JSC::privateFuncSetIterator):
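
        Added example, not the builtin from this patch: a plain-JS rendering of the
        EnumerableOwnProperties(O, kind) abstract operation that Object.values is built on,
        parameterised by an iteration kind the way the entry above describes. The constant
        names mirror the @IterationKind* intrinsics; their numeric values, the helper names
        and the sample object are assumptions of this example, not the engine's.

```javascript
// Added example, not WebKit's builtin: EnumerableOwnProperties(O, kind) in
// plain JS. The numeric values of the three kind constants are an assumption
// of this example; only their names follow the intrinsics in the entry above.
const IterationKindKey = 0;
const IterationKindValue = 1;
const IterationKindKeyValue = 2;

function enumerableOwnProperties(object, kind) {
  // ToObject(O): null and undefined throw, other primitives are boxed.
  if (object === null || object === undefined)
    throw new TypeError("Object.values requires that input parameter not be null or undefined");
  const obj = Object(object);
  const properties = [];
  // [[OwnPropertyKeys]] order: integer keys ascending, then other strings in
  // creation order, then symbols. Only string keys take part.
  for (const key of Reflect.ownKeys(obj)) {
    if (typeof key !== "string") continue;
    // The descriptor is re-read for every key: a getter run for an earlier
    // key may have deleted this one or made it non-enumerable, and such a
    // key is skipped rather than reported with a stale value.
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined || !desc.enumerable) continue;
    if (kind === IterationKindKey) {
      properties.push(key);
      continue;
    }
    const value = obj[key]; // [[Get]]: runs accessors, so this step is observable
    properties.push(kind === IterationKindValue ? value : [key, value]);
  }
  return properties;
}

function objectKeys(object) { return enumerableOwnProperties(object, IterationKindKey); }
function objectValues(object) { return enumerableOwnProperties(object, IterationKindValue); }
function objectEntries(object) { return enumerableOwnProperties(object, IterationKindKeyValue); }

// Constructed sample: the getter for "a" deletes "b" while enumeration is in
// progress, so "b" must not appear in the output; the symbol-keyed and the
// non-enumerable property are excluded as well.
const sample = {
  get a() { delete this.b; return 1; },
  b: 2,
  c: 3,
  [Symbol("ignored")]: 4,
};
Object.defineProperty(sample, "hidden", { value: 5, enumerable: false });

console.log(objectValues(sample)); // [1, 3]
console.log(objectKeys("hi"));     // ["0", "1"]
```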
958
959 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
960
961         [JSC] Speed up SparseCollection & related maps
962         https://bugs.webkit.org/show_bug.cgi?id=160733
963
964         Reviewed by Saam Barati.
965
966         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
967         This is unfortunate.
968
969         The first improvement is to build the new unique_ptr in the empty slot
970         instead of moving a new value into it.
971
972         Previously, the code would load the previous value, test if it is null
973         then invoke the destructor and finally fastFree(). The initial test
974         obviously fails so that's a whole bunch of code that is never executed.
975
976         With the new code, we just have a store.
977
978         I also removed the bounds checking on our maps based on node index.
979         Those bounds checks are never eliminated by clang because the index
980         is always loaded from memory instead of being computed.
981         There are unfortunately too many nodes processed and the bounds checks
982         get costly.
983
984         * b3/B3SparseCollection.h:
985         (JSC::B3::SparseCollection::add):
986         * dfg/DFGGraph.h:
987         (JSC::DFG::Graph::abstractValuesCache):
988         * dfg/DFGInPlaceAbstractState.h:
989
990 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
991
992         [JSC] Remove some useless code I left when rewriting CSE's large maps
993         https://bugs.webkit.org/show_bug.cgi?id=160720
994
995         Reviewed by Michael Saboff.
996
997         * dfg/DFGCSEPhase.cpp:
998         The maps m_worldMap && m_sideStateMap are useless. They come from the previous
999         iteration that had weaker constraints.
1000
1001         Also move m_heapMap after m_fallbackStackMap since that is the order
1002         in which they are used in the algorithm.
1003
1004 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1005
1006         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
1007         https://bugs.webkit.org/show_bug.cgi?id=160708
1008
1009         Reviewed by Mark Lam.
1010
1011         * dfg/DFGAbstractInterpreter.h:
1012         * dfg/DFGAbstractInterpreterInlines.h:
1013         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
1014
1015 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
1016
1017         Sort the feature flags in the FEATURE_DEFINES lines
1018         https://bugs.webkit.org/show_bug.cgi?id=160742
1019
1020         Reviewed by Anders Carlsson.
1021
1022         * Configurations/FeatureDefines.xcconfig:
1023
1024 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1025
1026         [ES6] Add ModuleLoaderPrototype and move methods to it
1027         https://bugs.webkit.org/show_bug.cgi?id=160633
1028
1029         Reviewed by Saam Barati.
1030
1031         In the future, we need to add the ability to create the new Loader object (by users).
1032         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
1033         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
1034
1035         No behavior change.
1036
1037         * CMakeLists.txt:
1038         * DerivedSources.make:
1039         * JavaScriptCore.xcodeproj/project.pbxproj:
1040         * builtins/ModuleLoaderObject.js:
1041         (setStateToMax): Deleted.
1042         (newRegistryEntry): Deleted.
1043         (ensureRegistered): Deleted.
1044         (forceFulfillPromise): Deleted.
1045         (fulfillFetch): Deleted.
1046         (fulfillTranslate): Deleted.
1047         (fulfillInstantiate): Deleted.
1048         (commitInstantiated): Deleted.
1049         (instantiation): Deleted.
1050         (requestFetch): Deleted.
1051         (requestTranslate): Deleted.
1052         (requestInstantiate): Deleted.
1053         (requestResolveDependencies.): Deleted.
1054         (requestResolveDependencies): Deleted.
1055         (requestInstantiateAll): Deleted.
1056         (requestLink): Deleted.
1057         (requestReady): Deleted.
1058         (link): Deleted.
1059         (moduleEvaluation): Deleted.
1060         (provide): Deleted.
1061         (loadAndEvaluateModule): Deleted.
1062         (loadModule): Deleted.
1063         (linkAndEvaluateModule): Deleted.
1064         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1065         (setStateToMax):
1066         (newRegistryEntry):
1067         (ensureRegistered):
1068         (forceFulfillPromise):
1069         (fulfillFetch):
1070         (fulfillTranslate):
1071         (fulfillInstantiate):
1072         (commitInstantiated):
1073         (instantiation):
1074         (requestFetch):
1075         (requestTranslate):
1076         (requestInstantiate):
1077         (requestResolveDependencies.):
1078         (requestResolveDependencies):
1079         (requestInstantiateAll):
1080         (requestLink):
1081         (requestReady):
1082         (link):
1083         (moduleEvaluation):
1084         (provide):
1085         (loadAndEvaluateModule):
1086         (loadModule):
1087         (linkAndEvaluateModule):
1088         * bytecode/BytecodeIntrinsicRegistry.cpp:
1089         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1090         * jsc.cpp:
1091         (GlobalObject::moduleLoaderResolve):
1092         (GlobalObject::moduleLoaderFetch):
1093         * runtime/Completion.cpp:
1094         (JSC::loadAndEvaluateModule):
1095         (JSC::loadModule):
1096         * runtime/JSGlobalObject.cpp:
1097         (JSC::JSGlobalObject::init):
1098         (JSC::JSGlobalObject::visitChildren):
1099         * runtime/JSGlobalObject.h:
1100         (JSC::JSGlobalObject::moduleLoader):
1101         (JSC::JSGlobalObject::moduleLoaderStructure):
1102         * runtime/JSModuleLoader.cpp: Added.
1103         (JSC::JSModuleLoader::JSModuleLoader):
1104         (JSC::JSModuleLoader::finishCreation):
1105         (JSC::printableModuleKey):
1106         (JSC::JSModuleLoader::provide):
1107         (JSC::JSModuleLoader::loadAndEvaluateModule):
1108         (JSC::JSModuleLoader::loadModule):
1109         (JSC::JSModuleLoader::linkAndEvaluateModule):
1110         (JSC::JSModuleLoader::resolve):
1111         (JSC::JSModuleLoader::fetch):
1112         (JSC::JSModuleLoader::translate):
1113         (JSC::JSModuleLoader::instantiate):
1114         (JSC::JSModuleLoader::evaluate):
1115         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1116         (JSC::JSModuleLoader::create):
1117         (JSC::JSModuleLoader::createStructure):
1118         * runtime/JSModuleRecord.h:
1119         * runtime/ModuleLoaderObject.cpp: Removed.
1120         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1121         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1122         (JSC::printableModuleKey): Deleted.
1123         (JSC::ModuleLoaderObject::provide): Deleted.
1124         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1125         (JSC::ModuleLoaderObject::loadModule): Deleted.
1126         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1127         (JSC::ModuleLoaderObject::resolve): Deleted.
1128         (JSC::ModuleLoaderObject::fetch): Deleted.
1129         (JSC::ModuleLoaderObject::translate): Deleted.
1130         (JSC::ModuleLoaderObject::instantiate): Deleted.
1131         (JSC::ModuleLoaderObject::evaluate): Deleted.
1132         (JSC::moduleLoaderObjectParseModule): Deleted.
1133         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1134         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1135         (JSC::moduleLoaderObjectResolve): Deleted.
1136         (JSC::moduleLoaderObjectFetch): Deleted.
1137         (JSC::moduleLoaderObjectTranslate): Deleted.
1138         (JSC::moduleLoaderObjectInstantiate): Deleted.
1139         (JSC::moduleLoaderObjectEvaluate): Deleted.
1140         * runtime/ModuleLoaderObject.h:
1141         (JSC::ModuleLoaderObject::create): Deleted.
1142         (JSC::ModuleLoaderObject::createStructure): Deleted.
1143         * runtime/ModuleLoaderPrototype.cpp: Added.
1144         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1145         (JSC::moduleLoaderPrototypeParseModule):
1146         (JSC::moduleLoaderPrototypeRequestedModules):
1147         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1148         (JSC::moduleLoaderPrototypeResolve):
1149         (JSC::moduleLoaderPrototypeFetch):
1150         (JSC::moduleLoaderPrototypeTranslate):
1151         (JSC::moduleLoaderPrototypeInstantiate):
1152         (JSC::moduleLoaderPrototypeEvaluate):
1153         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1154         (JSC::ModuleLoaderPrototype::create):
1155         (JSC::ModuleLoaderPrototype::createStructure):
1156
1157 2016-08-09  Saam Barati  <sbarati@apple.com>
1158
1159         JSBoundFunction should lazily generate its name string
1160         https://bugs.webkit.org/show_bug.cgi?id=160678
1161         <rdar://problem/27043194>
1162
1163         Reviewed by Mark Lam.
1164
1165         We were eagerly allocating the BoundFunction's 'name' string
1166         by prepending the "bound " prefix. This patch makes the 'name'
1167         string creation lazy like we do with ordinary JSFunctions.
1168
1169         This is a 25% speedup on the microbenchmark I added that measures
1170         bound function creation speed. Hopefully this also helps us recover
1171         from a 1% Speedometer regression that was introduced in the original
1172         bound function "bound " prefixing patch.
1173
1174         * runtime/JSBoundFunction.cpp:
1175         (JSC::JSBoundFunction::create):
1176         (JSC::JSBoundFunction::JSBoundFunction):
1177         (JSC::JSBoundFunction::finishCreation):
1178         * runtime/JSBoundFunction.h:
1179         * runtime/JSFunction.cpp:
1180         (JSC::JSFunction::finishCreation):
1181         (JSC::JSFunction::getOwnPropertySlot):
1182         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1183         (JSC::JSFunction::put):
1184         (JSC::JSFunction::deleteProperty):
1185         (JSC::JSFunction::defineOwnProperty):
1186         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1187         (JSC::JSFunction::reifyBoundNameIfNeeded):
1188         * runtime/JSFunction.h:
1189
1190 2016-08-09  George Ruan  <gruan@apple.com>
1191
1192         Implement functionality of media capture on iOS
1193         https://bugs.webkit.org/show_bug.cgi?id=158945
1194         <rdar://problem/26893343>
1195
1196         Reviewed by Tim Horton.
1197
1198         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1199         for iOS.
1200
1201 2016-08-09  Saam Barati  <sbarati@apple.com>
1202
1203         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1204         https://bugs.webkit.org/show_bug.cgi?id=160671
1205         <rdar://problem/27756112>
1206
1207         Reviewed by Mark Lam.
1208
1209         There was a bug in our captured variable analysis when a function has a default
1210         parameter expression that is a function that captures something from the parent scope.
1211         The bug was that we were relying on the SourceProviderCache to succeed for the
1212         analysis to work. This is obviously wrong. I've fixed this to work regardless
1213         of getting a cache hit. To prevent future bugs that rely on the success of the
1214         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1215
1216         * parser/Parser.cpp:
1217         (JSC::Parser<LexerType>::parseFunctionInfo):
1218         * parser/Parser.h:
1219         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1220         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1221         (JSC::Scope::collectFreeVariables):
1222         * runtime/Options.h:
1223
1224 2016-08-08  Mark Lam  <mark.lam@apple.com>
1225
1226         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1227         https://bugs.webkit.org/show_bug.cgi?id=160666
1228
1229         Reviewed by Keith Miller.
1230
1231         This assertion is benign.  JSFinalObject::visitChildren() calls
1232         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1233         later passes it to visitor.appendValuesHidden() with a previously computed
1234         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1235         However, before we get there, JSObject::inlineStorage() will be asserting
1236         hasInlineStorage() and this assertion will fail when storageSize is 0.
1237
1238         We can fix this assertion failure by simply adding a storageSize check before
1239         calling hasInlineStorage() and visitor.appendValuesHidden().
1240
1241         * runtime/JSObject.cpp:
1242         (JSC::JSFinalObject::visitChildren):
1243
1244 2016-08-08  Brian Burg  <bburg@apple.com>
1245
1246         Web Inspector: clean up prefixing of Automation protocol generated files
1247         https://bugs.webkit.org/show_bug.cgi?id=160635
1248         <rdar://problem/27735327>
1249
1250         Reviewed by Timothy Hatcher.
1251
1252         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1253
1254         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1255         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1256
1257         * inspector/scripts/codegen/cpp_generator.py:
1258         (CppGenerator.protocol_name):
1259         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1260         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1261         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1262         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1263         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1264
1265         * inspector/scripts/codegen/models.py:
1266         * inspector/scripts/codegen/objc_generator.py:
1267         (ObjCGenerator.protocol_name):
1268
1269         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1270         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1271         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1272         * inspector/scripts/tests/expected/enum-values.json-result:
1273         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1274         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1275         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1276         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1277         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1278         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1279         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1280         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1281         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1282         Rebaseline test results.
1283
1284 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1285
1286         [ES6] Module namespace object should not allow unset IC
1287         https://bugs.webkit.org/show_bug.cgi?id=160553
1288
1289         Reviewed by Saam Barati.
1290
1291         Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
1292         the structure. We should disable inline caching onto the namespace object. Once it is needed, we should
1293         create the special caching for the namespace object like the following: it should be similar to monomorphic IC,
1294         but it caches the object itself instead of the structure. It checks the object itself (and in DFG, it should be
1295         CheckCell) and loads the value from the target module environment directly[1].
1296
1297         And this patch also sets setIsTaintedByProxy for the module namespace object to notify the caller that
1298         this object has an impure ::getOwnPropertySlot. This function is now renamed to setIsTaintedByOpaqueObject.
1299
1300         We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
1301         for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So as not to throw any
1302         errors for the ::HasProperty case, we used slot.setCustom to delay the observable operation.
1303         But this hack lacks support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
1304         However, the previous implementation does not throw an error since the delayed observable part (custom function part) is
1305         skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
1306         in test262.
1307
1308         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1309
1310         * jit/JITOperations.cpp:
1311         * runtime/ArrayPrototype.cpp:
1312         (JSC::getProperty):
1313         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1314         (JSC::constructGenericTypedArrayViewWithArguments):
1315         * runtime/JSModuleNamespaceObject.cpp:
1316         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1317         (JSC::callbackGetter): Deleted.
1318         * runtime/JSModuleNamespaceObject.h:
1319         * runtime/PropertySlot.cpp:
1320         (JSC::PropertySlot::getPureResult):
1321         * runtime/PropertySlot.h:
1322         (JSC::PropertySlot::PropertySlot):
1323         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1324         (JSC::PropertySlot::isTaintedByOpaqueObject):
1325         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1326         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1327         * runtime/ProxyObject.cpp:
1328         (JSC::ProxyObject::getOwnPropertySlotCommon):
1329
1330 2016-08-05  Keith Miller  <keith_miller@apple.com>
1331
1332         Add LEBDecoder and tests
1333         https://bugs.webkit.org/show_bug.cgi?id=160625
1334
1335         Reviewed by Benjamin Poulain.
1336
1337         Adds a new target testWASM that is currently used to test the LEB decoder.
1338         In the future, if we add more support for WASM we will put more tests
1339         here.
1340
1341         * JavaScriptCore.xcodeproj/project.pbxproj:
1342         * testWASM.cpp: Added.
1343         (CommandLine::CommandLine):
1344         (printUsageStatement):
1345         (CommandLine::parseArguments):
1346         (runLEBTests):
1347         (main):
1348
1349 2016-08-05  Keith Miller  <keith_miller@apple.com>
1350
1351         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1352         https://bugs.webkit.org/show_bug.cgi?id=160620
1353
1354         Reviewed by Filip Pizlo.
1355
1356         * dfg/DFGSpeculativeJIT32_64.cpp:
1357         (JSC::DFG::SpeculativeJIT::compile):
1358
1359 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1360
1361         [JSC] Remove the first LocalCSE
1362         https://bugs.webkit.org/show_bug.cgi?id=160615
1363
1364         Reviewed by Saam Barati.
1365
1366         LocalCSE is the most expensive phase in DFG (excluding FTL).
1367
1368         The combination of two LocalCSEs does not seem to pay for its cost.
1369         Doing a single LocalCSE after ConstantFolding and StrengthReduction
1370         is always a win on my machine.
1371
1372         * dfg/DFGCleanUpPhase.cpp:
1373         (JSC::DFG::CleanUpPhase::run):
1374         * dfg/DFGPlan.cpp:
1375         (JSC::DFG::Plan::compileInThreadImpl):
1376
1377 2016-08-05  Saam Barati  <sbarati@apple.com>
1378
1379         various math operations don't properly check for an exception after calling toNumber() on the lhs
1380         https://bugs.webkit.org/show_bug.cgi?id=160154
1381
1382         Reviewed by Mark Lam.
1383
1384         We must check for an exception after calling toNumber() on the lhs
1385         because this can throw an exception. If we called toNumber() on
1386         the rhs without first checking for an exception after the toNumber()
1387         on the lhs, this can lead us to execute effectful code or deviate
1388         from the standard in subtle ways. I fixed this bug in various places
1389         by always checking for an exception after calling toNumber() on the
1390         lhs for the various bit and arithmetic operations.
1391
1392         This patch also found a commutativity bug inside DFGStrengthReduction.
1393         We could end up commuting the lhs and rhs of say an "|" expression
1394         even when the lhs/rhs may not be numbers. This is wrong because
1395         executing toNumber() on the lhs/rhs has strict ordering guarantees
1396         by the specification and is observable by user programs.
1397
1398         * dfg/DFGOperations.cpp:
1399         * dfg/DFGStrengthReductionPhase.cpp:
1400         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1401         * jit/JITOperations.cpp:
1402         * runtime/CommonSlowPaths.cpp:
1403         (JSC::SLOW_PATH_DECL):
1404         * runtime/Operations.cpp:
1405         (JSC::jsAddSlowCase):
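
        Added example, not WebKit code and not from the entry above: the ordering guarantee
        this fix enforces, made observable from script. Operands with a recording valueOf()
        show that a conforming engine coerces the lhs first and never coerces the rhs once the
        lhs coercion has thrown, and why swapping the operands of a commutative operator is
        only safe when both are already numbers. OPERATORS, probeOrder and the "events" log
        are constructed here.

```javascript
// Added example, not WebKit code: makes the ToNumber() ordering described in
// the entry above observable. Each operand records when its valueOf() runs in
// the shared "events" array (constructed here), so a caller can see whether
// an operator coerced the rhs even though coercing the lhs had already thrown.
function makeOperand(name, events, options = {}) {
  const { value = 1, throws = false } = options;
  return {
    valueOf() {
      events.push(name);
      if (throws) throw new Error("ToNumber(" + name + ") threw");
      return value;
    },
  };
}

// Apply `op` to two tracked operands and report the coercion order, the
// result, and the error message if the expression threw.
function probeOrder(op, lhsOptions, rhsOptions) {
  const events = [];
  const lhs = makeOperand("lhs", events, lhsOptions);
  const rhs = makeOperand("rhs", events, rhsOptions);
  let result;
  let error = null;
  try {
    result = op(lhs, rhs);
  } catch (e) {
    error = e.message;
  }
  return { order: events.join(","), result, error };
}

// The bit and arithmetic operators the entry above covers all coerce the lhs
// before the rhs.
const OPERATORS = {
  or: (a, b) => a | b,
  and: (a, b) => a & b,
  xor: (a, b) => a ^ b,
  shl: (a, b) => a << b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  add: (a, b) => a + b,
};

// A conforming engine must satisfy both properties for every operator:
//  1. lhs is coerced before rhs (order "lhs,rhs" on the success path);
//  2. if coercing lhs throws, rhs is never coerced (order is just "lhs").
// Returns the names of the operators that violate either property.
function findOrderingViolations(operators = OPERATORS) {
  const violations = [];
  for (const [name, op] of Object.entries(operators)) {
    const ok = probeOrder(op, { value: 6 }, { value: 3 });
    const lhsThrows = probeOrder(op, { throws: true }, { value: 3 });
    if (ok.order !== "lhs,rhs" || lhsThrows.order !== "lhs" || lhsThrows.error === null)
      violations.push(name);
  }
  return violations;
}

// Why the StrengthReduction commutativity bug mattered: swapping the operands
// of a commutative operator is only unobservable when both sides are already
// numbers. With objects, the coercion order (and any side effects) flips.
function isSwapObservable(op) {
  const forward = probeOrder(op, { value: 6 }, { value: 3 }).order;
  const swapped = probeOrder((a, b) => op(b, a), { value: 6 }, { value: 3 }).order;
  return forward !== swapped;
}

console.log("ordering violations:", findOrderingViolations());         // []
console.log("swap observable for |:", isSwapObservable(OPERATORS.or)); // true
```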
1406
1407 2016-08-05  Michael Saboff  <msaboff@apple.com>
1408
1409         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1410         https://bugs.webkit.org/show_bug.cgi?id=160614
1411
1412         Reviewed by Keith Miller.
1413
1414         In compilePutByValForIntTypedArray() we were calling out to the slow path
1415         operationToInt32() and then returning back to the middle of code to finish
1416         the processing of writing the value to the array.  When we make the slow
1417         path call, we trash any temporary registers that have been allocated.
1418         In general slow path calls should finish the operation in progress and
1419         continue processing at the beginning of the next node.
1420
1421         This was discovered while working on the register argument changes, when
1422         we SpeculateStrictInt32Operand on the value child node.  That child node's
1423         value was live in register with a spill format of DataFormatJSInt32.  In that
1424         case we allocate a new temporary register and copy just the lower 32 bits from
1425         the child register to the new temp register.  That temp register gets trashed
1426         when we make the operationToInt32() slow path call.
1427
1428         I spent some time trying to devise a test with the current code base and wasn't
1429         successful.  This case is tested with the register argument changes in progress.
1430
1431         * dfg/DFGSpeculativeJIT.cpp:
1432         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1433
1434 2016-08-05  Saam Barati  <sbarati@apple.com>
1435
1436         Assertion failure when accessing TDZ variable in catch through eval
1437         https://bugs.webkit.org/show_bug.cgi?id=160554
1438
1439         Reviewed by Mark Lam and Keith Miller.
1440
1441         When we were calculating the variables under TDZ from a JSScope,
1442         the algorithm was not taking into account that a catch scope
1443         has variables under TDZ.
1444
1445         * runtime/JSScope.cpp:
1446         (JSC::JSScope::collectVariablesUnderTDZ):
1447
1448 2016-08-05  Keith Miller  <keith_miller@apple.com>
1449
1450         Delete out of date WASM code.
1451         https://bugs.webkit.org/show_bug.cgi?id=160603
1452
1453         Reviewed by Saam Barati.
1454
1455         This patch removes a bunch of the wasm files that we are unlikely to use
1456         with the newer wasm spec. If we end up needing any of the deleted code
1457         later we can restore it at that time.
1458
1459         * CMakeLists.txt:
1460         * JavaScriptCore.xcodeproj/project.pbxproj:
1461         * jit/JITOperations.cpp:
1462         * jsc.cpp:
1463         (GlobalObject::finishCreation): Deleted.
1464         (functionLoadWebAssembly): Deleted.
1465         * llint/LLIntSlowPaths.cpp:
1466         (JSC::LLInt::setUpCall): Deleted.
1467         * runtime/Executable.cpp:
1468         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1469         * runtime/JSGlobalObject.cpp:
1470         (JSC::JSGlobalObject::init): Deleted.
1471         (JSC::JSGlobalObject::visitChildren): Deleted.
1472         * runtime/JSGlobalObject.h:
1473         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1474         * wasm/WASMConstants.h: Removed.
1475         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1476         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1477         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1478         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1479         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1480         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1481         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1482         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1483         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1484         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1485         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1486         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1487         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1488         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1489         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1490         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1491         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1492         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1493         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1494         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1495         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1496         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1497         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1498         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1499         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1500         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1501         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1502         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1503         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1504         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1505         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1506         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1507         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1508         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1509         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1510         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1511         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1512         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1513         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1514         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1515         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1516         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1517         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1518         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1519         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1520         * wasm/WASMFunctionCompiler.h: Removed.
1521         (JSC::operationConvertJSValueToInt32): Deleted.
1522         (JSC::operationConvertJSValueToDouble): Deleted.
1523         (JSC::operationDiv): Deleted.
1524         (JSC::operationMod): Deleted.
1525         (JSC::operationUnsignedDiv): Deleted.
1526         (JSC::operationUnsignedMod): Deleted.
1527         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1528         (JSC::sizeOfMemoryType): Deleted.
1529         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1530         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1531         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1532         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1533         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1534         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1535         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1536         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1537         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1538         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1539         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1540         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1541         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1542         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1543         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1544         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1545         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1546         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1547         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1548         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1549         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1550         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1551         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1552         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1553         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1554         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1555         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1556         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1557         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1558         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1559         (JSC::WASMFunctionCompiler::discard): Deleted.
1560         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1561         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1562         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1563         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1564         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1565         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1566         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1567         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1568         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1569         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1570         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1571         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1572         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1573         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1574         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1575         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1576         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1577         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1578         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1579         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1580         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1581         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1582         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1583         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1584         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1585         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1586         * wasm/WASMFunctionParser.cpp: Removed.
1587         (JSC::nameOfType): Deleted.
1588         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1589         (JSC::WASMFunctionParser::compile): Deleted.
1590         (JSC::WASMFunctionParser::parseFunction): Deleted.
1591         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1592         (JSC::WASMFunctionParser::parseStatement): Deleted.
1593         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1594         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1595         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1596         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1597         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1598         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1599         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1600         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1601         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1602         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1603         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1604         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1605         (JSC::WASMFunctionParser::parseExpression): Deleted.
1606         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1607         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1608         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1609         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1610         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1611         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1612         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1613         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1614         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1615         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1616         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1617         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1618         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1619         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1620         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1621         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1622         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1623         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1624         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1625         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1626         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1627         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1628         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1629         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1630         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1631         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1632         (JSC::WASMFunctionParser::parseLoad): Deleted.
1633         (JSC::WASMFunctionParser::parseStore): Deleted.
1634         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1635         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1636         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1637         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1638         (JSC::WASMFunctionParser::parseConditional): Deleted.
1639         (JSC::WASMFunctionParser::parseComma): Deleted.
1640         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1641         * wasm/WASMFunctionParser.h: Removed.
1642         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1643         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1644         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1645         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1646         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1647         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1648         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1649         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1650         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1651         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1652         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1653         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1654         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1655         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1656         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1657         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1658         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1659         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1660         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1661         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1662         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1663         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1664         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1665         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1666         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1667         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1668         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1669         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1670         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1671         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1672         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1673         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1674         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1675         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1676         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1677         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1678         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1679         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1680         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1681         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1682         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1683         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1684         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1685         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1686         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1687         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1688         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1689         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1690         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1691         * wasm/WASMModuleParser.cpp: Removed.
1692         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1693         (JSC::WASMModuleParser::parse): Deleted.
1694         (JSC::WASMModuleParser::parseModule): Deleted.
1695         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1696         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1697         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1698         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1699         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1700         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1701         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1702         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1703         (JSC::WASMModuleParser::parseExportSection): Deleted.
1704         (JSC::WASMModuleParser::getImportedValue): Deleted.
1705         (JSC::parseWebAssembly): Deleted.
1706         * wasm/WASMModuleParser.h: Removed.
1707         * wasm/WASMReader.cpp: Removed.
1708         (JSC::WASMReader::readUInt32): Deleted.
1709         (JSC::WASMReader::readFloat): Deleted.
1710         (JSC::WASMReader::readDouble): Deleted.
1711         (JSC::WASMReader::readCompactInt32): Deleted.
1712         (JSC::WASMReader::readCompactUInt32): Deleted.
1713         (JSC::WASMReader::readString): Deleted.
1714         (JSC::WASMReader::readType): Deleted.
1715         (JSC::WASMReader::readExpressionType): Deleted.
1716         (JSC::WASMReader::readExportFormat): Deleted.
1717         (JSC::WASMReader::readByte): Deleted.
1718         (JSC::WASMReader::readOpStatement): Deleted.
1719         (JSC::WASMReader::readOpExpressionI32): Deleted.
1720         (JSC::WASMReader::readOpExpressionF32): Deleted.
1721         (JSC::WASMReader::readOpExpressionF64): Deleted.
1722         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1723         (JSC::WASMReader::readVariableTypes): Deleted.
1724         (JSC::WASMReader::readOp): Deleted.
1725         (JSC::WASMReader::readSwitchCase): Deleted.
1726         * wasm/WASMReader.h: Removed.
1727         (JSC::WASMReader::WASMReader): Deleted.
1728         (JSC::WASMReader::offset): Deleted.
1729         (JSC::WASMReader::setOffset): Deleted.
1730
1731 2016-08-05  Keith Miller  <keith_miller@apple.com>
1732
1733         Fix 32-bit OverridesHasInstance in the DFG.
1734         https://bugs.webkit.org/show_bug.cgi?id=160600
1735
1736         Reviewed by Mark Lam.
1737
1738         In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
1739         do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
1740         was a constant late in compilation. That fix was omitted from the 32-bit version,
1741         causing the new test to fail.
1742
1743         * dfg/DFGSpeculativeJIT32_64.cpp:
1744         (JSC::DFG::SpeculativeJIT::compile):
1745
1746 2016-08-04  Saam Barati  <sbarati@apple.com>
1747
1748         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1749         https://bugs.webkit.org/show_bug.cgi?id=151241
1750
1751         Reviewed by Benjamin Poulain.
1752
1753         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
1754         We can now jettison a CodeBlock when it has been alive for a long time
1755         and is only pointed to by its owner executable. I haven't been able to get this
1756         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
1757         were causing this before. I've also added some stress options for this feature that
1758         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
1759         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
1760         and then the Executable would do some other allocations, causing a GC, immediately causing
1761         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before,
1762         however, it's unlikely given that the previous timing metrics require at least 5 seconds between
1763         compiling to jettisoning.
1764
1765         This patch also enables the stress options for various modes
1766         of JSC stress tests.
1767
1768         * bytecode/CodeBlock.cpp:
1769         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1770         (JSC::timeToLive):
1771         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1772         * interpreter/CallFrame.h:
1773         (JSC::ExecState::callee):
1774         (JSC::ExecState::unsafeCallee):
1775         (JSC::ExecState::codeBlock):
1776         (JSC::ExecState::addressOfCodeBlock):
1777         (JSC::ExecState::unsafeCodeBlock):
1778         (JSC::ExecState::scope):
1779         * interpreter/Interpreter.cpp:
1780         (JSC::Interpreter::execute):
1781         (JSC::Interpreter::executeCall):
1782         (JSC::Interpreter::executeConstruct):
1783         (JSC::Interpreter::prepareForRepeatCall):
1784         * jit/JITOperations.cpp:
1785         * llint/LLIntSlowPaths.cpp:
1786         (JSC::LLInt::setUpCall):
1787         * runtime/Executable.cpp:
1788         (JSC::ScriptExecutable::installCode):
1789         (JSC::setupJIT):
1790         (JSC::ScriptExecutable::prepareForExecutionImpl):
1791         * runtime/Executable.h:
1792         (JSC::ScriptExecutable::prepareForExecution):
1793         * runtime/Options.h:
1794
1795 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1796
1797         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1798         https://bugs.webkit.org/show_bug.cgi?id=160549
1799
1800         Reviewed by Saam Barati.
1801
1802         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1803
1804         * runtime/JSModuleNamespaceObject.cpp:
1805         (JSC::JSModuleNamespaceObject::finishCreation):
1806
1807 2016-08-04  Keith Miller  <keith_miller@apple.com>
1808
1809         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1810         https://bugs.webkit.org/show_bug.cgi?id=160562
1811         <rdar://problem/27704825>
1812
1813         Reviewed by Mark Lam.
1814
1815         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1816         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1817         associated with the assumption that this could not happen.
1818
1819         * dfg/DFGSpeculativeJIT64.cpp:
1820         (JSC::DFG::SpeculativeJIT::compile):
1821         * ftl/FTLLowerDFGToB3.cpp:
1822         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1823
1824 2016-08-04  Keith Miller  <keith_miller@apple.com>
1825
1826         Remove unused intrinsic member of NativeExecutable
1827         https://bugs.webkit.org/show_bug.cgi?id=160560
1828
1829         Reviewed by Saam Barati.
1830
1831         NativeExecutable has an Intrinsic member. It appears that this member is never
1832         used. Instead we use the Intrinsic member of NativeExecutable's super class,
1833         ExecutableBase.
1834
1835         * runtime/Executable.h:
1836
1837 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
1838
1839         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
1840         https://bugs.webkit.org/show_bug.cgi?id=160539
1841
1842         Reviewed by Mark Lam.
1843
1844         This patch does small improvements to our handling
1845         of value propagation to the successors.
1846
1847         One key insight is that using HashMap to map Nodes
1848         to Value in valuesAtTail is too inefficient at the scale
1849         we use it. Instead, I reuse our existing mapping
1850         from every Node to its value, abstracted by forNode().
1851
1852         Since we are not going to use the mapping after endBasicBlock()
1853         I can replace whatever we had there. The next beginBasicBlock()
1854         will setup the new value as needed.
1855
1856         In endBasicBlock(), valuesAtTail is now a vector of all values live
1857         at tail. For each node, I merge the previous live at tail with
1858         the new value, then replace the value in the mapping.
1859         Liveness Analysis guarantees we won't have duplicates there which
1860         makes the replacement sound.
1861
1862         Next, when propagating, I take the vector of values live at head
1863         and use the global node->value mapping to find its new abstract value.
1864         Again, Liveness Analysis guarantees I won't find a value live at head
1865         that was not replaced by the merging at tail of the predecessor.
1866
1867         All our live lists have become vectors instead of HashTable.
1868         The mapping from Node to Value is always done by array indexing.
1869         Same big-O, much smaller constant.
1870
1871         * dfg/DFGAtTailAbstractState.cpp:
1872         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
1873         (JSC::DFG::AtTailAbstractState::createValueForNode):
1874         (JSC::DFG::AtTailAbstractState::forNode):
1875         * dfg/DFGAtTailAbstractState.h:
1876         I did not look much into this state, I just made it equivalent
1877         to the previous mapping.
1878
1879         * dfg/DFGBasicBlock.h:
1880         * dfg/DFGCFAPhase.cpp:
1881         (JSC::DFG::CFAPhase::performBlockCFA):
1882         * dfg/DFGGraph.cpp:
1883         (JSC::DFG::Graph::dump):
1884         * dfg/DFGInPlaceAbstractState.cpp:
1885         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1886
1887         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1888         AbstractValue is big enough that we really don't want to copy it twice.
1889
1890         (JSC::DFG::InPlaceAbstractState::merge):
1891         (JSC::DFG::setLiveValues): Deleted.
1892         * dfg/DFGInPlaceAbstractState.h:
1893
1894         * dfg/DFGPhiChildren.h:
1895         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
1896
1897 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1898
1899         [ES7] Update features.json for exponentiation expression
1900         https://bugs.webkit.org/show_bug.cgi?id=160541
1901
1902         Reviewed by Mark Lam.
1903
1904         * features.json:
1905
1906 2016-08-03  Chris Dumez  <cdumez@apple.com>
1907
1908         Drop DocumentType.internalSubset attribute
1909         https://bugs.webkit.org/show_bug.cgi?id=160530
1910
1911         Reviewed by Alex Christensen.
1912
1913         Drop DocumentType.internalSubset attribute.
1914
1915         * inspector/protocol/DOM.json:
1916
1917 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
1918
1919         [JSC] Improve the memory locality of DFG Node's AbstractValues
1920         https://bugs.webkit.org/show_bug.cgi?id=160443
1921
1922         Reviewed by Mark Lam.
1923
1924         The AbstractInterpreter spends a lot of time on memory operations
1925         for AbstractValues. This patch attempts to improve the situation
1926         by putting the values closer together in memory.
1927
1928         First, AbstractValue is moved out of DFG::Node and is kept in
1929         a vector addressed by node indices.
1930
1931         I initially moved them to InPlaceAbstractState but I quickly discovered
1932         initializing the values in the vector was costly.
1933         I moved the vector to Graph as a cache shared by every instantiation of
1934         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
1935         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
1936         should also help eventually.
1937
1938         I instrumented CFA to find how packed SparseCollection is.
1939         The answer is it can be very sparse, which is bad for CFA.
1940         I added packIndices() to repack the collection before running
1941         liveness since that's where we start using the memory intensively.
1942         This is a measurable improvement but it implies we can no longer
1943         keep indices on a side channel between phases since they may change.
1944
1945         * b3/B3SparseCollection.h:
1946         (JSC::B3::SparseCollection::packIndices):
1947         * dfg/DFGGraph.cpp:
1948         (JSC::DFG::Graph::packNodeIndices):
1949         * dfg/DFGGraph.h:
1950         (JSC::DFG::Graph::abstractValuesCache):
1951         * dfg/DFGInPlaceAbstractState.cpp:
1952         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
1953         * dfg/DFGInPlaceAbstractState.h:
1954         (JSC::DFG::InPlaceAbstractState::forNode):
1955         * dfg/DFGLivenessAnalysisPhase.cpp:
1956         (JSC::DFG::performLivenessAnalysis):
1957         * dfg/DFGNode.h:
1958
1959 2016-08-03  Caitlin Potter  <caitp@igalia.com>
1960
1961         Clarify SyntaxErrors around yield and unskip tests
1962         https://bugs.webkit.org/show_bug.cgi?id=158460
1963
1964         Reviewed by Saam Barati.
1965
1966         Fix and unskip tests which erroneously asserted that `yield` is not a
1967         valid BindingIdentifier, and improve error message for YieldExpressions
1968         occurring in Arrow formal parameters.
1969
1970         * parser/Parser.cpp:
1971         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
1972         (JSC::Parser<LexerType>::parseFunctionInfo):
1973         (JSC::Parser<LexerType>::parseYieldExpression):
1974         * parser/Parser.h:
1975
1976 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
1977
1978         REGRESSION(r203368): broke some test262 tests
1979         https://bugs.webkit.org/show_bug.cgi?id=160479
1980
1981         Reviewed by Mark Lam.
1982         
1983         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
1984         Accessor properties.
1985
1986         * runtime/Structure.cpp:
1987         (JSC::Structure::nonPropertyTransition):
1988         * runtime/StructureTransitionTable.h:
1989         (JSC::setsDontDeleteOnAllProperties):
1990         (JSC::setsReadOnlyOnNonAccessorProperties):
1991         (JSC::setsReadOnlyOnAllProperties): Deleted.
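
The distinction this fix restores is observable from script: Object.freeze() clears [[Writable]] on data properties only, because accessor properties have no such attribute, so a getter/setter pair keeps running after the freeze. The following check is an added example written for this ChangeLog, not code from the patch or from WebKit's test suite; the object, its accessor and the recorded values are constructed for the demonstration.

```javascript
'use strict';

// Object.freeze() makes every own property non-configurable and makes *data*
// properties non-writable. Accessor properties carry no [[Writable]] attribute,
// so freezing must leave their getter and setter callable.
function freezeWithAccessor() {
  const log = [];
  const obj = {
    count: 1,                                     // data property
    get value() { return log.length; },           // accessor property
    set value(v) { log.push(v); },
  };
  Object.freeze(obj);

  // Data property: now read-only, so the assignment throws in strict mode.
  let dataWriteThrew = false;
  try { obj.count = 2; } catch (e) { dataWriteThrew = e instanceof TypeError; }

  // Accessor property: the setter still runs and records the value.
  obj.value = 'after-freeze';

  const dataDesc = Object.getOwnPropertyDescriptor(obj, 'count');
  const accDesc = Object.getOwnPropertyDescriptor(obj, 'value');
  return {
    frozen: Object.isFrozen(obj),
    dataWriteThrew,
    dataWritable: dataDesc.writable,              // false after freeze
    dataConfigurable: dataDesc.configurable,      // false after freeze
    accessorHasWritable: 'writable' in accDesc,   // false: accessors never have it
    accessorConfigurable: accDesc.configurable,   // false after freeze
    setterRanAfterFreeze: log.length === 1 && log[0] === 'after-freeze',
    getterValue: obj.value,                       // 1: the getter sees the write
  };
}
```

An engine that marks accessor properties ReadOnly on freeze would silently drop the write to `value` (or throw), which is exactly what the affected test262 tests detect.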
1992
1993 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
1994
1995         Lacking support on a arm-traditional disassembler.
1996         https://bugs.webkit.org/show_bug.cgi?id=123717
1997
1998         Reviewed by Mark Lam.
1999
2000         * CMakeLists.txt:
2001         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
2002         (JSC::tryToDisassemble):
2003
2004 2016-08-03  Saam Barati  <sbarati@apple.com>
2005
2006         Implement nested rest destructuring w.r.t the ES7 spec
2007         https://bugs.webkit.org/show_bug.cgi?id=160423
2008
2009         Reviewed by Filip Pizlo.
2010
2011         The spec has updated the BindingRestElement grammar production to be:
2012         BindingRestElement:
2013            BindingIdentifier
2014            BindingPattern
2015
2016         It used to only allow BindingIdentifier in the grammar production.
2017         I've updated our engine to account for this. The semantics are exactly
2018         what you'd expect.  For example:
2019         `let [a, ...[b, ...c]] = expr();`
2020         means that we create an array for the first rest element `...[b, ...c]`
2021         and then perform the binding of `[b, ...c]` to that array. And so on, 
2022         applied recursively through the pattern.
2023
2024         * bytecompiler/NodesCodegen.cpp:
2025         (JSC::RestParameterNode::collectBoundIdentifiers):
2026         (JSC::RestParameterNode::toString):
2027         (JSC::RestParameterNode::bindValue):
2028         (JSC::RestParameterNode::emit):
2029         * parser/ASTBuilder.h:
2030         (JSC::ASTBuilder::createBindingLocation):
2031         (JSC::ASTBuilder::createRestParameter):
2032         (JSC::ASTBuilder::createAssignmentElement):
2033         * parser/NodeConstructors.h:
2034         (JSC::AssignmentElementNode::AssignmentElementNode):
2035         (JSC::RestParameterNode::RestParameterNode):
2036         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2037         * parser/Nodes.h:
2038         (JSC::RestParameterNode::name): Deleted.
2039         * parser/Parser.cpp:
2040         (JSC::Parser<LexerType>::parseDestructuringPattern):
2041         (JSC::Parser<LexerType>::parseFormalParameters):
2042         * parser/SyntaxChecker.h:
2043         (JSC::SyntaxChecker::operatorStackPop):
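
The semantics described above, shown in the three syntactic positions where a BindingRestElement can carry a nested pattern (declaration, parameter list and assignment expression) and against a non-array iterable. This is an added example, not code from the patch or from JSTests; the helper functions and inputs are constructed for the demonstration.

```javascript
'use strict';

// A nested rest pattern `...[b, ...c]` first collects the remaining elements
// into a fresh array, then destructures that array with the inner pattern.
// The same grammar production applies in every binding position.

// Binding pattern in a declaration.
function splitDeclaration(input) {
  const [a, ...[b, ...c]] = input;
  return { a, b, c };
}

// Binding pattern in a parameter list: arguments after the first are
// gathered, then the gathered array is destructured again.
function splitParameters(first, ...[second, ...others]) {
  return { first, second, others };
}

// Assignment pattern (no declaration); the targets are existing variables.
function splitAssignment(input) {
  let head, next, tail;
  [head, ...[next, ...tail]] = input;
  return { head, next, tail };
}

// Each rest level materializes a new array from whatever iterable it is
// given, so `c` is an array even when the source is a generator.
function* countTo(n) { for (let i = 1; i <= n; i++) yield i; }
function splitIterable(n) {
  const [a, ...[b, ...c]] = countTo(n);
  return { a, b, c };
}
```

Note that a too-short input never throws: a rest element over an exhausted iterable yields an empty array, and the inner pattern then binds `undefined` for its missing elements.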
2044
2045 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
2046
2047         [JSC] Fix Windows build after r204065
2048
2049         * dfg/DFGAbstractValue.cpp:
2050         (JSC::DFG::AbstractValue::observeTransitions):
2051         AbstractValue is bigger on Windows for an unknown reason.
2052
2053 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2054
2055         [JSC] Fix 32bits jsc after r204065
2056
2057         Default constructed JSValue() are not equal to zero in 32bits.
2058
2059         * dfg/DFGAbstractValue.h:
2060         (JSC::DFG::AbstractValue::AbstractValue):
2061
2062 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2063
2064         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2065         https://bugs.webkit.org/show_bug.cgi?id=160370
2066
2067         Reviewed by Saam Barati.
2068
2069         We use a ton of AbstractValue to run the Abstract Interpreter.
2070
2071         When we set up the initial values, the compiler sets
2072         a zero on a first word, a one on a second word, and a zero
2073         again on a third word.
2074         Since no vector or double-store can deal with 3 words, unrolling
2075         is done by repeating those instructions.
2076
2077         The reason for the one was TinyPtrSet. It needed a flag for
2078         empty value to identify the set as thin. I flipped the flag to "fat"
2079         to make sure TinyPtrSet is initialized to zero.
2080
2081         With that done, I just had to clean some places to make
2082         the initialization shorter.
2083         It makes the binary easier to follow but this does not help with
2084         the bigger problem: the time spent per block on Abstract Interpreter.
2085
2086         * bytecode/Operands.h:
2087         The traits were useless, no client code defines it.
2088
2089         (JSC::Operands::Operands):
2090         (JSC::Operands::ensureLocals):
2091         Because of the size of the function, llvm is not inlining it.
2092         We were literally loading 3 registers from memory and storing
2093         them in the vector.
2094         Now that AbstractValue has a VectorTraits, we should just rely
2095         on the memset of Vector when possible.
2096
2097         (JSC::Operands::getLocal):
2098         (JSC::Operands::setArgumentFirstTime):
2099         (JSC::Operands::setLocalFirstTime):
2100         (JSC::Operands::clear):
2101         (JSC::OperandValueTraits::defaultValue): Deleted.
2102         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2103         * bytecode/OperandsInlines.h:
2104         (JSC::Operands<T>::dumpInContext):
2105         (JSC::Operands<T>::dump):
2106         (JSC::Traits>::dumpInContext): Deleted.
2107         (JSC::Traits>::dump): Deleted.
2108         * dfg/DFGAbstractValue.cpp:
2109         * dfg/DFGAbstractValue.h:
2110         (JSC::DFG::AbstractValue::AbstractValue):
2111
2112 2016-08-02  Saam Barati  <sbarati@apple.com>
2113
2114         update a class extending null w.r.t the ES7 spec
2115         https://bugs.webkit.org/show_bug.cgi?id=160417
2116
2117         Reviewed by Keith Miller.
2118
2119         When a class extends null, it should not be marked as a derived class.
2120         This was changed in the ES2016 spec, and this patch makes the needed
2121         changes in JSC to follow the spec. This allows classes to extend
2122         null and have their default constructor invoked without throwing an exception.
2123         This also prevents |this| from being under TDZ at the start of the constructor.
2124         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2125         syntax, we don't know statically if a constructor is extending null or not.
2126         Therefore, we don't always know statically if it's a base or derived constructor.
2127         I solved this by putting a boolean on the constructor function under a private
2128         symbol named isDerivedConstructor when doing class construction. We only need
2129         to put this boolean on constructors that may extend null. Constructors that are
2130         declared in a class with no extends syntax can tell statically that they are a base constructor.
2131
2132         I've also renamed the ConstructorKind::Derived enum value to be
2133         ConstructorKind::Extends to better indicate that we can't answer
2134         the "am I a derived constructor?" question statically.
2135
2136         * builtins/BuiltinExecutables.cpp:
2137         (JSC::BuiltinExecutables::createDefaultConstructor):
2138         * builtins/BuiltinNames.h:
2139         * bytecompiler/BytecodeGenerator.cpp:
2140         (JSC::BytecodeGenerator::BytecodeGenerator):
2141         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2142         (JSC::BytecodeGenerator::emitReturn):
2143         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2144         (JSC::BytecodeGenerator::ensureThis):
2145         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2146         * bytecompiler/BytecodeGenerator.h:
2147         (JSC::BytecodeGenerator::makeFunction):
2148         * bytecompiler/NodesCodegen.cpp:
2149         (JSC::EvalFunctionCallNode::emitBytecode):
2150         (JSC::FunctionCallValueNode::emitBytecode):
2151         (JSC::FunctionNode::emitBytecode):
2152         (JSC::ClassExprNode::emitBytecode):
2153         * parser/Parser.cpp:
2154         (JSC::Parser<LexerType>::Parser):
2155         (JSC::Parser<LexerType>::parseFunctionInfo):
2156         (JSC::Parser<LexerType>::parseClass):
2157         (JSC::Parser<LexerType>::parseMemberExpression):
2158         * parser/ParserModes.h:
2159
2160 2016-08-02  Enrica Casucci  <enrica@apple.com>
2161
2162         Allow building with content filtering disabled.
2163         https://bugs.webkit.org/show_bug.cgi?id=160454
2164
2165         Reviewed by Simon Fraser.
2166
2167         * Configurations/FeatureDefines.xcconfig:
2168
2169 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2170
2171         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2172         https://bugs.webkit.org/show_bug.cgi?id=159759
2173
2174         Reviewed by Saam Barati.
2175
2176         * jit/JITMathIC.h:
2177         (JSC::JITMathIC::generateInline):
2178
2179 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2180
2181         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2182         https://bugs.webkit.org/show_bug.cgi?id=160438
2183
2184         Reviewed by Mark Lam.
2185         
2186         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2187         catching stack overflow due to large parameter count. It would only catch regular old stack
2188         overflow, like if the frame pointer was already past the limit.
2189         
2190         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2191         the stack due to large parameter count were not going down that path at all, so we haven't had
2192         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2193         case.
2194
2195         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2196         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2197         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2198         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2199         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2200         a stack frame roll back normally does, since exception unwinding needs to see the current value
2201         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2202         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2203         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2204         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2205         To signal this, I could have either made topCallFrame point to the real top JS call frame
2206         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2207         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2208         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2209         engine against this case.
2210         
2211         * interpreter/StackVisitor.cpp:
2212         (JSC::StackVisitor::StackVisitor):
2213         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2214         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2215         StackVisitor is the only place that needs to be taught about this at this time, because it's
2216         one of the few things that access topCallFrame along this special path.
2217         
2218         * jit/JITOperations.cpp: Roll back the top call frame.
2219         * runtime/CommonSlowPaths.cpp:
2220         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2221
2222 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2223
2224         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2225         https://bugs.webkit.org/show_bug.cgi?id=160439
2226
2227         Reviewed by Filip Pizlo.
2228
2229         * assembler/MacroAssemblerARM64.h:
2230         (JSC::MacroAssemblerARM64::branchTest64):
2231         * b3/air/AirOpcode.opcodes:
2232         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2233
2234 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2235
2236         [B3] Fusing immediates into test instructions should work again
2237         https://bugs.webkit.org/show_bug.cgi?id=160073
2238
2239         Reviewed by Sam Weinig.
2240
2241         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2242         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2243         was still using Imm!  This meant that isValidForm() always returned false.
2244         
2245         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2246         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2247         with the scratch register).
2248         
2249         This is not an obvious progression on anything, so I added comprehensive tests to
2250         testb3, which check that we selected the optimal instruction in a variety of situations.
2251         We should add more tests like this!
2252
2253         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2254         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2255         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2256
2257         * b3/B3BasicBlock.h:
2258         (JSC::B3::BasicBlock::successorBlock):
2259         * b3/B3LowerToAir.cpp:
2260         (JSC::B3::Air::LowerToAir::createGenericCompare):
2261         * b3/B3LowerToAir.h:
2262         * b3/air/AirArg.cpp:
2263         (JSC::B3::Air::Arg::isRepresentableAs):
2264         (JSC::B3::Air::Arg::usesTmp):
2265         * b3/air/AirArg.h:
2266         (JSC::B3::Air::Arg::isRepresentableAs):
2267         (JSC::B3::Air::Arg::castToType):
2268         (JSC::B3::Air::Arg::asNumber):
2269         * b3/air/AirCode.h:
2270         (JSC::B3::Air::Code::size):
2271         (JSC::B3::Air::Code::at):
2272         * b3/air/AirOpcode.opcodes:
2273         * b3/air/AirValidate.h:
2274         * b3/air/opcode_generator.rb:
2275         * b3/testb3.cpp:
2276         (JSC::B3::compile):
2277         (JSC::B3::compileAndRun):
2278         (JSC::B3::lowerToAirForTesting):
2279         (JSC::B3::testSomeEarlyRegister):
2280         (JSC::B3::testBranchBitAndImmFusion):
2281         (JSC::B3::zero):
2282         (JSC::B3::run):
2283
2284 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2285
2286         Rationalize varargs stack overflow checks
2287         https://bugs.webkit.org/show_bug.cgi?id=160425
2288
2289         Reviewed by Michael Saboff.
2290
2291         * ftl/FTLLink.cpp:
2292         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2293         * runtime/CommonSlowPaths.h:
2294         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2295
2296 2016-08-01  Saam Barati  <sbarati@apple.com>
2297
2298         Sub should be a Math IC
2299         https://bugs.webkit.org/show_bug.cgi?id=160270
2300
2301         Reviewed by Mark Lam.
2302
2303         This makes Sub an IC like Mul and Add. I'm seeing the following
2304         improvements of average Sub size on Unity and JetStream:
2305
2306                    |   JetStream  |  Unity 3D  |
2307              ------| -------------|--------------
2308               Old  |   202 bytes  |  205 bytes |
2309              ------| -------------|--------------
2310               New  |   134  bytes |  134 bytes |
2311              ------------------------------------
2312
2313         * bytecode/CodeBlock.cpp:
2314         (JSC::CodeBlock::addJITMulIC):
2315         (JSC::CodeBlock::addJITSubIC):
2316         (JSC::CodeBlock::findStubInfo):
2317         (JSC::CodeBlock::dumpMathICStats):
2318         * bytecode/CodeBlock.h:
2319         (JSC::CodeBlock::stubInfoBegin):
2320         (JSC::CodeBlock::stubInfoEnd):
2321         * dfg/DFGSpeculativeJIT.cpp:
2322         (JSC::DFG::SpeculativeJIT::compileArithSub):
2323         * ftl/FTLLowerDFGToB3.cpp:
2324         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2325         * jit/JITArithmetic.cpp:
2326         (JSC::JIT::emit_op_sub):
2327         (JSC::JIT::emitSlow_op_sub):
2328         (JSC::JIT::emit_op_pow):
2329         * jit/JITMathIC.h:
2330         * jit/JITMathICForwards.h:
2331         * jit/JITOperations.cpp:
2332         * jit/JITOperations.h:
2333         * jit/JITSubGenerator.cpp:
2334         (JSC::JITSubGenerator::generateInline):
2335         (JSC::JITSubGenerator::generateFastPath):
2336         * jit/JITSubGenerator.h:
2337         (JSC::JITSubGenerator::JITSubGenerator):
2338         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2339         (JSC::JITSubGenerator::isRightOperandValidConstant):
2340         (JSC::JITSubGenerator::arithProfile):
2341         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2342         (JSC::JITSubGenerator::endJumpList): Deleted.
2343         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2344
2345 2016-08-01  Keith Miller  <keith_miller@apple.com>
2346
2347         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2348         https://bugs.webkit.org/show_bug.cgi?id=160372
2349
2350         Rubber stamped by Geoffrey Garen.
2351
2352         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2353         a new top level directory, JSTests. Having the tests in the Source directory
2354         was both confusing and inconvenient for people that just want to check out the
2355         source code of WebKit. Since there is no other obvious place to put all the
2356         JavaScript tests a new top level directory seemed the most sensible.
2357
2358         * tests/: Deleted.
2359
2360 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2361
2362         [JSC] Should check Test262Error correctly
2363         https://bugs.webkit.org/show_bug.cgi?id=159862
2364
2365         Reviewed by Saam Barati.
2366
2367         Test262Error in the harness does not have a "name" property.
2368         Rather than checking the "name" property, performing `instanceof` is better to check the class of the exception.
2369
2370         * jsc.cpp:
2371         (checkUncaughtException):
2372         * runtime/JSObject.h:
2373         * tests/test262.yaml:
2374
2375 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2376
2377         [ES6] Module binding can be exported by multiple names
2378         https://bugs.webkit.org/show_bug.cgi?id=160343
2379
2380         Reviewed by Saam Barati.
2381
2382         ES6 Module can export the same local binding by using multiple names.
2383         For example,
2384
2385             ```
2386             var value = 42;
2387
2388             export { value };
2389             export { value as value2 };
2390             ```
2391
2392         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
2393         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
2394
2395         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2396         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
2397         this information when creating the export entries in ModuleAnalyzer.
2398
2399         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2400         names should be managed per-module, not per-scope.
2401
2402         This change fixes several test262 failures.
2403
2404         * JavaScriptCore.xcodeproj/project.pbxproj:
2405         * parser/ModuleAnalyzer.cpp:
2406         (JSC::ModuleAnalyzer::exportVariable):
2407         (JSC::ModuleAnalyzer::analyze):
2408         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2409         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2410         * parser/ModuleAnalyzer.h:
2411         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2412         (JSC::ModuleScopeData::create):
2413         (JSC::ModuleScopeData::exportedBindings):
2414         (JSC::ModuleScopeData::exportName):
2415         (JSC::ModuleScopeData::exportBinding):
2416         * parser/Nodes.cpp:
2417         (JSC::ProgramNode::ProgramNode):
2418         (JSC::ModuleProgramNode::ModuleProgramNode):
2419         (JSC::EvalNode::EvalNode):
2420         (JSC::FunctionNode::FunctionNode):
2421         * parser/Nodes.h:
2422         (JSC::ModuleProgramNode::moduleScopeData):
2423         * parser/NodesAnalyzeModule.cpp:
2424         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2425         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2426         * parser/Parser.cpp:
2427         (JSC::Parser<LexerType>::Parser):
2428         (JSC::Parser<LexerType>::parseModuleSourceElements):
2429         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2430         (JSC::Parser<LexerType>::createBindingPattern):
2431         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2432         (JSC::Parser<LexerType>::parseClassDeclaration):
2433         (JSC::Parser<LexerType>::parseExportSpecifier):
2434         (JSC::Parser<LexerType>::parseExportDeclaration):
2435         * parser/Parser.h:
2436         (JSC::Parser::exportName):
2437         (JSC::Parser<LexerType>::parse):
2438         (JSC::ModuleScopeData::create): Deleted.
2439         (JSC::ModuleScopeData::exportedBindings): Deleted.
2440         (JSC::ModuleScopeData::exportName): Deleted.
2441         (JSC::ModuleScopeData::exportBinding): Deleted.
2442         (JSC::Scope::Scope): Deleted.
2443         (JSC::Scope::setSourceParseMode): Deleted.
2444         (JSC::Scope::moduleScopeData): Deleted.
2445         (JSC::Scope::setIsModule): Deleted.
2446         * tests/modules/aliased-names.js: Added.
2447         * tests/modules/aliased-names/main.js: Added.
2448         (change):
2449         * tests/stress/modules-syntax-error-with-names.js:
2450         (export.Cocoa):
2451         (SyntaxError.Cannot.export.a.duplicate.name):
2452         * tests/test262.yaml:
2453
2454 2016-07-30  Mark Lam  <mark.lam@apple.com>
2455
2456         Assertion failure while setting the length of an ArrayClass array.
2457         https://bugs.webkit.org/show_bug.cgi?id=160381
2458         <rdar://problem/27328703>
2459
2460         Reviewed by Filip Pizlo.
2461
2462         When setting large length values, we're currently treating ArrayClass as a
2463         ContiguousIndexingType array.  This results in an assertion failure.  This is
2464         now fixed.
2465
2466         There are currently only 2 places where we create arrays with indexing type
2467         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2468         takes care of ArrayPrototype.
2469
2470         RuntimeArray already checks for the setting of its length property, and will
2471         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
2472         Instead, I added some test cases to ensure that the check and throw behavior does
2473         not change without notice.
2474
2475         * runtime/JSArray.cpp:
2476         (JSC::JSArray::setLength):
2477         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2478         (toString):
2479         (assertEqual):
2480         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2481         (toString):
2482         (assertEqual):
2483
2484 2016-07-29  Keith Miller  <keith_miller@apple.com>
2485
2486         TypedArray super constructor has some incompatibilities
2487         https://bugs.webkit.org/show_bug.cgi?id=160369
2488
2489         Reviewed by Filip Pizlo.
2490
2491         This patch fixes the length property of the TypedArray super constructor.
2492         Additionally, the TypedArray super constructor should no longer be callable.
2493
2494         Also, this patch fixes the expected result of some test262 tests.
2495
2496         * runtime/JSTypedArrayViewConstructor.cpp:
2497         (JSC::JSTypedArrayViewConstructor::finishCreation):
2498         (JSC::constructTypedArrayView):
2499         (JSC::JSTypedArrayViewConstructor::getCallData):
2500         * tests/test262.yaml:
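
The two properties this entry fixes (the `length` of %TypedArray% and its non-callability) can be probed from script even though %TypedArray% has no global name. The probe below is an added example, not code from the patch or from test262; it reaches the intrinsic through the prototype chain of a concrete view constructor and reports what a conformance check would assert.

```javascript
'use strict';

// %TypedArray% is the [[Prototype]] of every concrete typed array
// constructor; that is the only way script can get hold of it.
const TypedArray = Object.getPrototypeOf(Uint8Array);

function throwsTypeError(fn) {
  try { fn(); } catch (e) { return e instanceof TypeError; }
  return false;
}

// Per the spec, %TypedArray% has length 0, throws a TypeError when called,
// and throws a TypeError when constructed directly; only its subclasses
// build views.
function probeTypedArrayIntrinsic() {
  return {
    name: TypedArray.name,                                   // "TypedArray"
    length: TypedArray.length,                               // 0
    callThrows: throwsTypeError(() => TypedArray(8)),        // true
    constructThrows: throwsTypeError(() => new TypedArray(8)), // true
    sharedBySubclasses: [Int8Array, Uint16Array, Float64Array]
      .every((C) => Object.getPrototypeOf(C) === TypedArray), // true
    subclassConstructs: new Uint8Array(4).length === 4,       // true
  };
}
```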
2501
2502 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2503
2504         Undefined Behavior in JSValue cast from NaN
2505         https://bugs.webkit.org/show_bug.cgi?id=160322
2506
2507         Reviewed by Mark Lam.
2508
2509         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2510
2511         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2512         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2513         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2514         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
2515         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
2516
2517         * runtime/JSCJSValueInlines.h:
2518         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
2519
2520 2016-07-29  Michael Saboff  <msaboff@apple.com>
2521
2522         Refactor DFG::Node::hasLocal() to accessesStack()
2523         https://bugs.webkit.org/show_bug.cgi?id=160357
2524
2525         Reviewed by Filip Pizlo.
2526
2527         Refactoring in preparation for using register arguments for JavaScript calls.
2528
2529         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2530         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2531         use guards stack operation logic associated with the Node's VariableAccessData.
2532
2533         The hasVariableAccessData() check now implies no more than the node has a
2534         VariableAccessData and nothing about its use of that data to coordinate stack   
2535         accesses.
2536
2537         * dfg/DFGGraph.cpp:
2538         (JSC::DFG::Graph::dump):
2539         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2540         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2541         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2542         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2543         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2544         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2545         * dfg/DFGNode.h:
2546         (JSC::DFG::Node::containsMovHint):
2547         (JSC::DFG::Node::accessesStack):
2548         (JSC::DFG::Node::hasLocal): Deleted.
2549         * dfg/DFGPredictionInjectionPhase.cpp:
2550         (JSC::DFG::PredictionInjectionPhase::run):
2551         * dfg/DFGValidate.cpp:
2552
2553 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2554
2555         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2556         https://bugs.webkit.org/show_bug.cgi?id=160346
2557
2558         Reviewed by Geoffrey Garen.
2559
2560         In Air, we minimized memory accesses during liveness analysis
2561         with a couple of tricks:
2562         -Use a single Sparse Set ADT for the live value of each block.
2563         -Manipulate compact positive indices instead of hashing values.
2564
2565         This patch brings the same ideas to DFG.
2566
2567         This patch still uses the same fixpoint algorithms.
2568         The reason is Edge's KillStatus used by other phases. We cannot
2569         use a block-boundary liveness algorithm and update KillStatus
2570         simultaneously. It's something I'll probably revisit at some point.
2571
2572         * dfg/DFGAbstractInterpreterInlines.h:
2573         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2574         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2575         * dfg/DFGBasicBlock.h:
2576         * dfg/DFGGraph.h:
2577         (JSC::DFG::Graph::maxNodeCount):
2578         (JSC::DFG::Graph::nodeAt):
2579         * dfg/DFGInPlaceAbstractState.cpp:
2580         (JSC::DFG::setLiveValues):
2581         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2582         * dfg/DFGLivenessAnalysisPhase.cpp:
2583         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2584         (JSC::DFG::LivenessAnalysisPhase::run):
2585         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2586         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2587         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2588
2589 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2590
2591         Unreviewed, ByValInfo is only used in JIT enabled environments
2592         https://bugs.webkit.org/show_bug.cgi?id=158908
2593
2594         * bytecode/CodeBlock.cpp:
2595         (JSC::CodeBlock::stronglyVisitStrongReferences):
2596
2597 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2598
2599         JSC::Symbol should be hash-consed
2600         https://bugs.webkit.org/show_bug.cgi?id=158908
2601
2602         Reviewed by Filip Pizlo.
2603
2604         Previously, SymbolImpls held by symbols represent identity of symbols.
2605         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
2606
2607         This patch performs hash-consing onto the symbols. We cache symbols in per-VM's SymbolImpl-keyed WeakGCMap.
2608         When creating a new symbol from SymbolImpl, we first query to this map and reuse the previously created symbol
2609         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2610         pointer-comparison to query the equality of symbols.
2611
2612         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
2613         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2614         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2615         case is handled by CheckCell.
2616
2617         Additionally, this patch also cleans up Map / Set implementation since we can use the logic for JSCell to symbols.
2618
2619         The performance effects in the related benchmarks are the followings.
2620
2621                                                                baseline                   patch
2622
2623             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2624             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2625             fold-put-by-val-with-symbol-to-multi-put-by-offset
2626                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2627             inlined-put-by-val-with-symbol-transition
2628                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2629             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2630             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2631                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2632             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2633             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2634             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2635             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2636             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2637                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2638             get-by-val-with-symbol-chain-from-try-block
2639                                                             2.2316+-0.0179            2.2137+-0.0210
2640             get-by-val-with-symbol-bimorphic-check-structure-elimination
2641                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2642             get-by-val-with-symbol-check-structure-elimination
2643                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2644             put-by-val-with-symbol-slightly-polymorphic
2645                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2646             put-by-val-with-symbol-replace-and-transition
2647                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2648
2649             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2650
2651         * bytecode/ByValInfo.h:
2652         * bytecode/CodeBlock.cpp:
2653         (JSC::CodeBlock::stronglyVisitStrongReferences):
2654         * dfg/DFGAbstractInterpreterInlines.h:
2655         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2656         * dfg/DFGByteCodeParser.cpp:
2657         (JSC::DFG::ByteCodeParser::parseBlock):
2658         * dfg/DFGClobberize.h:
2659         (JSC::DFG::clobberize):
2660         * dfg/DFGConstantFoldingPhase.cpp:
2661         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2662         * dfg/DFGDoesGC.cpp:
2663         (JSC::DFG::doesGC):
2664         * dfg/DFGFixupPhase.cpp:
2665         (JSC::DFG::FixupPhase::fixupNode):
2666         * dfg/DFGNode.h:
2667         (JSC::DFG::Node::hasUidOperand):
2668         * dfg/DFGNodeType.h:
2669         * dfg/DFGPredictionPropagationPhase.cpp:
2670         * dfg/DFGSafeToExecute.h:
2671         (JSC::DFG::safeToExecute):
2672         * dfg/DFGSpeculativeJIT.cpp:
2673         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2674         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2675         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2676         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2677         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2678         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2679         * dfg/DFGSpeculativeJIT.h:
2680         * dfg/DFGSpeculativeJIT32_64.cpp:
2681         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2682         (JSC::DFG::SpeculativeJIT::compile):
2683         * dfg/DFGSpeculativeJIT64.cpp:
2684         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2685         (JSC::DFG::SpeculativeJIT::compile):
2686         * ftl/FTLAbstractHeapRepository.h:
2687         * ftl/FTLCapabilities.cpp:
2688         (JSC::FTL::canCompile):
2689         * ftl/FTLLowerDFGToB3.cpp:
2690         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2691         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2692         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2693         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2694         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2695         * jit/JIT.h:
2696         * jit/JITOperations.cpp:
2697         (JSC::tryGetByValOptimize):
2698         * jit/JITPropertyAccess.cpp:
2699         (JSC::JIT::emitGetByValWithCachedId):
2700         (JSC::JIT::emitPutByValWithCachedId):
2701         (JSC::JIT::emitByValIdentifierCheck):
2702         (JSC::JIT::privateCompileGetByValWithCachedId):
2703         (JSC::JIT::privateCompilePutByValWithCachedId):
2704         (JSC::JIT::emitIdentifierCheck): Deleted.
2705         * jit/JITPropertyAccess32_64.cpp:
2706         (JSC::JIT::emitGetByValWithCachedId):
2707         (JSC::JIT::emitPutByValWithCachedId):
2708         * runtime/JSCJSValue.cpp:
2709         (JSC::JSValue::dumpInContextAssumingStructure):
2710         * runtime/JSCJSValueInlines.h:
2711         (JSC::JSValue::equalSlowCaseInline):
2712         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2713         * runtime/JSFunction.cpp:
2714         (JSC::JSFunction::setFunctionName):
2715         * runtime/MapData.h:
2716         * runtime/MapDataInlines.h:
2717         (JSC::JSIterator>::clear): Deleted.
2718         (JSC::JSIterator>::find): Deleted.
2719         (JSC::JSIterator>::add): Deleted.
2720         (JSC::JSIterator>::remove): Deleted.
2721         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2722         * runtime/Symbol.cpp:
2723         (JSC::Symbol::finishCreation):
2724         (JSC::Symbol::create):
2725         * runtime/Symbol.h:
2726         * runtime/VM.cpp:
2727         (JSC::VM::VM):
2728         * runtime/VM.h:
2729         * tests/stress/symbol-equality-over-gc.js: Added.
2730         (shouldBe):
2731         (test):
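
The hash-consing scheme described in this entry, as an added example that is not JavaScriptCore code: a SymbolImpl-keyed table hands out one Symbol cell per impl, so equality becomes a pointer compare. The per-VM WeakGCMap is modelled with std::weak_ptr entries (an assumption standing in for the GC), which is what keeps the table from pinning symbols alive.

```cpp
// Added example (not JavaScriptCore code): hash-consing of Symbol objects
// keyed by their SymbolImpl, so that symbol equality is a pointer compare.
// The per-VM WeakGCMap from the patch is modelled with std::weak_ptr
// entries: the table never keeps a Symbol alive on its own.
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>

// Stand-in for JSC's SymbolImpl: the unique, immutable description of a symbol.
struct SymbolImpl {
    std::string description;
};

// Stand-in for JSC's Symbol cell; its identity is the object address.
struct Symbol {
    const SymbolImpl* impl;
    explicit Symbol(const SymbolImpl* i) : impl(i) {}
};

// Stand-in for the VM that owns the SymbolImpl-keyed weak map.
class VM {
public:
    // Symbol::create(): return the cached Symbol for this impl if it is still
    // alive, otherwise allocate one and remember it weakly.
    std::shared_ptr<Symbol> createSymbol(const SymbolImpl* impl) {
        auto it = m_symbols.find(impl);
        if (it != m_symbols.end()) {
            if (auto existing = it->second.lock())
                return existing;       // hit: reuse, keeping the mapping one-to-one
            m_symbols.erase(it);       // stale entry: the old cell was collected
        }
        auto fresh = std::make_shared<Symbol>(impl);
        m_symbols.emplace(impl, fresh);
        return fresh;
    }

    // Number of live entries, after pruning those whose Symbol has died
    // (the WeakGCMap does this pruning as part of GC).
    std::size_t liveSymbolCount() {
        for (auto it = m_symbols.begin(); it != m_symbols.end();) {
            if (it->second.expired())
                it = m_symbols.erase(it);
            else
                ++it;
        }
        return m_symbols.size();
    }

private:
    std::unordered_map<const SymbolImpl*, std::weak_ptr<Symbol>> m_symbols;
};

// With hash-consing, symbol equality is cell-pointer equality (what DFG
// CheckCell relies on). Before the patch both SymbolImpls had to be loaded.
inline bool symbolsEqual(const Symbol* a, const Symbol* b) { return a == b; }

// Exercise the invariant the patch's symbol-equality-over-gc stress test is
// about: the same impl yields the same cell while it is alive, the table does
// not keep it alive, and after collection a fresh cell can be handed out.
// Returns true if every check passed.
bool hashConsingHoldsAcrossCollection() {
    VM vm;
    SymbolImpl foo{"foo"};
    SymbolImpl bar{"bar"};

    auto s1 = vm.createSymbol(&foo);
    auto s2 = vm.createSymbol(&foo);
    auto s3 = vm.createSymbol(&bar);
    bool same = symbolsEqual(s1.get(), s2.get());
    bool distinct = !symbolsEqual(s1.get(), s3.get());
    bool twoLive = vm.liveSymbolCount() == 2;

    // "GC": drop every strong reference to the "foo" symbol. The weak entry
    // must not have kept it alive, and a later lookup must get a fresh cell.
    s1.reset();
    s2.reset();
    bool collected = vm.liveSymbolCount() == 1;
    auto s4 = vm.createSymbol(&foo);
    bool freshCell = s4->impl == &foo && vm.liveSymbolCount() == 2;

    return same && distinct && twoLive && collected && freshCell;
}
```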
2732
2733 2016-07-28  Mark Lam  <mark.lam@apple.com>
2734
2735         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2736         https://bugs.webkit.org/show_bug.cgi?id=160324
2737         <rdar://problem/27389572>
2738
2739         Reviewed by Keith Miller.
2740
2741         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2742         generate the error string even when the name string can be a single character
2743         string.  This is incorrect.  We should be using jsString() instead.
2744
2745         * runtime/ErrorPrototype.cpp:
2746         (JSC::errorProtoFuncToString):
2747         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
2748
2749 2016-07-28  Michael Saboff  <msaboff@apple.com>
2750
2751         ARM64: Fused left shift with a right shift can create NaNs from integers
2752         https://bugs.webkit.org/show_bug.cgi?id=160329
2753
2754         Reviewed by Geoffrey Garen.
2755
2756         When we fuse a left shift and a right shift of integers where the shift amounts
2757         are the same and the size of the quantity being shifted is 8 bits, we rightly
2758         generate a sign extend byte instruction.  On ARM64, we were sign extending
2759         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2760
2761         Checking the ARM64 macro assembler, we were extending to 64 bits for all
2762         four combinations of zero / sign and 8 / 16 bits.
2763         
2764         * assembler/MacroAssemblerARM64.h:
2765         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2766         (JSC::MacroAssemblerARM64::signExtend16To32):
2767         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2768         (JSC::MacroAssemblerARM64::signExtend8To32):
2769         * tests/stress/regress-160329.js: New test added.
2770         (narrow):
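
A differential check of the fused-shift peephole this entry describes, as an added example that is not JavaScriptCore code: a 64-bit register is modelled as a uint64_t, the unfused 32-bit shift pair is compared against a sign-extend-to-32 and a sign-extend-to-64 candidate over every low-byte value, and only the 32-bit form matches. The helper names and the junk pattern in bits 8..31 are assumptions of the example.

```cpp
// Added example (not JavaScriptCore code): differential check of the
// "(x << 24) >> 24"  ==>  "sign-extend low byte" peephole on a modelled
// 64-bit ARM64 register. 32-bit (W-register) instructions clear the upper
// 32 bits of the register; a 64-bit sign extension sets them for negative
// bytes, which is the mismatch the patch fixes.
#include <cstdint>

using Reg = uint64_t;

// The unfused sequence: a 32-bit logical shift left followed by a 32-bit
// arithmetic shift right, both writing a W register (upper 32 bits zeroed).
Reg shiftLeftThenRight32(Reg x, unsigned amount) {
    uint32_t lo = static_cast<uint32_t>(x);
    uint32_t shifted = lo << amount;
    int32_t back = static_cast<int32_t>(shifted) >> amount; // arithmetic shift
    return static_cast<uint32_t>(back);                     // upper 32 bits zero
}

// Correct fused form (signExtend8To32 after the patch): sign-extend the low
// byte into a 32-bit result, leaving bits 32..63 clear.
Reg signExtend8To32(Reg x) {
    int32_t v = static_cast<int8_t>(static_cast<uint8_t>(x));
    return static_cast<uint32_t>(v);
}

// The pre-patch behaviour: sign-extend the low byte into all 64 bits.
// For a negative byte, bits 32..63 become ones.
Reg signExtend8To64(Reg x) {
    int64_t v = static_cast<int8_t>(static_cast<uint8_t>(x));
    return static_cast<uint64_t>(v);
}

// Count the low-byte values for which a candidate fused form disagrees with
// the unfused shift pair by 24. Bits 8..31 carry a constructed junk pattern
// that the shifts must discard. 0 means the peephole is a valid replacement.
unsigned countMismatches(Reg (*fused)(Reg)) {
    unsigned mismatches = 0;
    for (uint32_t b = 0; b < 256; ++b) {
        Reg x = 0x7a5b3c00u | b;     // constructed: junk above the low byte
        if (shiftLeftThenRight32(x, 24) != fused(x))
            ++mismatches;
    }
    return mismatches;
}
```

Every byte with the sign bit set (128 of the 256) diverges under the 64-bit extension, which is how a value that was an int32 with zeroed upper bits ends up with garbage above bit 31.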
2771
2772 2016-07-28  Mark Lam  <mark.lam@apple.com>
2773
2774         StringView should have an explicit m_is8Bit field.
2775         https://bugs.webkit.org/show_bug.cgi?id=160282
2776         <rdar://problem/27327943>
2777
2778         Reviewed by Benjamin Poulain.
2779
2780         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2781         (catch):
2782
2783 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2784
2785         [ARM] Typo fix after r121885
2786         https://bugs.webkit.org/show_bug.cgi?id=160288
2787
2788         Reviewed by Zoltan Herczeg.
2789
2790         * assembler/MacroAssemblerARM.h:
2791         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2792
2793 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2794
2795         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2796         https://bugs.webkit.org/show_bug.cgi?id=159711
2797
2798         Reviewed by Mark Lam.
2799
2800         * assembler/ARMAssembler.cpp:
2801         (JSC::ARMAssembler::prepareExecutableCopy):
2802
2803 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2804
2805         [JSC] Remove some unused code from FTL
2806         https://bugs.webkit.org/show_bug.cgi?id=160285
2807
2808         Reviewed by Mark Lam.
2809
2810         All the liveness and swapping is done inside B3,
2811         this code is no longer needed.
2812
2813         * dfg/DFGEdge.h:
2814         (JSC::DFG::Edge::doesNotKill): Deleted.
2815         * ftl/FTLLowerDFGToB3.cpp:
2816         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2817
2818 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2819
2820         [JSC] DFG::Node should not have its own allocator
2821         https://bugs.webkit.org/show_bug.cgi?id=160098
2822
2823         Reviewed by Geoffrey Garen.
2824
2825         We need some design changes for DFG::Node:
2826         -Accessing the index must be fast. B3 uses indices for sets
2827          and maps; it is a lot faster than hashing pointers.
2828         -We should be able to subclass DFG::Node to specialize it.
2829
2830         * CMakeLists.txt:
2831         * JavaScriptCore.xcodeproj/project.pbxproj:
2832         * dfg/DFGAllocator.h: Removed.
2833         (JSC::DFG::Allocator::Region::size): Deleted.
2834         (JSC::DFG::Allocator::Region::headerSize): Deleted.
2835         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
2836         (JSC::DFG::Allocator::Region::data): Deleted.
2837         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
2838         (JSC::DFG::Allocator::Region::regionFor): Deleted.
2839         (JSC::DFG::Allocator<T>::Allocator): Deleted.
2840         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
2841         (JSC::DFG::Allocator<T>::allocate): Deleted.
2842         (JSC::DFG::Allocator<T>::free): Deleted.
2843         (JSC::DFG::Allocator<T>::freeAll): Deleted.
2844         (JSC::DFG::Allocator<T>::reset): Deleted.
2845         (JSC::DFG::Allocator<T>::indexOf): Deleted.
2846         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
2847         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
2848         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
2849         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
2850         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
2851         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
2852         * dfg/DFGByteCodeParser.cpp:
2853         (JSC::DFG::ByteCodeParser::addToGraph):
2854         * dfg/DFGCPSRethreadingPhase.cpp:
2855         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2856         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
2857         * dfg/DFGCleanUpPhase.cpp:
2858         (JSC::DFG::CleanUpPhase::run):
2859         * dfg/DFGConstantFoldingPhase.cpp:
2860         (JSC::DFG::ConstantFoldingPhase::run):
2861         * dfg/DFGConstantHoistingPhase.cpp:
2862         * dfg/DFGDCEPhase.cpp:
2863         (JSC::DFG::DCEPhase::fixupBlock):
2864         * dfg/DFGDriver.cpp:
2865         (JSC::DFG::compileImpl):
2866         * dfg/DFGGraph.cpp:
2867         (JSC::DFG::Graph::Graph):
2868         (JSC::DFG::Graph::deleteNode):
2869         (JSC::DFG::Graph::killBlockAndItsContents):
2870         (JSC::DFG::Graph::~Graph): Deleted.
2871         * dfg/DFGGraph.h:
2872         (JSC::DFG::Graph::addNode):
2873         * dfg/DFGLICMPhase.cpp:
2874         (JSC::DFG::LICMPhase::attemptHoist):
2875         * dfg/DFGLongLivedState.cpp: Removed.
2876         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
2877         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
2878         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
2879         * dfg/DFGLongLivedState.h: Removed.
2880         * dfg/DFGNode.cpp:
2881         (JSC::DFG::Node::index): Deleted.
2882         * dfg/DFGNode.h:
2883         (JSC::DFG::Node::index):
2884         * dfg/DFGNodeAllocator.h: Removed.
2885         (operator new ): Deleted.
2886         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2887         * dfg/DFGPlan.cpp:
2888         (JSC::DFG::Plan::compileInThread):
2889         (JSC::DFG::Plan::compileInThreadImpl):
2890         * dfg/DFGPlan.h:
2891         * dfg/DFGSSAConversionPhase.cpp:
2892         (JSC::DFG::SSAConversionPhase::run):
2893         * dfg/DFGWorklist.cpp:
2894         (JSC::DFG::Worklist::runThread):
2895         * runtime/VM.cpp:
2896         (JSC::VM::VM): Deleted.
2897         * runtime/VM.h:
2898
2899 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2900
2901         [JSC] Fix a bunch of use-after-free of DFG::Node
2902         https://bugs.webkit.org/show_bug.cgi?id=160228
2903
2904         Reviewed by Mark Lam.
2905
2906         FTL had a few places where we use a node after it has been
2907         deleted. The dangling pointers come from the SSA liveness information
2908         kept on the basic blocks.
2909
2910         This patch fixes the issues I could find and adds liveness invalidation
2911         to help find dependencies like these.
2912
2913         * dfg/DFGBasicBlock.h:
2914         (JSC::DFG::BasicBlock::SSAData::invalidate):
2915
2916         * dfg/DFGConstantFoldingPhase.cpp:
2917         (JSC::DFG::ConstantFoldingPhase::run):
2918         Constant folding phase was deleting nodes in the loop over basic blocks.
2919         The problem is the deleted nodes can be referenced by other blocks.
2920         When the abstract interpreter was manipulating the abstract values of those,
2921         it was doing so on the dead nodes.
2922
2923         * dfg/DFGConstantHoistingPhase.cpp:
2924         Just invalidation. Nothing wrong here since the useless nodes were
2925         kept live while iterating the blocks.
2926
2927         * dfg/DFGGraph.cpp:
2928         (JSC::DFG::Graph::killBlockAndItsContents):
2929         (JSC::DFG::Graph::killUnreachableBlocks):
2930         (JSC::DFG::Graph::invalidateNodeLiveness):
2931
2932         * dfg/DFGGraph.h:
2933         * dfg/DFGPlan.cpp:
2934         (JSC::DFG::Plan::compileInThreadImpl):
2935         We had a lot of use-after-free in LICM because we were using the stale
2936         live nodes deleted by previous phases.
2937
2938 2016-07-27  Keith Miller  <keith_miller@apple.com>
2939
2940         concatAppendOne should allocate using the indexing type of the array if it cannot merge
2941         https://bugs.webkit.org/show_bug.cgi?id=160261
2942         <rdar://problem/27530122>
2943
2944         Reviewed by Mark Lam.
2945
2946         Before, if we could not merge the indexing types for copying, we would allocate the
2947         the array as ArrayWithUndecided. Instead, we should allocate an array with the original
2948         array's indexing type.
2949
2950         * runtime/ArrayPrototype.cpp:
2951         (JSC::concatAppendOne):
2952         * tests/stress/concat-append-one-with-sparse-array.js: Added.
2953
2954 2016-07-27  Saam Barati  <sbarati@apple.com>
2955
2956         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
2957         https://bugs.webkit.org/show_bug.cgi?id=160211
2958         <rdar://problem/27572612>
2959
2960         Reviewed by Geoffrey Garen.
2961
2962         The fast for-in iteration mode assumes all inline/out-of-line properties
2963         can be iterated in linear order. This is not true if we have Symbols
2964         because Symbols should not be iterated by for-in.
2965
2966         * runtime/Structure.cpp:
2967         (JSC::Structure::add):
2968         * tests/stress/symbol-should-not-break-for-in.js: Added.
2969         (assert):
2970         (foo):
2971
2972 2016-07-27  Mark Lam  <mark.lam@apple.com>
2973
2974         The second argument for Function.prototype.apply should be array-like or null/undefined.
2975         https://bugs.webkit.org/show_bug.cgi?id=160212
2976         <rdar://problem/27328525>
2977
2978         Reviewed by Filip Pizlo.
2979
2980         The spec for Function.prototype.apply says its second argument can only be null or
2981         undefined, or must be array-like.  See
2982         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
2983         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
2984
2985         Our previous implementation was not handling this correctly for SymbolType.
2986         This is now fixed.
2987
2988         * interpreter/Interpreter.cpp:
2989         (JSC::sizeOfVarargs):
2990         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
2991
2992 2016-07-27  Saam Barati  <sbarati@apple.com>
2993
2994         MathICs should be able to emit only a jump along the inline path when they don't have any type data
2995         https://bugs.webkit.org/show_bug.cgi?id=160110
2996
2997         Reviewed by Mark Lam.
2998
2999         This patch allows for MathIC fast-path generation to be delayed.
3000         We delay when we don't see any observed type information for
3001         the lhs/rhs operand, which implies that the MathIC has never
3002         executed. This is profitable for two main reasons:
3003         1. If the math operation never executes, we emit much less code.
3004         2. Once we get type information for the lhs/rhs, we can emit better code.
3005
3006         To implement this, we just emit a jump to the slow path call
3007         that will repatch on first execution.
3008
3009         New data for add:
3010                    |   JetStream  |  Unity 3D  |
3011              ------| -------------|--------------
3012               Old  |   148 bytes  |  143 bytes |
3013              ------| -------------|--------------
3014               New  |   116  bytes |  113 bytes |
3015              ------------------------------------
3016
3017         New data for mul:
3018                    |   JetStream  |  Unity 3D  |
3019              ------| -------------|--------------
3020               Old  |   210 bytes  |  185 bytes |
3021              ------| -------------|--------------
3022               New  |   170  bytes |  137 bytes |
3023              ------------------------------------
3024
3025         * jit/JITAddGenerator.cpp:
3026         (JSC::JITAddGenerator::generateInline):
3027         * jit/JITAddGenerator.h:
3028         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3029         (JSC::JITAddGenerator::isRightOperandValidConstant):
3030         (JSC::JITAddGenerator::arithProfile):
3031         * jit/JITMathIC.h:
3032         (JSC::JITMathIC::generateInline):
3033         (JSC::JITMathIC::generateOutOfLine):
3034         (JSC::JITMathIC::finalizeInlineCode):
3035         * jit/JITMathICInlineResult.h:
3036         * jit/JITMulGenerator.cpp:
3037         (JSC::JITMulGenerator::generateInline):
3038         * jit/JITMulGenerator.h:
3039         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3040         (JSC::JITMulGenerator::isRightOperandValidConstant):
3041         (JSC::JITMulGenerator::arithProfile):
3042         * jit/JITOperations.cpp:
3043
3044 2016-07-26  Saam Barati  <sbarati@apple.com>
3045
3046         rollout r203666
3047         https://bugs.webkit.org/show_bug.cgi?id=160226
3048
3049         Unreviewed rollout.
3050
3051         * b3/B3BasicBlock.h:
3052         (JSC::B3::BasicBlock::successorBlock):
3053         * b3/B3LowerToAir.cpp:
3054         (JSC::B3::Air::LowerToAir::createGenericCompare):
3055         * b3/B3LowerToAir.h:
3056         * b3/air/AirArg.cpp:
3057         (JSC::B3::Air::Arg::isRepresentableAs):
3058         (JSC::B3::Air::Arg::usesTmp):
3059         * b3/air/AirArg.h:
3060         (JSC::B3::Air::Arg::isRepresentableAs):
3061         (JSC::B3::Air::Arg::asNumber):
3062         (JSC::B3::Air::Arg::castToType): Deleted.
3063         * b3/air/AirCode.h:
3064         (JSC::B3::Air::Code::size):
3065         (JSC::B3::Air::Code::at):
3066         * b3/air/AirOpcode.opcodes:
3067         * b3/air/AirValidate.h:
3068         * b3/air/opcode_generator.rb:
3069         * b3/testb3.cpp:
3070         (JSC::B3::compileAndRun):
3071         (JSC::B3::testSomeEarlyRegister):
3072         (JSC::B3::zero):
3073         (JSC::B3::run):
3074         (JSC::B3::lowerToAirForTesting): Deleted.
3075         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3076
3077 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3078
3079         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3080         https://bugs.webkit.org/show_bug.cgi?id=159409
3081
3082         Reviewed by Geoffrey Garen.
3083
3084         * runtime/ObjectConstructor.cpp:
3085         (JSC::objectConstructorGetOwnPropertyDescriptors):
3086         * tests/es6.yaml:
3087         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3088         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3089         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3090         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3091         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
3092
3093 2016-07-26  Mark Lam  <mark.lam@apple.com>
3094
3095         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3096         https://bugs.webkit.org/show_bug.cgi?id=160203
3097
3098         Reviewed by Keith Miller.
3099
3100         * bytecompiler/BytecodeGenerator.cpp:
3101         (JSC::BytecodeGenerator::emitDebugHook):
3102
3103 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3104
3105         Unreviewed, rolling out r203703.
3106
3107         It breaks some internal tests
3108
3109         Reverted changeset:
3110
3111         "[JSC] DFG::Node should not have its own allocator"
3112         https://bugs.webkit.org/show_bug.cgi?id=160098
3113         http://trac.webkit.org/changeset/203703
3114
3115 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3116
3117         [JSC] DFG::Node should not have its own allocator
3118         https://bugs.webkit.org/show_bug.cgi?id=160098
3119
3120         Reviewed by Geoffrey Garen.
3121
3122         We need some design changes for DFG::Node:
3123         -Accessing the index must be fast. B3 uses indices for sets
3124          and maps; it is a lot faster than hashing pointers.
3125         -We should be able to subclass DFG::Node to specialize it.
3126
3127         * CMakeLists.txt:
3128         * JavaScriptCore.xcodeproj/project.pbxproj:
3129         * dfg/DFGAllocator.h: Removed.
3130         (JSC::DFG::Allocator::Region::size): Deleted.
3131         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3132         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3133         (JSC::DFG::Allocator::Region::data): Deleted.
3134         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3135         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3136         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3137         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3138         (JSC::DFG::Allocator<T>::allocate): Deleted.
3139         (JSC::DFG::Allocator<T>::free): Deleted.
3140         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3141         (JSC::DFG::Allocator<T>::reset): Deleted.
3142         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3143         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3144         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3145         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3146         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3147         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3148         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3149         * dfg/DFGByteCodeParser.cpp:
3150         (JSC::DFG::ByteCodeParser::addToGraph):
3151         * dfg/DFGCPSRethreadingPhase.cpp:
3152         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3153         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3154         * dfg/DFGCleanUpPhase.cpp:
3155         (JSC::DFG::CleanUpPhase::run):
3156         * dfg/DFGConstantFoldingPhase.cpp:
3157         (JSC::DFG::ConstantFoldingPhase::run):
3158         * dfg/DFGConstantHoistingPhase.cpp:
3159         * dfg/DFGDCEPhase.cpp:
3160         (JSC::DFG::DCEPhase::fixupBlock):
3161         * dfg/DFGDriver.cpp:
3162         (JSC::DFG::compileImpl):
3163         * dfg/DFGGraph.cpp:
3164         (JSC::DFG::Graph::Graph):
3165         (JSC::DFG::Graph::deleteNode):
3166         (JSC::DFG::Graph::killBlockAndItsContents):
3167         (JSC::DFG::Graph::~Graph): Deleted.
3168         * dfg/DFGGraph.h:
3169         (JSC::DFG::Graph::addNode):
3170         * dfg/DFGLICMPhase.cpp:
3171         (JSC::DFG::LICMPhase::attemptHoist):
3172         * dfg/DFGLongLivedState.cpp: Removed.
3173         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3174         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3175         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3176         * dfg/DFGLongLivedState.h: Removed.
3177         * dfg/DFGNode.cpp:
3178         (JSC::DFG::Node::index): Deleted.
3179         * dfg/DFGNode.h:
3180         (JSC::DFG::Node::index):
3181         * dfg/DFGNodeAllocator.h: Removed.
3182         (operator new ): Deleted.
3183         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3184         * dfg/DFGPlan.cpp:
3185         (JSC::DFG::Plan::compileInThread):
3186         (JSC::DFG::Plan::compileInThreadImpl):
3187         * dfg/DFGPlan.h:
3188         * dfg/DFGSSAConversionPhase.cpp:
3189         (JSC::DFG::SSAConversionPhase::run):
3190         * dfg/DFGWorklist.cpp:
3191         (JSC::DFG::Worklist::runThread):
3192         * runtime/VM.cpp:
3193         (JSC::VM::VM): Deleted.
3194         * runtime/VM.h:
3195
3196 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
3197
3198         AssemblyHelpers should own all of the cell allocation methods
3199         https://bugs.webkit.org/show_bug.cgi?id=160171
3200
3201         Reviewed by Saam Barati.
3202         
3203         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
3204         did cell allocation.
3205         
3206         This change moves all of that code into AssemblyHelpers.h.
3207
3208         * dfg/DFGSpeculativeJIT.h:
3209         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3210         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3211         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3212         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3213         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3214         * jit/AssemblyHelpers.h:
3215         (JSC::AssemblyHelpers::emitAllocate):
3216         (JSC::AssemblyHelpers::emitAllocateJSCell):
3217         (JSC::AssemblyHelpers::emitAllocateJSObject):
3218         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3219         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3220         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3221         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3222         * jit/JIT.h:
3223         * jit/JITInlines.h:
3224         (JSC::JIT::isOperandConstantChar):
3225         (JSC::JIT::emitValueProfilingSite):
3226         (JSC::JIT::emitAllocateJSObject): Deleted.
3227         * jit/JITOpcodes.cpp:
3228         (JSC::JIT::emit_op_new_object):
3229         (JSC::JIT::emit_op_create_this):
3230         * jit/JITOpcodes32_64.cpp:
3231         (JSC::JIT::emit_op_new_object):
3232         (JSC::JIT::emit_op_create_this):
3233
3234 2016-07-25  Saam Barati  <sbarati@apple.com>
3235
3236         MathICs should be able to take and dump stats about code size
3237         https://bugs.webkit.org/show_bug.cgi?id=160148
3238
3239         Reviewed by Filip Pizlo.
3240
3241         This will make testing changes on MathIC going forward much easier.
3242         We will be able to easily see if modifications to MathIC will lead
3243         to us generating smaller code. We now only dump average size when we
3244         regenerate any MathIC. This works out for large tests/pages, but is not
3245         great for testing small programs. We can add more dump points later if
3246         we find that we want to dump stats while running small programs.
3247
3248         * bytecode/CodeBlock.cpp:
3249         (JSC::CodeBlock::jitSoon):
3250         (JSC::CodeBlock::dumpMathICStats):
3251         * bytecode/CodeBlock.h:
3252         (JSC::CodeBlock::isStrictMode):
3253         (JSC::CodeBlock::ecmaMode):
3254         * dfg/DFGSpeculativeJIT.cpp:
3255         (JSC::DFG::SpeculativeJIT::compileMathIC):
3256         * ftl/FTLLowerDFGToB3.cpp:
3257         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3258         * jit/JITArithmetic.cpp:
3259         (JSC::JIT::emitMathICFast):
3260         (JSC::JIT::emitMathICSlow):
3261         * jit/JITMathIC.h:
3262         (JSC::JITMathIC::finalizeInlineCode):
3263         (JSC::JITMathIC::codeSize):
3264         * jit/JITOperations.cpp:
3265
3266 2016-07-25  Saam Barati  <sbarati@apple.com>
3267
3268         op_mul/ArithMul(Untyped,Untyped) should be an IC
3269         https://bugs.webkit.org/show_bug.cgi?id=160108
3270
3271         Reviewed by Mark Lam.
3272
3273         This patch makes Mul a type based IC in much the same way that we made
3274         Add a type-based IC. I implemented Mul in the same way. I abstracted the
3275         implementation of the Add IC in the various JITs to allow for it to
3276         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
3277         future easy. This patch also adds a new boolean argument to the various
3278         snippet generateFastPath() methods to indicate if we should emit result profiling.
3279         I added this because we want this profiling to be emitted for Mul in
3280         the baseline, but not in the DFG. We used to indicate this through passing
3281         in a nullptr for the ArithProfile, but we no longer do that in the upper
3282         JIT tiers. So we are passing an explicit request from the JIT tier about
3283         whether or not it's worth it for the IC to emit profiling.
3284
3285         We now emit much less code for Mul. Here is some data on the average
3286         Mul snippet/IC size:
3287
3288                    |   JetStream  |  Unity 3D  |
3289              ------| -------------|--------------
3290               Old  |  ~280 bytes  | ~280 bytes |
3291              ------| -------------|--------------
3292               New  |   210  bytes |  185 bytes |
3293              ------------------------------------
3294
3295         * bytecode/CodeBlock.cpp:
3296         (JSC::CodeBlock::addJITAddIC):
3297         (JSC::CodeBlock::addJITMulIC):
3298         (JSC::CodeBlock::findStubInfo):
3299         * bytecode/CodeBlock.h:
3300         (JSC::CodeBlock::stubInfoBegin):
3301         (JSC::CodeBlock::stubInfoEnd):
3302         * dfg/DFGSpeculativeJIT.cpp:
3303         (JSC::DFG::GPRTemporary::adopt):
3304         (JSC::DFG::FPRTemporary::FPRTemporary):
3305         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3306         (JSC::DFG::SpeculativeJIT::compileMathIC):
3307         (JSC::DFG::SpeculativeJIT::compileArithMul):
3308         * dfg/DFGSpeculativeJIT.h:
3309         (JSC::DFG::SpeculativeJIT::callOperation):
3310         (JSC::DFG::GPRTemporary::GPRTemporary):
3311         (JSC::DFG::GPRTemporary::operator=):
3312         (JSC::DFG::FPRTemporary::~FPRTemporary):
3313         (JSC::DFG::FPRTemporary::fpr):
3314         * ftl/FTLLowerDFGToB3.cpp:
3315         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
3316         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3317         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3318         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3319         * jit/JIT.h:
3320         (JSC::JIT::getSlowCase):
3321         * jit/JITAddGenerator.cpp:
3322         (JSC::JITAddGenerator::generateInline):
3323         (JSC::JITAddGenerator::generateFastPath):
3324         * jit/JITAddGenerator.h:
3325         (JSC::JITAddGenerator::JITAddGenerator):
3326         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3327         (JSC::JITAddGenerator::isRightOperandValidConstant):
3328         * jit/JITArithmetic.cpp:
3329         (JSC::JIT::emit_op_add):
3330         (JSC::JIT::emitSlow_op_add):
3331         (JSC::JIT::emitMathICFast):
3332         (JSC::JIT::emitMathICSlow):
3333         (JSC::JIT::emit_op_mul):
3334         (JSC::JIT::emitSlow_op_mul):
3335         (JSC::JIT::emit_op_sub):
3336         * jit/JITInlines.h:
3337         (JSC::JIT::callOperat