5cece2fe7cb575191808da23d146d5611eaf04ec
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-02-28  Andreas Kling  <akling@apple.com>
2
3         Make JSFunction.name allocation fully lazy.
4         <https://webkit.org/b/154806>
5
6         Reviewed by Saam Barati.
7
8         We were reifying the "name" field on functions lazily, but created the string
9         value itself up front. This patch gets rid of the up-front allocation,
10         saving us a JSString allocation per function in most cases.
11
12         * builtins/BuiltinExecutables.cpp:
13         (JSC::createExecutableInternal):
14         * bytecode/UnlinkedFunctionExecutable.cpp:
15         (JSC::UnlinkedFunctionExecutable::visitChildren):
16         * bytecode/UnlinkedFunctionExecutable.h:
17         * runtime/CodeCache.cpp:
18         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
19         * runtime/Executable.h:
20         * runtime/JSFunction.cpp:
21         (JSC::JSFunction::reifyName):
22
23 2016-02-28  Andreas Kling  <akling@apple.com>
24
25         REGRESSION(r197303): 4 jsc tests failing on bots.
26
27         Unreviewed follow-up fix.
28
29         * bytecode/UnlinkedCodeBlock.cpp:
30         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
31         can still get called with !m_rareData, in case the type profiler is active but this
32         particular code block doesn't have type profiler data. Handle it gracefully.
33
34 2016-02-28  Andreas Kling  <akling@apple.com>
35
36         Shrink UnlinkedCodeBlock a bit.
37         <https://webkit.org/b/154797>
38
39         Reviewed by Anders Carlsson.
40
41         Move profiler-related members of UnlinkedCodeBlock into its RareData
42         structure, saving 40 bytes, and then reorder the other members of
43         UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
44
45         The VM member was removed entirely since UnlinkedCodeBlock is a cell
46         and can retrieve its VM through MarkedBlock header lookup.
47
48         * bytecode/UnlinkedCodeBlock.cpp:
49         (JSC::UnlinkedCodeBlock::vm):
50         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
51         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
52         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
53         * bytecode/UnlinkedCodeBlock.h:
54         (JSC::UnlinkedCodeBlock::addRegExp):
55         (JSC::UnlinkedCodeBlock::addConstant):
56         (JSC::UnlinkedCodeBlock::addFunctionDecl):
57         (JSC::UnlinkedCodeBlock::addFunctionExpr):
58         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
59         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
60         (JSC::UnlinkedCodeBlock::vm): Deleted.
61
62 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
63
64         FTL should lower its abstract heaps to B3 heap ranges
65         https://bugs.webkit.org/show_bug.cgi?id=154782
66
67         Reviewed by Saam Barati.
68
69         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
70         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
71         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
72         notion - the HeapRange. That's what this patch fixes.
73
74         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
75         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
76         affects by specifying a heap range: a begin...end pair that says that the operation
77         affects all abstract heaps H such that begin <= H < end.
78
79         This peculiar scheme was a deliberate attempt to distill what the abstract heap
80         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
81
82         - A heap's end is greater than its begin.
83         - A heap's begin is greater than or equal to its parent's begin.
84         - A heap's end is less than or equal to its parent's end.
85
86         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
87         went for the iterative traversal, which is a splendid algorithm, but it's totally
88         unnecessary here since we tightly control the height of the heap hierarchy.
89
90         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
91         generate new ones for field names and constant indices we encounter, we can't actually
92         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
93         new abstract heap to the hierarchy after ranges were already computed would require
94         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
95         patch solves that problem by recording the associations between abstract heaps and their
96         intended roles in the generated IR, and then decorating all of the relevant B3 values
97         after we compute the ranges of the hierarchy after lowering.
98
99         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
100         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
101         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
102         already been getting the big ones even without alias analysis.
103
104         Even without a speed-up, this patch is valuable because it makes it easier to implement
105         other optimizations, like store elimination.
106
107         * b3/B3HeapRange.h:
108         (JSC::B3::HeapRange::HeapRange):
109         * ftl/FTLAbstractHeap.cpp:
110         (JSC::FTL::AbstractHeap::AbstractHeap):
111         (JSC::FTL::AbstractHeap::changeParent):
112         (JSC::FTL::AbstractHeap::compute):
113         (JSC::FTL::AbstractHeap::shallowDump):
114         (JSC::FTL::AbstractHeap::dump):
115         (JSC::FTL::AbstractHeap::deepDump):
116         (JSC::FTL::AbstractHeap::badRangeError):
117         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
118         (JSC::FTL::IndexedAbstractHeap::baseIndex):
119         (JSC::FTL::IndexedAbstractHeap::atSlow):
120         (JSC::FTL::IndexedAbstractHeap::initialize):
121         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
122         (JSC::FTL::AbstractField::dump): Deleted.
123         * ftl/FTLAbstractHeap.h:
124         (JSC::FTL::AbstractHeap::AbstractHeap):
125         (JSC::FTL::AbstractHeap::isInitialized):
126         (JSC::FTL::AbstractHeap::initialize):
127         (JSC::FTL::AbstractHeap::parent):
128         (JSC::FTL::AbstractHeap::heapName):
129         (JSC::FTL::AbstractHeap::range):
130         (JSC::FTL::AbstractHeap::offset):
131         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
132         (JSC::FTL::IndexedAbstractHeap::at):
133         (JSC::FTL::IndexedAbstractHeap::operator[]):
134         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
135         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
136         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
137         (JSC::FTL::AbstractHeap::changeParent): Deleted.
138         (JSC::FTL::AbstractField::AbstractField): Deleted.
139         (JSC::FTL::AbstractField::initialize): Deleted.
140         (JSC::FTL::AbstractField::offset): Deleted.
141         * ftl/FTLAbstractHeapRepository.cpp:
142         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
143         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
144         (JSC::FTL::AbstractHeapRepository::decorateMemory):
145         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
146         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
147         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
148         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
149         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
150         * ftl/FTLAbstractHeapRepository.h:
151         (JSC::FTL::AbstractHeapRepository::forArrayType):
152         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
153         * ftl/FTLLowerDFGToB3.cpp:
154         (JSC::FTL::DFG::LowerDFGToB3::lower):
155         * ftl/FTLOutput.cpp:
156         (JSC::FTL::Output::load):
157         (JSC::FTL::Output::load8SignExt32):
158         (JSC::FTL::Output::load8ZeroExt32):
159         (JSC::FTL::Output::load16SignExt32):
160         (JSC::FTL::Output::load16ZeroExt32):
161         (JSC::FTL::Output::store):
162         (JSC::FTL::Output::store32As8):
163         (JSC::FTL::Output::store32As16):
164         (JSC::FTL::Output::baseIndex):
165         * ftl/FTLOutput.h:
166         (JSC::FTL::Output::address):
167         (JSC::FTL::Output::absolute):
168         (JSC::FTL::Output::load8SignExt32):
169         (JSC::FTL::Output::load8ZeroExt32):
170         (JSC::FTL::Output::load16SignExt32):
171         (JSC::FTL::Output::load16ZeroExt32):
172         (JSC::FTL::Output::load32):
173         (JSC::FTL::Output::load64):
174         (JSC::FTL::Output::loadPtr):
175         (JSC::FTL::Output::loadDouble):
176         (JSC::FTL::Output::store32):
177         (JSC::FTL::Output::store64):
178         (JSC::FTL::Output::storePtr):
179         (JSC::FTL::Output::storeDouble):
180         (JSC::FTL::Output::ascribeRange):
181         (JSC::FTL::Output::nonNegative32):
182         (JSC::FTL::Output::load32NonNegative):
183         (JSC::FTL::Output::equal):
184         (JSC::FTL::Output::notEqual):
185         * ftl/FTLTypedPointer.h:
186         (JSC::FTL::TypedPointer::operator!):
187         (JSC::FTL::TypedPointer::heap):
188         (JSC::FTL::TypedPointer::value):
189
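As an added illustration (my own JavaScript, not WebKit's C++ from FTLAbstractHeap.cpp or B3HeapRange.h), here is a toy model of the range assignment the entry above describes: a recursive traversal numbers the abstract heap hierarchy so that the three listed invariants hold, an overlap test stands in for B3's HeapRange alias query, and a final function shows why a heap added after ranges were computed forces everything "to the right" of it to be renumbered. All class and function names are assumptions of this example, and the heap names in the sample hierarchy are constructed.

```javascript
// Added example, not WebKit code: a toy model of FTL abstract heaps being
// lowered to B3-style HeapRanges. All names here (AbstractHeap, compute,
// rangesOverlap, checkInvariants, ...) are my own; only the three range
// invariants come from the ChangeLog entry.

class AbstractHeap {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.begin = undefined; // both assigned by compute()
    this.end = undefined;
    if (parent) parent.children.push(this);
  }

  // Recursive pre-order traversal that numbers the hierarchy. A leaf occupies
  // exactly one abstract-heap number [n, n+1); an interior heap spans the
  // union of its children. Returns the next unused number.
  compute(next = 0) {
    this.begin = next;
    if (this.children.length === 0) {
      next += 1;
    } else {
      for (const child of this.children) next = child.compute(next);
    }
    this.end = next;
    return next;
  }

  range() {
    return { begin: this.begin, end: this.end };
  }
}

// B3's alias test: two memory operations may touch the same heap iff their
// [begin, end) ranges intersect.
function rangesOverlap(a, b) {
  return a.begin < b.end && b.begin < a.end;
}

// The three properties the entry lists, checked for every heap in the tree.
function checkInvariants(heap) {
  if (!(heap.end > heap.begin)) return false;
  if (heap.parent !== null) {
    if (!(heap.begin >= heap.parent.begin)) return false;
    if (!(heap.end <= heap.parent.end)) return false;
  }
  return heap.children.every(checkInvariants);
}

// A small hierarchy in the spirit of what lowering produces (constructed names).
function buildExampleHierarchy() {
  const root = new AbstractHeap("root");
  const jsObject = new AbstractHeap("JSObject", root);
  const structure = new AbstractHeap("JSObject_structure", jsObject);
  const butterfly = new AbstractHeap("JSObject_butterfly", jsObject);
  const indexed = new AbstractHeap("IndexedProperties", root);
  const idx0 = new AbstractHeap("IndexedProperties[0]", indexed);
  const idx1 = new AbstractHeap("IndexedProperties[1]", indexed);
  root.compute();
  return { root, jsObject, structure, butterfly, indexed, idx0, idx1 };
}

// Why decoration has to wait until lowering is finished: inserting one more
// heap and recomputing shifts every range "to the right" of it. Returns the
// names of heaps whose range changed.
function addLeafAndRecompute(root, parent, name) {
  const before = new Map();
  const snapshot = (h) => { before.set(h, [h.begin, h.end]); h.children.forEach(snapshot); };
  snapshot(root);
  new AbstractHeap(name, parent);
  root.compute();
  const changed = [];
  const diff = (h) => {
    const old = before.get(h);
    if (old && (old[0] !== h.begin || old[1] !== h.end)) changed.push(h.name);
    h.children.forEach(diff);
  };
  diff(root);
  return changed;
}

// Stand-alone run: print the numbered hierarchy, one alias query and the
// effect of a late insertion.
const demo = buildExampleHierarchy();
console.log(demo.structure.range(), demo.butterfly.range(), demo.root.range());
console.log("structure vs butterfly alias:", rangesOverlap(demo.structure.range(), demo.butterfly.range()));
console.log("changed after insert:", addLeafAndRecompute(demo.root, demo.jsObject, "JSObject_indexingType"));
```

With this numbering, `JSObject_structure` gets [0, 1), `JSObject_butterfly` [1, 2), and their parent `JSObject` [0, 2); a store decorated with the parent's range aliases both fields while the two fields never alias each other. Inserting `JSObject_indexingType` afterwards renumbers the root, `JSObject` and the whole `IndexedProperties` subtree, which is exactly the situation the patch avoids by decorating B3 values only after lowering.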
190 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
191
192         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
193         https://bugs.webkit.org/show_bug.cgi?id=153981
194
195         Reviewed by Saam Barati.
196        
197         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
198         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
199         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
200         During syntax analysis the parser stores information about the variables used in the arrow function inside of
201         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
202
203         * bytecompiler/BytecodeGenerator.cpp:
204         (JSC::BytecodeGenerator::BytecodeGenerator):
205         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
206         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
207         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
208         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
209         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
210         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
211         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
212         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
213         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
214         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
215         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
216         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
217         * bytecompiler/BytecodeGenerator.h:
218         * bytecompiler/NodesCodegen.cpp:
219         (JSC::ThisNode::emitBytecode):
220         (JSC::EvalFunctionCallNode::emitBytecode):
221         (JSC::FunctionNode::emitBytecode):
222         * parser/ASTBuilder.h:
223         (JSC::ASTBuilder::createBracketAccess):
224         (JSC::ASTBuilder::createDotAccess):
225         (JSC::ASTBuilder::usesSuperCall):
226         (JSC::ASTBuilder::usesSuperProperty):
227         (JSC::ASTBuilder::makeFunctionCallNode):
228         * parser/Nodes.cpp:
229         (JSC::ScopeNode::ScopeNode):
230         (JSC::ProgramNode::ProgramNode):
231         (JSC::ModuleProgramNode::ModuleProgramNode):
232         (JSC::EvalNode::EvalNode):
233         (JSC::FunctionNode::FunctionNode):
234         * parser/Nodes.h:
235         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
236         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
237         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
238         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
239         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
240         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
241         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
242         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
243         (JSC::ScopeNode::usesSuperCall):
244         (JSC::ScopeNode::usesSuperProperty):
245         * parser/Parser.cpp:
246         (JSC::Parser<LexerType>::parseProperty):
247         (JSC::Parser<LexerType>::parsePrimaryExpression):
248         (JSC::Parser<LexerType>::parseMemberExpression):
249         * parser/Parser.h:
250         (JSC::Scope::Scope):
251         (JSC::Scope::isArrowFunctionBoundary):
252         (JSC::Scope::innerArrowFunctionFeatures):
253         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
254         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
255         (JSC::Scope::setInnerArrowFunctionUsesEval):
256         (JSC::Scope::setInnerArrowFunctionUsesThis):
257         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
258         (JSC::Scope::setInnerArrowFunctionUsesArguments):
259         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
260         (JSC::Scope::collectFreeVariables):
261         (JSC::Scope::mergeInnerArrowFunctionFeatures):
262         (JSC::Scope::fillParametersForSourceProviderCache):
263         (JSC::Scope::restoreFromSourceProviderCache):
264         (JSC::Scope::setIsFunction):
265         (JSC::Scope::setIsArrowFunction):
266         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
267         (JSC::Parser::pushScope):
268         (JSC::Parser::popScopeInternal):
269         (JSC::Parser<LexerType>::parse):
270         * parser/ParserModes.h:
271         * parser/SourceProviderCacheItem.h:
272         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
273         * parser/SyntaxChecker.h:
274         (JSC::SyntaxChecker::createFunctionMetadata):
275         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
276         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
277         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
278         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
279         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
280
281 2016-02-28  Saam barati  <sbarati@apple.com>
282
283         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
284         https://bugs.webkit.org/show_bug.cgi?id=154768
285
286         Reviewed by Ryosuke Niwa.
287
288         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
289         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
290         We weren't correctly propagating the result of this operation to the
291         out PropertySlot& parameter. This patch fixes that and adds tests.
292
293         * runtime/ObjectConstructor.cpp:
294         (JSC::objectConstructorGetOwnPropertyDescriptor):
295         I added a missing exception check after object allocation
296         because I saw that it was missing while reading the code.
297
298         * runtime/PropertyDescriptor.cpp:
299         (JSC::PropertyDescriptor::setUndefined):
300         (JSC::PropertyDescriptor::slowGetterSetter):
301         (JSC::PropertyDescriptor::getter):
302         * runtime/PropertyDescriptor.h:
303         (JSC::PropertyDescriptor::attributes):
304         (JSC::PropertyDescriptor::value):
305         * runtime/ProxyObject.cpp:
306         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
307         * tests/es6.yaml:
308         * tests/stress/proxy-get-own-property.js:
309         (let.handler.getOwnPropertyDescriptor):
310         (set get let.handler.return):
311         (set get let.handler.getOwnPropertyDescriptor):
312         (set get let):
313         (set get let.a):
314         (let.b):
315         (let.setter):
316         (let.getter):
317
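The observable contract the entry above is about, as an added example (my own JavaScript, not the patch or its tests/stress/proxy-get-own-property.js): the target has no own properties at all, and the `getOwnPropertyDescriptor` trap invents a data property and an accessor. Every operation defined in terms of [[GetOwnProperty]] must then report exactly what the trap returned, while plain reads, which go through [[Get]], do not see the virtual properties. A second function shows the engine-side validation of trap results that the linked spec section requires. Helper names (`makeVirtualPropertyProxy`, `observe`, ...) are assumptions of this example.

```javascript
// Added example, not from the patch or its tests. The target has no own
// properties at all; the getOwnPropertyDescriptor trap invents two of them, a
// data property and an accessor. Everything that is defined in terms of
// [[GetOwnProperty]] must then see exactly what the trap returned.
// Helper names (makeVirtualPropertyProxy, observe, ...) are my own.

function makeVirtualPropertyProxy() {
  const target = {};
  const handler = {
    getOwnPropertyDescriptor(t, key) {
      if (key === "answer")
        return { value: 42, writable: false, enumerable: true, configurable: true };
      if (key === "computed")
        return { get() { return "from trap getter"; }, set: undefined, enumerable: false, configurable: true };
      return undefined; // no own property
    },
  };
  return new Proxy(target, handler);
}

function observe(proxy) {
  const answer = Object.getOwnPropertyDescriptor(proxy, "answer");
  const computed = Object.getOwnPropertyDescriptor(proxy, "computed");
  return {
    answerValue: answer.value,
    answerWritable: answer.writable,
    hasOwnAnswer: Object.prototype.hasOwnProperty.call(proxy, "answer"),
    computedIsAccessor: typeof computed.get === "function" && !("value" in computed),
    computedViaGetter: computed.get.call(proxy),
    hasOwnMissing: Object.prototype.hasOwnProperty.call(proxy, "missing"),
    missingDescriptor: Object.getOwnPropertyDescriptor(proxy, "missing"),
    // [[Get]] is a different internal method; with no `get` trap it reads
    // the empty target, so the virtual property is invisible to plain reads.
    plainRead: proxy.answer,
  };
}

// The engine validates trap results (IsCompatiblePropertyDescriptor in the
// spec): reporting a non-configurable property that the target does not have
// is rejected with a TypeError instead of being propagated to the caller.
function trapReportingNonConfigurableForMissingKeyThrows() {
  const proxy = new Proxy({}, {
    getOwnPropertyDescriptor() {
      return { value: 1, writable: true, enumerable: true, configurable: false };
    },
  });
  try {
    Object.getOwnPropertyDescriptor(proxy, "x");
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(observe(makeVirtualPropertyProxy()));
console.log("invariant enforced:", trapReportingNonConfigurableForMissingKeyThrows());
```

The point of the `observe` result is that `hasOwnProperty`, the descriptor's attributes and the accessor's getter all come from the trap, which is the information the patch propagates into the out `PropertySlot&`; an engine that dropped it would report `answer` as absent or as a data property with the wrong attributes.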
318 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
319
320         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
321         https://bugs.webkit.org/show_bug.cgi?id=152448
322
323         Reviewed by Darin Adler.
324
325         Add defaultLanguage to the globalObjectMethodTable and use it for the
326         default locale in Intl object initializations. Fall back to ICU default
327         locale only if the defaultLanguage function is null, or returns an
328         empty string.
329
330         * jsc.cpp:
331         * runtime/IntlCollator.cpp:
332         (JSC::IntlCollator::initializeCollator):
333         * runtime/IntlDateTimeFormat.cpp:
334         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
335         * runtime/IntlNumberFormat.cpp:
336         (JSC::IntlNumberFormat::initializeNumberFormat):
337         * runtime/IntlObject.cpp:
338         (JSC::defaultLocale):
339         (JSC::lookupMatcher):
340         (JSC::bestFitMatcher):
341         (JSC::resolveLocale):
342         * runtime/IntlObject.h:
343         * runtime/JSGlobalObject.cpp:
344         * runtime/JSGlobalObject.h:
345         * runtime/StringPrototype.cpp:
346         (JSC::toLocaleCase):
347
348 2016-02-27  Oliver Hunt  <oliver@apple.com>
349
350         CLoop build fix.
351
352         * jit/ExecutableAllocatorFixedVMPool.cpp:
353
354 2016-02-26  Oliver Hunt  <oliver@apple.com>
355
356         Remove the on demand executable allocator
357         https://bugs.webkit.org/show_bug.cgi?id=154749
358
359         Reviewed by Geoffrey Garen.
360
361         Remove all the DemandExecutable code and executable allocator ifdefs.
362
363         * CMakeLists.txt:
364         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
365         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
366         * JavaScriptCore.xcodeproj/project.pbxproj:
367         * jit/ExecutableAllocator.cpp: Removed.
368         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
369         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
370         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
371         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
372         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
373         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
374         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
375         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
376         (JSC::DemandExecutableAllocator::allocators): Deleted.
377         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
378         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
379         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
380         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
381         (JSC::ExecutableAllocator::isValid): Deleted.
382         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
383         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
384         (JSC::ExecutableAllocator::allocate): Deleted.
385         (JSC::ExecutableAllocator::committedByteCount): Deleted.
386         (JSC::ExecutableAllocator::dumpProfile): Deleted.
387         (JSC::ExecutableAllocator::getLock): Deleted.
388         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
389         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
390         * jit/ExecutableAllocator.h:
391         * jit/ExecutableAllocatorFixedVMPool.cpp:
392         * jit/JITStubRoutine.h:
393         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
394         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
395         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
396
397 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
398
399         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
400         https://bugs.webkit.org/show_bug.cgi?id=154751
401
402         Reviewed by Mark Lam.
403
404         * runtime/Structure.cpp:
405         (JSC::Structure::toStructureShape):
406         This property name iteration is identical to Structure::forEachPropertyConcurrently.
407         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
408
409 2016-02-26  Mark Lam  <mark.lam@apple.com>
410
411         Function.name and Function.length should be configurable.
412         https://bugs.webkit.org/show_bug.cgi?id=154604
413
414         Reviewed by Saam Barati.
415
416         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
417         "Unless otherwise specified, the name property of a built-in Function object,
418         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
419         [[Configurable]]: true }."
420
421         Similarly, "the length property of a built-in Function object has the attributes
422         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
423
424         This patch makes Function.name and Function.length configurable.
425
426         We do this by lazily reifying the JSFunction name and length properties on first
427         access.  We track whether each of these properties has been reified using flags
428         in the FunctionRareData.  On first access, if not already reified, we will put
429         the property into the object with its default value and attributes and set the
430         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
431         property.
432
433         Also, lots of test results have to be re-baselined because the old Function.length
434         has attribute DontDelete, which is in conflict with the ES6 requirement that it
435         is configurable.
436
437         * runtime/FunctionRareData.h:
438         (JSC::FunctionRareData::hasReifiedLength):
439         (JSC::FunctionRareData::setHasReifiedLength):
440         (JSC::FunctionRareData::hasReifiedName):
441         (JSC::FunctionRareData::setHasReifiedName):
442         - Flags for tracking whether each property has been reified.
443
444         * runtime/JSFunction.cpp:
445         (JSC::JSFunction::finishCreation):
446         (JSC::JSFunction::createBuiltinFunction):
447         - Host and builtin functions currently always reify their name and length
448           properties.  Currently, for builtins, the default names that are used may
449           differ from the executable name.  For now, we'll stay with keeping this
450           alternate approach to getting the name and length properties for host and
451           builtin functions.
452           However, we need their default attribute to be configurable as well.
453
454         (JSC::JSFunction::getOwnPropertySlot):
455         (JSC::JSFunction::getOwnNonIndexPropertyNames):
456         (JSC::JSFunction::put):
457         (JSC::JSFunction::deleteProperty):
458         (JSC::JSFunction::defineOwnProperty):
459         (JSC::JSFunction::reifyLength):
460         (JSC::JSFunction::reifyName):
461         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
462         (JSC::JSFunction::lengthGetter): Deleted.
463         (JSC::JSFunction::nameGetter): Deleted.
464         * runtime/JSFunction.h:
465         * runtime/JSFunctionInlines.h:
466         (JSC::JSFunction::hasReifiedLength):
467         (JSC::JSFunction::hasReifiedName):
468
469         * tests/es6.yaml:
470         - 4 new passing tests.
471
472         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
473         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
474         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
475         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
476         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
477         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
478         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
479         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
480         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
481         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
482         * tests/mozilla/ecma/String/15.5.4.10-1.js:
483         * tests/mozilla/ecma/String/15.5.4.11-1.js:
484         * tests/mozilla/ecma/String/15.5.4.11-5.js:
485         * tests/mozilla/ecma/String/15.5.4.12-1.js:
486         * tests/mozilla/ecma/String/15.5.4.6-2.js:
487         * tests/mozilla/ecma/String/15.5.4.7-2.js:
488         * tests/mozilla/ecma/String/15.5.4.8-1.js:
489         * tests/mozilla/ecma/String/15.5.4.9-1.js:
490         - Rebase expected test results.
491
492         * tests/stress/function-configurable-properties.js: Added.
493
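An added example (my own JavaScript, not code from this patch or from the earlier "Make JSFunction.name allocation fully lazy" entry) covering both: the first two functions check what the quoted spec text requires of real functions, including the delete and redefine that the old DontDelete attribute forbade; the `LazyFunctionModel` class is a toy model of the reification scheme described above, with per-property "reified" flags that make the first access define an ordinary own property and every later access fall through to it. All model names (`LazyFunctionModel`, `getOwnProperty`, `ownLazyPropertyNames`, ...) are assumptions of this example.

```javascript
// Added example, not JavaScriptCore code. Part 1 checks what the spec text
// quoted in the entry requires of real functions; part 2 is a toy model of the
// lazy reification scheme (flags in rare data, reify on first access).
// Model names (LazyFunctionModel, getOwnProperty, ...) are my own.

const BUILTIN_ATTRIBUTES = { writable: false, enumerable: false, configurable: true };

// Own-property descriptors of "name" and "length" as the engine exposes them.
function describeFunctionProperties(fn) {
  return {
    name: Object.getOwnPropertyDescriptor(fn, "name"),
    length: Object.getOwnPropertyDescriptor(fn, "length"),
  };
}

// Mutations that only a configurable property permits: delete it (the value
// then comes from Function.prototype.length, which is 0) and define a replacement.
function reconfigureLength(fn, newLength) {
  const deleted = delete fn.length;
  const afterDelete = fn.length;
  Object.defineProperty(fn, "length", { value: newLength, configurable: true });
  return { deleted, afterDelete, afterDefine: fn.length };
}

class LazyFunctionModel {
  constructor(executableName, parameterCount) {
    this.executableName = executableName;
    this.parameterCount = parameterCount;
    this.rareData = { hasReifiedName: false, hasReifiedLength: false };
    this.reifications = 0; // how often a string/number actually got materialised
  }

  // Called at the head of every own-property operation. Reifies at most once
  // per property; afterwards the ordinary own property answers the lookup
  // (or its absence does, if the caller deleted it).
  reifyLazyPropertyIfNeeded(key) {
    if (key === "name" && !this.rareData.hasReifiedName) {
      Object.defineProperty(this, "name", { value: this.executableName, ...BUILTIN_ATTRIBUTES });
      this.rareData.hasReifiedName = true;
      this.reifications += 1;
    } else if (key === "length" && !this.rareData.hasReifiedLength) {
      Object.defineProperty(this, "length", { value: this.parameterCount, ...BUILTIN_ATTRIBUTES });
      this.rareData.hasReifiedLength = true;
      this.reifications += 1;
    }
  }

  getOwnProperty(key) {
    this.reifyLazyPropertyIfNeeded(key);
    return Object.getOwnPropertyDescriptor(this, key);
  }

  deleteProperty(key) {
    this.reifyLazyPropertyIfNeeded(key);
    return delete this[key];
  }

  // Enumerating own names must not expose a half-initialised object, so both
  // lazy properties are reified first.
  ownLazyPropertyNames() {
    this.reifyLazyPropertyIfNeeded("name");
    this.reifyLazyPropertyIfNeeded("length");
    return Object.getOwnPropertyNames(this).filter((k) => k === "name" || k === "length").sort();
  }
}

console.log(describeFunctionProperties(function example(a, b) {}));
console.log(reconfigureLength(function other(a) {}, 7));
const model = new LazyFunctionModel("foo", 3);
console.log(model.getOwnProperty("name"), model.reifications);
```

Creating the model allocates nothing for the name; the string is only attached when `getOwnProperty("name")` runs, and a second access does not reify again. Deleting a reified property leaves its flag set, so the base object's "no such property" answer is honoured rather than the default being resurrected, which is what makes the property genuinely configurable.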
494 2016-02-26  Keith Miller  <keith_miller@apple.com>
495
496         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
497         https://bugs.webkit.org/show_bug.cgi?id=154743
498
499         Reviewed by Mark Lam.
500
501         * dfg/DFGConstantFoldingPhase.cpp:
502         (JSC::DFG::ConstantFoldingPhase::foldConstants):
503         * dfg/DFGFixupPhase.cpp:
504         (JSC::DFG::FixupPhase::fixupNode):
505
506 2016-02-26  Keith Miller  <keith_miller@apple.com>
507
508         Native Typed Array functions should use Symbol.species
509         https://bugs.webkit.org/show_bug.cgi?id=154569
510
511         Reviewed by Michael Saboff.
512
513         This patch adds support for Symbol.species in the native Typed Array prototype
514         functions. Additionally, now that other types of typedarrays are creatable inside
515         the slice we use the JSGenericTypedArrayView::set function, which has been beefed
516         up, to put everything into the correct place.
517
518         * runtime/JSDataView.cpp:
519         (JSC::JSDataView::set):
520         * runtime/JSDataView.h:
521         * runtime/JSGenericTypedArrayView.h:
522         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
523         (JSC::constructGenericTypedArrayViewFromIterator):
524         (JSC::constructGenericTypedArrayViewWithArguments):
525         (JSC::constructGenericTypedArrayView):
526         * runtime/JSGenericTypedArrayViewInlines.h:
527         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
528         (JSC::JSGenericTypedArrayView<Adaptor>::set):
529         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
530         (JSC::speciesConstruct):
531         (JSC::genericTypedArrayViewProtoFuncSet):
532         (JSC::genericTypedArrayViewProtoFuncSlice):
533         (JSC::genericTypedArrayViewProtoFuncSubarray):
534         * tests/stress/typedarray-slice.js:
535         (subclasses.typedArrays.map):
536         (testSpecies):
537         (forEach):
538         (subclasses.forEach):
539         (testSpeciesRemoveConstructor):
540         (testSpeciesWithSameBuffer):
541         * tests/stress/typedarray-subarray.js: Added.
542         (subclasses.typedArrays.map):
543         (testSpecies):
544         (forEach):
545         (subclasses.forEach):
546         (testSpeciesRemoveConstructor):
547
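As an added example (my own JavaScript, not the patch's tests/stress/typedarray-slice.js or typedarray-subarray.js), three `Uint8Array` subclasses that differ only in `Symbol.species` are pushed through `slice()` and `subarray()`. It also covers the case the entry mentions of a species with a different element type being created inside `slice`, and the caveat that `subarray()` hands that species the same buffer and byte offset, so a wider element type fails there where `slice()` succeeds. Class and function names are assumptions of this example.

```javascript
// Added example, not the stress tests from the patch: three Uint8Array
// subclasses that differ only in Symbol.species, exercised through slice()
// and subarray(). Class and function names here are my own.

class Tagged extends Uint8Array {}                      // default species: the subclass itself
class PlainSpecies extends Uint8Array {                 // opts back into plain Uint8Array results
  static get [Symbol.species]() { return Uint8Array; }
}
class WideSpecies extends Uint8Array {                  // species with a different element type
  static get [Symbol.species]() { return Int16Array; }
}

// slice() copies into whatever the species constructor builds; when the
// element type differs, values are copied element by element.
function sliceThroughSpecies(Ctor) {
  const arr = new Ctor([1, 2, 3, 4]);
  const out = arr.slice(1, 3);
  return { ctor: out.constructor.name, values: Array.from(out), bytesPerElement: out.BYTES_PER_ELEMENT };
}

// subarray() hands the species constructor the same buffer and a byte offset,
// so a species with a wider element type can fail where slice() succeeds.
function subarrayThroughSpecies(Ctor) {
  const arr = new Ctor([1, 2, 3, 4]);
  try {
    const sub = arr.subarray(1, 3);
    sub[0] = 99; // visible through arr: the buffer is shared
    return { ctor: sub.constructor.name, shared: sub.buffer === arr.buffer, arrAfter: Array.from(arr) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Removing `constructor` makes SpeciesConstructor fall back to the default
// intrinsic for this element type.
function sliceWithoutConstructor() {
  const arr = new Tagged([5, 6, 7]);
  Object.defineProperty(arr, "constructor", { value: undefined });
  return arr.slice(0, 2).constructor.name;
}

for (const Ctor of [Tagged, PlainSpecies, WideSpecies]) {
  console.log(Ctor.name, "slice:", sliceThroughSpecies(Ctor), "subarray:", subarrayThroughSpecies(Ctor));
}
console.log("no constructor:", sliceWithoutConstructor());
```

`WideSpecies` is the interesting row: `slice(1, 3)` yields an `Int16Array` holding the same two values, but `subarray(1, 3)` asks for an `Int16Array` at byte offset 1 and is rejected with a `RangeError`, so code that overrides `Symbol.species` on a typed array has to keep the element type compatible with every method that shares the buffer.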
548 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
549
550         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
551         https://bugs.webkit.org/show_bug.cgi?id=154704
552
553         Reviewed by Geoffrey Garen.
554
555         If the Imm is zero, we should still zero the top bits
556         to match the definition in AirOpcodes.
557
558         * assembler/MacroAssemblerX86Common.h:
559         (JSC::MacroAssemblerX86Common::add32):
560         * b3/testb3.cpp:
561
562 2016-02-26  Oliver Hunt  <oliver@apple.com>
563
564         Make testRegExp not crash when given an invalid regexp
565         https://bugs.webkit.org/show_bug.cgi?id=154732
566
567         Reviewed by Mark Lam.
568
569         * testRegExp.cpp:
570         (parseRegExpLine):
571
572 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
573
574         [JSC] Add the test for r197155
575         https://bugs.webkit.org/show_bug.cgi?id=154715
576
577         Reviewed by Mark Lam.
578
579         Silly me. I forgot the test in the latest patch update.
580
581         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
582
583 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
584
585         [DFG] Drop unnecessary proved type branch in ToPrimitive
586         https://bugs.webkit.org/show_bug.cgi?id=154716
587
588         Reviewed by Geoffrey Garen.
589
590         This branching based on the proved types is unnecessary because this is already handled in the constant folding phase.
591         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
592         This patch removes the remaining JIT32_64 case.
593
594         * dfg/DFGSpeculativeJIT32_64.cpp:
595         (JSC::DFG::SpeculativeJIT::compile):
596
597 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
598
599         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
600         https://bugs.webkit.org/show_bug.cgi?id=154575
601
602         Reviewed by Filip Pizlo.
603
604         I noticed that imaging-gaussian-blur spends most of its
605         samples in DFG code despite executing most of the loop
606         iterations in FTL.
607
608         On this particular test, the main function is only entered
609         once and has a very heavy loop there. What happens is DFG
610         starts by compiling the full function in FTL. That takes about
611         8 to 10 milliseconds during which the DFG code makes very little
612         progress. The calls to triggerOSREntryNow() try to OSR Enter
613         for a while then finally start compiling something. By the time
614         the function is ready, we have wasted a lot of time in DFG code.
615
616         What this patch does is set a flag when a DFG function is entered.
617         If we try to triggerOSREntryNow() and the flag was never set,
618         we start compiling both the full function and the one for OSR Entry.
619
620         * dfg/DFGJITCode.h:
621         * dfg/DFGJITCompiler.cpp:
622         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
623         (JSC::DFG::JITCompiler::compile):
624         (JSC::DFG::JITCompiler::compileFunction):
625         * dfg/DFGJITCompiler.h:
626         * dfg/DFGOperations.cpp:
627         * dfg/DFGPlan.cpp:
628         (JSC::DFG::Plan::Plan): Deleted.
629         * dfg/DFGPlan.h:
630         * dfg/DFGTierUpCheckInjectionPhase.cpp:
631         (JSC::DFG::TierUpCheckInjectionPhase::run):
632
633 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
634
635         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
636         https://bugs.webkit.org/show_bug.cgi?id=154664
637
638         Reviewed by Saam Barati.
639
640         When doing OSR Enter into a constructor, we lose the information
641         that this may have been set to empty by a previously executed block.
642
643         All the code just assumed the type for a FlushedJS value and thus
644         not an empty value. It was then okay to eliminate the TDZ checks.
645
646         In this patch, the values on root entry now assume they may be empty.
647         As a result, the SetArgument() for "this" has "empty" as possible
648         type and the TDZ checks are no longer eliminated.
649
650         * dfg/DFGInPlaceAbstractState.cpp:
651         (JSC::DFG::InPlaceAbstractState::initialize):
652
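        Added example, not code from this entry or from WebKit: a derived-class constructor that runs a hot loop before touching `this`. It does not drive the DFG/FTL OSR entry path directly; it only checks the invariant the patch restores, namely that `this` stays in its temporal dead zone until super() returns no matter how many times the loop body has already executed. The Base/Derived classes, the loop shape and the probe functions are assumptions made for the demonstration.

```javascript
// Added example (not WebKit code). In a derived constructor `this` is empty
// until super() returns, so touching it before that must throw a
// ReferenceError on every execution, including after the loop has tiered up.
class Base {
  constructor() {
    this.ready = true;
  }
}

class Derived extends Base {
  // `iterations` and `touchThisEarly` are hypothetical parameters for the demo.
  constructor(iterations, touchThisEarly) {
    let acc = 0;
    for (let i = 0; i < iterations; i++) {
      acc = (acc + i * 31) | 0; // enough work to make the loop hot
    }
    if (touchThisEarly) {
      this.acc = acc; // `this` is still in the TDZ here: must throw
    }
    super();
    this.acc = acc;
  }
}

// Returns the name of the error class thrown, or null when nothing threw.
function probeTdz(iterations, touchThisEarly) {
  try {
    new Derived(iterations, touchThisEarly);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Repeat the probe so a tiering JIT has a reason to enter the loop at a
// higher tier; the observable result must not depend on which tier ran it.
function tdzSurvivesHotLoop(rounds, iterations) {
  for (let r = 0; r < rounds; r++) {
    if (probeTdz(iterations, true) !== 'ReferenceError') return false;
    if (probeTdz(iterations, false) !== null) return false;
  }
  return true;
}
```

        A regression of the kind described above would show up as probeTdz returning null for the early-access case once the loop has been running long enough to be compiled.
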
653 2016-02-25  Ada Chan  <adachan@apple.com>
654
655         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
656         https://bugs.webkit.org/show_bug.cgi?id=154702
657
658         Reviewed by Dan Bernstein.
659
660         * Configurations/FeatureDefines.xcconfig:
661
662 2016-02-25  Saam barati  <sbarati@apple.com>
663
664         [ES6] for...in iteration doesn't comply with the specification
665         https://bugs.webkit.org/show_bug.cgi?id=154665
666
667         Reviewed by Michael Saboff.
668
669         If you read ForIn/OfHeadEvaluation inside the spec:
670         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
671         It calls EnumerateObjectProperties(obj) to get a set of properties
672         to enumerate over (it models this "set" as an ES6 generator function).
673         EnumerateObjectProperties is defined in section 13.7.5.15:
674         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
675         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
676         properties it sees. We must do the same by modeling the operation as
677         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
678
679         * jit/JITOperations.cpp:
680         * jit/JITOperations.h:
681         * runtime/CommonSlowPaths.cpp:
682         (JSC::SLOW_PATH_DECL):
683         * runtime/JSObject.cpp:
684         (JSC::JSObject::hasProperty):
685         (JSC::JSObject::hasPropertyGeneric):
686         * runtime/JSObject.h:
687         * tests/stress/proxy-get-own-property.js:
688         (assert):
689         (let.handler.getOwnPropertyDescriptor):
690         (i.set assert):
691
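        Added example, not code from this entry or from WebKit: a Proxy that records which traps a for...in loop drives, both when the proxy is enumerated directly and when it sits on the prototype chain of an ordinary object. Per EnumerateObjectProperties the engine asks for ownKeys and then for the [[GetOwnProperty]] descriptor of each key; it never consults [[HasProperty]], which is the distinction this entry is about. The target contents, the key named `hidden` and the recording helpers are assumptions made for the demonstration.

```javascript
// Added example (not WebKit code). Record the Proxy traps consulted by for...in.
function makeRecordingProxy(target, calls) {
  return new Proxy(target, {
    has(t, key) {
      calls.push(`has:${String(key)}`);
      return Reflect.has(t, key);
    },
    ownKeys(t) {
      calls.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      calls.push(`gopd:${String(key)}`);
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // Reporting a configurable target property as non-enumerable is within
      // the proxy invariants; it is what removes `hidden` from the loop.
      if (desc && key === 'hidden') desc.enumerable = false;
      return desc;
    },
  });
}

function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Enumerate the proxy itself. The target is a constructed sample object.
function enumerateProxyDirectly() {
  const calls = [];
  const proxy = makeRecordingProxy({ a: 1, b: 2, hidden: 3 }, calls);
  return { keys: forInKeys(proxy), calls };
}

// Enumerate an ordinary object whose prototype is the proxy: inherited keys
// are still filtered through the getOwnPropertyDescriptor trap.
function enumerateThroughProxyPrototype() {
  const calls = [];
  const proxy = makeRecordingProxy({ inherited: 1, hidden: 2 }, calls);
  const child = Object.create(proxy);
  child.own = 0;
  return { keys: forInKeys(child), calls };
}

function usedHasTrap(calls) {
  return calls.some((c) => c.startsWith('has:'));
}

function usedGetOwnPropertyDescriptorTrap(calls) {
  return calls.some((c) => c.startsWith('gopd:'));
}
```

        An engine that modelled the lookup as [[HasProperty]] would leave `has:` entries in the call log and would enumerate `hidden`, because the has trap has no way to report enumerability.
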
692 2016-02-25  Saam barati  <sbarati@apple.com>
693
694         [ES6] Implement Proxy.[[Set]]
695         https://bugs.webkit.org/show_bug.cgi?id=154511
696
697         Reviewed by Filip Pizlo.
698
699         This patch is mostly an implementation of
700         Proxy.[[Set]] with respect to section 9.5.9
701         of the ECMAScript spec.
702         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
703
704         This patch also changes JSObject::putInline and JSObject::putByIndex
705         to be aware that a Proxy in the prototype chain will intercept
706         property accesses.
707
708         * runtime/JSObject.cpp:
709         (JSC::JSObject::putInlineSlow):
710         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
711         * runtime/JSObject.h:
712         * runtime/JSObjectInlines.h:
713         (JSC::JSObject::canPerformFastPutInline):
714         (JSC::JSObject::putInline):
715         * runtime/JSType.h:
716         * runtime/ProxyObject.cpp:
717         (JSC::ProxyObject::getOwnPropertySlotByIndex):
718         (JSC::ProxyObject::performPut):
719         (JSC::ProxyObject::put):
720         (JSC::ProxyObject::putByIndexCommon):
721         (JSC::ProxyObject::putByIndex):
722         (JSC::performProxyCall):
723         (JSC::ProxyObject::getCallData):
724         (JSC::performProxyConstruct):
725         (JSC::ProxyObject::deletePropertyByIndex):
726         (JSC::ProxyObject::visitChildren):
727         * runtime/ProxyObject.h:
728         (JSC::ProxyObject::create):
729         (JSC::ProxyObject::createStructure):
730         (JSC::ProxyObject::target):
731         (JSC::ProxyObject::handler):
732         * tests/es6.yaml:
733         * tests/stress/proxy-set.js: Added.
734         (assert):
735         (throw.new.Error.let.handler.set 45):
736         (throw.new.Error):
737         (let.target.set x):
738         (let.target.get x):
739         (set let):
740
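        Added example, not code from this entry or from WebKit: a Proxy placed on the prototype chain of an ordinary object, showing that assignments which do not hit an own data property of the receiver reach the proxy's set trap with the original receiver, while a second write to a property that has since become an own data property bypasses the trap. The `_`-prefix policy, the sample target and the helper functions are assumptions made for the demonstration.

```javascript
// Added example (not WebKit code). A Proxy on the prototype chain intercepts
// puts, including indexed puts, for any receiver that inherits from it.
function guardPrototype(proto, log) {
  return new Proxy(proto, {
    set(target, key, value, receiver) {
      log.push(`set:${String(key)}`);
      // Hypothetical policy for the demo: names starting with "_" are rejected.
      if (typeof key === 'string' && key.startsWith('_')) return false;
      // Ordinary [[Set]] semantics: the property is created on the receiver,
      // not on the proxy target.
      return Reflect.set(target, key, value, receiver);
    },
  });
}

// A strict-mode assignment turns a falsish trap result into a TypeError;
// sloppy-mode code would silently keep the old value instead.
function assignStrict(obj, key, value) {
  'use strict';
  obj[key] = value;
}

function exerciseSet() {
  const log = [];
  const proto = { shared: 'from-proto' }; // constructed sample target
  const child = Object.create(guardPrototype(proto, log));

  child.visible = 1; // no own property yet: trap runs and defines it on child
  child.visible = 2; // now an own writable data property: trap is bypassed
  child[0] = 'indexed'; // indexed puts consult the prototype chain as well

  let blocked = null;
  try {
    assignStrict(child, '_secret', 3);
  } catch (e) {
    blocked = e.constructor.name;
  }

  return {
    log,
    visible: child.visible,
    ownVisible: Object.prototype.hasOwnProperty.call(child, 'visible'),
    ownIndexed: Object.prototype.hasOwnProperty.call(child, '0'),
    hasSecret: '_secret' in child,
    blocked,
    protoKeys: Object.keys(proto),
  };
}
```

        The trap fires for `visible`, `0` and `_secret` but not for the second write to `visible`, the properties land on `child` rather than on the proxy target, and the rejected write surfaces as a TypeError only because the assignment ran in strict mode.
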
741 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
742
743         [JSC] Remove a useless "Move" in the lowering of Select
744         https://bugs.webkit.org/show_bug.cgi?id=154670
745
746         Reviewed by Geoffrey Garen.
747
748         I left the Move instruction when creating the aliasing form
749         of Select.
750
751         On ARM64, that meant a useless move for any case that can't
752         be coalesced.
753
754         On x86, that meant an extra constraint on child2, making it
755         stupidly hard to alias child1.
756
757         * b3/B3LowerToAir.cpp:
758         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
759
760 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
761
762         Web Inspector: Expose Proxy target and handler internal properties to Inspector
763         https://bugs.webkit.org/show_bug.cgi?id=154663
764
765         Reviewed by Timothy Hatcher.
766
767         * inspector/JSInjectedScriptHost.cpp:
768         (Inspector::JSInjectedScriptHost::getInternalProperties):
769         Expose the ProxyObject's target and handler.
770
771 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
772
773         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
774         https://bugs.webkit.org/show_bug.cgi?id=151688
775
776         Reviewed by Dean Jackson.
777
778         Enables the WEB_ANIMATIONS compiler switch.
779
780         * Configurations/FeatureDefines.xcconfig:
781
782 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
783
784         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
785         https://bugs.webkit.org/show_bug.cgi?id=154651
786
787         Reviewed by Alex Christensen.
788
789         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
790
791 2016-02-24  Commit Queue  <commit-queue@webkit.org>
792
793         Unreviewed, rolling out r197033.
794         https://bugs.webkit.org/show_bug.cgi?id=154649
795
796         "It broke JSC tests when 'this' was loaded from global scope"
797         (Requested by saamyjoon on #webkit).
798
799         Reverted changeset:
800
801         "[ES6] Arrow function syntax. Emit loading&putting this/super
802         only if they are used in arrow function"
803         https://bugs.webkit.org/show_bug.cgi?id=153981
804         http://trac.webkit.org/changeset/197033
805
806 2016-02-24  Saam Barati  <sbarati@apple.com>
807
808         [ES6] Implement Proxy.[[Delete]]
809         https://bugs.webkit.org/show_bug.cgi?id=154607
810
811         Reviewed by Mark Lam.
812
813         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
814         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
815
816         * runtime/ProxyObject.cpp:
817         (JSC::ProxyObject::getConstructData):
818         (JSC::ProxyObject::performDelete):
819         (JSC::ProxyObject::deleteProperty):
820         (JSC::ProxyObject::deletePropertyByIndex):
821         * runtime/ProxyObject.h:
822         * tests/es6.yaml:
823         * tests/stress/proxy-delete.js: Added.
824         (assert):
825         (throw.new.Error.let.handler.get deleteProperty):
826         (throw.new.Error):
827         (assert.let.handler.deleteProperty):
828         (let.handler.deleteProperty):
829
830 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
831
832         Stackmaps have problems with double register constraints
833         https://bugs.webkit.org/show_bug.cgi?id=154643
834
835         Reviewed by Geoffrey Garen.
836
837         This is currently a benign bug. I found it while playing.
838
839         * b3/B3LowerToAir.cpp:
840         (JSC::B3::Air::LowerToAir::fillStackmap):
841         * b3/testb3.cpp:
842         (JSC::B3::testURShiftSelf64):
843         (JSC::B3::testPatchpointDoubleRegs):
844         (JSC::B3::zero):
845         (JSC::B3::run):
846
847 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
848
849         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
850         https://bugs.webkit.org/show_bug.cgi?id=153981
851
852         Reviewed by Saam Barati.
853
854         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
855         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
856         This patch adds logic that prevents emitting those variables if they are not used in the arrow function.
857         During syntax analysis the parser stores information about which variables the arrow function uses inside of
858         the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
859
860         * bytecode/ExecutableInfo.h:
861         (JSC::ExecutableInfo::ExecutableInfo):
862         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
863         * bytecode/UnlinkedCodeBlock.cpp:
864         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
865         * bytecode/UnlinkedCodeBlock.h:
866         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
867         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
868         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
869         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
870         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
871         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
872         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
873         * bytecode/UnlinkedFunctionExecutable.cpp:
874         (JSC::generateUnlinkedFunctionCodeBlock):
875         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
876         * bytecode/UnlinkedFunctionExecutable.h:
877         * bytecompiler/BytecodeGenerator.cpp:
878         (JSC::BytecodeGenerator::BytecodeGenerator):
879         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
880         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
881         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
882         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
883         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
884         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
885         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
886         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
887         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
888         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
889         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
890         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
891         * bytecompiler/BytecodeGenerator.h:
892         * bytecompiler/NodesCodegen.cpp:
893         (JSC::ThisNode::emitBytecode):
894         (JSC::EvalFunctionCallNode::emitBytecode):
895         (JSC::FunctionCallValueNode::emitBytecode):
896         (JSC::FunctionNode::emitBytecode):
897         * parser/ASTBuilder.h:
898         (JSC::ASTBuilder::createFunctionMetadata):
899         * parser/Nodes.cpp:
900         (JSC::FunctionMetadataNode::FunctionMetadataNode):
901         * parser/Nodes.h:
902         * parser/Parser.cpp:
903         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
904         (JSC::Parser<LexerType>::parseFunctionBody):
905         (JSC::Parser<LexerType>::parseFunctionInfo):
906         (JSC::Parser<LexerType>::parseProperty):
907         (JSC::Parser<LexerType>::parsePrimaryExpression):
908         (JSC::Parser<LexerType>::parseMemberExpression):
909         * parser/Parser.h:
910         (JSC::Scope::Scope):
911         (JSC::Scope::isArrowFunctionBoundary):
912         (JSC::Scope::innerArrowFunctionFeatures):
913         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
914         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
915         (JSC::Scope::setInnerArrowFunctionUseEval):
916         (JSC::Scope::setInnerArrowFunctionUseThis):
917         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
918         (JSC::Scope::setInnerArrowFunctionUseArguments):
919         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
920         (JSC::Scope::collectFreeVariables):
921         (JSC::Scope::mergeInnerArrowFunctionFeatures):
922         (JSC::Scope::fillParametersForSourceProviderCache):
923         (JSC::Scope::restoreFromSourceProviderCache):
924         (JSC::Scope::setIsFunction):
925         (JSC::Scope::setIsArrowFunction):
926         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
927         (JSC::Parser::pushScope):
928         (JSC::Parser::popScopeInternal):
929         * parser/ParserModes.h:
930         * parser/SourceProviderCacheItem.h:
931         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
932         * parser/SyntaxChecker.h:
933         (JSC::SyntaxChecker::createFunctionMetadata):
934         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
935         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
936         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
937         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
938         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
939
940 2016-02-23  Brian Burg  <bburg@apple.com>
941
942         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
943         https://bugs.webkit.org/show_bug.cgi?id=154615
944         <rdar://problem/24804330>
945
946         Reviewed by Timothy Hatcher.
947
948         Some of the generated Objective-C bindings are only relevant to code acting as the
949         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
950         --backend to all generators. Use the setting in a few generators to omit code that's
951         not needed.
952
953         Also fix a few places where the code emits the wrong Objective-C class prefix.
954         There is some common non-generated code that must always have the RWIProtocol prefix.
955
956         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
957         macros defined in the internal header now need to be used outside of the framework.
958
959         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
960         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
961         depending on the target framework.
962
963         * inspector/scripts/codegen/generate_objc_header.py:
964         (ObjCHeaderGenerator.generate_output):
965         For now, omit generating command protocol and event dispatchers when generating for --frontend.
966
967         (ObjCHeaderGenerator._generate_type_interface):
968         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
969
970         * inspector/scripts/codegen/generate_objc_internal_header.py:
971         Use RWIProtocolJSONObjectPrivate.h instead.
972
973         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
974         (ObjCProtocolTypesImplementationGenerator.generate_output):
975         Include the Internal header if it's being generated (only for --backend).
976
977         * inspector/scripts/codegen/generator.py:
978         (Generator.__init__):
979         (Generator.set_generator_setting):
980         (Generator):
981         (Generator.get_generator_setting):
982         Crib a simple setting system from the Framework class. Make the names more obnoxious.
983
984         (Generator.string_for_file_include):
985         Inspired by the replay input generator, this is a function that uses the proper syntax
986         for a file include depending on the file's framework and target framework.
987
988         * inspector/scripts/codegen/objc_generator.py:
989         (ObjCGenerator.and):
990         (ObjCGenerator.and.objc_prefix):
991         (ObjCGenerator):
992         (ObjCGenerator.objc_type_for_raw_name):
993         (ObjCGenerator.objc_class_for_raw_name):
994         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
995
996         * inspector/scripts/generate-inspector-protocol-bindings.py:
997         (generate_from_specification):
998         Change the generators to use for the frontend. Propagate --frontend and --backend.
999
1000         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1001         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1002         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1003         * inspector/scripts/tests/expected/enum-values.json-result:
1004         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1005         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1006         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1007         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1008         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1009         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1010         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1011         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1012         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1013         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1014
1015 2016-02-23  Saam barati  <sbarati@apple.com>
1016
1017         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1018         https://bugs.webkit.org/show_bug.cgi?id=154621
1019
1020         Reviewed by Michael Saboff.
1021
1022         * runtime/ArrayPrototype.cpp:
1023         (JSC::arrayProtoFuncConcat):
1024
1025 2016-02-23  Dan Bernstein  <mitz@apple.com>
1026
1027         [Xcode] Linker errors display mangled names, but no longer should
1028         https://bugs.webkit.org/show_bug.cgi?id=154632
1029
1030         Reviewed by Sam Weinig.
1031
1032         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1033
1034 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1035
1036         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1037         https://bugs.webkit.org/show_bug.cgi?id=112323
1038
1039         Reviewed by Chris Dumez.
1040
1041         This feature is controlled by a runtime switch, and defaults off.
1042
1043         * Configurations/FeatureDefines.xcconfig:
1044
1045 2016-02-23  Keith Miller  <keith_miller@apple.com>
1046
1047         JSC stress tests' standalone-pre.js should exit on the first failure by default
1048         https://bugs.webkit.org/show_bug.cgi?id=154565
1049
1050         Reviewed by Mark Lam.
1051
1052         Currently, if a test writer does not call finishJSTest() at the end of
1053         any test using stress/resources/standalone-pre.js then the test can fail
1054         without actually reporting an error to the harness. By default, we
1055         should throw on the first error so that, in the event someone does not call
1056         finishJSTest(), the harness will still notice the error.
1057
1058         * tests/stress/regress-151324.js:
1059         * tests/stress/resources/standalone-pre.js:
1060         (testFailed):
1061
1062 2016-02-23  Saam barati  <sbarati@apple.com>
1063
1064         Make JSObject::getMethod have fewer branches
1065         https://bugs.webkit.org/show_bug.cgi?id=154603
1066
1067         Reviewed by Mark Lam.
1068
1069         Writing code with fewer branches is almost always better.
1070
1071         * runtime/JSObject.cpp:
1072         (JSC::JSObject::getMethod):
1073
1074 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1075
1076         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1077         https://bugs.webkit.org/show_bug.cgi?id=154592
1078
1079         Reviewed by Saam Barati.
1080
1081         If Foo has a virtual destructor, then:
1082
1083         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1084         subclass of Foo that overrides the destructor, this syntax will not call that override.
1085
1086         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1087         get the subclass's override.
1088
1089         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1090         This caused leaks because this didn't actually call the subclass's override. This fixes the
1091         problem by using this->~Value() instead.
1092
1093         * b3/B3ControlValue.cpp:
1094         (JSC::B3::ControlValue::convertToJump):
1095         (JSC::B3::ControlValue::convertToOops):
1096         * b3/B3Value.cpp:
1097         (JSC::B3::Value::replaceWithIdentity):
1098         (JSC::B3::Value::replaceWithNop):
1099         (JSC::B3::Value::replaceWithPhi):
1100
1101 2016-02-23  Brian Burg  <bburg@apple.com>
1102
1103         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1104         https://bugs.webkit.org/show_bug.cgi?id=154596
1105         <rdar://problem/24794962>
1106
1107         Reviewed by Timothy Hatcher.
1108
1109         In order to support different generated protocol sets that don't have conflicting
1110         file and type names, allow the Objective-C prefix to be configurable based on the
1111         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1112         per-target framework prefix.
1113
1114         For example, the existing protocol for remote inspection has the prefix 'RWI'
1115         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1116         and is generated as 'AutomationProtocol'.
1117
1118         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1119         the instance method model() to find the target framework and its setting for
1120         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1121         these instance methods that used to be static methods. This is a large but
1122         mechanical change to use self instead of ObjCGenerator.
1123
1124         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1125         (ObjCBackendDispatcherHeaderGenerator):
1126         (ObjCBackendDispatcherHeaderGenerator.__init__):
1127         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1128         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1129         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1130         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1131         (ObjCConfigurationImplementationGenerator):
1132         (ObjCConfigurationImplementationGenerator.__init__):
1133         (ObjCConfigurationImplementationGenerator.output_filename):
1134         (ObjCConfigurationImplementationGenerator.generate_output):
1135         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1136         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1137         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1138         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1139         (ObjCConfigurationHeaderGenerator):
1140         (ObjCConfigurationHeaderGenerator.__init__):
1141         (ObjCConfigurationHeaderGenerator.output_filename):
1142         (ObjCConfigurationHeaderGenerator.generate_output):
1143         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1144         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1145         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1146         (ObjCBackendDispatcherImplementationGenerator):
1147         (ObjCBackendDispatcherImplementationGenerator.__init__):
1148         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1149         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1150         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1151         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1152         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1153         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1154         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1155         (ObjCConversionHelpersGenerator):
1156         (ObjCConversionHelpersGenerator.__init__):
1157         (ObjCConversionHelpersGenerator.output_filename):
1158         (ObjCConversionHelpersGenerator.generate_output):
1159         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1160         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1161         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1162         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1163         (ObjCFrontendDispatcherImplementationGenerator):
1164         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1165         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1166         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1167         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1168         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1169         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1170         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1171         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1172         * inspector/scripts/codegen/generate_objc_header.py:
1173         (ObjCHeaderGenerator):
1174         (ObjCHeaderGenerator.__init__):
1175         (ObjCHeaderGenerator.output_filename):
1176         (ObjCHeaderGenerator.generate_output):
1177         (ObjCHeaderGenerator._generate_forward_declarations):
1178         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1179         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1180         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1181         (ObjCHeaderGenerator._generate_type_interface):
1182         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1183         (ObjCHeaderGenerator._generate_member_property):
1184         (ObjCHeaderGenerator._generate_command_protocols):
1185         (ObjCHeaderGenerator._generate_single_command_protocol):
1186         (ObjCHeaderGenerator._callback_block_for_command):
1187         (ObjCHeaderGenerator._generate_event_interfaces):
1188         (ObjCHeaderGenerator._generate_single_event_interface):
1189         * inspector/scripts/codegen/generate_objc_internal_header.py:
1190         (ObjCInternalHeaderGenerator):
1191         (ObjCInternalHeaderGenerator.__init__):
1192         (ObjCInternalHeaderGenerator.output_filename):
1193         (ObjCInternalHeaderGenerator.generate_output):
1194         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1195         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1196         (ObjCProtocolTypesImplementationGenerator):
1197         (ObjCProtocolTypesImplementationGenerator.__init__):
1198         (ObjCProtocolTypesImplementationGenerator.output_filename):
1199         (ObjCProtocolTypesImplementationGenerator.generate_output):
1200         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1201         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1202         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1203         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1204         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1205         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1206         * inspector/scripts/codegen/models.py:
1207         * inspector/scripts/codegen/objc_generator.py:
1208         (ObjCTypeCategory.category_for_type):
1209         (ObjCGenerator):
1210         (ObjCGenerator.__init__):
1211         (ObjCGenerator.objc_prefix):
1212         (ObjCGenerator.objc_name_for_type):
1213         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1214         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1215         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1216         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1217         (ObjCGenerator.objc_class_for_type):
1218         (ObjCGenerator.objc_class_for_array_type):
1219         (ObjCGenerator.objc_accessor_type_for_member):
1220         (ObjCGenerator.objc_accessor_type_for_member_internal):
1221         (ObjCGenerator.objc_type_for_member):
1222         (ObjCGenerator.objc_type_for_member_internal):
1223         (ObjCGenerator.objc_type_for_param):
1224         (ObjCGenerator.objc_type_for_param_internal):
1225         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1226         (ObjCGenerator.objc_protocol_import_expression_for_member):
1227         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1228         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1229         (ObjCGenerator.objc_to_protocol_expression_for_member):
1230         (ObjCGenerator.protocol_to_objc_expression_for_member):
1231
1232         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1233
1234         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1235         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1236         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1237         * inspector/scripts/tests/expected/enum-values.json-result:
1238         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1239         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1240         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1241         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1242         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1243         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1244         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1245         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1246         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1247
1248 2016-02-23  Mark Lam  <mark.lam@apple.com>
1249
1250         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1251         https://bugs.webkit.org/show_bug.cgi?id=154542
1252
1253         Reviewed by Saam Barati.
1254
1255         According to the spec, the constructors of the following types "are not intended
1256         to be called as a function and will throw an exception".  These types are:
1257             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1258             Map - https://tc39.github.io/ecma262/#sec-map-constructor
1259             Set - https://tc39.github.io/ecma262/#sec-set-constructor
1260             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1261             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1262             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1263             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1264             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1265             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1266
1267         This patch does the following:
1268         1. Ensures that these constructors can be called but will throw a TypeError
1269            when called.
1270         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1271            in their implementation to be consistent.
1272         3. Changes the error message to "calling XXX constructor without new is invalid".
1273            This is clearer because the error is likely due to the user forgetting to use
1274            the new operator on these constructors.
1275
1276         * runtime/Error.h:
1277         * runtime/Error.cpp:
1278         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1279         - Added a convenience function to throw the TypeError.
1280
1281         * runtime/JSArrayBufferConstructor.cpp:
1282         (JSC::constructArrayBuffer):
1283         (JSC::callArrayBuffer):
1284         (JSC::JSArrayBufferConstructor::getCallData):
1285         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1286         (JSC::callGenericTypedArrayView):
1287         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1288         * runtime/JSPromiseConstructor.cpp:
1289         (JSC::callPromise):
1290         * runtime/MapConstructor.cpp:
1291         (JSC::callMap):
1292         * runtime/ProxyConstructor.cpp:
1293         (JSC::callProxy):
1294         (JSC::ProxyConstructor::getCallData):
1295         * runtime/SetConstructor.cpp:
1296         (JSC::callSet):
1297         * runtime/WeakMapConstructor.cpp:
1298         (JSC::callWeakMap):
1299         * runtime/WeakSetConstructor.cpp:
1300         (JSC::callWeakSet):
1301
1302         * tests/es6.yaml:
1303         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
1304
1305         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
1306         (test):
1307
1308         * tests/stress/map-constructor.js:
1309         (testCallTypeError):
1310         * tests/stress/promise-cannot-be-called.js:
1311         (shouldThrow):
1312         * tests/stress/proxy-basic.js:
1313         * tests/stress/set-constructor.js:
1314         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
1315         (i.catch):
1316         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
1317         (i.catch):
1318         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
1319         (i.catch):
1320         * tests/stress/weak-map-constructor.js:
1321         (testCallTypeError):
1322         * tests/stress/weak-set-constructor.js:
1323         - Updated error message string.
1324
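Added example, not part of this ChangeLog or of JavaScriptCore: a JavaScript probe of the behaviour the entry above enforces. Each constructor the entry lists rejects a plain call (no `new`) with a TypeError, while legacy constructors such as Date, String, Number, Boolean and Error remain callable and simply convert their argument. The function names and the two constructor tables are chosen here for the demonstration.

```javascript
// Added example (not JavaScriptCore code): classify what happens when a
// built-in constructor is called as a plain function, without `new`.

// Call `ctor` without `new` and classify the outcome:
//   "typeerror"   - a TypeError was thrown (the behaviour the entry requires)
//   "other-error" - some other exception was thrown
//   "returned"    - the call completed normally
function plainCallOutcome(ctor, ...args) {
  try {
    ctor(...args);
    return "returned";
  } catch (e) {
    return e instanceof TypeError ? "typeerror" : "other-error";
  }
}

// The constructors named in the entry above; the spec says none of them may
// be called as a function. Uint8Array stands in for the TypedArray family.
const notCallableAsFunction = {
  Uint8Array, Map, Set, WeakMap, WeakSet, ArrayBuffer, DataView, Promise, Proxy,
};

// Legacy constructors that the spec does allow to be called without `new`
// (they convert or create instead of throwing); included for contrast.
const callableAsFunction = { Date, String, Number, Boolean, Error };

// Build a { name: outcome } table for every constructor in `table`.
function probeAll(table, ...args) {
  const out = {};
  for (const [name, ctor] of Object.entries(table)) {
    out[name] = plainCallOutcome(ctor, ...args);
  }
  return out;
}

// True when every constructor in `table` rejects a plain call with a TypeError.
function allRejectPlainCall(table) {
  return Object.values(probeAll(table)).every(o => o === "typeerror");
}
```

Running `probeAll(notCallableAsFunction)` in a conforming engine yields "typeerror" for every entry, and `probeAll(callableAsFunction)` yields "returned" for every entry; a constructor that landed in the "other-error" column would be the sign of an engine deviating from the spec text quoted above.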
1325 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
1326
1327         ASan build fix.
1328
1329         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
1330
1331         * inspector/InspectorBackendDispatcher.h:
1332
1333 2016-02-23  Brian Burg  <bburg@apple.com>
1334
1335         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
1336         https://bugs.webkit.org/show_bug.cgi?id=154518
1337         <rdar://problem/24761096>
1338
1339         Reviewed by Timothy Hatcher.
1340
1341         * inspector/InspectorBackendDispatcher.h:
1342         Export all the classes since they are used by WebKit::WebAutomationSession.
1343
1344 2016-02-22  Brian Burg  <bburg@apple.com>
1345
1346         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1347         https://bugs.webkit.org/show_bug.cgi?id=154509
1348         <rdar://problem/24759098>
1349
1350         Reviewed by Timothy Hatcher.
1351
1352         Add a new 'WebKit' framework, which is used to generate protocol code
1353         in WebKit2.
1354
1355         Add --backend and --frontend flags to the main generator script.
1356         These allow a framework to trigger two different sets of generators
1357         so they can be separately generated and compiled.
1358
1359         * inspector/scripts/codegen/models.py:
1360         (Framework.fromString):
1361         (Frameworks): Add new framework.
1362
1363         * inspector/scripts/generate-inspector-protocol-bindings.py:
1364         If neither --backend nor --frontend is specified, assume both are wanted.
1365         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1366
1367         (generate_from_specification):
1368         Generate C++ files for the backend and Objective-C files for the frontend.
1369
1370 2016-02-22  Saam barati  <sbarati@apple.com>
1371
1372         JSGlobalObject doesn't visit ProxyObjectStructure during GC
1373         https://bugs.webkit.org/show_bug.cgi?id=154564
1374
1375         Rubber stamped by Mark Lam.
1376
1377         * runtime/JSGlobalObject.cpp:
1378         (JSC::JSGlobalObject::visitChildren):
1379
1380 2016-02-22  Saam barati  <sbarati@apple.com>
1381
1382         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
1383         https://bugs.webkit.org/show_bug.cgi?id=154548
1384
1385         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
1386
1387         InternalFunction::createSubclassStructure calls newTarget.get(...), which can throw
1388         an exception. Neither the function nor the call sites of the function took this into
1389         account. This patch audits the call sites of the function to make it work in
1390         the event that an exception is thrown.
1391
1392         * runtime/BooleanConstructor.cpp:
1393         (JSC::constructWithBooleanConstructor):
1394         * runtime/DateConstructor.cpp:
1395         (JSC::constructDate):
1396         * runtime/ErrorConstructor.cpp:
1397         (JSC::Interpreter::constructWithErrorConstructor):
1398         * runtime/FunctionConstructor.cpp:
1399         (JSC::constructFunctionSkippingEvalEnabledCheck):
1400         * runtime/InternalFunction.cpp:
1401         (JSC::InternalFunction::createSubclassStructure):
1402         * runtime/JSArrayBufferConstructor.cpp:
1403         (JSC::constructArrayBuffer):
1404         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1405         (JSC::constructGenericTypedArrayView):
1406         * runtime/JSGlobalObject.h:
1407         (JSC::constructEmptyArray):
1408         (JSC::constructArray):
1409         (JSC::constructArrayNegativeIndexed):
1410         * runtime/JSPromiseConstructor.cpp:
1411         (JSC::constructPromise):
1412         * runtime/MapConstructor.cpp:
1413         (JSC::constructMap):
1414         * runtime/NativeErrorConstructor.cpp:
1415         (JSC::Interpreter::constructWithNativeErrorConstructor):
1416         * runtime/NumberConstructor.cpp:
1417         (JSC::constructWithNumberConstructor):
1418         * runtime/RegExpConstructor.cpp:
1419         (JSC::getRegExpStructure):
1420         (JSC::constructRegExp):
1421         (JSC::constructWithRegExpConstructor):
1422         * runtime/SetConstructor.cpp:
1423         (JSC::constructSet):
1424         * runtime/StringConstructor.cpp:
1425         (JSC::constructWithStringConstructor):
1426         (JSC::StringConstructor::getConstructData):
1427         * runtime/WeakMapConstructor.cpp:
1428         (JSC::constructWeakMap):
1429         * runtime/WeakSetConstructor.cpp:
1430         (JSC::constructWeakSet):
1431         * tests/stress/create-subclass-structure-might-throw.js: Added.
1432         (assert):
1433
1434 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
1435
1436         Fix build and implement functions to retrieve registers on FreeBSD
1437         https://bugs.webkit.org/show_bug.cgi?id=152258
1438
1439         Reviewed by Michael Catanzaro.
1440
1441         * heap/MachineStackMarker.cpp:
1442         (pthreadSignalHandlerSuspendResume):
1443         struct ucontext is not specified in POSIX and it is not available on
1444         FreeBSD. Replacing it with ucontext_t fixes the build problem.
1445         (JSC::MachineThreads::Thread::Registers::stackPointer):
1446         (JSC::MachineThreads::Thread::Registers::framePointer):
1447         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1448         (JSC::MachineThreads::Thread::Registers::llintPC):
1449         * heap/MachineStackMarker.h:
1450
1451 2016-02-22  Saam barati  <sbarati@apple.com>
1452
1453         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
1454         https://bugs.webkit.org/show_bug.cgi?id=154552
1455
1456         Reviewed by Mark Lam.
1457
1458         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
1459         They return false on a Proxy with internal [[Call]] and [[Construct]]
1460         properties. It seems safest, most forward-looking, and most adherent
1461         to the specification to check getCallData() and getConstructData() to
1462         implement these functions.
1463
1464         * runtime/InternalFunction.cpp:
1465         (JSC::InternalFunction::createSubclassStructure):
1466         * runtime/JSCJSValueInlines.h:
1467         (JSC::JSValue::isFunction):
1468         (JSC::JSValue::isConstructor):
1469
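Added example, not part of this ChangeLog or of JavaScriptCore: how the two questions the entry above concerns, "is this value callable?" and "is this value a constructor?", are observable from script, and that a Proxy answers them according to its target's [[Call]] and [[Construct]] rather than its own type. The helpers `isCallable`, `isConstructor`, `classify` and the `samples` table are names chosen here.

```javascript
// Added example (not JavaScriptCore code): script-level probes for [[Call]]
// and [[Construct]], applied to ordinary values and to Proxies.

// typeof reports "function" exactly for values that have a [[Call]] internal
// method, which includes a Proxy whose target is callable.
function isCallable(value) {
  return typeof value === "function";
}

// There is no typeof-style probe for [[Construct]]. Reflect.construct throws a
// TypeError when its newTarget argument is not a constructor; using a harmless
// constructor (Object) as the real target means nothing of `value` runs, only
// its [[Construct]] slot is consulted.
function isConstructor(value) {
  if (!isCallable(value)) return false;
  try {
    Reflect.construct(Object, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Classify a value as the pair [callable, constructor].
function classify(value) {
  return [isCallable(value), isConstructor(value)];
}

// Sample values, constructed here for the demonstration.
const samples = {
  plainFunction: function () {},
  arrowFunction: () => {},
  classCtor: class {},
  builtinNonCtor: Math.max,
  boundFunction: (function () {}).bind(null),
  proxyOverFunction: new Proxy(function () {}, {}),   // inherits both slots
  proxyOverArrow: new Proxy(() => {}, {}),             // [[Call]] only
  proxyOverObject: new Proxy({}, {}),                  // neither
  plainObject: {},
};

// Returns { name: [callable, constructor] } for every sample.
function classifyAll() {
  const out = {};
  for (const [name, v] of Object.entries(samples)) out[name] = classify(v);
  return out;
}
```

The three Proxy rows are the point of the entry: the proxy over a plain function is both callable and constructible, the proxy over an arrow function is callable only, and the proxy over an object is neither, exactly mirroring their targets.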
1470 2016-02-22  Keith Miller  <keith_miller@apple.com>
1471
1472         Bound functions should use the prototype of the function being bound
1473         https://bugs.webkit.org/show_bug.cgi?id=154195
1474
1475         Reviewed by Geoffrey Garen.
1476
1477         Per ES6, the result of Function.prototype.bind should have the same
1478         prototype as the function being bound. In order to avoid creating
1479         a new structure each time a function is bound we store the new
1480         structure in our structure map. However, we cannot currently store
1481         structures that have a different GlobalObject than their prototype.
1482         In the rare case that the GlobalObject differs or the prototype of
1483         the bindee is null we create a new structure each time. To further
1484         minimize new structures, as well as making structure lookup faster,
1485         we also store the structure in the RareData of the function we
1486         are binding.
1487
1488         * runtime/FunctionRareData.cpp:
1489         (JSC::FunctionRareData::visitChildren):
1490         * runtime/FunctionRareData.h:
1491         (JSC::FunctionRareData::getBoundFunctionStructure):
1492         (JSC::FunctionRareData::setBoundFunctionStructure):
1493         * runtime/JSBoundFunction.cpp:
1494         (JSC::getBoundFunctionStructure):
1495         (JSC::JSBoundFunction::create):
1496         * tests/es6.yaml:
1497         * tests/stress/bound-function-uses-prototype.js: Added.
1498         (testChangeProto.foo):
1499         (testChangeProto):
1500         (testBuiltins):
1501         * tests/stress/class-subclassing-function.js:
1502
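Added example, not part of this ChangeLog or of JavaScriptCore: a script-level check of the rule the entry above implements, that a bound function takes its [[Prototype]] from the function being bound. It covers the ordinary case, a Function subclass, and a bindee whose prototype has been set to null, the case the entry singles out. The helper names (`boundProtoOf`, `bindPreservesPrototype`, `checkAll`) and the sample functions are chosen here.

```javascript
// Added example (not JavaScriptCore code): Function.prototype.bind preserves
// the bindee's [[Prototype]].

const bind = Function.prototype.bind;

// Bind through Function.prototype.bind directly so the call still works when
// the bindee's own prototype chain no longer reaches Function.prototype
// (after Object.setPrototypeOf(fn, null), fn.bind is not reachable).
function boundProtoOf(fn) {
  return Object.getPrototypeOf(bind.call(fn, null));
}

// True when binding preserved the bindee's [[Prototype]].
function bindPreservesPrototype(fn) {
  return boundProtoOf(fn) === Object.getPrototypeOf(fn);
}

// Sample bindees, constructed here for the demonstration.
function ordinary() {}                          // prototype: Function.prototype

class MyFunction extends Function {}            // a Function subclass, so ...
const subclassed = new MyFunction("return 1");  // ... prototype: MyFunction.prototype

function detached() {}
Object.setPrototypeOf(detached, null);          // the null-prototype case

// Run every case; returns { name: preserved }.
function checkAll() {
  return {
    ordinary: bindPreservesPrototype(ordinary),
    subclassed: bindPreservesPrototype(subclassed),
    detached: bindPreservesPrototype(detached),
  };
}
```

In an engine that still gave every bound function Function.prototype, the `subclassed` and `detached` rows would be false; the entry's structure caching only changes how cheaply the engine reaches the correct answer, not the answer itself.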
1503 2016-02-22  Keith Miller  <keith_miller@apple.com>
1504
1505         Unreviewed, fix stress test to not print on success.
1506
1507         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
1508         (catch): Deleted.
1509
1510 2016-02-22  Keith Miller  <keith_miller@apple.com>
1511
1512         Use Symbol.species in the builtin TypedArray.prototype functions
1513         https://bugs.webkit.org/show_bug.cgi?id=153384
1514
1515         Reviewed by Geoffrey Garen.
1516
1517         This patch adds the use of species constructors to the TypedArray.prototype map and filter
1518         functions. It also adds a new private function typedArrayGetOriginalConstructor that
1519         returns the TypedArray constructor used to originally create a TypedArray instance.
1520
1521         There are no ES6 tests to update for this patch as species creation for these functions is
1522         not tested in the compatibility table.
1523
1524         * builtins/TypedArrayPrototype.js:
1525         (map):
1526         (filter):
1527         * bytecode/BytecodeIntrinsicRegistry.cpp:
1528         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1529         * bytecode/BytecodeIntrinsicRegistry.h:
1530         * runtime/CommonIdentifiers.h:
1531         * runtime/JSGlobalObject.cpp:
1532         (JSC::JSGlobalObject::init):
1533         (JSC::JSGlobalObject::visitChildren):
1534         * runtime/JSGlobalObject.h:
1535         (JSC::JSGlobalObject::typedArrayConstructor):
1536         * runtime/JSTypedArrayViewPrototype.cpp:
1537         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
1538         * runtime/JSTypedArrayViewPrototype.h:
1539         * tests/stress/typedarray-filter.js:
1540         (subclasses.typedArrays.map):
1541         (prototype.accept):
1542         (testSpecies):
1543         (accept):
1544         (forEach):
1545         (subclasses.forEach):
1546         (testSpeciesRemoveConstructor):
1547         * tests/stress/typedarray-map.js:
1548         (subclasses.typedArrays.map):
1549         (prototype.id):
1550         (testSpecies):
1551         (id):
1552         (forEach):
1553         (subclasses.forEach):
1554         (testSpeciesRemoveConstructor):
1555
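Added example, not part of this ChangeLog or of JavaScriptCore: how Symbol.species steers the result type of TypedArray.prototype.map and filter, including the fallback to the original constructor when an instance's `constructor` property is missing, which is the lookup the private typedArrayGetOriginalConstructor described above exists to serve. The subclass names and helper functions are chosen here.

```javascript
// Added example (not JavaScriptCore code): Symbol.species in TypedArray
// map/filter, and the fallback when `constructor` is undefined.

// Subclass that leaves Symbol.species alone: map/filter produce Tagged results.
class Tagged extends Uint8Array {}

// Subclass that overrides Symbol.species to opt out: results are plain Uint8Array.
class OptOut extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

// Name of the constructor whose prototype the map() result carries.
function resultTypeOfMap(view) {
  return Object.getPrototypeOf(view.map(x => x * 2)).constructor.name;
}

// Same for filter(), keeping only even elements.
function resultTypeOfFilter(view) {
  return Object.getPrototypeOf(view.filter(x => x % 2 === 0)).constructor.name;
}

// Length of the filtered view, to show the species path still copies values.
function filteredLength(view) {
  return view.filter(x => x % 2 === 0).length;
}

// An instance whose own `constructor` property has been hidden. SpeciesConstructor
// then sees undefined and must fall back to the original, intrinsic constructor.
function taggedWithoutConstructor() {
  const t = new Tagged([1, 2, 3]);
  Object.defineProperty(t, "constructor", { value: undefined });
  return t;
}

// Collect the observable result types for the three cases.
function demo() {
  return {
    tagged: resultTypeOfMap(new Tagged([1, 2, 3])),
    optOut: resultTypeOfMap(new OptOut([1, 2, 3])),
    noConstructor: resultTypeOfMap(taggedWithoutConstructor()),
    taggedFilter: resultTypeOfFilter(new Tagged([1, 2, 3, 4])),
  };
}
```

The `noConstructor` row is the one the entry's private function is about: with no `constructor` to consult, the engine has to know which intrinsic TypedArray constructor originally created the instance, and the result comes back as a plain Uint8Array rather than a Tagged.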
1556 2016-02-22  Keith Miller  <keith_miller@apple.com>
1557
1558         Builtins that should not rely on iteration do.
1559         https://bugs.webkit.org/show_bug.cgi?id=154475
1560
1561         Reviewed by Geoffrey Garen.
1562
1563         When changing the behavior of varargs calls to use ES6 iterators the
1564         call builtin function's use of a varargs call was overlooked. The use
1565         of iterators is observable outside the scope of the call function,
1566         thus it must be reimplemented.
1567
1568         * builtins/FunctionPrototype.js:
1569         (call):
1570         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
1571         (test):
1572         (addAll):
1573         (catch):
1574
1575 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1576
1577         [JSC shell] Don't put empty arguments array to VM.
1578         https://bugs.webkit.org/show_bug.cgi?id=154516
1579
1580         Reviewed by Geoffrey Garen.
1581
1582         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
1583         in jsc as well as in browser.
1584
1585         * jsc.cpp:
1586         (GlobalObject::finishCreation):
1587
1588 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1589
1590         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
1591         https://bugs.webkit.org/show_bug.cgi?id=154450
1592
1593         Reviewed by Alex Christensen.
1594
1595         * CMakeLists.txt:
1596
1597 2016-02-22  Commit Queue  <commit-queue@webkit.org>
1598
1599         Unreviewed, rolling out r196891.
1600         https://bugs.webkit.org/show_bug.cgi?id=154539
1601
1602         it broke Production builds (Requested by brrian on #webkit).
1603
1604         Reverted changeset:
1605
1606         "Web Inspector: add 'Automation' protocol domain and generate
1607         its backend classes separately in WebKit2"
1608         https://bugs.webkit.org/show_bug.cgi?id=154509
1609         http://trac.webkit.org/changeset/196891
1610
1611 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1612
1613         CodeBlock always visits its unlinked code twice
1614         https://bugs.webkit.org/show_bug.cgi?id=154494
1615
1616         Reviewed by Saam Barati.
1617
1618         * bytecode/CodeBlock.cpp:
1619         (JSC::CodeBlock::visitChildren):
1620         The unlinked code is always visited in stronglyVisitStrongReferences.
1621
1622 2016-02-21  Brian Burg  <bburg@apple.com>
1623
1624         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1625         https://bugs.webkit.org/show_bug.cgi?id=154509
1626         <rdar://problem/24759098>
1627
1628         Reviewed by Timothy Hatcher.
1629
1630         Add a new 'WebKit' framework, which is used to generate protocol code
1631         in WebKit2.
1632
1633         Add --backend and --frontend flags to the main generator script.
1634         These allow a framework to trigger two different sets of generators
1635         so they can be separately generated and compiled.
1636
1637         * inspector/scripts/codegen/models.py:
1638         (Framework.fromString):
1639         (Frameworks): Add new framework.
1640
1641         * inspector/scripts/generate-inspector-protocol-bindings.py:
1642         If neither --backend nor --frontend is specified, assume both are wanted.
1643         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1644
1645         (generate_from_specification):
1646         Generate C++ files for the backend and Objective-C files for the frontend.
1647
1648 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1649
1650         Improvements to Intl code
1651         https://bugs.webkit.org/show_bug.cgi?id=154486
1652
1653         Reviewed by Darin Adler.
1654
1655         This patch does several things:
1656         - Use std::unique_ptr to store ICU objects.
1657         - Pass Vector::size() to ICU functions that take a buffer size instead
1658           of Vector::capacity().
1659         - If U_SUCCESS(status) is true, it means there is no error, but there
1660           could be warnings. ICU functions ignore warnings. So, there is no need
1661           to reset status to U_ZERO_ERROR.
1662         - Remove the initialization of the String instance variables of
1663           IntlDateTimeFormat. These values are never read and cause unnecessary
1664           memory allocation.
1665         - Fix coding style.
1666         - Some small optimization.
1667
1668         * runtime/IntlCollator.cpp:
1669         (JSC::IntlCollator::UCollatorDeleter::operator()):
1670         (JSC::IntlCollator::createCollator):
1671         (JSC::IntlCollator::compareStrings):
1672         (JSC::IntlCollator::~IntlCollator): Deleted.
1673         * runtime/IntlCollator.h:
1674         * runtime/IntlDateTimeFormat.cpp:
1675         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
1676         (JSC::defaultTimeZone):
1677         (JSC::canonicalizeTimeZoneName):
1678         (JSC::toDateTimeOptionsAnyDate):
1679         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1680         (JSC::IntlDateTimeFormat::weekdayString):
1681         (JSC::IntlDateTimeFormat::format):
1682         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
1683         (JSC::localeData): Deleted.
1684         * runtime/IntlDateTimeFormat.h:
1685         * runtime/IntlDateTimeFormatConstructor.cpp:
1686         * runtime/IntlNumberFormatConstructor.cpp:
1687         * runtime/IntlObject.cpp:
1688         (JSC::numberingSystemsForLocale):
1689
1690 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1691
1692         Remove arrowfunction test cases that rely on arguments variable in jsc
1693         https://bugs.webkit.org/show_bug.cgi?id=154517
1694
1695         Reviewed by Yusuke Suzuki.
1696
1697         Allow jsc to have the same JavaScript behavior as the browser has.
1698
1699         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1700         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1701
1702 2016-02-21  Brian Burg  <bburg@apple.com>
1703
1704         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
1705         https://bugs.webkit.org/show_bug.cgi?id=154508
1706         <rdar://problem/24759077>
1707
1708         Reviewed by Timothy Hatcher.
1709
1710         In preparation for being able to generate protocol files for WebKit2,
1711         make it possible to not emit generated code that's guarded by
1712         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
1713         backend dispatchers generated outside of JavaScriptCore. We can't just
1714         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
1715         in the configurations where the code is actually used.
1716
1717         Add a new opt-in Framework configuration option that turns on generating
1718         this code. Adjust how the code is generated so that it can be easily excluded.
1719
1720         * inspector/scripts/codegen/cpp_generator_templates.py:
1721         Make a separate template for the declarations that are guarded.
1722         Add an initializer expression so the order of initializers doesn't matter.
1723
1724         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1725         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
1726         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1727         If the declarations are needed, they will be appended to the end of the
1728         declarations list.
1729
1730         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1731         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
1732         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
1733
1734         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
1735         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
1736
1737         Rebaseline affected tests.
1738
1739         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1740         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1741         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1742         * inspector/scripts/tests/expected/enum-values.json-result:
1743         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1744
1745 2016-02-21  Brian Burg  <bburg@apple.com>
1746
1747         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
1748         https://bugs.webkit.org/show_bug.cgi?id=154505
1749         <rdar://problem/24758042>
1750
1751         Reviewed by Timothy Hatcher.
1752
1753         It should be possible to generate code for a framework using some generators
1754         that other frameworks also use. Right now the generator selection code assumes
1755         that use of a generator is mutually exclusive among non-test frameworks.
1756
1757         Make this code explicitly switch on the framework. Reorder generators
1758         alphabetically within each case.
1759
1760         * inspector/scripts/generate-inspector-protocol-bindings.py:
1761         (generate_from_specification):
1762
1763         Rebaseline tests that are affected by generator reorderings.
1764
1765         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1766         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1767         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1768         * inspector/scripts/tests/expected/enum-values.json-result:
1769         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1770         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1771         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1772         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1773         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1774         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1775         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1776         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1777         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1778
1779 2016-02-19  Saam Barati  <sbarati@apple.com>
1780
1781         [ES6] Implement Proxy.[[Construct]]
1782         https://bugs.webkit.org/show_bug.cgi?id=154440
1783
1784         Reviewed by Oliver Hunt.
1785
1786         This patch is mostly an implementation of
1787         Proxy.[[Construct]] with respect to section 9.5.13
1788         of the ECMAScript spec.
1789         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
1790
1791         This patch also changes op_create_this to accept new.target's
1792         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
1793         because we might construct a JSFunction with a new.target being
1794         a Proxy. This will also be needed when we implement Reflect.construct.
1795
1796         * dfg/DFGOperations.cpp:
1797         * dfg/DFGSpeculativeJIT32_64.cpp:
1798         (JSC::DFG::SpeculativeJIT::compile):
1799         * dfg/DFGSpeculativeJIT64.cpp:
1800         (JSC::DFG::SpeculativeJIT::compile):
1801         * jit/JITOpcodes.cpp:
1802         (JSC::JIT::emit_op_create_this):
1803         (JSC::JIT::emitSlow_op_create_this):
1804         * jit/JITOpcodes32_64.cpp:
1805         (JSC::JIT::emit_op_create_this):
1806         (JSC::JIT::emitSlow_op_create_this):
1807         * llint/LLIntData.cpp:
1808         (JSC::LLInt::Data::performAssertions):
1809         * llint/LowLevelInterpreter.asm:
1810         * llint/LowLevelInterpreter32_64.asm:
1811         * llint/LowLevelInterpreter64.asm:
1812         * runtime/CommonSlowPaths.cpp:
1813         (JSC::SLOW_PATH_DECL):
1814         * runtime/ProxyObject.cpp:
1815         (JSC::ProxyObject::finishCreation):
1816         (JSC::ProxyObject::visitChildren):
1817         (JSC::performProxyConstruct):
1818         (JSC::ProxyObject::getConstructData):
1819         * runtime/ProxyObject.h:
1820         * tests/es6.yaml:
1821         * tests/stress/proxy-construct.js: Added.
1822         (assert):
1823         (throw.new.Error.let.target):
1824         (throw.new.Error):
1825         (assert.let.target):
1826         (assert.let.handler.get construct):
1827         (let.target):
1828         (let.handler.construct):
1829         (i.catch):
1830         (assert.let.handler.construct):
1831         (assert.let.construct):
1832         (assert.else.assert.let.target):
1833         (assert.else.assert.let.construct):
1834         (assert.else.assert):
1835         (new.proxy.let.target):
1836         (new.proxy.let.construct):
1837         (new.proxy):
1838
1839 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1840
1841         [INTL] Implement Number Format Functions
1842         https://bugs.webkit.org/show_bug.cgi?id=147605
1843
1844         Reviewed by Darin Adler.
1845
1846         This patch implements Intl.NumberFormat.prototype.format() according
1847         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
1848
1849         * runtime/IntlNumberFormat.cpp:
1850         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1851         (JSC::IntlNumberFormat::initializeNumberFormat):
1852         (JSC::IntlNumberFormat::createNumberFormat):
1853         (JSC::IntlNumberFormat::formatNumber):
1854         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1855         * runtime/IntlNumberFormat.h:
1856         * runtime/IntlNumberFormatPrototype.cpp:
1857         (JSC::IntlNumberFormatFuncFormatNumber):
1858
1859 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
1860
1861         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1862         https://bugs.webkit.org/show_bug.cgi?id=154416
1863
1864         Reviewed by Geoff Garen.
1865
1866         Here's the bug. Suppose you call JSObject::getOwnProperty and -
1867           - PropertyName contains an index,
1868           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1869           - The base of the access (or another object on the prototype chain) shadows that property.
1870
1871         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1872         index, and as such walks up the prototype chain looking for non-index properties before it
1873         tries calling parseIndex.
1874
1875         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1876         would potentially return the property) we may have already skipped over non-overriding
1877         objects that contain the property in index storage.
1878
1879         * runtime/JSObject.h:
1880         (JSC::JSObject::getOwnNonIndexPropertySlot):
1881             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1882               added ASSERT guarding that this method never returns index properties -
1883               if it ever does, this is unsafe for getPropertySlot.
1884         (JSC::JSObject::getOwnPropertySlot):
1885             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1886         (JSC::JSObject::getPropertySlot):
1887             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1888         (JSC::JSObject::getNonIndexPropertySlot):
1889             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1890               in order to avoid repeated calls to parseIndex.
1891         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1892             - this was renamed to getOwnNonIndexPropertySlot.
1893         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1894             - this was folded back into getPropertySlot.
1895
1896 2016-02-19  Saam Barati  <sbarati@apple.com>
1897
1898         [ES6] Implement Proxy.[[Call]]
1899         https://bugs.webkit.org/show_bug.cgi?id=154425
1900
1901         Reviewed by Mark Lam.
1902
1903         This patch is a straightforward implementation of
1904         Proxy.[[Call]] with respect to section 9.5.12
1905         of the ECMAScript spec.
1906         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1907
1908         * runtime/ProxyObject.cpp:
1909         (JSC::ProxyObject::finishCreation):
1910         (JSC::performProxyGet):
1911         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1912         (JSC::ProxyObject::performHasProperty):
1913         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1914         (JSC::performProxyCall):
1915         (JSC::ProxyObject::getCallData):
1916         (JSC::ProxyObject::visitChildren):
1917         * runtime/ProxyObject.h:
1918         (JSC::ProxyObject::create):
1919         * tests/es6.yaml:
1920         * tests/stress/proxy-call.js: Added.
1921         (assert):
1922         (throw.new.Error.let.target):
1923         (throw.new.Error.let.handler.apply):
1924         (throw.new.Error):
1925         (assert.let.target):
1926         (assert.let.handler.get apply):
1927         (let.target):
1928         (let.handler.apply):
1929         (i.catch):
1930         (assert.let.handler.apply):
1931
1932 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1933
1934         Remove more LLVM related dead code after r196729
1935         https://bugs.webkit.org/show_bug.cgi?id=154387
1936
1937         Reviewed by Filip Pizlo.
1938
1939         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
1940         * Configurations/LLVMForJSC.xcconfig: Removed.
1941         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
1942         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
1943         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
1944         * JavaScriptCore.xcodeproj/project.pbxproj:
1945         * disassembler/X86Disassembler.cpp:
1946
1947 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1948
1949         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
1950         https://bugs.webkit.org/show_bug.cgi?id=154442
1951
1952         Reviewed by Saam Barati.
1953
1954         * runtime/JSString.h:
1955         (JSC::isJSString):
1956
1957 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1958
1959         Remove unused SymbolTable::createNameScopeTable
1960         https://bugs.webkit.org/show_bug.cgi?id=154443
1961
1962         Reviewed by Saam Barati.
1963
1964         * runtime/SymbolTable.h:
1965
1966 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
1967
1968         [JSC] Improve the instruction selection of Select
1969         https://bugs.webkit.org/show_bug.cgi?id=154432
1970
1971         Reviewed by Filip Pizlo.
1972
1973         Plenty of code but this patch is pretty dumb:
1974         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
1975          to be aliased to the destination. This gives more freedom to the register
1976          allocator and it is one less Move to process per Select.
1977         -On x86, introduce a fake 3 operands form and use aggressive aliasing
1978          to try to alias both sources to the destination.
1979
1980          If aliasing succeeds on the "elseCase", the condition of the Select
1981          is reverted in the MacroAssembler.
1982
1983          If no aliasing is possible and we end up with 3 registers, the missing
1984          move instruction is generated by the MacroAssembler.
1985
1986          The missing move is generated after testing the values because the destination
1987          can use the same register as one of the test operands.
1988          Experimental testing seems to indicate there is no macro-fusion on CMOV;
1989          there is no measurable cost to having the move there.
1990
1991         * assembler/MacroAssembler.h:
1992         (JSC::MacroAssembler::isInvertible):
1993         (JSC::MacroAssembler::invert):
1994         * assembler/MacroAssemblerARM64.h:
1995         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
1996         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
1997         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1998         (JSC::MacroAssemblerARM64::moveConditionally32):
1999         (JSC::MacroAssemblerARM64::moveConditionally64):
2000         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2001         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2002         * assembler/MacroAssemblerX86Common.h:
2003         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2004         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2005         (JSC::MacroAssemblerX86Common::moveConditionally32):
2006         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2007         (JSC::MacroAssemblerX86Common::invert):
2008         (JSC::MacroAssemblerX86Common::isInvertible):
2009         * assembler/MacroAssemblerX86_64.h:
2010         (JSC::MacroAssemblerX86_64::moveConditionally64):
2011         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2012         * b3/B3LowerToAir.cpp:
2013         (JSC::B3::Air::LowerToAir::createSelect):
2014         (JSC::B3::Air::LowerToAir::lower):
2015         * b3/air/AirInstInlines.h:
2016         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2017         * b3/air/AirOpcode.opcodes:
2018
2019 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2020
2021         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2022         https://bugs.webkit.org/show_bug.cgi?id=154430
2023
2024         Reviewed by Saam Barati.
2025
2026         llvm isn't used anymore.
2027
2028         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2029
2030 2016-02-18  Saam Barati  <sbarati@apple.com>
2031
2032         Implement Proxy.[[HasProperty]]
2033         https://bugs.webkit.org/show_bug.cgi?id=154313
2034
2035         Reviewed by Filip Pizlo.
2036
2037         This patch is a straightforward implementation of
2038         Proxy.[[HasProperty]] with respect to section 9.5.7
2039         of the ECMAScript spec.
2040         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2041
2042         * runtime/ProxyObject.cpp:
2043         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2044         (JSC::ProxyObject::performHasProperty):
2045         (JSC::ProxyObject::getOwnPropertySlotCommon):
2046         * runtime/ProxyObject.h:
2047         * tests/es6.yaml:
2048         * tests/stress/proxy-basic.js:
2049         (assert):
2050         (let.handler.has):
2051         * tests/stress/proxy-has-property.js: Added.
2052         (assert):
2053         (throw.new.Error.let.handler.get has):
2054         (throw.new.Error):
2055         (assert.let.handler.has):
2056         (let.handler.has):
2057         (getOwnPropertyDescriptor):
2058         (i.catch):
2059
2060 2016-02-18  Saam Barati  <sbarati@apple.com>
2061
2062         Proxies don't properly handle Symbols as PropertyKeys.
2063         https://bugs.webkit.org/show_bug.cgi?id=154385
2064
2065         Reviewed by Mark Lam and Yusuke Suzuki.
2066
2067         We were converting all PropertyKeys to strings, even when
2068         the PropertyName was a Symbol. In the spec, PropertyKeys are
2069         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2070         Proxy.[[GetOwnProperty]].
2071
2072         * runtime/Completion.cpp:
2073         (JSC::profiledEvaluate):
2074         (JSC::createSymbolForEntryPointModule):
2075         (JSC::identifierToJSValue): Deleted.
2076         * runtime/Identifier.h:
2077         (JSC::parseIndex):
2078         * runtime/IdentifierInlines.h:
2079         (JSC::Identifier::fromString):
2080         (JSC::identifierToJSValue):
2081         (JSC::identifierToSafePublicJSValue):
2082         * runtime/ProxyObject.cpp:
2083         (JSC::performProxyGet):
2084         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2085         * tests/es6.yaml:
2086         * tests/stress/proxy-basic.js:
2087         (let.handler.getOwnPropertyDescriptor):
2088
2089 2016-02-18  Saam Barati  <sbarati@apple.com>
2090
2091         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2092         https://bugs.webkit.org/show_bug.cgi?id=154314
2093
2094         Reviewed by Filip Pizlo.
2095
2096         Part of the implementation was broken because
2097         of how JSObject::getOwnPropertyDescriptor worked.
2098         I've fixed JSObject::getOwnPropertyDescriptor to
2099         be able to handle ProxyObject.
2100
2101         * runtime/JSObject.cpp:
2102         (JSC::JSObject::getOwnPropertyDescriptor):
2103         * runtime/ProxyObject.cpp:
2104         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2105         * tests/stress/proxy-get-own-property.js:
2106         (assert):
2107         (assert.let.handler.get getOwnPropertyDescriptor):
2108
2109 2016-02-18  Saam Barati  <sbarati@apple.com>
2110
2111         Implement Proxy.[[GetOwnProperty]]
2112         https://bugs.webkit.org/show_bug.cgi?id=154314
2113
2114         Reviewed by Filip Pizlo.
2115
2116         This patch implements Proxy.[[GetOwnProperty]].
2117         It's a straightforward implementation as described
2118         in section 9.5.5 of the specification:
2119         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2120
2121         * runtime/FunctionPrototype.cpp:
2122         (JSC::functionProtoFuncBind):
2123         * runtime/JSObject.cpp:
2124         (JSC::validateAndApplyPropertyDescriptor):
2125         (JSC::JSObject::defineOwnNonIndexProperty):
2126         (JSC::JSObject::defineOwnProperty):
2127         (JSC::JSObject::getGenericPropertyNames):
2128         (JSC::JSObject::getMethod):
2129         * runtime/JSObject.h:
2130         (JSC::JSObject::butterflyAddress):
2131         (JSC::makeIdentifier):
2132         * runtime/ProxyObject.cpp:
2133         (JSC::performProxyGet):
2134         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2135         (JSC::ProxyObject::getOwnPropertySlotCommon):
2136         (JSC::ProxyObject::getOwnPropertySlot):
2137         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2138         (JSC::ProxyObject::visitChildren):
2139         * runtime/ProxyObject.h:
2140         * tests/es6.yaml:
2141         * tests/stress/proxy-basic.js:
2142         (let.handler.get null):
2143         * tests/stress/proxy-get-own-property.js: Added.
2144         (assert):
2145         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2146         (throw.new.Error):
2147         (let.handler.getOwnPropertyDescriptor):
2148         (i.catch):
2149         (assert.let.handler.getOwnPropertyDescriptor):
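
        The following is an added example, not part of this ChangeLog or of the JSC
        sources. It drives, from script, the Proxy internal methods implemented in the
        four Proxy entries above: [[Call]] (9.5.12), [[HasProperty]] (9.5.7), the
        Symbol PropertyKey fix, and [[GetOwnProperty]] (9.5.5), including the spec
        invariants that make a lying trap throw a TypeError. The helper names
        (callThroughProxy, proxyOfNonCallable, hasTrap, getOwnPropertyTrap) are this
        example's own; it assumes an ES2015-compliant engine such as a jsc build that
        includes these patches.

```javascript
// Added example (not WebKit ChangeLog or JSC code): drives the Proxy internal
// methods implemented in the entries above from script. Helper names are ours.

// [[Call]] (9.5.12): the apply trap receives (target, thisArgument, argumentsList);
// with no trap, the call goes straight to the target.
function callThroughProxy() {
  const seen = [];
  const target = function (a, b) { return this.base + a + b; };
  const trapped = new Proxy(target, {
    apply(t, thisArg, args) {
      seen.push([thisArg.base, args.length]);
      return Reflect.apply(t, thisArg, args);
    },
  });
  const untrapped = new Proxy(target, {});
  return {
    trapped: trapped.call({ base: 10 }, 1, 2),     // 13, through the trap
    untrapped: untrapped.call({ base: 1 }, 2, 3),  // 6, forwarded to target
    seen,                                          // [[10, 2]]
  };
}

// A proxy is callable only if its target is; an apply trap alone does not make
// `typeof` report "function" or make the call succeed.
function proxyOfNonCallable() {
  const p = new Proxy({}, { apply() { return "never"; } });
  let threw = false;
  try { p(); } catch (e) { threw = e instanceof TypeError; }
  return { type: typeof p, threw };  // "object", true
}

// [[HasProperty]] (9.5.7): `in` consults the has trap, coerces its result to a
// Boolean, and refuses to hide a non-configurable own property of the target.
function hasTrap() {
  const target = { visible: 1, hidden: 2 };
  Object.defineProperty(target, "pinned", { value: 3, configurable: false });
  const p = new Proxy(target, {
    has(t, key) {
      return key === "hidden" || key === "pinned" ? 0 : Reflect.has(t, key);
    },
  });
  let invariantError = false;
  try { "pinned" in p; } catch (e) { invariantError = e instanceof TypeError; }
  return { visible: "visible" in p, hidden: "hidden" in p, invariantError };
}

// [[GetOwnProperty]] (9.5.5): Object.getOwnPropertyDescriptor consults the trap.
// A Symbol key must arrive as a Symbol (the PropertyKey fix above), and a
// descriptor that claims a non-configurable property the target lacks is
// rejected with a TypeError.
function getOwnPropertyTrap() {
  const sym = Symbol("tag");
  const target = { [sym]: "s", plain: 1 };
  const keyTypes = [];
  const p = new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      keyTypes.push(typeof key);
      if (key === "bogus")
        return { value: 0, writable: true, enumerable: true, configurable: false };
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
  const symValue = Object.getOwnPropertyDescriptor(p, sym).value;
  let invariantError = false;
  try {
    Object.getOwnPropertyDescriptor(p, "bogus");
  } catch (e) {
    invariantError = e instanceof TypeError;
  }
  return { keyTypes, symValue, invariantError };  // ["symbol", "string"], "s", true
}
```

        Each function returns what it observed rather than printing it, so the same
        script doubles as a regression check when run under jsc or node.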
2150
2151 2016-02-18  Andreas Kling  <akling@apple.com>
2152
2153         JSString resolution of substrings should use StringImpl sharing optimization.
2154         <https://webkit.org/b/154068>
2155         <rdar://problem/24629358>
2156
2157         Reviewed by Antti Koivisto.
2158
2159         When resolving a JSString that's actually a substring of another JSString,
2160         use the StringImpl sharing optimization to create a new string pointing into
2161         the parent one, instead of copying out the bytes of the string.
2162
2163         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2164
2165         Another approach to this would be to induce GC far more frequently due to
2166         the added cost of copying out these substrings. It would reduce the risk
2167         of prolonging the life of strings only kept alive by substrings.
2168
2169         This patch chooses to trade that risk for less GC and lower peak memory.
2170
2171         * runtime/JSString.cpp:
2172         (JSC::JSRopeString::resolveRope):
2173
2174 2016-02-18  Chris Dumez  <cdumez@apple.com>
2175
2176         Crash on SES selftest page when loading the page while WebInspector is open
2177         https://bugs.webkit.org/show_bug.cgi?id=154378
2178         <rdar://problem/24713422>
2179
2180         Reviewed by Mark Lam.
2181
2182         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2183         returns early again if it detects that getOwnPropertySlot() returns a
2184         non-own property. This check was removed in r196676 because we assumed that
2185         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2186         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2187         well.
2188
2189         Not having the check would lead to crashes when using the debugger because
2190         we would get a slot with the CustomAccessor attribute but getDirect() would
2191         then fail to return the property (because it is not an own property). We
2192         would then cast the value returned by getDirect() to a CustomGetterSetter*
2193         and dereference it.
2194
2195         * runtime/JSObject.cpp:
2196         (JSC::JSObject::getOwnPropertyDescriptor):
2197
2198 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2199
2200         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2201         for that.
2202
2203         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2204         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2205
2206 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2207
2208         Unreviewed, fix CMake build. This got messed up when rebasing.
2209
2210         * CMakeLists.txt:
2211
2212 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2213
2214         Fix the !ENABLE(DFG_JIT) build after r195865
2215         https://bugs.webkit.org/show_bug.cgi?id=154391
2216
2217         Reviewed by Filip Pizlo.
2218
2219         * runtime/SamplingProfiler.cpp:
2220         (JSC::tryGetBytecodeIndex):
2221
2222 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2223
2224         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2225         https://bugs.webkit.org/show_bug.cgi?id=154383
2226
2227         Reviewed by Saam Barati.
2228
2229         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2230
2231         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2232           backend".
2233
2234         - Removed the reference because I found it to be dead. In some cases it was a dead
2235           comment: it was telling us things about what LLVM did and that's just not relevant
2236           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2237
2238         - Edited the comment in some smart way. There were comments talking about what LLVM did
2239           that were still of interest. In some cases, I added a FIXME to consider changing the
2240           code below the comment on the grounds that it was written in a weird way to placate
2241           LLVM and so we can do it better now.
2242
2243         * CMakeLists.txt:
2244         * JavaScriptCore.xcodeproj/project.pbxproj:
2245         * dfg/DFGArgumentsEliminationPhase.cpp:
2246         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2247         * dfg/DFGPlan.cpp:
2248         (JSC::DFG::Plan::compileInThread):
2249         (JSC::DFG::Plan::compileInThreadImpl):
2250         (JSC::DFG::Plan::compileTimeStats):
2251         * dfg/DFGPutStackSinkingPhase.cpp:
2252         * dfg/DFGSSAConversionPhase.h:
2253         * dfg/DFGStaticExecutionCountEstimationPhase.h:
2254         * dfg/DFGUnificationPhase.cpp:
2255         (JSC::DFG::UnificationPhase::run):
2256         * disassembler/ARM64Disassembler.cpp:
2257         (JSC::tryToDisassemble): Deleted.
2258         * disassembler/X86Disassembler.cpp:
2259         (JSC::tryToDisassemble):
2260         * ftl/FTLAbstractHeap.cpp:
2261         (JSC::FTL::IndexedAbstractHeap::initialize):
2262         * ftl/FTLAbstractHeap.h:
2263         * ftl/FTLFormattedValue.h:
2264         * ftl/FTLJITFinalizer.cpp:
2265         (JSC::FTL::JITFinalizer::finalizeFunction):
2266         * ftl/FTLLink.cpp:
2267         (JSC::FTL::link):
2268         * ftl/FTLLocation.cpp:
2269         (JSC::FTL::Location::restoreInto):
2270         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2271         (JSC::FTL::DFG::ftlUnreachable):
2272         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2273         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2274         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2275         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2276         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2277         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
2278         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
2279         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2280         (JSC::FTL::lowerDFGToB3):
2281         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
2282         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
2283         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
2284         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
2285         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
2286         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
2287         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
2288         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
2289         (JSC::FTL::lowerDFGToLLVM): Deleted.
2290         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
2291         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
2292         * ftl/FTLLowerDFGToLLVM.h: Removed.
2293         * ftl/FTLOSRExitCompiler.cpp:
2294         (JSC::FTL::compileStub):
2295         * ftl/FTLWeight.h:
2296         (JSC::FTL::Weight::frequencyClass):
2297         (JSC::FTL::Weight::inverse):
2298         (JSC::FTL::Weight::scaleToTotal): Deleted.
2299         * ftl/FTLWeightedTarget.h:
2300         (JSC::FTL::rarely):
2301         (JSC::FTL::unsure):
2302         * jit/CallFrameShuffler64.cpp:
2303         (JSC::CallFrameShuffler::emitDisplace):
2304         * jit/RegisterSet.cpp:
2305         (JSC::RegisterSet::ftlCalleeSaveRegisters):
2306         * llvm: Removed.
2307         * llvm/InitializeLLVMLinux.cpp: Removed.
2308         * llvm/InitializeLLVMWin.cpp: Removed.
2309         * llvm/library: Removed.
2310         * llvm/library/LLVMTrapCallback.h: Removed.
2311         * llvm/library/libllvmForJSC.version: Removed.
2312         * runtime/Options.cpp:
2313         (JSC::recomputeDependentOptions):
2314         (JSC::Options::initialize):
2315         * runtime/Options.h:
2316         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
2317         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
2318         * wasm/WASMFunctionParser.cpp:
2319
2320 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2321
2322         [cmake] Build system cleanup
2323         https://bugs.webkit.org/show_bug.cgi?id=154337
2324
2325         Reviewed by Žan Doberšek.
2326
2327         * CMakeLists.txt:
2328
2329 2016-02-17  Mark Lam  <mark.lam@apple.com>
2330
2331         Callers of JSString::value() should check for exceptions thereafter.
2332         https://bugs.webkit.org/show_bug.cgi?id=154346
2333
2334         Reviewed by Geoffrey Garen.
2335
2336         JSString::value() can throw an exception if the JS string is a rope and value() 
2337         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2338         able to resolve the rope, it will return a null string (in addition to throwing
2339         the exception).  If a caller does not check for exceptions after calling
2340         JSString::value(), they may eventually use the returned null string and crash the
2341         VM.
2342
2343         The fix is to add all the necessary exception checks, and do the appropriate
2344         handling if needed.
2345
2346         * jsc.cpp:
2347         (functionRun):
2348         (functionLoad):
2349         (functionReadFile):
2350         (functionCheckSyntax):
2351         (functionLoadWebAssembly):
2352         (functionLoadModule):
2353         (functionCheckModuleSyntax):
2354         * runtime/DateConstructor.cpp:
2355         (JSC::dateParse):
2356         (JSC::dateNow):
2357         * runtime/JSGlobalObjectFunctions.cpp:
2358         (JSC::globalFuncEval):
2359         * tools/JSDollarVMPrototype.cpp:
2360         (JSC::functionPrint):
2361
2362 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2363
2364         [JSC] ARM64: Support the immediate format used for bit operations in Air
2365         https://bugs.webkit.org/show_bug.cgi?id=154327
2366
2367         Reviewed by Filip Pizlo.
2368
2369         ARM64 supports a pretty rich form of immediates for bit operations.
2370         There are two formats used to encode repeating patterns and common
2371         input in a dense form.
2372
2373         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
2374         Those represent the valid immediate forms for bit operations.
2375         On x86, any 32-bit value is valid. On ARM64, all the encoding
2376         forms are tried and the immediate is used when possible.
2377
2378         The arg type Imm64 is renamed to BigImm to better represent what
2379         it is: an immediate that does not fit into Imm.
2380
2381         * assembler/ARM64Assembler.h:
2382         (JSC::LogicalImmediate::create32): Deleted.
2383         (JSC::LogicalImmediate::create64): Deleted.
2384         (JSC::LogicalImmediate::value): Deleted.
2385         (JSC::LogicalImmediate::isValid): Deleted.
2386         (JSC::LogicalImmediate::is64bit): Deleted.
2387         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
2388         (JSC::LogicalImmediate::mask): Deleted.
2389         (JSC::LogicalImmediate::partialHSB): Deleted.
2390         (JSC::LogicalImmediate::highestSetBit): Deleted.
2391         (JSC::LogicalImmediate::findBitRange): Deleted.
2392         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
2393         * assembler/AssemblerCommon.h:
2394         (JSC::ARM64LogicalImmediate::create32):
2395         (JSC::ARM64LogicalImmediate::create64):
2396         (JSC::ARM64LogicalImmediate::value):
2397         (JSC::ARM64LogicalImmediate::isValid):
2398         (JSC::ARM64LogicalImmediate::is64bit):
2399         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
2400         (JSC::ARM64LogicalImmediate::mask):
2401         (JSC::ARM64LogicalImmediate::partialHSB):
2402         (JSC::ARM64LogicalImmediate::highestSetBit):
2403         (JSC::ARM64LogicalImmediate::findBitRange):
2404         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
2405         * assembler/MacroAssemblerARM64.h:
2406         (JSC::MacroAssemblerARM64::and64):
2407         (JSC::MacroAssemblerARM64::or64):
2408         (JSC::MacroAssemblerARM64::xor64):
2409         * b3/B3LowerToAir.cpp:
2410         (JSC::B3::Air::LowerToAir::bitImm):
2411         (JSC::B3::Air::LowerToAir::bitImm64):
2412         (JSC::B3::Air::LowerToAir::appendBinOp):
2413         * b3/air/AirArg.cpp:
2414         (JSC::B3::Air::Arg::dump):
2415         (WTF::printInternal):
2416         * b3/air/AirArg.h:
2417         (JSC::B3::Air::Arg::bitImm):
2418         (JSC::B3::Air::Arg::bitImm64):
2419         (JSC::B3::Air::Arg::isBitImm):
2420         (JSC::B3::Air::Arg::isBitImm64):
2421         (JSC::B3::Air::Arg::isSomeImm):
2422         (JSC::B3::Air::Arg::value):
2423         (JSC::B3::Air::Arg::isGP):
2424         (JSC::B3::Air::Arg::isFP):
2425         (JSC::B3::Air::Arg::hasType):
2426         (JSC::B3::Air::Arg::isValidBitImmForm):
2427         (JSC::B3::Air::Arg::isValidBitImm64Form):
2428         (JSC::B3::Air::Arg::isValidForm):
2429         (JSC::B3::Air::Arg::asTrustedImm32):
2430         (JSC::B3::Air::Arg::asTrustedImm64):
2431         * b3/air/AirOpcode.opcodes:
2432         * b3/air/opcode_generator.rb:
2433
2434 2016-02-17  Keith Miller  <keith_miller@apple.com>
2435
2436         Spread operator should be allowed when not the first argument of parameter list
2437         https://bugs.webkit.org/show_bug.cgi?id=152721
2438
2439         Reviewed by Saam Barati.
2440
2441         Spread arguments to functions should now be ES6 compliant. Before we
2442         would only take a spread operator if it was the sole argument to a
2443         function. Additionally, we would not use the Symbol.iterator on the
2444         object to generate the arguments. Instead we would do a loop up to the
2445         length mapping indexed properties to the corresponding argument. We fix
2446         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2447         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2448         old spread semantics). This solution has the downside of requiring the
2449         allocation of another object and copying each element twice but avoids a
2450         large change to the vm calling convention.
2451
2452         * interpreter/Interpreter.cpp:
2453         (JSC::loadVarargs):
2454         * parser/ASTBuilder.h:
2455         (JSC::ASTBuilder::createElementList):
2456         * parser/Parser.cpp:
2457         (JSC::Parser<LexerType>::parseArguments):
2458         (JSC::Parser<LexerType>::parseArgument):
2459         (JSC::Parser<LexerType>::parseMemberExpression):
2460         * parser/Parser.h:
2461         * parser/SyntaxChecker.h:
2462         (JSC::SyntaxChecker::createElementList):
2463         * tests/es6.yaml:
2464         * tests/stress/spread-calling.js: Added.
2465         (testFunction):
2466         (testEmpty):
2467         (makeObject):
2468         (otherIterator.return.next):
2469         (otherIterator):
2470         (totalIter):
2471         (throwingIter.return.next):
2472         (throwingIter):
2473         (i.catch):
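
        The following is an added example, not part of this ChangeLog or of the JSC
        sources. It shows from script what the entry above changes: a spread may sit
        in any argument position, and each spread is driven by the object's
        Symbol.iterator rather than by walking indices 0..length-1. The helper
        lengthBasedSpread re-creates the old index walk for comparison; it and the
        other names here (collect, disagreeing, spreadComparison, mixedPositions,
        throwingIteratorAbortsCall) are this example's own.

```javascript
// Added example (not WebKit ChangeLog or JSC code): shows from script what the
// entry above changes. A spread may sit in any argument position, and each one
// is driven by the object's Symbol.iterator rather than by indices 0..length-1.
// lengthBasedSpread re-creates the old index walk for comparison; it and the
// other names here are this example's own.

function lengthBasedSpread(obj) {
  const out = [];
  for (let i = 0; i < obj.length; i++) out.push(obj[i]);
  return out;
}

function collect(...args) { return args; }

// An array-like whose indexed view and iterator disagree: indices hold 1, 2, 3
// but the iterator yields 10, 20. Only the iterator is visible to a spec spread.
const disagreeing = {
  length: 3, 0: 1, 1: 2, 2: 3,
  *[Symbol.iterator]() { yield 10; yield 20; },
};

function spreadComparison() {
  return {
    iteratorBased: collect(0, ...disagreeing, "end"),                  // [0, 10, 20, "end"]
    lengthBased: collect(0, ...lengthBasedSpread(disagreeing), "end"), // [0, 1, 2, 3, "end"]
  };
}

// The foo(...a, b, ...c, d) shape: order is preserved; Sets and strings iterate.
function mixedPositions() {
  const a = [1, 2];
  const c = new Set([3, 4]);
  return collect(...a, "b", ...c, "d", ..."xy");  // [1, 2, "b", 3, 4, "d", "x", "y"]
}

// Iteration happens while the argument list is built, so an iterator that
// throws aborts the call before later arguments are evaluated or the callee runs.
function throwingIteratorAbortsCall() {
  let laterArgEvaluated = false;
  const bad = {
    *[Symbol.iterator]() { yield 1; throw new RangeError("bad item"); },
  };
  try {
    collect(...bad, (laterArgEvaluated = true));
  } catch (e) {
    return { caught: e instanceof RangeError, laterArgEvaluated };  // true, false
  }
  return { caught: false, laterArgEvaluated };
}
```

        Run under an engine with the old behaviour, collect(0, ...disagreeing, "end")
        would have been a syntax error (spread not the sole argument) and a lone
        ...disagreeing would have produced the index-walk result instead.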
2474
2475 2016-02-17  Brian Burg  <bburg@apple.com>
2476
2477         Remove a wrong cast in RemoteInspector::receivedSetupMessage
2478         https://bugs.webkit.org/show_bug.cgi?id=154361
2479         <rdar://problem/24709281>
2480
2481         Reviewed by Joseph Pecoraro.
2482
2483         * inspector/remote/RemoteInspector.mm:
2484         (Inspector::RemoteInspector::receivedSetupMessage):
2485         Not only is this cast unnecessary (the constructor accepts the base class),
2486         but it is wrong since the target could be an automation target. Remove it.
2487
2488 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2489
2490         Rename FTLB3Blah to FTLBlah
2491         https://bugs.webkit.org/show_bug.cgi?id=154365
2492
2493         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
2494
2495         * CMakeLists.txt:
2496         * JavaScriptCore.xcodeproj/project.pbxproj:
2497         * ftl/FTLB3Compile.cpp: Removed.
2498         * ftl/FTLB3Output.cpp: Removed.
2499         * ftl/FTLB3Output.h: Removed.
2500         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
2501         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
2502         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
2503
2504 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2505
2506         Remove LLVM dependencies from WebKit
2507         https://bugs.webkit.org/show_bug.cgi?id=154323
2508
2509         Reviewed by Antti Koivisto and Benjamin Poulain.
2510
2511         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
2512         LLVM-related code dead, including the disassembler, which was only reachable when you were on
2513         a platform that already had an in-tree disassembler.
2514
2515         * CMakeLists.txt:
2516         * JavaScriptCore.xcodeproj/project.pbxproj:
2517         * dfg/DFGCommon.h:
2518         * dfg/DFGPlan.cpp:
2519         (JSC::DFG::Plan::compileInThread):
2520         (JSC::DFG::Plan::compileInThreadImpl):
2521         (JSC::DFG::Plan::compileTimeStats):
2522         * disassembler/ARM64Disassembler.cpp:
2523         (JSC::tryToDisassemble):
2524         * disassembler/ARMv7Disassembler.cpp:
2525         (JSC::tryToDisassemble):
2526         * disassembler/Disassembler.cpp:
2527         (JSC::disassemble):
2528         (JSC::disassembleAsynchronously):
2529         * disassembler/Disassembler.h:
2530         (JSC::tryToDisassemble):
2531         * disassembler/LLVMDisassembler.cpp: Removed.
2532         * disassembler/LLVMDisassembler.h: Removed.
2533         * disassembler/UDis86Disassembler.cpp:
2534         (JSC::tryToDisassembleWithUDis86):
2535         * disassembler/UDis86Disassembler.h:
2536         (JSC::tryToDisassembleWithUDis86):
2537         * disassembler/X86Disassembler.cpp:
2538         (JSC::tryToDisassemble):
2539         * ftl/FTLAbbreviatedTypes.h:
2540         * ftl/FTLAbbreviations.h: Removed.
2541         * ftl/FTLAbstractHeap.cpp:
2542         (JSC::FTL::AbstractHeap::decorateInstruction):
2543         (JSC::FTL::AbstractHeap::dump):
2544         (JSC::FTL::AbstractField::dump):
2545         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2546         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
2547         (JSC::FTL::IndexedAbstractHeap::baseIndex):
2548         (JSC::FTL::IndexedAbstractHeap::dump):
2549         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
2550         (JSC::FTL::NumberedAbstractHeap::dump):
2551         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
2552         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
2553         * ftl/FTLAbstractHeap.h:
2554         (JSC::FTL::AbstractHeap::AbstractHeap):
2555         (JSC::FTL::AbstractHeap::heapName):
2556         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
2557         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
2558         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
2559         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
2560         * ftl/FTLAbstractHeapRepository.cpp:
2561         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2562         * ftl/FTLAbstractHeapRepository.h:
2563         * ftl/FTLB3Compile.cpp:
2564         * ftl/FTLB3Output.cpp:
2565         (JSC::FTL::Output::Output):
2566         (JSC::FTL::Output::check):
2567         (JSC::FTL::Output::load):
2568         (JSC::FTL::Output::store):
2569         * ftl/FTLB3Output.h:
2570         * ftl/FTLCommonValues.cpp:
2571         (JSC::FTL::CommonValues::CommonValues):
2572         (JSC::FTL::CommonValues::initializeConstants):
2573         * ftl/FTLCommonValues.h:
2574         (JSC::FTL::CommonValues::initialize): Deleted.
2575         * ftl/FTLCompile.cpp: Removed.
2576         * ftl/FTLCompileBinaryOp.cpp: Removed.
2577         * ftl/FTLCompileBinaryOp.h: Removed.
2578         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
2579         * ftl/FTLDWARFDebugLineInfo.h: Removed.
2580         * ftl/FTLDWARFRegister.cpp: Removed.
2581         * ftl/FTLDWARFRegister.h: Removed.
2582         * ftl/FTLDataSection.cpp: Removed.
2583         * ftl/FTLDataSection.h: Removed.
2584         * ftl/FTLExceptionHandlerManager.cpp: Removed.
2585         * ftl/FTLExceptionHandlerManager.h: Removed.
2586         * ftl/FTLExceptionTarget.cpp:
2587         * ftl/FTLExceptionTarget.h:
2588         * ftl/FTLExitThunkGenerator.cpp: Removed.
2589         * ftl/FTLExitThunkGenerator.h: Removed.
2590         * ftl/FTLFail.cpp:
2591         (JSC::FTL::fail):
2592         * ftl/FTLInlineCacheDescriptor.h: Removed.
2593         * ftl/FTLInlineCacheSize.cpp: Removed.
2594         * ftl/FTLInlineCacheSize.h: Removed.
2595         * ftl/FTLIntrinsicRepository.cpp: Removed.
2596         * ftl/FTLIntrinsicRepository.h: Removed.
2597         * ftl/FTLJITCode.cpp:
2598         (JSC::FTL::JITCode::~JITCode):
2599         (JSC::FTL::JITCode::initializeB3Code):
2600         (JSC::FTL::JITCode::initializeB3Byproducts):
2601         (JSC::FTL::JITCode::initializeAddressForCall):
2602         (JSC::FTL::JITCode::contains):
2603         (JSC::FTL::JITCode::ftl):
2604         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2605         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
2606         (JSC::FTL::JITCode::addHandle): Deleted.
2607         (JSC::FTL::JITCode::addDataSection): Deleted.
2608         (JSC::FTL::JITCode::exitThunks): Deleted.
2609         * ftl/FTLJITCode.h:
2610         (JSC::FTL::JITCode::b3Code):
2611         (JSC::FTL::JITCode::handles): Deleted.
2612         (JSC::FTL::JITCode::dataSections): Deleted.
2613         * ftl/FTLJITFinalizer.cpp:
2614         (JSC::FTL::JITFinalizer::codeSize):
2615         (JSC::FTL::JITFinalizer::finalizeFunction):
2616         * ftl/FTLJITFinalizer.h:
2617         * ftl/FTLJSCall.cpp: Removed.
2618         * ftl/FTLJSCall.h: Removed.
2619         * ftl/FTLJSCallBase.cpp: Removed.
2620         * ftl/FTLJSCallBase.h: Removed.
2621         * ftl/FTLJSCallVarargs.cpp: Removed.
2622         * ftl/FTLJSCallVarargs.h: Removed.
2623         * ftl/FTLJSTailCall.cpp: Removed.
2624         * ftl/FTLJSTailCall.h: Removed.
2625         * ftl/FTLLazySlowPath.cpp:
2626         (JSC::FTL::LazySlowPath::LazySlowPath):
2627         (JSC::FTL::LazySlowPath::generate):
2628         * ftl/FTLLazySlowPath.h:
2629         (JSC::FTL::LazySlowPath::createGenerator):
2630         (JSC::FTL::LazySlowPath::patchableJump):
2631         (JSC::FTL::LazySlowPath::done):
2632         (JSC::FTL::LazySlowPath::usedRegisters):
2633         (JSC::FTL::LazySlowPath::callSiteIndex):
2634         (JSC::FTL::LazySlowPath::stub):
2635         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
2636         * ftl/FTLLink.cpp:
2637         (JSC::FTL::link):
2638         * ftl/FTLLocation.cpp:
2639         (JSC::FTL::Location::forValueRep):
2640         (JSC::FTL::Location::dump):
2641         (JSC::FTL::Location::forStackmaps): Deleted.
2642         * ftl/FTLLocation.h:
2643         (JSC::FTL::Location::forRegister):
2644         (JSC::FTL::Location::forIndirect):
2645         (JSC::FTL::Location::forConstant):
2646         (JSC::FTL::Location::kind):
2647         (JSC::FTL::Location::hasReg):
2648         * ftl/FTLLowerDFGToLLVM.cpp:
2649         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
2650         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2651         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
2652         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2653         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
2654         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
2655         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
2656         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2657         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2658         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2659         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2660         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2661         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2662         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2663         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2664         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2665         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2666         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2667         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2668         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2669         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2670         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2671         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2672         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2673         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2674         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
2675         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2676         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2677         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2678         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2679         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2680         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2681         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2682         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2683         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2684         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2685         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2686         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
2687         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2688         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2689         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2690         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2691         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2692         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
2693         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
2694         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
2695         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2696         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
2697         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
2698         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
2699         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
2700         * ftl/FTLOSRExit.cpp:
2701         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2702         (JSC::FTL::OSRExitDescriptor::validateReferences):
2703         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
2704         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2705         (JSC::FTL::OSRExit::OSRExit):
2706         (JSC::FTL::OSRExit::codeLocationForRepatch):
2707         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
2708         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
2709         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
2710         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
2711         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
2712         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
2713         * ftl/FTLOSRExit.h:
2714         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2715         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
2716         * ftl/FTLOSRExitCompilationInfo.h: Removed.
2717         * ftl/FTLOSRExitCompiler.cpp:
2718         (JSC::FTL::compileRecovery):
2719         (JSC::FTL::compileStub):
2720         (JSC::FTL::compileFTLOSRExit):
2721         * ftl/FTLOSRExitHandle.cpp:
2722         * ftl/FTLOSRExitHandle.h:
2723         * ftl/FTLOutput.cpp: Removed.
2724         * ftl/FTLOutput.h: Removed.
2725         * ftl/FTLPatchpointExceptionHandle.cpp:
2726         * ftl/FTLPatchpointExceptionHandle.h:
2727         * ftl/FTLStackMaps.cpp: Removed.
2728         * ftl/FTLStackMaps.h: Removed.
2729         * ftl/FTLState.cpp:
2730         (JSC::FTL::State::State):
2731         (JSC::FTL::State::~State):
2732         (JSC::FTL::State::dumpState): Deleted.
2733         * ftl/FTLState.h:
2734         * ftl/FTLUnwindInfo.cpp: Removed.
2735         * ftl/FTLUnwindInfo.h: Removed.
2736         * ftl/FTLValueRange.cpp:
2737         (JSC::FTL::ValueRange::decorateInstruction):
2738         * ftl/FTLValueRange.h:
2739         (JSC::FTL::ValueRange::ValueRange):
2740         (JSC::FTL::ValueRange::begin):
2741         (JSC::FTL::ValueRange::end):
2742         * ftl/FTLWeight.h:
2743         (JSC::FTL::Weight::value):
2744         (JSC::FTL::Weight::frequencyClass):
2745         (JSC::FTL::Weight::scaleToTotal):
2746         * llvm/InitializeLLVM.cpp: Removed.
2747         * llvm/InitializeLLVM.h: Removed.
2748         * llvm/InitializeLLVMMac.cpp: Removed.
2749         * llvm/InitializeLLVMPOSIX.cpp: Removed.
2750         * llvm/InitializeLLVMPOSIX.h: Removed.
2751         * llvm/LLVMAPI.cpp: Removed.
2752         * llvm/LLVMAPI.h: Removed.
2753         * llvm/LLVMAPIFunctions.h: Removed.
2754         * llvm/LLVMHeaders.h: Removed.
2755         * llvm/library/LLVMAnchor.cpp: Removed.
2756         * llvm/library/LLVMExports.cpp: Removed.
2757         * llvm/library/LLVMOverrides.cpp: Removed.
2758         * llvm/library/config_llvm.h: Removed.
2759
2760 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2761
2762         [JSC] Remove the overflow check on ArithAbs when possible
2763         https://bugs.webkit.org/show_bug.cgi?id=154325
2764
2765         Reviewed by Filip Pizlo.
2766
2767         This patch adds support for ArithMode for ArithAbs.
2768
2769         It is useful for kraken tests where Math.abs() is used
2770         on values for which the range is known.
2771
2772         For example, imaging-gaussian-blur has two Math.abs() with
2773         integers that are always in a small range around zero.
2774         The IntegerRangeOptimizationPhase detects the range correctly
2775         so we can just update the ArithMode depending on the input.
2776
2777         * dfg/DFGFixupPhase.cpp:
2778         (JSC::DFG::FixupPhase::fixupNode):
2779         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2780         * dfg/DFGNode.h:
2781         (JSC::DFG::Node::convertToArithNegate):
2782         (JSC::DFG::Node::hasArithMode):
2783         * dfg/DFGSpeculativeJIT64.cpp:
2784         (JSC::DFG::SpeculativeJIT::compile):
2785         * ftl/FTLLowerDFGToLLVM.cpp:
2786         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
2787         * tests/stress/arith-abs-integer-range-optimization.js: Added.
2788         (negativeRange):
2789         (negativeRangeIncludingZero):
2790         (negativeRangeWithOverflow):
2791         (positiveRange):
2792         (positiveRangeIncludingZero):
2793         (rangeWithoutOverflow):
2794         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
2795         (opaqueAbs):
2796
2797 2016-02-17  Chris Dumez  <cdumez@apple.com>
2798
2799         SES selftest page crashes on nightly r196694
2800         https://bugs.webkit.org/show_bug.cgi?id=154350
2801         <rdar://problem/24704334>
2802
2803         Reviewed by Mark Lam.
2804
2805         SES selftest page crashes after r196001 / r196145 when calling
2806         Object.getOwnPropertyDescriptor(window, "length") after the window
2807         has been reified and "length" has been shadowed by a value property.
2808
2809         It was crashing in JSObject::getOwnPropertyDescriptor() because
2810         we are getting a slot that has attribute "CustomAccessor" but
2811         the property is not a CustomGetterSetter. In this case, since
2812         window.length is [Replaceable] and has been set to a numeric value,
2813         it means that the property is not a CustomGetterSetter. However,
2814         the "CustomAccessor" attribute should have been dropped from the
2815         slot when window.length was shadowed. Therefore, this code path
2816         should not be exercised at all when calling
2817         getOwnPropertyDescriptor().
2818
2819         The issue was that putDirectInternal() was updating the slot
2820         attributes only if the "Accessor" flag has changed, but not
2821         the "customAccessor" flag. This patch fixes the issue.
2822
2823         * runtime/JSObject.h:
2824         (JSC::JSObject::putDirectInternal):
2825
2826 2016-02-17  Saam barati  <sbarati@apple.com>
2827
2828         Implement Proxy [[Get]]
2829         https://bugs.webkit.org/show_bug.cgi?id=154081
2830
2831         Reviewed by Michael Saboff.
2832
2833         This patch implements ProxyObject and ProxyConstructor. Their
2834         implementations are straightforward and follow the spec.
2835         The largest change in this patch is adding a second parameter
2836         to PropertySlot's constructor that specifies the internal method type of
2837         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to
2838         implement more than one Internal Method in the spec. Because
2839         of this, we need InternalMethodType to give us context about
2840         which Internal Method we're executing. Specifically, Proxy will
2841         call into different handlers based on this information.
2842
2843         InternalMethodType is an enum with the following values:
2844         - Get
2845           This corresponds to [[Get]] internal method in the spec.
2846         - GetOwnProperty
2847           This corresponds to [[GetOwnProperty]] internal method in the spec.
2848         - HasProperty
2849           This corresponds to [[HasProperty]] internal method in the spec.
2850         - VMInquiry
2851           This is basically everything else that isn't one of the above
2852           types. This value also mandates that getOwnPropertySlot does
2853           not perform any user observable effects. I.e., it can't call
2854           a JS function.
2855
2856         The other non-VMInquiry InternalMethodTypes are allowed to perform user
2857         observable effects. I.e., in future patches, ProxyObject will implement
2858         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
2859         to call user defined JS functions, which clearly have the right to perform
2860         user observable effects.
2861
2862         This patch implements getOwnPropertySlot of ProxyObject under
2863         InternalMethodType::Get.
2864
2865         * API/JSCallbackObjectFunctions.h:
2866         (JSC::JSCallbackObject<Parent>::put):
2867         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2868         * CMakeLists.txt:
2869         * JavaScriptCore.xcodeproj/project.pbxproj:
2870         * debugger/DebuggerScope.cpp:
2871         (JSC::DebuggerScope::caughtValue):
2872         * interpreter/Interpreter.cpp:
2873         (JSC::Interpreter::execute):
2874         * jit/JITOperations.cpp:
2875         * llint/LLIntSlowPaths.cpp:
2876         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2877         * runtime/ArrayPrototype.cpp:
2878         (JSC::getProperty):
2879         * runtime/CommonIdentifiers.h:
2880         * runtime/JSCJSValueInlines.h:
2881         (JSC::JSValue::get):
2882         * runtime/JSFunction.cpp:
2883         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2884         (JSC::JSFunction::put):
2885         (JSC::JSFunction::defineOwnProperty):
2886         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2887         (JSC::constructGenericTypedArrayViewWithArguments):
2888         * runtime/JSGlobalObject.cpp:
2889         (JSC::JSGlobalObject::init):
2890         (JSC::JSGlobalObject::defineOwnProperty):
2891         * runtime/JSGlobalObject.h:
2892         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2893         (JSC::JSGlobalObject::moduleRecordStructure):
2894         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2895         (JSC::JSGlobalObject::proxyObjectStructure):
2896         (JSC::JSGlobalObject::wasmModuleStructure):
2897         * runtime/JSModuleEnvironment.cpp:
2898         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2899         * runtime/JSModuleNamespaceObject.cpp:
2900         (JSC::callbackGetter):
2901         * runtime/JSONObject.cpp:
2902         (JSC::Stringifier::Holder::appendNextProperty):
2903         (JSC::Walker::walk):
2904         * runtime/JSObject.cpp:
2905         (JSC::JSObject::calculatedClassName):
2906         (JSC::JSObject::putDirectNonIndexAccessor):
2907         (JSC::JSObject::hasProperty):
2908         (JSC::JSObject::deleteProperty):
2909         (JSC::JSObject::hasOwnProperty):
2910         (JSC::JSObject::getOwnPropertyDescriptor):
2911         * runtime/JSObject.h:
2912         (JSC::JSObject::getDirectIndex):
2913         (JSC::JSObject::get):
2914         * runtime/JSScope.cpp:
2915         (JSC::abstractAccess):
2916         * runtime/ObjectConstructor.cpp:
2917         (JSC::toPropertyDescriptor):
2918         * runtime/ObjectPrototype.cpp:
2919         (JSC::objectProtoFuncLookupGetter):
2920         (JSC::objectProtoFuncLookupSetter):
2921         (JSC::objectProtoFuncToString):
2922         * runtime/PropertySlot.h:
2923         (JSC::attributesForStructure):
2924         (JSC::PropertySlot::PropertySlot):
2925         (JSC::PropertySlot::isCacheableGetter):
2926         (JSC::PropertySlot::isCacheableCustom):
2927         (JSC::PropertySlot::internalMethodType):
2928         (JSC::PropertySlot::disableCaching):
2929         (JSC::PropertySlot::getValue):
2930         * runtime/ProxyConstructor.cpp: Added.
2931         (JSC::ProxyConstructor::create):
2932         (JSC::ProxyConstructor::ProxyConstructor):
2933         (JSC::ProxyConstructor::finishCreation):
2934         (JSC::constructProxyObject):
2935         (JSC::ProxyConstructor::getConstructData):
2936         (JSC::ProxyConstructor::getCallData):
2937         * runtime/ProxyConstructor.h: Added.
2938         (JSC::ProxyConstructor::createStructure):
2939         * runtime/ProxyObject.cpp: Added.
2940         (JSC::ProxyObject::ProxyObject):
2941         (JSC::ProxyObject::finishCreation):
2942         (JSC::performProxyGet):
2943         (JSC::ProxyObject::getOwnPropertySlotCommon):
2944         (JSC::ProxyObject::getOwnPropertySlot):
2945         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2946         (JSC::ProxyObject::visitChildren):
2947         * runtime/ProxyObject.h: Added.
2948         (JSC::ProxyObject::create):
2949         (JSC::ProxyObject::createStructure):
2950         (JSC::ProxyObject::target):
2951         (JSC::ProxyObject::handler):
2952         * runtime/ReflectObject.cpp:
2953         (JSC::reflectObjectGet):
2954         * runtime/SamplingProfiler.cpp:
2955         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2956         * tests/es6.yaml:
2957         * tests/stress/proxy-basic.js: Added.
2958         (assert):
2959         (let.handler.get null):
2960         (get let):
2961         (let.handler.get switch):
2962         (let.handler):
2963         (let.theTarget.get x):
2964         * tests/stress/proxy-in-proto-chain.js: Added.
2965         (assert):
2966         * tests/stress/proxy-of-a-proxy.js: Added.
2967         (assert):
2968         (throw.new.Error.):
2969         * tests/stress/proxy-property-descriptor.js: Added.
2970         (assert):
2971         (set Object):
2972         * wasm/WASMModuleParser.cpp:
2973         (JSC::WASMModuleParser::getImportedValue):
2974
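As an added JavaScript illustration (not part of the WebKit change above), the following shows which operations reach a Proxy's get trap, i.e. go through [[Get]], and which go through other internal methods ([[GetOwnProperty]], [[HasProperty]]) and therefore never call it when those traps are absent; the last function exercises the spec's [[Get]] invariant for non-configurable, non-writable data properties. The helper names (makeRecordingProxy, trapsFor, demo, invariantViolation) are constructed for this example.

```javascript
// Constructed handler that records every trap invocation. Only `get` is
// defined, so [[GetOwnProperty]] and [[HasProperty]] fall through to the target.
function makeRecordingProxy(target) {
  const log = [];
  const handler = {
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  };
  return { proxy: new Proxy(target, handler), log };
}

// Run one operation against a fresh proxy and return the traps it triggered.
function trapsFor(op) {
  const { proxy, log } = makeRecordingProxy({ x: 1 });
  op(proxy);
  return log;
}

// Map each operation to the internal method it uses; only [[Get]] reaches the trap.
function demo() {
  return {
    dotGet: trapsFor(p => p.x),                                         // [[Get]]            -> ['get:x']
    reflectGet: trapsFor(p => Reflect.get(p, 'x')),                     // [[Get]]            -> ['get:x']
    getOwnDesc: trapsFor(p => Object.getOwnPropertyDescriptor(p, 'x')), // [[GetOwnProperty]] -> []
    hasProperty: trapsFor(p => 'x' in p),                               // [[HasProperty]]    -> []
    hasOwn: trapsFor(p => Object.prototype.hasOwnProperty.call(p, 'x')), // [[GetOwnProperty]] -> []
    // A proxy sitting in the prototype chain: ordinary [[Get]] on the child
    // delegates to the proxy's [[Get]] with the child as receiver.
    protoChain: trapsFor(p => Object.create(p).x),                      // [[Get]]            -> ['get:x']
  };
}

// The [[Get]] invariant: a trap may not report a different value for a
// non-configurable, non-writable data property of the target. Engines enforce
// this after the trap returns, throwing a TypeError.
function invariantViolation() {
  const target = {};
  Object.defineProperty(target, 'fixed', { value: 42, writable: false, configurable: false });
  const p = new Proxy(target, { get: () => 'lie' });
  try {
    return p.fixed;
  } catch (e) {
    return e.constructor.name; // 'TypeError'
  }
}
```

The invariant check matters for anything that treats frozen objects as tamper-proof: a proxy cannot present a forged value for such a property.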
2975 2016-02-17  Mark Lam  <mark.lam@apple.com>
2976
2977         StringPrototype functions should check for exceptions after calling JSString::value().
2978         https://bugs.webkit.org/show_bug.cgi?id=154340
2979
2980         Reviewed by Filip Pizlo.
2981
2982         JSString::value() can throw an exception if the JS string is a rope and value()
2983         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2984         able to resolve the rope, it will return a null string (in addition to throwing
2985         the exception).  If StringPrototype functions do not check for exceptions after
2986         calling JSString::value(), they may eventually use the returned null string and
2987         crash the VM.
2988
2989         The fix is to add all the necessary exception checks, and do the appropriate
2990         handling if needed.
2991
2992         Also, in a few places where we return JSValue() when an exception is detected,
2993         I changed it to return jsUndefined() instead, to be consistent with the rest of
2994         the file.
2995
2996         * runtime/StringPrototype.cpp:
2997         (JSC::replaceUsingRegExpSearch):
2998         (JSC::stringProtoFuncMatch):
2999         (JSC::stringProtoFuncSlice):
3000         (JSC::stringProtoFuncSplit):
3001         (JSC::stringProtoFuncLocaleCompare):
3002         (JSC::stringProtoFuncBig):
3003         (JSC::stringProtoFuncSmall):
3004         (JSC::stringProtoFuncBlink):
3005         (JSC::stringProtoFuncBold):
3006         (JSC::stringProtoFuncFixed):
3007         (JSC::stringProtoFuncItalics):
3008         (JSC::stringProtoFuncStrike):
3009         (JSC::stringProtoFuncSub):
3010         (JSC::stringProtoFuncSup):
3011         (JSC::stringProtoFuncFontcolor):
3012         (JSC::stringProtoFuncFontsize):
3013         (JSC::stringProtoFuncAnchor):
3014         (JSC::stringProtoFuncLink):
3015         (JSC::trimString):
3016
3017 2016-02-17  Commit Queue  <commit-queue@webkit.org>
3018
3019         Unreviewed, rolling out r196675.
3020         https://bugs.webkit.org/show_bug.cgi?id=154344
3021
3022         "Causes major slowdowns on deltablue-varargs" (Requested by
3023         keith_miller on #webkit).
3024
3025         Reverted changeset:
3026
3027         "Spread operator should be allowed when not the first argument
3028         of parameter list"
3029         https://bugs.webkit.org/show_bug.cgi?id=152721
3030         http://trac.webkit.org/changeset/196675
3031
3032 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
3033
3034         JSDOMWindow::put should not do the same thing twice
3035         https://bugs.webkit.org/show_bug.cgi?id=154334
3036
3037         Reviewed by Chris Dumez.
3038
3039         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
3040         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
3041         table entries.
3042
3043         * runtime/JSGlobalObject.h:
3044         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
3045             - no longer needed.
3046
3047 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3048
3049         FTL_USES_B3 should be unconditionally true
3050         https://bugs.webkit.org/show_bug.cgi?id=154324
3051
3052         Reviewed by Benjamin Poulain.
3053
3054         * dfg/DFGCommon.h:
3055
3056 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3057
3058         FTL should support CompareEq(String:, String:)
3059         https://bugs.webkit.org/show_bug.cgi?id=154269
3060         rdar://problem/24499921
3061
3062         Reviewed by Benjamin Poulain.
3063
3064         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
3065         think we should land the increased coverage first and fix the issues after, especially since
3066         the regression is so small and doesn't have a statistically significant effect on the overall
3067         score.
3068
3069         * ftl/FTLCapabilities.cpp:
3070         (JSC::FTL::canCompile):
3071         * ftl/FTLLowerDFGToLLVM.cpp:
3072         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
3073         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3074         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
3075         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3076         * tests/stress/ftl-string-equality.js: Added.
3077         * tests/stress/ftl-string-ident-equality.js: Added.
3078         * tests/stress/ftl-string-strict-equality.js: Added.
3079
3080 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3081
3082         FTL should support NewTypedArray
3083         https://bugs.webkit.org/show_bug.cgi?id=154268
3084
3085         Reviewed by Saam Barati.
3086
3087         3% speed-up on pdfjs. This was already covered by many different tests.
3088
3089         Rolling this back in after fixing the butterfly argument.
3090
3091         * ftl/FTLCapabilities.cpp:
3092         (JSC::FTL::canCompile):
3093         * ftl/FTLLowerDFGToLLVM.cpp:
3094         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3095         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3096         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3097         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3098         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3099         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3100         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3101
3102 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3103
3104         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
3105         https://bugs.webkit.org/show_bug.cgi?id=154257
3106
3107         Reviewed by Chris Dumez.
3108
3109         * runtime/Lookup.h:
3110         (JSC::getStaticPropertySlot):
3111         (JSC::getStaticFunctionSlot):
3112         (JSC::getStaticValueSlot):
3113             - this could all do with a little more love.
3114               But enforce the basic precedence:
3115                 (1) regular storage properties always win over static table properties.
3116                 (2) if properties have been reified, don't consult the static tables.
3117                 (3) only if the property is not present on the object & not reified
3118                     should the static hashtable be consulted.
3119
3120 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3121
3122         JSDOMWindow::getOwnPropertySlot should not search proto chain
3123         https://bugs.webkit.org/show_bug.cgi?id=154102
3124
3125         Reviewed by Chris Dumez.
3126
3127         Should only return *own* properties.
3128
3129         * runtime/JSObject.cpp:
3130         (JSC::JSObject::getOwnPropertyDescriptor):
3131             - remove hack/special-case for DOMWindow; we no longer need this.
3132
3133 2016-02-16  Keith Miller  <keith_miller@apple.com>
3134
3135         Spread operator should be allowed when not the first argument of parameter list
3136         https://bugs.webkit.org/show_bug.cgi?id=152721
3137
3138         Reviewed by Saam Barati.
3139
3140         Spread arguments to functions should now be ES6 compliant. Before we
3141         would only take a spread operator if it was the sole argument to a
3142         function. Additionally, we would not use the Symbol.iterator on the
3143         object to generate the arguments. Instead we would do a loop up to the
3144         length mapping indexed properties to the corresponding argument. We fix
3145         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3146         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3147         old spread semantics). This solution has the downside of requiring the
3148         allocation of another object and copying each element twice but avoids a
3149         large change to the vm calling convention.
3150
3151         * interpreter/Interpreter.cpp:
3152         (JSC::loadVarargs):
3153         * parser/ASTBuilder.h:
3154         (JSC::ASTBuilder::createElementList):
3155         * parser/Parser.cpp:
3156         (JSC::Parser<LexerType>::parseArguments):
3157         (JSC::Parser<LexerType>::parseArgument):
3158         (JSC::Parser<LexerType>::parseMemberExpression):
3159         * parser/Parser.h:
3160         * parser/SyntaxChecker.h:
3161         (JSC::SyntaxChecker::createElementList):
3162         * tests/es6.yaml:
3163         * tests/stress/spread-calling.js: Added.
3164         (testFunction):
3165         (testEmpty):
3166         (makeObject):
3167         (otherIterator.return.next):
3168         (otherIterator):
3169         (totalIter):
3170         (throwingIter.return.next):
3171         (throwingIter):
3172         (i.catch):
3173
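An added JavaScript illustration (not part of the WebKit patch) of the semantics this entry describes: spread arguments are produced through Symbol.iterator rather than by indexing up to .length, spread is accepted in any argument position, and foo(...a, b, ...c, d) behaves like foo(...[...a, b, ...c, d]). The helper names (collect, makeCountingIterable and the spread* functions) are constructed for this example.

```javascript
// Callee that simply returns the argument list it received.
function collect(...args) {
  return args;
}

// Constructed iterable that counts how often its Symbol.iterator is invoked,
// so we can see that spread consumes the iterator protocol.
function makeCountingIterable(values) {
  const state = { pulls: 0 };
  const iterable = {
    [Symbol.iterator]() {
      state.pulls += 1;
      return values[Symbol.iterator]();
    },
  };
  return { iterable, state };
}

// Spread in non-leading positions, mixed with plain arguments.
function spreadMixed() {
  const { iterable, state } = makeCountingIterable([1, 2]);
  const args = collect(0, ...iterable, 'mid', ...[3, 4], 'end');
  return { args, pulls: state.pulls }; // args: [0, 1, 2, 'mid', 3, 4, 'end'], pulls: 1
}

// The rewritten form the entry describes: one array literal spread as the sole argument.
function spreadViaArray() {
  const { iterable } = makeCountingIterable([1, 2]);
  return collect(...[0, ...iterable, 'mid', ...[3, 4], 'end']);
}

// An array-like object has a length but no Symbol.iterator, so spreading it throws
// instead of silently mapping indexed properties.
function spreadArrayLike() {
  const arrayLike = { length: 2, 0: 'a', 1: 'b' };
  try {
    collect(...arrayLike);
    return 'no error';
  } catch (e) {
    return e.constructor.name; // 'TypeError'
  }
}

// An iterator that throws part-way: the exception propagates from the call site
// and the callee is never entered.
function spreadThrowingIterator() {
  let calleeRan = false;
  const callee = () => { calleeRan = true; };
  const throwing = {
    *[Symbol.iterator]() { yield 1; throw new Error('iterator failed'); },
  };
  try {
    callee(...throwing);
  } catch (e) {
    return { calleeRan, message: e.message };
  }
  return { calleeRan, message: null };
}
```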
3174 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
3175
3176         [JSC] Enable B3 on ARM64
3177         https://bugs.webkit.org/show_bug.cgi?id=154275
3178
3179         Reviewed by Mark Lam.
3180
3181         The port passes more tests than LLVM now, let's use it by default.
3182
3183         * dfg/DFGCommon.h:
3184
3185 2016-02-16  Commit Queue  <commit-queue@webkit.org>
3186
3187         Unreviewed, rolling out r196652.
3188         https://bugs.webkit.org/show_bug.cgi?id=154315
3189
3190         This change caused LayoutTest crashes (Requested by ryanhaddad
3191         on #webkit).
3192
3193         Reverted changeset:
3194
3195         "FTL should support NewTypedArray"
3196         https://bugs.webkit.org/show_bug.cgi?id=154268
3197         http://trac.webkit.org/changeset/196652
3198
3199 2016-02-16  Brian Burg  <bburg@apple.com>
3200
3201         RemoteInspector should forward new automation session requests to its client
3202         https://bugs.webkit.org/show_bug.cgi?id=154260
3203         <rdar://problem/24663313>
3204
3205         Reviewed by Timothy Hatcher.
3206
3207         * inspector/remote/RemoteInspector.h:
3208         * inspector/remote/RemoteInspector.mm:
3209         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3210         (Inspector::RemoteInspector::listingForAutomationTarget):
3211         Use the correct key for the session identifier in the listing. The name()
3212         override for RemoteAutomationTarget is actually the session identifier.
3213
3214         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3215         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
3216
3217 2016-02-16  Saam barati  <sbarati@apple.com>
3218
3219         SamplingProfiler still fails with ASan enabled
3220         https://bugs.webkit.org/show_bug.cgi?id=154301
3221         <rdar://problem/24679502>
3222
3223         Reviewed by Filip Pizlo.
3224
3225         To fix this issue, I've come up with unsafe versions
3226         of all operations that load memory from the thread's call
3227         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
3228
3229         * interpreter/CallFrame.cpp:
3230         (JSC::CallFrame::callSiteAsRawBits):
3231         (JSC::CallFrame::unsafeCallSiteAsRawBits):
3232         (JSC::CallFrame::callSiteIndex):
3233         (JSC::CallFrame::unsafeCallSiteIndex):
3234         (JSC::CallFrame::stack):
3235         (JSC::CallFrame::callerFrame):
3236         (JSC::CallFrame::unsafeCallerFrame):
3237         (JSC::CallFrame::friendlyFunctionName):
3238         * interpreter/CallFrame.h:
3239         (JSC::ExecState::calleeAsValue):
3240         (JSC::ExecState::callee):
3241         (JSC::ExecState::unsafeCallee):
3242         (JSC::ExecState::codeBlock):
3243         (JSC::ExecState::unsafeCodeBlock):
3244         (JSC::ExecState::scope):
3245         (JSC::ExecState::callerFrame):
3246         (JSC::ExecState::callerFrameOrVMEntryFrame):
3247         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
3248         (JSC::ExecState::callerFrameOffset):
3249         (JSC::ExecState::callerFrameAndPC):
3250         (JSC::ExecState::unsafeCallerFrameAndPC):
3251         * interpreter/Register.h:
3252         (JSC::Register::codeBlock):
3253         (JSC::Register::asanUnsafeCodeBlock):
3254         (JSC::Register::unboxedInt32):
3255         (JSC::Register::tag):
3256         (JSC::Register::unsafeTag):
3257         (JSC::Register::payload):
3258         * interpreter/VMEntryRecord.h:
3259         (JSC::VMEntryRecord::prevTopCallFrame):
3260         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3261         (JSC::VMEntryRecord::prevTopVMEntryFrame):
3262         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
3263         * runtime/SamplingProfiler.cpp:
3264         (JSC::FrameWalker::walk):
3265         (JSC::FrameWalker::advanceToParentFrame):
3266         (JSC::FrameWalker::isAtTop):
3267         (JSC::FrameWalker::resetAtMachineFrame):
3268
3269 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3270
3271         FTL should support NewTypedArray
3272         https://bugs.webkit.org/show_bug.cgi?id=154268
3273
3274         Reviewed by Saam Barati.
3275
3276         3% speed-up on pdfjs. This was already covered by many different tests.
3277
3278         * ftl/FTLCapabilities.cpp:
3279         (JSC::FTL::canCompile):
3280         * ftl/FTLLowerDFGToLLVM.cpp:
3281         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3282         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3283         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3284         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3285         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3286         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3287         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3288
3289 2016-02-16  Saam barati  <sbarati@apple.com>
3290
3291         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
3292         https://bugs.webkit.org/show_bug.cgi?id=154255
3293         <rdar://problem/24662996>
3294
3295         Reviewed by Mark Lam.
3296
3297         The bug here wasn't in the implementation of the sampling profiler 
3298         itself. Rather, it was a bug in the test. JSC wasn't spending a lot
3299         of time in a function that the test assumed a lot of time was spent in.
3300         That's because the DFG was doing a good job at optimizing the function
3301         at the leaf of the recursion. Because of that, we often wouldn't sample it.
3302         I fixed this by making the leaf function do more work.
3303
3304         * tests/stress/sampling-profiler-deep-stack.js:
3305         (platformSupportsSamplingProfiler.foo):
3306
3307 2016-02-16  Chris Dumez  <cdumez@apple.com>
3308
3309         [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
3310         https://bugs.webkit.org/show_bug.cgi?id=154120
3311         <rdar://problem/24613231>
3312
3313         Reviewed by Gavin Barraclough.
3314
3315         Have putEntry() take a thisValue parameter in addition to the base,
3316         instead of relying on PropertySlot::thisValue() because this did not
3317         always do the right thing. In particular, when JSDOMWindow::put() was
3318         called to set a function, it would end up setting the new value on the
3319         JSDOMWindowShell instead of the actual JSDOMWindow.
3320         JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
3321         Therefore the following would fail:
3322         $ window.open = "test"
3323         $ console.log(window.open) // prints the native function instead of "test"
3324
3325         * runtime/JSObject.cpp:
3326         (JSC::JSObject::putInlineSlow):
3327         * runtime/Lookup.h:
3328         (JSC::putEntry):
3329         (JSC::lookupPut):
3330
3331 2016-02-16  Keith Miller  <keith_miller@apple.com>
3332
3333         ClonedArguments should not materialize its special properties unless they are being changed or deleted
3334         https://bugs.webkit.org/show_bug.cgi?id=154128
3335
3336         Reviewed by Filip Pizlo.
3337
3338         Before, we would materialize ClonedArguments whenever they were being accessed.
3339         However this would cause the IC to miss every time as the structure for
3340         the arguments object would change as we went to IC it. Thus on the next
3341         function call we would miss the cache since the new arguments object
3342         would not have materialized the value.
3343
3344         * runtime/ClonedArguments.cpp:
3345         (JSC::ClonedArguments::getOwnPropertySlot):
3346         * tests/stress/cloned-arguments-modification.js: Added.
3347         (foo):
3348
3349 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3350
3351         FTL should support StringFromCharCode
3352         https://bugs.webkit.org/show_bug.cgi?id=154267
3353         rdar://problem/24192536
3354
3355         Reviewed by Mark Lam.
3356
3357         * dfg/DFGFixupPhase.cpp:
3358         (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
3359         * ftl/FTLCapabilities.cpp:
3360         (JSC::FTL::canCompile):
3361         * ftl/FTLLowerDFGToLLVM.cpp:
3362         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3363         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
3364         * tests/stress/string-from-char-code-slow.js: Added.
3365
3366 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
3367
3368         [JSC] BranchAdd can override arguments of its stackmap
3369         https://bugs.webkit.org/show_bug.cgi?id=154274
3370
3371         Reviewed by Filip Pizlo.
3372
3373         With the 3 operands BranchAdd added in r196513, we can run into
3374         a register allocation such that the destination register is also
3375         used by a value in the stack map.
3376
3377         It used to be that BranchAdd was a 2 operand instruction.
3378         In that form, the destination is also one of the sources and
3379         can be recovered through Sub. There is no conflict between
3380         destination and the stackmap.
3381
3382         After r196513, the destination has its own value. It is uncommon
3383         on x86 because of the aggressive aliasing but that can happen.
3384         On ARM, that's a standard form since there is no need for aliasing.
3385
3386         Since the arguments of the stackmap are of type EarlyUse,
3387         they appeared as not interfering with the destination. When the register
3388         allocator gives the same register to the destination and something in
3389         the stack map, the result of BranchAdd destroys the value kept alive
3390         for the stackmap.
3391
3392         In this patch, I introduce a concept very similar to ForceLateUse
3393         to keep the argument of the stackmap live in CheckAdd. The new
3394         role is "ForceLateUseUnlessRecoverable".
3395
3396         In this mode, anything that is not also an input argument becomes
3397         LateUse. As such, it interferes with the destination of CheckAdd.
3398         The arguments are recovered by the slow path of CheckAdd. They
3399         remain Early use.
3400
3401         This new mode ensures that the destination can be aliased to the source
3402         when that's useful, while making sure it is not aliased with another
3403         value that needs to be live on exit.
3404
3405         * b3/B3CheckSpecial.cpp:
3406         (JSC::B3::CheckSpecial::forEachArg):
3407         * b3/B3LowerToAir.cpp:
3408         (JSC::B3::Air::LowerToAir::lower):
3409         * b3/B3PatchpointSpecial.cpp:
3410         (JSC::B3::PatchpointSpecial::forEachArg):
3411         * b3/B3StackmapSpecial.cpp:
3412         (JSC::B3::StackmapSpecial::forEachArgImpl):
3413         (WTF::printInternal):
3414         * b3/B3StackmapSpecial.h:
3415         * b3/B3StackmapValue.h:
3416
3417 2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>
3418
3419         Web Inspector: Web Workers have no access to console for debugging
3420         https://bugs.webkit.org/show_bug.cgi?id=26237
3421
3422         Reviewed by Timothy Hatcher.
3423
3424         * inspector/ConsoleMessage.h:
3425         Add accessor for MessageLevel.
3426
3427 2016-02-15  Mark Lam  <mark.lam@apple.com>
3428
3429         [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.
3430         https://bugs.webkit.org/show_bug.cgi?id=151514
3431
3432         Reviewed by Filip Pizlo.
3433
3434         The issue turns out to be trivial: on ARMv7 (and traditional ARM too), arithmetic
3435         shift right (ASR) and logical shift right (LSR) take an immediate shift amount
3436         from 1-32.  See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjacbgca.html.
3437         An immediate shift amount of 0 is interpreted as a shift of 32 bits.
3438
3439         Meanwhile, our macro assembler is expecting the immediate shift value to be
3440         between 0-31.  As a result, a shift amount of 0 is being wrongly encoded with 0
3441         bits which means shift right by 32 bits.
3442
3443         The fix is to check if the shift amount is 0, and if so, emit a move.  Else,
3444         emit the right shift as usual.
3445
3446         This issue does not affect left shifts, as the immediate shift amount for left
3447         shifts is between 0-31 as our macro assembler expects.
3448
3449         * assembler/MacroAssemblerARM.h:
3450         (JSC::MacroAssemblerARM::rshift32):
3451         (JSC::MacroAssemblerARM::urshift32):
3452         (JSC::MacroAssemblerARM::sub32):
3453         * assembler/MacroAssemblerARMv7.h:
3454         (JSC::MacroAssemblerARMv7::rshift32):
3455         (JSC::MacroAssemblerARMv7::urshift32):
3456
3457         * tests/stress/op_rshift.js:
3458         * tests/stress/op_urshift.js:
3459         - Un-skip these tests.  They should always pass now.
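
As an added illustration of the encoding rule described in the entry above (this is not JavaScriptCore's MacroAssembler code; the names, the simplified EncodedOp struct and the "buggy"/"fixed" encoders are hypothetical), the following C++ models ARM's DecodeImmShift rule, under which an imm5 of 0 means a 32-bit shift for LSR and ASR but a plain move for LSL, and shows why writing a JavaScript shift amount of 0 straight into imm5 turns `x >> 0` into a 32-bit shift:

```cpp
// Added example, not JSC code. Models the ARMv7 immediate right-shift rule:
// imm5 == 0 encodes a shift of 32 for LSR/ASR, so a shift by 0 must be a move.
#include <cstdint>
#include <cstdio>

enum class ShiftKind { LSL, LSR, ASR };

// Hypothetical simplified encoding: either a register move or a shift with a
// 5-bit immediate (imm5), as in the ARM/Thumb-2 shift encodings.
struct EncodedOp {
    bool isMove;
    ShiftKind kind;
    uint32_t imm5;
};

// ARM's DecodeImmShift: LSR/ASR with imm5 == 0 shift by 32; LSL takes imm5 as-is.
uint32_t decodeImmShift(ShiftKind kind, uint32_t imm5)
{
    imm5 &= 0x1f;
    if (kind != ShiftKind::LSL && imm5 == 0)
        return 32;
    return imm5;
}

// Apply a shift of 0..32 bits with ARM semantics (LSR #32 yields 0, ASR #32
// yields all sign bits). 64-bit arithmetic avoids the C++ UB of a 32-bit shift.
int32_t applyArmShift(ShiftKind kind, int32_t value, uint32_t amount)
{
    uint64_t bits = static_cast<uint32_t>(value);
    switch (kind) {
    case ShiftKind::LSL:
        return static_cast<int32_t>(static_cast<uint32_t>(bits << amount));
    case ShiftKind::LSR:
        return static_cast<int32_t>(static_cast<uint32_t>(bits >> amount));
    case ShiftKind::ASR:
        return static_cast<int32_t>(static_cast<int64_t>(value) >> amount);
    }
    return 0;
}

// Pre-fix behaviour (hypothetical model): the JavaScript shift amount, already
// masked to 0..31, is written straight into imm5. 0 therefore decodes as 32.
EncodedOp encodeRightShiftBuggy(ShiftKind kind, uint32_t amount)
{
    return { false, kind, amount & 0x1f };
}

// Post-fix behaviour: a right shift by 0 has no immediate encoding, so emit a
// move; any other amount is encoded as usual.
EncodedOp encodeRightShiftFixed(ShiftKind kind, uint32_t amount)
{
    amount &= 0x1f;
    if (amount == 0)
        return { true, kind, 0 };
    return { false, kind, amount };
}

// Execute an encoded op the way the hardware would decode it.
int32_t executeOp(const EncodedOp& op, int32_t value)
{
    if (op.isMove)
        return value;
    return applyArmShift(op.kind, value, decodeImmShift(op.kind, op.imm5));
}

// Reference semantics of JavaScript's >> and >>>: the count is masked to 5 bits.
int32_t jsSignedShiftRight(int32_t value, uint32_t amount)
{
    return static_cast<int32_t>(static_cast<int64_t>(value) >> (amount & 0x1f));
}

uint32_t jsUnsignedShiftRight(uint32_t value, uint32_t amount)
{
    return value >> (amount & 0x1f);
}

int main()
{
    const int32_t x = -8;
    printf("x >> 0 : expected %d, buggy %d, fixed %d\n", jsSignedShiftRight(x, 0),
        executeOp(encodeRightShiftBuggy(ShiftKind::ASR, 0), x),
        executeOp(encodeRightShiftFixed(ShiftKind::ASR, 0), x));
    printf("x >>> 0: expected %u, buggy %u, fixed %u\n", jsUnsignedShiftRight(static_cast<uint32_t>(x), 0),
        static_cast<uint32_t>(executeOp(encodeRightShiftBuggy(ShiftKind::LSR, 0), x)),
        static_cast<uint32_t>(executeOp(encodeRightShiftFixed(ShiftKind::LSR, 0), x)));
    return 0;
}
```

Only the zero case differs between the two encoders: for any amount in 1..31 both produce the same instruction, which is why the bug only shows up on the `>> 0` / `>>> 0` paths that the op_rshift and op_urshift stress tests exercise.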
3460
3461 2016-02-15  Filip Pizlo  <fpizlo@apple.com>
3462
3463         Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr
3464         https://bugs.webkit.org/show_bug.cgi?id=154244
3465         rdar://problem/24290670
3466
3467         Reviewed by Michael Saboff.
3468
3469         * parser/ASTBuilder.h:
3470         (JSC::ASTBuilder::appendToCommaExpr): Catch the bug sooner in debug.
3471         * parser/Parser.cpp:
3472         (JSC::Parser<LexerType>::parseVariableDeclarationList): Fix the bug.
3473         * tests/stress/for-let-comma.js: Added. This used to crash in debug and release.
3474
3475 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
3476
3477         [JSC] Improve the interface of Inst::shouldTryAliasingDef()
3478         https://bugs.webkit.org/show_bug.cgi?id=154227
3479
3480         Reviewed by Andreas Kling.
3481
3482         Using Optional<> instead of a bool+reference looks cleaner
3483         at the call sites.
3484
3485         * b3/B3CheckSpecial.cpp:
3486         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
3487         * b3/B3CheckSpecial.h:
3488         * b3/air/AirCustom.h:
3489         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
3490         * b3/air/AirInst.h:
3491         * b3/air/AirInstInlines.h:
3492         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3493         * b3/air/AirIteratedRegisterCoalescing.cpp:
3494         * b3/air/AirSpecial.cpp:
3495         (JSC::B3::Air::Special::shouldTryAliasingDef):
3496         * b3/air/AirSpecial.h:
3497
3498 2016-02-14  Brian Burg  <bburg@apple.com>
3499
3500         WKAutomationDelegate's requestAutomationSession should take a suggested session identifier
3501         https://bugs.webkit.org/show_bug.cgi?id=154012
3502         <rdar://problem/24557697>
3503
3504         Reviewed by Darin Adler.
3505
3506         Add a string parameter to the client method for requesting a new session.
3507
3508         * inspector/remote/RemoteInspector.h:
3509
3510 2016-02-13  Timothy Hatcher  <timothy@apple.com>
3511
3512         Fix WebAssembly bug URL in the feature list.
3513
3514         * features.json:
3515
3516 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3517
3518         Change the last RefPtr::get() to release() in String.prototype.normalize
3519         https://bugs.webkit.org/show_bug.cgi?id=154211
3520
3521         Reviewed by Ryosuke Niwa.
3522
3523         Change the last RefPtr::get() to release() in String.prototype.normalize.
3524
3525         * runtime/StringPrototype.cpp:
3526         (JSC::normalize):
3527
3528 2016-02-12  Saam barati  <sbarati@apple.com>
3529
3530         [ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration
3531         https://bugs.webkit.org/show_bug.cgi?id=154143
3532
3533         Reviewed by Benjamin Poulain.
3534
3535         We were raising syntax errors on the following type of programs when
3536         we shouldn't have been.
3537         ```
3538         (function foo() { const foo = 20; });
3539         ```
3540
3541         * parser/Parser.cpp:
3542         (JSC::Parser<LexerType>::parseFunctionInfo):
3543         * parser/Parser.h:
3544         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
3545         (JSC::Scope::declareCallee):
3546         (JSC::Scope::declareVariable):
3547         (JSC::Scope::hasDeclaredVariable):
3548         (JSC::Scope::hasLexicallyDeclaredVariable):
3549         (JSC::Scope::hasDeclaredParameter):
3550         (JSC::Scope::declareWrite):
3551         (JSC::Scope::getCapturedVars):
3552
3553 2016-02-12  Benjamin Poulain  <bpoulain@apple.com>
3554
3555         [JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64
3556         https://bugs.webkit.org/show_bug.cgi?id=154208
3557
3558         Reviewed by Filip Pizlo.
3559
3560         When lowering:
3561             @1 = Load32(@x)
3562             @2 = SExt8(@1)
3563
3564         LowerToAir would see there is a form of SignExtend8To32 (an alias for Load8S)
3565         and use that.
3566
3567         There are two problems with that:
3568         1) If we have an Addr, it went through legalizeMemoryOffsets() for a 32bits
3569            load. If used on another kind of load, there is no guarantee the addressing
3570            is still valid.
3571         2) If we have an Index, it is computed for the 32bits MemoryValue.
3572            The computed index is not valid for the 8bits load.
3573
3574         (2) could be fixed by changing LowerToAir to use the current instruction width
3575         instead of the B3ValueWidth but that's a bit tricky. We should just embrace
3576         that one of our targets is a Load-Store architecture.
3577
3578         In this patch, I just disabled the faulty forms on ARM64. We still need those operations
3579         to be fast, this will be addressed in: https://bugs.webkit.org/show_bug.cgi?id=154207
3580
3581         I also strengthened the m_allowScratchRegister assertion. The instructions that do not
3582         invalidate the temporary did not run the assertion, making this harder to debug.
3583
3584         * assembler/MacroAssemblerARM64.h:
3585         (JSC::MacroAssemblerARM64::load8):
3586         (JSC::MacroAssemblerARM64::store64):
3587         (JSC::MacroAssemblerARM64::store32):
3588         (JSC::MacroAssemblerARM64::loadDouble):
3589         (JSC::MacroAssemblerARM64::storeDouble):
3590         (JSC::MacroAssemblerARM64::branch32):
3591         (JSC::MacroAssemblerARM64::branch64):
3592         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
3593         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
3594         (JSC::MacroAssemblerARM64::dataMemoryTempRegister):
3595         (JSC::MacroAssemblerARM64::cachedMemoryTempRegister):
3596         (JSC::MacroAssemblerARM64::load):
3597         (JSC::MacroAssemblerARM64::store):
3598         * b3/air/AirOpcode.opcodes:
3599
3600 2016-02-12  Michael Saboff  <msaboff@apple.com>
3601
3602         offlineasm: Emit Dwarf2 file and location directives to allow for debugging .asm files
3603         https://bugs.webkit.org/show_bug.cgi?id=152703
3604
3605         Reviewed by Mark Lam.
3606
3607         Added support to output Dwarf2 .file and .loc assembler directives to provide the debugging
3608         information needed to correlate the offline assembler generated code with the source lines 
3609         in the .asm files.
3610
3611         Changed the tracking of file data to include a file index that was provided to the .file
3612         directive.  That index is used when emitting the .loc directives.
3613
3614         * offlineasm/arm.rb:
3615         * offlineasm/arm64.rb:
3616         * offlineasm/asm.rb:
3617         * offlineasm/backends.rb:
3618         * offlineasm/config.rb:
3619         * offlineasm/parser.rb:
3620         * offlineasm/x86.rb:
3621
3622 2016-02-12  Saam barati  <sbarati@apple.com>
3623
3624         The parser doesn't properly protect against global variable references in builtins
3625         https://bugs.webkit.org/show_bug.cgi?id=154144
3626
3627         Reviewed by Geoffrey Garen.
3628
3629         This patch fixes our global variable reference detection
3630         algorithm that was broken. After fixing the algorithm, I
3631         detected many places where we were incorrectly using global
3632         variables. I've fixed all those.
3633
3634         * builtins/BuiltinExecutables.cpp:
3635         (JSC::createExecutableInternal):
3636         * builtins/NumberPrototype.js:
3637         (toLocaleString):
3638         * builtins/PromiseConstructor.js:
3639         (race):
3640         (reject):
3641         (resolve):
3642         * parser/Nodes.cpp:
3643         (JSC::ProgramNode::ProgramNode):
3644         (JSC::ModuleProgramNode::ModuleProgramNode):
3645         (JSC::ProgramNode::setClosedVariables): Deleted.
3646         * parser/Nodes.h:
3647         (JSC::ScopeNode::setClosedVariables): Deleted.
3648         (JSC::ProgramNode::closedVariables): Deleted.
3649         * parser/Parser.cpp:
3650         (JSC::Parser<LexerType>::parseInner):
3651         (JSC::Parser<LexerType>::didFinishParsing):
3652         * parser/Parser.h:
3653         (JSC::Scope::setIsLexicalScope):
3654         (JSC::Scope::isLexicalScope):
3655         (JSC::Scope::closedVariableCandidates):
3656         (JSC::Scope::declaredVariables):
3657         (JSC::Scope::lexicalVariables):
3658         (JSC::Scope::finalizeLexicalEnvironment):
3659         (JSC::Parser::positionBeforeLastNewline):
3660         (JSC::Parser::locationBeforeLastToken):
3661         (JSC::Parser::isFunctionMetadataNode):
3662         (JSC::parse):
3663         (JSC::Parser::closedVariables): Deleted.
3664
3665 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
3666
3667         JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
3668         https://bugs.webkit.org/show_bug.cgi?id=154201
3669         rdar://problem/24291387
3670
3671         Reviewed by Saam Barati.
3672
3673         I decided against adding a test for this, because it runs for a very long time.
3674
3675         * runtime/JSObject.cpp:
3676         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
3677         * runtime/StringPrototype.cpp:
3678         (JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
3679             hit the above bug, then it would probably manifest as a spin or as swapping.
3680
3681 2016-02-12  Jonathan Davis  <jond@apple.com>
3682
3683         Add WebAssembly to the status page
3684         https://bugs.webkit.org/show_bug.cgi?id=154199
3685
3686         Reviewed by Timothy Hatcher.
3687
3688         * features.json:
3689
3690 2016-02-12  Brian Burg  <bburg@apple.com>
3691
3692         Web Inspector: disambiguate the various identifier and connection types in RemoteInspector
3693         https://bugs.webkit.org/show_bug.cgi?id=154130
3694
3695         Reviewed by Joseph Pecoraro.
3696
3697         There are multiple identifier types:
3698             - connection identifier, a string UUID for a remote debugger process.
3699             - session identifier, a string UUID for a remote driver/debugger instance.
3700             - page/target identifier, a number unique within a single process.
3701
3702         There are multiple connection types:
3703             - RemoteInspectorXPCConnection, a connection from RemoteInspectorXPCConnectionor to a relay.
3704             - RemoteConnectionToTarget, a class that bridges to targets' dispatch queues.
3705
3706         Use consistent variable and getter names so that these don't get confused and
3707         so that the code is easier to read. This is especially an improvement when working
3708         with multiple target types or connection types within the same function.
3709
3710         * inspector/remote/RemoteConnectionToTarget.h:
3711         * inspector/remote/RemoteConnectionToTarget.mm:
3712         Remove the member for m_identifier since we can ask the target for its target identifier
3713         or use a default value via WTF::Optional. There's no reason to cache the value.
3714
3715         (Inspector::RemoteTargetHandleRunSourceWithInfo):
3716         (Inspector::RemoteConnectionToTarget::targetIdentifier):
3717         (Inspector::RemoteConnectionToTarget::destination):
3718         (Inspector::RemoteConnectionToTarget::setup):
3719         (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
3720         Bail out if the target pointer was somehow cleared and we can't get a useful target identifier.
3721
3722         (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): Deleted.
3723         * inspector/remote/RemoteControllableTarget.h:
3724         * inspector/remote/RemoteInspectionTarget.cpp:
3725         (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection):
3726         (Inspector::RemoteInspectionTarget::unpauseForInitializedInspector):
3727         * inspector/remote/RemoteInspector.h:
3728         * inspector/remote/RemoteInspector.mm:
3729         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
3730         (Inspector::RemoteInspector::registerTarget):
3731         (Inspector::RemoteInspector::unregisterTarget):
3732         (Inspector::RemoteInspector::updateTarget):
3733         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
3734         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
3735         (Inspector::RemoteInspector::sendMessageToRemote):
3736         (Inspector::RemoteInspector::setupFailed):
3737         (Inspector::RemoteInspector::setupCompleted):
3738         (Inspector::RemoteInspector::stopInternal):
3739         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3740         (Inspector::RemoteInspector::xpcConnectionFailed):
3741         (Inspector::RemoteInspector::listingForInspectionTarget):
3742         (Inspector::RemoteInspector::listingForAutomationTarget):
3743         (Inspector::RemoteInspector::pushListingsNow):
3744         (Inspector::RemoteInspector::pushListingsSoon):
3745         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3746         (Inspector::RemoteInspector::receivedSetupMessage):
3747         (Inspector::RemoteInspector::receivedDataMessage):
3748         (Inspector::RemoteInspector::receivedDidCloseMessage):
3749         (Inspector::RemoteInspector::receivedIndicateMessage):
3750         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3751         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3752         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
3753         (Inspector::RemoteInspector::nextAvailableIdentifier): Deleted.
3754         * inspector/remote/RemoteInspectorConstants.h:
3755
3756 2016-02-12  Benjamin Poulain  <benjamin@webkit.org>
3757
3758         [JSC] On x86, improve the selection of which value are selected for the UseDef part of commutative operations
3759         https://bugs.webkit.org/show_bug.cgi?id=154151
3760
3761         Reviewed by Filip Pizlo.
3762
3763         Previously, when an instruction destroys an argument with
3764         a UseDef use, we would try to pick a good target for the UseDef
3765         while doing instruction selection.
3766
3767         For example:
3768             @x = Add(@1, @2)
3769
3770         can be lowered to:
3771             Move @1 Tmp3
3772             Add @2 Tmp3
3773         or
3774             Move @2 Tmp3
3775             Add @1 Tmp3
3776
3777         The choice of which value ends up copied is done by preferRightForResult()
3778         at lowering time.
3779
3780         There are two common problems with the code we generate:
3781         1) It is based on UseCount. If a value is at its last use,
3782            it is a good target for coalescing even with a use-count > 1.
3783         2) When both values are at their last use, the best choice
3784            depends on the register pressure of each. We don't have that information
3785            until we do register allocation.
3786
3787         This patch implements a simple idea to minimize how many of those Moves are needed.
3788         Each commutative operation gets a 3 op variant. The register allocator then attempts
3789         to alias *both* of them to the destination.
3790         Since our aliasing is conservative, it removes as many copies as possible without causing
3791         spilling.
3792
3793         There was an unexpected cool improvement too. If you have:
3794             Move Tmp1, Tmp2
3795             BranchAdd32 Tmp3, Tmp2
3796         we would previously restore Tmp2 by subtracting Tmp3 from the result.
3797         We can now just use Tmp1. That removes quite a few Sub from the slow paths.
3798
3799         The problem is that this simple idea uncovered a bunch of issues that had to be fixed too.
3800         I detail them inline below.
3801
3802         * assembler/MacroAssemblerARM64.h:
3803         (JSC::MacroAssemblerARM64::and64):
3804         * assembler/MacroAssemblerX86Common.h:
3805         Most additions are adding an Address version of the 3 operand opcodes.
3806         The reason for this is to allow the complex addressing forms of instructions
3807         when spilling.
3808
3809         (JSC::MacroAssemblerX86Common::and32):
3810         (JSC::MacroAssemblerX86Common::mul32):
3811         (JSC::MacroAssemblerX86Common::or32):
3812         (JSC::MacroAssemblerX86Common::xor32):
3813         (JSC::MacroAssemblerX86Common::moveDouble):
3814         This was an unexpected discovery: removing tons of Move32 made floating-point heavy
3815         code much slower.
3816
3817         It turns out the MoveDouble we were using has partial register dependencies.
3818
3819         The x86 optimization manual, Chapter 3, section 3.4.1.13 lists the move instructions executed
3820         directly on the frontend. That's what we use now.
3821
3822         (JSC::MacroAssemblerX86Common::addDouble):
3823         (JSC::MacroAssemblerX86Common::addFloat):
3824         (JSC::MacroAssemblerX86Common::mulDouble):
3825         (JSC::MacroAssemblerX86Common::mulFloat):
3826         (JSC::MacroAssemblerX86Common::andDouble):
3827         (JSC::MacroAssemblerX86Common::andFloat):
3828         (JSC::MacroAssemblerX86Common::xorDouble):
3829         (JSC::MacroAssemblerX86Common::xorFloat):
3830         If the destination is not aliased, the version taking an address
3831         uses LoadFloat/LoadDouble instead of direct addressing.
3832
3833         That is because this:
3834             Move Tmp1, Tmp2
3835             Op [Tmp3], Tmp2
3836         is slower than
3837             Move [Tmp3] Tmp2
3838             Op Tmp1, Tmp2
3839         (sometimes significantly).
3840
3841         I am not exactly sure why.
3842
3843         (JSC::MacroAssemblerX86Common::branchAdd32):
3844         * assembler/MacroAssemblerX86_64.h:
3845         (JSC::MacroAssemblerX86_64::and64):
3846         * assembler/MacroAssemblerARM64.h:
3847         (JSC::MacroAssemblerARM64::and64):
3848         * assembler/MacroAssemblerX86Common.h:
3849         (JSC::MacroAssemblerX86Common::and32):
3850         (JSC::MacroAssemblerX86Common::mul32):
3851         (JSC::MacroAssemblerX86Common::or32):
3852         (JSC::MacroAssemblerX86Common::xor32):
3853         (JSC::MacroAssemblerX86Common::moveDouble):
3854         (JSC::MacroAssemblerX86Common::addDouble):
3855         (JSC::MacroAssemblerX86Common::addFloat):
3856         (JSC::MacroAssemblerX86Common::mulDouble):
3857         (JSC::MacroAssemblerX86Common::mulFloat):
3858         (JSC::MacroAssemblerX86Common::andDouble):
3859         (JSC::MacroAssemblerX86Common::andFloat):
3860         (JSC::MacroAssemblerX86Common::xorDouble):
3861         (JSC::MacroAssemblerX86Common::xorFloat):
3862         (JSC::MacroAssemblerX86Common::branchAdd32):
3863         * assembler/MacroAssemblerX86_64.h:
3864         (JSC::MacroAssemblerX86_64::and64):
3865         (JSC::MacroAssemblerX86_64::mul64):
3866         (JSC::MacroAssemblerX86_64::xor64):
3867         (JSC::MacroAssemblerX86_64::branchAdd64):
3868         * assembler/X86Assembler.h:
3869         (JSC::X86Assembler::movapd_rr):
3870         (JSC::X86Assembler::movaps_rr):
3871         * b3/B3CheckSpecial.cpp:
3872         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
3873         (JSC::B3::CheckSpecial::generate):
3874         * b3/B3CheckSpecial.h:
3875         * b3/B3LowerToAir.cpp:
3876         (JSC::B3::Air::LowerToAir::lower):
3877         * b3/air/AirCustom.h:
3878         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
3879         * b3/air/AirInst.h:
3880         * b3/air/AirInstInlines.h:
3881         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3882         * b3/air/AirIteratedRegisterCoalescing.cpp:
3883         Aliasing the operands is done the same way as any coalescing.
3884
3885         There were problems with considering all those coalescings
3886         as equivalent for the result.
3887
3888         Moves are mostly generated for Upsilon-Phis. Getting rid of
3889         those tends to give better loops.
3890
3891         Sometimes, blocks have only Phis and a Jump. Coalescing
3892         those moves gets rid of the block entirely.
3893
3894         Where it got interesting was that something like:
3895             Move Tmp1, Tmp2
3896             Op Tmp3, Tmp2
3897         was significantly better than:
3898             Op Tmp1, Tmp3
3899             Move Tmp1, Tmp4
3900         even in the same basic block.
3901
3902         To get back to the same performance, I had to prioritize
3903         regular Move operations over argument coalescing.
3904
3905         Another argument for doing this is that the alias has a shorter
3906         life in the hardware because the operation itself gets a new
3907         virtual register from the bank.
3908
3909         * b3/air/AirOpcode.opcodes:
3910         * b3/air/AirSpecial.cpp:
3911         (JSC::B3::Air::Special::shouldTryAliasingDef):
3912         * b3/air/AirSpecial.h:
3913         * b3/testb3.cpp:
3914         (JSC::B3::testCheckAddArgumentAliasing64):
3915         (JSC::B3::testCheckAddArgumentAliasing32):
3916         (JSC::B3::testCheckAddSelfOverflow64):
3917         (JSC::B3::testCheckAddSelfOverflow32):
3918         (JSC::B3::testCheckMulArgumentAliasing64):
3919         (JSC::B3::testCheckMulArgumentAliasing32):
3920         (JSC::B3::run):
3921
3922         * dfg/DFGOSRExitCompilerCommon.cpp:
3923         (JSC::DFG::reifyInlinedCallFrames):
3924         * jit/AssemblyHelpers.h:
3925         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
3926         This ruined my week.
3927
3928         When regenerating the frame of an inlined function that