5cf8fc9643a0cac47aa38146736ac8389d67ae47
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Air should know that CeilDouble has the partial register stall issue
        https://bugs.webkit.org/show_bug.cgi?id=153338

        Rubber stamped by Benjamin Poulain.

        This is an 8% speed-up on Kraken with B3 enabled, mostly because of a 2.4x speed-up on
        audio-oscillator.

        * b3/air/AirFixPartialRegisterStalls.cpp:

2016-01-21  Andy VanWagoner  <andy@instructure.com>

        [INTL] Implement Array.prototype.toLocaleString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147614

        Reviewed by Benjamin Poulain.

        The primary changes between the ECMA-402 version and the existing implementation
        are passing the arguments on to each element's toLocaleString call, and
        missing/undefined/null elements become empty string instead of being skipped.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):

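Added example, not JSC's code: a reference implementation in JavaScript of Array.prototype.toLocaleString as the entry above describes it. The locales and options arguments are forwarded to every element's own toLocaleString, and holes, undefined and null contribute an empty string rather than being skipped. The "," separator is an assumption (ECMA-402 leaves the list separator implementation-defined), and the recorder element used by demo() is constructed so the result does not depend on the host's locale data.

```javascript
// Reference ECMA-402 Array.prototype.toLocaleString (added example, not JSC's code).
function arrayToLocaleString(array, locales, options) {
  const obj = Object(array);
  // ToLength on the array-like's length property; NaN and negatives clamp to 0.
  const len = Math.min(Math.max(Math.trunc(Number(obj.length)) || 0, 0), Number.MAX_SAFE_INTEGER);
  const separator = ","; // implementation-defined list separator (assumption)
  let out = "";
  for (let k = 0; k < len; k++) {
    if (k > 0) out += separator;
    const element = obj[k]; // a hole reads as undefined, exactly like an explicit undefined
    if (element === undefined || element === null) continue; // contributes "" but keeps its separator
    const fn = element.toLocaleString;
    if (typeof fn !== "function") throw new TypeError(`element ${k} has no callable toLocaleString`);
    // Both arguments are passed through unchanged to the element.
    out += String(fn.call(element, locales, options));
  }
  return out;
}

// Constructed element whose toLocaleString records what it was called with.
function makeRecorder(label) {
  return {
    toLocaleString(locales, options) {
      return `${label}(${locales}|${options && options.style})`;
    },
  };
}

// Constructed input: two recorders around a null, an undefined and a hole (index 3).
function demo() {
  const a = [makeRecorder("a"), null, undefined, , makeRecorder("b")];
  return arrayToLocaleString(a, "de-DE", { style: "currency" });
}
```

demo() yields "a(de-DE|currency),,,,b(de-DE|currency)": four separators for five slots, with the three empty slots contributing nothing but their separators, and both recorders seeing the forwarded locale and options.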
2016-01-21  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153312

        Reviewed by Alex Christensen.

        Since MSVC has several overloads of sin, cos, pow, and log, we need to specify
        which one we want to use.

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::doublePow):
        (JSC::FTL::Output::doubleLog):

2016-01-21  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] foldPathConstants() makes invalid assumptions with Switch
        https://bugs.webkit.org/show_bug.cgi?id=153324

        Reviewed by Filip Pizlo.

        If a Switch() has two cases pointing to the same basic block, foldPathConstants()
        was adding two overrides for that block with two different constants.
        If the block with the Switch dominates the target, both overrides were equally valid
        and we were assuming any of the constants as the value in the target block.

        See testSwitchTargettingSameBlockFoldPathConstant() for an example that breaks.

        This patch adds checks to ignore any block that is reached more than
        once by the control value.

        * b3/B3FoldPathConstants.cpp:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/testb3.cpp:
        (JSC::B3::testSwitchTargettingSameBlock):
        (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
        (JSC::B3::run):

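Added example, not B3's code: a toy control-flow graph in JavaScript that reproduces the mistake the entry above describes and the fix it applies. A Switch on v sends cases 1 and 2 to the same block B and case 3 to block D. Recording one override per case lets the last constant win in B, so the folded program returns the wrong value for v == 1; skipping any target reached by more than one case keeps D's valid override while leaving B alone. The IR shape, the block names and the single-predecessor stand-in for B3's dominator check are assumptions made for illustration.

```javascript
// Toy CFG (added example, not B3's code). Blocks hold straight-line ops and one
// terminator; values live in a flat environment, so an "override" is a const op
// inserted at the head of the target block that redefines the switch value there.
function buildProcedure() {
  return {
    entry: "entry",
    blocks: {
      entry: {
        ops: [],
        term: {
          kind: "switch",
          value: "v",
          cases: [{ c: 1, target: "B" }, { c: 2, target: "B" }, { c: 3, target: "D" }],
          fallthrough: "C",
        },
      },
      // B is reached by two different constants, so v is not known here.
      B: { ops: [{ op: "add", dst: "r", a: "v", imm: 10 }], term: { kind: "return", value: "r" } },
      // D is reached by exactly one case, so v is 3 on every path into it.
      D: { ops: [{ op: "add", dst: "s", a: "v", imm: 100 }], term: { kind: "return", value: "s" } },
      C: { ops: [{ op: "const", dst: "z", value: -1 }], term: { kind: "return", value: "z" } },
    },
  };
}

function successors(block) {
  const t = block.term;
  if (t.kind === "switch") return [...t.cases.map((k) => k.target), t.fallthrough];
  if (t.kind === "jump") return [t.target];
  return [];
}

function predecessors(proc) {
  const preds = new Map();
  for (const [name, block] of Object.entries(proc.blocks)) {
    for (const s of successors(block)) {
      if (!preds.has(s)) preds.set(s, new Set());
      preds.get(s).add(name);
    }
  }
  return preds;
}

// Path-constant folding over Switch terminators. With ignoreMultiHitTargets false
// every case records an override for its target and a block reached by two cases
// ends up with whichever constant was recorded last (the flawed behaviour). With it
// true, such blocks get no override at all (the fix).
function foldPathConstants(proc, { ignoreMultiHitTargets }) {
  const preds = predecessors(proc);
  for (const block of Object.values(proc.blocks)) {
    if (block.term.kind !== "switch") continue;
    const hits = new Map(); // target -> number of cases that lead there
    for (const k of block.term.cases) hits.set(k.target, (hits.get(k.target) || 0) + 1);
    const overrides = new Map(); // target -> constant assumed for the switch value
    for (const k of block.term.cases) {
      // Stand-in dominance test: the target's only predecessor is the switch block.
      if (preds.get(k.target).size !== 1) continue;
      if (ignoreMultiHitTargets && hits.get(k.target) > 1) continue;
      overrides.set(k.target, k.c);
    }
    for (const [target, c] of overrides) {
      proc.blocks[target].ops.unshift({ op: "const", dst: block.term.value, value: c });
    }
  }
  return proc;
}

// Interpreter for the toy IR: returns the value the procedure returns for input v.
function run(proc, input) {
  const env = new Map([["v", input]]);
  let name = proc.entry;
  for (let steps = 0; steps < 100; steps++) {
    const block = proc.blocks[name];
    for (const op of block.ops) {
      if (op.op === "const") env.set(op.dst, op.value);
      else if (op.op === "add") env.set(op.dst, env.get(op.a) + op.imm);
      else throw new Error("unknown op " + op.op);
    }
    const t = block.term;
    if (t.kind === "return") return env.get(t.value);
    if (t.kind === "jump") { name = t.target; continue; }
    const hit = t.cases.find((k) => k.c === env.get(t.value));
    name = hit ? hit.target : t.fallthrough;
  }
  throw new Error("no return reached");
}

// Results for inputs 1, 2, 3 and 9 after folding. Unfolded, they are 11, 12, 103, -1.
function results(ignoreMultiHitTargets) {
  const proc = foldPathConstants(buildProcedure(), { ignoreMultiHitTargets });
  return [1, 2, 3, 9].map((x) => run(proc, x));
}
```

results(false) returns [12, 12, 103, -1]: B was told v is 2, so the path for v == 1 miscomputes. results(true) returns [11, 12, 103, -1]: D still benefits from its single valid override and B is left untouched.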
2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo DFGCommon.h change that accidentally enabled the B3 JIT.

        * dfg/DFGCommon.h:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Move32 should have an Imm, Tmp form
        https://bugs.webkit.org/show_bug.cgi?id=153313

        Reviewed by Mark Lam.

        This enables some useful optimizations, like constant propagation in fixObviousSpills().

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::move):
        * b3/air/AirOpcode.opcodes:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        B3 should have load elimination
        https://bugs.webkit.org/show_bug.cgi?id=153288

        Reviewed by Geoffrey Garen.

        This adds a complete GCSE pass that includes load elimination. It would have been super hard
        to make this work as part of the reduceStrength() fixpoint, since GCSE needs to analyze
        control flow and reduceStrength() is messing with control flow. So, I made a compromise: I
        factored out the pure CSE that reduceStrength() was already doing, and now we have:

        - reduceStrength() still does pure CSE using the new PureCSE helper.

        - eliminateCommonSubexpressions() is a separate phase that does general CSE. It uses the
          PureCSE helper for pure values and does its own special thing for memory values.

        Unfortunately, this doesn't help any benchmark right now. It doesn't hurt anything, either,
        and it's likely to become a bigger pay-off once we implement other features, like mapping
        FTL's abstract heaps onto B3's heap ranges.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3EliminateCommonSubexpressions.cpp: Added.
        (JSC::B3::eliminateCommonSubexpressions):
        * b3/B3EliminateCommonSubexpressions.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange):
        * b3/B3InsertionSet.h:
        (JSC::B3::InsertionSet::InsertionSet):
        (JSC::B3::InsertionSet::isEmpty):
        (JSC::B3::InsertionSet::code):
        (JSC::B3::InsertionSet::appendInsertion):
        * b3/B3MemoryValue.h:
        * b3/B3PureCSE.cpp: Added.
        (JSC::B3::PureCSE::PureCSE):
        (JSC::B3::PureCSE::~PureCSE):
        (JSC::B3::PureCSE::clear):
        (JSC::B3::PureCSE::process):
        * b3/B3PureCSE.h: Added.
        * b3/B3ReduceStrength.cpp:
        * b3/B3ReduceStrength.h:
        * b3/B3Validate.cpp:

2016-01-21  Keith Miller  <keith_miller@apple.com>

        Fix bug in TypedArray.prototype.set and add tests
        https://bugs.webkit.org/show_bug.cgi?id=153309

        Reviewed by Michael Saboff.

        This patch fixes an issue with TypedArray.prototype.set where we would
        assign a double to an unsigned without checking that the double was
        in the range of the unsigned. Additionally, the patch also adds
        tests for set for cases that were not covered before.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):
        * tests/stress/typedarray-set.js: Added.

2016-01-19  Ada Chan  <adachan@apple.com>

        Make it possible to enable VIDEO_PRESENTATION_MODE on other Cocoa platforms.
        https://bugs.webkit.org/show_bug.cgi?id=153218

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2016-01-21  Per Arne Vollan  <peavo@outlook.com>

        [B3][CMake] Add missing source file.
        https://bugs.webkit.org/show_bug.cgi?id=153303

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2016-01-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195375.
        https://bugs.webkit.org/show_bug.cgi?id=153300

        Caused crashes on GuardMalloc (Requested by ap on #webkit).

        Reverted changeset:

        "TypedArray's .buffer does not return the JSArrayBuffer that
        was passed to it on creation."
        https://bugs.webkit.org/show_bug.cgi?id=153281
        http://trac.webkit.org/changeset/195375

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        B3 should have basic path specialization
        https://bugs.webkit.org/show_bug.cgi?id=153200

        Reviewed by Benjamin Poulain.

        This adds two different kinds of path specializations:

        - Check(Select) where the Select results are constants is specialized into a Branch
          instead of a Select and duplicated paths where the results of the Select are folded.

        - Tail duplication. A jump to a small block causes the block's contents to be copied over
          the Jump.

        Both optimizations required being able to clone Values. We can now do that using
        proc.clone(value).

        Check(Select) specialization needed some utilities for walking graphs of Values.

        Tail duplication needed SSA fixup, so I added a way to demote values to anonymous stack
        slots (B3's equivalent of non-SSA variables) and a way to "fix SSA", i.e. to allocate
        anonymous stack slots to SSA values along with an optimal Phi graph.

        This is a big speed-up on Octane/deltablue. It's a 2.2% speed-up on Octane overall.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3ArgumentRegValue.cpp:
        (JSC::B3::ArgumentRegValue::dumpMeta):
        (JSC::B3::ArgumentRegValue::cloneImpl):
        * b3/B3ArgumentRegValue.h:
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::append):
        (JSC::B3::BasicBlock::appendNonTerminal):
        (JSC::B3::BasicBlock::removeLast):
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::values):
        * b3/B3BasicBlockInlines.h:
        (JSC::B3::BasicBlock::appendNew):
        (JSC::B3::BasicBlock::appendNewNonTerminal):
        (JSC::B3::BasicBlock::replaceLastWithNew):
        * b3/B3BlockInsertionSet.h:
        * b3/B3BreakCriticalEdges.cpp: Added.
        (JSC::B3::breakCriticalEdges):
        * b3/B3BreakCriticalEdges.h: Added.
        * b3/B3CCallValue.cpp:
        (JSC::B3::CCallValue::~CCallValue):
        (JSC::B3::CCallValue::cloneImpl):
        * b3/B3CCallValue.h:
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::convertToAdd):
        (JSC::B3::CheckValue::cloneImpl):
        (JSC::B3::CheckValue::CheckValue):
        * b3/B3CheckValue.h:
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::dumpMeta):
        (JSC::B3::Const32Value::cloneImpl):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::dumpMeta):
        (JSC::B3::Const64Value::cloneImpl):
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::dumpMeta):
        (JSC::B3::ConstDoubleValue::cloneImpl):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::dumpMeta):
        (JSC::B3::ConstFloatValue::cloneImpl):
        * b3/B3ConstFloatValue.h:
        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::dumpMeta):
        (JSC::B3::ControlValue::cloneImpl):
        * b3/B3ControlValue.h:
        * b3/B3DuplicateTails.cpp: Added.
        (JSC::B3::duplicateTails):
        * b3/B3DuplicateTails.h: Added.
        * b3/B3FixSSA.cpp: Added.
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::Iterable::Iterable):
        (JSC::B3::IndexSet::values):
        (JSC::B3::IndexSet::indices):
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::insertIntConstant):
        (JSC::B3::InsertionSet::insertBottom):
        (JSC::B3::InsertionSet::execute):
        * b3/B3InsertionSet.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::tmp):
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::dumpMeta):
        (JSC::B3::MemoryValue::cloneImpl):
        * b3/B3MemoryValue.h:
        * b3/B3OriginDump.cpp: Added.
        (JSC::B3::OriginDump::dump):
        * b3/B3OriginDump.h:
        (JSC::B3::OriginDump::OriginDump):
        (JSC::B3::OriginDump::dump): Deleted.
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::dumpMeta):
        (JSC::B3::PatchpointValue::cloneImpl):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::clone):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::addBottom):
        (JSC::B3::Procedure::addBoolConstant):
        (JSC::B3::Procedure::deleteValue):
        * b3/B3Procedure.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3SSACalculator.cpp: Added.
        (JSC::B3::SSACalculator::Variable::dump):
        (JSC::B3::SSACalculator::Variable::dumpVerbose):
        (JSC::B3::SSACalculator::Def::dump):
        (JSC::B3::SSACalculator::SSACalculator):
        (JSC::B3::SSACalculator::~SSACalculator):
        (JSC::B3::SSACalculator::reset):
        (JSC::B3::SSACalculator::newVariable):
        (JSC::B3::SSACalculator::newDef):
        (JSC::B3::SSACalculator::nonLocalReachingDef):
        (JSC::B3::SSACalculator::reachingDefAtTail):
        (JSC::B3::SSACalculator::dump):
        * b3/B3SSACalculator.h: Added.
        (JSC::B3::SSACalculator::Variable::index):
        (JSC::B3::SSACalculator::Variable::Variable):
        (JSC::B3::SSACalculator::Def::variable):
        (JSC::B3::SSACalculator::Def::block):
        (JSC::B3::SSACalculator::Def::value):
        (JSC::B3::SSACalculator::Def::Def):
        (JSC::B3::SSACalculator::variable):
        (JSC::B3::SSACalculator::computePhis):
        (JSC::B3::SSACalculator::phisForBlock):
        (JSC::B3::SSACalculator::reachingDefAtHead):
        * b3/B3StackSlotKind.h:
        * b3/B3StackSlotValue.cpp:
        (JSC::B3::StackSlotValue::dumpMeta):
        (JSC::B3::StackSlotValue::cloneImpl):
        * b3/B3StackSlotValue.h:
        * b3/B3SwitchValue.cpp:
        (JSC::B3::SwitchValue::dumpMeta):
        (JSC::B3::SwitchValue::cloneImpl):
        (JSC::B3::SwitchValue::SwitchValue):
        * b3/B3SwitchValue.h:
        * b3/B3UpsilonValue.cpp:
        (JSC::B3::UpsilonValue::dumpMeta):
        (JSC::B3::UpsilonValue::cloneImpl):
        * b3/B3UpsilonValue.h:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::replaceWithNop):
        (JSC::B3::Value::replaceWithPhi):
        (JSC::B3::Value::dump):
        (JSC::B3::Value::cloneImpl):
        (JSC::B3::Value::dumpChildren):
        (JSC::B3::Value::deepDump):
        * b3/B3Value.h:
        (JSC::B3::DeepValueDump::DeepValueDump):
        (JSC::B3::DeepValueDump::dump):
        (JSC::B3::deepDump):
        * b3/B3ValueInlines.h:
        (JSC::B3::Value::asNumber):
        (JSC::B3::Value::walk):
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::intConstant):
        (JSC::B3::ValueKey::dump):
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::ValueKey):
        (JSC::B3::ValueKey::opcode):
        (JSC::B3::ValueKey::type):
        (JSC::B3::ValueKey::childIndex):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::forAllTmps):
        (JSC::B3::Air::Code::isFastTmp):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        (JSC::B3::Air::UseCounts::operator[]):
        (JSC::B3::Air::UseCounts::dump):
        * b3/testb3.cpp:
        (JSC::B3::testSelectInvert):
        (JSC::B3::testCheckSelect):
        (JSC::B3::testCheckSelectCheckSelect):
        (JSC::B3::testPowDoubleByIntegerLoop):
        (JSC::B3::run):
        * runtime/Options.h:

2016-01-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix a typo in the Air definition of CeilDouble/CeilFloat
        https://bugs.webkit.org/show_bug.cgi?id=153286

        Reviewed by Mark Lam.

        * b3/air/AirOpcode.opcodes:
        The second argument should be a Def. The previous definition was
        adding useless constraints on the allocation of the second argument.

2016-01-20  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] The register allocator can use a dangling pointer when selecting a spill candidate
        https://bugs.webkit.org/show_bug.cgi?id=153287

        Reviewed by Mark Lam.

        A tricky bug I discovered while experimenting with live range breaking.

        We have the following initial conditions:
        -UseCounts is slow, so we only compute it once for all the iterations
         of the allocator.
        -The only new Tmps we create are for spills and refills. They are unspillable
         by definition so it is fine to not update UseCounts accordingly.

        But, in selectSpill(), we go over all the spill candidates and select the best
        one based on its score. The score() lambda uses useCounts, so it cannot be used
        with the new Tmps created for something we already spilled.

        The first time we use score() is correct: we start by skipping all the unspillable
        Tmps from the candidates. The next use was incorrect: we were checking unspillableTmps
        *after* calling score().

        The existing tests did not catch this due to bad luck. I added an assertion
        to find similar problems in the future.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:

2016-01-20  Saam barati  <sbarati@apple.com>

        Fix CLoop build after bug https://bugs.webkit.org/show_bug.cgi?id=152766

        Unreviewed build fix.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2016-01-20  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147613

        Reviewed by Darin Adler.

        Implement toLocaleTimeString in builtin JavaScript.

        * builtins/DatePrototype.js:
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

2016-01-20  Saam barati  <sbarati@apple.com>

        Web Inspector: Hook the sampling profiler into the Timelines UI
        https://bugs.webkit.org/show_bug.cgi?id=152766
        <rdar://problem/24066360>

        Reviewed by Joseph Pecoraro.

        This patch adds some necessary functions to SamplingProfiler::StackFrame
        to allow it to give data to the Inspector for the timelines UI, i.e., the
        sourceID of the executable of a stack frame.

        This patch also swaps in the SamplingProfiler in place of the
        LegacyProfiler inside InspectorScriptProfilerAgent. It adds
        the necessary protocol data to allow the SamplingProfiler's
        data to hook into the timelines UI.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setProfilingClient):
        (JSC::Debugger::willEvaluateScript):
        (JSC::Debugger::didEvaluateScript):
        (JSC::Debugger::toggleBreakpoint):
        * debugger/Debugger.h:
        * debugger/ScriptProfilingScope.h:
        (JSC::ScriptProfilingScope::ScriptProfilingScope):
        (JSC::ScriptProfilingScope::~ScriptProfilingScope):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        (Inspector::InspectorScriptProfilerAgent::stopTracking):
        (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
        (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildSamples):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::buildAggregateCallInfoInspectorObject): Deleted.
        (Inspector::buildInspectorObject): Deleted.
        (Inspector::buildProfileInspectorObject): Deleted.
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/protocol/ScriptProfiler.json:
        * jsc.cpp:
        (functionSamplingProfilerStackTraces):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::clearData):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::startLine):
        (JSC::SamplingProfiler::StackFrame::startColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (JSC::SamplingProfiler::stackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::displayName): Deleted.
        (JSC::SamplingProfiler::stacktracesAsJSON): Deleted.
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::StackFrame):
        (JSC::SamplingProfiler::getLock):
        (JSC::SamplingProfiler::setTimingInterval):
        (JSC::SamplingProfiler::totalTime):
        (JSC::SamplingProfiler::setStopWatch):
        (JSC::SamplingProfiler::stackTraces): Deleted.
        * tests/stress/sampling-profiler-anonymous-function.js:
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-basic.js:
        (platformSupportsSamplingProfiler.nothing):
        (platformSupportsSamplingProfiler.top):
        * tests/stress/sampling-profiler/samplingProfiler.js:
        (doesTreeHaveStackTrace):

2016-01-20  Keith Miller  <keith_miller@apple.com>

        TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
        https://bugs.webkit.org/show_bug.cgi?id=153281

        Reviewed by Geoffrey Garen.

        When creating a JSArrayBuffer we should make sure that the backing ArrayBuffer uses the
        new JSArrayBuffer as its wrapper. This causes issues when we get the buffer of a Typed Array
        created by passing a JSArrayBuffer, as the backing ArrayBuffer does not have a reference to
        the original JSArrayBuffer and a new object is created.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::finishCreation):
        * tests/stress/typedarray-buffer-neutered.js: Added.
        (arrays.typedArrays.map):

2016-01-20  Andreas Kling  <akling@apple.com>

        Pack RegisterAtOffset harder.
        <https://webkit.org/b/152501>

        Reviewed by Michael Saboff.

        Pack the register index and the offset into a single pointer-sized word instead of two.
        This reduces memory consumption by 620 kB on mobile theverge.com.

        The packing doesn't succeed on MSVC for some reason, so I've left out the static
        assertion about class size in those builds.

        * jit/RegisterAtOffset.cpp:
        * jit/RegisterAtOffset.h:

2016-01-20  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fix.
        https://bugs.webkit.org/show_bug.cgi?id=153278

        Reviewed by Filip Pizlo.

        MSVC does not accept that a class declared as exported also has members declared as exported.

        * b3/B3Const32Value.h:
        * b3/B3ControlValue.h:

2016-01-19  Keith Miller  <keith_miller@apple.com>

        [ES6] Fix various issues with TypedArrays.
        https://bugs.webkit.org/show_bug.cgi?id=153245

        Reviewed by Geoffrey Garen.

        This patch fixes a couple of issues with TypedArrays:

        1) We were not checking if a view had been neutered and throwing an error
        if it had in our TypedArray.prototype functions.

        2) The TypedArray.prototype.set function had a couple of minor issues with
        checking for the offset being negative.

        3) The JSArrayBufferView class did not check if the backing store had
        been neutered when computing the offset even though the view's vector
        pointer had been set to NULL. This meant that under some conditions we
        could, occasionally, return a garbage number as the offset. Now, we only
        neuter views if the backing ArrayBuffer's view is actually transferred.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNeuterTypedArray):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::isNeutered):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncEntries):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncFill):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncKeys):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::typedArrayViewProtoFuncValues):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort): Deleted.
        * tests/stress/typedarray-functions-with-neutered.js: Added.
        (getGetter):
        (unit):
        (args.new.Int32Array):
        (arrays.typedArrays.map):
        (checkProtoFunc.throwsCorrectError):
        (checkProtoFunc):
        (test):

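Added example, not JSC's code: a reference TypedArray.prototype.set in JavaScript with the checks that the 153309 entry (double offset assigned to an unsigned without a range check) and the 153245 entry above (prototype functions not rejecting a neutered view, and a negative offset slipping through) describe. naiveUnsignedOffset() shows the conversion hazard: an offset of 2**32 + 1 wraps to 1 and would pass a range check done after the conversion, so the fit test here is done on the double first. "Neutered" is the detached state; this example detaches a buffer by transferring it with structuredClone, whereas JSC's own tests use a jsc shell helper. All inputs in demo() are constructed.

```javascript
// Distinguishes a detached ("neutered") buffer from a merely empty one. The ES2024
// `detached` accessor is used where the engine has it; otherwise the fact that
// constructing a view on a detached buffer throws a TypeError is used instead.
function isDetached(buffer) {
  if (typeof buffer.detached === "boolean") return buffer.detached;
  try {
    new Uint8Array(buffer);
    return false;
  } catch (e) {
    return true;
  }
}

// Detaches an ArrayBuffer by transferring it away, as a postMessage transfer would.
function detach(buffer) {
  if (typeof structuredClone === "function") {
    structuredClone(buffer, { transfer: [buffer] });
    return;
  }
  const { MessageChannel } = require("worker_threads"); // fallback for older Node.js
  const channel = new MessageChannel();
  channel.port1.postMessage(buffer, [buffer]);
  channel.port1.close();
}

// The hazard behind bug 153309: converting the offset to an unsigned index before
// range-checking it. 2**32 + 1 wraps to 1, which is inside any small array.
function naiveUnsignedOffset(offset) {
  return Number(offset) >>> 0;
}

// Reference %TypedArray%.prototype.set for an array-like source (added example).
// Order of checks: detached target first, then the offset as a number (NaN -> 0,
// negative -> RangeError), then the fit test as a double comparison, and only
// then any element write.
function typedArraySet(target, source, offset = 0) {
  if (isDetached(target.buffer)) throw new TypeError("target buffer is detached");
  let targetOffset = Math.trunc(Number(offset));
  if (Number.isNaN(targetOffset)) targetOffset = 0;
  if (targetOffset < 0) throw new RangeError("offset must not be negative");
  const src = Object(source);
  const srcLength = Math.max(Math.trunc(Number(src.length)) || 0, 0);
  if (srcLength + targetOffset > target.length) throw new RangeError("source does not fit at offset");
  for (let i = 0; i < srcLength; i++) target[targetOffset + i] = Number(src[i]);
  return target;
}

// Returns the constructor name of the error fn throws, or null if it returns.
function errorName(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructed inputs exercising each check; returns the observations for inspection.
function demo() {
  const out = {};
  out.copied = Array.from(typedArraySet(new Uint8Array(8), [1, 2, 3], 2));
  out.nanOffset = Array.from(typedArraySet(new Uint8Array(3), [7, 8], NaN));
  out.naiveWrap = naiveUnsignedOffset(2 ** 32 + 1);
  out.hugeOffset = errorName(() => typedArraySet(new Uint8Array(8), [1], 2 ** 32 + 1));
  out.negativeOffset = errorName(() => typedArraySet(new Uint8Array(8), [1], -1));
  out.doesNotFit = errorName(() => typedArraySet(new Uint8Array(3), [1, 2, 3], 1));
  const view = new Uint8Array(4);
  detach(view.buffer);
  out.detachedLength = view.length;
  out.detachedSet = errorName(() => typedArraySet(view, [1], 0));
  return out;
}
```

In demo(), the in-range copy lands at index 2, a NaN offset is treated as 0, the wrapped offset is 1 while the checked call throws RangeError, the negative and oversized cases throw RangeError, and the detached view reports length 0 and is refused with a TypeError before anything is written.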
612 2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>
613
614         [INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
615         https://bugs.webkit.org/show_bug.cgi?id=147612
616
617         Reviewed by Benjamin Poulain.
618
619         Implement toLocaleDateString in builtin JavaScript. Remove comments with
620         spec steps, and instead link to the new HTML version of the spec.
621
622         Avoids creating an extra empty object in the prototype chain of the options
623         object in ToDateTimeOptions. The version used in toLocaleString was updated
624         to match as well.
625
626         * builtins/DatePrototype.js:
627         (toLocaleString.toDateTimeOptionsAnyAll):
628         (toLocaleString):
629         (toLocaleDateString.toDateTimeOptionsDateDate):
630         (toLocaleDateString):
631         * runtime/DatePrototype.cpp:
632         (JSC::DatePrototype::finishCreation):
633
634 2016-01-19  Benjamin Poulain  <bpoulain@apple.com>
635
636         [JSC] fixSpillSlotZDef() crashes on ARM64
637         https://bugs.webkit.org/show_bug.cgi?id=153246
638
639         Reviewed by Geoffrey Garen.
640
641         Moving an immediate to memory is not a valid instruction on ARM64.
642         This patch adds a small workaround for this specific case: an instruction
643         to zero a chunk of memory.
644
645         * assembler/MacroAssemblerARM64.h:
646         (JSC::MacroAssemblerARM64::storeZero32):
647         * assembler/MacroAssemblerX86Common.h:
648         (JSC::MacroAssemblerX86Common::storeZero32):
649         * b3/air/AirFixSpillSlotZDef.h:
650         (JSC::B3::Air::fixSpillSlotZDef):
651         * b3/air/AirOpcode.opcodes:
652
653 2016-01-19  Enrica Casucci  <enrica@apple.com>
654
655         Add support for DataDetectors in WK (iOS).
656         https://bugs.webkit.org/show_bug.cgi?id=152989
657         rdar://problem/22855960
658
659         Reviewed by Tim Horton.
660
661         Adding feature definition for data detection.
662
663         * Configurations/FeatureDefines.xcconfig:
664
665 2016-01-19  Per Arne Vollan  <peavo@outlook.com>
666
667         [B3][Win64] Compile and warning fixes.
668         https://bugs.webkit.org/show_bug.cgi?id=153234
669
670         Reviewed by Alex Christensen.
671
672         The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
673         when we want the size to be 8 bytes.
674
675         * b3/B3LowerMacrosAfterOptimizations.cpp:
676         * b3/B3ReduceStrength.cpp:
677
678 2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>
679
680         [cmake] Fix the B3 build after r195159
681         https://bugs.webkit.org/show_bug.cgi?id=153232
682
683         Reviewed by Yusuke Suzuki.
684
685         * CMakeLists.txt:
686
687 2016-01-19  Commit Queue  <commit-queue@webkit.org>
688
689         Unreviewed, rolling out r195300.
690         https://bugs.webkit.org/show_bug.cgi?id=153244
691
692         enrica wants more time to fix Windows (Requested by thorton on
693         #webkit).
694
695         Reverted changeset:
696
697         "Add support for DataDetectors in WK (iOS)."
698         https://bugs.webkit.org/show_bug.cgi?id=152989
        http://trac.webkit.org/changeset/195300

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Reconsider B3's constant motion policy
        https://bugs.webkit.org/show_bug.cgi?id=152202

        Reviewed by Geoffrey Garen.

        This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
        It has a generally positive impact on the Octane score, but it's within margin of error.

        This also changes IRC to make it a bit more likely to spill constants. We don't want it to
        spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
        a constant from the stack with the constant itself, especially in case of instructions that
        need an extra register to materialize the immediate.

        Also fixed DFG graph dumping to print a bit fewer things. It was trying to print the results of
        constant property inference, and this sometimes caused crashes when you dumped the graph at an
        inopportune time.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3MoveConstants.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirArgInlines.h: Added.
        (JSC::B3::Air::ArgThingHelper<Tmp>::is):
        (JSC::B3::Air::ArgThingHelper<Tmp>::as):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
        (JSC::B3::Air::ArgThingHelper<Arg>::is):
        (JSC::B3::Air::ArgThingHelper<Arg>::as):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
        (JSC::B3::Air::Arg::is):
        (JSC::B3::Air::Arg::as):
        (JSC::B3::Air::Arg::forEachFast):
        (JSC::B3::Air::Arg::forEach):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition.

        * Configurations/FeatureDefines.xcconfig:

2016-01-17  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be just as fast as FTL LLVM on Octane/crypto
        https://bugs.webkit.org/show_bug.cgi?id=153113

        Reviewed by Saam Barati.

        This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
        Octane/crypto. It was a very successful rampage.

        The biggest change in this patch is the introduction of a phase called fixObviousSpills()
        that fixes patterns like:

        Store register to stack slot and then use stack slot:
            Move %rcx, (stack42)
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Load stack slot into register and then use stack slot:
            Move (stack42), %rcx
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Store constant into stack slot and then use stack slot:
            Move $42, %rcx
            Move %rcx, (stack42)
            Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
            Foo use:(stack42) // replace (stack42) with $42 here.

        This phase does these fixups by doing a global forward flow that propagates sets of
        must-aliases.

        Also added a phase to report register pressure. It pretty-prints code alongside the set of
        in-use registers above each instruction. Using this phase, I found that our register
        allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
        make substantial changes to register allocation. I don't have such a fear anymore, at least
        for Octane/crypto. In the future, we can check how the regalloc is performing just by
        enabling logAirRegisterPressure.

        Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
        conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
        hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
        of branches.

        Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
        reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
        optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
        the cases of interest were dead simple - the incoming values to the CheckMul were obviously
        too small to cause overflow. I added such reasoning to B3's strength reduction.

        Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
        allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
        spill slot. In that case, it would extend the size of the spill slot to ensure that the use
        or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
        the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
        slots. They cannot have more than one def to initialize their value. I fixed that by making
        allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
        on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
        construct a test for this. It might be a hypothetical bug, but still, I like how this
        simplifies the register allocator.

        This is a ~0.7% speed-up on Octane.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::hiddenBranch):
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::fillStackmap):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3StackmapValue.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirAllocateStack.h:
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::callArg):
        (JSC::B3::Air::Arg::stackAddr):
        (JSC::B3::Air::Arg::isValidScale):
        * b3/air/AirBasicBlock.cpp:
        (JSC::B3::Air::BasicBlock::deepDump):
        (JSC::B3::Air::BasicBlock::dumpHeader):
        (JSC::B3::Air::BasicBlock::dumpFooter):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::CCallSpecial):
        (JSC::B3::Air::CCallSpecial::~CCallSpecial):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::lastPhaseName):
        (JSC::B3::Air::Code::setEnableRCRS):
        (JSC::B3::Air::Code::enableRCRS):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::createShuffle):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        * b3/air/AirFixObviousSpills.cpp: Added.
        (JSC::B3::Air::fixObviousSpills):
        * b3/air/AirFixObviousSpills.h: Added.
        * b3/air/AirFixSpillSlotZDef.h: Removed.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::admitsStack):
        (JSC::B3::Air::isShiftValid):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
        (JSC::B3::Air::AbstractLiveness::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::liveAtTail):
        (JSC::B3::Air::AbstractLiveness::workset):
        * b3/air/AirLogRegisterPressure.cpp: Added.
        (JSC::B3::Air::logRegisterPressure):
        * b3/air/AirLogRegisterPressure.h: Added.
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::blocksInOptimizedOrder):
        (JSC::B3::Air::optimizeBlockOrder):
        * b3/air/AirOptimizeBlockOrder.h:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/AirReportUsedRegisters.h:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirStackSlot.h:
        (JSC::B3::Air::StackSlot::isLocked):
        (JSC::B3::Air::StackSlot::index):
        (JSC::B3::Air::StackSlot::ensureSize):
        (JSC::B3::Air::StackSlot::alignment):
        * b3/air/AirValidate.cpp:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::setAll):
        (JSC::RegisterSet::merge):
        (JSC::RegisterSet::filter):
        * runtime/Options.h:
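
        The must-alias propagation that the fixObviousSpills() entry above describes, as an added
        illustration that is not JavaScriptCore's implementation: a forward pass over one basic
        block of a toy Air-like instruction form that records which register or constant a spill
        slot must currently equal, forgets a fact as soon as its register or slot is redefined, and
        rewrites stack-slot uses accordingly. The operand encoding and the Inst struct are constructed
        for this example; the cross-block merge of the global flow is omitted.

```cpp
// Added example (not JavaScriptCore's fixObviousSpills): forward must-alias
// propagation over one basic block of a toy Air-like instruction form.
// Operand encoding, constructed for this example:
//   "%rcx" register, "(stack42)" spill slot, "$42" immediate constant.
#include <iostream>
#include <map>
#include <string>
#include <vector>

static bool isReg(const std::string& a) { return !a.empty() && a[0] == '%'; }
static bool isSlot(const std::string& a) { return !a.empty() && a[0] == '('; }
static bool isImm(const std::string& a) { return !a.empty() && a[0] == '$'; }

struct Inst {
    std::string opcode;            // "Move" or any opaque opcode such as "Foo"
    std::vector<std::string> uses; // for Move: {src}
    std::vector<std::string> defs; // for Move: {dst}
};

// Must-alias facts that hold at the current program point.
struct Facts {
    std::map<std::string, std::string> slotReg;   // slot -> register holding the same value
    std::map<std::string, std::string> slotConst; // slot -> "$imm" it was filled with
    std::map<std::string, std::string> regConst;  // reg  -> "$imm" it was loaded with

    // A def of a register kills every fact that claimed something equals it.
    void clobberReg(const std::string& reg)
    {
        regConst.erase(reg);
        for (auto it = slotReg.begin(); it != slotReg.end();) {
            if (it->second == reg)
                it = slotReg.erase(it);
            else
                ++it;
        }
    }
    // A def of a slot kills what we knew about that slot.
    void clobberSlot(const std::string& slot)
    {
        slotReg.erase(slot);
        slotConst.erase(slot);
    }
    // Prefer the register alias; fall back to the constant, which some
    // instructions still need a scratch register to materialize.
    std::string rewriteUse(const std::string& a) const
    {
        if (!isSlot(a))
            return a;
        auto r = slotReg.find(a);
        if (r != slotReg.end())
            return r->second;
        auto c = slotConst.find(a);
        if (c != slotConst.end())
            return c->second;
        return a;
    }
};

static std::string format(const Inst& inst)
{
    if (inst.opcode == "Move")
        return "Move " + inst.uses[0] + ", " + inst.defs[0];
    std::string s = inst.opcode;
    for (const std::string& u : inst.uses)
        s += " use:" + u;
    for (const std::string& d : inst.defs)
        s += " def:" + d;
    return s;
}

// Returns the rewritten block, one formatted instruction per entry.
std::vector<std::string> fixObviousSpills(std::vector<Inst> block)
{
    Facts facts;
    std::vector<std::string> out;
    for (Inst& inst : block) {
        // New facts are recorded against the source as written, even when the
        // use itself gets rewritten to an alias below.
        const std::string origSrc = inst.opcode == "Move" ? inst.uses[0] : "";
        for (std::string& u : inst.uses)
            u = facts.rewriteUse(u);       // uses read the pre-instruction state
        for (const std::string& d : inst.defs) {
            if (isReg(d))
                facts.clobberReg(d);
            else
                facts.clobberSlot(d);
        }
        if (inst.opcode == "Move") {
            const std::string& dst = inst.defs[0];
            if (isReg(dst) && isImm(origSrc)) {
                facts.regConst[dst] = origSrc;
            } else if (isReg(dst) && isSlot(origSrc)) {
                facts.slotReg[origSrc] = dst;  // load: slot and dst now agree
                auto c = facts.slotConst.find(origSrc);
                if (c != facts.slotConst.end())
                    facts.regConst[dst] = c->second;
            } else if (isSlot(dst) && isImm(origSrc)) {
                facts.slotConst[dst] = origSrc;
            } else if (isSlot(dst) && isReg(origSrc)) {
                facts.slotReg[dst] = origSrc;  // store: slot and src now agree
                auto c = facts.regConst.find(origSrc);
                if (c != facts.regConst.end())
                    facts.slotConst[dst] = c->second;
            }
        }
        out.push_back(format(inst));
    }
    return out;
}
```

        Run over the third pattern from the entry, the final instruction comes back as
        "Foo use:$42"; if the register is clobbered and no constant is known, the slot use is left alone.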

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo unintended commit.

        * dfg/DFGCommon.h:

2016-01-18  Filip Pizlo  <fpizlo@apple.com>

        Fix Air shuffling assertions
        https://bugs.webkit.org/show_bug.cgi?id=153213

        Reviewed by Saam Barati.

        Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/testair.cpp:
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::run):

2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
        https://bugs.webkit.org/show_bug.cgi?id=152693

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:

2016-01-18  Saam barati  <sbarati@apple.com>

        assertions in BytecodeUseDef.h about opcode length are off by one
        https://bugs.webkit.org/show_bug.cgi?id=153215

        Reviewed by Dan Bernstein.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2016-01-18  Saam barati  <sbarati@apple.com>

        FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
        https://bugs.webkit.org/show_bug.cgi?id=153186

        Reviewed by Michael Saboff.

        Michael was investigating a bug he found while doing the new JSC calling
        convention work and it turns out to be a latent bug in FTL try/catch machinery.
        After I looked at the code again, I realized that what I had previously
        written is wrong in a subtle way. The FTL callOperation machinery will remove
        its result register from the set of registers it needs to spill. This is not
        correct when we have try/catch. We may want to do value recovery on
        the value that the result register is prior to the call after the call
        throws an exception. The case that we were solving before was when the
        resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
        This code is correct in wanting to spill in that case, even though it might spill
        when we don't need it to (i.e. the result is not needed for value recovery). Once I
        investigated this bug further, I realized that the previous rule is just a
        partial subset of the rule that says we should spill anytime the result is
        a register we might do value recovery on. This patch implements the rule that
        says we always want to spill the result when we will do value recovery on it
        if an exception is thrown.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
        (assert):
        (random):
        (identity):
        (let.o2.get f):
        (let.o3.get f):
        (foo):
        (i.else):

2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>

        [MIPS] LLInt: fix calculation of Global Offset Table
        https://bugs.webkit.org/show_bug.cgi?id=150381

        Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
        computes the address of the GOT. However, this instruction requires $t9 to
        contain the address of the current function. So we need to set $t9 to pcBase,
        otherwise GOT-related calculations will be invalid.

        Since offlineasm does not allow a direct move to $t9 on MIPS, a new
        instruction setcallreg was added which does exactly that.

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=153204

        Reviewed by Michael Catanzaro.

        * jsc.cpp:
        (main):

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Add testair to the build system
        https://bugs.webkit.org/show_bug.cgi?id=153126

        Reviewed by Michael Catanzaro.

        * shell/CMakeLists.txt:

2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>

        Ensure that CF_AVAILABLE is undefined when building webkit-gtk

        https://bugs.webkit.org/show_bug.cgi?id=152720

        This change ensures that CF_AVAILABLE is correctly a no-op to
        address build failure that was observed when building on older
        versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
        re-defined to the system header value based on include-order.

        Reviewed by Michael Catanzaro.

        * API/WebKitAvailability.h:

2016-01-17  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix regT2 and regT3 trampling in MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=153131

        Mips $t2 and $t3 registers were used as temporary registers
        in MacroAssemblerMIPS.h, whereas they are mapped to regT2
        and regT3 in LLInt and GPRInfo.

        This patch rearranges register mapping for the mips architecture:
        - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
        - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
        - remove $t6 from temp registers list in LLInt
        - update GPRInfo.h accordingly
        - add mips macroScratchRegisters() list in RegisterSet.cpp

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::macroScratchRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * offlineasm/mips.rb:

2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
        https://bugs.webkit.org/show_bug.cgi?id=146934

        Reviewed by Saam Barati.

        Added support for destructuring parameters; before, arrow functions expected only simple parameters,
        e.g. (), (x), (x, y) or x in an assignment expression. To support destructuring parameters, an
        additional check was added that checks for destructuring parameters if the check does not pass for simple parameters.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:

2016-01-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
        https://bugs.webkit.org/show_bug.cgi?id=153065

        Reviewed by Mark Lam.
        Reviewed by Filip Pizlo.

        On ARM64, we cannot use a signed 32-bit offset for memory addressing.
        There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
        Air already knows about it.

        In this patch, the offsets are changed to something valid for ARM64
        prior to lowering. When an offset is invalid, it is just computed
        before the instruction and used as the base for addressing.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3LegalizeMemoryOffsets.cpp: Added.
        (JSC::B3::legalizeMemoryOffsets):
        * b3/B3LegalizeMemoryOffsets.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadWithOffsetImpl):
        (JSC::B3::testLoadOffsetImm9Max):
        (JSC::B3::testLoadOffsetImm9MaxPlusOne):
        (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
        (JSC::B3::testLoadOffsetImm9Min):
        (JSC::B3::testLoadOffsetImm9MinMinusOne):
        (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
        (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
        (JSC::B3::run):

2016-01-15  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153142

        Reviewed by Brent Fulgham.

        The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
        Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
        Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
        the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.

        * ForwardingHeaders/JavaScriptCore/APICast.h:
        * ForwardingHeaders/JavaScriptCore/JSBase.h:
        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
        * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
        * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
        * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
        * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
        * ForwardingHeaders/JavaScriptCore/JavaScript.h:
        * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
        * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
        * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:

2016-01-15  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153127

        Reviewed by Alex Christensen.

        MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
        which one we want to use.

        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3MathExtras.cpp:
        (JSC::B3::powDoubleInt32):
        * b3/B3ReduceStrength.cpp:

2016-01-15  Filip Pizlo  <fpizlo@apple.com>

        Air needs a Shuffle instruction
        https://bugs.webkit.org/show_bug.cgi?id=152952

        Reviewed by Saam Barati.

        This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
        multiple moves to perform arbitrary permutations over registers and memory. We call these
        rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
        c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
        use immediates as their source.

        Shuffle is added as a custom instruction, since it has a variable number of arguments. It
        takes any number of triplets of arguments, where each triplet describes one mapping of the
        shuffle. For example, to represent (a => b, b => c), we might say:

            Shuffle %a, %b, 64, %b, %c, 64

        Note the "64"s: those are width arguments that describe how many bits of the register are
        being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
        most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
        of the pairs in the example). For GP arguments, the width follows ZDef semantics.

        In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
        how to use it:

        - C calling convention argument marshalling. Previously we used move instructions. But that's
          problematic since it introduces artificial interference between the argument registers and
          the inputs. Using Shuffle removes that interference. This helps a bit.

        - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
          a cold path, then we want it to appear to the register allocator like it doesn't clobber
          any registers. Only after register allocation should we handle the clobbering by simply
          saving all of the live volatile registers to the stack. If you imagine the saving and the
          argument marshalling, you can see how before the call, we want to have a Shuffle that does
          both of those things. This is important. If argument marshalling was separate from the
          saving, then we'd still appear to clobber argument registers. Doing them together as one
          Shuffle means that the cold call doesn't appear to even clobber the argument registers.

        Unfortunately, I was wrong about cold C calls being the dominant problem with our register
        allocator right now. Fixing this revealed other problems in my current tuning benchmark,
        Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
        functionality we will need to implement other optimizations.

        Relanding after fixing production build.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::isX86_64):
        (JSC::isIOS):
        (JSC::optimizeForARMv7IDIVSupported):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::swap32):
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::swap64):
        (JSC::MacroAssemblerX86_64::move64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgl_rm):
        (JSC::X86Assembler::xchgq_rr):
        (JSC::X86Assembler::xchgq_rm):
        (JSC::X86Assembler::movl_rr):
        * b3/B3CCallValue.h:
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        (JSC::B3::Compilation::~Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
        * b3/B3OpaqueByproducts.h:
        (JSC::B3::OpaqueByproducts::count):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForValue):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isStackMemory):
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::usesTmp):
        (JSC::B3::Air::Arg::canRepresent):
        (JSC::B3::Air::Arg::isCompatibleType):
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::forEachType):
        (JSC::B3::Air::Arg::isWarmUse):
        (JSC::B3::Air::Arg::cooled):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::imm64):
        (JSC::B3::Air::Arg::immPtr):
        (JSC::B3::Air::Arg::addr):
        (JSC::B3::Air::Arg::special):
        (JSC::B3::Air::Arg::widthArg):
        (JSC::B3::Air::Arg::operator==):
        (JSC::B3::Air::Arg::isImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::isAddr):
        (JSC::B3::Air::Arg::isIndex):
        (JSC::B3::Air::Arg::isMemory):
        (JSC::B3::Air::Arg::isRelCond):
        (JSC::B3::Air::Arg::isSpecial):
        (JSC::B3::Air::Arg::isWidthArg):
        (JSC::B3::Air::Arg::isAlive):
        (JSC::B3::Air::Arg::base):
        (JSC::B3::Air::Arg::hasOffset):
        (JSC::B3::Air::Arg::offset):
        (JSC::B3::Air::Arg::width):
        (JSC::B3::Air::Arg::isGPTmp):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isGPR):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::forEachTmpFast):
        * b3/air/AirBasicBlock.h:
        (JSC::B3::Air::BasicBlock::insts):
        (JSC::B3::Air::BasicBlock::appendInst):
        (JSC::B3::Air::BasicBlock::append):
        * b3/air/AirCCallingConvention.cpp: Added.
        (JSC::B3::Air::computeCCallingConvention):
        (JSC::B3::Air::cCallResult):
        (JSC::B3::Air::buildCCall):
        * b3/air/AirCCallingConvention.h: Added.
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::proc):
        * b3/air/AirCustom.cpp: Added.
        (JSC::B3::Air::CCallCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::generate):
        (JSC::B3::Air::ShuffleCustom::isValidForm):
        (JSC::B3::Air::ShuffleCustom::generate):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::generate):
        (JSC::B3::Air::CCallCustom::forEachArg):
        (JSC::B3::Air::CCallCustom::isValidFormStatic):
        (JSC::B3::Air::CCallCustom::admitsStack):
        (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::ColdCCallCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
        (JSC::B3::Air::ShuffleCustom::admitsStack):
        (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
        * b3/air/AirEmitShuffle.cpp: Added.
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h: Added.
        (JSC::B3::Air::ShufflePair::ShufflePair):
        (JSC::B3::Air::ShufflePair::src):
        (JSC::B3::Air::ShufflePair::dst):
        (JSC::B3::Air::ShufflePair::width):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirInsertionSet.cpp:
        (JSC::B3::Air::InsertionSet::insertInsts):
        (JSC::B3::Air::InsertionSet::execute):
        * b3/air/AirInsertionSet.h:
        (JSC::B3::Air::InsertionSet::insertInst):
        (JSC::B3::Air::InsertionSet::insert):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::operator bool):
        (JSC::B3::Air::Inst::append):
        * b3/air/AirLowerAfterRegAlloc.cpp: Added.
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerAfterRegAlloc.h: Added.
        * b3/air/AirLowerMacros.cpp: Added.
        (JSC::B3::Air::lowerMacros):
        * b3/air/AirLowerMacros.h: Added.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirRegisterPriority.h:
        (JSC::B3::Air::regsInPriorityOrder):
        * b3/air/testair.cpp: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (JSC::B3::Air::compile):
        (JSC::B3::Air::invoke):
        (JSC::B3::Air::compileAndRun):
        (JSC::B3::Air::testSimple):
        (JSC::B3::Air::loadConstantImpl):
        (JSC::B3::Air::loadConstant):
        (JSC::B3::Air::loadDoubleConstant):
        (JSC::B3::Air::testShuffleSimpleSwap):
        (JSC::B3::Air::testShuffleSimpleShift):
        (JSC::B3::Air::testShuffleLongShift):
        (JSC::B3::Air::testShuffleLongShiftBackwards):
        (JSC::B3::Air::testShuffleSimpleRotate):
        (JSC::B3::Air::testShuffleSimpleBroadcast):
        (JSC::B3::Air::testShuffleBroadcastAllRegs):
        (JSC::B3::Air::testShuffleTreeShift):
        (JSC::B3::Air::testShuffleTreeShiftBackward):
        (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
        (JSC::B3::Air::testShuffleMultipleShifts):
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::testShuffleMultipleRotates):
        (JSC::B3::Air::testShuffleShiftAndRotate):
        (JSC::B3::Air::testShuffleShiftAllRegs):
        (JSC::B3::Air::testShuffleRotateAllRegs):
        (JSC::B3::Air::testShuffleSimpleSwap64):
        (JSC::B3::Air::testShuffleSimpleShift64):
        (JSC::B3::Air::testShuffleSwapMixedWidth):
        (JSC::B3::Air::testShuffleShiftMixedWidth):
        (JSC::B3::Air::testShuffleShiftMemory):
        (JSC::B3::Air::testShuffleShiftMemoryLong):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
        (JSC::B3::Air::combineHiLo):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemory):
        (JSC::B3::Air::testShuffleRotateMemory64):
        (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleSwapDouble):
        (JSC::B3::Air::testShuffleShiftDouble):
        (JSC::B3::Air::run):
        (run):
        (main):
        * b3/testb3.cpp:
        (JSC::B3::testCallSimple):
        (JSC::B3::testCallRare):
        (JSC::B3::testCallRareLive):
        (JSC::B3::testCallSimplePure):
        (JSC::B3::run):
1404
1405 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
1406
1407         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
1408         https://bugs.webkit.org/show_bug.cgi?id=147611
1409
1410         Reviewed by Benjamin Poulain.
1411
1412         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
1413         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
1414         function specific to the call in initializeDateTimeFormat. Properly
1415         throw when the options parameter is null.
1416         Add toLocaleString in builtin JavaScript, with its own specific branch
1417         of toDateTimeOptions.
1418
1419         * CMakeLists.txt:
1420         * DerivedSources.make:
1421         * JavaScriptCore.xcodeproj/project.pbxproj:
1422         * builtins/DatePrototype.js: Added.
1423         (toLocaleString.toDateTimeOptionsAnyAll):
1424         (toLocaleString):
1425         * runtime/CommonIdentifiers.h:
1426         * runtime/DatePrototype.cpp:
1427         (JSC::DatePrototype::finishCreation):
1428         * runtime/DatePrototype.h:
1429         * runtime/IntlDateTimeFormat.cpp:
1430         (JSC::toDateTimeOptionsAnyDate):
1431         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1432         (JSC::toDateTimeOptions): Deleted.
1433         * runtime/JSGlobalObject.cpp:
1434         (JSC::JSGlobalObject::init):
1435
1436 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
1437
1438         [mips] Implemented emitFunctionPrologue/Epilogue
1439         https://bugs.webkit.org/show_bug.cgi?id=152947
1440
1441         Reviewed by Michael Saboff.
1442
1443         * assembler/MacroAssemblerMIPS.h:
1444         (JSC::MacroAssemblerMIPS::popPair):
1445         (JSC::MacroAssemblerMIPS::pushPair):
1446         * jit/AssemblyHelpers.h:
1447         (JSC::AssemblyHelpers::emitFunctionPrologue):
1448         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1449         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1450
1451 2016-01-15  Commit Queue  <commit-queue@webkit.org>
1452
1453         Unreviewed, rolling out r195084.
1454         https://bugs.webkit.org/show_bug.cgi?id=153132
1455
1456         Broke Production build (Requested by ap on #webkit).
1457
1458         Reverted changeset:
1459
1460         "Air needs a Shuffle instruction"
1461         https://bugs.webkit.org/show_bug.cgi?id=152952
1462         http://trac.webkit.org/changeset/195084
1463
1464 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
1465
1466         [mips] Add countLeadingZeros32 implementation in macro assembler
1467         https://bugs.webkit.org/show_bug.cgi?id=152886
1468
1469         Reviewed by Michael Saboff.
1470
1471         * assembler/MIPSAssembler.h:
1472         (JSC::MIPSAssembler::lui):
1473         (JSC::MIPSAssembler::clz):
1474         (JSC::MIPSAssembler::addiu):
1475         * assembler/MacroAssemblerMIPS.h:
1476         (JSC::MacroAssemblerMIPS::and32):
1477         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
1478         (JSC::MacroAssemblerMIPS::lshift32):
1479
1480 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
1481
1482         Air needs a Shuffle instruction
1483         https://bugs.webkit.org/show_bug.cgi?id=152952
1484
1485         Reviewed by Saam Barati.
1486
1487         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1488         multiple moves to perform arbitrary permutations over registers and memory. We call these
1489         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1490         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1491         use immediates as their source.
1492
1493         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1494         takes any number of triplets of arguments, where each triplet describes one mapping of the
1495         shuffle. For example, to represent (a => b, b => c), we might say:
1496
1497             Shuffle %a, %b, 64, %b, %c, 64
1498
1499         Note the "64"s, those are width arguments that describe how many bits of the register are
1500         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1501         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1502         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1503
1504         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1505         how to use it:
1506
1507         - C calling convention argument marshalling. Previously we used move instructions. But that's
1508           problematic since it introduces artificial interference between the argument registers and
1509           the inputs. Using Shuffle removes that interference. This helps a bit.
1510
1511         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1512           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1513           any registers. Only after register allocation should we handle the clobbering by simply
1514           saving all of the live volatile registers to the stack. If you imagine the saving and the
1515           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1516           both of those things. This is important. If argument marshalling was separate from the
1517           saving, then we'd still appear to clobber argument registers. Doing them together as one
1518           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1519
1520         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1521         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1522         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1523         functionality we will need to implement other optimizations.
1524
1525         * CMakeLists.txt:
1526         * JavaScriptCore.xcodeproj/project.pbxproj:
1527         * assembler/AbstractMacroAssembler.h:
1528         (JSC::isX86_64):
1529         (JSC::isIOS):
1530         (JSC::optimizeForARMv7IDIVSupported):
1531         * assembler/MacroAssemblerX86Common.h:
1532         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1533         (JSC::MacroAssemblerX86Common::swap32):
1534         (JSC::MacroAssemblerX86Common::moveConditionally32):
1535         * assembler/MacroAssemblerX86_64.h:
1536         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1537         (JSC::MacroAssemblerX86_64::swap64):
1538         (JSC::MacroAssemblerX86_64::move64ToDouble):
1539         * assembler/X86Assembler.h:
1540         (JSC::X86Assembler::xchgl_rr):
1541         (JSC::X86Assembler::xchgl_rm):
1542         (JSC::X86Assembler::xchgq_rr):
1543         (JSC::X86Assembler::xchgq_rm):
1544         (JSC::X86Assembler::movl_rr):
1545         * b3/B3CCallValue.h:
1546         * b3/B3Compilation.cpp:
1547         (JSC::B3::Compilation::Compilation):
1548         (JSC::B3::Compilation::~Compilation):
1549         * b3/B3Compilation.h:
1550         (JSC::B3::Compilation::code):
1551         * b3/B3LowerToAir.cpp:
1552         (JSC::B3::Air::LowerToAir::run):
1553         (JSC::B3::Air::LowerToAir::createSelect):
1554         (JSC::B3::Air::LowerToAir::lower):
1555         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1556         * b3/B3OpaqueByproducts.h:
1557         (JSC::B3::OpaqueByproducts::count):
1558         * b3/B3StackmapSpecial.cpp:
1559         (JSC::B3::StackmapSpecial::isArgValidForValue):
1560         (JSC::B3::StackmapSpecial::isArgValidForRep):
1561         * b3/air/AirArg.cpp:
1562         (JSC::B3::Air::Arg::isStackMemory):
1563         (JSC::B3::Air::Arg::isRepresentableAs):
1564         (JSC::B3::Air::Arg::usesTmp):
1565         (JSC::B3::Air::Arg::canRepresent):
1566         (JSC::B3::Air::Arg::isCompatibleType):
1567         (JSC::B3::Air::Arg::dump):
1568         (WTF::printInternal):
1569         * b3/air/AirArg.h:
1570         (JSC::B3::Air::Arg::forEachType):
1571         (JSC::B3::Air::Arg::isWarmUse):
1572         (JSC::B3::Air::Arg::cooled):
1573         (JSC::B3::Air::Arg::isEarlyUse):
1574         (JSC::B3::Air::Arg::imm64):
1575         (JSC::B3::Air::Arg::immPtr):
1576         (JSC::B3::Air::Arg::addr):
1577         (JSC::B3::Air::Arg::special):
1578         (JSC::B3::Air::Arg::widthArg):
1579         (JSC::B3::Air::Arg::operator==):
1580         (JSC::B3::Air::Arg::isImm64):
1581         (JSC::B3::Air::Arg::isSomeImm):
1582         (JSC::B3::Air::Arg::isAddr):
1583         (JSC::B3::Air::Arg::isIndex):
1584         (JSC::B3::Air::Arg::isMemory):
1585         (JSC::B3::Air::Arg::isRelCond):
1586         (JSC::B3::Air::Arg::isSpecial):
1587         (JSC::B3::Air::Arg::isWidthArg):
1588         (JSC::B3::Air::Arg::isAlive):
1589         (JSC::B3::Air::Arg::base):
1590         (JSC::B3::Air::Arg::hasOffset):
1591         (JSC::B3::Air::Arg::offset):
1592         (JSC::B3::Air::Arg::width):
1593         (JSC::B3::Air::Arg::isGPTmp):
1594         (JSC::B3::Air::Arg::isGP):
1595         (JSC::B3::Air::Arg::isFP):
1596         (JSC::B3::Air::Arg::isType):
1597         (JSC::B3::Air::Arg::isGPR):
1598         (JSC::B3::Air::Arg::isValidForm):
1599         (JSC::B3::Air::Arg::forEachTmpFast):
1600         * b3/air/AirBasicBlock.h:
1601         (JSC::B3::Air::BasicBlock::insts):
1602         (JSC::B3::Air::BasicBlock::appendInst):
1603         (JSC::B3::Air::BasicBlock::append):
1604         * b3/air/AirCCallingConvention.cpp: Added.
1605         (JSC::B3::Air::computeCCallingConvention):
1606         (JSC::B3::Air::cCallResult):
1607         (JSC::B3::Air::buildCCall):
1608         * b3/air/AirCCallingConvention.h: Added.
1609         * b3/air/AirCode.h:
1610         (JSC::B3::Air::Code::proc):
1611         * b3/air/AirCustom.cpp: Added.
1612         (JSC::B3::Air::CCallCustom::isValidForm):
1613         (JSC::B3::Air::CCallCustom::generate):
1614         (JSC::B3::Air::ShuffleCustom::isValidForm):
1615         (JSC::B3::Air::ShuffleCustom::generate):
1616         * b3/air/AirCustom.h:
1617         (JSC::B3::Air::PatchCustom::forEachArg):
1618         (JSC::B3::Air::PatchCustom::generate):
1619         (JSC::B3::Air::CCallCustom::forEachArg):
1620         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1621         (JSC::B3::Air::CCallCustom::admitsStack):
1622         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1623         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1624         (JSC::B3::Air::ShuffleCustom::forEachArg):
1625         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1626         (JSC::B3::Air::ShuffleCustom::admitsStack):
1627         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1628         * b3/air/AirEmitShuffle.cpp: Added.
1629         (JSC::B3::Air::ShufflePair::dump):
1630         (JSC::B3::Air::emitShuffle):
1631         * b3/air/AirEmitShuffle.h: Added.
1632         (JSC::B3::Air::ShufflePair::ShufflePair):
1633         (JSC::B3::Air::ShufflePair::src):
1634         (JSC::B3::Air::ShufflePair::dst):
1635         (JSC::B3::Air::ShufflePair::width):
1636         * b3/air/AirGenerate.cpp:
1637         (JSC::B3::Air::prepareForGeneration):
1638         * b3/air/AirGenerate.h:
1639         * b3/air/AirInsertionSet.cpp:
1640         (JSC::B3::Air::InsertionSet::insertInsts):
1641         (JSC::B3::Air::InsertionSet::execute):
1642         * b3/air/AirInsertionSet.h:
1643         (JSC::B3::Air::InsertionSet::insertInst):
1644         (JSC::B3::Air::InsertionSet::insert):
1645         * b3/air/AirInst.h:
1646         (JSC::B3::Air::Inst::operator bool):
1647         (JSC::B3::Air::Inst::append):
1648         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1649         (JSC::B3::Air::lowerAfterRegAlloc):
1650         * b3/air/AirLowerAfterRegAlloc.h: Added.
1651         * b3/air/AirLowerMacros.cpp: Added.
1652         (JSC::B3::Air::lowerMacros):
1653         * b3/air/AirLowerMacros.h: Added.
1654         * b3/air/AirOpcode.opcodes:
1655         * b3/air/AirRegisterPriority.h:
1656         (JSC::B3::Air::regsInPriorityOrder):
1657         * b3/air/testair.cpp: Added.
1658         (hiddenTruthBecauseNoReturnIsStupid):
1659         (usage):
1660         (JSC::B3::Air::compile):
1661         (JSC::B3::Air::invoke):
1662         (JSC::B3::Air::compileAndRun):
1663         (JSC::B3::Air::testSimple):
1664         (JSC::B3::Air::loadConstantImpl):
1665         (JSC::B3::Air::loadConstant):
1666         (JSC::B3::Air::loadDoubleConstant):
1667         (JSC::B3::Air::testShuffleSimpleSwap):
1668         (JSC::B3::Air::testShuffleSimpleShift):
1669         (JSC::B3::Air::testShuffleLongShift):
1670         (JSC::B3::Air::testShuffleLongShiftBackwards):
1671         (JSC::B3::Air::testShuffleSimpleRotate):
1672         (JSC::B3::Air::testShuffleSimpleBroadcast):
1673         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1674         (JSC::B3::Air::testShuffleTreeShift):
1675         (JSC::B3::Air::testShuffleTreeShiftBackward):
1676         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1677         (JSC::B3::Air::testShuffleMultipleShifts):
1678         (JSC::B3::Air::testShuffleRotateWithFringe):
1679         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1680         (JSC::B3::Air::testShuffleMultipleRotates):
1681         (JSC::B3::Air::testShuffleShiftAndRotate):
1682         (JSC::B3::Air::testShuffleShiftAllRegs):
1683         (JSC::B3::Air::testShuffleRotateAllRegs):
1684         (JSC::B3::Air::testShuffleSimpleSwap64):
1685         (JSC::B3::Air::testShuffleSimpleShift64):
1686         (JSC::B3::Air::testShuffleSwapMixedWidth):
1687         (JSC::B3::Air::testShuffleShiftMixedWidth):
1688         (JSC::B3::Air::testShuffleShiftMemory):
1689         (JSC::B3::Air::testShuffleShiftMemoryLong):
1690         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1691         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1692         (JSC::B3::Air::combineHiLo):
1693         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1694         (JSC::B3::Air::testShuffleRotateMemory):
1695         (JSC::B3::Air::testShuffleRotateMemory64):
1696         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1697         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1698         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1699         (JSC::B3::Air::testShuffleSwapDouble):
1700         (JSC::B3::Air::testShuffleShiftDouble):
1701         (JSC::B3::Air::run):
1702         (run):
1703         (main):
1704         * b3/testb3.cpp:
1705         (JSC::B3::testCallSimple):
1706         (JSC::B3::testCallRare):
1707         (JSC::B3::testCallRareLive):
1708         (JSC::B3::testCallSimplePure):
1709         (JSC::B3::run):
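
        The shuffle lowering described in the entry above, as an added example that is not
        JavaScriptCore's code: a small resolver in the spirit of emitShuffle() that peels shifts
        off as plain moves and breaks the remaining rotations with swaps, plus a register-file
        model that checks the emitted sequence against the semantics the entry promises (every
        destination receives its source's pre-shuffle value; 32-bit writes zero-extend, as ZDef
        requires). ShufflePair, Move, execute, expected, shuffleIsCorrect and swapCount are
        this example's own names, and the register names and values used with it are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// One shuffle pair, as in the ChangeLog: move `width` bits from src to dst.
// A 32-bit write zero-extends its destination (ZDef semantics).
struct ShufflePair { std::string src, dst; int width; };

// One emitted instruction: Mov a -> b, or Swap a <-> b.
struct Move { enum Kind { Mov, Swap } kind; std::string a, b; int width; };

static uint64_t maskFor(int width) { return width >= 64 ? ~uint64_t(0) : (uint64_t(1) << width) - 1; }

// Lower a shuffle to plain moves and swaps. Destinations must be distinct; one source
// may feed several destinations (a broadcast). Example code, not B3's emitShuffle().
std::vector<Move> emitShuffle(std::vector<ShufflePair> pairs)
{
    std::vector<Move> out;
    // Phase 1: peel off "shifts". A pair whose destination no other pending pair still
    // reads can be emitted as a plain move without clobbering anything; for
    // (a => b, b => c) this emits b => c first and a => b second.
    for (bool progress = true; progress;) {
        progress = false;
        for (size_t i = 0; i < pairs.size() && !progress; ++i) {
            bool dstStillRead = false;
            for (size_t j = 0; j < pairs.size(); ++j)
                dstStillRead |= (j != i && pairs[j].src == pairs[i].dst);
            if (dstStillRead)
                continue;
            out.push_back({ Move::Mov, pairs[i].src, pairs[i].dst, pairs[i].width });
            pairs.erase(pairs.begin() + i);
            progress = true;
        }
    }
    // Phase 2: what remains are "rotations" (every destination is also a source), which
    // no plain move can break. A swap places one value and parks the displaced value in
    // the old source, so the pair that was going to read the destination is redirected
    // to read from there instead. Every swap shortens the cycle by one.
    while (!pairs.empty()) {
        ShufflePair first = pairs.front();
        pairs.erase(pairs.begin());
        int swapWidth = first.width;
        for (const ShufflePair& p : pairs)
            if (p.src == first.dst)
                swapWidth = std::max(swapWidth, p.width); // keep the displaced value intact
        out.push_back({ Move::Swap, first.src, first.dst, swapWidth });
        if (first.width < swapWidth) // narrow pair: zero-extend its destination afterwards
            out.push_back({ Move::Mov, first.dst, first.dst, first.width });
        for (size_t i = 0; i < pairs.size(); ++i) {
            if (pairs[i].src != first.dst)
                continue;
            pairs[i].src = first.src;
            if (pairs[i].src == pairs[i].dst) { // cycle closed; at most a truncation remains
                if (pairs[i].width < 64)
                    out.push_back({ Move::Mov, pairs[i].dst, pairs[i].dst, pairs[i].width });
                pairs.erase(pairs.begin() + i);
            }
            break; // destinations are unique, so only one pair read first.dst
        }
    }
    return out;
}

using Registers = std::map<std::string, uint64_t>;

// Execute an emitted sequence against a modelled register file.
Registers execute(Registers regs, const std::vector<Move>& moves)
{
    for (const Move& m : moves) {
        uint64_t mask = maskFor(m.width);
        if (m.kind == Move::Mov) {
            regs[m.b] = regs[m.a] & mask;
        } else {
            uint64_t a = regs[m.a] & mask, b = regs[m.b] & mask;
            regs[m.a] = b;
            regs[m.b] = a;
        }
    }
    return regs;
}

// What the Shuffle promises: each destination receives its source's value as it was
// before the shuffle began; all other locations are untouched.
Registers expected(Registers regs, const std::vector<ShufflePair>& pairs)
{
    Registers before = regs;
    for (const ShufflePair& p : pairs)
        regs[p.dst] = before[p.src] & maskFor(p.width);
    return regs;
}

bool shuffleIsCorrect(const Registers& regs, const std::vector<ShufflePair>& pairs)
{
    return execute(regs, emitShuffle(pairs)) == expected(regs, pairs);
}

size_t swapCount(const std::vector<Move>& moves)
{
    size_t n = 0;
    for (const Move& m : moves)
        n += m.kind == Move::Swap ? 1 : 0;
    return n;
}
```

        The model-based check is the part worth keeping: a lowering that is wrong only for
        rotations or for mixed 32/64-bit pairs still passes every shift-only test, and running
        the emitted moves through a model and comparing the result with the declared semantics
        catches that class of bug without having to hand-write the expected register contents
        for every case.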
1710
1711 2016-01-14  Keith Miller  <keith_miller@apple.com>
1712
1713         Unreviewed, mark passing es6 tests as no longer failing.
1714
1715         * tests/es6.yaml:
1716
1717 2016-01-14  Keith Miller  <keith_miller@apple.com>
1718
1719         [ES6] Support subclassing Function.
1720         https://bugs.webkit.org/show_bug.cgi?id=153081
1721
1722         Reviewed by Geoffrey Garen.
1723
1724         This patch enables subclassing the Function object. It also fixes an existing
1725         bug that prevented users from subclassing functions that have a function in
1726         the superclass's prototype property.
1727
1728         * bytecompiler/NodesCodegen.cpp:
1729         (JSC::ClassExprNode::emitBytecode):
1730         * runtime/FunctionConstructor.cpp:
1731         (JSC::constructWithFunctionConstructor):
1732         (JSC::constructFunction):
1733         (JSC::constructFunctionSkippingEvalEnabledCheck):
1734         * runtime/FunctionConstructor.h:
1735         * runtime/JSFunction.cpp:
1736         (JSC::JSFunction::create):
1737         * runtime/JSFunction.h:
1738         (JSC::JSFunction::createImpl):
1739         * runtime/JSFunctionInlines.h:
1740         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1741         (JSC::JSFunction::JSFunction): Deleted.
1742         * tests/stress/class-subclassing-function.js: Added.
1743
1744 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
1745
1746         [CMake] Do not use LLVM static libraries for FTL JIT
1747         https://bugs.webkit.org/show_bug.cgi?id=151559
1748
1749         Reviewed by Michael Catanzaro.
1750
1751         Allow ports to decide whether to prefer linking to llvm static or
1752         dynamic libraries. This patch only changes the behavior of the GTK
1753         port; other ports can change the default behavior by setting
1754         llvmForJSC_LIBRARIES in their platform specific cmake files.
1755
1756         * CMakeLists.txt: Move llvmForJSC library definition after the
1757         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
1758         files to set their own llvmForJSC_LIBRARIES. When not set, it
1759         defaults to LLVM_STATIC_LIBRARIES. The command to create
1760         WebKitLLVMLibraryToken.h no longer depends on the static
1761         libraries, since we are going to make the build fail anyway when
1762         not found in case of linking to the static libraries. If the platform
1763         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
1764         installed to the given destination.
1765         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
1766         llvmForJSC_INSTALL_DIR.
1767
1768 2016-01-13  Saam barati  <sbarati@apple.com>
1769
1770         NativeExecutable should have a name field
1771         https://bugs.webkit.org/show_bug.cgi?id=153083
1772
1773         Reviewed by Geoffrey Garen.
1774
1775         This is going to help the SamplingProfiler come up
1776         with names for NativeExecutable objects it encounters.
1777
1778         * jit/JITThunks.cpp:
1779         (JSC::JITThunks::finalize):
1780         (JSC::JITThunks::hostFunctionStub):
1781         * jit/JITThunks.h:
1782         * runtime/Executable.h:
1783         * runtime/JSBoundFunction.cpp:
1784         (JSC::JSBoundFunction::create):
1785         * runtime/JSFunction.cpp:
1786         (JSC::JSFunction::create):
1787         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
1788         * runtime/JSFunction.h:
1789         (JSC::JSFunction::createImpl):
1790         * runtime/JSNativeStdFunction.cpp:
1791         (JSC::JSNativeStdFunction::create):
1792         * runtime/VM.cpp:
1793         (JSC::thunkGeneratorForIntrinsic):
1794         (JSC::VM::getHostFunction):
1795         * runtime/VM.h:
1796         (JSC::VM::getCTIStub):
1797         (JSC::VM::exceptionOffset):
1798
1799 2016-01-13  Keith Miller  <keith_miller@apple.com>
1800
1801         [ES6] Support subclassing the String builtin object
1802         https://bugs.webkit.org/show_bug.cgi?id=153068
1803
1804         Reviewed by Michael Saboff.
1805
1806         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
1807         the wrong indexing type for builtins constructed without storage.
1808
1809         * runtime/PrototypeMap.cpp:
1810         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1811         * runtime/StringConstructor.cpp:
1812         (JSC::constructWithStringConstructor):
1813         * tests/stress/class-subclassing-string.js: Added.
1814         (test):
1815
1816 2016-01-13  Mark Lam  <mark.lam@apple.com>
1817
1818         The StringFromCharCode DFG intrinsic should support untyped operands.
1819         https://bugs.webkit.org/show_bug.cgi?id=153046
1820
1821         Reviewed by Geoffrey Garen.
1822
1823         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
1824         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
1825         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
1826         exits drops to 202.
1827
1828         * dfg/DFGClobberize.h:
1829         (JSC::DFG::clobberize):
1830         * dfg/DFGFixupPhase.cpp:
1831         (JSC::DFG::FixupPhase::fixupNode):
1832         * dfg/DFGOperations.cpp:
1833         * dfg/DFGOperations.h:
1834         * dfg/DFGSpeculativeJIT.cpp:
1835         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1836         * dfg/DFGSpeculativeJIT.h:
1837         (JSC::DFG::SpeculativeJIT::callOperation):
1838         * dfg/DFGValidate.cpp:
1839         (JSC::DFG::Validate::validate):
1840         * runtime/JSCJSValueInlines.h:
1841         (JSC::JSValue::toUInt32):
1842
1843 2016-01-13  Mark Lam  <mark.lam@apple.com>
1844
1845         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
1846         https://bugs.webkit.org/show_bug.cgi?id=153080
1847
1848         Reviewed by Geoffrey Garen.
1849
1850         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
1851         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
1852         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
1853         many other arith nodes in the DFG.  This patch renames these functions as
1854         Graph::binaryArithShouldSpeculateInt32/machineInt() and
1855         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
1856         in the DFG.
1857
1858         * dfg/DFGFixupPhase.cpp:
1859         (JSC::DFG::FixupPhase::fixupNode):
1860         * dfg/DFGGraph.h:
1861         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
1862         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
1863         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
1864         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
1865         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
1866         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
1867         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
1868         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
1869         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
1870         * dfg/DFGPredictionPropagationPhase.cpp:
1871         (JSC::DFG::PredictionPropagationPhase::propagate):
1872         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1873
1874 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1875
1876         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
1877         https://bugs.webkit.org/show_bug.cgi?id=153072
1878         <rdar://problem/24168312>
1879
1880         Reviewed by Timothy Hatcher.
1881
1882         * parser/Lexer.cpp:
1883         (JSC::Lexer<T>::parseCommentDirective):
1884         Just keep overwriting the member variable so we end up with
1885         the last directive value.
1886
1887 2016-01-13  Commit Queue  <commit-queue@webkit.org>
1888
1889         Unreviewed, rolling out r194969.
1890         https://bugs.webkit.org/show_bug.cgi?id=153075
1891
1892         This change broke the iOS build (Requested by ryanhaddad on
1893         #webkit).
1894
1895         Reverted changeset:
1896
1897         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
1898         Air"
1899         https://bugs.webkit.org/show_bug.cgi?id=153065
1900         http://trac.webkit.org/changeset/194969
1901
1902 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
1903
1904         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1905         https://bugs.webkit.org/show_bug.cgi?id=153065
1906
1907         Reviewed by Mark Lam.
1908         Reviewed by Filip Pizlo.
1909
1910         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
1911         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1912         Air already knows about it.
1913
1914         In this patch, the offsets are changed to something valid for ARM64
1915         prior to lowering. When an offset is invalid, it is just computed
1916         before the instruction and used as the base for addressing.
1917
1918         * JavaScriptCore.xcodeproj/project.pbxproj:
1919         * b3/B3Generate.cpp:
1920         (JSC::B3::generateToAir):
1921         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1922         (JSC::B3::legalizeMemoryOffsets):
1923         * b3/B3LegalizeMemoryOffsets.h: Added.
1924         * b3/B3LowerToAir.cpp:
1925         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1926         * b3/testb3.cpp:
1927         (JSC::B3::testLoadWithOffsetImpl):
1928         (JSC::B3::testLoadOffsetImm9Max):
1929         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1930         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1931         (JSC::B3::testLoadOffsetImm9Min):
1932         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1933         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1934         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1935         (JSC::B3::run):
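
        The offset legalization the entry above describes, as an added example (our own
        illustration, not B3's B3LegalizeMemoryOffsets code): an encodability check for the two
        ARM64 immediate forms, the signed 9-bit unscaled offset and the unsigned 12-bit offset
        scaled by the access size (the numeric limits come from the ARM64 ISA rather than from
        the entry), plus the fallback of computing base + offset into a temporary before the
        instruction and addressing (tmp, 0) instead. MemoryOperand, LegalizedLoad, legalizeLoad
        and the temporary name %t0 are constructed for this example.

```cpp
#include <cstdint>
#include <string>

// Can `offset` be encoded directly in an ARM64 load/store of `accessBytes` bytes?
// ARM64 offers a signed 9-bit unscaled immediate (LDUR/STUR) and an unsigned 12-bit
// immediate scaled by the access size (LDR/STR); any other offset must be computed
// into a register first. Limits are the ISA's, assumed here rather than taken from B3.
bool isLegalARM64Offset(int64_t offset, int accessBytes)
{
    if (offset >= -256 && offset <= 255)
        return true; // signed imm9, unscaled
    if (offset < 0 || offset % accessBytes != 0)
        return false; // the scaled form is unsigned and must be a multiple of the access size
    return offset / accessBytes <= 4095; // unsigned imm12, scaled
}

// A memory operand before and after legalization: base register plus offset.
struct MemoryOperand { std::string base; int64_t offset; };

struct LegalizedLoad {
    MemoryOperand operand; // what the load should now address
    bool addressComputed;  // true if an add (base + offset -> tmp) must precede the load
    std::string tmp;       // the register holding base + offset when addressComputed
};

// Mirror of the strategy in the entry: when the offset is not encodable, compute
// base + offset into a fresh tmp before the instruction and use (tmp, 0) as the address.
// `tmpName` is a constructed placeholder for an allocator-assigned register.
LegalizedLoad legalizeLoad(const MemoryOperand& operand, int accessBytes, const std::string& tmpName = "%t0")
{
    if (isLegalARM64Offset(operand.offset, accessBytes))
        return { operand, false, "" };
    return { { tmpName, 0 }, true, tmpName };
}
```

        The test names in the entry (Imm9Max, Imm9MaxPlusOne, Imm9MaxPlusTwo, ScaledUnsignedImm12Max
        and so on) map directly onto the boundaries this check encodes: for an 8-byte access, 256
        lies beyond imm9 but is encodable as a scaled offset, while 257 fits neither form and so
        forces the address computation.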
1936
1937 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
1938
1939         [FTL][Win64] Compile error.
1940         https://bugs.webkit.org/show_bug.cgi?id=153031
1941
1942         Reviewed by Brent Fulgham.
1943
1944         The header file dlfcn.h does not exist on Windows.
1945
1946         * ftl/FTLLowerDFGToLLVM.cpp:
1947
1948 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
1949
1950         Add a build flag for custom element
1951         https://bugs.webkit.org/show_bug.cgi?id=153005
1952
1953         Reviewed by Alex Christensen.
1954
1955         * Configurations/FeatureDefines.xcconfig:
1956
1957 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1958
1959         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
1960         https://bugs.webkit.org/show_bug.cgi?id=153024
1961
1962         Reviewed by Michael Saboff.
1963
1964         * b3/B3BasicBlock.h:
1965         Export the symbols for testb3.
1966
1967         * b3/air/AirOpcode.opcodes:
1968         We had 2 invalid opcodes:
1969         -Compare with immediate just does not exist.
1970         -Test64 with immediate exists but Air does not recognize
1971          the valid form of bit-immediates.
1972
1973         * b3/testb3.cpp:
1974         (JSC::B3::genericTestCompare):
1975         (JSC::B3::testCompareImpl):
1976         Extend the tests to cover what was invalid.
1977
1978 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1979
1980         [JSC] JSC does not build with FTL_USES_B3 on ARM64
1981         https://bugs.webkit.org/show_bug.cgi?id=153011
1982
1983         Reviewed by Saam Barati.
1984
1985         Apparently the static const member can only be used for constexpr.
1986         C++ is weird.
1987
1988         * jit/GPRInfo.cpp:
1989         * jit/GPRInfo.h:
1990
1991 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
1992
1993         Web Inspector: console.count() shouldn't show a colon in front of a number
1994         https://bugs.webkit.org/show_bug.cgi?id=152038
1995
1996         Reviewed by Brian Burg.
1997
1998         * inspector/agents/InspectorConsoleAgent.cpp:
1999         (Inspector::InspectorConsoleAgent::count):
2000         Do not include title and colon if the title is empty.
2001
2002 2016-01-11  Dan Bernstein  <mitz@apple.com>
2003
2004         Reverted r194317.
2005
2006         Reviewed by Joseph Pecoraro.
2007
2008         r194317 did not contain a change log entry, did not explain the motivation, did not name a
2009         reviewer, and does not seem necessary.
2010
2011         * JavaScriptCore.xcodeproj/project.pbxproj:
2012
2013 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
2014
2015         keywords ("super", "delete", etc) should be valid method names
2016         https://bugs.webkit.org/show_bug.cgi?id=144281
2017
2018         Reviewed by Ryosuke Niwa.
2019
2020         * parser/Parser.cpp:
2021         (JSC::Parser<LexerType>::parseClass):
2022         - When parsing "static(" treat it as a method named "static" and not a static method.
2023         - When parsing a keyword treat it like a string method name (get and set are not keywords)
2024         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword
2025
2026         (JSC::Parser<LexerType>::parseGetterSetter):
2027         - When parsing the getter / setter's name, allow it to be a keyword.
2028
2029 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2030
2031         [JSC] Add Div/Mod and fix Mul for B3 ARM64
2032         https://bugs.webkit.org/show_bug.cgi?id=152978
2033
2034         Reviewed by Filip Pizlo.
2035
2036         Add the 3-operand forms of Mul.
2037         Remove the form taking an immediate on ARM64; there is no such instruction.
2038
2039         Add Div with sdiv.
2040
2041         Unfortunately, I discovered ChillMod's division by zero
2042         makes it non-trivial on ARM64. I just made it into a macro like on x86.
2043
2044         * assembler/MacroAssemblerARM64.h:
2045         (JSC::MacroAssemblerARM64::mul32):
2046         (JSC::MacroAssemblerARM64::mul64):
2047         (JSC::MacroAssemblerARM64::div32):
2048         (JSC::MacroAssemblerARM64::div64):
2049         * b3/B3LowerMacros.cpp:
2050         * b3/B3LowerToAir.cpp:
2051         (JSC::B3::Air::LowerToAir::lower):
2052         * b3/air/AirOpcode.opcodes:
2053
2054 2016-01-11  Keith Miller  <keith_miller@apple.com>
2055
2056         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
2057         https://bugs.webkit.org/show_bug.cgi?id=152949
2058
2059         Reviewed by Michael Saboff.
2060
2061         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
2062
2063         * runtime/ArrayConstructor.cpp:
2064         (JSC::constructArrayWithSizeQuirk):
2065         (JSC::constructWithArrayConstructor):
2066         * runtime/InternalFunction.h:
2067         (JSC::InternalFunction::createStructure):
2068         * runtime/JSGlobalObject.h:
2069         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2070         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2071         (JSC::constructEmptyArray):
2072         (JSC::constructArray):
2073         (JSC::constructArrayNegativeIndexed):
2074         * runtime/PrototypeMap.cpp:
2075         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2076         * runtime/Structure.h:
2077         * runtime/StructureInlines.h:
2078
2079 2016-01-08  Keith Miller  <keith_miller@apple.com>
2080
2081         Use a profile to store allocation structures for subclasses of InternalFunctions
2082         https://bugs.webkit.org/show_bug.cgi?id=152942
2083
2084         Reviewed by Michael Saboff.
2085
2086         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
2087         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
2088         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
2089         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
2090         constructor as a new.target to any other constructor. This means that a user can pass some
2091         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
2092         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
2093         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
2094         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
2095         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
2096         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
2097
2098         Additionally, this patch adds subclassing to some omitted classes.
2099
2100         * API/JSObjectRef.cpp:
2101         (JSObjectMakeDate):
2102         (JSObjectMakeRegExp):
2103         * JavaScriptCore.xcodeproj/project.pbxproj:
2104         * bytecode/InternalFunctionAllocationProfile.h: Added.
2105         (JSC::InternalFunctionAllocationProfile::structure):
2106         (JSC::InternalFunctionAllocationProfile::clear):
2107         (JSC::InternalFunctionAllocationProfile::visitAggregate):
2108         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
2109         * dfg/DFGByteCodeParser.cpp:
2110         (JSC::DFG::ByteCodeParser::parseBlock):
2111         * dfg/DFGOperations.cpp:
2112         * dfg/DFGSpeculativeJIT32_64.cpp:
2113         (JSC::DFG::SpeculativeJIT::compile):
2114         * dfg/DFGSpeculativeJIT64.cpp:
2115         (JSC::DFG::SpeculativeJIT::compile):
2116         * jit/JITOpcodes.cpp:
2117         (JSC::JIT::emit_op_create_this):
2118         * jit/JITOpcodes32_64.cpp:
2119         (JSC::JIT::emit_op_create_this):
2120         * llint/LowLevelInterpreter32_64.asm:
2121         * llint/LowLevelInterpreter64.asm:
2122         * runtime/BooleanConstructor.cpp:
2123         (JSC::constructWithBooleanConstructor):
2124         * runtime/CommonSlowPaths.cpp:
2125         (JSC::SLOW_PATH_DECL):
2126         * runtime/DateConstructor.cpp:
2127         (JSC::constructDate):
2128         (JSC::constructWithDateConstructor):
2129         * runtime/DateConstructor.h:
2130         * runtime/ErrorConstructor.cpp:
2131         (JSC::Interpreter::constructWithErrorConstructor):
2132         * runtime/FunctionRareData.cpp:
2133         (JSC::FunctionRareData::create):
2134         (JSC::FunctionRareData::visitChildren):
2135         (JSC::FunctionRareData::FunctionRareData):
2136         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2137         (JSC::FunctionRareData::clear):
2138         (JSC::FunctionRareData::finishCreation): Deleted.
2139         (JSC::FunctionRareData::initialize): Deleted.
2140         * runtime/FunctionRareData.h:
2141         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
2142         (JSC::FunctionRareData::objectAllocationProfile):
2143         (JSC::FunctionRareData::objectAllocationStructure):
2144         (JSC::FunctionRareData::allocationProfileWatchpointSet):
2145         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
2146         (JSC::FunctionRareData::internalFunctionAllocationStructure):
2147         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
2148         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
2149         (JSC::FunctionRareData::allocationProfile): Deleted.
2150         (JSC::FunctionRareData::allocationStructure): Deleted.
2151         (JSC::FunctionRareData::isInitialized): Deleted.
2152         * runtime/InternalFunction.cpp:
2153         (JSC::InternalFunction::createSubclassStructure):
2154         * runtime/InternalFunction.h:
2155         * runtime/JSArrayBufferConstructor.cpp:
2156         (JSC::constructArrayBuffer):
2157         * runtime/JSFunction.cpp:
2158         (JSC::JSFunction::allocateRareData):
2159         (JSC::JSFunction::allocateAndInitializeRareData):
2160         (JSC::JSFunction::initializeRareData):
2161         * runtime/JSFunction.h:
2162         (JSC::JSFunction::rareData):
2163         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2164         (JSC::constructGenericTypedArrayView):
2165         * runtime/JSObject.h:
2166         (JSC::JSFinalObject::typeInfo):
2167         (JSC::JSFinalObject::createStructure):
2168         * runtime/JSPromiseConstructor.cpp:
2169         (JSC::constructPromise):
2170         * runtime/JSPromiseConstructor.h:
2171         * runtime/JSWeakMap.cpp:
2172         * runtime/JSWeakSet.cpp:
2173         * runtime/MapConstructor.cpp:
2174         (JSC::constructMap):
2175         * runtime/NativeErrorConstructor.cpp:
2176         (JSC::Interpreter::constructWithNativeErrorConstructor):
2177         * runtime/NumberConstructor.cpp:
2178         (JSC::constructWithNumberConstructor):
2179         * runtime/PrototypeMap.cpp:
2180         (JSC::PrototypeMap::createEmptyStructure):
2181         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2182         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2183         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
2184         * runtime/PrototypeMap.h:
2185         * runtime/RegExpConstructor.cpp:
2186         (JSC::getRegExpStructure):
2187         (JSC::constructRegExp):
2188         (JSC::constructWithRegExpConstructor):
2189         * runtime/RegExpConstructor.h:
2190         * runtime/SetConstructor.cpp:
2191         (JSC::constructSet):
2192         * runtime/WeakMapConstructor.cpp:
2193         (JSC::constructWeakMap):
2194         * runtime/WeakSetConstructor.cpp:
2195         (JSC::constructWeakSet):
2196         * tests/stress/class-subclassing-misc.js:
2197         (A):
2198         (D):
2199         (E):
2200         (WM):
2201         (WS):
2202         (test):
2203         * tests/stress/class-subclassing-typedarray.js: Added.
2204         (test):
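
        The following is an added example, not code from WebKit or JavaScriptCore. It shows in plain JavaScript why the cached allocation structure described above has to be checked against the ClassInfo of the constructor that is actually running: Reflect.construct lets any constructor be passed as new.target to a native constructor such as Map or Date. ToyAllocationProfile, its classInfo strings and the helper names are this example's own stand-ins for the C++ profile on FunctionRareData.

```javascript
// Added example (not JSC code). Part 1: the language semantics that force the check.
// Reflect.construct(target, args, newTarget) takes the prototype from newTarget but
// the internal slots from target.
function constructMapWithDateAsNewTarget() {
  const obj = Reflect.construct(Map, [], Date);
  Map.prototype.set.call(obj, "k", 42);            // works: obj carries [[MapData]]
  let dateMethodThrows = false;
  try {
    Date.prototype.getTime.call(obj);              // no [[DateValue]] slot
  } catch (e) {
    dateMethodThrows = e instanceof TypeError;
  }
  return {
    protoIsDatePrototype: Object.getPrototypeOf(obj) === Date.prototype,
    isMapInstance: obj instanceof Map,             // false: the prototype chain is Date's
    isDateInstance: obj instanceof Date,           // true
    mapDataWorks: Map.prototype.get.call(obj, "k") === 42,
    dateMethodThrows,                              // true
  };
}

// Part 2: a toy model (this example's own names) of the per-new.target structure
// cache. A "structure" is just { classInfo, prototype }. The profile hangs off the
// new.target; the ClassInfo is that of the native constructor doing the allocating.
class ToyAllocationProfile {
  constructor(verifyClassInfo) {
    this.verifyClassInfo = verifyClassInfo;        // the check the ChangeLog describes
    this.cached = null;
    this.structuresCreated = 0;
  }
  structureFor(classInfo, prototype) {
    const hit = this.cached &&
      (!this.verifyClassInfo || this.cached.classInfo === classInfo);
    if (hit)
      return this.cached;
    this.structuresCreated++;
    this.cached = { classInfo, prototype };
    return this.cached;
  }
}

// Two native constructors (Map, then Date) are handed the same new.target. With the
// ClassInfo check, Date gets its own structure; without it, Date would be allocated
// with the structure cached for Map.
function simulateSharedNewTarget(verifyClassInfo) {
  const profile = new ToyAllocationProfile(verifyClassInfo);
  const proto = {};                                // stands in for new.target.prototype
  const forMap = profile.structureFor("Map", proto);
  const forMapAgain = profile.structureFor("Map", proto);
  const forDate = profile.structureFor("Date", proto);
  return {
    hitOnSameClassInfo: forMapAgain === forMap,
    dateGotMapStructure: forDate.classInfo === "Map",
    structuresCreated: profile.structuresCreated,
  };
}
```

        simulateSharedNewTarget(true) creates two structures and never hands Date the Map structure; simulateSharedNewTarget(false) creates one and does, which is the mismatch the separate InternalFunctionAllocationProfile exists to prevent.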
2205
2206 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
2207
2208         [B3][Win64] Compile error.
2209         https://bugs.webkit.org/show_bug.cgi?id=152984
2210
2211         Reviewed by Alex Christensen.
2212
2213         Windows does not have bzero, use memset instead.
2214
2215         * b3/air/AirIteratedRegisterCoalescing.cpp:
2216
2217 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
2218
2219         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
2220         https://bugs.webkit.org/show_bug.cgi?id=152923
2221
2222         Reviewed by Alex Christensen.
2223
2224         * jit/CallFrameShuffler.h:
2225         (JSC::CallFrameShuffler::assumeCalleeIsCell):
2226
2227 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
2228
2229         [B3] Fix control reaches end of non-void function GCC warnings on Linux
2230         https://bugs.webkit.org/show_bug.cgi?id=152887
2231
2232         Reviewed by Mark Lam.
2233
2234         * b3/B3LowerToAir.cpp:
2235         (JSC::B3::Air::LowerToAir::createBranch):
2236         (JSC::B3::Air::LowerToAir::createCompare):
2237         (JSC::B3::Air::LowerToAir::createSelect):
2238         * b3/B3Type.h:
2239         (JSC::B3::sizeofType):
2240         * b3/air/AirArg.cpp:
2241         (JSC::B3::Air::Arg::isRepresentableAs):
2242         * b3/air/AirArg.h:
2243         (JSC::B3::Air::Arg::isAnyUse):
2244         (JSC::B3::Air::Arg::isColdUse):
2245         (JSC::B3::Air::Arg::isEarlyUse):
2246         (JSC::B3::Air::Arg::isLateUse):
2247         (JSC::B3::Air::Arg::isAnyDef):
2248         (JSC::B3::Air::Arg::isEarlyDef):
2249         (JSC::B3::Air::Arg::isLateDef):
2250         (JSC::B3::Air::Arg::isZDef):
2251         (JSC::B3::Air::Arg::widthForB3Type):
2252         (JSC::B3::Air::Arg::isGP):
2253         (JSC::B3::Air::Arg::isFP):
2254         (JSC::B3::Air::Arg::isType):
2255         (JSC::B3::Air::Arg::isValidForm):
2256         * b3/air/AirCode.h:
2257         (JSC::B3::Air::Code::newTmp):
2258         (JSC::B3::Air::Code::numTmps):
2259
2260 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2261
2262         Make it easier to introduce exotic instructions to Air
2263         https://bugs.webkit.org/show_bug.cgi?id=152953
2264
2265         Reviewed by Benjamin Poulain.
2266
2267         Currently, you can define new "opcodes" in Air using either:
2268
2269         1) New opcode declared in AirOpcode.opcodes.
2270         2) Patch opcode with a new implementation of Air::Special.
2271
2272         With (1), you are limited to fixed-argument-length instructions. There are other
2273         restrictions as well, like that you can only use the roles that the AirOpcode syntax
2274         supports.
2275
2276         With (2), you can do anything you like, but the instruction will be harder to match
2277         since it will share the same opcode as any other Patch. Also, the instruction will have
2278         the Special argument, which means more busy-work when creating the instruction and
2279         validating it.
2280
2281         This introduces an in-between facility called "custom". This replaces what AirOpcode
2282         previously called "special". A custom instruction is one whose behavior is defined by a
2283         FooCustom struct with some static methods. Calls to those methods are emitted by
2284         opcode_generator.rb.
2285
2286         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
2287         that we now treat the Patch instruction specially in a few places. Those places were
2288         already effectively treating it specially by assuming that only Patch instructions have
2289         a Special as their first argument.
2290
2291         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
2292         for performance work.
2293
2294         * JavaScriptCore.xcodeproj/project.pbxproj:
2295         * b3/air/AirCustom.h: Added.
2296         (JSC::B3::Air::PatchCustom::forEachArg):
2297         (JSC::B3::Air::PatchCustom::isValidFormStatic):
2298         (JSC::B3::Air::PatchCustom::isValidForm):
2299         (JSC::B3::Air::PatchCustom::admitsStack):
2300         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2301         (JSC::B3::Air::PatchCustom::generate):
2302         * b3/air/AirHandleCalleeSaves.cpp:
2303         (JSC::B3::Air::handleCalleeSaves):
2304         * b3/air/AirInst.h:
2305         * b3/air/AirInstInlines.h:
2306         (JSC::B3::Air::Inst::forEach):
2307         (JSC::B3::Air::Inst::extraClobberedRegs):
2308         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2309         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2310         (JSC::B3::Air::Inst::reportUsedRegisters):
2311         (JSC::B3::Air::Inst::hasSpecial): Deleted.
2312         * b3/air/AirOpcode.opcodes:
2313         * b3/air/AirReportUsedRegisters.cpp:
2314         (JSC::B3::Air::reportUsedRegisters):
2315         * b3/air/opcode_generator.rb:
2316
2317 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2318
2319         Turn Check(true) into Patchpoint() followed by Oops
2320         https://bugs.webkit.org/show_bug.cgi?id=152968
2321
2322         Reviewed by Benjamin Poulain.
2323
2324         This is an obvious strength reduction to have, especially since if we discover that the
2325         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
2326         of the basic block unlocks CFG simplification opportunities.
2327
2328         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
2329         implement sinking (bug 152162).
2330
2331         * b3/B3ControlValue.cpp:
2332         (JSC::B3::ControlValue::convertToJump):
2333         (JSC::B3::ControlValue::convertToOops):
2334         (JSC::B3::ControlValue::dumpMeta):
2335         * b3/B3ControlValue.h:
2336         * b3/B3InsertionSet.h:
2337         (JSC::B3::InsertionSet::insertValue):
2338         * b3/B3InsertionSetInlines.h:
2339         (JSC::B3::InsertionSet::insert):
2340         * b3/B3ReduceStrength.cpp:
2341         * b3/B3StackmapValue.h:
2342         * b3/B3Value.h:
2343         * tests/stress/ftl-force-osr-exit.js: Added.
2344
2345 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2346
2347         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
2348         https://bugs.webkit.org/show_bug.cgi?id=152840
2349
2350         Reviewed by Mark Lam.
2351
2352         ARM64 has two kinds of addressing with immediates:
2353         -Signed 9 bits direct (really only -256 to 255).
2354         -Unsigned 12 bits scaled by the load/store size.
2355
2356         When resolving the stack addresses, we easily run
2357         past -256 bytes from FP. Addressing from SP gives us more
2358         room to address the stack efficiently because we can
2359         use unsigned immediates.
2360
2361         * b3/B3StackmapSpecial.cpp:
2362         (JSC::B3::StackmapSpecial::repForArg):
2363         * b3/air/AirAllocateStack.cpp:
2364         (JSC::B3::Air::allocateStack):
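
        An added example, not WebKit code, of the two ARM64 immediate forms the entry describes and of the "prefer FP, fall back to SP" decision built on them. It assumes (this example's own simplification) a frame laid out so that SP = FP - frameSize, so a slot at a negative fpOffset sits at fpOffset + frameSize above SP; the function names are hypothetical.

```javascript
// Added example (not JSC code): ARM64 load/store immediate-offset encodability and
// the FP-or-SP base choice.
const SIMM9_MIN = -256;   // unscaled signed 9-bit form (ldur/stur)
const SIMM9_MAX = 255;
const IMM12_MAX = 4095;   // scaled unsigned 12-bit form (ldr/str)

// Can `offset` be folded into one load/store of `accessSize` bytes?
function isEncodableArm64Offset(offset, accessSize) {
  if (offset >= SIMM9_MIN && offset <= SIMM9_MAX)
    return true;                                   // tiny range, any alignment
  // The 12-bit immediate is multiplied by the access size, so the offset must be a
  // non-negative multiple of that size and the quotient must fit in 12 bits.
  return offset >= 0 && offset % accessSize === 0 && offset / accessSize <= IMM12_MAX;
}

// Resolve a stack slot to { base, offset }: FP if its immediate is valid, otherwise
// SP (assumption: SP = FP - frameSize), otherwise null, meaning neither immediate form
// reaches the slot and a scratch register would be needed (not modelled here).
function resolveStackAddress(fpOffset, frameSize, accessSize) {
  if (isEncodableArm64Offset(fpOffset, accessSize))
    return { base: "fp", offset: fpOffset };
  const spOffset = fpOffset + frameSize;
  // A slot below SP is not part of this frame; refuse it rather than encode it.
  if (spOffset >= 0 && isEncodableArm64Offset(spOffset, accessSize))
    return { base: "sp", offset: spOffset };
  return null;
}
```

        A slot 520 bytes below FP in a 1024-byte frame is out of the -256..255 window, but from SP it is at +504, an aligned multiple of the 8-byte access size, so the SP form encodes it; a misaligned slot beyond the 9-bit window, or a byte access more than 4095 bytes above SP, cannot be reached by either form.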
2365
2366 2016-01-10  Saam barati  <sbarati@apple.com>
2367
2368         Implement a sampling profiler
2369         https://bugs.webkit.org/show_bug.cgi?id=151713
2370
2371         Reviewed by Filip Pizlo.
2372
2373         This patch implements a sampling profiler for JavaScriptCore
2374         that will be used in the Inspector UI. The implementation works as follows:
2375         We queue the sampling profiler to run a task on a background
2376         thread every 1ms. When the queued task executes, the sampling profiler
2377         will pause the JSC execution thread and attempt to take a stack trace.
2378         The sampling profiler does everything it can to be very careful
2379         while taking this stack trace. Because it's reading arbitrary memory,
2380         the sampling profiler must validate every pointer it reads from.
2381
2382         The sampling profiler tries to get an ExecutableBase for every call frame
2383         it reads. It first tries to read the CodeBlock slot. It does this because
2384         it can be 100% certain that a pointer is a CodeBlock while it's taking a
2385         stack trace. But, not every call frame will have a CodeBlock. So we must read
2386         the call frame's callee. For these stack traces where we read the callee, we
2387         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
2388         on the main JSC execution thread, and not on the thread taking the stack
2389         trace. We do this verification either before we run the marking phase in
2390         GC, or when somebody asks the SamplingProfiler to materialize its data.
2391
2392         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
2393         thread is paused (this means it can't do anything that mallocs) because
2394         that could cause a deadlock. Therefore, the sampling profiler grabs
2395         locks for all data structures it consults before it pauses the JSC
2396         execution thread.
2397
2398         * CMakeLists.txt:
2399         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2400         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2401         * JavaScriptCore.xcodeproj/project.pbxproj:
2402         * bytecode/CodeBlock.h:
2403         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2404         (JSC::CodeBlockSet::mark):
2405         * dfg/DFGNodeType.h:
2406         * heap/CodeBlockSet.cpp:
2407         (JSC::CodeBlockSet::add):
2408         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2409         (JSC::CodeBlockSet::clearMarksForFullCollection):
2410         (JSC::CodeBlockSet::lastChanceToFinalize):
2411         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2412         (JSC::CodeBlockSet::contains):
2413         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2414         (JSC::CodeBlockSet::remove): Deleted.
2415         * heap/CodeBlockSet.h:
2416         (JSC::CodeBlockSet::getLock):
2417         (JSC::CodeBlockSet::iterate):
2418         The sampling profiler uses the heap's CodeBlockSet to validate
2419         CodeBlock pointers. This data structure must now be under a lock
2420         because we must be certain we're not pausing the JSC execution thread
2421         while it's manipulating this data structure.
2422
2423         * heap/ConservativeRoots.cpp:
2424         (JSC::ConservativeRoots::ConservativeRoots):
2425         (JSC::ConservativeRoots::grow):
2426         (JSC::ConservativeRoots::genericAddPointer):
2427         (JSC::ConservativeRoots::genericAddSpan):
2428         (JSC::ConservativeRoots::add):
2429         (JSC::CompositeMarkHook::CompositeMarkHook):
2430         (JSC::CompositeMarkHook::mark):
2431         * heap/ConservativeRoots.h:
2432         * heap/Heap.cpp:
2433         (JSC::Heap::markRoots):
2434         (JSC::Heap::visitHandleStack):
2435         (JSC::Heap::visitSamplingProfiler):
2436         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2437         (JSC::Heap::snapshotMarkedSpace):
2438         * heap/Heap.h:
2439         (JSC::Heap::structureIDTable):
2440         (JSC::Heap::codeBlockSet):
2441         * heap/MachineStackMarker.cpp:
2442         (pthreadSignalHandlerSuspendResume):
2443         (JSC::getCurrentPlatformThread):
2444         (JSC::MachineThreads::MachineThreads):
2445         (JSC::MachineThreads::~MachineThreads):
2446         (JSC::MachineThreads::Thread::createForCurrentThread):
2447         (JSC::MachineThreads::Thread::operator==):
2448         (JSC::isThreadInList):
2449         (JSC::MachineThreads::addCurrentThread):
2450         (JSC::MachineThreads::machineThreadForCurrentThread):
2451         (JSC::MachineThreads::removeThread):
2452         (JSC::MachineThreads::gatherFromCurrentThread):
2453         (JSC::MachineThreads::Thread::Thread):
2454         (JSC::MachineThreads::Thread::~Thread):
2455         (JSC::MachineThreads::Thread::suspend):
2456         (JSC::MachineThreads::Thread::resume):
2457         (JSC::MachineThreads::Thread::getRegisters):
2458         (JSC::MachineThreads::Thread::Registers::stackPointer):
2459         (JSC::MachineThreads::Thread::Registers::framePointer):
2460         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2461         (JSC::MachineThreads::Thread::freeRegisters):
2462         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2463         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2464         (JSC::MachineThreads::Thread::operator!=): Deleted.
2465         * heap/MachineStackMarker.h:
2466         (JSC::MachineThreads::Thread::operator!=):
2467         (JSC::MachineThreads::getLock):
2468         (JSC::MachineThreads::threadsListHead):
2469         We can now ask a MachineThreads::Thread for its frame pointer
2470         and program counter on Darwin and Windows platforms. EFL
2471         and GTK implementations will happen in another patch.
2472
2473         * heap/MarkedBlockSet.h:
2474         (JSC::MarkedBlockSet::getLock):
2475         (JSC::MarkedBlockSet::add):
2476         (JSC::MarkedBlockSet::remove):
2477         (JSC::MarkedBlockSet::recomputeFilter):
2478         (JSC::MarkedBlockSet::filter):
2479         (JSC::MarkedBlockSet::set):
2480         * heap/MarkedSpace.cpp:
2481         (JSC::Free::Free):
2482         (JSC::Free::operator()):
2483         (JSC::FreeOrShrink::FreeOrShrink):
2484         (JSC::FreeOrShrink::operator()):
2485         (JSC::MarkedSpace::~MarkedSpace):
2486         (JSC::MarkedSpace::isPagedOut):
2487         (JSC::MarkedSpace::freeBlock):
2488         (JSC::MarkedSpace::freeOrShrinkBlock):
2489         (JSC::MarkedSpace::shrink):
2490         * heap/MarkedSpace.h:
2491         (JSC::MarkedSpace::forEachLiveCell):
2492         (JSC::MarkedSpace::forEachDeadCell):
2493         * interpreter/CallFrame.h:
2494         (JSC::ExecState::calleeAsValue):
2495         (JSC::ExecState::callee):
2496         (JSC::ExecState::unsafeCallee):
2497         (JSC::ExecState::codeBlock):
2498         (JSC::ExecState::scope):
2499         * jit/ExecutableAllocator.cpp:
2500         (JSC::ExecutableAllocator::dumpProfile):
2501         (JSC::ExecutableAllocator::getLock):
2502         (JSC::ExecutableAllocator::isValidExecutableMemory):
2503         * jit/ExecutableAllocator.h:
2504         * jit/ExecutableAllocatorFixedVMPool.cpp:
2505         (JSC::ExecutableAllocator::allocate):
2506         (JSC::ExecutableAllocator::isValidExecutableMemory):
2507         (JSC::ExecutableAllocator::getLock):
2508         (JSC::ExecutableAllocator::committedByteCount):
2509         The sampling profiler consults the ExecutableAllocator to check
2510         if the frame pointer it reads is in executable allocated memory.
2511
2512         * jsc.cpp:
2513         (GlobalObject::finishCreation):
2514         (functionCheckModuleSyntax):
2515         (functionStartSamplingProfiler):
2516         (functionSamplingProfilerStackTraces):
2517         * llint/LLIntPCRanges.h: Added.
2518         (JSC::LLInt::isLLIntPC):
2519         * offlineasm/asm.rb:
2520         I added the ability to test whether the PC is executing
2521         LLInt code because this code is not part of the memory
2522         our executable allocator allocates.
2523
2524         * runtime/Executable.h:
2525         (JSC::ExecutableBase::isModuleProgramExecutable):
2526         (JSC::ExecutableBase::isExecutableType):
2527         (JSC::ExecutableBase::isHostFunction):
2528         * runtime/JSLock.cpp:
2529         (JSC::JSLock::didAcquireLock):
2530         (JSC::JSLock::unlock):
2531         * runtime/Options.h:
2532         * runtime/SamplingProfiler.cpp: Added.
2533         (JSC::reportStats):
2534         (JSC::FrameWalker::FrameWalker):
2535         (JSC::FrameWalker::walk):
2536         (JSC::FrameWalker::wasValidWalk):
2537         (JSC::FrameWalker::advanceToParentFrame):
2538         (JSC::FrameWalker::isAtTop):
2539         (JSC::FrameWalker::resetAtMachineFrame):
2540         (JSC::FrameWalker::isValidFramePointer):
2541         (JSC::FrameWalker::isValidCodeBlock):
2542         (JSC::FrameWalker::tryToGetExecutableFromCallee):
2543         The FrameWalker class is used to walk the stack in a safe
2544         manner. It doesn't do anything that would deadlock, and it
2545         validates all pointers that it sees.
2546
2547         (JSC::SamplingProfiler::SamplingProfiler):
2548         (JSC::SamplingProfiler::~SamplingProfiler):
2549         (JSC::SamplingProfiler::visit):
2550         (JSC::SamplingProfiler::shutdown):
2551         (JSC::SamplingProfiler::start):
2552         (JSC::SamplingProfiler::stop):
2553         (JSC::SamplingProfiler::pause):
2554         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2555         (JSC::SamplingProfiler::dispatchIfNecessary):
2556         (JSC::SamplingProfiler::dispatchFunction):
2557         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2558         (JSC::SamplingProfiler::noticeVMEntry):
2559         (JSC::SamplingProfiler::observeStackTrace):
2560         (JSC::SamplingProfiler::clearData):
2561         (JSC::displayName):
2562         (JSC::startLine):
2563         (JSC::startColumn):
2564         (JSC::sourceID):
2565         (JSC::url):
2566         (JSC::SamplingProfiler::stacktracesAsJSON):
2567         * runtime/SamplingProfiler.h: Added.
2568         (JSC::SamplingProfiler::getLock):
2569         (JSC::SamplingProfiler::setTimingInterval):
2570         (JSC::SamplingProfiler::stackTraces):
2571         * runtime/VM.cpp:
2572         (JSC::VM::VM):
2573         (JSC::VM::~VM):
2574         (JSC::VM::setLastStackTop):
2575         (JSC::VM::createContextGroup):
2576         (JSC::VM::ensureWatchdog):
2577         (JSC::VM::ensureSamplingProfiler):
2578         (JSC::thunkGeneratorForIntrinsic):
2579         * runtime/VM.h:
2580         (JSC::VM::watchdog):
2581         (JSC::VM::isSafeToRecurse):
2582         (JSC::VM::lastStackTop):
2583         (JSC::VM::scratchBufferForSize):
2584         (JSC::VM::samplingProfiler):
2585         (JSC::VM::setShouldRewriteConstAsVar):
2586         (JSC::VM::setLastStackTop): Deleted.
2587         * runtime/VMEntryScope.cpp:
2588         (JSC::VMEntryScope::VMEntryScope):
2589         * tests/stress/sampling-profiler: Added.
2590         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2591         (foo):
2592         (baz):
2593         * tests/stress/sampling-profiler-basic.js: Added.
2594         (bar):
2595         (foo):
2596         (nothing):
2597         (top):
2598         (jaz):
2599         (kaz):
2600         (checkInlining):
2601         * tests/stress/sampling-profiler-deep-stack.js: Added.
2602         (foo):
2603         (hellaDeep):
2604         (start):
2605         * tests/stress/sampling-profiler-microtasks.js: Added.
2606         (testResults):
2607         (loop.jaz):
2608         (loop):
2609         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2610         (assert):
2611         (let.nodePrototype.makeChildIfNeeded):
2612         (makeNode):
2613         (updateCallingContextTree):
2614         (doesTreeHaveStackTrace):
2615         (makeTree):
2616         (runTest):
2617         (dumpTree):
2618         * tools/JSDollarVMPrototype.cpp:
2619         (JSC::JSDollarVMPrototype::isInObjectSpace):
2620         (JSC::JSDollarVMPrototype::isInStorageSpace):
2621         * yarr/YarrJIT.cpp:
2622         (JSC::Yarr::YarrGenerator::generateEnter):
2623         (JSC::Yarr::YarrGenerator::generateReturn):
2624         (JSC::Yarr::YarrGenerator::YarrGenerator):
2625         (JSC::Yarr::YarrGenerator::compile):
2626         (JSC::Yarr::jitCompile):
2627         We now have a boolean that's set to true when
2628         we're executing a RegExp, and to false otherwise.
2629         The boolean lives off of VM.
2630
2631         * CMakeLists.txt:
2632         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2633         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2634         * JavaScriptCore.xcodeproj/project.pbxproj:
2635         * bytecode/CodeBlock.h:
2636         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2637         (JSC::CodeBlockSet::mark):
2638         * dfg/DFGNodeType.h:
2639         * heap/CodeBlockSet.cpp:
2640         (JSC::CodeBlockSet::add):
2641         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2642         (JSC::CodeBlockSet::clearMarksForFullCollection):
2643         (JSC::CodeBlockSet::lastChanceToFinalize):
2644         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2645         (JSC::CodeBlockSet::contains):
2646         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2647         (JSC::CodeBlockSet::remove): Deleted.
2648         * heap/CodeBlockSet.h:
2649         (JSC::CodeBlockSet::getLock):
2650         (JSC::CodeBlockSet::iterate):
2651         * heap/ConservativeRoots.cpp:
2652         (JSC::ConservativeRoots::ConservativeRoots):
2653         (JSC::ConservativeRoots::genericAddPointer):
2654         (JSC::ConservativeRoots::add):
2655         (JSC::CompositeMarkHook::CompositeMarkHook):
2656         (JSC::CompositeMarkHook::mark):
2657         * heap/ConservativeRoots.h:
2658         * heap/Heap.cpp:
2659         (JSC::Heap::markRoots):
2660         (JSC::Heap::visitHandleStack):
2661         (JSC::Heap::visitSamplingProfiler):
2662         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2663         * heap/Heap.h:
2664         (JSC::Heap::structureIDTable):
2665         (JSC::Heap::codeBlockSet):
2666         * heap/HeapInlines.h:
2667         (JSC::Heap::didFreeBlock):
2668         (JSC::Heap::isPointerGCObject):
2669         (JSC::Heap::isValueGCObject):
2670         * heap/MachineStackMarker.cpp:
2671         (pthreadSignalHandlerSuspendResume):
2672         (JSC::getCurrentPlatformThread):
2673         (JSC::MachineThreads::MachineThreads):
2674         (JSC::MachineThreads::~MachineThreads):
2675         (JSC::MachineThreads::Thread::createForCurrentThread):
2676         (JSC::MachineThreads::Thread::operator==):
2677         (JSC::isThreadInList):
2678         (JSC::MachineThreads::addCurrentThread):
2679         (JSC::MachineThreads::machineThreadForCurrentThread):
2680         (JSC::MachineThreads::removeThread):
2681         (JSC::MachineThreads::gatherFromCurrentThread):
2682         (JSC::MachineThreads::Thread::Thread):
2683         (JSC::MachineThreads::Thread::~Thread):
2684         (JSC::MachineThreads::Thread::suspend):
2685         (JSC::MachineThreads::Thread::resume):
2686         (JSC::MachineThreads::Thread::getRegisters):
2687         (JSC::MachineThreads::Thread::Registers::stackPointer):
2688         (JSC::MachineThreads::Thread::Registers::framePointer):
2689         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2690         (JSC::MachineThreads::Thread::freeRegisters):
2691         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2692         (JSC::MachineThreads::Thread::operator!=): Deleted.
2693         * heap/MachineStackMarker.h:
2694         (JSC::MachineThreads::Thread::operator!=):
2695         (JSC::MachineThreads::getLock):
2696         (JSC::MachineThreads::threadsListHead):
2697         * heap/MarkedBlockSet.h:
2698         * heap/MarkedSpace.cpp:
2699         (JSC::Free::Free):
2700         (JSC::Free::operator()):
2701         (JSC::FreeOrShrink::FreeOrShrink):
2702         (JSC::FreeOrShrink::operator()):
2703         * interpreter/CallFrame.h:
2704         (JSC::ExecState::calleeAsValue):
2705         (JSC::ExecState::callee):
2706         (JSC::ExecState::unsafeCallee):
2707         (JSC::ExecState::codeBlock):
2708         (JSC::ExecState::scope):
2709         * jit/ExecutableAllocator.cpp:
2710         (JSC::ExecutableAllocator::dumpProfile):
2711         (JSC::ExecutableAllocator::getLock):
2712         (JSC::ExecutableAllocator::isValidExecutableMemory):
2713         * jit/ExecutableAllocator.h:
2714         * jit/ExecutableAllocatorFixedVMPool.cpp:
2715         (JSC::ExecutableAllocator::allocate):
2716         (JSC::ExecutableAllocator::isValidExecutableMemory):
2717         (JSC::ExecutableAllocator::getLock):
2718         (JSC::ExecutableAllocator::committedByteCount):
2719         * jsc.cpp:
2720         (GlobalObject::finishCreation):
2721         (functionCheckModuleSyntax):
2722         (functionPlatformSupportsSamplingProfiler):
2723         (functionStartSamplingProfiler):
2724         (functionSamplingProfilerStackTraces):
2725         * llint/LLIntPCRanges.h: Added.
2726         (JSC::LLInt::isLLIntPC):
2727         * offlineasm/asm.rb:
2728         * runtime/Executable.h:
2729         (JSC::ExecutableBase::isModuleProgramExecutable):
2730         (JSC::ExecutableBase::isExecutableType):
2731         (JSC::ExecutableBase::isHostFunction):
2732         * runtime/JSLock.cpp:
2733         (JSC::JSLock::didAcquireLock):
2734         (JSC::JSLock::unlock):
2735         * runtime/Options.h:
2736         * runtime/SamplingProfiler.cpp: Added.
2737         (JSC::reportStats):
2738         (JSC::FrameWalker::FrameWalker):
2739         (JSC::FrameWalker::walk):
2740         (JSC::FrameWalker::wasValidWalk):
2741         (JSC::FrameWalker::advanceToParentFrame):
2742         (JSC::FrameWalker::isAtTop):
2743         (JSC::FrameWalker::resetAtMachineFrame):
2744         (JSC::FrameWalker::isValidFramePointer):
2745         (JSC::FrameWalker::isValidCodeBlock):
2746         (JSC::SamplingProfiler::SamplingProfiler):
2747         (JSC::SamplingProfiler::~SamplingProfiler):
2748         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2749         (JSC::SamplingProfiler::visit):
2750         (JSC::SamplingProfiler::shutdown):
2751         (JSC::SamplingProfiler::start):
2752         (JSC::SamplingProfiler::stop):
2753         (JSC::SamplingProfiler::pause):
2754         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2755         (JSC::SamplingProfiler::dispatchIfNecessary):
2756         (JSC::SamplingProfiler::dispatchFunction):
2757         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2758         (JSC::SamplingProfiler::noticeVMEntry):
2759         (JSC::SamplingProfiler::clearData):
2760         (JSC::displayName):
2761         (JSC::SamplingProfiler::stacktracesAsJSON):
2762         (WTF::printInternal):
2763         * runtime/SamplingProfiler.h: Added.
2764         (JSC::SamplingProfiler::StackFrame::StackFrame):
2765         (JSC::SamplingProfiler::getLock):
2766         (JSC::SamplingProfiler::setTimingInterval):
2767         (JSC::SamplingProfiler::stackTraces):
2768         * runtime/VM.cpp:
2769         (JSC::VM::VM):
2770         (JSC::VM::~VM):
2771         (JSC::VM::setLastStackTop):
2772         (JSC::VM::createContextGroup):
2773         (JSC::VM::ensureWatchdog):
2774         (JSC::VM::ensureSamplingProfiler):
2775         (JSC::thunkGeneratorForIntrinsic):
2776         * runtime/VM.h:
2777         (JSC::VM::watchdog):
2778         (JSC::VM::samplingProfiler):
2779         (JSC::VM::isSafeToRecurse):
2780         (JSC::VM::lastStackTop):
2781         (JSC::VM::scratchBufferForSize):
2782         (JSC::VM::setLastStackTop): Deleted.
2783         * runtime/VMEntryScope.cpp:
2784         (JSC::VMEntryScope::VMEntryScope):
2785         * tests/stress/sampling-profiler: Added.
2786         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2787         (platformSupportsSamplingProfiler.foo):
2788         (platformSupportsSamplingProfiler.baz):
2789         (platformSupportsSamplingProfiler):
2790         * tests/stress/sampling-profiler-basic.js: Added.
2791         (platformSupportsSamplingProfiler.bar):
2792         (platformSupportsSamplingProfiler.foo):
2793         (platformSupportsSamplingProfiler.nothing):
2794         (platformSupportsSamplingProfiler.top):
2795         (platformSupportsSamplingProfiler.jaz):
2796         (platformSupportsSamplingProfiler.kaz):
2797         (platformSupportsSamplingProfiler.checkInlining):
2798         (platformSupportsSamplingProfiler):
2799         * tests/stress/sampling-profiler-deep-stack.js: Added.
2800         (platformSupportsSamplingProfiler.foo):
2801         (platformSupportsSamplingProfiler.let.hellaDeep):
2802         (platformSupportsSamplingProfiler.let.start):
2803         (platformSupportsSamplingProfiler):
2804         * tests/stress/sampling-profiler-microtasks.js: Added.
2805         (platformSupportsSamplingProfiler.testResults):
2806         (platformSupportsSamplingProfiler):
2807         (platformSupportsSamplingProfiler.loop.jaz):
2808         (platformSupportsSamplingProfiler.loop):
2809         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2810         (assert):
2811         (let.nodePrototype.makeChildIfNeeded):
2812         (makeNode):
2813         (updateCallingContextTree):
2814         (doesTreeHaveStackTrace):
2815         (makeTree):
2816         (runTest):
2817         (dumpTree):
2818         * yarr/YarrJIT.cpp:
2819         (JSC::Yarr::YarrGenerator::generateEnter):
2820         (JSC::Yarr::YarrGenerator::generateReturn):
2821         (JSC::Yarr::YarrGenerator::YarrGenerator):
2822         (JSC::Yarr::YarrGenerator::compile):
2823         (JSC::Yarr::jitCompile):
2824
2825 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2826
2827         [JSC] Iterating over a Set/Map is too slow
2828         https://bugs.webkit.org/show_bug.cgi?id=152691
2829
2830         Reviewed by Saam Barati.
2831
2832         Set#forEach and Set & for-of are very slow. There are 2 reasons.
2833
2834         1. forEach is implemented in C++. And typically, it takes a JS callback and calls it from C++.
2835
2836         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
2837
2838             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
2839             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
2840             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
2841              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
2842              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
2843              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
2844
2845         Writing forEach in JS eliminates this.
2846
2847             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
2848             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
2849             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
2850              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
2851              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
2852              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
2853              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
2854              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
2855
2856         2. Iterator result object allocation is costly.
2857
2858         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
2859
2860             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
2861             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
2862             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
2863             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
2864             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
2865              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
2866
2867         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in the FTL.
2868         But looking at the perf result, we can find an easy-to-fix bottleneck in the current implementation.
2869         Every time, createIteratorResultObject creates an empty object and uses putDirect to store properties.
2870         A pre-baked Structure* with `done` and `value` properties makes this implementation fast.
2871
2872         After these improvements, the micro benchmark[1] shows the following.
2873
2874         old:
2875             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
2876             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
2877             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
2878             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
2879             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
2880             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
2881
2882         new:
2883             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
2884             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
2885             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
2886             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
2887             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
2888             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
2889
2890         Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x and 2.57x).
2891         After these optimizations, they are still much slower than the linked list and array.
2892         This should be optimized in the long term.
2893
2894         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
2895
2896         * CMakeLists.txt:
2897         * DerivedSources.make:
2898         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2899         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2900         * JavaScriptCore.xcodeproj/project.pbxproj:
2901         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2902         (forEach):
2903         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2904         (forEach):
2905         * runtime/CommonIdentifiers.h:
2906         * runtime/IteratorOperations.cpp:
2907         (JSC::createIteratorResultObjectStructure):
2908         (JSC::createIteratorResultObject):
2909         * runtime/IteratorOperations.h:
2910         * runtime/JSGlobalObject.cpp:
2911         (JSC::JSGlobalObject::init):
2912         (JSC::JSGlobalObject::visitChildren):
2913         * runtime/JSGlobalObject.h:
2914         (JSC::JSGlobalObject::iteratorResultObjectStructure):
2915         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
2916         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
2917         * runtime/MapPrototype.cpp:
2918         (JSC::MapPrototype::getOwnPropertySlot):
2919         (JSC::privateFuncIsMap):
2920         (JSC::privateFuncMapIterator):
2921         (JSC::privateFuncMapIteratorNext):
2922         (JSC::MapPrototype::finishCreation): Deleted.
2923         (JSC::mapProtoFuncForEach): Deleted.
2924         * runtime/MapPrototype.h:
2925         * runtime/SetPrototype.cpp:
2926         (JSC::SetPrototype::getOwnPropertySlot):
2927         (JSC::privateFuncIsSet):
2928         (JSC::privateFuncSetIterator):
2929         (JSC::privateFuncSetIteratorNext):
2930         (JSC::SetPrototype::finishCreation): Deleted.
2931         (JSC::setProtoFuncForEach): Deleted.
2932         * runtime/SetPrototype.h:
2933
2934 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2935
2936         Unreviewed, fix ARM64 build.
2937
2938         * b3/air/AirOpcode.opcodes:
2939
2940 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2941
2942         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
2943         https://bugs.webkit.org/show_bug.cgi?id=152955
2944
2945         Reviewed by Saam Barati.
2946
2947         This happens when we box an int32 and then immediately unbox it.
2948
2949         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
2950         benchmark. It's neutral elsewhere.
2951
2952         * b3/B3ReduceStrength.cpp:
2953         * b3/testb3.cpp:
2954         (JSC::B3::testPowDoubleByIntegerLoop):
2955         (JSC::B3::testTruncOrHigh):
2956         (JSC::B3::testTruncOrLow):
2957         (JSC::B3::testBitAndOrHigh):
2958         (JSC::B3::testBitAndOrLow):
2959         (JSC::B3::zero):
2960         (JSC::B3::run):
2961
2962 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
2963
2964         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
2965         https://bugs.webkit.org/show_bug.cgi?id=149855
2966
2967         Reviewed by Saam Barati.
2968
2969         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
2970         'this', 'arguments' and 'super'.
2971
2972         * CMakeLists.txt:
2973         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2974         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2975         * JavaScriptCore.xcodeproj/project.pbxproj:
2976         * dfg/DFGAbstractInterpreterInlines.h:
2977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2978         * dfg/DFGSpeculativeJIT.cpp:
2979         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2980         * dfg/DFGStructureRegistrationPhase.cpp:
2981         (JSC::DFG::StructureRegistrationPhase::run):
2982         * ftl/FTLAbstractHeapRepository.cpp:
2983         * ftl/FTLAbstractHeapRepository.h:
2984         * ftl/FTLLowerDFGToLLVM.cpp:
2985         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2986         * interpreter/Interpreter.cpp:
2987         * interpreter/Interpreter.h:
2988         * jit/JITOpcodes.cpp:
2989         * jit/JITOpcodes32_64.cpp:
2990         * jit/JITOperations.cpp:
2991         * jit/JITOperations.h:
2992         * llint/LLIntOffsetsExtractor.cpp:
2993         * llint/LLIntSlowPaths.cpp:
2994         * runtime/JSArrowFunction.cpp: Removed.
2995         * runtime/JSArrowFunction.h: Removed.
2996         * runtime/JSGlobalObject.cpp:
2997         * runtime/JSGlobalObject.h:
2998
2999 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3000
3001         It should be possible to run liveness over registers without also tracking Tmps
3002         https://bugs.webkit.org/show_bug.cgi?id=152963
3003
3004         Reviewed by Saam Barati.
3005
3006         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
3007         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
3008         code like that for handling cold function calls. It also makes code like that somewhat more
3009         scalable, since we're no longer using HashSets.
3010
3011         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
3012         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
3013         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
3014         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
3015         think that this is good, because the lack of set methods (add/remove/contains) has caused
3016         bugs in the past. This makes BitVector have methods both for set operations on bits and array
3017         operations on bits. I think that's good, since BitVector gets used in both contexts.
3018
3019         * b3/B3IndexSet.h:
3020         (JSC::B3::IndexSet::Iterable::iterator::iterator):
3021         (JSC::B3::IndexSet::Iterable::begin):
3022         (JSC::B3::IndexSet::dump):
3023         * b3/air/AirInstInlines.h:
3024         (JSC::B3::Air::ForEach<Tmp>::forEach):
3025         (JSC::B3::Air::ForEach<Arg>::forEach):
3026         (JSC::B3::Air::ForEach<Reg>::forEach):
3027         (JSC::B3::Air::Inst::forEach):
3028         * b3/air/AirLiveness.h:
3029         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
3030         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
3031         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
3032         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
3033         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
3034         * b3/air/AirReportUsedRegisters.cpp:
3035         (JSC::B3::Air::reportUsedRegisters):
3036         * jit/Reg.h:
3037         (JSC::Reg::next):
3038         (JSC::Reg::index):
3039         (JSC::Reg::maxIndex):
3040         (JSC::Reg::isSet):
3041         (JSC::Reg::operator bool):
3042         * jit/RegisterSet.h:
3043         (JSC::RegisterSet::forEach):
3044
3045 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3046
3047         [JSC] Make branchMul functional in ARM B3 and minor fixes
3048         https://bugs.webkit.org/show_bug.cgi?id=152889
3049
3050         Reviewed by Mark Lam.
3051
3052         ARM64 does not have a "S" version of MUL setting the flags.
3053         What we do is abstract that in the MacroAssembler. The problem
3054         is that form requires scratch registers.
3055
3056         For simplicity, I just exposed the two scratch registers
3057         for Air. Filip already added the concept of Scratch role,
3058         all I needed was to expose it for opcodes.
3059
3060         * assembler/MacroAssemblerARM64.h:
3061         (JSC::MacroAssemblerARM64::branchMul32):
3062         (JSC::MacroAssemblerARM64::branchMul64):
3063         Expose a version with the scratch registers as arguments.
3064
3065         * b3/B3LowerToAir.cpp:
3066         (JSC::B3::Air::LowerToAir::lower):
3067         Add the new form of CheckMul lowering.
3068
3069         * b3/air/AirOpcode.opcodes:
3070         Expose the new BranchMuls.
3071         Remove all the Test variants that use immediates
3072         since Air can't handle those immediates correctly yet.
3073
3074         * b3/air/opcode_generator.rb:
3075         Expose the Scratch role.
3076
3077         * b3/testb3.cpp:
3078         (JSC::B3::testPatchpointLotsOfLateAnys):
3079         Ooops, the scratch registers were not clobbered. We were just lucky
3080         on x86.
3081
3082 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3083
3084         [JSC] B3 is unable to do function calls on ARM64
3085         https://bugs.webkit.org/show_bug.cgi?id=152895
3086
3087         Reviewed by Mark Lam.
3088
3089         Apparently iOS does not follow the ARM64 ABI for function calls.
3090         Instead of giving each value an 8-byte slot, values must be packed
3091         while preserving alignment.
3092
3093         This patch adds a #ifdef to make function calls functional.
3094
3095         * b3/B3LowerToAir.cpp:
3096         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
3097         (JSC::B3::Air::LowerToAir::lower):
3098
3099 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
3100
3101         Air should support Branch64 with immediates
3102         https://bugs.webkit.org/show_bug.cgi?id=152951
3103
3104         Reviewed by Oliver Hunt.
3105
3106         This doesn't significantly improve performance on any benchmarks, but it's great to get this
3107         obvious omission out of the way.
3108
3109         * assembler/MacroAssemblerX86_64.h:
3110         (JSC::MacroAssemblerX86_64::branch64):
3111         * b3/air/AirOpcode.opcodes:
3112         * b3/testb3.cpp:
3113         (JSC::B3::testPowDoubleByIntegerLoop):
3114         (JSC::B3::testBranch64Equal):
3115         (JSC::B3::testBranch64EqualImm):
3116         (JSC::B3::testBranch64EqualMem):
3117         (JSC::B3::testBranch64EqualMemImm):
3118         (JSC::B3::zero):
3119         (JSC::B3::run):
3120
3121 2016-01-09  Dan Bernstein  <mitz@apple.com>
3122
3123         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
3124         https://bugs.webkit.org/show_bug.cgi?id=152926
3125
3126         Reviewed by Tim Horton.
3127
3128         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
3129         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
3130         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
3131
3132         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
3133
3134         * Configurations/Base.xcconfig:
3135         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
3136           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
3137         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
3138         * Configurations/JSC.xcconfig:
3139           Add quotes to account for spaces.
3140         * Configurations/ToolExecutable.xcconfig:
3141           Ditto.
3142         * postprocess-headers.sh:
3143           Ditto.
3144
3145 2016-01-09  Mark Lam  <mark.lam@apple.com>
3146
3147         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
3148         https://bugs.webkit.org/show_bug.cgi?id=152918
3149
3150         Reviewed by Filip Pizlo and Saam Barati.
3151
3152         * ftl/FTLCompile.cpp:
3153         - Updated a comment.
3154         * ftl/FTLLowerDFGToLLVM.cpp:
3155         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3156         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
3157           extra slot for BinaryOps that don't have Untyped operands, and failing to
3158           allocate that extra slot for some binary ops.  This is now fixed.
3159
3160         * tests/stress/ftl-shr-exception.js:
3161         * tests/stress/ftl-xor-exception.js:
3162         - Un-skipped these tests.  They now pass with this patch.
3163
3164 2016-01-09  Andreas Kling  <akling@apple.com>
3165
3166         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
3167         <https://webkit.org/b/152902>
3168
3169         Reviewed by Anders Carlsson.
3170
3171         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
3172
3173         * API/JSAPIWrapperObject.mm:
3174         (jsAPIWrapperObjectHandleOwner):
3175         * API/JSManagedValue.mm:
3176         (managedValueHandleOwner):
3177         * inspector/agents/InspectorDebuggerAgent.cpp:
3178         (Inspector::objectGroupForBreakpointAction):
3179         * jit/ExecutableAllocator.cpp:
3180         (JSC::DemandExecutableAllocator::allocators):
3181
3182 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3183
3184         FTL B3 should do varargs tail calls and stack overflows
3185         https://bugs.webkit.org/show_bug.cgi?id=152934
3186
3187         Reviewed by Saam Barati.
3188
3189         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
3190         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
3191         why I have two fixes in one change. Now the test passes.
3192
3193         This reduces the number of failures from 13 to 0.
3194
3195         * ftl/FTLLowerDFGToLLVM.cpp:
3196         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
3197         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
3198         append an Oops (i.e. "unreachable").
3199
3200 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3201
3202         B3 needs Neg()
3203         https://bugs.webkit.org/show_bug.cgi?id=152925
3204
3205         Reviewed by Mark Lam.
3206
3207         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
3208         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
3209
3210         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
3211         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
3212         to use bitops to represent floating point operations. Whatever cuteness this would have
3213         bought us would be outweighed by the annoyance of having to write code that matches
3214         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
3215         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
3216         Also, I suspect that the omission of Neg would cause others to make the mistake of using
3217         Sub to represent floating point negation.
3218
3219         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
3220         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
3221         floats, we lower it to BitXor(x, -0) on x86.
3222
3223         This reduces the number of failures from 13 to 12.
3224
3225         * assembler/MacroAssemblerX86Common.h:
3226         (JSC::MacroAssemblerX86Common::andFloat):
3227         (JSC::MacroAssemblerX86Common::xorDouble):
3228         (JSC::MacroAssemblerX86Common::xorFloat):
3229         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3230         * b3/B3LowerMacrosAfterOptimizations.cpp:
3231         * b3/B3LowerToAir.cpp:
3232         (JSC::B3::Air::LowerToAir::lower):
3233         * b3/B3Opcode.cpp:
3234         (WTF::printInternal):
3235         * b3/B3Opcode.h:
3236         * b3/B3ReduceStrength.cpp:
3237         * b3/B3Validate.cpp:
3238         * b3/B3Value.cpp:
3239         (JSC::B3::Value::effects):
3240         (JSC::B3::Value::key):
3241         (JSC::B3::Value::typeFor):
3242         * b3/air/AirOpcode.opcodes:
3243         * ftl/FTLB3Output.cpp:
3244         (JSC::FTL::Output::lockedStackSlot):
3245         (JSC::FTL::Output::neg):
3246         (JSC::FTL::Output::bitNot):
3247         * ftl/FTLB3Output.h:
3248         (JSC::FTL::Output::chillDiv):
3249         (JSC::FTL::Output::mod):
3250         (JSC::FTL::Output::chillMod):
3251         (JSC::FTL::Output::doubleAdd):
3252         (JSC::FTL::Output::doubleSub):
3253         (JSC::FTL::Output::doubleMul):
3254         (JSC::FTL::Output::doubleDiv):
3255         (JSC::FTL::Output::doubleMod):
3256         (JSC::FTL::Output::doubleNeg):
3257         (JSC::FTL::Output::bitAnd):
3258         (JSC::FTL::Output::bitOr):
3259         (JSC::FTL::Output::neg): Deleted.
3260         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
3261         it's such a glaring bug, I thought having a test for it specifically would be good.
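        The signed-zero difference this entry describes, as an added example that is not code from the WebKit patch: Sub(0, x), plain negation and the BitXor(x, -0) lowering side by side for doubles, plus the integer case where Sub(0, x) and Neg(x) agree bit-for-bit. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WebKit code; helper names are hypothetical.
 * Sub(0, x) for doubles, the form B3 previously used for negation. The volatile
 * keeps the compiler from rewriting 0.0 - x as -x (which would hide the bug). */
static double sub_zero_double(double x)
{
    volatile double zero = 0.0;
    return zero - x;
}

/* Neg(x) with IEEE semantics: the sign bit is flipped, so Neg(+0) is -0. */
static double neg_double(double x)
{
    return -x;
}

/* The x86 lowering described above: BitXor(x, -0.0). -0.0 has only the sign bit
 * set (0x8000000000000000), so the XOR flips exactly that bit and nothing else. */
static double xor_neg_double(double x)
{
    uint64_t bits, sign;
    double minusZero = -0.0;
    memcpy(&bits, &x, sizeof bits);
    memcpy(&sign, &minusZero, sizeof sign);
    bits ^= sign;
    memcpy(&x, &bits, sizeof x);
    return x;
}

/* 1 if d is -0.0, else 0. d == 0.0 is true for both zeros; the sign bit tells them apart. */
static int is_negative_zero(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return d == 0.0 && (bits >> 63) == 1;
}

/* Integer negation: in two's complement Sub(0, x) and Neg(x) are the same bits,
 * INT32_MIN wraparound included, so canonicalizing Sub(0, x) to Neg(x) is safe.
 * The arithmetic is done on uint32_t to avoid signed-overflow UB in C. */
static int32_t sub_zero_int32(int32_t x)
{
    return (int32_t)(0u - (uint32_t)x);
}

static int32_t neg_int32(int32_t x)
{
    return (int32_t)(~(uint32_t)x + 1u);
}

/* Returns 1 if every property the entry relies on holds for constructed sample inputs. */
static int check_neg_lowering(void)
{
    const double samples[] = { 0.0, -0.0, 1.5, -2.25, 1e300, -1e-300 };
    const int32_t ints[] = { 0, 1, -1, 7, INT32_MAX, INT32_MIN };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double x = samples[i];
        double n = neg_double(x), s = sub_zero_double(x), r = xor_neg_double(x);
        uint64_t xb, nb, rb, rrb;
        double rr = xor_neg_double(r);
        memcpy(&xb, &x, sizeof xb);
        memcpy(&nb, &n, sizeof nb);
        memcpy(&rb, &r, sizeof rb);
        memcpy(&rrb, &rr, sizeof rrb);
        if (nb != rb)        /* the XOR lowering must equal Neg bit-for-bit */
            return 0;
        if (rrb != xb)       /* Neg(Neg(x)) => x holds exactly, even for the zeros */
            return 0;
        if (x == 0.0 && !is_negative_zero(x)) {
            /* The bug itself: Sub(0, +0) is +0, while Neg(+0) must be -0. */
            if (!is_negative_zero(n) || is_negative_zero(s))
                return 0;
        } else if (s != n) { /* away from +0, Sub(0, x) and Neg(x) agree in value */
            return 0;
        }
    }
    for (i = 0; i < sizeof ints / sizeof ints[0]; i++) {
        if (sub_zero_int32(ints[i]) != neg_int32(ints[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("Sub(0, +0) is negative zero: %d\n", is_negative_zero(sub_zero_double(0.0)));
    printf("Neg(+0) is negative zero:    %d\n", is_negative_zero(neg_double(0.0)));
    printf("BitXor(+0, -0) is negative zero: %d\n", is_negative_zero(xor_neg_double(0.0)));
    printf("all properties hold: %d\n", check_neg_lowering());
    return check_neg_lowering() ? 0 : 1;
}
```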
3262
3263 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3264
3265         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
3266         https://bugs.webkit.org/show_bug.cgi?id=152922
3267
3268         Reviewed by Saam Barati.
3269
3270         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
3271         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
3272         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
3273         clear the handlers before generation, sort of like FTL LLVM does.
3274
3275         Also added some stuff to make it easier to inspect the handler table.
3276
3277         This reduces the number of failures from 25 to 13.
3278
3279         * bytecode/CodeBlock.cpp:
3280         (JSC::CodeBlock::dumpBytecode):
3281         (JSC::CodeBlock::dumpExceptionHandlers):
3282         (JSC::CodeBlock::beginDumpProfiling):
3283         * bytecode/CodeBlock.h:
3284         * ftl/FTLB3Compile.cpp:
3285         (JSC::FTL::compile):
3286
3287 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3288
3289         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
3290         https://bugs.webkit.org/show_bug.cgi?id=152916
3291
3292         Reviewed by Mark Lam.
3293
3294         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
3295
3296         This reduces the number of failures from 27 to 25.
3297
3298         * b3/B3ReduceStrength.cpp:
3299
3300 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3301
3302         FTL B3 allocateCell() should not crash
3303         https://bugs.webkit.org/show_bug.cgi?id=152909
3304
3305         Reviewed by Mark Lam.
3306
3307         This code was crashing in some tests that forced GC slow paths because it was stubbed out
3308         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
3309         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
3310         any LLVM optimizations by using undef.
3311
3312         This reduces the number of failures from 35 to 27.
3313
3314         * ftl/FTLLowerDFGToLLVM.cpp:
3315         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
3316
3317 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3318
3319         FTL B3 fails to realize that binary snippets might choose to omit their fast path
3320         https://bugs.webkit.org/show_bug.cgi?id=152901
3321
3322         Reviewed by Mark Lam.
3323
3324         This reduces the number of failures from 99 to 35.
3325
3326         * ftl/FTLLowerDFGToLLVM.cpp:
3327         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3328
3329 2016-01-08  Saam barati  <sbarati@apple.com>
3330
3331         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
3332         https://bugs.webkit.org/show_bug.cgi?id=152879
3333
3334         Reviewed by Filip Pizlo.
3335
3336         We were clobbering a register we needed when picking
3337         a scratch register inside an FTL OSR Exit.
3338
3339         * dfg/DFGThunks.cpp:
3340         (JSC::DFG::osrEntryThunkGenerator):
3341         * jit/AssemblyHelpers.cpp:
3342         (JSC::AssemblyHelpers::emitRandomThunk):
3343         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
3344         * jit/AssemblyHelpers.h:
3345         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
3346         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
3347         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
3348         (foo):
3349
3350 2016-01-08  Mark Lam  <mark.lam@apple.com>
3351
3352         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
3353         https://bugs.webkit.org/show_bug.cgi?id=152897
3354
3355         Not reviewed.
3356
3357         * dfg/DFGAbstractInterpreterInlines.h:
3358         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3359         * dfg/DFGByteCodeParser.cpp:
3360         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3361         * dfg/DFGClobberize.h:
3362         (JSC::DFG::clobberize):
3363         * dfg/DFGDoesGC.cpp:
3364         (JSC::DFG::doesGC):
3365         * dfg/DFGFixupPhase.cpp:
3366         (JSC::DFG::FixupPhase::fixupNode):
3367         * dfg/DFGNodeType.h:
3368         * dfg/DFGOperations.cpp:
3369         * dfg/DFGOperations.h:
3370         * dfg/DFGPredictionPropagationPhase.cpp:
3371         (JSC::DFG::PredictionPropagationPhase::propagate):
3372         * dfg/DFGSafeToExecute.h:
3373         (JSC::DFG::safeToExecute):
3374         * dfg/DFGSpeculativeJIT.cpp:
3375         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3376         * dfg/DFGSpeculativeJIT32_64.cpp:
3377         (JSC::DFG::SpeculativeJIT::compile):
3378         * dfg/DFGSpeculativeJIT64.cpp:
3379         (JSC::DFG::SpeculativeJIT::compile):
3380         * runtime/StringConstructor.cpp:
3381         (JSC::stringFromCharCode):
3382         (JSC::stringFromSingleCharCode): Deleted.
3383         * runtime/StringConstructor.h:
3384
3385 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
3386
3387         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
3388         https://bugs.webkit.org/show_bug.cgi?id=152893
3389
3390         Reviewed by Mark Lam.
3391
3392         Use std::call_once since pthreads is not present on all platforms.
3393
3394         * llvm/InitializeLLVM.cpp:
3395         (JSC::initializeLLVMImpl):
3396         (JSC::initializeLLVM):
3397
3398 2016-01-08  Mark Lam  <mark.lam@apple.com>
3399
3400         Rename StringFromCharCode to StringFromSingleCharCode.
3401         https://bugs.webkit.org/show_bug.cgi?id=152897
3402
3403         Reviewed by Daniel Bates.
3404
3405         StringFromSingleCharCode is a better name because the intrinsic it represents
3406         only applies when we are converting from a single char code.  This is purely
3407         a refactoring patch.  There is no semantic change.
3408
3409         * dfg/DFGAbstractInterpreterInlines.h:
3410         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3411         * dfg/DFGByteCodeParser.cpp:
3412         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3413         * dfg/DFGClobberize.h:
3414         (JSC::DFG::clobberize):
3415         * dfg/DFGDoesGC.cpp:
3416         (JSC::DFG::doesGC):
3417         * dfg/DFGFixupPhase.cpp:
3418         (JSC::DFG::FixupPhase::fixupNode):
3419         * dfg/DFGNodeType.h:
3420         * dfg/DFGOperations.cpp:
3421         * dfg/DFGOperations.h:
3422         * dfg/DFGPredictionPropagationPhase.cpp:
3423         (JSC::DFG::PredictionPropagationPhase::propagate):
3424         * dfg/DFGSafeToExecute.h:
3425         (JSC::DFG::safeToExecute):
3426         * dfg/DFGSpeculativeJIT.cpp:
3427         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3428         * dfg/DFGSpeculativeJIT32_64.cpp:
3429         (JSC::DFG::SpeculativeJIT::compile):
3430         * dfg/DFGSpeculativeJIT64.cpp:
3431         (JSC::DFG::SpeculativeJIT::compile):
3432         * runtime/StringConstructor.cpp:
3433         (JSC::stringFromCharCode):
3434         (JSC::stringFromSingleCharCode):
3435         * runtime/StringConstructor.h:
3436
3437 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3438
3439         [mips] Fixed unused parameter warnings
3440         https://bugs.webkit.org/show_bug.cgi?id=152885
3441
3442         Reviewed by Mark Lam.
3443
3444         * jit/CCallHelpers.h:
3445         (JSC::CCallHelpers::setupArgumentsWithExecState):
3446
3447 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3448
3449         [mips] Max value of immediate arg of logical ops is 0xffff
3450         https://bugs.webkit.org/show_bug.cgi?id=152884
3451
3452         Reviewed by Michael Saboff.
3453
3454         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535
3455
3456         * assembler/MacroAssemblerMIPS.h:
3457         (JSC::MacroAssemblerMIPS::and32):
3458         (JSC::MacroAssemblerMIPS::or32):
3459
3460 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3461
3462         [mips] Add new or32 implementation after r194613
3463         https://bugs.webkit.org/show_bug.cgi?id=152865
3464
3465         Reviewed by Michael Saboff.
3466
3467         * assembler/MacroAssemblerMIPS.h:
3468         (JSC::MacroAssemblerMIPS::or32):
3469
3470 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3471
3472         FTL B3 lazy slow paths should do exceptions
3473         https://bugs.webkit.org/show_bug.cgi?id=152853
3474
3475         Reviewed by Saam Barati.
3476
3477         This reduces the number of JSC test failures to 97.
3478
3479         * ftl/FTLLowerDFGToLLVM.cpp:
3480         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3481         * tests/stress/ftl-new-negative-array-size.js: Added.
3482         (foo):
3483
3484 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3485
3486         Unreviewed, skip more tests that fail.
3487
3488         * tests/stress/ftl-shr-exception.js:
3489         (foo):
3490         * tests/stress/ftl-xor-exception.js:
3491         (foo):
3492
3493 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3494
3495         FTL B3 binary snippets should do exceptions
3496         https://bugs.webkit.org/show_bug.cgi?id=152852
3497
3498         Reviewed by Saam Barati.
3499
3500         This reduces the number of JSC test failures to 110.
3501
3502         * ftl/FTLLowerDFGToLLVM.cpp:
3503         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3504         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3505         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3506         * tests/stress/ftl-shr-exception.js: Added.
3507         (foo):
3508         (result.foo.valueOf):
3509         * tests/stress/ftl-sub-exception.js: Added.
3510         (foo):
3511         (result.foo.valueOf):
3512         * tests/stress/ftl-xor-exception.js: Added.
3513         (foo):
3514         (result.foo.valueOf):
3515
3516 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3517
3518         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
3519
3520         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
3521         (foo):
3522
3523 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3524
3525         Unreviewed, skipping this test. Looks like LLVM can't handle it.
3526
3527         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
3528         (foo):
3529
3530 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3531
3532         FTL B3 JS calls should do exceptions
3533         https://bugs.webkit.org/show_bug.cgi?id=152851
3534
3535         Reviewed by Geoffrey Garen.
3536
3537         This reduces the number of JSC test failures with FTL B3 to 111.
3538
3539         * dfg/DFGSpeculativeJIT64.cpp:
3540         (JSC::DFG::SpeculativeJIT::emitCall):
3541         * ftl/FTLLowerDFGToLLVM.cpp:
3542         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
3543         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3544         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3545         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
3546         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
3547         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
3548         * tests/stress/ftl-call-exception-no-catch.js: Added.
3549         * tests/stress/ftl-call-exception.js: Added.
3550         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
3551         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
3552         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
3553         * tests/stress/ftl-call-varargs-exception.js: Added.
3554
3555 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3556
3557         FTL B3 PutById should do exceptions
3558         https://bugs.webkit.org/show_bug.cgi?id=152850
3559
3560         Reviewed by Saam Barati.
3561
3562         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
3563         number of JSC test failures to 128.
3564
3565         * ftl/FTLLowerDFGToLLVM.cpp:
3566         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3567         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
3568         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
3569         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
3570         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
3571         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
3572         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
3573
3574 2016-01-07  Commit Queue  <commit-queue@webkit.org>
3575
3576         Unreviewed, rolling out r194714.
3577         https://bugs.webkit.org/show_bug.cgi?id=152864
3578
3579         it broke many JSC tests when FTL B3 is enabled (Requested by
3580         pizlo on #webkit).
3581
3582         Reverted changeset:
3583
3584         "[JSC] When resolving Stack arguments, use addressing from SP
3585         when addressing from FP is invalid"
3586         https://bugs.webkit.org/show_bug.cgi?id=152840
3587         http://trac.webkit.org/changeset/194714
3588
3589 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3590
3591         [mips] Lower immediates of logical operations.
3592         https://bugs.webkit.org/show_bug.cgi?id=152693
3593
3594         On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
3595         non-negative numbers.
3596
3597         Reviewed by Michael Saboff.
3598
3599         * offlineasm/mips.rb:
3600
3601 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3602
3603         [JSC] Update testCheckSubBadImm() for ARM64
3604         https://bugs.webkit.org/show_bug.cgi?id=152846
3605
3606         Reviewed by Mark Lam.
3607
3608         * b3/testb3.cpp:
3609         (JSC::B3::testCheckSubBadImm):
3610         The test was assuming the constant can always be used
3611         as immediate. That's obviously not the case on ARM64.
3612
3613 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3614
3615         FTL B3 getById() should do exceptions
3616         https://bugs.webkit.org/show_bug.cgi?id=152810
3617
3618         Reviewed by Saam Barati.
3619
3620         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
3621         exceptions from GetById. This covers all of the following ways that a GetById might throw an
3622         exception:
3623
3624         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
3625         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
3626         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
3627         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
3628         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
3629         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
3630
3631         This requires having a default exception target in FTL-generated code, and ensuring that this
3632         target is generated regardless of whether we have branches to the B3 basic block of the
3633         default exception target. This also requires adding some extra arguments to a
3634         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
3635         else. This also requires associating the CallSiteIndex of the patchpoint with the register
3636         set used for exit and with the OSR exit label for the unwind exit.
3637
3638         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
3639         is covered by the new PatchpointExceptionHandle object. You create one by calling
3640         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
3641         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
3642         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
3643         for operation calls and OSR exits for unwind. You call the
3644         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
3645         actually get OSR exits.
3646
3647         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
3648         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
3649         you use this API, it automatically registers a link task that will link the JumpList to the
3650         actual OSR exit label.
3651
3652         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
3653         to use the Box<JumpList> approach, but if you really just need the label, you can also get
3654         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
3655         to vend you the OSR exit label at link-time.
3656
3657         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
3658         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
3659         passes all of these new tests. Note that I'm not counting the new tests as part of the
3660         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
3661
3662         After this change, it should be easy to make all of the other patchpoints also handle
3663         exceptions by just following the preparePatchpointForExceptions() idiom.
3664
3665         * CMakeLists.txt:
3666         * JavaScriptCore.xcodeproj/project.pbxproj:
3667         * b3/B3StackmapValue.h:
3668         * b3/B3ValueRep.cpp:
3669         (JSC::B3::ValueRep::addUsedRegistersTo):
3670         (JSC::B3::ValueRep::usedRegisters):
3671         (JSC::B3::ValueRep::dump):
3672         * b3/B3ValueRep.h:
3673         (JSC::B3::ValueRep::doubleValue):
3674         (JSC::B3::ValueRep::withOffset):
3675         (JSC::B3::ValueRep::usedRegisters):
3676         * ftl/FTLB3Compile.cpp:
3677         (JSC::FTL::compile):
3678         * ftl/FTLB3Output.h:
3679         (JSC::FTL::Output::unreachable):
3680         (JSC::FTL::Output::speculate):
3681         * ftl/FTLExceptionTarget.cpp: Added.
3682         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
3683         (JSC::FTL::ExceptionTarget::label):
3684         (JSC::FTL::ExceptionTarget::jumps):
3685         (JSC::FTL::ExceptionTarget::ExceptionTarget):
3686         * ftl/FTLExceptionTarget.h: Added.
3687         * ftl/FTLJITCode.cpp:
3688         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3689         * ftl/FTLLowerDFGToLLVM.cpp:
3690         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3691         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3692         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3693         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3694         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3695         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3696         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3697         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3698         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3699         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3700         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3701         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3702         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
3703         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3704         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3705         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3706         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3707         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
3708         (JSC::FTL::PatchpointExceptionHandle::create):
3709         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
3710         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
3711         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
3712         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3713         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
3714         (JSC::FTL::PatchpointExceptionHandle::createHandle):
3715         * ftl/FTLPatchpointExceptionHandle.h: Added.
3716         * ftl/FTLState.cpp:
3717         * ftl/FTLState.h:
3718         (JSC::FTL::verboseCompilationEnabled):
3719         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
3720         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
3721         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
3722         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
3723         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
3724         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
3725         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
3726         * tests/stress/ftl-operation-exception-no-catch.js: Added.
3727
3728 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3729
3730         [mips] Implemented missing branch patching methods.
3731         https://bugs.webkit.org/show_bug.cgi?id=152845
3732
3733         Reviewed by Michael Saboff.
3734
3735         * assembler/MacroAssemblerMIPS.h:
3736         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
3737         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3738         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3739
3740 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3741
3742         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
3743         https://bugs.webkit.org/show_bug.cgi?id=152840
3744
3745         Reviewed by Mark Lam.
3746
3747         ARM64 has two kinds of addressing with immediates:
3748         - Signed 9-bit direct (really only -256 to 255).
3749         - Unsigned 12-bit scaled by the load/store size.
3750
3751         When resolving the stack addresses, we easily run
3752         past -256 bytes from FP. Addressing from SP gives us more
3753         room to address the stack efficiently because we can
3754         use unsigned immediates.
3755
3756         * b3/B3StackmapSpecial.cpp:
3757         (JSC::B3::StackmapSpecial::repForArg):
3758         * b3/air/AirAllocateStack.cpp:
3759         (JSC::B3::Air::allocateStack):
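
The two immediate addressing forms named above decide whether a stack slot can be reached from FP or SP at all. The following is an added illustration, not JavaScriptCore or B3 code: classifyArm64Offset() reports which form (if any) encodes a given byte offset for a given access width, and spRelativeRescues() models the situation the entry describes, assuming SP sits exactly frameSize bytes below FP. The function names, the enum and the frame model are this example's own assumptions.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed illustration, not WebKit code.
// ARM64 load/store immediates come in two forms (as the entry states):
//   - unscaled signed 9-bit:  -256 .. 255 bytes, any alignment (LDUR/STUR)
//   - scaled unsigned 12-bit: 0 .. 4095 * accessSize, must be a multiple
//     of the access width (LDR/STR with unsigned offset)
enum class Arm64OffsetForm { Unscaled9, Scaled12, NotEncodable };

// accessSize is the load/store width in bytes (1, 2, 4 or 8).
Arm64OffsetForm classifyArm64Offset(int64_t offset, unsigned accessSize)
{
    if (offset >= -256 && offset <= 255)
        return Arm64OffsetForm::Unscaled9;
    if (offset >= 0 && offset % accessSize == 0 && offset / accessSize <= 4095)
        return Arm64OffsetForm::Scaled12;
    return Arm64OffsetForm::NotEncodable;
}

// Hypothetical frame model: a slot lives slotOffsetBelowFP bytes below FP in a
// frame of frameSize bytes, and SP == FP - frameSize. Returns true when the
// FP-relative address cannot be encoded but the SP-relative one can, which is
// the case the entry is about: negative FP offsets run out at -256, whereas
// positive SP offsets can use the much larger scaled 12-bit form.
bool spRelativeRescues(int64_t slotOffsetBelowFP, int64_t frameSize, unsigned accessSize)
{
    int64_t fromFP = -slotOffsetBelowFP;
    int64_t fromSP = frameSize - slotOffsetBelowFP;
    return classifyArm64Offset(fromFP, accessSize) == Arm64OffsetForm::NotEncodable
        && classifyArm64Offset(fromSP, accessSize) != Arm64OffsetForm::NotEncodable;
}

static const char* formName(Arm64OffsetForm form)
{
    switch (form) {
    case Arm64OffsetForm::Unscaled9: return "unscaled signed 9-bit";
    case Arm64OffsetForm::Scaled12: return "scaled unsigned 12-bit";
    default: return "not encodable";
    }
}

int main()
{
    // Constructed sample offsets for an 8-byte (64-bit) access.
    const int64_t samples[] = { -256, -264, 255, 304, 300, 32760, 32768 };
    for (int64_t offset : samples)
        std::printf("offset %6lld: %s\n", (long long)offset, formName(classifyArm64Offset(offset, 8)));
    std::printf("slot 512 below FP in a 1024-byte frame: SP rescues = %d\n",
        spRelativeRescues(512, 1024, 8));
    return 0;
}
```

A slot 512 bytes below FP is unreachable with an FP-relative immediate (-512 is outside the signed 9-bit range and negative offsets have no scaled form), but the same slot is 512 bytes above SP, which the scaled 12-bit form encodes directly.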
3760
3761 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3762
3763         [mips] Make repatchCall public to fix compilation.
3764         https://bugs.webkit.org/show_bug.cgi?id=152843
3765
3766         Reviewed by Michael Saboff.
3767
3768         * assembler/MacroAssemblerMIPS.h:
3769         (JSC::MacroAssemblerMIPS::repatchCall):
3770         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
3771
3772 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3773
3774         [mips] Replaced subi with addi in getHostCallReturnValue
3775         https://bugs.webkit.org/show_bug.cgi?id=152841
3776
3777         Reviewed by Michael Saboff.
3778
3779         The MIPS architecture does not have a subi instruction; addi with a negative
3780         number should be used instead.
3781
3782         * jit/JITOperations.cpp:
3783
3784 2016-01-07  Mark Lam  <mark.lam@apple.com>
3785
3786         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3787         https://bugs.webkit.org/show_bug.cgi?id=152833
3788
3789         Reviewed by Michael Saboff.
3790
3791         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
3792         store32.
3793
3794         * assembler/MacroAssemblerARM64.h:
3795         (JSC::MacroAssemblerARM64::or32):
3796         (JSC::MacroAssemblerARM64::store):
3797
3798 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3799
3800         [mips] GPRInfo::toArgumentRegister missing
3801         https://bugs.webkit.org/show_bug.cgi?id=152838
3802
3803         Reviewed by Michael Saboff.
3804
3805         * jit/GPRInfo.h:
3806         (JSC::GPRInfo::toArgumentRegister):
3807
3808 2016-01-07  Mark Lam  <mark.lam@apple.com>
3809
3810         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3811         https://bugs.webkit.org/show_bug.cgi?id=152833
3812
3813         Reviewed by Benjamin Poulain.
3814
3815         * assembler/MacroAssemblerARM.h:
3816         (JSC::MacroAssemblerARM::or32):
3817         - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
3818         * assembler/MacroAssemblerARM64.h:
3819         (JSC::MacroAssemblerARM64::or32):
3820         - Implement an optimization that avoids reloading the memoryTempRegister when
3821           the immediate is encodable as an instruction immediate.
3822         * assembler/MacroAssemblerARMv7.h:
3823         (JSC::MacroAssemblerARMv7::or32):
3824         - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
3825         - Implement an optimization that avoids reloading the memoryTempRegister when
3826           the immediate is encodable as an instruction immediate.  In the event that we
3827           cannot encode the immediate, we'll use the addressTempRegister as a temp, and
3828           reload it later.
3829
3830 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3831
3832         [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
3833         https://bugs.webkit.org/show_bug.cgi?id=152664
3834
3835         Reviewed by Alex Christensen.
3836
3837         * shell/CMakeLists.txt:
3838
3839 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
3840
3841         Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
3842         https://bugs.webkit.org/show_bug.cgi?id=152825
3843         <rdar://problem/24021276>
3844
3845         Reviewed by Timothy Hatcher.
3846
3847         * debugger/Debugger.cpp:
3848         (JSC::Debugger::breakProgram):
3849         We cannot pause if we are not evaluating JavaScript, so bail.
3850
3851 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3852
3853         [JSC] Re-enable lea() in Air on ARM64
3854         https://bugs.webkit.org/show_bug.cgi?id=152832
3855
3856         Reviewed by Michael Saboff.
3857
3858         Lea() on the MacroAssembler is not the full x86 Lea (the real one being
3859         x86Lea32()). Instead, it is an addPtr() with SP and a constant.
3860
3861         The instruction is required to implement B3's StackSlot. It is not
3862         safe for big offsets but none of the stack operations are at the moment.
3863
3864         * b3/air/AirOpcode.opcodes:
3865
3866 2016-01-07  Julien Brianceau  <jbriance@cisco.com>
3867
3868         [mips] Add two missing abortWithReason implementations
3869         https://bugs.webkit.org/show_bug.cgi?id=136753
3870
3871         Reviewed by Benjamin Poulain.
3872
3873         * assembler/MacroAssemblerMIPS.h:
3874         (JSC::MacroAssemblerMIPS::memoryFence):
3875         (JSC::MacroAssemblerMIPS::abortWithReason):
3876         (JSC::MacroAssemblerMIPS::readCallTarget):
3877
3878 2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>
3879
3880         Add new or32 implementation to MacroAssemblerARM after r194613
3881         https://bugs.webkit.org/show_bug.cgi?id=152784
3882
3883         Reviewed by Benjamin Poulain.
3884
3885         * assembler/MacroAssemblerARM.h:
3886         (JSC::MacroAssemblerARM::or32):
3887
3888 2016-01-06  Mark Lam  <mark.lam@apple.com>
3889
3890         REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
3891         https://bugs.webkit.org/show_bug.cgi?id=152805
3892
3893         Reviewed by Michael Saboff.
3894
3895         There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
3896         So, we'll continue to use one of the result registers as the scratch, and
3897         re-compute the result at the end.
3898
3899         * jit/JITMulGenerator.cpp:
3900         (JSC::JITMulGenerator::generateFastPath):
3901
3902 2016-01-06  Anders Carlsson  <andersca@apple.com>
3903
3904         Add a smart block pointer
3905         https://bugs.webkit.org/show_bug.cgi?id=152799
3906
3907         Reviewed by Tim Horton.
3908
3909         Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.
3910
3911         * inspector/remote/RemoteConnectionToTarget.h:
3912         (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
3913         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
3914         (Inspector::RemoteTargetBlock::operator=): Deleted.
3915         (Inspector::RemoteTargetBlock::operator()): Deleted.
3916         * inspector/remote/RemoteConnectionToTarget.mm:
3917         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3918         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
3919
3920 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
3921
3922         [JSC] More B3 tests passing on ARM64
3923         https://bugs.webkit.org/show_bug.cgi?id=152787
3924
3925         Reviewed by Michael Saboff.
3926
3927         Some more minor bugs.
3928
3929         * assembler/MacroAssemblerARM64.h:
3930         (JSC::MacroAssemblerARM64::urshift64):
3931         The offset was being truncated. That code was just copied
3932         from the 32-bit version of urshift.
3933
3934         * b3/B3LowerToAir.cpp:
3935         (JSC::B3::Air::LowerToAir::createGenericCompare):
3936         Very few instructions can encode -1 as immediate.
3937         TST certainly can't. The fallback works for ARM.
3938
3939         * b3/air/AirOpcode.opcodes:
3940         Bit instructions have very specific immediate encoding.
3941         B3 cannot express that properly yet. I disabled those
3942         forms for now. Immediate encoding is something we'll really
3943         have to look into at some point for B3 ARM64.
3944
3945 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
3946
3947         Silence -Wtautological-compare
3948         https://bugs.webkit.org/show_bug.cgi?id=152768
3949
3950         Reviewed by Saam Barati.
3951
3952         * runtime/Options.cpp: