[DFG] Should not fixup AnyIntUse in 32_64
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Should not fixup AnyIntUse in 32_64
        https://bugs.webkit.org/show_bug.cgi?id=161029

        Reviewed by Saam Barati.

        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
        If the 32bit DFG sees the TypeAnyInt, it should fall back to the NumberUse case.

        And this patch also fixes the case that the type set only contains TypeNumber. Previously,
        we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
        passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-08-20  Brian Burg  <bburg@apple.com>

        Remote Inspector: some methods don't need to be marked virtual anymore
        https://bugs.webkit.org/show_bug.cgi?id=161033

        Reviewed by Darin Adler.

        This probably happened when this code was last refactored and moved around.

        * inspector/remote/RemoteConnectionToTarget.h:

2016-08-19  Sam Weinig  <sam@webkit.org>

        Location.ancestorOrigins should return a FrozenArray<USVString>
        https://bugs.webkit.org/show_bug.cgi?id=161018

        Reviewed by Ryosuke Niwa and Chris Dumez.

        * runtime/ObjectConstructor.h:
        (JSC::objectConstructorFreeze):
        Export objectConstructorFreeze so it can be used to freeze DOM FrozenArrays.

2016-08-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ArithSqrt should work with any argument type
        https://bugs.webkit.org/show_bug.cgi?id=160954

        Reviewed by Saam Barati.

        Previously, ArithSqrt would always OSR Exit if the argument
        is not typed Integer, Double, or Boolean.
        Since we can't recover by generalizing to those, we continuously
        OSR Exit and recompile the same code over and over again.

        This patch introduces a fallback to handle the remaining types.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        * dfg/DFGMayExit.cpp:
        This is somewhat unrelated. While discussing the design of this
        with Filip, we decided not to use ToNumber+ArithSqrt despite
        the guarantee that ToNumber does not OSR Exit.
        Since it does not OSR Exit, we should say so in mayExitImpl().

        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Make custom Error properties (line, column, sourceURL) configurable and writable
        https://bugs.webkit.org/show_bug.cgi?id=160984
        <rdar://problem/27905979>

        Reviewed by Saam Barati.

        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::addErrorInfo):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Remove empty files and empty namespace blocks
        https://bugs.webkit.org/show_bug.cgi?id=160990

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ValueProfile.cpp: Removed.
        * runtime/WatchdogMac.cpp: Removed.
        * runtime/WatchdogNone.cpp: Removed.

        * runtime/StringIteratorPrototype.cpp:
        Remove empty namespace block.

        * runtime/JSDestructibleObject.h:
        Drive-by add missing copyright.

2016-08-19  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=160995

        Avoid setting unknown compile option on source file.

        Reviewed by Anders Carlsson.

        * CMakeLists.txt:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        ScopedArguments is using the wrong owner object for a write barrier.
        https://bugs.webkit.org/show_bug.cgi?id=160976
        <rdar://problem/27328506>

        Reviewed by Keith Miller.

        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::setIndexQuickly):

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Add LLINT probe() macro for X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=160968

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter.asm:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Remove unused SlotVisitor::append() variant.
        https://bugs.webkit.org/show_bug.cgi?id=160961

        Reviewed by Saam Barati.

        * heap/SlotVisitor.h:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::get):
        (JSC::SlotVisitor::append): Deleted.

2016-08-18  Saam Barati  <sbarati@apple.com>

        Make @Array(size) a bytecode intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=160867

        Reviewed by Mark Lam.

        There were a few places in the code where we were emitting `@Array(size)`
        or `new @Array(size)`. Since we have a bytecode operation that already
        represents this, called new_array_with_size, it's faster to just make a
        bytecode intrinsic for this operation. This patch does that and
        the intrinsic is called `@newArrayWithSize`. This might be around a
        1% speedup on ES6 sample bench, but it's within the noise. This is just
        a good bytecode operation to have because it's common enough to
        create arrays and it's good to make that fast in all tiers.

        * builtins/ArrayConstructor.js:
        (of):
        (from):
        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (sort.stringSort):
        (sort):
        (concatSlowPath):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize):

2016-08-18  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>

        [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
        https://bugs.webkit.org/show_bug.cgi?id=156096

        Reviewed by Dean Jackson.

        Adds:
        - Animatable interface and implementation of getAnimations in Element.
        - Interface and implementation for Document getAnimations method.
        - AnimationEffect interface and class stub.
        - KeyframeEffect interface and constructor implementation.
        - 'Animation' interface, constructor and query methods for effect and timeline.
        - Remove runtime condition on Web animation interfaces (compile time flag is specified).

        * runtime/CommonIdentifiers.h:

2016-08-17  Keith Miller  <keith_miller@apple.com>

        Add WASM support for i64 simple opcodes.
        https://bugs.webkit.org/show_bug.cgi?id=160928

        Reviewed by Michael Saboff.

        This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::unaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-17  JF Bastien  <jfbastien@apple.com>

        We allow assignments to const variables when in a for-in/for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=156673

        Reviewed by Filip Pizlo.

        for-in and for-of weren't checking whether iteration variables from
        parent scopes were const. Assigning to such variables should
        throw, but used not to.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
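The rule the entry above enforces, shown as an added example that is not part of the WebKit patch: a for-in or for-of loop whose target is a `const` binding declared in an enclosing scope must throw a TypeError at its first assignment, while the same loops over a `let` binding are legal. The helper names below are invented for the illustration; the behaviour itself is what any conforming ES2015 engine must do.

```javascript
// Added example (not code from the WebKit patch): exercises the ES2015 rule
// that a for-in / for-of loop whose target is a const binding declared in an
// enclosing scope throws a TypeError at its first assignment, the case the
// entry above says JSC used to accept silently. Helper names are invented.

function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

function loopAssignmentsToOuterConst() {
  const target = "initial";
  return {
    // for-in writes each key into `target`, a const binding from the parent scope.
    forIn: throwsTypeError(() => { for (target in { a: 1 }) {} }),
    // for-of writes each element into `target`.
    forOf: throwsTypeError(() => { for (target of [1, 2]) {} }),
    // A function boundary between declaration and loop changes nothing:
    // the binding the loop resolves is still immutable.
    nested: throwsTypeError(() => {
      const inner = () => { for (target of [1]) {} };
      inner();
    }),
    // An empty iterable never assigns, so there is nothing to throw.
    emptyIterable: throwsTypeError(() => { for (target of []) {} }),
    // The throw happens before the write, so the binding keeps its value.
    unchanged: target === "initial",
  };
}

// The same loops over a `let` binding from the parent scope are legal and
// leave the last key / element behind.
function loopAssignmentsToOuterLet() {
  let target = "initial";
  for (target in { a: 1, b: 2 }) {}
  const afterForIn = target;
  for (target of [10, 20]) {}
  return { afterForIn, afterForOf: target };
}
```

Note that the throw is a runtime TypeError, not an early SyntaxError: the loop header is a plain assignment target, so the engine only discovers the immutable binding when it performs the write, which is exactly the check the bytecode generator has to emit.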

2016-08-17  Geoffrey Garen  <ggaren@apple.com>

        Fixed a potential bug in MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=160948
        <rdar://problem/27889416>

        Reviewed by Oliver Hunt.

        I haven't been able to produce an observable test case after some trying.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
        this out from existing code for clarity, but the behavior is the same.

        (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.

        (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
        path. This is faster than the old linear scan, and I think it might
        avoid cases the old scan could miss.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::append): Account for the case where someone
        has called clear() or removeLast().

        (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
        clearer to test the buffers directly instead of inferring what they
        might be based on capacity.

2016-08-17  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in the DFG backend's GetById emitter.
        https://bugs.webkit.org/show_bug.cgi?id=160925
        <rdar://problem/27248961>

        Reviewed by Filip Pizlo.

        The DFG backend's GetById assertion that the node's prediction not be SpecNone
        is just plain wrong.  It assumes that we can never have a GetById node without a
        type prediction, but this is not true.  The following test case proves otherwise:

            function foo() {
                "use strict";
                return --arguments["callee"];
            }

        Will remove the assertion.  Nothing else needs to change as the DFG is working
        correctly without the assertion.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-08-16  Mark Lam  <mark.lam@apple.com>

        Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
        https://bugs.webkit.org/show_bug.cgi?id=160917

        Reviewed by Filip Pizlo.

        If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
        RELEASE_ASSERT failure:

            $ JSC_useImmortalObjects=true jsc
            >>> gc()
            Trace/BPT trap: 5

        This is because Heap::collectAllGarbage() is doing an explicit sweep of the
        MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
        make objects immortal by retiring their blocks.  As a result, there is a mismatch
        in expectancy.

        The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2016-08-16  Keith Miller  <keith_miller@apple.com>

        Add WASM I32 simple operators.
        https://bugs.webkit.org/show_bug.cgi?id=160914

        Reviewed by Benjamin Poulain.

        This patch adds support for the i32 simple binary operators.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::binaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Conversion to sequence<T> is broken for iterable objects
        https://bugs.webkit.org/show_bug.cgi?id=160801

        Reviewed by Darin Adler.

        Export functions used to iterate over iterable objects.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
        https://bugs.webkit.org/show_bug.cgi?id=160881

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        We were trying to set the result of the Identity node to the same
        value as the source of the Identity.
        That is pretty messed up.

2016-08-15  Saam Barati  <sbarati@apple.com>

        Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
        https://bugs.webkit.org/show_bug.cgi?id=160750
        <rdar://problem/27793469>

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2016-08-15  Saam Barati  <sbarati@apple.com>

        Array.prototype.map builtin should go on the fast path when constructor===@Array
        https://bugs.webkit.org/show_bug.cgi?id=160836

        Reviewed by Keith Miller.

        In the FTL, we were not compiling the result array in Array.prototype.map
        efficiently when the result array should use the Array constructor
        (which is the common case). We used to compile it as:
        x: JSConstant(Array)
        y: Construct(@x, ...)
        instead of
        y: NewArrayWithSize(...)

        This patch changes the builtin to go down the fast path when certain
        conditions are met. Often, the check to go down the fast path will
        be constant folded because we always create a normal array from the
        Array constructor.

        This is around a 5% speedup on ES6 Sample Bench.

        I also made similar changes for Array.prototype.filter
        and Array.prototype.concat on its slow path.

        * builtins/ArrayPrototype.js:

2016-08-15  Mark Lam  <mark.lam@apple.com>

        Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
        https://bugs.webkit.org/show_bug.cgi?id=160832
        <rdar://problem/27577556>

        Reviewed by Geoffrey Garen.

        Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
        access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
        result, we'll crash with null pointer dereferences.

        We can fix this by introducing a JSString::equal() method that will do the
        equality comparison, but is aware of the potential failures to resolve ropes.
        JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
        instead of accessing the underlying StringImpl directly.

        Also added some exception checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase):
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::equal):

2016-08-15  Keith Miller  <keith_miller@apple.com>

        Implement WASM Parser and B3 IR generator
        https://bugs.webkit.org/show_bug.cgi?id=160681

        Reviewed by Benjamin Poulain.

        This patch adds the skeleton for a WebAssembly pipeline. The
        pipeline is designed in order to make it easy to have as much of
        the compilation process threaded as possible. The flow of the
        pipeline roughly goes as follows:

        1) Create a WASMPlan with the VM and a Vector of the
        assembly. Currently the plan will process all the work
        synchronously, however, in the future this can be offloaded to
        other threads.

        2) The plan will run the WASMModuleParser, which collates all the
        information needed to compile each module function
        independently. Since we are still in the early phases, the only
        information is the starting and ending byte of the function's
        body. The module parser, however, still scans both and
        semi-validates the type and the function sections.

        3) Each function is decoded and compiled. In the future this
        should also include an opcode validation phase. The
        WASMFunctionParser is templatized so that a validator should be
        able to use most of the same code the B3 IR generator does.

        4) When the plan has finished it will fill a Vector of
        B3::Compilation objects that correspond to the respective function
        in the WASM module.


        The current testing plan for the modules is to inline the
        binary generated by the spec's OCaml prototype. The inlined binary
        is passed to a WASMPlan then invoked to check the result of the
        function. In the future we should add a more robust testing
        infrastructure.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        (invoke):
        (runWASMTests):
        (main):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::globalVariableTypes):
        * wasm/WASMB3IRGenerator.cpp: Added.
        (JSC::WASM::B3IRGenerator::B3IRGenerator):
        (JSC::WASM::B3IRGenerator::addLocal):
        (JSC::WASM::B3IRGenerator::binaryOp):
        (JSC::WASM::B3IRGenerator::addConstant):
        (JSC::WASM::B3IRGenerator::addBlock):
        (JSC::WASM::B3IRGenerator::endBlock):
        (JSC::WASM::B3IRGenerator::addReturn):
        (JSC::WASM::B3IRGenerator::unify):
        (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
        (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
        (JSC::WASM::B3IRGenerator::stackForControlLevel):
        (JSC::WASM::B3IRGenerator::blockForControlLevel):
        (JSC::WASM::parseAndCompile):
        * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h: Added.
        (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
        (JSC::WASM::WASMFunctionParser<Context>::parse):
        (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASM::WASMModuleParser::parse):
        (JSC::WASM::WASMModuleParser::parseFunctionTypes):
        (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
        (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
        * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMModuleParser::WASMModuleParser):
        (JSC::WASM::WASMModuleParser::functionInformation):
        * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMParser.h: Added.
        (JSC::WASM::WASMParser::parseVarUInt32):
        (JSC::WASM::WASMParser::WASMParser):
        (JSC::WASM::WASMParser::consumeCharacter):
        (JSC::WASM::WASMParser::consumeString):
        (JSC::WASM::WASMParser::parseUInt32):
        (JSC::WASM::WASMParser::parseUInt7):
        (JSC::WASM::WASMParser::parseVarUInt1):
        (JSC::WASM::WASMParser::parseValueType):
        * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::Plan::Plan):
        * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::lookup):
        * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::validateOrder):
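Step 2 of the pipeline above is a module parser that only needs to find each function body's start and end byte while still sanity-checking the type and function sections. The following is an added illustration of that scan, not JavaScriptCore's parser: it assumes the finalised MVP binary layout (magic "\0asm", version 1, each section a one-byte id followed by a varuint32 payload size) rather than the pre-MVP encoding the 2016 patch targeted, and the section ids, sample bytes and function names are constructed here. The points a reviewer of such a parser cares about are visible in the code: the varuint32 decoder rejects truncated and over-long encodings instead of wrapping, every claimed size is compared with the bytes remaining before it is added to a cursor, and the code section's count is cross-checked against the function section.

```javascript
// Added example (not JavaScriptCore code): a bounds-checked walk over a
// WebAssembly binary in the spirit of the module parser described above. It
// checks the preamble, walks the sections, cross-checks the function and code
// section counts, and records each function body's [start, end) byte range,
// the one per-function fact the entry says the parser kept at this stage.
// Assumption: the finalised MVP layout (magic "\0asm", version 1, section id
// followed by a varuint32 payload size), not the pre-MVP layout of 2016.

class WasmParseError extends Error {}

// Unsigned LEB128 limited to 32 bits: at most five bytes, the fifth carrying
// only four payload bits. Truncated and over-long encodings are rejected
// instead of silently wrapping, which is where binary parsers usually fail.
// `end` bounds the read so a section cannot pull bytes from its neighbour.
function readVarUInt32(bytes, offset, end = bytes.length) {
  let result = 0;
  for (let i = 0; i < 5; i++) {
    if (offset >= end) throw new WasmParseError("truncated varuint32");
    const byte = bytes[offset++];
    const payload = byte & 0x7f;
    if (i === 4 && (payload & ~0x0f)) throw new WasmParseError("varuint32 exceeds 32 bits");
    result = (result | (payload << (7 * i))) >>> 0; // >>> 0 keeps it unsigned
    if ((byte & 0x80) === 0) return { value: result, offset };
  }
  throw new WasmParseError("varuint32 longer than five bytes");
}

function parseFunctionSection(bytes, section, module) {
  module.functionCount = readVarUInt32(bytes, section.start, section.end).value;
}

// Each body is a varuint32 size followed by that many bytes. Only the range is
// recorded; decoding and validating the opcodes is a later phase.
function parseCodeSection(bytes, section, module) {
  let { value: count, offset } = readVarUInt32(bytes, section.start, section.end);
  if (count !== module.functionCount) throw new WasmParseError("code/function count mismatch");
  for (let i = 0; i < count; i++) {
    const size = readVarUInt32(bytes, offset, section.end);
    if (size.value > section.end - size.offset) throw new WasmParseError("body overruns section");
    module.bodies.push({ start: size.offset, end: size.offset + size.value });
    offset = size.offset + size.value;
  }
  if (offset !== section.end) throw new WasmParseError("trailing bytes in code section");
}

function parseModule(bytes) {
  const preamble = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
  if (bytes.length < preamble.length || preamble.some((b, i) => bytes[i] !== b))
    throw new WasmParseError("bad preamble");
  const module = { sections: [], functionCount: 0, bodies: [] };
  let offset = preamble.length;
  while (offset < bytes.length) {
    const id = bytes[offset++];
    const size = readVarUInt32(bytes, offset);
    // Compare the claimed size with what is left before using it as an offset,
    // so a hostile size cannot move the cursor past the end of the buffer.
    if (size.value > bytes.length - size.offset) throw new WasmParseError("section overruns module");
    const section = { id, start: size.offset, end: size.offset + size.value };
    if (id === 3) parseFunctionSection(bytes, section, module);
    if (id === 10) parseCodeSection(bytes, section, module);
    module.sections.push(section);
    offset = section.end; // skip whatever else the section holds
  }
  return module;
}

// Constructed sample: one exported function add(i32, i32) -> i32 whose body is
// local.get 0, local.get 1, i32.add, end.
const SAMPLE_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // preamble
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,             // type section
  0x03, 0x02, 0x01, 0x00,                                           // function section
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,             // export "add"
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b, // code section
]);

// Cross-check against the host engine when it has WebAssembly: validate the
// sample and run the exported function. Returns null on a host without it.
function engineCheck(a, b) {
  if (typeof WebAssembly === "undefined") return null;
  if (!WebAssembly.validate(SAMPLE_MODULE)) return { valid: false };
  const { add } = new WebAssembly.Instance(new WebAssembly.Module(SAMPLE_MODULE)).exports;
  return { valid: true, sum: add(a, b) };
}
```

On the sample, `parseModule` reports four sections, one function, and a single body occupying bytes 34 to 41; cutting the final byte off, or patching the code section's size byte to 0x7f, makes it throw before any cursor moves out of range, which is the property the real parser needs before any of those bytes reach a compiler.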
519
520 2016-08-15  Benjamin Poulain  <bpoulain@apple.com>
521
522         [JSC] B3 Neg opcode should support float
523         https://bugs.webkit.org/show_bug.cgi?id=160795
524
525         Reviewed by Geoffrey Garen.
526
527         This is required to implement WASM f32.neg opcode.
528
529         * assembler/MacroAssemblerARM64.h:
530         (JSC::MacroAssemblerARM64::negateFloat):
531         * b3/B3LowerToAir.cpp:
532         (JSC::B3::Air::LowerToAir::lower):
533         * b3/B3ReduceDoubleToFloat.cpp:
534         * b3/air/AirOpcode.opcodes:
535         * b3/testb3.cpp:
536         (JSC::B3::testNegDouble):
537         (JSC::B3::testNegFloat):
538         (JSC::B3::testNegFloatWithUselessDoubleConversion):
539         (JSC::B3::run):
540
541 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
542
543         Use #pragma once in inspector headers
544         https://bugs.webkit.org/show_bug.cgi?id=160861
545
546         Reviewed by Mark Lam.
547
548         * inspector/*.h:
549
550 2016-08-15  Daniel Bates  <dabates@apple.com>
551
552         Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
553         private frameworks and libraries
554         https://bugs.webkit.org/show_bug.cgi?id=155931
555         <rdar://problem/25807989>
556
557         Reviewed by Dan Bernstein.
558
559         Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
560         where X is the major version of the active iOS SDK.
561
562         * Configurations/Base.xcconfig:
563
564 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
565
566         Reduce includes of Debugger.h
567         https://bugs.webkit.org/show_bug.cgi?id=160827
568
569         Reviewed by Mark Lam.
570
571         * API/JSTypedArray.cpp:
572         * bytecode/UnlinkedCodeBlock.h:
573         * bytecode/UnlinkedFunctionExecutable.cpp:
574         * bytecode/UnlinkedFunctionExecutable.h:
575         * bytecompiler/BytecodeGenerator.h:
576         * bytecompiler/NodesCodegen.cpp:
577         * dfg/DFGPlan.cpp:
578         * dfg/DFGSpeculativeJIT32_64.cpp:
579         * dfg/DFGSpeculativeJIT64.cpp:
580         * ftl/FTLJITCode.h:
581         * inspector/ScriptCallStackFactory.cpp:
582         * inspector/agents/InspectorDebuggerAgent.h:
583         * jit/JITOpcodes.cpp:
584         * jit/JITOpcodes32_64.cpp:
585         * jit/JITOperations.cpp:
586         * llint/LLIntOffsetsExtractor.cpp:
587         * parser/Nodes.cpp:
588         * parser/Parser.cpp:
589         * parser/Parser.h:
590         * runtime/Completion.cpp:
591         * runtime/Executable.cpp:
592         * runtime/Executable.h:
593         * runtime/FunctionConstructor.cpp:
594         * runtime/SamplingProfiler.cpp:
595         * runtime/SamplingProfiler.h:
596         * runtime/VMEntryScope.cpp:
597
598 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
599
600         Remove unused includes of wtf headers
601         https://bugs.webkit.org/show_bug.cgi?id=160839
602
603         Reviewed by Alex Christensen.
604
605         * Lots of files.
606
607 2016-08-13  Per Arne Vollan  <pvollan@apple.com>
608
609         [Win] Warning fixes.
610         https://bugs.webkit.org/show_bug.cgi?id=160803
611
612         Reviewed by Brent Fulgham.
613
614         Initialize local variables.
615
616         * jit/JIT.cpp:
617         (JSC::JIT::compileWithoutLinking):
618         * runtime/Error.cpp:
619         (JSC::addErrorInfoAndGetBytecodeOffset):
620
621 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
622
623         Remove always true JSC::Debugger::needPauseHandling virtual method
624         https://bugs.webkit.org/show_bug.cgi?id=160822
625
626         Reviewed by Mark Lam.
627
628         All subclasses return true for this method. Just remove the method.
629
630         * debugger/Debugger.cpp:
631         (JSC::Debugger::pauseIfNeeded):
632         * inspector/ScriptDebugServer.h:
633
634 2016-08-12  Saam Barati  <sbarati@apple.com>
635
636         Inline store loop for CopyRest in DFG and FTL for certain array modes
637         https://bugs.webkit.org/show_bug.cgi?id=159612
638
639         Reviewed by Filip Pizlo.
640
641         This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
642         The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
643         This allows the bytecode to be in control of what type of indexingType the array is allocated
644         with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
645         This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
646         JIT will fast allocate the array and its storage, and we will do a memmove from the rest
647         region of arguments into the array's storage.
648
649         I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
650         on micro benchmarks that just test rest creation speed.
651
652         * bytecode/BytecodeList.json:
653         * bytecode/BytecodeUseDef.h:
654         (JSC::computeUsesForBytecodeOffset):
655         (JSC::computeDefsForBytecodeOffset):
656         * bytecode/CodeBlock.cpp:
657         (JSC::CodeBlock::dumpBytecode):
658         * bytecompiler/BytecodeGenerator.cpp:
659         (JSC::BytecodeGenerator::emitRestParameter):
660         * dfg/DFGAbstractInterpreterInlines.h:
661         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
662         * dfg/DFGByteCodeParser.cpp:
663         (JSC::DFG::ByteCodeParser::parseBlock):
664         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
665         (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
666         * dfg/DFGCapabilities.cpp:
667         (JSC::DFG::capabilityLevel):
668         * dfg/DFGClobberize.h:
669         (JSC::DFG::clobberize):
670         * dfg/DFGDoesGC.cpp:
671         (JSC::DFG::doesGC):
672         * dfg/DFGFixupPhase.cpp:
673         (JSC::DFG::FixupPhase::fixupNode):
674         * dfg/DFGGraph.h:
675         (JSC::DFG::Graph::uses):
676         (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
677         (JSC::DFG::Graph::compilation):
678         * dfg/DFGNode.h:
679         (JSC::DFG::Node::numberOfArgumentsToSkip):
680         * dfg/DFGNodeType.h:
681         * dfg/DFGOperations.cpp:
682         * dfg/DFGOperations.h:
683         * dfg/DFGPredictionPropagationPhase.cpp:
684         * dfg/DFGSafeToExecute.h:
685         (JSC::DFG::safeToExecute):
686         * dfg/DFGSpeculativeJIT.cpp:
687         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
688         (JSC::DFG::SpeculativeJIT::compileCreateRest):
689         (JSC::DFG::SpeculativeJIT::compileGetRestLength):
690         (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
691         * dfg/DFGSpeculativeJIT.h:
692         (JSC::DFG::SpeculativeJIT::callOperation):
693         * dfg/DFGSpeculativeJIT32_64.cpp:
694         (JSC::DFG::SpeculativeJIT::compile):
695         (JSC::DFG::SpeculativeJIT::compileArithRandom):
696         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
697         * dfg/DFGSpeculativeJIT64.cpp:
698         (JSC::DFG::SpeculativeJIT::compile):
699         (JSC::DFG::SpeculativeJIT::compileArithRandom):
700         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
701         * ftl/FTLCapabilities.cpp:
702         (JSC::FTL::canCompile):
703         * ftl/FTLLowerDFGToB3.cpp:
704         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
705         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
706         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
707         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
708         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
709         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
710         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
711         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
712         * interpreter/CallFrame.h:
713         (JSC::ExecState::addressOfArgumentsStart):
714         (JSC::ExecState::argument):
715         * jit/JIT.cpp:
716         (JSC::JIT::privateCompileMainPass):
717         * jit/JIT.h:
718         * jit/JITOpcodes.cpp:
719         (JSC::JIT::emit_op_argument_count):
720         (JSC::JIT::emit_op_create_rest):
721         (JSC::JIT::emit_op_copy_rest): Deleted.
722         * jit/JITOperations.h:
723         * llint/LowLevelInterpreter.asm:
724         * runtime/CommonSlowPaths.cpp:
725         (JSC::SLOW_PATH_DECL):
726         * runtime/CommonSlowPaths.h:
727
728 2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>
729
730         Add a helper class for enumerating elements in an iterable object
731         https://bugs.webkit.org/show_bug.cgi?id=160800
732
733         Reviewed by Benjamin Poulain.
734
735         Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
736         and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.
737
738         Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.
739
740         * runtime/IteratorOperations.cpp:
741         (JSC::iteratorForIterable): Added.
742         * runtime/IteratorOperations.h:
743         (JSC::forEachInIterable): Added.
744         * runtime/MapConstructor.cpp:
745         (JSC::constructMap):
746         * runtime/SetConstructor.cpp:
747         (JSC::constructSet):
748         * runtime/WeakMapConstructor.cpp:
749         (JSC::constructWeakMap):
750         * runtime/WeakSetConstructor.cpp:
751         (JSC::constructWeakSet):
752
753 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
754
755         Remove unused includes of RefCountedLeakCounter.h
756         https://bugs.webkit.org/show_bug.cgi?id=160817
757
758         Reviewed by Mark Lam.
759
760         * parser/Nodes.cpp:
761         * runtime/Structure.cpp:
762
763 2016-08-12  Pranjal Jumde  <pjumde@apple.com>
764
765         ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
766         https://bugs.webkit.org/show_bug.cgi?id=160535
767         <rdar://problem/27328151>
768         
769         Reviewed by Saam Barati.
770
771         lineNumber from the savePoint was not being restored before calling next(), causing a discrepancy in the offset and line for the token.
772
773         * parser/Parser.h:
774         (JSC::Parser::restoreLexerState):
775
776 2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>
777
778         [ES2016] Implement Object.entries
779         https://bugs.webkit.org/show_bug.cgi?id=160412
780
781         Reviewed by Saam Barati.
782
783         This patch adds an entries function to Object that returns a list of
784         key+value pairs. The patch was done according to the
785         spec https://tc39.github.io/ecma262/#sec-object.entries
786
787         * builtins/ObjectConstructor.js:
788         (globalPrivate.enumerableOwnProperties):
789         (entries):
790         * runtime/ObjectConstructor.cpp:
791
792 2016-08-11  Mark Lam  <mark.lam@apple.com>
793
794         OverridesHasInstance should not branch across register allocations.
795         https://bugs.webkit.org/show_bug.cgi?id=160792
796         <rdar://problem/27361778>
797
798         Reviewed by Benjamin Poulain.
799
800         The OverridesHasInstance node has a branch test that is emitted conditionally.
801         It also has a bug where it allocated a register after this branch, which is not
802         allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
803         From the ChangeLog for r145931:
804
805         "This [assertion that register allocations are not branched around] protects
806         against the case where an allocation could have spilled register contents to free
807         up a register and that spill only occurs on one path of many through the code.
808         A subsequent fill of the spilled register may load garbage."
809
810         Because the branch isn't always emitted, this bug has gone unnoticed until now.
811         This patch fixes this issue by pre-allocating the registers before emitting the
812         branch in OverridesHasInstance.
813
814         Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
815         is doing it right.
816
817         * dfg/DFGSpeculativeJIT64.cpp:
818         (JSC::DFG::SpeculativeJIT::compile):
819
820 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
821
822         [JSC] Make B3 Return opcode work without arguments
823         https://bugs.webkit.org/show_bug.cgi?id=160787
824
825         Reviewed by Keith Miller.
826
827         We need a way to create functions that do not return values.
828
829         * assembler/MacroAssembler.h:
830         (JSC::MacroAssembler::retVoid):
831         * b3/B3BasicBlock.cpp:
832         (JSC::B3::BasicBlock::appendNewControlValue):
833         * b3/B3LowerToAir.cpp:
834         (JSC::B3::Air::LowerToAir::lower):
835         * b3/B3Validate.cpp:
836         * b3/B3Value.h:
837         * b3/air/AirOpcode.opcodes:
838         * b3/testb3.cpp:
839         (JSC::B3::testReturnVoid):
840         (JSC::B3::run):
841
842 2016-08-11  Mark Lam  <mark.lam@apple.com>
843
844         Gardening: fix gcc builds after r204387. 
845
846         Not reviewed.
847
848         Apparently, gcc is not sophisticated enough to realize that the end of the
849         function is unreachable, and is wrongly complaining about "control reaches end of
850         non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
851         statement at the end of MarkedBlock::sweepHelper() to appease gcc.
852
853         * heap/MarkedBlock.cpp:
854         (JSC::MarkedBlock::sweepHelper):
855
856 2016-08-11  Alex Christensen  <achristensen@webkit.org>
857
858         Use StringBuilder::appendLiteral when possible don't append result of makeString
859         https://bugs.webkit.org/show_bug.cgi?id=160772
860
861         Reviewed by Sam Weinig.
862
863         * API/tests/ExecutionTimeLimitTest.cpp:
864         (testExecutionTimeLimit):
865         * API/tests/PingPongStackOverflowTest.cpp:
866         (PingPongStackOverflowObject_hasInstance):
867         * bytecompiler/NodesCodegen.cpp:
868         (JSC::ArrayPatternNode::toString):
869         (JSC::RestParameterNode::toString):
870         * runtime/ErrorInstance.cpp:
871         (JSC::ErrorInstance::sanitizedToString):
872         * runtime/Options.cpp:
873         (JSC::Options::dumpOption):
874
875 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
876
877         [JSC] Revert most of r203808
878         https://bugs.webkit.org/show_bug.cgi?id=160784
879
880         Reviewed by Geoffrey Garen.
881
882         Switching to fastMalloc() caused regressions on Jetstream and Octane
883         on MacBook Air. I was able to get back some of it in the following
884         patches, but the tests that never go to FTL are still regressed.
885
886         This patch reverts r203808 except for the node index.
887         Nodes are allocated with the custom allocator like before, but they are
888         now also kept in a table, addressed by the node index.
889
890         * CMakeLists.txt:
891         * JavaScriptCore.xcodeproj/project.pbxproj:
892         * b3/B3SparseCollection.h:
893         (JSC::B3::SparseCollection::packIndices): Deleted.
894         * dfg/DFGAllocator.h: Added.
895         (JSC::DFG::Allocator::Region::size):
896         (JSC::DFG::Allocator::Region::headerSize):
897         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
898         (JSC::DFG::Allocator::Region::data):
899         (JSC::DFG::Allocator::Region::isInThisRegion):
900         (JSC::DFG::Allocator::Region::regionFor):
901         (JSC::DFG::Allocator<T>::Allocator):
902         (JSC::DFG::Allocator<T>::~Allocator):
903         (JSC::DFG::Allocator<T>::allocate):
904         (JSC::DFG::Allocator<T>::free):
905         (JSC::DFG::Allocator<T>::freeAll):
906         (JSC::DFG::Allocator<T>::reset):
907         (JSC::DFG::Allocator<T>::indexOf):
908         (JSC::DFG::Allocator<T>::allocatorOf):
909         (JSC::DFG::Allocator<T>::bumpAllocate):
910         (JSC::DFG::Allocator<T>::freeListAllocate):
911         (JSC::DFG::Allocator<T>::allocateSlow):
912         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
913         (JSC::DFG::Allocator<T>::startBumpingIn):
914         * dfg/DFGDriver.cpp:
915         (JSC::DFG::compileImpl):
916         * dfg/DFGGraph.cpp:
917         (JSC::DFG::Graph::Graph):
918         (JSC::DFG::Graph::~Graph):
919         (JSC::DFG::Graph::addNodeToMapByIndex):
920         (JSC::DFG::Graph::deleteNode):
921         (JSC::DFG::Graph::packNodeIndices):
922         * dfg/DFGGraph.h:
923         (JSC::DFG::Graph::addNode):
924         (JSC::DFG::Graph::maxNodeCount):
925         (JSC::DFG::Graph::nodeAt):
926         * dfg/DFGLongLivedState.cpp: Added.
927         (JSC::DFG::LongLivedState::LongLivedState):
928         (JSC::DFG::LongLivedState::~LongLivedState):
929         (JSC::DFG::LongLivedState::shrinkToFit):
930         * dfg/DFGLongLivedState.h: Added.
931         * dfg/DFGNode.h:
932         * dfg/DFGNodeAllocator.h: Added.
933         (operator new ):
934         * dfg/DFGPlan.cpp:
935         (JSC::DFG::Plan::compileInThread):
936         (JSC::DFG::Plan::compileInThreadImpl):
937         * dfg/DFGPlan.h:
938         * dfg/DFGWorklist.cpp:
939         (JSC::DFG::Worklist::runThread):
940         * runtime/VM.cpp:
941         (JSC::VM::VM):
942         * runtime/VM.h:
943
944 2016-08-11  Mark Lam  <mark.lam@apple.com>
945
946         The jsc shell's Element host constructor should throw if it fails to construct an object.
947         https://bugs.webkit.org/show_bug.cgi?id=160773
948         <rdar://problem/27328608>
949
950         Reviewed by Saam Barati.
951
952         The Element object is a test object provided in the jsc shell for testing use only.
953         JavaScriptCore expects host constructors to either throw an error or return a
954         constructed object.  Element has a host constructor that did not obey this contract.
955         As a result, the following statement will fail a RELEASE_ASSERT:
956
957             new (Element.bind())
958
959         This is now fixed.
960
961         * jsc.cpp:
962         (functionCreateElement):
963
964 2016-08-11  Mark Lam  <mark.lam@apple.com>
965
966         Disallow synchronous sweeping for eden GCs.
967         https://bugs.webkit.org/show_bug.cgi?id=160716
968
969         Reviewed by Geoffrey Garen.
970
971         * heap/Heap.cpp:
972         (JSC::Heap::collectAllGarbage):
973         (JSC::Heap::collectAndSweep): Deleted.
974         * heap/Heap.h:
975         (JSC::Heap::collectAllGarbage): Deleted.
976         - No need for a separate collectAndSweep() anymore since we only call it for
977           FullCollections.
978         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
979           IncrementalSweeper can bail earlier when it runs later.
980
981         * heap/MarkedBlock.cpp:
982         (JSC::MarkedBlock::sweepHelper):
983         - Removed the unreachable return statement.
984
985         * heap/MarkedBlock.h:
986         - Document what "Retired" means.
987
988         * tools/JSDollarVMPrototype.cpp:
989         (JSC::JSDollarVMPrototype::edenGC):
990
991 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
992
993         [Win] Warning fix.
994         https://bugs.webkit.org/show_bug.cgi?id=160734
995
996         Reviewed by Sam Weinig.
997
998         Add static cast from int to uint32_t.
999
1000         * bytecode/ArithProfile.h:
1001
1002 2016-08-10  Michael Saboff  <msaboff@apple.com>
1003
1004         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
1005         https://bugs.webkit.org/show_bug.cgi?id=160749
1006
1007         Reviewed by Filip Pizlo.
1008
1009         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
1010         emitPutByValWithCachedId() without linking the exception checks created by the
1011         code emitted.  This manifested itself in various ways depending on the processor.
1012         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
1013         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
1014         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
1015         an absolute address of 0.
1016
1017         Now we save the exception handler address for the original generated function and
1018         link the exception cases for these by-val stubs to this handler.
1019
1020         * bytecode/ByValInfo.h:
1021         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
1022         link to.
1023
1024         * jit/JIT.cpp:
1025         (JSC::JIT::link): Compute the linked exception handler address and pass it to
1026         the ByValInfo constructor.
1027         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
1028         exception handler if we have any by-val handlers.
1029
1030         * jit/JIT.h:
1031         Added a label for the exception handler.  We'll link this later for the
1032         by value handlers.
1033
1034         * jit/JITPropertyAccess.cpp:
1035         (JSC::JIT::privateCompileGetByValWithCachedId):
1036         (JSC::JIT::privateCompilePutByValWithCachedId):
1037         Link exception branches to the exception handler for the main function.
1038
1039 2016-08-10  Mark Lam  <mark.lam@apple.com>
1040
1041         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
1042         https://bugs.webkit.org/show_bug.cgi?id=160755
1043         <rdar://problem/27488507>
1044
1045         Reviewed by Filip Pizlo.
1046
1047         If the DFG sees that an inlined function will result in an OSR exit every time,
1048         it will treat all downstream blocks as dead.  However, it still needs to keep
1049         locals that are alive in the bytecode alive for the compiled function so that
1050         those locals are properly written to the stack by the OSR exit ramp.
1051
1052         The existing code neglected to do this.  This patch remedies this issue.
1053
1054         * dfg/DFGByteCodeParser.cpp:
1055         (JSC::DFG::ByteCodeParser::flushDirect):
1056         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
1057         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
1058         (JSC::DFG::ByteCodeParser::flushForTerminal):
1059
1060 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
1061
1062         [ES2016] Implement Object.values
1063         https://bugs.webkit.org/show_bug.cgi?id=160410
1064
1065         Reviewed by Saam Barati, Yusuke Suzuki.
1066
1067         This patch adds a values function to Object that returns a list of
1068         the object's own values. The patch was done according to the
1069         spec http://tc39.github.io/ecma262/#sec-object.values
1070
1071         The patch also adds generic builtin intrinsic constants
1072         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue
1073         that are used in EnumerableOwnProperties to set the kind of operation,
1074         and replaces the iterators' own IterationKind enums in the following iterators:
1075         ArrayIterator, MapIterator, and SetIterator.
1076
1077         * JavaScriptCore.xcodeproj/project.pbxproj:
1078         * builtins/ObjectConstructor.js:
1079         (globalPrivate.enumerableOwnProperties):
1080         (values):
1081         * bytecode/BytecodeIntrinsicRegistry.cpp:
1082         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1083         * bytecode/BytecodeIntrinsicRegistry.h:
1084         * inspector/JSInjectedScriptHost.cpp:
1085         (Inspector::JSInjectedScriptHost::getInternalProperties):
1086         * runtime/ArrayIteratorPrototype.h:
1087         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
1088         * runtime/JSMapIterator.h:
1089         (JSC::JSMapIterator::create):
1090         (JSC::JSMapIterator::next):
1091         (JSC::JSMapIterator::kind):
1092         (JSC::JSMapIterator::JSMapIterator):
1093         * runtime/JSSetIterator.h:
1094         (JSC::JSSetIterator::create):
1095         (JSC::JSSetIterator::next):
1096         (JSC::JSSetIterator::kind):
1097         (JSC::JSSetIterator::JSSetIterator):
1098         * runtime/MapPrototype.cpp:
1099         (JSC::mapProtoFuncValues):
1100         (JSC::mapProtoFuncEntries):
1101         (JSC::mapProtoFuncKeys):
1102         (JSC::privateFuncMapIterator):
1103         * runtime/ObjectConstructor.cpp:
1104         * runtime/SetPrototype.cpp:
1105         (JSC::setProtoFuncValues):
1106         (JSC::setProtoFuncEntries):
1107         (JSC::privateFuncSetIterator):
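
The algorithm both the Object.entries entry and the Object.values entry above implement, EnumerableOwnProperties(O, kind), written out in JavaScript as an added example (this is not JSC's builtins/ObjectConstructor.js). It makes the observable ordering explicit: own keys come back integer-first, Symbol keys are skipped, the descriptor is re-read for every key so a property deleted by an earlier getter silently disappears, and Get runs getters in key order. The numeric values of the three kind constants stand in for JSC's @IterationKind* intrinsics and, like the sample object, are assumptions of this example.

```javascript
// Added example (not JavaScriptCore's builtin code): a spec-shaped model of
// EnumerableOwnProperties(O, kind) from https://tc39.github.io/ecma262/#sec-object.entries.
// The kind constants stand in for @IterationKindKey / @IterationKindValue /
// @IterationKindKeyValue; their numeric values are an assumption of this example.
const IterationKindKey = 0;
const IterationKindValue = 1;
const IterationKindKeyValue = 2;

function enumerableOwnProperties(target, kind) {
  // ToObject(O): null and undefined are rejected, other primitives are boxed
  if (target === null || target === undefined)
    throw new TypeError("Cannot convert undefined or null to object");
  const O = Object(target);

  // [[OwnPropertyKeys]]: integer-like keys ascending, then strings in insertion
  // order, then symbols. Reflect.ownKeys returns exactly that ordering.
  const ownKeys = Reflect.ownKeys(O);
  const results = [];

  for (const key of ownKeys) {
    // Only String keys participate; Symbol keys are skipped entirely
    if (typeof key !== "string") continue;

    // [[GetOwnProperty]] is re-read for every key, so a property deleted or made
    // non-enumerable by an earlier getter is skipped, not reported as undefined
    const desc = Object.getOwnPropertyDescriptor(O, key);
    if (desc === undefined || !desc.enumerable) continue;

    if (kind === IterationKindKey) {
      results.push(key);
      continue;
    }

    // Get(O, key) is observable: getters and Proxy traps run here, in key order
    const value = O[key];
    if (kind === IterationKindValue)
      results.push(value);
    else
      results.push([key, value]);
  }
  return results;
}

function objectKeys(O) { return enumerableOwnProperties(O, IterationKindKey); }
function objectValues(O) { return enumerableOwnProperties(O, IterationKindValue); }
function objectEntries(O) { return enumerableOwnProperties(O, IterationKindKeyValue); }

// Constructed sample input exercising the edge cases: integer keys reorder, a
// Symbol key and a non-enumerable property are skipped, and the getter for "a"
// deletes "c" before the loop reaches it.
function sampleObject() {
  const o = {
    b: 1,
    10: "ten",
    get a() { delete o.c; return "from getter"; },
    c: "never seen",
    2: "two",
    [Symbol("hidden")]: "skipped",
  };
  Object.defineProperty(o, "internal", { value: 42, enumerable: false });
  return o;
}
```

Note that objectKeys(sampleObject()) still reports "c": with the key kind no Get is performed, so the getter never runs and nothing is deleted.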
1108
1109 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1110
1111         [JSC] Speed up SparseCollection & related maps
1112         https://bugs.webkit.org/show_bug.cgi?id=160733
1113
1114         Reviewed by Saam Barati.
1115
1116         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
1117         This is unfortunate.
1118
1119         The first improvement is to build the new unique_ptr in the empty slot
1120         instead of moving a new value into it.
1121
1122         Previously, the code would load the previous value, test if it is null
1123         then invoke the destructor and finally fastFree(). The initial test
1124         obviously fails so that's a whole bunch of code that is never executed.
1125
1126         With the new code, we just have a store.
1127
1128         I also removed the bounds checking on our maps based on node index.
1129         Those bounds checks are never eliminated by clang because the index
1130         is always loaded from memory instead of being computed.
1131         There are unfortunately too many nodes processed and the bounds checks
1132         get costly.
1133
1134         * b3/B3SparseCollection.h:
1135         (JSC::B3::SparseCollection::add):
1136         * dfg/DFGGraph.h:
1137         (JSC::DFG::Graph::abstractValuesCache):
1138         * dfg/DFGInPlaceAbstractState.h:
1139
1140 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1141
1142         [JSC] Remove some useless code I left when rewriting CSE's large maps
1143         https://bugs.webkit.org/show_bug.cgi?id=160720
1144
1145         Reviewed by Michael Saboff.
1146
1147         * dfg/DFGCSEPhase.cpp:
1148         The maps m_worldMap and m_sideStateMap are useless. They come from the previous
1149         iteration that had weaker constraints.
1150
1151         Also move m_heapMap after m_fallbackStackMap since that is the order
1152         in which they are used in the algorithm.
1153
1154 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1155
1156         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
1157         https://bugs.webkit.org/show_bug.cgi?id=160708
1158
1159         Reviewed by Mark Lam.
1160
1161         * dfg/DFGAbstractInterpreter.h:
1162         * dfg/DFGAbstractInterpreterInlines.h:
1163         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
1164
1165 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
1166
1167         Sort the feature flags in the FEATURE_DEFINES lines
1168         https://bugs.webkit.org/show_bug.cgi?id=160742
1169
1170         Reviewed by Anders Carlsson.
1171
1172         * Configurations/FeatureDefines.xcconfig:
1173
1174 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1175
1176         [ES6] Add ModuleLoaderPrototype and move methods to it
1177         https://bugs.webkit.org/show_bug.cgi?id=160633
1178
1179         Reviewed by Saam Barati.
1180
1181         In the future, we need to add the ability for users to create new Loader objects.
1182         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
1183         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
1184
1185         No behavior change.
1186
1187         * CMakeLists.txt:
1188         * DerivedSources.make:
1189         * JavaScriptCore.xcodeproj/project.pbxproj:
1190         * builtins/ModuleLoaderObject.js:
1191         (setStateToMax): Deleted.
1192         (newRegistryEntry): Deleted.
1193         (ensureRegistered): Deleted.
1194         (forceFulfillPromise): Deleted.
1195         (fulfillFetch): Deleted.
1196         (fulfillTranslate): Deleted.
1197         (fulfillInstantiate): Deleted.
1198         (commitInstantiated): Deleted.
1199         (instantiation): Deleted.
1200         (requestFetch): Deleted.
1201         (requestTranslate): Deleted.
1202         (requestInstantiate): Deleted.
1203         (requestResolveDependencies.): Deleted.
1204         (requestResolveDependencies): Deleted.
1205         (requestInstantiateAll): Deleted.
1206         (requestLink): Deleted.
1207         (requestReady): Deleted.
1208         (link): Deleted.
1209         (moduleEvaluation): Deleted.
1210         (provide): Deleted.
1211         (loadAndEvaluateModule): Deleted.
1212         (loadModule): Deleted.
1213         (linkAndEvaluateModule): Deleted.
1214         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1215         (setStateToMax):
1216         (newRegistryEntry):
1217         (ensureRegistered):
1218         (forceFulfillPromise):
1219         (fulfillFetch):
1220         (fulfillTranslate):
1221         (fulfillInstantiate):
1222         (commitInstantiated):
1223         (instantiation):
1224         (requestFetch):
1225         (requestTranslate):
1226         (requestInstantiate):
1227         (requestResolveDependencies.):
1228         (requestResolveDependencies):
1229         (requestInstantiateAll):
1230         (requestLink):
1231         (requestReady):
1232         (link):
1233         (moduleEvaluation):
1234         (provide):
1235         (loadAndEvaluateModule):
1236         (loadModule):
1237         (linkAndEvaluateModule):
1238         * bytecode/BytecodeIntrinsicRegistry.cpp:
1239         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1240         * jsc.cpp:
1241         (GlobalObject::moduleLoaderResolve):
1242         (GlobalObject::moduleLoaderFetch):
1243         * runtime/Completion.cpp:
1244         (JSC::loadAndEvaluateModule):
1245         (JSC::loadModule):
1246         * runtime/JSGlobalObject.cpp:
1247         (JSC::JSGlobalObject::init):
1248         (JSC::JSGlobalObject::visitChildren):
1249         * runtime/JSGlobalObject.h:
1250         (JSC::JSGlobalObject::moduleLoader):
1251         (JSC::JSGlobalObject::moduleLoaderStructure):
1252         * runtime/JSModuleLoader.cpp: Added.
1253         (JSC::JSModuleLoader::JSModuleLoader):
1254         (JSC::JSModuleLoader::finishCreation):
1255         (JSC::printableModuleKey):
1256         (JSC::JSModuleLoader::provide):
1257         (JSC::JSModuleLoader::loadAndEvaluateModule):
1258         (JSC::JSModuleLoader::loadModule):
1259         (JSC::JSModuleLoader::linkAndEvaluateModule):
1260         (JSC::JSModuleLoader::resolve):
1261         (JSC::JSModuleLoader::fetch):
1262         (JSC::JSModuleLoader::translate):
1263         (JSC::JSModuleLoader::instantiate):
1264         (JSC::JSModuleLoader::evaluate):
1265         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1266         (JSC::JSModuleLoader::create):
1267         (JSC::JSModuleLoader::createStructure):
1268         * runtime/JSModuleRecord.h:
1269         * runtime/ModuleLoaderObject.cpp: Removed.
1270         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1271         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1272         (JSC::printableModuleKey): Deleted.
1273         (JSC::ModuleLoaderObject::provide): Deleted.
1274         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1275         (JSC::ModuleLoaderObject::loadModule): Deleted.
1276         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1277         (JSC::ModuleLoaderObject::resolve): Deleted.
1278         (JSC::ModuleLoaderObject::fetch): Deleted.
1279         (JSC::ModuleLoaderObject::translate): Deleted.
1280         (JSC::ModuleLoaderObject::instantiate): Deleted.
1281         (JSC::ModuleLoaderObject::evaluate): Deleted.
1282         (JSC::moduleLoaderObjectParseModule): Deleted.
1283         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1284         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1285         (JSC::moduleLoaderObjectResolve): Deleted.
1286         (JSC::moduleLoaderObjectFetch): Deleted.
1287         (JSC::moduleLoaderObjectTranslate): Deleted.
1288         (JSC::moduleLoaderObjectInstantiate): Deleted.
1289         (JSC::moduleLoaderObjectEvaluate): Deleted.
1290         * runtime/ModuleLoaderObject.h:
1291         (JSC::ModuleLoaderObject::create): Deleted.
1292         (JSC::ModuleLoaderObject::createStructure): Deleted.
1293         * runtime/ModuleLoaderPrototype.cpp: Added.
1294         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1295         (JSC::moduleLoaderPrototypeParseModule):
1296         (JSC::moduleLoaderPrototypeRequestedModules):
1297         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1298         (JSC::moduleLoaderPrototypeResolve):
1299         (JSC::moduleLoaderPrototypeFetch):
1300         (JSC::moduleLoaderPrototypeTranslate):
1301         (JSC::moduleLoaderPrototypeInstantiate):
1302         (JSC::moduleLoaderPrototypeEvaluate):
1303         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1304         (JSC::ModuleLoaderPrototype::create):
1305         (JSC::ModuleLoaderPrototype::createStructure):
1306
1307 2016-08-09  Saam Barati  <sbarati@apple.com>
1308
1309         JSBoundFunction should lazily generate its name string
1310         https://bugs.webkit.org/show_bug.cgi?id=160678
1311         <rdar://problem/27043194>
1312
1313         Reviewed by Mark Lam.
1314
1315         We were eagerly allocating the BoundFunction's 'name' string
1316         by prepending the "bound " prefix. This patch makes the 'name'
1317         string creation lazy like we do with ordinary JSFunctions.
1318
1319         This is a 25% speedup on the microbenchmark I added that measures
1320         bound function creation speed. Hopefully this also helps us recover
1321         from a 1% Speedometer regression that was introduced in the original
1322         bound function "bound " prefixing patch.
1323
1324         * runtime/JSBoundFunction.cpp:
1325         (JSC::JSBoundFunction::create):
1326         (JSC::JSBoundFunction::JSBoundFunction):
1327         (JSC::JSBoundFunction::finishCreation):
1328         * runtime/JSBoundFunction.h:
1329         * runtime/JSFunction.cpp:
1330         (JSC::JSFunction::finishCreation):
1331         (JSC::JSFunction::getOwnPropertySlot):
1332         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1333         (JSC::JSFunction::put):
1334         (JSC::JSFunction::deleteProperty):
1335         (JSC::JSFunction::defineOwnProperty):
1336         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1337         (JSC::JSFunction::reifyBoundNameIfNeeded):
1338         * runtime/JSFunction.h:
1339
1340 2016-08-09  George Ruan  <gruan@apple.com>
1341
1342         Implement functionality of media capture on iOS
1343         https://bugs.webkit.org/show_bug.cgi?id=158945
1344         <rdar://problem/26893343>
1345
1346         Reviewed by Tim Horton.
1347
1348         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1349         for iOS.
1350
1351 2016-08-09  Saam Barati  <sbarati@apple.com>
1352
1353         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1354         https://bugs.webkit.org/show_bug.cgi?id=160671
1355         <rdar://problem/27756112>
1356
1357         Reviewed by Mark Lam.
1358
1359         There was a bug in our captured variable analysis when a function has a default
1360         parameter expression that is a function that captures something from the parent scope.
1361         The bug was that we were relying on the SourceProviderCache to succeed for the
1362         analysis to work. This is obviously wrong. I've fixed this to work regardless
1363         of getting a cache hit. To prevent future bugs that rely on the success of the
1364         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1365
1366         * parser/Parser.cpp:
1367         (JSC::Parser<LexerType>::parseFunctionInfo):
1368         * parser/Parser.h:
1369         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1370         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1371         (JSC::Scope::collectFreeVariables):
1372         * runtime/Options.h:
1373
1374 2016-08-08  Mark Lam  <mark.lam@apple.com>
1375
1376         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1377         https://bugs.webkit.org/show_bug.cgi?id=160666
1378
1379         Reviewed by Keith Miller.
1380
1381         This assertion is benign.  JSFinalObject::visitChildren() calls
1382         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1383         later passes it to visitor.appendValuesHidden() with a previously computed
1384         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1385         However, before we get there, JSObject::inlineStorage() will be asserting
1386         hasInlineStorage() and this assertion will fail when storageSize is 0.
1387
1388         We can fix this assertion failure by simply adding a storageSize check before
1389         calling hasInlineStorage() and visitor.appendValuesHidden().
1390
1391         * runtime/JSObject.cpp:
1392         (JSC::JSFinalObject::visitChildren):
1393
1394 2016-08-08  Brian Burg  <bburg@apple.com>
1395
1396         Web Inspector: clean up prefixing of Automation protocol generated files
1397         https://bugs.webkit.org/show_bug.cgi?id=160635
1398         <rdar://problem/27735327>
1399
1400         Reviewed by Timothy Hatcher.
1401
1402         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1403
1404         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1405         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1406
1407         * inspector/scripts/codegen/cpp_generator.py:
1408         (CppGenerator.protocol_name):
1409         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1410         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1411         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1412         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1413         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1414
1415         * inspector/scripts/codegen/models.py:
1416         * inspector/scripts/codegen/objc_generator.py:
1417         (ObjCGenerator.protocol_name):
1418
1419         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1420         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1421         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1422         * inspector/scripts/tests/expected/enum-values.json-result:
1423         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1424         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1425         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1426         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1427         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1428         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1429         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1430         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1431         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1432         Rebaseline test results.
1433
1434 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1435
1436         [ES6] Module namespace object should not allow unset IC
1437         https://bugs.webkit.org/show_bug.cgi?id=160553
1438
1439         Reviewed by Saam Barati.
1440
1441         Previously, module namespace object accidentally allow "unset IC". But this "unsetness" does not rely on
1442         the structure. We should disable inline caching onto the namespace object. Once it is needed, we should
1443         create the special caching for namespace object like the following: it should be similar to monomorphic IC,
1444         but it caches the object itself instead of the structure. It checks the object itself (And in DFG, it should be
1445         CheckCell) and loads the value from the target module environment directly[1].
1446
1447         And this patch also set setIsTaintedByProxy for the module namespace object to notify to the caller that
1448         this object has impure ::getOwnPropertySlot. Then this function is now renamed to setIsTaintedByOpaqueObject.
1449
1450         We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
1451         for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So, not to throw any
1452         errors in the ::HasProperty case, we used slot.setCustom to delay the observable operation.
1453         But this hack lacks the support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
1454         However, the previous implementation did not throw an error since the delayed observable part (custom function part) was
1455         skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
1456         in test262.
1457
1458         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1459
1460         * jit/JITOperations.cpp:
1461         * runtime/ArrayPrototype.cpp:
1462         (JSC::getProperty):
1463         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1464         (JSC::constructGenericTypedArrayViewWithArguments):
1465         * runtime/JSModuleNamespaceObject.cpp:
1466         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1467         (JSC::callbackGetter): Deleted.
1468         * runtime/JSModuleNamespaceObject.h:
1469         * runtime/PropertySlot.cpp:
1470         (JSC::PropertySlot::getPureResult):
1471         * runtime/PropertySlot.h:
1472         (JSC::PropertySlot::PropertySlot):
1473         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1474         (JSC::PropertySlot::isTaintedByOpaqueObject):
1475         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1476         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1477         * runtime/ProxyObject.cpp:
1478         (JSC::ProxyObject::getOwnPropertySlotCommon):
1479
1480 2016-08-05  Keith Miller  <keith_miller@apple.com>
1481
1482         Add LEBDecoder and tests
1483         https://bugs.webkit.org/show_bug.cgi?id=160625
1484
1485         Reviewed by Benjamin Poulain.
1486
1487         Adds a new target testWASM that is currently used to test the LEB decoder.
1488         In the future, if we add more support for WASM we will put more tests
1489         here.
1490
1491         * JavaScriptCore.xcodeproj/project.pbxproj:
1492         * testWASM.cpp: Added.
1493         (CommandLine::CommandLine):
1494         (printUsageStatement):
1495         (CommandLine::parseArguments):
1496         (runLEBTests):
1497         (main):
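
The LEB128 decoding that the new testWASM target exercises, as an added example written for this page rather than JSC's own LEBDecoder or testWASM.cpp: unsigned and signed 32-bit decoders that reject truncated, over-long and out-of-range input, plus a helper that reads a WASM-style vector (a count followed by that many values) and validates the count against the bytes actually present before allocating anything. The sample bytes are constructed for the example, not taken from any real module.

```javascript
// Added example for this ChangeLog entry, not JSC's own LEBDecoder or testWASM.cpp:
// a bounds- and overflow-checked LEB128 decoder for 32-bit integers, the routine a
// WASM binary parser leans on for every count, index and immediate.

const MAX_LEB_BYTES_32 = 5; // ceil(32 / 7): a 32-bit value needs at most 5 bytes

// Decode an unsigned 32-bit LEB128 value at `offset`. Returns { value, length }.
// Throws RangeError on truncated input, a sequence longer than 5 bytes, or a fifth
// byte carrying bits above bit 31 (non-minimal but in-range encodings are accepted).
function decodeUInt32LEB(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  for (let i = 0; i < MAX_LEB_BYTES_32; i++) {
    if (offset + i >= bytes.length) throw new RangeError("truncated LEB128 value");
    const byte = bytes[offset + i];
    const payload = byte & 0x7f;
    // The fifth byte holds bits 28..34 of the value; only its low 4 bits fit in 32 bits.
    if (i === MAX_LEB_BYTES_32 - 1 && (payload & 0x70) !== 0) {
      throw new RangeError("LEB128 value does not fit in 32 bits");
    }
    // Accumulate with Number arithmetic: `<<` works on signed 32-bit values and
    // would silently wrap once the payload reaches bit 31.
    result += payload * 2 ** shift;
    shift += 7;
    if ((byte & 0x80) === 0) return { value: result >>> 0, length: i + 1 };
  }
  throw new RangeError("LEB128 sequence too long for a 32-bit value");
}

// Decode a signed 32-bit LEB128 value at `offset`. Returns { value, length }.
// The final byte's unused high bits must be a copy of the sign bit; otherwise the
// encoded value lies outside [-2^31, 2^31 - 1] and is rejected.
function decodeInt32LEB(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  for (let i = 0; i < MAX_LEB_BYTES_32; i++) {
    if (offset + i >= bytes.length) throw new RangeError("truncated LEB128 value");
    const byte = bytes[offset + i];
    const payload = byte & 0x7f;
    result += payload * 2 ** shift;
    shift += 7;
    if ((byte & 0x80) === 0) {
      if (i === MAX_LEB_BYTES_32 - 1) {
        // Fifth byte: bit 3 is bit 31 of the value (the sign); bits 4..6 must match it.
        const signBit = (payload >> 3) & 1;
        const high = (payload >> 4) & 0x7;
        if (high !== (signBit ? 0x7 : 0)) {
          throw new RangeError("LEB128 value does not fit in 32 bits");
        }
        return { value: result | 0, length: i + 1 }; // `| 0` reinterprets as int32
      }
      // Shorter encodings: bit 6 of the final payload is the sign; extend it.
      if (payload & 0x40) result -= 2 ** shift;
      return { value: result, length: i + 1 };
    }
  }
  throw new RangeError("LEB128 sequence too long for a 32-bit value");
}

// Decode a WASM-style vector: a u32 count followed by `count` u32 elements
// (assumed layout for this example). The count is checked against the bytes
// actually remaining before anything is allocated: each element occupies at least
// one byte, so an attacker-controlled count cannot force a huge allocation before
// the data has even been looked at.
function decodeUInt32Vector(bytes, offset = 0) {
  const head = decodeUInt32LEB(bytes, offset);
  let pos = offset + head.length;
  if (head.value > bytes.length - pos) {
    throw new RangeError(`vector count ${head.value} exceeds remaining input`);
  }
  const items = [];
  for (let i = 0; i < head.value; i++) {
    const item = decodeUInt32LEB(bytes, pos);
    items.push(item.value);
    pos += item.length;
  }
  return { items, end: pos };
}

// Constructed sample input (not taken from any real module): count 3, then the
// values 624485 (0xe5 0x8e 0x26), 127 (0x7f) and 128 (0x80 0x01).
const SAMPLE_VECTOR = new Uint8Array([0x03, 0xe5, 0x8e, 0x26, 0x7f, 0x80, 0x01]);
```

`decodeUInt32Vector(SAMPLE_VECTOR)` yields the three values and the offset just past them; feeding it a count larger than the remaining bytes, or a fifth byte with bits above bit 31 set, raises a RangeError instead of producing a wrapped value or an oversized allocation.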
1498
1499 2016-08-05  Keith Miller  <keith_miller@apple.com>
1500
1501         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1502         https://bugs.webkit.org/show_bug.cgi?id=160620
1503
1504         Reviewed by Filip Pizlo.
1505
1506         * dfg/DFGSpeculativeJIT32_64.cpp:
1507         (JSC::DFG::SpeculativeJIT::compile):
1508
1509 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1510
1511         [JSC] Remove the first LocalCSE
1512         https://bugs.webkit.org/show_bug.cgi?id=160615
1513
1514         Reviewed by Saam Barati.
1515
1516         LocalCSE is the most expensive phase in DFG (excluding FTL).
1517
1518         The combination of two LocalCSEs does not seem to pay for its cost.
1519         Doing a single LocalCSE after ConstantFolding and StrengthReduction
1520         is always a win on my machine.
1521
1522         * dfg/DFGCleanUpPhase.cpp:
1523         (JSC::DFG::CleanUpPhase::run):
1524         * dfg/DFGPlan.cpp:
1525         (JSC::DFG::Plan::compileInThreadImpl):
1526
1527 2016-08-05  Saam Barati  <sbarati@apple.com>
1528
1529         various math operations don't properly check for an exception after calling toNumber() on the lhs
1530         https://bugs.webkit.org/show_bug.cgi?id=160154
1531
1532         Reviewed by Mark Lam.
1533
1534         We must check for an exception after calling toNumber() on the lhs
1535         because this can throw an exception. If we called toNumber() on
1536         the rhs without first checking for an exception after the toNumber()
1537         on the lhs, this can lead us to execute effectful code or deviate
1538         from the standard in subtle ways. I fixed this bug in various places
1539         by always checking for an exception after calling toNumber() on the
1540         lhs for the various bit and arithmetic operations.
1541
1542         This patch also found a commutativity bug inside DFGStrengthReduction.
1543         We could end up commuting the lhs and rhs of say an "|" expression
1544         even when the lhs/rhs may not be numbers. This is wrong because
1545         executing toNumber() on the lhs/rhs has strict ordering guarantees
1546         by the specification and is observable by user programs.
1547
1548         * dfg/DFGOperations.cpp:
1549         * dfg/DFGStrengthReductionPhase.cpp:
1550         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1551         * jit/JITOperations.cpp:
1552         * runtime/CommonSlowPaths.cpp:
1553         (JSC::SLOW_PATH_DECL):
1554         * runtime/Operations.cpp:
1555         (JSC::jsAddSlowCase):
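
A script-level check of the ordering the entry above describes, added here and not part of the patch or the JSC test suite: ToNumber on an object calls its valueOf, so instrumented operands make the conversion order visible, and a throwing lhs must stop evaluation before the rhs is ever converted. The operator table and the operand helper are this example's own.

```javascript
// Added example for this ChangeLog entry; a script-level conformance check written
// for this page, not a test from the JSC tree. ToNumber on an object calls valueOf,
// so instrumented operands expose the conversion order and any exception.

// Build an operand whose ToNumber conversion records `name` in `trace` and
// optionally throws, standing in for arbitrary effectful user code.
function operand(name, value, trace, shouldThrow = false) {
  return {
    valueOf() {
      trace.push(name);
      if (shouldThrow) throw new Error(`ToNumber(${name}) threw`);
      return value;
    },
  };
}

// The bitwise and arithmetic operators the entry refers to, wrapped so they can be
// driven uniformly. The spec converts the lhs first and stops if that throws.
const ops = {
  "|": (a, b) => a | b,
  "&": (a, b) => a & b,
  "^": (a, b) => a ^ b,
  "<<": (a, b) => a << b,
  ">>": (a, b) => a >> b,
  ">>>": (a, b) => a >>> b,
  "+": (a, b) => a + b,
  "-": (a, b) => a - b,
  "*": (a, b) => a * b,
  "/": (a, b) => a / b,
  "%": (a, b) => a % b,
};

// Evaluate `lhs op rhs` with a throwing lhs and report which conversions ran.
// A conforming engine reports { threw: true, trace: ["lhs"] }: the rhs conversion
// never happens. An engine with the bug described above would also record "rhs",
// meaning it ran user code the program never asked for.
function conversionsWhenLhsThrows(op) {
  const trace = [];
  const lhs = operand("lhs", 1, trace, true);
  const rhs = operand("rhs", 2, trace);
  let threw = false;
  try {
    ops[op](lhs, rhs);
  } catch (e) {
    threw = true;
  }
  return { threw, trace };
}

// Run the check over every operator and return the ones that misbehave.
function operatorsConvertingRhsAfterLhsThrow() {
  return Object.keys(ops).filter((op) => {
    const { threw, trace } = conversionsWhenLhsThrows(op);
    return !threw || trace.length !== 1 || trace[0] !== "lhs";
  });
}

// Why the commutativity rewrite was wrong: `a | b` and `b | a` produce the same
// number, but the conversion order differs, and that order is visible to script.
function traceOf(op, swap = false) {
  const trace = [];
  const a = operand("a", 0b0101, trace);
  const b = operand("b", 0b0011, trace);
  const result = swap ? ops[op](b, a) : ops[op](a, b);
  return { result, trace };
}
```

Run under the engine being checked: `operatorsConvertingRhsAfterLhsThrow()` returns `[]` on a conforming engine, and comparing `traceOf("|")` with `traceOf("|", true)` shows the same result with the operands' side effects in the opposite order, which is exactly what the strength-reduction commutation must not change when the operands are not known to be numbers.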
1556
1557 2016-08-05  Michael Saboff  <msaboff@apple.com>
1558
1559         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1560         https://bugs.webkit.org/show_bug.cgi?id=160614
1561
1562         Reviewed by Keith Miller.
1563
1564         In compilePutByValForIntTypedArray() we were calling out to the slow path
1565         operationToInt32() and then returning back to the middle of code to finish
1566         the processing of writing the value to the array.  When we make the slow
1567         path call, we trash any temporary registers that have been allocated.
1568         In general slow path calls should finish the operation in progress and
1569         continue processing at the beginning of the next node.
1570
1571         This was discovered while working on the register argument changes, when
1572         we SpeculateStrictInt32Operand on the value child node.  That child node's
1573         value was live in register with a spill format of DataFormatJSInt32.  In that
1574         case we allocate a new temporary register and copy just the lower 32 bits from
1575         the child register to the new temp register.  That temp register gets trashed
1576         when we make the operationToInt32() slow path call.
1577
1578         I spent some time trying to devise a test with the current code base and wasn't
1579         successful.  This case is tested with the register argument changes in progress.
1580
1581         * dfg/DFGSpeculativeJIT.cpp:
1582         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1583
1584 2016-08-05  Saam Barati  <sbarati@apple.com>
1585
1586         Assertion failure when accessing TDZ variable in catch through eval
1587         https://bugs.webkit.org/show_bug.cgi?id=160554
1588
1589         Reviewed by Mark Lam and Keith Miller.
1590
1591         When we were calculating the variables under TDZ from a JSScope,
1592         the algorithm was not taking into account that a catch scope
1593         has variables under TDZ.
1594
1595         * runtime/JSScope.cpp:
1596         (JSC::JSScope::collectVariablesUnderTDZ):
1597
1598 2016-08-05  Keith Miller  <keith_miller@apple.com>
1599
1600         Delete out of date WASM code.
1601         https://bugs.webkit.org/show_bug.cgi?id=160603
1602
1603         Reviewed by Saam Barati.
1604
1605         This patch removes a bunch of the wasm files that we are unlikely to use
1606         with the newer wasm spec. If we end up needing any of the deleted code
1607         later we can restore it at that time.
1608
1609         * CMakeLists.txt:
1610         * JavaScriptCore.xcodeproj/project.pbxproj:
1611         * jit/JITOperations.cpp:
1612         * jsc.cpp:
1613         (GlobalObject::finishCreation): Deleted.
1614         (functionLoadWebAssembly): Deleted.
1615         * llint/LLIntSlowPaths.cpp:
1616         (JSC::LLInt::setUpCall): Deleted.
1617         * runtime/Executable.cpp:
1618         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1619         * runtime/JSGlobalObject.cpp:
1620         (JSC::JSGlobalObject::init): Deleted.
1621         (JSC::JSGlobalObject::visitChildren): Deleted.
1622         * runtime/JSGlobalObject.h:
1623         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1624         * wasm/WASMConstants.h: Removed.
1625         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1626         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1627         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1628         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1629         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1630         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1631         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1632         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1633         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1634         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1635         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1636         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1637         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1638         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1639         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1640         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1641         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1642         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1643         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1644         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1645         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1646         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1647         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1648         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1649         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1650         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1651         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1652         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1653         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1654         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1655         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1656         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1657         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1658         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1659         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1660         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1661         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1662         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1663         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1664         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1665         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1666         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1667         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1668         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1669         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1670         * wasm/WASMFunctionCompiler.h: Removed.
1671         (JSC::operationConvertJSValueToInt32): Deleted.
1672         (JSC::operationConvertJSValueToDouble): Deleted.
1673         (JSC::operationDiv): Deleted.
1674         (JSC::operationMod): Deleted.
1675         (JSC::operationUnsignedDiv): Deleted.
1676         (JSC::operationUnsignedMod): Deleted.
1677         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1678         (JSC::sizeOfMemoryType): Deleted.
1679         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1680         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1681         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1682         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1683         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1684         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1685         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1686         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1687         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1688         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1689         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1690         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1691         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1692         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1693         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1694         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1695         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1696         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1697         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1698         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1699         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1700         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1701         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1702         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1703         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1704         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1705         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1706         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1707         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1708         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1709         (JSC::WASMFunctionCompiler::discard): Deleted.
1710         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1711         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1712         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1713         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1714         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1715         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1716         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1717         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1718         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1719         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1720         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1721         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1722         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1723         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1724         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1725         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1726         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1727         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1728         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1729         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1730         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1731         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1732         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1733         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1734         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1735         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1736         * wasm/WASMFunctionParser.cpp: Removed.
1737         (JSC::nameOfType): Deleted.
1738         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1739         (JSC::WASMFunctionParser::compile): Deleted.
1740         (JSC::WASMFunctionParser::parseFunction): Deleted.
1741         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1742         (JSC::WASMFunctionParser::parseStatement): Deleted.
1743         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1744         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1745         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1746         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1747         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1748         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1749         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1750         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1751         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1752         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1753         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1754         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1755         (JSC::WASMFunctionParser::parseExpression): Deleted.
1756         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1757         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1758         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1759         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1760         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1761         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1762         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1763         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1764         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1765         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1766         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1767         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1768         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1769         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1770         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1771         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1772         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1773         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1774         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1775         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1776         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1777         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1778         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1779         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1780         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1781         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1782         (JSC::WASMFunctionParser::parseLoad): Deleted.
1783         (JSC::WASMFunctionParser::parseStore): Deleted.
1784         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1785         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1786         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1787         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1788         (JSC::WASMFunctionParser::parseConditional): Deleted.
1789         (JSC::WASMFunctionParser::parseComma): Deleted.
1790         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1791         * wasm/WASMFunctionParser.h: Removed.
1792         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1793         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1794         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1795         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1796         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1797         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1798         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1799         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1800         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1801         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1802         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1803         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1804         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1805         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1806         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1807         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1808         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1809         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1810         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1811         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1812         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1813         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1814         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1815         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1816         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1817         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1818         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1819         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1820         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1821         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1822         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1823         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1824         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1825         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1826         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1827         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1828         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1829         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1830         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1831         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1832         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1833         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1834         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1835         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1836         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1837         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1838         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1839         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1840         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1841         * wasm/WASMModuleParser.cpp: Removed.
1842         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1843         (JSC::WASMModuleParser::parse): Deleted.
1844         (JSC::WASMModuleParser::parseModule): Deleted.
1845         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1846         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1847         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1848         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1849         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1850         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1851         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1852         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1853         (JSC::WASMModuleParser::parseExportSection): Deleted.
1854         (JSC::WASMModuleParser::getImportedValue): Deleted.
1855         (JSC::parseWebAssembly): Deleted.
1856         * wasm/WASMModuleParser.h: Removed.
1857         * wasm/WASMReader.cpp: Removed.
1858         (JSC::WASMReader::readUInt32): Deleted.
1859         (JSC::WASMReader::readFloat): Deleted.
1860         (JSC::WASMReader::readDouble): Deleted.
1861         (JSC::WASMReader::readCompactInt32): Deleted.
1862         (JSC::WASMReader::readCompactUInt32): Deleted.
1863         (JSC::WASMReader::readString): Deleted.
1864         (JSC::WASMReader::readType): Deleted.
1865         (JSC::WASMReader::readExpressionType): Deleted.
1866         (JSC::WASMReader::readExportFormat): Deleted.
1867         (JSC::WASMReader::readByte): Deleted.
1868         (JSC::WASMReader::readOpStatement): Deleted.
1869         (JSC::WASMReader::readOpExpressionI32): Deleted.
1870         (JSC::WASMReader::readOpExpressionF32): Deleted.
1871         (JSC::WASMReader::readOpExpressionF64): Deleted.
1872         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1873         (JSC::WASMReader::readVariableTypes): Deleted.
1874         (JSC::WASMReader::readOp): Deleted.
1875         (JSC::WASMReader::readSwitchCase): Deleted.
1876         * wasm/WASMReader.h: Removed.
1877         (JSC::WASMReader::WASMReader): Deleted.
1878         (JSC::WASMReader::offset): Deleted.
1879         (JSC::WASMReader::setOffset): Deleted.
1880
1881 2016-08-05  Keith Miller  <keith_miller@apple.com>
1882
1883         Fix 32-bit OverridesHasInstance in the DFG.
1884         https://bugs.webkit.org/show_bug.cgi?id=160600
1885
1886         Reviewed by Mark Lam.
1887
1888         In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
1889         do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
1890         was a constant late in compilation. That fix was omitted from the 32-bit version,
1891         causing the new test to fail.
1892
1893         * dfg/DFGSpeculativeJIT32_64.cpp:
1894         (JSC::DFG::SpeculativeJIT::compile):
1895
1896 2016-08-04  Saam Barati  <sbarati@apple.com>
1897
1898         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1899         https://bugs.webkit.org/show_bug.cgi?id=151241
1900
1901         Reviewed by Benjamin Poulain.
1902
1903         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
1904         We can now jettison a CodeBlock when it has been alive for a long time
1905         and is only pointed to by its owner executable. I haven't been able to get this
1906         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
1907         were causing this before. I've also added some stress options for this feature that
1908         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
1909         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
1910         and then the Executable would do some other allocations, causing a GC, immediately causing
1911         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before,
1912         however, it's unlikely given that the previous timing metrics require at least 5 seconds between
1913         compiling to jettisoning.
1914
1915         This patch also enables the stress options for various modes
1916         of JSC stress tests.
1917
1918         * bytecode/CodeBlock.cpp:
1919         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1920         (JSC::timeToLive):
1921         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1922         * interpreter/CallFrame.h:
1923         (JSC::ExecState::callee):
1924         (JSC::ExecState::unsafeCallee):
1925         (JSC::ExecState::codeBlock):
1926         (JSC::ExecState::addressOfCodeBlock):
1927         (JSC::ExecState::unsafeCodeBlock):
1928         (JSC::ExecState::scope):
1929         * interpreter/Interpreter.cpp:
1930         (JSC::Interpreter::execute):
1931         (JSC::Interpreter::executeCall):
1932         (JSC::Interpreter::executeConstruct):
1933         (JSC::Interpreter::prepareForRepeatCall):
1934         * jit/JITOperations.cpp:
1935         * llint/LLIntSlowPaths.cpp:
1936         (JSC::LLInt::setUpCall):
1937         * runtime/Executable.cpp:
1938         (JSC::ScriptExecutable::installCode):
1939         (JSC::setupJIT):
1940         (JSC::ScriptExecutable::prepareForExecutionImpl):
1941         * runtime/Executable.h:
1942         (JSC::ScriptExecutable::prepareForExecution):
1943         * runtime/Options.h:
1944
1945 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1946
1947         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1948         https://bugs.webkit.org/show_bug.cgi?id=160549
1949
1950         Reviewed by Saam Barati.
1951
1952         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1953
1954         * runtime/JSModuleNamespaceObject.cpp:
1955         (JSC::JSModuleNamespaceObject::finishCreation):
1956
1957 2016-08-04  Keith Miller  <keith_miller@apple.com>
1958
1959         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1960         https://bugs.webkit.org/show_bug.cgi?id=160562
1961         <rdar://problem/27704825>
1962
1963         Reviewed by Mark Lam.
1964
1965         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1966         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1967         associated with the assumption that this could not happen.
1968
1969         * dfg/DFGSpeculativeJIT64.cpp:
1970         (JSC::DFG::SpeculativeJIT::compile):
1971         * ftl/FTLLowerDFGToB3.cpp:
1972         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1973
1974 2016-08-04  Keith Miller  <keith_miller@apple.com>
1975
1976         Remove unused intrinsic member of NativeExecutable
1977         https://bugs.webkit.org/show_bug.cgi?id=160560
1978
1979         Reviewed by Saam Barati.
1980
1981         NativeExecutable has an Intrinsic member. It appears that this member is never
1982         used. Instead we use the Intrinsic member of NativeExecutable's super class,
1983         ExecutableBase.
1984
1985         * runtime/Executable.h:
1986
1987 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
1988
1989         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
1990         https://bugs.webkit.org/show_bug.cgi?id=160539
1991
1992         Reviewed by Mark Lam.
1993
1994         This patch does small improvements to our handling
1995         of value propagation to the successors.
1996
1997         One key insight is that using HashMap to map Nodes
1998         to Value in valuesAtTail is too inefficient at the scale
1999         we use it. Instead, I reuse our existing mapping
2000         from every Node to its value, abstracted by forNode().
2001
2002         Since we are not going to use the mapping after endBasicBlock()
2003         I can replace whatever we had there. The next beginBasicBlock()
2004         will setup the new value as needed.
2005
2006         In endBasicBlock(), valuesAtTail is now a vector of all values live
2007         at tail. For each node, I merge the previous live at tail with
2008         the new value, then replace the value in the mapping.
2009         Liveness Analysis guarantees we won't have duplicates there which
2010         makes the replacement sound.
2011
2012         Next, when propagating, I take the vector of values live at head
2013         and use the global node->value mapping to find its new abstract value.
2014         Again, Liveness Analysis guarantees I won't find a value live at head
2015         that was not replaced by the merging at tail of the predecessor.
2016
2017         All our live lists have become vectors instead of HashTables.
2018         The mapping from Node to Value is always done by array indexing.
2019         Same big-O, much smaller constant.
2020
2021         * dfg/DFGAtTailAbstractState.cpp:
2022         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2023         (JSC::DFG::AtTailAbstractState::createValueForNode):
2024         (JSC::DFG::AtTailAbstractState::forNode):
2025         * dfg/DFGAtTailAbstractState.h:
2026         I did not look much into this state; I just made it equivalent
2027         to the previous mapping.
2028
2029         * dfg/DFGBasicBlock.h:
2030         * dfg/DFGCFAPhase.cpp:
2031         (JSC::DFG::CFAPhase::performBlockCFA):
2032         * dfg/DFGGraph.cpp:
2033         (JSC::DFG::Graph::dump):
2034         * dfg/DFGInPlaceAbstractState.cpp:
2035         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2036
2037         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2038         AbstractValue is big enough that we really don't want to copy it twice.
2039
2040         (JSC::DFG::InPlaceAbstractState::merge):
2041         (JSC::DFG::setLiveValues): Deleted.
2042         * dfg/DFGInPlaceAbstractState.h:
2043
2044         * dfg/DFGPhiChildren.h:
2045         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
2046
2047 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2048
2049         [ES7] Update features.json for exponentiation expression
2050         https://bugs.webkit.org/show_bug.cgi?id=160541
2051
2052         Reviewed by Mark Lam.
2053
2054         * features.json:
2055
2056 2016-08-03  Chris Dumez  <cdumez@apple.com>
2057
2058         Drop DocumentType.internalSubset attribute
2059         https://bugs.webkit.org/show_bug.cgi?id=160530
2060
2061         Reviewed by Alex Christensen.
2062
2063         Drop DocumentType.internalSubset attribute.
2064
2065         * inspector/protocol/DOM.json:
2066
2067 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
2068
2069         [JSC] Improve the memory locality of DFG Node's AbstractValues
2070         https://bugs.webkit.org/show_bug.cgi?id=160443
2071
2072         Reviewed by Mark Lam.
2073
2074         The AbstractInterpreter spends a lot of time on memory operations
2075         for AbstractValues. This patch attempts to improve the situation
2076         by putting the values closer together in memory.
2077
2078         First, AbstractValue is moved out of DFG::Node and kept in
2079         a vector addressed by node indices.
2080
2081         I initially moved them to InPlaceAbstractState but I quickly discovered
2082         initializing the values in the vector was costly.
2083         I moved the vector to Graph as a cache shared by every instantiation of
2084         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
2085         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
2086         should also help eventually.
2087
2088         I instrumented CFA to find how packed SparseCollection is.
2089         The answer is it can be very sparse, which is bad for CFA.
2090         I added packIndices() to repack the collection before running
2091         liveness since that's where we start using the memory intensively.
2092         This is a measurable improvement but it implies we can no longer
2093         keep indices on a side channel between phases since they may change.
2094
2095         * b3/B3SparseCollection.h:
2096         (JSC::B3::SparseCollection::packIndices):
2097         * dfg/DFGGraph.cpp:
2098         (JSC::DFG::Graph::packNodeIndices):
2099         * dfg/DFGGraph.h:
2100         (JSC::DFG::Graph::abstractValuesCache):
2101         * dfg/DFGInPlaceAbstractState.cpp:
2102         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2103         * dfg/DFGInPlaceAbstractState.h:
2104         (JSC::DFG::InPlaceAbstractState::forNode):
2105         * dfg/DFGLivenessAnalysisPhase.cpp:
2106         (JSC::DFG::performLivenessAnalysis):
2107         * dfg/DFGNode.h:
2108
2109 2016-08-03  Caitlin Potter  <caitp@igalia.com>
2110
2111         Clarify SyntaxErrors around yield and unskip tests
2112         https://bugs.webkit.org/show_bug.cgi?id=158460
2113
2114         Reviewed by Saam Barati.
2115
2116         Fix and unskip tests which erroneously asserted that `yield` is not a
2117         valid BindingIdentifier, and improve error message for YieldExpressions
2118         occurring in Arrow formal parameters.
2119
2120         * parser/Parser.cpp:
2121         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
2122         (JSC::Parser<LexerType>::parseFunctionInfo):
2123         (JSC::Parser<LexerType>::parseYieldExpression):
2124         * parser/Parser.h:
2125
2126 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
2127
2128         REGRESSION(r203368): broke some test262 tests
2129         https://bugs.webkit.org/show_bug.cgi?id=160479
2130
2131         Reviewed by Mark Lam.
2132         
2133         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
2134         Accessor properties.
2135
2136         * runtime/Structure.cpp:
2137         (JSC::Structure::nonPropertyTransition):
2138         * runtime/StructureTransitionTable.h:
2139         (JSC::setsDontDeleteOnAllProperties):
2140         (JSC::setsReadOnlyOnNonAccessorProperties):
2141         (JSC::setsReadOnlyOnAllProperties): Deleted.
2142
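A JavaScript illustration of the property attributes this fix is about, added here as an example and not part of the ChangeLog entry or of JSC: after Object.freeze, a data property gains [[Writable]]: false, while an accessor property (which has no [[Writable]] attribute at all) only becomes non-configurable and its setter keeps running.

```javascript
// Constructed sample: one data property and one accessor property on the
// same object, frozen, then inspected. Strict mode is enabled inside the
// function so that a write to a read-only data property throws.
function freezeWithAccessor() {
  'use strict';
  let backing = 1;
  const obj = {
    plain: 'data',
    get acc() { return backing; },
    set acc(v) { backing = v; },
  };
  Object.freeze(obj);

  const plainDesc = Object.getOwnPropertyDescriptor(obj, 'plain');
  const accDesc = Object.getOwnPropertyDescriptor(obj, 'acc');

  // Writing through the accessor must still reach the setter after freeze.
  obj.acc = 42;

  // Writing the frozen data property is rejected (TypeError in strict mode).
  let dataWriteThrew = false;
  try {
    obj.plain = 'changed';
  } catch (e) {
    dataWriteThrew = e instanceof TypeError;
  }

  return {
    frozen: Object.isFrozen(obj),
    plainWritable: plainDesc.writable,        // false: ReadOnly was set
    plainConfigurable: plainDesc.configurable, // false: DontDelete was set
    accIsAccessor: typeof accDesc.get === 'function' && typeof accDesc.set === 'function',
    accHasWritable: 'writable' in accDesc,    // false: accessors have no [[Writable]]
    accConfigurable: accDesc.configurable,    // false: DontDelete was set
    setterRan: obj.acc,                       // 42: the setter executed
    dataWriteThrew,
  };
}

// Accessor descriptors cannot carry a writable attribute at all; asking for
// one is a TypeError. This is why freeze must not apply ReadOnly to accessors.
function accessorRejectsWritable() {
  try {
    Object.defineProperty({}, 'x', { get() { return 1; }, writable: false });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```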
2143 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
2144
2145         Lacking support on an arm-traditional disassembler.
2146         https://bugs.webkit.org/show_bug.cgi?id=123717
2147
2148         Reviewed by Mark Lam.
2149
2150         * CMakeLists.txt:
2151         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
2152         (JSC::tryToDisassemble):
2153
2154 2016-08-03  Saam Barati  <sbarati@apple.com>
2155
2156         Implement nested rest destructuring w.r.t the ES7 spec
2157         https://bugs.webkit.org/show_bug.cgi?id=160423
2158
2159         Reviewed by Filip Pizlo.
2160
2161         The spec has updated the BindingRestElement grammar production to be:
2162         BindingRestElement:
2163            BindingIdentifier
2164            BindingPattern.
2165
2166         It used to only allow BindingIdentifier in the grammar production.
2167         I've updated our engine to account for this. The semantics are exactly
2168         what you'd expect.  For example:
2169         `let [a, ...[b, ...c]] = expr();`
2170         means that we create an array for the first rest element `...[b, ...c]`
2171         and then perform the binding of `[b, ...c]` to that array. And so on,
2172         applied recursively through the pattern.
2173
2174         * bytecompiler/NodesCodegen.cpp:
2175         (JSC::RestParameterNode::collectBoundIdentifiers):
2176         (JSC::RestParameterNode::toString):
2177         (JSC::RestParameterNode::bindValue):
2178         (JSC::RestParameterNode::emit):
2179         * parser/ASTBuilder.h:
2180         (JSC::ASTBuilder::createBindingLocation):
2181         (JSC::ASTBuilder::createRestParameter):
2182         (JSC::ASTBuilder::createAssignmentElement):
2183         * parser/NodeConstructors.h:
2184         (JSC::AssignmentElementNode::AssignmentElementNode):
2185         (JSC::RestParameterNode::RestParameterNode):
2186         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2187         * parser/Nodes.h:
2188         (JSC::RestParameterNode::name): Deleted.
2189         * parser/Parser.cpp:
2190         (JSC::Parser<LexerType>::parseDestructuringPattern):
2191         (JSC::Parser<LexerType>::parseFormalParameters):
2192         * parser/SyntaxChecker.h:
2193         (JSC::SyntaxChecker::operatorStackPop):
2194
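The nested rest semantics above, as an added JavaScript example (not code from the ChangeLog or from JSC): it goes beyond the single array case in the entry and also exercises an object pattern as the rest target, rest in formal parameters, and rest in an assignment (non-declaration) pattern, the three places the patch touches.

```javascript
// Each rest element first collects the remaining elements into a fresh Array,
// then destructures that Array with the nested pattern, recursively.
function splitHeadTail(values) {
  const [head, ...[second, ...rest]] = values;
  return { head, second, rest };
}

// The rest target may be an object pattern: the collected rest is an ordinary
// Array, so its own properties (here `length`) can be picked out of it.
function countRemaining(values) {
  const [, ...{ length }] = values;
  return length;
}

// Rest in formal parameters, with a default inside the nested pattern.
function firstTwoAfter(_first, ...[a, b = 'default']) {
  return [a, b];
}

// Rest in an assignment pattern (no `let`/`const`), nested two levels deep.
function reassign(values) {
  let x, y, z;
  [x, ...[y, ...[z]]] = values;
  return [x, y, z];
}
```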
2195 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
2196
2197         [JSC] Fix Windows build after r204065
2198
2199         * dfg/DFGAbstractValue.cpp:
2200         (JSC::DFG::AbstractValue::observeTransitions):
2201         AbstractValue is bigger on Windows for an unknown reason.
2202
2203 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2204
2205         [JSC] Fix 32bits jsc after r204065
2206
2207         Default constructed JSValue() are not equal to zero in 32bits.
2208
2209         * dfg/DFGAbstractValue.h:
2210         (JSC::DFG::AbstractValue::AbstractValue):
2211
2212 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2213
2214         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2215         https://bugs.webkit.org/show_bug.cgi?id=160370
2216
2217         Reviewed by Saam Barati.
2218
2219         We use a ton of AbstractValue to run the Abstract Interpreter.
2220
2221         When we set up the initial values, the compiler sets
2222         a zero on a first word, a one on a second word, and a zero
2223         again on a third word.
2224         Since no vector or double-store can deal with 3 words, unrolling
2225         is done by repeating those instructions.
2226
2227         The reason for the one was TinyPtrSet. It needed a flag for
2228         empty value to identify the set as thin. I flipped the flag to "fat"
2229         to make sure TinyPtrSet is initialized to zero.
2230
2231         With that done, I just had to clean some places to make
2232         the initialization shorter.
2233         It makes the binary easier to follow but this does not help with
2234         the bigger problem: the time spent per block on Abstract Interpreter.
2235
2236         * bytecode/Operands.h:
2237         The traits were useless; no client code defines them.
2238
2239         (JSC::Operands::Operands):
2240         (JSC::Operands::ensureLocals):
2241         Because of the size of the function, llvm is not inlining it.
2242         We were literally loading 3 registers from memory and storing
2243         them in the vector.
2244         Now that AbstractValue has a VectorTraits, we should just rely
2245         on the memset of Vector when possible.
2246
2247         (JSC::Operands::getLocal):
2248         (JSC::Operands::setArgumentFirstTime):
2249         (JSC::Operands::setLocalFirstTime):
2250         (JSC::Operands::clear):
2251         (JSC::OperandValueTraits::defaultValue): Deleted.
2252         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2253         * bytecode/OperandsInlines.h:
2254         (JSC::Operands<T>::dumpInContext):
2255         (JSC::Operands<T>::dump):
2256         (JSC::Traits>::dumpInContext): Deleted.
2257         (JSC::Traits>::dump): Deleted.
2258         * dfg/DFGAbstractValue.cpp:
2259         * dfg/DFGAbstractValue.h:
2260         (JSC::DFG::AbstractValue::AbstractValue):
2261
2262 2016-08-02  Saam Barati  <sbarati@apple.com>
2263
2264         update a class extending null w.r.t the ES7 spec
2265         https://bugs.webkit.org/show_bug.cgi?id=160417
2266
2267         Reviewed by Keith Miller.
2268
2269         When a class extends null, it should not be marked as a derived class.
2270         This was changed in the ES2016 spec, and this patch makes the needed
2271         changes in JSC to follow the spec. This allows classes to extend
2272         null and have their default constructor invoked without throwing an exception.
2273         This also prevents |this| from being under TDZ at the start of the constructor.
2274         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2275         syntax, we don't know statically if a constructor is extending null or not.
2276         Therefore, we don't always know statically if it's a base or derived constructor.
2277         I solved this by putting a boolean on the constructor function under a private
2278         symbol named isDerivedConstructor when doing class construction. We only need
2279         to put this boolean on constructors that may extend null. Constructors that are
2280         declared in a class with no extends syntax can tell statically that they are a base constructor.
2281
2282         I've also renamed the ConstructorKind::Derived enum value to be
2283         ConstructorKind::Extends to better indicate that we can't answer
2284         the "am I a derived constructor?" question statically.
2285
2286         * builtins/BuiltinExecutables.cpp:
2287         (JSC::BuiltinExecutables::createDefaultConstructor):
2288         * builtins/BuiltinNames.h:
2289         * bytecompiler/BytecodeGenerator.cpp:
2290         (JSC::BytecodeGenerator::BytecodeGenerator):
2291         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2292         (JSC::BytecodeGenerator::emitReturn):
2293         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2294         (JSC::BytecodeGenerator::ensureThis):
2295         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2296         * bytecompiler/BytecodeGenerator.h:
2297         (JSC::BytecodeGenerator::makeFunction):
2298         * bytecompiler/NodesCodegen.cpp:
2299         (JSC::EvalFunctionCallNode::emitBytecode):
2300         (JSC::FunctionCallValueNode::emitBytecode):
2301         (JSC::FunctionNode::emitBytecode):
2302         (JSC::ClassExprNode::emitBytecode):
2303         * parser/Parser.cpp:
2304         (JSC::Parser<LexerType>::Parser):
2305         (JSC::Parser<LexerType>::parseFunctionInfo):
2306         (JSC::Parser<LexerType>::parseClass):
2307         (JSC::Parser<LexerType>::parseMemberExpression):
2308         * parser/ParserModes.h:
2309
2310 2016-08-02  Enrica Casucci  <enrica@apple.com>
2311
2312         Allow building with content filtering disabled.
2313         https://bugs.webkit.org/show_bug.cgi?id=160454
2314
2315         Reviewed by Simon Fraser.
2316
2317         * Configurations/FeatureDefines.xcconfig:
2318
2319 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2320
2321         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2322         https://bugs.webkit.org/show_bug.cgi?id=159759
2323
2324         Reviewed by Saam Barati.
2325
2326         * jit/JITMathIC.h:
2327         (JSC::JITMathIC::generateInline):
2328
2329 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2330
2331         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2332         https://bugs.webkit.org/show_bug.cgi?id=160438
2333
2334         Reviewed by Mark Lam.
2335         
2336         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2337         catching stack overflow due to large parameter count. It would only catch regular old stack
2338         overflow, like if the frame pointer was already past the limit.
2339         
2340         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2341         the stack due to large parameter count were not going down that path at all, so we haven't had
2342         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2343         case.
2344
2345         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2346         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2347         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2348         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2349         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2350         a stack frame roll back normally does, since exception unwinding needs to see the current value
2351         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2352         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2353         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2354         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2355         To signal this, I could have either made topCallFrame point to the real top JS call frame
2356         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2357         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2358         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2359         engine against this case.
2360         
2361         * interpreter/StackVisitor.cpp:
2362         (JSC::StackVisitor::StackVisitor):
2363         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2364         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2365         StackVisitor is the only place that needs to be taught about this at this time, because it's
2366         one of the few things that access topCallFrame along this special path.
2367         
2368         * jit/JITOperations.cpp: Roll back the top call frame.
2369         * runtime/CommonSlowPaths.cpp:
2370         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2371
2372 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2373
2374         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2375         https://bugs.webkit.org/show_bug.cgi?id=160439
2376
2377         Reviewed by Filip Pizlo.
2378
2379         * assembler/MacroAssemblerARM64.h:
2380         (JSC::MacroAssemblerARM64::branchTest64):
2381         * b3/air/AirOpcode.opcodes:
2382         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2383
2384 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2385
2386         [B3] Fusing immediates into test instructions should work again
2387         https://bugs.webkit.org/show_bug.cgi?id=160073
2388
2389         Reviewed by Sam Weinig.
2390
2391         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2392         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2393         was still using Imm!  This meant that isValidForm() always returned false.
2394         
2395         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2396         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2397         with the scratch register).
2398         
2399         This is not an obvious progression on anything, so I added comprehensive tests to
2400         testb3, which check that we selected the optimal instruction in a variety of situations.
2401         We should add more tests like this!
2402
2403         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2404         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2405         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2406
2407         * b3/B3BasicBlock.h:
2408         (JSC::B3::BasicBlock::successorBlock):
2409         * b3/B3LowerToAir.cpp:
2410         (JSC::B3::Air::LowerToAir::createGenericCompare):
2411         * b3/B3LowerToAir.h:
2412         * b3/air/AirArg.cpp:
2413         (JSC::B3::Air::Arg::isRepresentableAs):
2414         (JSC::B3::Air::Arg::usesTmp):
2415         * b3/air/AirArg.h:
2416         (JSC::B3::Air::Arg::isRepresentableAs):
2417         (JSC::B3::Air::Arg::castToType):
2418         (JSC::B3::Air::Arg::asNumber):
2419         * b3/air/AirCode.h:
2420         (JSC::B3::Air::Code::size):
2421         (JSC::B3::Air::Code::at):
2422         * b3/air/AirOpcode.opcodes:
2423         * b3/air/AirValidate.h:
2424         * b3/air/opcode_generator.rb:
2425         * b3/testb3.cpp:
2426         (JSC::B3::compile):
2427         (JSC::B3::compileAndRun):
2428         (JSC::B3::lowerToAirForTesting):
2429         (JSC::B3::testSomeEarlyRegister):
2430         (JSC::B3::testBranchBitAndImmFusion):
2431         (JSC::B3::zero):
2432         (JSC::B3::run):
2433
2434 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2435
2436         Rationalize varargs stack overflow checks
2437         https://bugs.webkit.org/show_bug.cgi?id=160425
2438
2439         Reviewed by Michael Saboff.
2440
2441         * ftl/FTLLink.cpp:
2442         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2443         * runtime/CommonSlowPaths.h:
2444         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2445
2446 2016-08-01  Saam Barati  <sbarati@apple.com>
2447
2448         Sub should be a Math IC
2449         https://bugs.webkit.org/show_bug.cgi?id=160270
2450
2451         Reviewed by Mark Lam.
2452
2453         This makes Sub an IC like Mul and Add. I'm seeing the following
2454         improvements of average Sub size on Unity and JetStream:
2455
2456                    |  JetStream  |  Unity 3D  |
2457              ------|-------------|------------|
2458               Old  |  202 bytes  |  205 bytes |
2459              ------|-------------|------------|
2460               New  |  134 bytes  |  134 bytes |
2461              ------|-------------|------------|
2462
2463         * bytecode/CodeBlock.cpp:
2464         (JSC::CodeBlock::addJITMulIC):
2465         (JSC::CodeBlock::addJITSubIC):
2466         (JSC::CodeBlock::findStubInfo):
2467         (JSC::CodeBlock::dumpMathICStats):
2468         * bytecode/CodeBlock.h:
2469         (JSC::CodeBlock::stubInfoBegin):
2470         (JSC::CodeBlock::stubInfoEnd):
2471         * dfg/DFGSpeculativeJIT.cpp:
2472         (JSC::DFG::SpeculativeJIT::compileArithSub):
2473         * ftl/FTLLowerDFGToB3.cpp:
2474         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2475         * jit/JITArithmetic.cpp:
2476         (JSC::JIT::emit_op_sub):
2477         (JSC::JIT::emitSlow_op_sub):
2478         (JSC::JIT::emit_op_pow):
2479         * jit/JITMathIC.h:
2480         * jit/JITMathICForwards.h:
2481         * jit/JITOperations.cpp:
2482         * jit/JITOperations.h:
2483         * jit/JITSubGenerator.cpp:
2484         (JSC::JITSubGenerator::generateInline):
2485         (JSC::JITSubGenerator::generateFastPath):
2486         * jit/JITSubGenerator.h:
2487         (JSC::JITSubGenerator::JITSubGenerator):
2488         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2489         (JSC::JITSubGenerator::isRightOperandValidConstant):
2490         (JSC::JITSubGenerator::arithProfile):
2491         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2492         (JSC::JITSubGenerator::endJumpList): Deleted.
2493         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2494
2495 2016-08-01  Keith Miller  <keith_miller@apple.com>
2496
2497         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2498         https://bugs.webkit.org/show_bug.cgi?id=160372
2499
2500         Rubber stamped by Geoffrey Garen.
2501
2502         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2503         a new top level directory, JSTests. Having the tests in the Source directory
2504         was both confusing and inconvenient for people that just want to checkout the
2505         source code of WebKit. Since there is no other obvious place to put all the
2506         JavaScript tests a new top level directory seemed the most sensible.
2507
2508         * tests/: Deleted.
2509
2510 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2511
2512         [JSC] Should check Test262Error correctly
2513         https://bugs.webkit.org/show_bug.cgi?id=159862
2514
2515         Reviewed by Saam Barati.
2516
2517         Test262Error in the harness does not have a "name" property.
2518         Rather than checking the "name" property, performing `instanceof` is better to check the class of the exception.
2519
2520         * jsc.cpp:
2521         (checkUncaughtException):
2522         * runtime/JSObject.h:
2523         * tests/test262.yaml:
2524
2525 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2526
2527         [ES6] Module binding can be exported by multiple names
2528         https://bugs.webkit.org/show_bug.cgi?id=160343
2529
2530         Reviewed by Saam Barati.
2531
2532         ES6 Module can export the same local binding by using multiple names.
2533         For example,
2534
2535             ```
2536             var value = 42;
2537
2538             export { value };
2539             export { value as value2 };
2540             ```
2541
2542         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
2543         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
2544
2545         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2546         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
2547         this information when creating the export entries in ModuleAnalyzer.
2548
2549         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2550         names should be managed per-module, not per-scope.
2551
2552         This change fixes several test262 failures.
2553
2554         * JavaScriptCore.xcodeproj/project.pbxproj:
2555         * parser/ModuleAnalyzer.cpp:
2556         (JSC::ModuleAnalyzer::exportVariable):
2557         (JSC::ModuleAnalyzer::analyze):
2558         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2559         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2560         * parser/ModuleAnalyzer.h:
2561         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2562         (JSC::ModuleScopeData::create):
2563         (JSC::ModuleScopeData::exportedBindings):
2564         (JSC::ModuleScopeData::exportName):
2565         (JSC::ModuleScopeData::exportBinding):
2566         * parser/Nodes.cpp:
2567         (JSC::ProgramNode::ProgramNode):
2568         (JSC::ModuleProgramNode::ModuleProgramNode):
2569         (JSC::EvalNode::EvalNode):
2570         (JSC::FunctionNode::FunctionNode):
2571         * parser/Nodes.h:
2572         (JSC::ModuleProgramNode::moduleScopeData):
2573         * parser/NodesAnalyzeModule.cpp:
2574         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2575         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2576         * parser/Parser.cpp:
2577         (JSC::Parser<LexerType>::Parser):
2578         (JSC::Parser<LexerType>::parseModuleSourceElements):
2579         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2580         (JSC::Parser<LexerType>::createBindingPattern):
2581         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2582         (JSC::Parser<LexerType>::parseClassDeclaration):
2583         (JSC::Parser<LexerType>::parseExportSpecifier):
2584         (JSC::Parser<LexerType>::parseExportDeclaration):
2585         * parser/Parser.h:
2586         (JSC::Parser::exportName):
2587         (JSC::Parser<LexerType>::parse):
2588         (JSC::ModuleScopeData::create): Deleted.
2589         (JSC::ModuleScopeData::exportedBindings): Deleted.
2590         (JSC::ModuleScopeData::exportName): Deleted.
2591         (JSC::ModuleScopeData::exportBinding): Deleted.
2592         (JSC::Scope::Scope): Deleted.
2593         (JSC::Scope::setSourceParseMode): Deleted.
2594         (JSC::Scope::moduleScopeData): Deleted.
2595         (JSC::Scope::setIsModule): Deleted.
2596         * tests/modules/aliased-names.js: Added.
2597         * tests/modules/aliased-names/main.js: Added.
2598         (change):
2599         * tests/stress/modules-syntax-error-with-names.js:
2600         (export.Cocoa):
2601         (SyntaxError.Cannot.export.a.duplicate.name):
2602         * tests/test262.yaml:
2603
2604 2016-07-30  Mark Lam  <mark.lam@apple.com>
2605
2606         Assertion failure while setting the length of an ArrayClass array.
2607         https://bugs.webkit.org/show_bug.cgi?id=160381
2608         <rdar://problem/27328703>
2609
2610         Reviewed by Filip Pizlo.
2611
2612         When setting large length values, we're currently treating ArrayClass as a
2613         ContiguousIndexingType array.  This results in an assertion failure.  This is
2614         now fixed.
2615
2616         There are currently only 2 places where we create arrays with indexing type
2617         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2618         takes care of ArrayPrototype.
2619
2620         RuntimeArray already checks for the setting of its length property, and will
2621         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
2622         Instead, I added some test cases to ensure that the check and throw behavior does
2623         not change without notice.
2624
2625         * runtime/JSArray.cpp:
2626         (JSC::JSArray::setLength):
2627         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2628         (toString):
2629         (assertEqual):
2630         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2631         (toString):
2632         (assertEqual):
2633
2634 2016-07-29  Keith Miller  <keith_miller@apple.com>
2635
2636         TypedArray super constructor has some incompatibilities
2637         https://bugs.webkit.org/show_bug.cgi?id=160369
2638
2639         Reviewed by Filip Pizlo.
2640
2641         This patch fixes the length property of the TypedArray super constructor.
2642         Additionally, the TypedArray super constructor should no longer be callable.
2643
2644         Also, this patch fixes the expected result of some test262 tests.
2645
2646         * runtime/JSTypedArrayViewConstructor.cpp:
2647         (JSC::JSTypedArrayViewConstructor::finishCreation):
2648         (JSC::constructTypedArrayView):
2649         (JSC::JSTypedArrayViewConstructor::getCallData):
2650         * tests/test262.yaml:
2651
2652 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2653
2654         Undefined Behavior in JSValue cast from NaN
2655         https://bugs.webkit.org/show_bug.cgi?id=160322
2656
2657         Reviewed by Mark Lam.
2658
2659         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2660
2661         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2662         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2663         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2664         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
2665         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
2666
2667         * runtime/JSCJSValueInlines.h:
2668         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
2669
2670 2016-07-29  Michael Saboff  <msaboff@apple.com>
2671
2672         Refactor DFG::Node::hasLocal() to accessesStack()
2673         https://bugs.webkit.org/show_bug.cgi?id=160357
2674
2675         Reviewed by Filip Pizlo.
2676
2677         Refactoring in preparation for using register arguments for JavaScript calls.
2678
2679         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2680         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2681         use guards stack operation logic associated with the Node's VariableAccessData.
2682
2683         The hasVariableAccessData() check now implies no more than that the node has a
2684         VariableAccessData and nothing about its use of that data to coordinate stack
2685         accesses.
2686
2687         * dfg/DFGGraph.cpp:
2688         (JSC::DFG::Graph::dump):
2689         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2690         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2691         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2692         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2693         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2694         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2695         * dfg/DFGNode.h:
2696         (JSC::DFG::Node::containsMovHint):
2697         (JSC::DFG::Node::accessesStack):
2698         (JSC::DFG::Node::hasLocal): Deleted.
2699         * dfg/DFGPredictionInjectionPhase.cpp:
2700         (JSC::DFG::PredictionInjectionPhase::run):
2701         * dfg/DFGValidate.cpp:
2702
2703 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2704
2705         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2706         https://bugs.webkit.org/show_bug.cgi?id=160346
2707
2708         Reviewed by Geoffrey Garen.
2709
2710         In Air, we minimized memory accesses during liveness analysis
2711         with a couple of tricks:
2712         -Use a single Sparse Set ADT for the live value of each block.
2713         -Manipulate compact positive indices instead of hashing values.
2714
2715         This patch brings the same ideas to DFG.
2716
2717         This patch still uses the same fixpoint algorithms.
2718         The reason is Edge's KillStatus used by other phases. We cannot
2719         use a block-boundary liveness algorithm and update KillStatus
2720         simultaneously. It's something I'll probably revisit at some point.
2721
2722         * dfg/DFGAbstractInterpreterInlines.h:
2723         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2724         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2725         * dfg/DFGBasicBlock.h:
2726         * dfg/DFGGraph.h:
2727         (JSC::DFG::Graph::maxNodeCount):
2728         (JSC::DFG::Graph::nodeAt):
2729         * dfg/DFGInPlaceAbstractState.cpp:
2730         (JSC::DFG::setLiveValues):
2731         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2732         * dfg/DFGLivenessAnalysisPhase.cpp:
2733         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2734         (JSC::DFG::LivenessAnalysisPhase::run):
2735         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2736         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2737         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2738
2739 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2740
2741         Unreviewed, ByValInfo is only used in JIT enabled environments
2742         https://bugs.webkit.org/show_bug.cgi?id=158908
2743
2744         * bytecode/CodeBlock.cpp:
2745         (JSC::CodeBlock::stronglyVisitStrongReferences):
2746
2747 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2748
2749         JSC::Symbol should be hash-consed
2750         https://bugs.webkit.org/show_bug.cgi?id=158908
2751
2752         Reviewed by Filip Pizlo.
2753
2754         Previously, the SymbolImpls held by symbols represented the identity of symbols.
2755         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
2756
2757         This patch performs hash-consing on the symbols. We cache symbols in a per-VM SymbolImpl-keyed WeakGCMap.
2758         When creating a new symbol from a SymbolImpl, we first query this map and reuse the previously created symbol
2759         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2760         pointer comparison to query the equality of symbols.
2761
2762         This change drops SymbolImpl loads when checking equality. Furthermore, we can use DFG CheckCell on a symbol
2763         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2764         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2765         case is handled by CheckCell.
2766
2767         Additionally, this patch also cleans up the Map / Set implementation since we can use the logic for JSCell on symbols.
2768
2769         The performance effects in the related benchmarks are the following.
2770
2771                                                                baseline                   patch
2772
2773             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2774             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2775             fold-put-by-val-with-symbol-to-multi-put-by-offset
2776                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2777             inlined-put-by-val-with-symbol-transition
2778                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2779             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2780             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2781                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2782             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2783             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2784             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2785             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2786             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2787                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2788             get-by-val-with-symbol-chain-from-try-block
2789                                                             2.2316+-0.0179            2.2137+-0.0210
2790             get-by-val-with-symbol-bimorphic-check-structure-elimination
2791                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2792             get-by-val-with-symbol-check-structure-elimination
2793                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2794             put-by-val-with-symbol-slightly-polymorphic
2795                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2796             put-by-val-with-symbol-replace-and-transition
2797                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2798
2799             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2800
2801         * bytecode/ByValInfo.h:
2802         * bytecode/CodeBlock.cpp:
2803         (JSC::CodeBlock::stronglyVisitStrongReferences):
2804         * dfg/DFGAbstractInterpreterInlines.h:
2805         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2806         * dfg/DFGByteCodeParser.cpp:
2807         (JSC::DFG::ByteCodeParser::parseBlock):
2808         * dfg/DFGClobberize.h:
2809         (JSC::DFG::clobberize):
2810         * dfg/DFGConstantFoldingPhase.cpp:
2811         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2812         * dfg/DFGDoesGC.cpp:
2813         (JSC::DFG::doesGC):
2814         * dfg/DFGFixupPhase.cpp:
2815         (JSC::DFG::FixupPhase::fixupNode):
2816         * dfg/DFGNode.h:
2817         (JSC::DFG::Node::hasUidOperand):
2818         * dfg/DFGNodeType.h:
2819         * dfg/DFGPredictionPropagationPhase.cpp:
2820         * dfg/DFGSafeToExecute.h:
2821         (JSC::DFG::safeToExecute):
2822         * dfg/DFGSpeculativeJIT.cpp:
2823         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2824         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2825         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2826         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2827         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2828         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2829         * dfg/DFGSpeculativeJIT.h:
2830         * dfg/DFGSpeculativeJIT32_64.cpp:
2831         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2832         (JSC::DFG::SpeculativeJIT::compile):
2833         * dfg/DFGSpeculativeJIT64.cpp:
2834         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2835         (JSC::DFG::SpeculativeJIT::compile):
2836         * ftl/FTLAbstractHeapRepository.h:
2837         * ftl/FTLCapabilities.cpp:
2838         (JSC::FTL::canCompile):
2839         * ftl/FTLLowerDFGToB3.cpp:
2840         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2841         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2842         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2843         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2844         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2845         * jit/JIT.h:
2846         * jit/JITOperations.cpp:
2847         (JSC::tryGetByValOptimize):
2848         * jit/JITPropertyAccess.cpp:
2849         (JSC::JIT::emitGetByValWithCachedId):
2850         (JSC::JIT::emitPutByValWithCachedId):
2851         (JSC::JIT::emitByValIdentifierCheck):
2852         (JSC::JIT::privateCompileGetByValWithCachedId):
2853         (JSC::JIT::privateCompilePutByValWithCachedId):
2854         (JSC::JIT::emitIdentifierCheck): Deleted.
2855         * jit/JITPropertyAccess32_64.cpp:
2856         (JSC::JIT::emitGetByValWithCachedId):
2857         (JSC::JIT::emitPutByValWithCachedId):
2858         * runtime/JSCJSValue.cpp:
2859         (JSC::JSValue::dumpInContextAssumingStructure):
2860         * runtime/JSCJSValueInlines.h:
2861         (JSC::JSValue::equalSlowCaseInline):
2862         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2863         * runtime/JSFunction.cpp:
2864         (JSC::JSFunction::setFunctionName):
2865         * runtime/MapData.h:
2866         * runtime/MapDataInlines.h:
2867         (JSC::JSIterator>::clear): Deleted.
2868         (JSC::JSIterator>::find): Deleted.
2869         (JSC::JSIterator>::add): Deleted.
2870         (JSC::JSIterator>::remove): Deleted.
2871         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2872         * runtime/Symbol.cpp:
2873         (JSC::Symbol::finishCreation):
2874         (JSC::Symbol::create):
2875         * runtime/Symbol.h:
2876         * runtime/VM.cpp:
2877         (JSC::VM::VM):
2878         * runtime/VM.h:
2879         * tests/stress/symbol-equality-over-gc.js: Added.
2880         (shouldBe):
2881         (test):
2882
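Added example, not JavaScriptCore's code: hash-consing symbols by SymbolImpl with weak map entries, so that exactly one Symbol exists per live SymbolImpl and equality reduces to pointer comparison, as the entry above describes. SymbolRegistry and its members are hypothetical stand-ins for the per-VM WeakGCMap.

```cpp
// Added example, not JavaScriptCore's code. SymbolRegistry is a hypothetical
// stand-in for the per-VM SymbolImpl-keyed WeakGCMap described above.
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

struct SymbolImpl {
    std::string description;
    explicit SymbolImpl(std::string d) : description(std::move(d)) {}
};

struct Symbol {
    std::shared_ptr<SymbolImpl> impl; // the underlying uid
    explicit Symbol(std::shared_ptr<SymbolImpl> i) : impl(std::move(i)) {}
};

class SymbolRegistry {
public:
    // Returns the canonical Symbol for impl, creating one only if no live
    // Symbol exists for that impl. Entries are weak: the cache never keeps a
    // Symbol alive on its own, mirroring a GC weak map.
    std::shared_ptr<Symbol> create(const std::shared_ptr<SymbolImpl>& impl)
    {
        auto it = m_map.find(impl.get());
        if (it != m_map.end()) {
            if (auto existing = it->second.lock())
                return existing; // reuse: one Symbol per SymbolImpl
            m_map.erase(it);     // the cached Symbol died; recreate it
        }
        auto symbol = std::make_shared<Symbol>(impl);
        m_map[impl.get()] = symbol;
        return symbol;
    }

    // After interning, identity is pointer identity: no SymbolImpl loads.
    static bool equal(const Symbol* a, const Symbol* b) { return a == b; }

    // Number of entries whose Symbol is still alive; stale entries are pruned.
    size_t liveCount()
    {
        for (auto it = m_map.begin(); it != m_map.end();) {
            if (it->second.expired())
                it = m_map.erase(it);
            else
                ++it;
        }
        return m_map.size();
    }

private:
    std::unordered_map<const SymbolImpl*, std::weak_ptr<Symbol>> m_map;
};
```
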
2883 2016-07-28  Mark Lam  <mark.lam@apple.com>
2884
2885         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2886         https://bugs.webkit.org/show_bug.cgi?id=160324
2887         <rdar://problem/27389572>
2888
2889         Reviewed by Keith Miller.
2890
2891         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2892         generate the error string even when the name string can be a single character
2893         string.  This is incorrect.  We should be using jsString() instead.
2894
2895         * runtime/ErrorPrototype.cpp:
2896         (JSC::errorProtoFuncToString):
2897         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
2898
2899 2016-07-28  Michael Saboff  <msaboff@apple.com>
2900
2901         ARM64: Fused left shift with a right shift can create NaNs from integers
2902         https://bugs.webkit.org/show_bug.cgi?id=160329
2903
2904         Reviewed by Geoffrey Garen.
2905
2906         When we fuse a left shift and a right shift of integers where the shift amounts
2907         are the same and the size of the quantity being shifted is 8 bits, we rightly
2908         generate a sign extend byte instruction.  On ARM64, we were sign extending
2909         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2910
2911         Checking the ARM64 macro assembler, we were extending to 64 bits for all
2912         four combinations of zero / sign and 8 / 16 bits.
2913
2914         * assembler/MacroAssemblerARM64.h:
2915         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2916         (JSC::MacroAssemblerARM64::signExtend16To32):
2917         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2918         (JSC::MacroAssemblerARM64::signExtend8To32):
2919         * tests/stress/regress-160329.js: New test added.
2920         (narrow):
2921
2922 2016-07-28  Mark Lam  <mark.lam@apple.com>
2923
2924         StringView should have an explicit m_is8Bit field.
2925         https://bugs.webkit.org/show_bug.cgi?id=160282
2926         <rdar://problem/27327943>
2927
2928         Reviewed by Benjamin Poulain.
2929
2930         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2931         (catch):
2932
2933 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2934
2935         [ARM] Typo fix after r121885
2936         https://bugs.webkit.org/show_bug.cgi?id=160288
2937
2938         Reviewed by Zoltan Herczeg.
2939
2940         * assembler/MacroAssemblerARM.h:
2941         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2942
2943 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2944
2945         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2946         https://bugs.webkit.org/show_bug.cgi?id=159711
2947
2948         Reviewed by Mark Lam.
2949
2950         * assembler/ARMAssembler.cpp:
2951         (JSC::ARMAssembler::prepareExecutableCopy):
2952
2953 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2954
2955         [JSC] Remove some unused code from FTL
2956         https://bugs.webkit.org/show_bug.cgi?id=160285
2957
2958         Reviewed by Mark Lam.
2959
2960         All the liveness and swapping is done inside B3,
2961         this code is no longer needed.
2962
2963         * dfg/DFGEdge.h:
2964         (JSC::DFG::Edge::doesNotKill): Deleted.
2965         * ftl/FTLLowerDFGToB3.cpp:
2966         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2967
2968 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2969
2970         [JSC] DFG::Node should not have its own allocator
2971         https://bugs.webkit.org/show_bug.cgi?id=160098
2972
2973         Reviewed by Geoffrey Garen.
2974
2975         We need some design changes for DFG::Node:
2976         -Accessing the index must be fast. B3 uses indices for sets
2977          and maps, which is a lot faster than hashing pointers.
2978         -We should be able to subclass DFG::Node to specialize it.
2979
2980         * CMakeLists.txt:
2981         * JavaScriptCore.xcodeproj/project.pbxproj:
2982         * dfg/DFGAllocator.h: Removed.
2983         (JSC::DFG::Allocator::Region::size): Deleted.
2984         (JSC::DFG::Allocator::Region::headerSize): Deleted.
2985         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
2986         (JSC::DFG::Allocator::Region::data): Deleted.
2987         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
2988         (JSC::DFG::Allocator::Region::regionFor): Deleted.
2989         (JSC::DFG::Allocator<T>::Allocator): Deleted.
2990         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
2991         (JSC::DFG::Allocator<T>::allocate): Deleted.
2992         (JSC::DFG::Allocator<T>::free): Deleted.
2993         (JSC::DFG::Allocator<T>::freeAll): Deleted.
2994         (JSC::DFG::Allocator<T>::reset): Deleted.
2995         (JSC::DFG::Allocator<T>::indexOf): Deleted.
2996         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
2997         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
2998         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
2999         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3000         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3001         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3002         * dfg/DFGByteCodeParser.cpp:
3003         (JSC::DFG::ByteCodeParser::addToGraph):
3004         * dfg/DFGCPSRethreadingPhase.cpp:
3005         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3006         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3007         * dfg/DFGCleanUpPhase.cpp:
3008         (JSC::DFG::CleanUpPhase::run):
3009         * dfg/DFGConstantFoldingPhase.cpp:
3010         (JSC::DFG::ConstantFoldingPhase::run):
3011         * dfg/DFGConstantHoistingPhase.cpp:
3012         * dfg/DFGDCEPhase.cpp:
3013         (JSC::DFG::DCEPhase::fixupBlock):
3014         * dfg/DFGDriver.cpp:
3015         (JSC::DFG::compileImpl):
3016         * dfg/DFGGraph.cpp:
3017         (JSC::DFG::Graph::Graph):
3018         (JSC::DFG::Graph::deleteNode):
3019         (JSC::DFG::Graph::killBlockAndItsContents):
3020         (JSC::DFG::Graph::~Graph): Deleted.
3021         * dfg/DFGGraph.h:
3022         (JSC::DFG::Graph::addNode):
3023         * dfg/DFGLICMPhase.cpp:
3024         (JSC::DFG::LICMPhase::attemptHoist):
3025         * dfg/DFGLongLivedState.cpp: Removed.
3026         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3027         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3028         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3029         * dfg/DFGLongLivedState.h: Removed.
3030         * dfg/DFGNode.cpp:
3031         (JSC::DFG::Node::index): Deleted.
3032         * dfg/DFGNode.h:
3033         (JSC::DFG::Node::index):
3034         * dfg/DFGNodeAllocator.h: Removed.
3035         (operator new ): Deleted.
3036         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3037         * dfg/DFGPlan.cpp:
3038         (JSC::DFG::Plan::compileInThread):
3039         (JSC::DFG::Plan::compileInThreadImpl):
3040         * dfg/DFGPlan.h:
3041         * dfg/DFGSSAConversionPhase.cpp:
3042         (JSC::DFG::SSAConversionPhase::run):
3043         * dfg/DFGWorklist.cpp:
3044         (JSC::DFG::Worklist::runThread):
3045         * runtime/VM.cpp:
3046         (JSC::VM::VM): Deleted.
3047         * runtime/VM.h:
3048
3049 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
3050
3051         [JSC] Fix a bunch of use-after-free of DFG::Node
3052         https://bugs.webkit.org/show_bug.cgi?id=160228
3053
3054         Reviewed by Mark Lam.
3055
3056         FTL had a few places where we use a node after it has been
3057         deleted. The dangling pointers come from the SSA liveness information
3058         kept on the basic blocks.
3059
3060         This patch fixes the issues I could find and adds liveness invalidation
3061         to help finding dependencies like these.
3062
3063         * dfg/DFGBasicBlock.h:
3064         (JSC::DFG::BasicBlock::SSAData::invalidate):
3065
3066         * dfg/DFGConstantFoldingPhase.cpp:
3067         (JSC::DFG::ConstantFoldingPhase::run):
3068         Constant folding phase was deleting nodes in the loop over basic blocks.
3069         The problem is the deleted nodes can be referenced by other blocks.
3070         When the abstract interpreter was manipulating the abstract values of those
3071         it was doing so on the dead nodes.
3072
3073         * dfg/DFGConstantHoistingPhase.cpp:
3074         Just invalidation. Nothing wrong here since the useless nodes were
3075         kept live while iterating the blocks.
3076
3077         * dfg/DFGGraph.cpp:
3078         (JSC::DFG::Graph::killBlockAndItsContents):
3079         (JSC::DFG::Graph::killUnreachableBlocks):
3080         (JSC::DFG::Graph::invalidateNodeLiveness):
3081
3082         * dfg/DFGGraph.h:
3083         * dfg/DFGPlan.cpp:
3084         (JSC::DFG::Plan::compileInThreadImpl):
3085         We had a lot of use-after-free in LICM because we were using the stale
3086         live nodes deleted by previous phases.
3087
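Added example, not JavaScriptCore's code: the invalidation pattern the entry above describes, where deleting a node clears every block's cached liveness and a read of invalidated liveness fails loudly instead of handing back dangling Node pointers. Graph, BasicBlock, SSAData and their members are hypothetical stand-ins for the DFG types named above.

```cpp
// Added example, not JavaScriptCore's code. Graph, BasicBlock, SSAData and
// their members are hypothetical stand-ins for the DFG types named above.
#include <algorithm>
#include <memory>
#include <stdexcept>
#include <vector>

struct Node { unsigned index = 0; };

struct SSAData {
    std::vector<Node*> liveAtHead;
    bool valid = false;
    // Drop the cached set: any Node* in it may now point at freed memory.
    void invalidate() { liveAtHead.clear(); valid = false; }
};

struct BasicBlock {
    std::vector<Node*> nodes;
    SSAData ssa;
};

class Graph {
public:
    BasicBlock* addBlock()
    {
        m_blocks.push_back(std::make_unique<BasicBlock>());
        return m_blocks.back().get();
    }

    Node* addNode(BasicBlock* block)
    {
        m_nodes.push_back(std::make_unique<Node>());
        m_nodes.back()->index = static_cast<unsigned>(m_nodes.size() - 1);
        block->nodes.push_back(m_nodes.back().get());
        return m_nodes.back().get();
    }

    // Freeing a node invalidates liveness first: another block's liveAtHead
    // may still name this node, which is the dangling pointer described above.
    void deleteNode(Node* node)
    {
        invalidateNodeLiveness();
        for (auto& block : m_blocks) {
            auto& v = block->nodes;
            v.erase(std::remove(v.begin(), v.end(), node), v.end());
        }
        auto it = std::find_if(m_nodes.begin(), m_nodes.end(),
            [node](const std::unique_ptr<Node>& p) { return p.get() == node; });
        if (it != m_nodes.end())
            it->reset(); // the Node is really freed here
    }

    void invalidateNodeLiveness()
    {
        for (auto& block : m_blocks)
            block->ssa.invalidate();
    }

    // Toy recomputation: a block's nodes are live at the head of the next
    // block. The real phase is a fixpoint; only the valid flag matters here.
    void computeLiveness()
    {
        for (size_t i = 0; i < m_blocks.size(); ++i) {
            if (i)
                m_blocks[i]->ssa.liveAtHead = m_blocks[i - 1]->nodes;
            m_blocks[i]->ssa.valid = true;
        }
    }

    // The only sanctioned way to read liveness: stale data is refused.
    const std::vector<Node*>& liveAtHead(const BasicBlock* block) const
    {
        if (!block->ssa.valid)
            throw std::logic_error("liveness read after node deletion");
        return block->ssa.liveAtHead;
    }

private:
    std::vector<std::unique_ptr<Node>> m_nodes;
    std::vector<std::unique_ptr<BasicBlock>> m_blocks;
};

// True when a liveness read that would have yielded a freed Node is caught.
inline bool staleLivenessReadIsCaught()
{
    Graph g;
    Node* n = g.addNode(g.addBlock());
    BasicBlock* b = g.addBlock();
    g.computeLiveness();
    if (g.liveAtHead(b).size() != 1 || g.liveAtHead(b)[0] != n)
        return false;
    g.deleteNode(n); // n is freed; b's cached liveness used to name it
    try {
        (void)g.liveAtHead(b);
        return false; // a stale pointer was handed back: the bug
    } catch (const std::logic_error&) {
        return true;
    }
}
```
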
3088 2016-07-27  Keith Miller  <keith_miller@apple.com>
3089
3090         concatAppendOne should allocate using the indexing type of the array if it cannot merge
3091         https://bugs.webkit.org/show_bug.cgi?id=160261
3092         <rdar://problem/27530122>
3093
3094         Reviewed by Mark Lam.
3095
3096         Before, if we could not merge the indexing types for copying, we would allocate
3097         the array as ArrayWithUndecided. Instead, we should allocate an array with the original
3098         array's indexing type.
3099
3100         * runtime/ArrayPrototype.cpp:
3101         (JSC::concatAppendOne):
3102         * tests/stress/concat-append-one-with-sparse-array.js: Added.
3103
3104 2016-07-27  Saam Barati  <sbarati@apple.com>
3105
3106         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
3107         https://bugs.webkit.org/show_bug.cgi?id=160211
3108         <rdar://problem/27572612>
3109
3110         Reviewed by Geoffrey Garen.
3111
3112         The fast for-in iteration mode assumes all inline/out-of-line properties
3113         can be iterated in linear order. This is not true if we have Symbols
3114         because Symbols should not be iterated by for-in.
3115
3116         * runtime/Structure.cpp:
3117         (JSC::Structure::add):
3118         * tests/stress/symbol-should-not-break-for-in.js: Added.
3119         (assert):
3120         (foo):
3121
3122 2016-07-27  Mark Lam  <mark.lam@apple.com>
3123
3124         The second argument for Function.prototype.apply should be array-like or null/undefined.
3125         https://bugs.webkit.org/show_bug.cgi?id=160212
3126         <rdar://problem/27328525>
3127
3128         Reviewed by Filip Pizlo.
3129
3130         The spec for Function.prototype.apply says its second argument can only be null,
3131         undefined, or must be array-like.  See
3132         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
3133         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
3134
3135         Our previous implementation was not handling this correctly for SymbolType.
3136         This is now fixed.
3137
3138         * interpreter/Interpreter.cpp:
3139         (JSC::sizeOfVarargs):
3140         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
3141
3142 2016-07-27  Saam Barati  <sbarati@apple.com>
3143
3144         MathICs should be able to emit only a jump along the inline path when they don't have any type data
3145         https://bugs.webkit.org/show_bug.cgi?id=160110
3146
3147         Reviewed by Mark Lam.
3148
3149         This patch allows for MathIC fast-path generation to be delayed.
3150         We delay when we don't see any observed type information for
3151         the lhs/rhs operand, which implies that the MathIC has never
3152         executed. This is profitable for two main reasons:
3153         1. If the math operation never executes, we emit much less code.
3154         2. Once we get type information for the lhs/rhs, we can emit better code.
3155
3156         To implement this, we just emit a jump to the slow path call
3157         that will repatch on first execution.
3158
3159         New data for add:
3160                    |   JetStream  |  Unity 3D  |
3161              ------| -------------|--------------
3162               Old  |   148 bytes  |  143 bytes |
3163              ------| -------------|--------------
3164               New  |   116  bytes |  113 bytes |
3165              ------------------------------------
3166
3167         New data for mul:
3168                    |   JetStream  |  Unity 3D  |
3169              ------| -------------|--------------
3170               Old  |   210 bytes  |  185 bytes |
3171              ------| -------------|--------------
3172               New  |   170  bytes |  137 bytes |
3173              ------------------------------------
3174
3175         * jit/JITAddGenerator.cpp:
3176         (JSC::JITAddGenerator::generateInline):
3177         * jit/JITAddGenerator.h:
3178         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3179         (JSC::JITAddGenerator::isRightOperandValidConstant):
3180         (JSC::JITAddGenerator::arithProfile):
3181         * jit/JITMathIC.h:
3182         (JSC::JITMathIC::generateInline):
3183         (JSC::JITMathIC::generateOutOfLine):
3184         (JSC::JITMathIC::finalizeInlineCode):
3185         * jit/JITMathICInlineResult.h:
3186         * jit/JITMulGenerator.cpp:
3187         (JSC::JITMulGenerator::generateInline):
3188         * jit/JITMulGenerator.h:
3189         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3190         (JSC::JITMulGenerator::isRightOperandValidConstant):
3191         (JSC::JITMulGenerator::arithProfile):
3192         * jit/JITOperations.cpp:
3193
3194 2016-07-26  Saam Barati  <sbarati@apple.com>
3195
3196         rollout r203666
3197         https://bugs.webkit.org/show_bug.cgi?id=160226
3198
3199         Unreviewed rollout.
3200
3201         * b3/B3BasicBlock.h:
3202         (JSC::B3::BasicBlock::successorBlock):
3203         * b3/B3LowerToAir.cpp:
3204         (JSC::B3::Air::LowerToAir::createGenericCompare):
3205         * b3/B3LowerToAir.h:
3206         * b3/air/AirArg.cpp:
3207         (JSC::B3::Air::Arg::isRepresentableAs):
3208         (JSC::B3::Air::Arg::usesTmp):
3209         * b3/air/AirArg.h:
3210         (JSC::B3::Air::Arg::isRepresentableAs):
3211         (JSC::B3::Air::Arg::asNumber):
3212         (JSC::B3::Air::Arg::castToType): Deleted.
3213         * b3/air/AirCode.h:
3214         (JSC::B3::Air::Code::size):
3215         (JSC::B3::Air::Code::at):
3216         * b3/air/AirOpcode.opcodes:
3217         * b3/air/AirValidate.h:
3218         * b3/air/opcode_generator.rb:
3219         * b3/testb3.cpp:
3220         (JSC::B3::compileAndRun):
3221         (JSC::B3::testSomeEarlyRegister):
3222         (JSC::B3::zero):
3223         (JSC::B3::run):
3224         (JSC::B3::lowerToAirForTesting): Deleted.
3225         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3226
3227 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3228
3229         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3230         https://bugs.webkit.org/show_bug.cgi?id=159409
3231
3232         Reviewed by Geoffrey Garen.
3233
3234         * runtime/ObjectConstructor.cpp:
3235         (JSC::objectConstructorGetOwnPropertyDescriptors):
3236         * tests/es6.yaml:
3237         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3238         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3239         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3240         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3241         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
3242
3243 2016-07-26  Mark Lam  <mark.lam@apple.com>
3244
3245         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3246         https://bugs.webkit.org/show_bug.cgi?id=160203
3247
3248         Reviewed by Keith Miller.
3249
3250         * bytecompiler/BytecodeGenerator.cpp:
3251         (JSC::BytecodeGenerator::emitDebugHook):
3252
3253 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3254
3255         Unreviewed, rolling out r203703.
3256
3257         It breaks some internal tests
3258
3259         Reverted changeset:
3260
3261         "[JSC] DFG::Node should not have its own allocator"
3262         https://bugs.webkit.org/show_bug.cgi?id=160098
3263         http://trac.webkit.org/changeset/203703
3264
3265 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3266
3267         [JSC] DFG::Node should not have its own allocator
3268         https://bugs.webkit.org/show_bug.cgi?id=160098
3269
3270         Reviewed by Geoffrey Garen.
3271
3272         We need some design changes for DFG::Node:
3273         -Accessing the index must be fast. B3 uses indices for sets
3274          and maps, which is a lot faster than hashing pointers.
3275         -We should be able to subclass DFG::Node to specialize it.
3276
3277         * CMakeLists.txt:
3278         * JavaScriptCore.xcodeproj/project.pbxproj:
3279         * dfg/DFGAllocator.h: Removed.
3280         (JSC::DFG::Allocator::Region::size): Deleted.
3281         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3282         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3283         (JSC::DFG::Allocator::Region::data): Deleted.
3284         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3285         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3286         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3287         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3288         (JSC::DFG::Allocator<T>::allocate): Deleted.
3289         (JSC::DFG::Allocator<T>::free): Deleted.
3290         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3291         (JSC::DFG::Allocator<T>::reset): Deleted.
3292         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3293         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3294         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3295         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3296         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3297         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3298         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3299         * dfg/DFGByteCodeParser.cpp:
3300         (JSC::DFG::ByteCodeParser::addToGraph):
3301         * dfg/DFGCPSRethreadingPhase.cpp:
3302         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3303         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3304         * dfg/DFGCleanUpPhase.cpp:
3305         (JSC::DFG::CleanUpPhase::run):
3306         * dfg/DFGConstantFoldingPhase.cpp:
3307         (JSC::DFG::ConstantFoldingPhase::run):
3308         * dfg/DFGConstantHoistingPhase.cpp:
3309         * dfg/DFGDCEPhase.cpp:
3310         (JSC::DFG::DCEPhase::fixupBlock):
3311         * dfg/DFGDriver.cpp:
3312         (JSC::DFG::compileImpl):
3313         * dfg/DFGGraph.cpp:
3314         (JSC::DFG::Graph::Graph):
3315         (JSC::DFG::Graph::deleteNode):
3316         (JSC::DFG::Graph::killBlockAndItsContents):
3317         (JSC::DFG::Graph::~Graph): Deleted.
3318         * dfg/DFGGraph.h:
3319         (JSC::DFG::Graph::addNode):
3320         * dfg/DFGLICMPhase.cpp:
3321         (JSC::DFG::LICMPhase::attemptHoist):
3322         * dfg/DFGLongLivedState.cpp: Removed.
3323         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3324         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3325         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3326         * dfg/DFGLongLivedState.h: Removed.
3327         * dfg/DFGNode.cpp:
3328         (JSC::DFG::Node::index): Deleted.
3329         * dfg/DFGNode.h:
3330         (JSC::DFG::Node::index):
3331         * dfg/DFGNodeAllocator.h: Removed.
3332         (operator new ): Deleted.
3333         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3334         * dfg/DFGPlan.cpp:
3335         (JSC::DFG::Plan::compileInThread):
3336         (JSC::DFG::Plan::compileInThreadImpl):
3337         * dfg/DFGPlan.h:
3338         * dfg/DFGSSAConversionPhase.cpp:
3339         (JSC::DFG::SSAConversionPhase::run):
3340         * dfg/DFGWorklist.cpp:
3341         (JSC::DFG::Worklist::runThread):
3342         * runtime/VM.cpp:
3343         (JSC::VM::VM): Deleted.
3344         * runtime/VM.h:
3345
3346 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
3347
3348         AssemblyHelpers should own all of the cell allocation meth