2016-02-29 Filip Pizlo <fpizlo@apple.com>

        Make it cheap to #include "JITOperations.h"
        https://bugs.webkit.org/show_bug.cgi?id=154836

        Prior to this change, this header included the whole world even though it didn't have any
        definitions. This patch turns almost all of the includes into forward declarations. Right
        now this header is very cheap to include.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/CommonSlowPaths.h:
        (JSC::encodeResult): Deleted.
        (JSC::decodeResult): Deleted.
        * runtime/SlowPathReturnType.h: Added.
2016-02-28 Filip Pizlo <fpizlo@apple.com>

        FTL should be able to run everything in Octane/regexp
        https://bugs.webkit.org/show_bug.cgi?id=154266

        Reviewed by Saam Barati.

        Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
        make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
        DFG backend optimization anyway - if we need this optimization then it should be a
        strength reduction rule over IR. That way, it can be shared by all backends.

        I measured whether removing that optimization had any effect on performance separately
        from measuring the performance of this patch. Removing that optimization did not change
        our score on any benchmarks.

        This patch does have an overall negative effect on the Octane/regexp score. This is
        presumably because tiering up to the FTL has no value to the code in the regexp test. Or
        maybe it's something else. No matter - the overall effect on the Octane score is not
        statistically significant and we don't want this kind of coverage blocked by the fact
        that adding coverage hurts a benchmark.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::Node::setIndexingType):
        (JSC::DFG::Node::hasRegexpIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
        (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        * tests/stress/ftl-regexp-exec.js: Added.
        * tests/stress/ftl-regexp-test.js: Added.
2016-02-28 Andreas Kling <akling@apple.com>

        Make JSFunction.name allocation fully lazy.
        <https://webkit.org/b/154806>

        Reviewed by Saam Barati.

        We were reifying the "name" field on functions lazily, but created the string
        value itself up front. This patch gets rid of the up-front allocation,
        saving us a JSString allocation per function in most cases.

        * builtins/BuiltinExecutables.cpp:
        (JSC::createExecutableInternal):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/Executable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):
2016-02-28 Andreas Kling <akling@apple.com>

        REGRESSION(r197303): 4 jsc tests failing on bots.

        Unreviewed follow-up fix.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
        can still get called with !m_rareData, in case the type profiler is active but this
        particular code block doesn't have type profiler data. Handle it gracefully.
2016-02-28 Andreas Kling <akling@apple.com>

        Shrink UnlinkedCodeBlock a bit.
        <https://webkit.org/b/154797>

        Reviewed by Anders Carlsson.

        Move profiler-related members of UnlinkedCodeBlock into its RareData
        structure, saving 40 bytes, and then reorder the other members of
        UnlinkedCodeBlock to save another 24 bytes, netting a nice total of 64.

        The VM member was removed entirely since UnlinkedCodeBlock is a cell
        and can retrieve its VM through MarkedBlock header lookup.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::vm):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
        (JSC::UnlinkedCodeBlock::vm): Deleted.
2016-02-27 Filip Pizlo <fpizlo@apple.com>

        FTL should lower its abstract heaps to B3 heap ranges
        https://bugs.webkit.org/show_bug.cgi?id=154782

        Reviewed by Saam Barati.

        The FTL can describe the abstract heaps (points-to sets) that a memory operation will
        affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
        TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
        notion - the HeapRange. That's what this patch fixes.

        B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
        integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
        affects by specifying a heap range: a begin...end pair that says that the operation
        affects all abstract heaps H such that begin <= H < end.

        This peculiar scheme was a deliberate attempt to distill what the abstract heap
        hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:

        - A heap's end is greater than its begin.
        - A heap's begin is greater than or equal to its parent's begin.
        - A heap's end is less than or equal to its parent's end.

        This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
        went for the iterative traversal, which is a splendid algorithm, but it's totally
        unnecessary here since we tightly control the height of the heap hierarchy.

        Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
        generate new ones for field names and constant indices we encounter, we can't actually
        decorate the B3 instructions we create in lowering until all lowering is done. Adding a
        new abstract heap to the hierarchy after ranges were already computed would require
        updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
        patch solves that problem by recording the associations between abstract heaps and their
        intended roles in the generated IR, and then decorating all of the relevant B3 values
        after we compute the ranges of the hierarchy after lowering.

        This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
        speed-up on any benchmark. That's not too surprising. We already have very precise CSE
        in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
        already been getting the big ones even without alias analysis.

        Even without a speed-up, this patch is valuable because it makes it easier to implement
        other optimizations, like store elimination.

        (JSC::B3::HeapRange::HeapRange):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::changeParent):
        (JSC::FTL::AbstractHeap::compute):
        (JSC::FTL::AbstractHeap::shallowDump):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractHeap::deepDump):
        (JSC::FTL::AbstractHeap::badRangeError):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        (JSC::FTL::IndexedAbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
        (JSC::FTL::AbstractField::dump): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::isInitialized):
        (JSC::FTL::AbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::parent):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::AbstractHeap::range):
        (JSC::FTL::AbstractHeap::offset):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::IndexedAbstractHeap::at):
        (JSC::FTL::IndexedAbstractHeap::operator[]):
        (JSC::FTL::IndexedAbstractHeap::returnInitialized):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
        (JSC::FTL::AbstractHeap::changeParent): Deleted.
        (JSC::FTL::AbstractField::AbstractField): Deleted.
        (JSC::FTL::AbstractField::initialize): Deleted.
        (JSC::FTL::AbstractField::offset): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forArrayType):
        (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        (JSC::FTL::Output::baseIndex):
        (JSC::FTL::Output::address):
        (JSC::FTL::Output::absolute):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::load32):
        (JSC::FTL::Output::load64):
        (JSC::FTL::Output::loadPtr):
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::store32):
        (JSC::FTL::Output::store64):
        (JSC::FTL::Output::storePtr):
        (JSC::FTL::Output::storeDouble):
        (JSC::FTL::Output::ascribeRange):
        (JSC::FTL::Output::nonNegative32):
        (JSC::FTL::Output::load32NonNegative):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::operator!):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::value):
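As an added example (not WebKit's FTLAbstractHeap or B3 code), the range numbering and alias test described in the entry above, run over a made-up heap hierarchy with the deferred decoration step the entry explains; reserving one unit per heap before its children is an assumption, one of several numberings that satisfy the three invariants.

```javascript
// Added example: number an abstract-heap hierarchy with B3-style [begin, end)
// ranges, use the ranges as an alias test, and decorate IR values only after
// every heap created during lowering is known. Heap names are constructed.

class AbstractHeap {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.begin = 0;  // assigned by computeRanges
    this.end = 0;
    if (parent) parent.children.push(this);
  }
}

// Recursive traversal assigning ranges such that
//   end > begin, begin >= parent.begin, end <= parent.end.
// Each heap reserves one unit for itself before its children (assumed scheme),
// so a heap is non-empty even when it has no children. Returns the next unused
// heap number so the caller can place the next sibling "to the right".
function computeRanges(heap, begin = 0) {
  heap.begin = begin;
  let next = begin + 1;
  for (const child of heap.children) next = computeRanges(child, next);
  heap.end = next;
  return next;
}

// Two memory operations may alias iff their heap ranges overlap.
// Works on anything with begin/end, i.e. both heaps and decorated ranges.
function mayAlias(a, b) {
  return a.begin < b.end && b.begin < a.end;
}

// Check the three invariants over the whole hierarchy.
function rangesAreValid(heap) {
  if (!(heap.end > heap.begin)) return false;
  if (heap.parent && (heap.begin < heap.parent.begin || heap.end > heap.parent.end)) return false;
  return heap.children.every(rangesAreValid);
}

// Lowering creates heaps on the fly (per field name or constant index), so
// ranges cannot be final until lowering ends. Record (value, heap) pairs while
// lowering, compute ranges once at the end, then decorate every recorded value.
function lowerAndDecorate() {
  const root = new AbstractHeap("root");
  const cell = new AbstractHeap("JSCell", root);
  const structureID = new AbstractHeap("JSCell_structureID", cell);
  const object = new AbstractHeap("JSObject", root);
  const butterfly = new AbstractHeap("JSObject_butterfly", object);
  const indexed = new AbstractHeap("IndexedContiguousProperties", root);

  const pending = [];  // associations awaiting decoration
  const emitLoad = (name, heap) => {
    const value = { name, range: null };  // stand-in for a B3 memory value
    pending.push({ value, heap });
    return value;
  };

  const loads = [
    emitLoad("load-structureID", structureID),
    emitLoad("load-butterfly", butterfly),
    // These two heaps appear only now, after earlier loads were emitted.
    emitLoad("load-index-0", new AbstractHeap("IndexedContiguousProperties[0]", indexed)),
    emitLoad("load-index-1", new AbstractHeap("IndexedContiguousProperties[1]", indexed)),
  ];

  computeRanges(root);  // only now is the hierarchy complete
  for (const { value, heap } of pending) value.range = { begin: heap.begin, end: heap.end };

  return { root, cell, structureID, object, butterfly, indexed, loads };
}
```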
2016-02-28 Skachkov Oleksandr <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
        https://bugs.webkit.org/show_bug.cgi?id=153981

        Reviewed by Saam Barati.

        In the first iteration of the arrow function implementation, we emitted loads and stores of the variables
        'this', 'arguments', 'super', and 'new.target' whenever an arrow function existed, even if the variables were
        not used in the arrow function. The current patch adds logic that prevents emitting those variables if they
        are not used in the arrow function. During syntax analysis, the parser stores information about the variables
        used in the arrow function inside the ordinary function scope and then passes it to the BytecodeGenerator
        through UnlinkedCodeBlock.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::usesSuperCall):
        (JSC::ASTBuilder::usesSuperProperty):
        (JSC::ASTBuilder::makeFunctionCallNode):
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
        (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
        (JSC::ScopeNode::usesSuperCall):
        (JSC::ScopeNode::usesSuperProperty):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Scope::isArrowFunctionBoundary):
        (JSC::Scope::innerArrowFunctionFeatures):
        (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
        (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
        (JSC::Scope::setInnerArrowFunctionUsesEval):
        (JSC::Scope::setInnerArrowFunctionUsesThis):
        (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
        (JSC::Scope::setInnerArrowFunctionUsesArguments):
        (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsArrowFunction):
        (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser<LexerType>::parse):
        * parser/ParserModes.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
        * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
        * tests/stress/arrowfunction-lexical-bind-newtarget.js:
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:
        * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
2016-02-28 Saam barati <sbarati@apple.com>

        ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
        https://bugs.webkit.org/show_bug.cgi?id=154768

        Reviewed by Ryosuke Niwa.

        This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
        http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
        We weren't correctly propagating the result of this operation to the
        out PropertySlot& parameter. This patch fixes that and adds tests.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        I added a missing exception check after object allocation
        because I saw that it was missing while reading the code.

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setUndefined):
        (JSC::PropertyDescriptor::slowGetterSetter):
        (JSC::PropertyDescriptor::getter):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::attributes):
        (JSC::PropertyDescriptor::value):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        * tests/stress/proxy-get-own-property.js:
        (let.handler.getOwnPropertyDescriptor):
        (set get let.handler.return):
        (set get let.handler.getOwnPropertyDescriptor):
2016-02-27 Andy VanWagoner <thetalecrafter@gmail.com>

        Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
        https://bugs.webkit.org/show_bug.cgi?id=152448

        Reviewed by Darin Adler.

        Add defaultLanguage to the globalObjectMethodTable and use it for the
        default locale in Intl object initializations. Fall back to ICU default
        locale only if the defaultLanguage function is null, or returns an

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringPrototype.cpp:
2016-02-27 Oliver Hunt <oliver@apple.com>

        * jit/ExecutableAllocatorFixedVMPool.cpp:
2016-02-26 Oliver Hunt <oliver@apple.com>

        Remove the on demand executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=154749

        Reviewed by Geoffrey Garen.

        Remove all the DemandExecutable code and executable allocator ifdefs.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.cpp: Removed.
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
        (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
        (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
        (JSC::DemandExecutableAllocator::allocators): Deleted.
        (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
        (JSC::ExecutableAllocator::initializeAllocator): Deleted.
        (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::isValid): Deleted.
        (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
        (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
        (JSC::ExecutableAllocator::allocate): Deleted.
        (JSC::ExecutableAllocator::committedByteCount): Deleted.
        (JSC::ExecutableAllocator::dumpProfile): Deleted.
        (JSC::ExecutableAllocator::getLock): Deleted.
        (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2016-02-26 Joseph Pecoraro <pecoraro@apple.com>

        Reduce direct callers of Structure::findStructuresAndMapForMaterialization
        https://bugs.webkit.org/show_bug.cgi?id=154751

        Reviewed by Mark Lam.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        This property name iteration is identical to Structure::forEachPropertyConcurrently.
        Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
2016-02-26 Mark Lam <mark.lam@apple.com>

        Function.name and Function.length should be configurable.
        https://bugs.webkit.org/show_bug.cgi?id=154604

        Reviewed by Saam Barati.

        According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
        "Unless otherwise specified, the name property of a built-in Function object,
        if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
        [[Configurable]]: true }."

        Similarly, "the length property of a built-in Function object has the attributes
        { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."

        This patch makes Function.name and Function.length configurable.

        We do this by lazily reifying the JSFunction name and length properties on first
        access. We track whether each of these properties have been reified using flags
        in the FunctionRareData. On first access, if not already reified, we will put
        the property into the object with its default value and attributes and set the
        reified flag. Thereafter, we rely on the base JSObject to handle access to the

        Also, lots of test results have to be re-baselined because the old Function.length
        has attribute DontDelete, which is in conflict with the ES6 requirement that it

        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::hasReifiedLength):
        (JSC::FunctionRareData::setHasReifiedLength):
        (JSC::FunctionRareData::hasReifiedName):
        (JSC::FunctionRareData::setHasReifiedName):
        - Flags for tracking whether each property has been reified.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::createBuiltinFunction):
        - Host and builtin functions currently always reify their name and length
          properties. Currently, for builtins, the default names that are used may
          differ from the executable name. For now, we'll stay with keeping this
          alternate approach to getting the name and length properties for host and
          However, we need their default attribute to be configurable as well.

        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::lengthGetter): Deleted.
        (JSC::JSFunction::nameGetter): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::hasReifiedLength):
        (JSC::JSFunction::hasReifiedName):

        - 4 new passing tests.

        * tests/mozilla/ecma/Array/15.4.4.3-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-2.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
        * tests/mozilla/ecma/String/15.5.4.10-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-5.js:
        * tests/mozilla/ecma/String/15.5.4.12-1.js:
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        * tests/mozilla/ecma/String/15.5.4.7-2.js:
        * tests/mozilla/ecma/String/15.5.4.8-1.js:
        * tests/mozilla/ecma/String/15.5.4.9-1.js:
        - Rebase expected test results.

        * tests/stress/function-configurable-properties.js: Added.
2016-02-26 Keith Miller <keith_miller@apple.com>

        Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
        https://bugs.webkit.org/show_bug.cgi?id=154743

        Reviewed by Mark Lam.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
2016-02-26 Keith Miller <keith_miller@apple.com>

        Native Typed Array functions should use Symbol.species
        https://bugs.webkit.org/show_bug.cgi?id=154569

        Reviewed by Michael Saboff.

        This patch adds support for Symbol.species in the native Typed Array prototype
        functions. Additionally, now that other types of typed arrays are creatable inside
        the slice we use the JSGenericTypedArrayView::set function, which has been beefed
        up, to put everything into the correct place.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::set):
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        * tests/stress/typedarray-slice.js:
        (subclasses.typedArrays.map):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
        (testSpeciesWithSameBuffer):
        * tests/stress/typedarray-subarray.js: Added.
        (subclasses.typedArrays.map):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
2016-02-26 Benjamin Poulain <bpoulain@apple.com>

        [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
        https://bugs.webkit.org/show_bug.cgi?id=154704

        Reviewed by Geoffrey Garen.

        If the Imm is zero, we should still zero the top bits
        to match the definition in AirOpcodes.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
2016-02-26 Oliver Hunt <oliver@apple.com>

        Make testRegExp not crash when given an invalid regexp
        https://bugs.webkit.org/show_bug.cgi?id=154732

        Reviewed by Mark Lam.
2016-02-26 Benjamin Poulain <benjamin@webkit.org>

        [JSC] Add the test for r197155
        https://bugs.webkit.org/show_bug.cgi?id=154715

        Reviewed by Mark Lam.

        Silly me. I forgot the test in the latest patch update.

        * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
2016-02-26 Yusuke Suzuki <utatane.tea@gmail.com>

        [DFG] Drop unnecessary proved type branch in ToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=154716

        Reviewed by Geoffrey Garen.

        This branching based on the proved types is unnecessary because this is already handled in the constant folding phase.
        In fact, the DFGSpeculativeJIT64.cpp case was already removed in r164243.
        This patch removes the remaining JIT32_64 case.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
2016-02-25 Benjamin Poulain <bpoulain@apple.com>

        [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
        https://bugs.webkit.org/show_bug.cgi?id=154575

        Reviewed by Filip Pizlo.

        I noticed that imaging-gaussian-blur spends most of its
        samples in DFG code despite executing most of the loop

        On this particular test, the main function is only entered
        once and has a very heavy loop there. What happens is DFG
        starts by compiling the full function in FTL. That takes about
        8 to 10 milliseconds during which the DFG code makes very little
        progress. The calls to triggerOSREntryNow() try to OSR Enter
        for a while then finally start compiling something. By the time
        the function is ready, we have wasted a lot of time in DFG code.

        What this patch does is set a flag when a DFG function is entered.
        If we try to triggerOSREntryNow() and the flag was never set,
        we start compiling both the full function and the one for OSR Entry.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::Plan::Plan): Deleted.
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
2016-02-25 Benjamin Poulain <benjamin@webkit.org>

        [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
        https://bugs.webkit.org/show_bug.cgi?id=154664

        Reviewed by Saam Barati.

        When doing OSR Enter into a constructor, we lose the information
        that this may have been set to empty by a previously executed block.

        All the code just assumed the type for a FlushedJS value and thus
        not an empty value. It was then okay to eliminate the TDZ checks.

        In this patch, the values on root entry now assume they may be empty.
        As a result, the SetArgument() for "this" has "empty" as possible
        type and the TDZ checks are no longer eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
2016-02-25 Ada Chan <adachan@apple.com>

        Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
        https://bugs.webkit.org/show_bug.cgi?id=154702

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:
2016-02-25 Saam barati <sbarati@apple.com>

        [ES6] for...in iteration doesn't comply with the specification
        https://bugs.webkit.org/show_bug.cgi?id=154665

        Reviewed by Michael Saboff.

        If you read ForIn/OfHeadEvaluation inside the spec:
        https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
        It calls EnumerateObjectProperties(obj) to get a set of properties
        to enumerate over (it models this "set" as an ES6 generator function).
        EnumerateObjectProperties is defined in section 13.7.5.15:
        https://tc39.github.io/ecma262/#sec-enumerate-object-properties
        The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
        properties it sees. We must do the same by modeling the operation as
        a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasPropertyGeneric):
        * runtime/JSObject.h:
        * tests/stress/proxy-get-own-property.js:
        (let.handler.getOwnPropertyDescriptor):
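An added example, not JavaScriptCore's code or its test: the spec's EnumerateObjectProperties written as the ES6 generator the entry above refers to, run over a constructed Proxy whose handler logs which traps fire, so that the [[GetOwnProperty]] rather than [[HasProperty]] point is observable in both the key order and the trap log.

```javascript
// Added example: EnumerateObjectProperties (ECMAScript section 13.7.5.15) as a
// generator. Enumeration and shadowing are decided by [[GetOwnProperty]]; the
// has trap is never consulted. The Proxy and its handler are constructed here.

function* enumerateObjectProperties(obj) {
  const visited = new Set();
  for (const key of Reflect.ownKeys(obj)) {
    if (typeof key === "symbol") continue;  // for-in yields string keys only
    // [[GetOwnProperty]], not [[HasProperty]]: a Proxy's getOwnPropertyDescriptor trap decides.
    const desc = Reflect.getOwnPropertyDescriptor(obj, key);
    if (desc !== undefined) {
      visited.add(key);          // an own property shadows same-named prototype keys
      if (desc.enumerable) yield key;
    }
  }
  const proto = Reflect.getPrototypeOf(obj);
  if (proto === null) return;
  for (const protoKey of enumerateObjectProperties(proto)) {
    if (!visited.has(protoKey)) yield protoKey;
  }
}

// A Proxy whose handler hides one configurable own property from
// [[GetOwnProperty]] (allowed by the Proxy invariants because the target
// property is configurable and the target is extensible) and logs every trap.
function enumerateThroughProxy() {
  const traps = [];
  const proto = { fromProto: 1, hidden: "visible-through-proto" };
  const target = Object.create(proto);
  target.own = 1;
  target.hidden = "own";
  Object.defineProperty(target, "nonEnum", { value: 2, enumerable: false, configurable: true });

  const proxy = new Proxy(target, {
    has(t, key) { traps.push(`has:${String(key)}`); return Reflect.has(t, key); },
    ownKeys(t) { traps.push("ownKeys"); return Reflect.ownKeys(t); },
    getOwnPropertyDescriptor(t, key) {
      traps.push(`getOwnPropertyDescriptor:${String(key)}`);
      if (key === "hidden") return undefined;  // report it absent; it is configurable on the target
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    getPrototypeOf(t) { traps.push("getPrototypeOf"); return Reflect.getPrototypeOf(t); },
  });

  return { keys: [...enumerateObjectProperties(proxy)], traps };
}
```

Because the trap hid "hidden" from [[GetOwnProperty]], it neither enumerates as an own key nor shadows the prototype's "hidden", which therefore appears; a [[HasProperty]]-based check would have reported it present and produced a different result.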
2016-02-25 Saam barati <sbarati@apple.com>

        [ES6] Implement Proxy.[[Set]]
        https://bugs.webkit.org/show_bug.cgi?id=154511

        Reviewed by Filip Pizlo.

        This patch is mostly an implementation of
        Proxy.[[Set]] with respect to section 9.5.9
        of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver

        This patch also changes JSObject::putInline and JSObject::putByIndex
        to be aware that a Proxy in the prototype chain will intercept

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        (JSC::JSObject::putInline):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::put):
        (JSC::ProxyObject::putByIndexCommon):
        (JSC::ProxyObject::putByIndex):
        (JSC::performProxyCall):
        (JSC::ProxyObject::getCallData):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::deletePropertyByIndex):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        (JSC::ProxyObject::createStructure):
        (JSC::ProxyObject::target):
        (JSC::ProxyObject::handler):
        * tests/stress/proxy-set.js: Added.
        (throw.new.Error.let.handler.set 45):
813 2016-02-25 Benjamin Poulain <bpoulain@apple.com>
815 [JSC] Remove a useless "Move" in the lowering of Select
816 https://bugs.webkit.org/show_bug.cgi?id=154670
818 Reviewed by Geoffrey Garen.
820 I left the Move instruction when creating the aliasing form
823 On ARM64, that meant a useless move for any case that can't
826 On x86, that meant an extra constraint on child2, making it
827 stupidly hard to alias child1.
829 * b3/B3LowerToAir.cpp:
830 (JSC::B3::Air::LowerToAir::createSelect): Deleted.
832 2016-02-24 Joseph Pecoraro <pecoraro@apple.com>
834 Web Inspector: Expose Proxy target and handler internal properties to Inspector
835 https://bugs.webkit.org/show_bug.cgi?id=154663
837 Reviewed by Timothy Hatcher.
839 * inspector/JSInjectedScriptHost.cpp:
840 (Inspector::JSInjectedScriptHost::getInternalProperties):
841 Expose the ProxyObject's target and handler.
843 2016-02-24 Nikos Andronikos <nikos.andronikos-webkit@cisra.canon.com.au>
845 [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
846 https://bugs.webkit.org/show_bug.cgi?id=151688
848 Reviewed by Dean Jackson.
850 Enables the WEB_ANIMATIONS compiler switch.
852 * Configurations/FeatureDefines.xcconfig:
854 2016-02-24 Konstantin Tokarev <annulen@yandex.ru>
856 [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
857 https://bugs.webkit.org/show_bug.cgi?id=154651
859 Reviewed by Alex Christensen.
861 * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
863 2016-02-24 Commit Queue <commit-queue@webkit.org>
865 Unreviewed, rolling out r197033.
866 https://bugs.webkit.org/show_bug.cgi?id=154649
868 "It broke JSC tests when 'this' was loaded from global scope"
869 (Requested by saamyjoon on #webkit).
873 "[ES6] Arrow function syntax. Emit loading&putting this/super
874 only if they are used in arrow function"
875 https://bugs.webkit.org/show_bug.cgi?id=153981
876 http://trac.webkit.org/changeset/197033
878 2016-02-24 Saam Barati <sbarati@apple.com>
880 [ES6] Implement Proxy.[[Delete]]
881 https://bugs.webkit.org/show_bug.cgi?id=154607
883 Reviewed by Mark Lam.
885 This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
886 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
888 * runtime/ProxyObject.cpp:
889 (JSC::ProxyObject::getConstructData):
890 (JSC::ProxyObject::performDelete):
891 (JSC::ProxyObject::deleteProperty):
892 (JSC::ProxyObject::deletePropertyByIndex):
893 * runtime/ProxyObject.h:
895 * tests/stress/proxy-delete.js: Added.
897 (throw.new.Error.let.handler.get deleteProperty):
899 (assert.let.handler.deleteProperty):
900 (let.handler.deleteProperty):
902 2016-02-24 Filip Pizlo <fpizlo@apple.com>
904 Stackmaps have problems with double register constraints
905 https://bugs.webkit.org/show_bug.cgi?id=154643
907 Reviewed by Geoffrey Garen.
909 This is currently a benign bug. I found it while playing.
911 * b3/B3LowerToAir.cpp:
912 (JSC::B3::Air::LowerToAir::fillStackmap):
914 (JSC::B3::testURShiftSelf64):
915 (JSC::B3::testPatchpointDoubleRegs):
919 2016-02-24 Skachkov Oleksandr <gskachkov@gmail.com>
921 [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
922 https://bugs.webkit.org/show_bug.cgi?id=153981
924 Reviewed by Saam Barati.
926 In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
927 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
928 The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
929 During syntax analysis the parser stores information about the variables used in the arrow function inside
930 the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
932 * bytecode/ExecutableInfo.h:
933 (JSC::ExecutableInfo::ExecutableInfo):
934 (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
935 * bytecode/UnlinkedCodeBlock.cpp:
936 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
937 * bytecode/UnlinkedCodeBlock.h:
938 (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
939 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
940 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
941 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
942 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
943 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
944 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
945 * bytecode/UnlinkedFunctionExecutable.cpp:
946 (JSC::generateUnlinkedFunctionCodeBlock):
947 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
948 * bytecode/UnlinkedFunctionExecutable.h:
949 * bytecompiler/BytecodeGenerator.cpp:
950 (JSC::BytecodeGenerator::BytecodeGenerator):
951 (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
952 (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
953 (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
954 (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
955 (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
956 (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
957 (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
958 (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
959 (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
960 (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
961 (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
962 (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
963 * bytecompiler/BytecodeGenerator.h:
964 * bytecompiler/NodesCodegen.cpp:
965 (JSC::ThisNode::emitBytecode):
966 (JSC::EvalFunctionCallNode::emitBytecode):
967 (JSC::FunctionCallValueNode::emitBytecode):
968 (JSC::FunctionNode::emitBytecode):
969 * parser/ASTBuilder.h:
970 (JSC::ASTBuilder::createFunctionMetadata):
972 (JSC::FunctionMetadataNode::FunctionMetadataNode):
975 (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
976 (JSC::Parser<LexerType>::parseFunctionBody):
977 (JSC::Parser<LexerType>::parseFunctionInfo):
978 (JSC::Parser<LexerType>::parseProperty):
979 (JSC::Parser<LexerType>::parsePrimaryExpression):
980 (JSC::Parser<LexerType>::parseMemberExpression):
983 (JSC::Scope::isArrowFunctionBoundary):
984 (JSC::Scope::innerArrowFunctionFeatures):
985 (JSC::Scope::setInnerArrowFunctionUseSuperCall):
986 (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
987 (JSC::Scope::setInnerArrowFunctionUseEval):
988 (JSC::Scope::setInnerArrowFunctionUseThis):
989 (JSC::Scope::setInnerArrowFunctionUseNewTarget):
990 (JSC::Scope::setInnerArrowFunctionUseArguments):
991 (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
992 (JSC::Scope::collectFreeVariables):
993 (JSC::Scope::mergeInnerArrowFunctionFeatures):
994 (JSC::Scope::fillParametersForSourceProviderCache):
995 (JSC::Scope::restoreFromSourceProviderCache):
996 (JSC::Scope::setIsFunction):
997 (JSC::Scope::setIsArrowFunction):
998 (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
999 (JSC::Parser::pushScope):
1000 (JSC::Parser::popScopeInternal):
1001 * parser/ParserModes.h:
1002 * parser/SourceProviderCacheItem.h:
1003 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1004 * parser/SyntaxChecker.h:
1005 (JSC::SyntaxChecker::createFunctionMetadata):
1006 * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1007 * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1008 * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1009 * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1010 * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1012 2016-02-23 Brian Burg <bburg@apple.com>
1014 Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1015 https://bugs.webkit.org/show_bug.cgi?id=154615
1016 <rdar://problem/24804330>
1018 Reviewed by Timothy Hatcher.
1020 Some of the generated Objective-C bindings are only relevant to code acting as the
1021 protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1022 --backend to all generators. Use the setting in a few generators to omit code that's
1025 Also fix a few places where the code emits the wrong Objective-C class prefix.
1026 There is some common non-generated code that must always have the RWIProtocol prefix.
1028 Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1029 macros defined in the internal header now need to be used outside of the framework.
1031 * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1032 Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1033 depending on the target framework.
1035 * inspector/scripts/codegen/generate_objc_header.py:
1036 (ObjCHeaderGenerator.generate_output):
1037 For now, omit generating command protocol and event dispatchers when generating for --frontend.
1039 (ObjCHeaderGenerator._generate_type_interface):
1040 Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1042 * inspector/scripts/codegen/generate_objc_internal_header.py:
1043 Use RWIProtocolJSONObjectPrivate.h instead.
1045 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1046 (ObjCProtocolTypesImplementationGenerator.generate_output):
1047 Include the Internal header if it's being generated (only for --backend).
1049 * inspector/scripts/codegen/generator.py:
1050 (Generator.__init__):
1051 (Generator.set_generator_setting):
1053 (Generator.get_generator_setting):
1054 Crib a simple setting system from the Framework class. Make the names more obnoxious.
1056 (Generator.string_for_file_include):
1057 Inspired by the replay input generator, this is a function that uses the proper syntax
1058 for a file include depending on the file's framework and target framework.
1060 * inspector/scripts/codegen/objc_generator.py:
1061 (ObjCGenerator.and):
1062 (ObjCGenerator.and.objc_prefix):
1064 (ObjCGenerator.objc_type_for_raw_name):
1065 (ObjCGenerator.objc_class_for_raw_name):
1066 Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1068 * inspector/scripts/generate-inspector-protocol-bindings.py:
1069 (generate_from_specification):
1070 Change the generators to use for the frontend. Propagate --frontend and --backend.
1072 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1073 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1074 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1075 * inspector/scripts/tests/expected/enum-values.json-result:
1076 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1077 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1078 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1079 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1080 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1081 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1082 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1083 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1084 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1085 Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1087 2016-02-23 Saam barati <sbarati@apple.com>
1089 arrayProtoFuncConcat doesn't check for an exception after allocating an array
1090 https://bugs.webkit.org/show_bug.cgi?id=154621
1092 Reviewed by Michael Saboff.
1094 * runtime/ArrayPrototype.cpp:
1095 (JSC::arrayProtoFuncConcat):
1097 2016-02-23 Dan Bernstein <mitz@apple.com>
1099 [Xcode] Linker errors display mangled names, but no longer should
1100 https://bugs.webkit.org/show_bug.cgi?id=154632
1102 Reviewed by Sam Weinig.
1104 * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1106 2016-02-23 Gavin Barraclough <barraclough@apple.com>
1108 Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1109 https://bugs.webkit.org/show_bug.cgi?id=112323
1111 Reviewed by Chris Dumez.
1113 This feature is controlled by a runtime switch, and defaults off.
1115 * Configurations/FeatureDefines.xcconfig:
1117 2016-02-23 Keith Miller <keith_miller@apple.com>
1119 JSC stress tests' standalone-pre.js should exit on the first failure by default
1120 https://bugs.webkit.org/show_bug.cgi?id=154565
1122 Reviewed by Mark Lam.
1124 Currently, if a test writer does not call finishJSTest() at the end of
1125 any test using stress/resources/standalone-pre.js then the test can fail
1126 without actually reporting an error to the harness. By default, we
1127 should throw on the first error so, in the event someone does not call
1128 finishJSTest() the harness will still notice the error.
1130 * tests/stress/regress-151324.js:
1131 * tests/stress/resources/standalone-pre.js:
1134 2016-02-23 Saam barati <sbarati@apple.com>
1136 Make JSObject::getMethod have fewer branches
1137 https://bugs.webkit.org/show_bug.cgi?id=154603
1139 Reviewed by Mark Lam.
1141 Writing code with fewer branches is almost always better.
1143 * runtime/JSObject.cpp:
1144 (JSC::JSObject::getMethod):
1146 2016-02-23 Filip Pizlo <fpizlo@apple.com>
1148 B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1149 https://bugs.webkit.org/show_bug.cgi?id=154592
1151 Reviewed by Saam Barati.
1153 If Foo has a virtual destructor, then:
1155 foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1156 subclass of Foo that overrides the destructor, this syntax will not call that override.
1158 foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1159 get the subclass's override.
1161 In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1162 This caused leaks because this didn't actually call the subclass's override. This fixes the
1163 problem by using this->~Value() instead.
1165 * b3/B3ControlValue.cpp:
1166 (JSC::B3::ControlValue::convertToJump):
1167 (JSC::B3::ControlValue::convertToOops):
1169 (JSC::B3::Value::replaceWithIdentity):
1170 (JSC::B3::Value::replaceWithNop):
1171 (JSC::B3::Value::replaceWithPhi):
1173 2016-02-23 Brian Burg <bburg@apple.com>
1175 Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1176 https://bugs.webkit.org/show_bug.cgi?id=154596
1177 <rdar://problem/24794962>
1179 Reviewed by Timothy Hatcher.
1181 In order to support different generated protocol sets that don't have conflicting
1182 file and type names, allow the Objective-C prefix to be configurable based on the
1183 target framework. Each name also has the implicit prefix 'Protocol' appended to the
1184 per-target framework prefix.
1186 For example, the existing protocol for remote inspection has the prefix 'RWI'
1187 and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1188 and is generated as 'AutomationProtocol'.
1190 To make this change, convert ObjCGenerator to be a subclass of Generator and use
1191 the instance method model() to find the target framework and its setting for
1192 'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1193 these instance methods that used to be static methods. This is a large but
1194 mechanical change to use self instead of ObjCGenerator.
1196 * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1197 (ObjCBackendDispatcherHeaderGenerator):
1198 (ObjCBackendDispatcherHeaderGenerator.__init__):
1199 (ObjCBackendDispatcherHeaderGenerator.output_filename):
1200 (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1201 (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1202 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1203 (ObjCConfigurationImplementationGenerator):
1204 (ObjCConfigurationImplementationGenerator.__init__):
1205 (ObjCConfigurationImplementationGenerator.output_filename):
1206 (ObjCConfigurationImplementationGenerator.generate_output):
1207 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1208 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1209 (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1210 * inspector/scripts/codegen/generate_objc_configuration_header.py:
1211 (ObjCConfigurationHeaderGenerator):
1212 (ObjCConfigurationHeaderGenerator.__init__):
1213 (ObjCConfigurationHeaderGenerator.output_filename):
1214 (ObjCConfigurationHeaderGenerator.generate_output):
1215 (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1216 (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1217 * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1218 (ObjCBackendDispatcherImplementationGenerator):
1219 (ObjCBackendDispatcherImplementationGenerator.__init__):
1220 (ObjCBackendDispatcherImplementationGenerator.output_filename):
1221 (ObjCBackendDispatcherImplementationGenerator.generate_output):
1222 (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1223 (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1224 (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1225 (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1226 * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1227 (ObjCConversionHelpersGenerator):
1228 (ObjCConversionHelpersGenerator.__init__):
1229 (ObjCConversionHelpersGenerator.output_filename):
1230 (ObjCConversionHelpersGenerator.generate_output):
1231 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1232 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1233 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1234 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1235 (ObjCFrontendDispatcherImplementationGenerator):
1236 (ObjCFrontendDispatcherImplementationGenerator.__init__):
1237 (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1238 (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1239 (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1240 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1241 (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1242 (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1243 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1244 * inspector/scripts/codegen/generate_objc_header.py:
1245 (ObjCHeaderGenerator):
1246 (ObjCHeaderGenerator.__init__):
1247 (ObjCHeaderGenerator.output_filename):
1248 (ObjCHeaderGenerator.generate_output):
1249 (ObjCHeaderGenerator._generate_forward_declarations):
1250 (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1251 (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1252 (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1253 (ObjCHeaderGenerator._generate_type_interface):
1254 (ObjCHeaderGenerator._generate_init_method_for_required_members):
1255 (ObjCHeaderGenerator._generate_member_property):
1256 (ObjCHeaderGenerator._generate_command_protocols):
1257 (ObjCHeaderGenerator._generate_single_command_protocol):
1258 (ObjCHeaderGenerator._callback_block_for_command):
1259 (ObjCHeaderGenerator._generate_event_interfaces):
1260 (ObjCHeaderGenerator._generate_single_event_interface):
1261 * inspector/scripts/codegen/generate_objc_internal_header.py:
1262 (ObjCInternalHeaderGenerator):
1263 (ObjCInternalHeaderGenerator.__init__):
1264 (ObjCInternalHeaderGenerator.output_filename):
1265 (ObjCInternalHeaderGenerator.generate_output):
1266 (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1267 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1268 (ObjCProtocolTypesImplementationGenerator):
1269 (ObjCProtocolTypesImplementationGenerator.__init__):
1270 (ObjCProtocolTypesImplementationGenerator.output_filename):
1271 (ObjCProtocolTypesImplementationGenerator.generate_output):
1272 (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1273 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1274 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1275 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1276 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1277 (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1278 * inspector/scripts/codegen/models.py:
1279 * inspector/scripts/codegen/objc_generator.py:
1280 (ObjCTypeCategory.category_for_type):
1282 (ObjCGenerator.__init__):
1283 (ObjCGenerator.objc_prefix):
1284 (ObjCGenerator.objc_name_for_type):
1285 (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1286 (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1287 (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1288 (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1289 (ObjCGenerator.objc_class_for_type):
1290 (ObjCGenerator.objc_class_for_array_type):
1291 (ObjCGenerator.objc_accessor_type_for_member):
1292 (ObjCGenerator.objc_accessor_type_for_member_internal):
1293 (ObjCGenerator.objc_type_for_member):
1294 (ObjCGenerator.objc_type_for_member_internal):
1295 (ObjCGenerator.objc_type_for_param):
1296 (ObjCGenerator.objc_type_for_param_internal):
1297 (ObjCGenerator.objc_protocol_export_expression_for_variable):
1298 (ObjCGenerator.objc_protocol_import_expression_for_member):
1299 (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1300 (ObjCGenerator.objc_protocol_import_expression_for_variable):
1301 (ObjCGenerator.objc_to_protocol_expression_for_member):
1302 (ObjCGenerator.protocol_to_objc_expression_for_member):
1304 Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1306 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1307 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1308 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1309 * inspector/scripts/tests/expected/enum-values.json-result:
1310 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1311 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1312 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1313 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1314 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1315 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1316 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1317 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1318 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1320 2016-02-23 Mark Lam <mark.lam@apple.com>
1322 Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1323 https://bugs.webkit.org/show_bug.cgi?id=154542
1325 Reviewed by Saam Barati.
1327 According to the spec, the constructors of the following types "are not intended
1328 to be called as a function and will throw an exception". These types are:
1329 TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1330 Map - https://tc39.github.io/ecma262/#sec-map-constructor
1331 Set - https://tc39.github.io/ecma262/#sec-set-constructor
1332 WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1333 WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1334 ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1335 DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1336 Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1337 Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1339 This patch does the following:
1340 1. Ensures that these constructors can be called but will throw a TypeError
1342 2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1343 in their implementation to be consistent.
1344 3. Change the error message to "calling XXX constructor without new is invalid".
1345 This is clearer because the error is likely due to the user forgetting to use
1346 the new operator on these constructors.
1349 * runtime/Error.cpp:
1350 (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1351 - Added a convenience function to throw the TypeError.
1353 * runtime/JSArrayBufferConstructor.cpp:
1354 (JSC::constructArrayBuffer):
1355 (JSC::callArrayBuffer):
1356 (JSC::JSArrayBufferConstructor::getCallData):
1357 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1358 (JSC::callGenericTypedArrayView):
1359 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1360 * runtime/JSPromiseConstructor.cpp:
1362 * runtime/MapConstructor.cpp:
1364 * runtime/ProxyConstructor.cpp:
1366 (JSC::ProxyConstructor::getCallData):
1367 * runtime/SetConstructor.cpp:
1369 * runtime/WeakMapConstructor.cpp:
1371 * runtime/WeakSetConstructor.cpp:
1375 - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
1377 * tests/stress/call-non-calleable-constructors-as-function.js: Added.
1380 * tests/stress/map-constructor.js:
1381 (testCallTypeError):
1382 * tests/stress/promise-cannot-be-called.js:
1384 * tests/stress/proxy-basic.js:
1385 * tests/stress/set-constructor.js:
1386 * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
1388 * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
1390 * tests/stress/throw-from-ftl-call-ic-slow-path.js:
1392 * tests/stress/weak-map-constructor.js:
1393 (testCallTypeError):
1394 * tests/stress/weak-set-constructor.js:
1395 - Updated error message string.
1397 2016-02-23 Alexey Proskuryakov <ap@apple.com>
1401 Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
1403 * inspector/InspectorBackendDispatcher.h:
1405 2016-02-23 Brian Burg <bburg@apple.com>
1407 Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
1408 https://bugs.webkit.org/show_bug.cgi?id=154518
1409 <rdar://problem/24761096>
1411 Reviewed by Timothy Hatcher.
1413 * inspector/InspectorBackendDispatcher.h:
1414 Export all the classes since they are used by WebKit::WebAutomationSession.
1416 2016-02-22 Brian Burg <bburg@apple.com>
1418 Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1419 https://bugs.webkit.org/show_bug.cgi?id=154509
1420 <rdar://problem/24759098>
1422 Reviewed by Timothy Hatcher.
1424 Add a new 'WebKit' framework, which is used to generate protocol code
1427 Add --backend and --frontend flags to the main generator script.
1428 These allow a framework to trigger two different sets of generators
1429 so they can be separately generated and compiled.
1431 * inspector/scripts/codegen/models.py:
1432 (Framework.fromString):
1433 (Frameworks): Add new framework.
1435 * inspector/scripts/generate-inspector-protocol-bindings.py:
1436 If neither --backend nor --frontend is specified, assume both are wanted.
1437 This matches the behavior for JavaScriptCore and WebInspector frameworks.
1439 (generate_from_specification):
1440 Generate C++ files for the backend and Objective-C files for the frontend.
1442 2016-02-22 Saam barati <sbarati@apple.com>
1444 JSGlobalObject doesn't visit ProxyObjectStructure during GC
1445 https://bugs.webkit.org/show_bug.cgi?id=154564
1447 Rubber stamped by Mark Lam.
1449 * runtime/JSGlobalObject.cpp:
1450 (JSC::JSGlobalObject::visitChildren):
1452 2016-02-22 Saam barati <sbarati@apple.com>
1454 InternalFunction::createSubclassStructure doesn't take into account that get() might throw
1455 https://bugs.webkit.org/show_bug.cgi?id=154548
1457 Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
1459 InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
1460 an exception. Neither the function nor the call sites of the function took this into
1461 account. This patch audits the call sites of the function to make it work in
1462 the event that an exception is thrown.
1464 * runtime/BooleanConstructor.cpp:
1465 (JSC::constructWithBooleanConstructor):
1466 * runtime/DateConstructor.cpp:
1467 (JSC::constructDate):
1468 * runtime/ErrorConstructor.cpp:
1469 (JSC::Interpreter::constructWithErrorConstructor):
1470 * runtime/FunctionConstructor.cpp:
1471 (JSC::constructFunctionSkippingEvalEnabledCheck):
1472 * runtime/InternalFunction.cpp:
1473 (JSC::InternalFunction::createSubclassStructure):
1474 * runtime/JSArrayBufferConstructor.cpp:
1475 (JSC::constructArrayBuffer):
1476 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1477 (JSC::constructGenericTypedArrayView):
1478 * runtime/JSGlobalObject.h:
1479 (JSC::constructEmptyArray):
1480 (JSC::constructArray):
1481 (JSC::constructArrayNegativeIndexed):
1482 * runtime/JSPromiseConstructor.cpp:
1483 (JSC::constructPromise):
1484 * runtime/MapConstructor.cpp:
1485 (JSC::constructMap):
1486 * runtime/NativeErrorConstructor.cpp:
1487 (JSC::Interpreter::constructWithNativeErrorConstructor):
1488 * runtime/NumberConstructor.cpp:
1489 (JSC::constructWithNumberConstructor):
1490 * runtime/RegExpConstructor.cpp:
1491 (JSC::getRegExpStructure):
1492 (JSC::constructRegExp):
1493 (JSC::constructWithRegExpConstructor):
1494 * runtime/SetConstructor.cpp:
1495 (JSC::constructSet):
1496 * runtime/StringConstructor.cpp:
1497 (JSC::constructWithStringConstructor):
1498 (JSC::StringConstructor::getConstructData):
1499 * runtime/WeakMapConstructor.cpp:
1500 (JSC::constructWeakMap):
1501 * runtime/WeakSetConstructor.cpp:
1502 (JSC::constructWeakSet):
1503 * tests/stress/create-subclass-structure-might-throw.js: Added.
1506 2016-02-22 Ting-Wei Lan <lantw44@gmail.com>
1508 Fix build and implement functions to retrieve registers on FreeBSD
1509 https://bugs.webkit.org/show_bug.cgi?id=152258
1511 Reviewed by Michael Catanzaro.
1513 * heap/MachineStackMarker.cpp:
1514 (pthreadSignalHandlerSuspendResume):
1515 struct ucontext is not specified in POSIX and it is not available on
1516 FreeBSD. Replacing it with ucontext_t fixes the build problem.
1517 (JSC::MachineThreads::Thread::Registers::stackPointer):
1518 (JSC::MachineThreads::Thread::Registers::framePointer):
1519 (JSC::MachineThreads::Thread::Registers::instructionPointer):
1520 (JSC::MachineThreads::Thread::Registers::llintPC):
1521 * heap/MachineStackMarker.h:
1523 2016-02-22 Saam barati <sbarati@apple.com>
1525 JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
1526 https://bugs.webkit.org/show_bug.cgi?id=154552
1528 Reviewed by Mark Lam.
1530 ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
1531 They return false on a Proxy with internal [[Call]] and [[Construct]]
1532 properties. It seems safest, most forward-looking, and most adherent
1533 to the specification to check getCallData() and getConstructData() to
1534 implement these functions.
1536 * runtime/InternalFunction.cpp:
1537 (JSC::InternalFunction::createSubclassStructure):
1538 * runtime/JSCJSValueInlines.h:
1539 (JSC::JSValue::isFunction):
1540 (JSC::JSValue::isConstructor):
1542 2016-02-22 Keith Miller <keith_miller@apple.com>
1544 Bound functions should use the prototype of the function being bound
1545 https://bugs.webkit.org/show_bug.cgi?id=154195
1547 Reviewed by Geoffrey Garen.
1549 Per ES6, the result of Function.prototype.bind should have the same
1550 prototype as the function being bound. In order to avoid creating
1551 a new structure each time a function is bound we store the new
1552 structure in our structure map. However, we cannot currently store
1553 structures that have a different GlobalObject than their prototype.
1554 In the rare case that the GlobalObject differs or the prototype of
1555 the bindee is null we create a new structure each time. To further
1556 minimize new structures, as well as making structure lookup faster,
1557 we also store the structure in the RareData of the function we
1560 * runtime/FunctionRareData.cpp:
1561 (JSC::FunctionRareData::visitChildren):
1562 * runtime/FunctionRareData.h:
1563 (JSC::FunctionRareData::getBoundFunctionStructure):
1564 (JSC::FunctionRareData::setBoundFunctionStructure):
1565 * runtime/JSBoundFunction.cpp:
1566 (JSC::getBoundFunctionStructure):
1567 (JSC::JSBoundFunction::create):
1569 * tests/stress/bound-function-uses-prototype.js: Added.
1570 (testChangeProto.foo):
1573 * tests/stress/class-subclassing-function.js:
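Added illustration, not JavaScriptCore code and not part of the entry above: the ES2015 Function.prototype.bind behaviour the entry implements (a bound function takes the [[Prototype]] of the bindee, including the null-prototype case), checked in plain JavaScript that runs in any ES2015 engine. The class and function names are made up for the example.

```javascript
// Added illustration (not JavaScriptCore code): ES2015 19.2.3.2 gives a bound
// function the [[Prototype]] of the function being bound. All names below are
// made up for the example; runs with `node bound-prototype.js`.
'use strict';

// Ordinary function: the bound function still inherits from Function.prototype.
function boundOrdinaryFunction() {
  function f() {}
  return Object.getPrototypeOf(f.bind(null)) === Function.prototype;
}

// Subclass of Function: the bindee's prototype is the subclass prototype, and
// the bound function keeps it instead of falling back to Function.prototype.
function boundSubclassOfFunction() {
  class MyFunction extends Function {}
  const f = new MyFunction('return 1');
  const bound = f.bind(null);
  return Object.getPrototypeOf(f) === MyFunction.prototype
    && Object.getPrototypeOf(bound) === MyFunction.prototype
    && bound() === 1;
}

// Null prototype (the rare case the entry mentions): bind has to be reached
// through Function.prototype.bind.call, and the result also has a null
// [[Prototype]] while still calling through to the bindee.
function boundNullPrototypeFunction() {
  function f() { return 'ok'; }
  Object.setPrototypeOf(f, null);
  const bound = Function.prototype.bind.call(f, null);
  return Object.getPrototypeOf(bound) === null && bound() === 'ok';
}

// Changing the bindee's prototype after binding leaves the existing bound
// function alone; a later bind observes the new prototype.
function changeProtoAfterBind() {
  function f() {}
  const before = f.bind(null);
  const custom = Object.create(Function.prototype);
  Object.setPrototypeOf(f, custom);
  const after = f.bind(null);
  return Object.getPrototypeOf(before) === Function.prototype
    && Object.getPrototypeOf(after) === custom;
}

// Runs every check and returns how many passed (throws on the first failure).
function runAll() {
  const checks = {
    boundOrdinaryFunction, boundSubclassOfFunction,
    boundNullPrototypeFunction, changeProtoAfterBind,
  };
  for (const [name, fn] of Object.entries(checks)) {
    if (!fn()) throw new Error('check failed: ' + name);
  }
  return Object.keys(checks).length;
}

runAll();
```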
1575 2016-02-22 Keith Miller <keith_miller@apple.com>
1577 Unreviewed, fix stress test to not print on success.
1579 * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
1582 2016-02-22 Keith Miller <keith_miller@apple.com>
1584 Use Symbol.species in the builtin TypedArray.prototype functions
1585 https://bugs.webkit.org/show_bug.cgi?id=153384
1587 Reviewed by Geoffrey Garen.
1589 This patch adds the use of species constructors to the TypedArray.prototype map and filter
1590 functions. It also adds a new private function typedArrayGetOriginalConstructor that
1591 returns the TypedArray constructor used to originally create a TypedArray instance.
1593 There are no ES6 tests to update for this patch as species creation for these functions is
1594 not tested in the compatibility table.
1596 * builtins/TypedArrayPrototype.js:
1599 * bytecode/BytecodeIntrinsicRegistry.cpp:
1600 (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1601 * bytecode/BytecodeIntrinsicRegistry.h:
1602 * runtime/CommonIdentifiers.h:
1603 * runtime/JSGlobalObject.cpp:
1604 (JSC::JSGlobalObject::init):
1605 (JSC::JSGlobalObject::visitChildren):
1606 * runtime/JSGlobalObject.h:
1607 (JSC::JSGlobalObject::typedArrayConstructor):
1608 * runtime/JSTypedArrayViewPrototype.cpp:
1609 (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
1610 * runtime/JSTypedArrayViewPrototype.h:
1611 * tests/stress/typedarray-filter.js:
1612 (subclasses.typedArrays.map):
1617 (subclasses.forEach):
1618 (testSpeciesRemoveConstructor):
1619 * tests/stress/typedarray-map.js:
1620 (subclasses.typedArrays.map):
1625 (subclasses.forEach):
1626 (testSpeciesRemoveConstructor):
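Added illustration, not JavaScriptCore code and not part of the entry above: the Symbol.species behaviour that TypedArray.prototype.map and filter have to follow, exercised from plain JavaScript. The subclass name Bytes and the sample values are made up for the example; the fallback to the instance's original TypedArray constructor (the job of the private typedArrayGetOriginalConstructor in the entry) is shown through its observable effect only.

```javascript
// Added illustration (not JavaScriptCore code): Symbol.species in
// TypedArray.prototype.map/filter, ES2015 22.2.3.18 and 22.2.3.9. All names
// below are made up for the example; runs with `node typedarray-species.js`.
'use strict';

// No override: the inherited %TypedArray%[Symbol.species] getter returns
// `this`, so a subclass gets subclass instances back from map and filter.
function defaultSpeciesYieldsSubclass() {
  class Bytes extends Uint8Array {}
  const b = new Bytes([1, 2, 3, 4]);
  const mapped = b.map(x => x * 2);
  const filtered = b.filter(x => x % 2 === 0);
  return mapped instanceof Bytes && filtered instanceof Bytes
    && mapped.join(',') === '2,4,6,8' && filtered.join(',') === '2,4';
}

// Override: derived arrays are built with the species constructor instead of
// the subclass.
function speciesOverrideRedirectsConstructor() {
  class Bytes extends Uint8Array {
    static get [Symbol.species]() { return Uint8Array; }
  }
  const mapped = new Bytes([5, 6, 7]).map(x => x + 1);
  return !(mapped instanceof Bytes) && mapped instanceof Uint8Array
    && mapped.join(',') === '6,7,8';
}

// A species of undefined, or a `constructor` property that has been removed,
// falls back to the TypedArray constructor the instance was originally created
// with: SpeciesConstructor returns its default constructor in both cases.
function undefinedSpeciesFallsBackToOriginal() {
  class Bytes extends Uint8Array {
    static get [Symbol.species]() { return undefined; }
  }
  const viaSpecies = new Bytes([9]).map(x => x);
  const noCtor = new Bytes([8]);
  noCtor.constructor = undefined;           // own property shadows Bytes.prototype.constructor
  const viaNoCtor = noCtor.filter(() => true);
  return Object.getPrototypeOf(viaSpecies) === Uint8Array.prototype && viaSpecies[0] === 9
    && Object.getPrototypeOf(viaNoCtor) === Uint8Array.prototype && viaNoCtor[0] === 8;
}

// A species value that is not a constructor is rejected with a TypeError
// before any element is visited.
function nonConstructorSpeciesThrows() {
  class Bytes extends Uint8Array {
    static get [Symbol.species]() { return 42; }
  }
  try {
    new Bytes([1]).filter(() => true);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Runs every check and returns how many passed (throws on the first failure).
function runAll() {
  const checks = {
    defaultSpeciesYieldsSubclass, speciesOverrideRedirectsConstructor,
    undefinedSpeciesFallsBackToOriginal, nonConstructorSpeciesThrows,
  };
  for (const [name, fn] of Object.entries(checks)) {
    if (!fn()) throw new Error('check failed: ' + name);
  }
  return Object.keys(checks).length;
}

runAll();
```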
1628 2016-02-22 Keith Miller <keith_miller@apple.com>
1630 Builtins that should not rely on iteration do.
1631 https://bugs.webkit.org/show_bug.cgi?id=154475
1633 Reviewed by Geoffrey Garen.
1635 When changing the behavior of varargs calls to use ES6 iterators the
1636 call builtin function's use of a varargs call was overlooked. The use
1637 of iterators is observable outside the scope of the call function,
1638 thus it must be reimplemented.
1640 * builtins/FunctionPrototype.js:
1642 * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
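Added illustration, not JavaScriptCore code and not the stress test listed above: why the iterator use is observable. Replacing Array.prototype[Symbol.iterator] from script lets a page count or poison every iteration; Function.prototype.call and apply must not touch it, while a spread call legitimately does. The helper names are made up for the example.

```javascript
// Added illustration (not JavaScriptCore code): Function.prototype.call/apply
// must not consult the array iterator, because script can observe or break it.
// All names below are made up for the example; runs with `node call-no-iter.js`.
'use strict';

// Run `body` while Array.prototype[Symbol.iterator] is replaced by `fake`,
// restoring the original afterwards even if `body` throws.
function withArrayIterator(fake, body) {
  const original = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = fake;
  try {
    return body();
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}

// Count iterator uses: call and apply make none, a spread call makes one.
function iteratorUseCounts() {
  const original = Array.prototype[Symbol.iterator];
  let uses = 0;
  const counting = function () { uses += 1; return original.call(this); };
  return withArrayIterator(counting, () => {
    const sum = function (a, b, c) { return a + b + c; };
    const viaCall = sum.call(null, 1, 2, 3);
    const viaApply = sum.apply(null, [1, 2, 3]);   // CreateListFromArrayLike, no iterator
    const afterBuiltins = uses;
    const viaSpread = sum(...[1, 2, 3]);           // spread goes through the iterator
    return { viaCall, viaApply, viaSpread, afterBuiltins, afterSpread: uses };
  });
}

// A poisoned iterator must leave call and apply working; spread is affected.
function callApplySurvivePoisonedIterator() {
  const poisoned = function () { throw new Error('iterator must not be used'); };
  return withArrayIterator(poisoned, () => {
    const f = function (a, b) { return [this.tag, a, b].join('-'); };
    const viaCall = f.call({ tag: 'c' }, 1, 2);
    const viaApply = f.apply({ tag: 'a' }, [3, 4]);
    let spreadThrew = false;
    try { f(...[5, 6]); } catch (e) { spreadThrew = true; }
    return { viaCall, viaApply, spreadThrew };
  });
}

// Runs both scenarios and reports whether the builtins stayed iterator-free.
function builtinsAreIteratorFree() {
  const counts = iteratorUseCounts();
  const poisoned = callApplySurvivePoisonedIterator();
  return counts.afterBuiltins === 0 && counts.afterSpread === 1
    && counts.viaCall === 6 && counts.viaApply === 6 && counts.viaSpread === 6
    && poisoned.viaCall === 'c-1-2' && poisoned.viaApply === 'a-3-4'
    && poisoned.spreadThrew === true;
}

if (!builtinsAreIteratorFree()) throw new Error('call/apply used the iterator');
```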
1647 2016-02-22 Konstantin Tokarev <annulen@yandex.ru>
1649 [JSC shell] Don't put empty arguments array to VM.
1650 https://bugs.webkit.org/show_bug.cgi?id=154516
1652 Reviewed by Geoffrey Garen.
1654 This allows the arrowfunction-lexical-bind-arguments-top-level test to pass
1655 in jsc as well as in browser.
1658 (GlobalObject::finishCreation):
1660 2016-02-22 Konstantin Tokarev <annulen@yandex.ru>
1662 [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
1663 https://bugs.webkit.org/show_bug.cgi?id=154450
1665 Reviewed by Alex Christensen.
1669 2016-02-22 Commit Queue <commit-queue@webkit.org>
1671 Unreviewed, rolling out r196891.
1672 https://bugs.webkit.org/show_bug.cgi?id=154539
1674 it broke Production builds (Requested by brrian on #webkit).
1678 "Web Inspector: add 'Automation' protocol domain and generate
1679 its backend classes separately in WebKit2"
1680 https://bugs.webkit.org/show_bug.cgi?id=154509
1681 http://trac.webkit.org/changeset/196891
1683 2016-02-21 Joseph Pecoraro <pecoraro@apple.com>
1685 CodeBlock always visits its unlinked code twice
1686 https://bugs.webkit.org/show_bug.cgi?id=154494
1688 Reviewed by Saam Barati.
1690 * bytecode/CodeBlock.cpp:
1691 (JSC::CodeBlock::visitChildren):
1692 The unlinked code is always visited in stronglyVisitStrongReferences.
1694 2016-02-21 Brian Burg <bburg@apple.com>
1696 Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1697 https://bugs.webkit.org/show_bug.cgi?id=154509
1698 <rdar://problem/24759098>
1700 Reviewed by Timothy Hatcher.
1702 Add a new 'WebKit' framework, which is used to generate protocol code
1705 Add --backend and --frontend flags to the main generator script.
1706 These allow a framework to trigger two different sets of generators
1707 so they can be separately generated and compiled.
1709 * inspector/scripts/codegen/models.py:
1710 (Framework.fromString):
1711 (Frameworks): Add new framework.
1713 * inspector/scripts/generate-inspector-protocol-bindings.py:
1714 If neither --backend or --frontend is specified, assume both are wanted.
1715 This matches the behavior for JavaScriptCore and WebInspector frameworks.
1717 (generate_from_specification):
1718 Generate C++ files for the backend and Objective-C files for the frontend.
1720 2016-02-21 Sukolsak Sakshuwong <sukolsak@gmail.com>
1722 Improvements to Intl code
1723 https://bugs.webkit.org/show_bug.cgi?id=154486
1725 Reviewed by Darin Adler.
1727 This patch does several things:
1728 - Use std::unique_ptr to store ICU objects.
1729 - Pass Vector::size() to ICU functions that take a buffer size instead
1730 of Vector::capacity().
1731 - If U_SUCCESS(status) is true, it means there is no error, but there
1732 could be warnings. ICU functions ignore warnings. So, there is no need
1733 to reset status to U_ZERO_ERROR.
1734 - Remove the initialization of the String instance variables of
1735 IntlDateTimeFormat. These values are never read and cause unnecessary
1738 - Some small optimization.
1740 * runtime/IntlCollator.cpp:
1741 (JSC::IntlCollator::UCollatorDeleter::operator()):
1742 (JSC::IntlCollator::createCollator):
1743 (JSC::IntlCollator::compareStrings):
1744 (JSC::IntlCollator::~IntlCollator): Deleted.
1745 * runtime/IntlCollator.h:
1746 * runtime/IntlDateTimeFormat.cpp:
1747 (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
1748 (JSC::defaultTimeZone):
1749 (JSC::canonicalizeTimeZoneName):
1750 (JSC::toDateTimeOptionsAnyDate):
1751 (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1752 (JSC::IntlDateTimeFormat::weekdayString):
1753 (JSC::IntlDateTimeFormat::format):
1754 (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
1755 (JSC::localeData): Deleted.
1756 * runtime/IntlDateTimeFormat.h:
1757 * runtime/IntlDateTimeFormatConstructor.cpp:
1758 * runtime/IntlNumberFormatConstructor.cpp:
1759 * runtime/IntlObject.cpp:
1760 (JSC::numberingSystemsForLocale):
1762 2016-02-21 Skachkov Oleksandr <gskachkov@gmail.com>
1764 Remove arrowfunction test cases that rely on arguments variable in jsc
1765 https://bugs.webkit.org/show_bug.cgi?id=154517
1767 Reviewed by Yusuke Suzuki.
1769 Allow jsc to have the same behavior in JavaScript as the browser has
1771 * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1772 * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1774 2016-02-21 Brian Burg <bburg@apple.com>
1776 Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
1777 https://bugs.webkit.org/show_bug.cgi?id=154508
1778 <rdar://problem/24759077>
1780 Reviewed by Timothy Hatcher.
1782 In preparation for being able to generate protocol files for WebKit2,
1783 make it possible to not emit generated code that's guarded by
1784 ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
1785 backend dispatchers generated outside of JavaScriptCore. We can't just
1786 define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
1787 in the configurations where the code is actually used.
1789 Add a new opt-in Framework configuration option that turns on generating
1790 this code. Adjust how the code is generated so that it can be easily excluded.
1792 * inspector/scripts/codegen/cpp_generator_templates.py:
1793 Make a separate template for the declarations that are guarded.
1794 Add an initializer expression so the order of initializers doesn't matter.
1796 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1797 (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
1798 (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1799 If the declarations are needed, they will be appended to the end of the
1802 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1803 (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
1804 (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
1806 * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
1807 to True for Framework.JavaScriptCore only. It's not needed elsewhere.
1809 Rebaseline affected tests.
1811 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1812 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1813 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1814 * inspector/scripts/tests/expected/enum-values.json-result:
1815 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1817 2016-02-21 Brian Burg <bburg@apple.com>
1819 Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
1820 https://bugs.webkit.org/show_bug.cgi?id=154505
1821 <rdar://problem/24758042>
1823 Reviewed by Timothy Hatcher.
1825 It should be possible to generate code for a framework using some generators
1826 that other frameworks also use. Right now the generator selection code assumes
1827 that use of a generator is mutually exclusive among non-test frameworks.
1829 Make this code explicitly switch on the framework. Reorder generators
1830 alphabetically within each case.
1832 * inspector/scripts/generate-inspector-protocol-bindings.py:
1833 (generate_from_specification):
1835 Rebaseline tests that are affected by generator reorderings.
1837 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1838 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1839 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1840 * inspector/scripts/tests/expected/enum-values.json-result:
1841 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1842 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1843 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1844 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1845 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1846 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1847 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1848 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1849 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1851 2016-02-19 Saam Barati <sbarati@apple.com>
1853 [ES6] Implement Proxy.[[Construct]]
1854 https://bugs.webkit.org/show_bug.cgi?id=154440
1856 Reviewed by Oliver Hunt.
1858 This patch is mostly an implementation of
1859 Proxy.[[Construct]] with respect to section 9.5.13
1860 of the ECMAScript spec.
1861 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
1863 This patch also changes op_create_this to accept new.target's
1864 that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
1865 because we might construct a JSFunction with a new.target being
1866 a Proxy. This will also be needed when we implement Reflect.construct.
1868 * dfg/DFGOperations.cpp:
1869 * dfg/DFGSpeculativeJIT32_64.cpp:
1870 (JSC::DFG::SpeculativeJIT::compile):
1871 * dfg/DFGSpeculativeJIT64.cpp:
1872 (JSC::DFG::SpeculativeJIT::compile):
1873 * jit/JITOpcodes.cpp:
1874 (JSC::JIT::emit_op_create_this):
1875 (JSC::JIT::emitSlow_op_create_this):
1876 * jit/JITOpcodes32_64.cpp:
1877 (JSC::JIT::emit_op_create_this):
1878 (JSC::JIT::emitSlow_op_create_this):
1879 * llint/LLIntData.cpp:
1880 (JSC::LLInt::Data::performAssertions):
1881 * llint/LowLevelInterpreter.asm:
1882 * llint/LowLevelInterpreter32_64.asm:
1883 * llint/LowLevelInterpreter64.asm:
1884 * runtime/CommonSlowPaths.cpp:
1885 (JSC::SLOW_PATH_DECL):
1886 * runtime/ProxyObject.cpp:
1887 (JSC::ProxyObject::finishCreation):
1888 (JSC::ProxyObject::visitChildren):
1889 (JSC::performProxyConstruct):
1890 (JSC::ProxyObject::getConstructData):
1891 * runtime/ProxyObject.h:
1893 * tests/stress/proxy-construct.js: Added.
1895 (throw.new.Error.let.target):
1897 (assert.let.target):
1898 (assert.let.handler.get construct):
1900 (let.handler.construct):
1902 (assert.let.handler.construct):
1903 (assert.let.construct):
1904 (assert.else.assert.let.target):
1905 (assert.else.assert.let.construct):
1906 (assert.else.assert):
1907 (new.proxy.let.target):
1908 (new.proxy.let.construct):
1911 2016-02-19 Sukolsak Sakshuwong <sukolsak@gmail.com>
1913 [INTL] Implement Number Format Functions
1914 https://bugs.webkit.org/show_bug.cgi?id=147605
1916 Reviewed by Darin Adler.
1918 This patch implements Intl.NumberFormat.prototype.format() according
1919 to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
1921 * runtime/IntlNumberFormat.cpp:
1922 (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1923 (JSC::IntlNumberFormat::initializeNumberFormat):
1924 (JSC::IntlNumberFormat::createNumberFormat):
1925 (JSC::IntlNumberFormat::formatNumber):
1926 (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1927 * runtime/IntlNumberFormat.h:
1928 * runtime/IntlNumberFormatPrototype.cpp:
1929 (JSC::IntlNumberFormatFuncFormatNumber):
1931 2016-02-18 Gavin Barraclough <barraclough@apple.com>
1933 JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1934 https://bugs.webkit.org/show_bug.cgi?id=154416
1936 Reviewed by Geoff Garen.
1938 Here's the bug. Suppose you call JSObject::getOwnProperty and -
1939 - PropertyName contains an index,
1940 - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1941 - The base of the access (or another object on the prototype chain) shadows that property.
1943 JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1944 index, and as such walks up the prototype chain looking for non-index properties before it
1945 tries calling parseIndex.
1947 At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1948 would potentially return the property) we may have already skipped over non-overriding
1949 objects that contain the property in index storage.
1951 * runtime/JSObject.h:
1952 (JSC::JSObject::getOwnNonIndexPropertySlot):
1953 - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1954 added ASSERT guarding that this method never returns index properties -
1955 if it ever does, this is unsafe for getPropertySlot.
1956 (JSC::JSObject::getOwnPropertySlot):
1957 - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1958 (JSC::JSObject::getPropertySlot):
1959 - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1960 (JSC::JSObject::getNonIndexPropertySlot):
1961 - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1962 in order to avoid repeated calls to parseIndex.
1963 (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1964 - this was renamed to getOwnNonIndexPropertySlot.
1965 (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1966 - this was folded back in to getPropertySlot.
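Added illustration, not JavaScriptCore code and not part of the entry above: the three-object shape the bug description lays out, built in plain JavaScript so the required results are visible. A String object stands in for the prototype-chain member whose index properties do not live in ordinary storage; whether it takes exactly the overriding getOwnPropertySlot path in JSC is an assumption of the example, and the helper names are made up.

```javascript
// Added illustration (not JavaScriptCore code): index-as-propertyname lookup
// through a prototype chain where a middle object shadows an index property
// of an object further up. Names are made up; runs with `node shadow-index.js`.
'use strict';

// base -> shadow -> wrapper. `wrapper` is a String object with own index
// properties "0".."2" backed by its characters; `shadow` is a plain object
// that holds its own index property "0".
function buildChain() {
  const wrapper = new String('abc');
  const shadow = Object.create(wrapper);
  // Plain assignment `shadow[0] = ...` would fail: OrdinarySet walks up to the
  // String object's non-writable "0". defineProperty only touches `shadow`.
  Object.defineProperty(shadow, '0', {
    value: 'shadowed', writable: true, enumerable: true, configurable: true,
  });
  const base = Object.create(shadow);
  return { wrapper, shadow, base };
}

// Lookups from `base`: "0" must resolve to the shadowing middle object and "1"
// to the String object further up. A walk that skips non-overriding objects
// before parsing the index would wrongly answer "a" for base[0].
function lookupThroughShadow() {
  const { wrapper, shadow, base } = buildChain();
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    viaBase: base[0],
    viaBaseStringKey: base['0'],
    unshadowed: base[1],
    inOperator: '0' in base,
    ownOn: { wrapper: has(wrapper, '0'), shadow: has(shadow, '0'), base: has(base, '0') },
  };
}

// The base of the access may be the shadowing object itself; it must win too.
function baseShadowsDirectly() {
  const { base } = buildChain();
  Object.defineProperty(base, '0', {
    value: 'own', writable: true, enumerable: true, configurable: true,
  });
  return base[0];
}

// Summarises whether every lookup resolved to the nearest holder.
function shadowingIsRespected() {
  const r = lookupThroughShadow();
  return r.viaBase === 'shadowed' && r.viaBaseStringKey === 'shadowed'
    && r.unshadowed === 'b' && r.inOperator === true
    && r.ownOn.wrapper && r.ownOn.shadow && !r.ownOn.base
    && baseShadowsDirectly() === 'own';
}

if (!shadowingIsRespected()) throw new Error('index property shadowing violated');
```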
1968 2016-02-19 Saam Barati <sbarati@apple.com>
1970 [ES6] Implement Proxy.[[Call]]
1971 https://bugs.webkit.org/show_bug.cgi?id=154425
1973 Reviewed by Mark Lam.
1975 This patch is a straightforward implementation of
1976 Proxy.[[Call]] with respect to section 9.5.12
1977 of the ECMAScript spec.
1978 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1980 * runtime/ProxyObject.cpp:
1981 (JSC::ProxyObject::finishCreation):
1982 (JSC::performProxyGet):
1983 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1984 (JSC::ProxyObject::performHasProperty):
1985 (JSC::ProxyObject::getOwnPropertySlotByIndex):
1986 (JSC::performProxyCall):
1987 (JSC::ProxyObject::getCallData):
1988 (JSC::ProxyObject::visitChildren):
1989 * runtime/ProxyObject.h:
1990 (JSC::ProxyObject::create):
1992 * tests/stress/proxy-call.js: Added.
1994 (throw.new.Error.let.target):
1995 (throw.new.Error.let.handler.apply):
1997 (assert.let.target):
1998 (assert.let.handler.get apply):
2000 (let.handler.apply):
2002 (assert.let.handler.apply):
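Added illustration, not JavaScriptCore code and not the stress tests listed in the entries: the observable semantics of Proxy.[[Call]] (section 9.5.12, this entry) and Proxy.[[Construct]] (section 9.5.13, the "[ES6] Implement Proxy.[[Construct]]" entry above), plus the point of the "JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData" entry: a proxy over a function is callable and constructible even with an empty handler. It also shows new.target being a Proxy inside an ordinary function, which is what op_create_this has to accept. All names are made up for the example.

```javascript
// Added illustration (not JavaScriptCore code): observable behaviour of the
// Proxy [[Call]] (ES2015 9.5.12) and [[Construct]] (9.5.13) internal methods.
// All names below are made up for the example; runs with `node proxy-semantics.js`.
'use strict';

// Callability and constructibility come from the target, not the handler: a
// proxy over a function answers to typeof, call and new with an empty handler.
// This is why isFunction()/isConstructor() must consult [[Call]]/[[Construct]]
// rather than the object's class.
function proxyOfFunctionIsCallableAndConstructible() {
  function Target() {}
  const p = new Proxy(Target, {});
  return typeof p === 'function' && p() === undefined && typeof new p() === 'object';
}

// A proxy over a plain object has neither internal method.
function proxyOfPlainObjectIsNeither() {
  const p = new Proxy({}, {});
  let newThrew = false;
  try { new p(); } catch (e) { newThrew = e instanceof TypeError; }
  return typeof p === 'object' && newThrew;
}

// [[Call]]: the "apply" trap receives (target, thisArgument, argumentsList)
// and its return value becomes the result of the call.
function applyTrapSeesThisAndArgs() {
  const seen = {};
  const add = (a, b) => a + b;
  const p = new Proxy(add, {
    apply(target, thisArg, args) {
      seen.target = target; seen.thisArg = thisArg; seen.args = args;
      return Reflect.apply(target, thisArg, args) * 10;
    },
  });
  const result = p.call('ctx', 2, 3);
  return result === 50 && seen.target === add && seen.thisArg === 'ctx'
    && Array.isArray(seen.args) && seen.args.length === 2;
}

// [[Construct]]: the "construct" trap receives (target, argumentsList, newTarget).
function constructTrapReceivesNewTarget() {
  let seen;
  function Target() {}
  function Other() {}
  const p = new Proxy(Target, {
    construct(target, args, newTarget) {
      seen = { target, args, newTarget };
      return Reflect.construct(target, args, newTarget);
    },
  });
  const obj = Reflect.construct(p, [1, 2], Other);
  return seen.target === Target && seen.args.length === 2 && seen.newTarget === Other
    && Object.getPrototypeOf(obj) === Other.prototype;
}

// The construct trap must return an object; anything else is a TypeError.
function constructTrapMustReturnObject() {
  const p = new Proxy(function Target() {}, { construct() { return 42; } });
  try { new p(); return false; } catch (e) { return e instanceof TypeError; }
}

// Without a trap, construction is forwarded with newTarget = the proxy, so
// new.target inside an ordinary function can itself be a Proxy.
function newTargetCanBeAProxy() {
  let observed;
  function Target() { observed = new.target; }
  const p = new Proxy(Target, {});
  const instance = new p();
  return observed === p && instance instanceof Target;
}

// Runs every check and returns how many passed (throws on the first failure).
function runAll() {
  const checks = {
    proxyOfFunctionIsCallableAndConstructible, proxyOfPlainObjectIsNeither,
    applyTrapSeesThisAndArgs, constructTrapReceivesNewTarget,
    constructTrapMustReturnObject, newTargetCanBeAProxy,
  };
  for (const [name, fn] of Object.entries(checks)) {
    if (!fn()) throw new Error('check failed: ' + name);
  }
  return Object.keys(checks).length;
}

runAll();
```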
2004 2016-02-19 Csaba Osztrogonác <ossy@webkit.org>
2006 Remove more LLVM related dead code after r196729
2007 https://bugs.webkit.org/show_bug.cgi?id=154387
2009 Reviewed by Filip Pizlo.
2011 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2012 * Configurations/LLVMForJSC.xcconfig: Removed.
2013 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2014 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2015 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2016 * JavaScriptCore.xcodeproj/project.pbxproj:
2017 * disassembler/X86Disassembler.cpp:
2019 2016-02-19 Joseph Pecoraro <pecoraro@apple.com>
2021 Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2022 https://bugs.webkit.org/show_bug.cgi?id=154442
2024 Reviewed by Saam Barati.
2026 * runtime/JSString.h:
2029 2016-02-19 Joseph Pecoraro <pecoraro@apple.com>
2031 Remove unused SymbolTable::createNameScopeTable
2032 https://bugs.webkit.org/show_bug.cgi?id=154443
2034 Reviewed by Saam Barati.
2036 * runtime/SymbolTable.h:
2038 2016-02-18 Benjamin Poulain <bpoulain@apple.com>
2040 [JSC] Improve the instruction selection of Select
2041 https://bugs.webkit.org/show_bug.cgi?id=154432
2043 Reviewed by Filip Pizlo.
2045 Plenty of code but this patch is pretty dumb:
2046 - On ARM64: use the 3 operand form of CSEL instead of forcing a source
2047 to be aliased to the destination. This gives more freedom to the register
2048 allocator and it is one less Move to process per Select.
2049 - On x86, introduce a fake 3-operand form and use aggressive aliasing
2050 to try to alias both sources to the destination.
2052 If aliasing succeeds on the "elseCase", the condition of the Select
2053 is reverted in the MacroAssembler.
2055 If no aliasing is possible and we end up with 3 registers, the missing
2056 move instruction is generated by the MacroAssembler.
2058 The missing move is generated after testing the values because the destination
2059 can use the same register as one of the test operands.
2060 Experimental testing seems to indicate there is no macro-fusion on CMOV;
2061 there is no measurable cost to having the move there.
2063 * assembler/MacroAssembler.h:
2064 (JSC::MacroAssembler::isInvertible):
2065 (JSC::MacroAssembler::invert):
2066 * assembler/MacroAssemblerARM64.h:
2067 (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2068 (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2069 (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2070 (JSC::MacroAssemblerARM64::moveConditionally32):
2071 (JSC::MacroAssemblerARM64::moveConditionally64):
2072 (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2073 (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2074 * assembler/MacroAssemblerX86Common.h:
2075 (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2076 (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2077 (JSC::MacroAssemblerX86Common::moveConditionally32):
2078 (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2079 (JSC::MacroAssemblerX86Common::invert):
2080 (JSC::MacroAssemblerX86Common::isInvertible):
2081 * assembler/MacroAssemblerX86_64.h:
2082 (JSC::MacroAssemblerX86_64::moveConditionally64):
2083 (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2084 * b3/B3LowerToAir.cpp:
2085 (JSC::B3::Air::LowerToAir::createSelect):
2086 (JSC::B3::Air::LowerToAir::lower):
2087 * b3/air/AirInstInlines.h:
2088 (JSC::B3::Air::Inst::shouldTryAliasingDef):
2089 * b3/air/AirOpcode.opcodes:
2091 2016-02-18 Gyuyoung Kim <gyuyoung.kim@webkit.org>
2093 [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2094 https://bugs.webkit.org/show_bug.cgi?id=154430
2096 Reviewed by Saam Barati.
2098 llvm isn't used anymore.
2100 * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2102 2016-02-18 Saam Barati <sbarati@apple.com>
2104 Implement Proxy.[[HasProperty]]
2105 https://bugs.webkit.org/show_bug.cgi?id=154313
2107 Reviewed by Filip Pizlo.
2109 This patch is a straightforward implementation of
2110 Proxy.[[HasProperty]] with respect to section 9.5.7
2111 of the ECMAScript spec.
2112 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2114 * runtime/ProxyObject.cpp:
2115 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2116 (JSC::ProxyObject::performHasProperty):
2117 (JSC::ProxyObject::getOwnPropertySlotCommon):
2118 * runtime/ProxyObject.h:
2120 * tests/stress/proxy-basic.js:
2123 * tests/stress/proxy-has-property.js: Added.
2125 (throw.new.Error.let.handler.get has):
2127 (assert.let.handler.has):
2129 (getOwnPropertyDescriptor):
2132 2016-02-18 Saam Barati <sbarati@apple.com>
2134 Proxies don't properly handle Symbols as PropertyKeys.
2135 https://bugs.webkit.org/show_bug.cgi?id=154385
2137 Reviewed by Mark Lam and Yusuke Suzuki.
2139 We were converting all PropertyKeys to strings, even when
2140 the PropertyName was a Symbol. In the spec, PropertyKeys are
2141 either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2142 Proxy.[[GetOwnProperty]].
2144 * runtime/Completion.cpp:
2145 (JSC::profiledEvaluate):
2146 (JSC::createSymbolForEntryPointModule):
2147 (JSC::identifierToJSValue): Deleted.
2148 * runtime/Identifier.h:
2150 * runtime/IdentifierInlines.h:
2151 (JSC::Identifier::fromString):
2152 (JSC::identifierToJSValue):
2153 (JSC::identifierToSafePublicJSValue):
2154 * runtime/ProxyObject.cpp:
2155 (JSC::performProxyGet):
2156 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2158 * tests/stress/proxy-basic.js:
2159 (let.handler.getOwnPropertyDescriptor):
2161 2016-02-18 Saam Barati <sbarati@apple.com>
2163 Follow-up fix to Implement Proxy.[[GetOwnProperty]]
2164 https://bugs.webkit.org/show_bug.cgi?id=154314
2166 Reviewed by Filip Pizlo.
2168 Part of the implementation was broken because
2169 of how JSObject::getOwnPropertyDescriptor worked.
2170 I've fixed JSObject::getOwnPropertyDescriptor to
2171 be able to handle ProxyObject.
2173 * runtime/JSObject.cpp:
2174 (JSC::JSObject::getOwnPropertyDescriptor):
2175 * runtime/ProxyObject.cpp:
2176 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2177 * tests/stress/proxy-get-own-property.js:
2179 (assert.let.handler.get getOwnPropertyDescriptor):
2181 2016-02-18 Saam Barati <sbarati@apple.com>
2183 Implement Proxy.[[GetOwnProperty]]
2184 https://bugs.webkit.org/show_bug.cgi?id=154314
2186 Reviewed by Filip Pizlo.
2188 This patch implements Proxy.[[GetOwnProperty]].
2189 It's a straightforward implementation as described
2190 in section 9.5.5 of the specification:
2191 http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2193 * runtime/FunctionPrototype.cpp:
2194 (JSC::functionProtoFuncBind):
2195 * runtime/JSObject.cpp:
2196 (JSC::validateAndApplyPropertyDescriptor):
2197 (JSC::JSObject::defineOwnNonIndexProperty):
2198 (JSC::JSObject::defineOwnProperty):
2199 (JSC::JSObject::getGenericPropertyNames):
2200 (JSC::JSObject::getMethod):
2201 * runtime/JSObject.h:
2202 (JSC::JSObject::butterflyAddress):
2203 (JSC::makeIdentifier):
2204 * runtime/ProxyObject.cpp:
2205 (JSC::performProxyGet):
2206 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2207 (JSC::ProxyObject::getOwnPropertySlotCommon):
2208 (JSC::ProxyObject::getOwnPropertySlot):
2209 (JSC::ProxyObject::getOwnPropertySlotByIndex):
2210 (JSC::ProxyObject::visitChildren):
2211 * runtime/ProxyObject.h:
2213 * tests/stress/proxy-basic.js:
2214 (let.handler.get null):
2215 * tests/stress/proxy-get-own-property.js: Added.
2217 (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2219 (let.handler.getOwnPropertyDescriptor):
2221 (assert.let.handler.getOwnPropertyDescriptor):
2223 2016-02-18 Andreas Kling <akling@apple.com>
2225 JSString resolution of substrings should use StringImpl sharing optimization.
2226 <https://webkit.org/b/154068>
2227 <rdar://problem/24629358>
2229 Reviewed by Antti Koivisto.
2231 When resolving a JSString that's actually a substring of another JSString,
2232 use the StringImpl sharing optimization to create a new string pointing into
2233 the parent one, instead of copying out the bytes of the string.
2235 This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2237 Another approach to this would be to induce GC far more frequently due to
2238 the added cost of copying out these substrings. It would reduce the risk
2239 of prolonging the life of strings only kept alive by substrings.
2241 This patch chooses to trade that risk for less GC and lower peak memory.
2243 * runtime/JSString.cpp:
2244 (JSC::JSRopeString::resolveRope):
2246 2016-02-18 Chris Dumez <cdumez@apple.com>
2248 Crash on SES selftest page when loading the page while WebInspector is open
2249 https://bugs.webkit.org/show_bug.cgi?id=154378
2250 <rdar://problem/24713422>
2252 Reviewed by Mark Lam.
2254 Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2255 returns early again if it detects that getOwnPropertySlot() returns a
2256 non-own property. This check was removed in r196676 because we assumed that
2257 only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2258 However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2261 Not having the check would lead to crashes when using the debugger because
2262 we would get a slot with the CustomAccessor attribute but getDirect() would
2263 then fail to return the property (because it is not an own property). We
2264 would then cast the value returned by getDirect() to a CustomGetterSetter*
2267 * runtime/JSObject.cpp:
2268 (JSC::JSObject::getOwnPropertyDescriptor):
2270 2016-02-18 Filip Pizlo <fpizlo@apple.com>
2272 Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2275 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2276 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2278 2016-02-18 Filip Pizlo <fpizlo@apple.com>
2280 Unreviewed, fix CMake build. This got messed up when rebasing.
2284 2016-02-18 Csaba Osztrogonác <ossy@webkit.org>
2286 Fix the !ENABLE(DFG_JIT) build after r195865
2287 https://bugs.webkit.org/show_bug.cgi?id=154391
2289 Reviewed by Filip Pizlo.
2291 * runtime/SamplingProfiler.cpp:
2292 (JSC::tryGetBytecodeIndex):
2294 2016-02-17 Filip Pizlo <fpizlo@apple.com>
2296 Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2297 https://bugs.webkit.org/show_bug.cgi?id=154383
2299 Reviewed by Saam Barati.
2301 I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2303 - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2306 - Removed the reference because I found it to be dead. In some cases it was a dead
2307 comment: it was telling us things about what LLVM did and that's just not relevant
2308 anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2310 - Edited the comment in some smart way. There were comments talking about what LLVM did
2311 that were still of interest. In some cases, I added a FIXME to consider changing the
2312 code below the comment on the grounds that it was written in a weird way to placate
2313 LLVM and so we can do it better now.
2316 * JavaScriptCore.xcodeproj/project.pbxproj:
2317 * dfg/DFGArgumentsEliminationPhase.cpp:
2318 * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2320 (JSC::DFG::Plan::compileInThread):
2321 (JSC::DFG::Plan::compileInThreadImpl):
2322 (JSC::DFG::Plan::compileTimeStats):
2323 * dfg/DFGPutStackSinkingPhase.cpp:
2324 * dfg/DFGSSAConversionPhase.h:
2325 * dfg/DFGStaticExecutionCountEstimationPhase.h:
2326 * dfg/DFGUnificationPhase.cpp:
2327 (JSC::DFG::UnificationPhase::run):
2328 * disassembler/ARM64Disassembler.cpp:
2329 (JSC::tryToDisassemble): Deleted.
2330 * disassembler/X86Disassembler.cpp:
2331 (JSC::tryToDisassemble):
2332 * ftl/FTLAbstractHeap.cpp:
2333 (JSC::FTL::IndexedAbstractHeap::initialize):
2334 * ftl/FTLAbstractHeap.h:
2335 * ftl/FTLFormattedValue.h:
2336 * ftl/FTLJITFinalizer.cpp:
2337 (JSC::FTL::JITFinalizer::finalizeFunction):
2340 * ftl/FTLLocation.cpp:
2341 (JSC::FTL::Location::restoreInto):
2342 * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2343 (JSC::FTL::DFG::ftlUnreachable):
2344 (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2345 (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2346 (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2347 (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2348 (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2349 (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
2350 (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
2351 (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2352 (JSC::FTL::lowerDFGToB3):
2353 (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
2354 (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
2355 (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
2356 (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
2357 (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
2358 (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
2359 (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
2360 (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
2361 (JSC::FTL::lowerDFGToLLVM): Deleted.
2362 * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
2363 * ftl/FTLLowerDFGToLLVM.cpp: Removed.
2364 * ftl/FTLLowerDFGToLLVM.h: Removed.
2365 * ftl/FTLOSRExitCompiler.cpp:
2366 (JSC::FTL::compileStub):
2368 (JSC::FTL::Weight::frequencyClass):
2369 (JSC::FTL::Weight::inverse):
2370 (JSC::FTL::Weight::scaleToTotal): Deleted.
2371 * ftl/FTLWeightedTarget.h:
2374 * jit/CallFrameShuffler64.cpp:
2375 (JSC::CallFrameShuffler::emitDisplace):
2376 * jit/RegisterSet.cpp:
2377 (JSC::RegisterSet::ftlCalleeSaveRegisters):
2379 * llvm/InitializeLLVMLinux.cpp: Removed.
2380 * llvm/InitializeLLVMWin.cpp: Removed.
2381 * llvm/library: Removed.
2382 * llvm/library/LLVMTrapCallback.h: Removed.
2383 * llvm/library/libllvmForJSC.version: Removed.
2384 * runtime/Options.cpp:
2385 (JSC::recomputeDependentOptions):
2386 (JSC::Options::initialize):
2387 * runtime/Options.h:
2388 * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
2389 * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
2390 * wasm/WASMFunctionParser.cpp:
2392 2016-02-18 Csaba Osztrogonác <ossy@webkit.org>
2394 [cmake] Build system cleanup
2395 https://bugs.webkit.org/show_bug.cgi?id=154337
2397 Reviewed by Žan Doberšek.
2401 2016-02-17 Mark Lam <mark.lam@apple.com>
2403 Callers of JSString::value() should check for exceptions thereafter.
2404 https://bugs.webkit.org/show_bug.cgi?id=154346
2406 Reviewed by Geoffrey Garen.
2408 JSString::value() can throw an exception if the JS string is a rope and value()
2409 needs to resolve the rope but encounters an OutOfMemory error. If value() is not
2410 able to resolve the rope, it will return a null string (in addition to throwing
2411 the exception). If a caller does not check for exceptions after calling
2412 JSString::value(), they may eventually use the returned null string and crash the
2415 The fix is to add all the necessary exception checks, and do the appropriate
2422 (functionCheckSyntax):
2423 (functionLoadWebAssembly):
2424 (functionLoadModule):
2425 (functionCheckModuleSyntax):
2426 * runtime/DateConstructor.cpp:
2429 * runtime/JSGlobalObjectFunctions.cpp:
2430 (JSC::globalFuncEval):
2431 * tools/JSDollarVMPrototype.cpp:
2432 (JSC::functionPrint):
2434 2016-02-17 Benjamin Poulain <bpoulain@apple.com>
2436 [JSC] ARM64: Support the immediate format used for bit operations in Air
2437 https://bugs.webkit.org/show_bug.cgi?id=154327
2439 Reviewed by Filip Pizlo.
2441 ARM64 supports a pretty rich form of immediates for bit operations.
2442 There are two formats used to encode repeating patterns and common
2443 input in a dense form.
2445 In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
2446 Those represent the valid immediate forms for bit operations.
2447 On x86, any 32-bit value is valid. On ARM64, all the encoding
2448 forms are tried and the immediate is used when possible.
2450 The arg type Imm64 is renamed to BigImm to better represent what
2451 it is: an immediate that does not fit into Imm.
2453 * assembler/ARM64Assembler.h:
2454 (JSC::LogicalImmediate::create32): Deleted.
2455 (JSC::LogicalImmediate::create64): Deleted.
2456 (JSC::LogicalImmediate::value): Deleted.
2457 (JSC::LogicalImmediate::isValid): Deleted.
2458 (JSC::LogicalImmediate::is64bit): Deleted.
2459 (JSC::LogicalImmediate::LogicalImmediate): Deleted.
2460 (JSC::LogicalImmediate::mask): Deleted.
2461 (JSC::LogicalImmediate::partialHSB): Deleted.
2462 (JSC::LogicalImmediate::highestSetBit): Deleted.
2463 (JSC::LogicalImmediate::findBitRange): Deleted.
2464 (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
2465 * assembler/AssemblerCommon.h:
2466 (JSC::ARM64LogicalImmediate::create32):
2467 (JSC::ARM64LogicalImmediate::create64):
2468 (JSC::ARM64LogicalImmediate::value):
2469 (JSC::ARM64LogicalImmediate::isValid):
2470 (JSC::ARM64LogicalImmediate::is64bit):
2471 (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
2472 (JSC::ARM64LogicalImmediate::mask):
2473 (JSC::ARM64LogicalImmediate::partialHSB):
2474 (JSC::ARM64LogicalImmediate::highestSetBit):
2475 (JSC::ARM64LogicalImmediate::findBitRange):
2476 (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
2477 * assembler/MacroAssemblerARM64.h:
2478 (JSC::MacroAssemblerARM64::and64):
2479 (JSC::MacroAssemblerARM64::or64):
2480 (JSC::MacroAssemblerARM64::xor64):
2481 * b3/B3LowerToAir.cpp:
2482 (JSC::B3::Air::LowerToAir::bitImm):
2483 (JSC::B3::Air::LowerToAir::bitImm64):
2484 (JSC::B3::Air::LowerToAir::appendBinOp):
2485 * b3/air/AirArg.cpp:
2486 (JSC::B3::Air::Arg::dump):
2487 (WTF::printInternal):
2489 (JSC::B3::Air::Arg::bitImm):
2490 (JSC::B3::Air::Arg::bitImm64):
2491 (JSC::B3::Air::Arg::isBitImm):
2492 (JSC::B3::Air::Arg::isBitImm64):
2493 (JSC::B3::Air::Arg::isSomeImm):
2494 (JSC::B3::Air::Arg::value):
2495 (JSC::B3::Air::Arg::isGP):
2496 (JSC::B3::Air::Arg::isFP):
2497 (JSC::B3::Air::Arg::hasType):
2498 (JSC::B3::Air::Arg::isValidBitImmForm):
2499 (JSC::B3::Air::Arg::isValidBitImm64Form):
2500 (JSC::B3::Air::Arg::isValidForm):
2501 (JSC::B3::Air::Arg::asTrustedImm32):
2502 (JSC::B3::Air::Arg::asTrustedImm64):
2503 * b3/air/AirOpcode.opcodes:
2504 * b3/air/opcode_generator.rb:
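The two ARM64 logical-immediate formats this entry relies on (one element of 2 to 64 bits, repeated across the register, where the element is a run of ones rotated right; the run may wrap around the element boundary) can be checked and packed into the N:immr:imms bit-field as follows. This is an added example, not JSC's ARM64LogicalImmediate code: the struct and function names are assumptions, and the decoder is included so the encoding can be verified by round trip.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not JSC's ARM64LogicalImmediate: decoded fields of an ARM64
// logical immediate, the N:immr:imms bit-field consumed by AND/ORR/EOR/TST
// with an immediate operand. Struct and function names are assumptions.
struct LogicalImmediate {
    bool valid = false;
    unsigned elementSize = 0; // repeating element width: 2, 4, 8, 16, 32 or 64 bits
    unsigned n = 0;           // 1-bit N field
    unsigned immr = 0;        // 6-bit rotate-right count
    unsigned imms = 0;        // 6-bit field encoding element size and run length
};

static unsigned trailingZeros64(uint64_t v) { return v ? __builtin_ctzll(v) : 64; }
static unsigned trailingOnes64(uint64_t v) { return trailingZeros64(~v); }
static unsigned leadingOnes64(uint64_t v) { return ~v ? __builtin_clzll(~v) : 64; }

// True when v is one contiguous run of ones, possibly shifted up.
static bool isShiftedMask64(uint64_t v) {
    if (!v) return false;
    uint64_t run = v >> trailingZeros64(v);
    return ((run + 1) & run) == 0;
}

// Try to encode imm as a logical immediate for a 32- or 64-bit register. The
// register must be a repetition of one element, and the element a run of ones
// rotated right by immr. All-zero and all-one values have no encoding.
LogicalImmediate encodeLogicalImmediate(uint64_t imm, unsigned regSize) {
    LogicalImmediate out;
    if (regSize != 32 && regSize != 64) return out;
    uint64_t regMask = regSize == 64 ? ~0ULL : 0xFFFFFFFFULL;
    if ((imm & ~regMask) || imm == 0 || imm == regMask) return out;

    // Step 1: smallest element size, halving while both halves agree.
    unsigned size = regSize;
    while (size > 2) {
        unsigned half = size / 2;
        uint64_t mask = (1ULL << half) - 1;
        if ((imm & mask) != ((imm >> half) & mask)) break;
        size = half;
    }

    // Step 2: within one element, find the rotation and the length of the run.
    uint64_t elemMask = size == 64 ? ~0ULL : (1ULL << size) - 1;
    uint64_t elem = imm & elemMask;
    unsigned rotate, ones;
    if (isShiftedMask64(elem)) {
        rotate = trailingZeros64(elem);
        ones = trailingOnes64(elem >> rotate);
    } else {
        // The run wraps around the element boundary (1^a 0^b 1^c); the zeros
        // must then form a single run or the value is not encodable.
        uint64_t filled = elem | ~elemMask;
        if (!isShiftedMask64(~filled)) return out;
        unsigned leading = leadingOnes64(filled);
        rotate = 64 - leading;
        ones = leading + trailingOnes64(filled) - (64 - size);
    }

    // Step 3: pack the fields. immr is the rotate-right count from 0^m 1^n to
    // the element; imms holds the element size (as leading ones) and ones - 1.
    out.valid = true;
    out.elementSize = size;
    out.immr = (size - rotate) & (size - 1);
    uint64_t nimms = (~static_cast<uint64_t>(size - 1)) << 1;
    nimms |= ones - 1;
    out.n = static_cast<unsigned>((nimms >> 6) & 1) ^ 1;
    out.imms = static_cast<unsigned>(nimms & 0x3f);
    return out;
}

// Inverse (the architecture's DecodeBitMasks), used to check the round trip.
// Returns 0, which no valid encoding produces, for a reserved encoding.
uint64_t decodeLogicalImmediate(unsigned n, unsigned immr, unsigned imms, unsigned regSize) {
    unsigned bits = (n << 6) | (~imms & 0x3f);
    if (!bits) return 0;
    unsigned len = 31 - __builtin_clz(bits);
    unsigned esize = 1u << len, levels = esize - 1;
    unsigned s = imms & levels, r = immr & levels;
    if (s == levels) return 0;
    uint64_t emask = esize == 64 ? ~0ULL : (1ULL << esize) - 1;
    uint64_t welem = (1ULL << (s + 1)) - 1;
    uint64_t rotated = r ? ((welem >> r) | (welem << (esize - r))) & emask : welem;
    uint64_t result = 0;
    for (unsigned i = 0; i < regSize; i += esize) result |= rotated << i;
    return result;
}

int main() {
    // Constructed sample values: three encodable patterns and one that is not.
    const uint64_t samples[] = { 0xFF, 0xAAAAAAAAAAAAAAAAULL, 0xFFFFFFFF80000001ULL, 0x1234 };
    for (uint64_t v : samples) {
        LogicalImmediate li = encodeLogicalImmediate(v, 64);
        if (!li.valid) { printf("%#018llx: not encodable, needs a register\n", (unsigned long long)v); continue; }
        printf("%#018llx: N=%u immr=%u imms=%#x (element %u bits)\n", (unsigned long long)v, li.n, li.immr, li.imms, li.elementSize);
    }
}
```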
2506 2016-02-17 Keith Miller <keith_miller@apple.com>
2508 Spread operator should be allowed when not the first argument of parameter list
2509 https://bugs.webkit.org/show_bug.cgi?id=152721
2511 Reviewed by Saam Barati.
2513 Spread arguments to functions should now be ES6 compliant. Before we
2514 would only take a spread operator if it was the sole argument to a
2515 function. Additionally, we would not use the Symbol.iterator on the
2516 object to generate the arguments. Instead we would do a loop up to the
2517 length mapping indexed properties to the corresponding argument. We fix
2518 both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2519 to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2520 old spread semantics). This solution has the downside of requiring the
2521 allocation of another object and copying each element twice but avoids a
2522 large change to the vm calling convention.
2524 * interpreter/Interpreter.cpp:
2526 * parser/ASTBuilder.h:
2527 (JSC::ASTBuilder::createElementList):
2528 * parser/Parser.cpp:
2529 (JSC::Parser<LexerType>::parseArguments):
2530 (JSC::Parser<LexerType>::parseArgument):
2531 (JSC::Parser<LexerType>::parseMemberExpression):
2533 * parser/SyntaxChecker.h:
2534 (JSC::SyntaxChecker::createElementList):
2536 * tests/stress/spread-calling.js: Added.
2540 (otherIterator.return.next):
2543 (throwingIter.return.next):
2547 2016-02-17 Brian Burg <bburg@apple.com>
2549 Remove a wrong cast in RemoteInspector::receivedSetupMessage
2550 https://bugs.webkit.org/show_bug.cgi?id=154361
2551 <rdar://problem/24709281>
2553 Reviewed by Joseph Pecoraro.
2555 * inspector/remote/RemoteInspector.mm:
2556 (Inspector::RemoteInspector::receivedSetupMessage):
2557 Not only is this cast unnecessary (the constructor accepts the base class),
2558 but it is wrong since the target could be an automation target. Remove it.
2560 2016-02-17 Filip Pizlo <fpizlo@apple.com>
2562 Rename FTLB3Blah to FTLBlah
2563 https://bugs.webkit.org/show_bug.cgi?id=154365
2565 Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
2568 * JavaScriptCore.xcodeproj/project.pbxproj:
2569 * ftl/FTLB3Compile.cpp: Removed.
2570 * ftl/FTLB3Output.cpp: Removed.
2571 * ftl/FTLB3Output.h: Removed.
2572 * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
2573 * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
2574 * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
2576 2016-02-17 Filip Pizlo <fpizlo@apple.com>
2578 Remove LLVM dependencies from WebKit
2579 https://bugs.webkit.org/show_bug.cgi?id=154323
2581 Reviewed by Antti Koivisto and Benjamin Poulain.
2583 We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
2584 LLVM-related code dead, including the disassembler, which was only reachable when you were on
2585 a platform that already had an in-tree disassembler.
2588 * JavaScriptCore.xcodeproj/project.pbxproj:
2591 (JSC::DFG::Plan::compileInThread):
2592 (JSC::DFG::Plan::compileInThreadImpl):
2593 (JSC::DFG::Plan::compileTimeStats):
2594 * disassembler/ARM64Disassembler.cpp:
2595 (JSC::tryToDisassemble):
2596 * disassembler/ARMv7Disassembler.cpp:
2597 (JSC::tryToDisassemble):
2598 * disassembler/Disassembler.cpp:
2600 (JSC::disassembleAsynchronously):
2601 * disassembler/Disassembler.h:
2602 (JSC::tryToDisassemble):
2603 * disassembler/LLVMDisassembler.cpp: Removed.
2604 * disassembler/LLVMDisassembler.h: Removed.
2605 * disassembler/UDis86Disassembler.cpp:
2606 (JSC::tryToDisassembleWithUDis86):
2607 * disassembler/UDis86Disassembler.h:
2608 (JSC::tryToDisassembleWithUDis86):
2609 * disassembler/X86Disassembler.cpp:
2610 (JSC::tryToDisassemble):
2611 * ftl/FTLAbbreviatedTypes.h:
2612 * ftl/FTLAbbreviations.h: Removed.
2613 * ftl/FTLAbstractHeap.cpp:
2614 (JSC::FTL::AbstractHeap::decorateInstruction):
2615 (JSC::FTL::AbstractHeap::dump):
2616 (JSC::FTL::AbstractField::dump):
2617 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2618 (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
2619 (JSC::FTL::IndexedAbstractHeap::baseIndex):
2620 (JSC::FTL::IndexedAbstractHeap::dump):
2621 (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
2622 (JSC::FTL::NumberedAbstractHeap::dump):
2623 (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
2624 (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
2625 * ftl/FTLAbstractHeap.h:
2626 (JSC::FTL::AbstractHeap::AbstractHeap):
2627 (JSC::FTL::AbstractHeap::heapName):
2628 (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
2629 (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
2630 (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
2631 (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
2632 * ftl/FTLAbstractHeapRepository.cpp:
2633 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2634 * ftl/FTLAbstractHeapRepository.h:
2635 * ftl/FTLB3Compile.cpp:
2636 * ftl/FTLB3Output.cpp:
2637 (JSC::FTL::Output::Output):
2638 (JSC::FTL::Output::check):
2639 (JSC::FTL::Output::load):
2640 (JSC::FTL::Output::store):
2641 * ftl/FTLB3Output.h:
2642 * ftl/FTLCommonValues.cpp:
2643 (JSC::FTL::CommonValues::CommonValues):
2644 (JSC::FTL::CommonValues::initializeConstants):
2645 * ftl/FTLCommonValues.h:
2646 (JSC::FTL::CommonValues::initialize): Deleted.
2647 * ftl/FTLCompile.cpp: Removed.
2648 * ftl/FTLCompileBinaryOp.cpp: Removed.
2649 * ftl/FTLCompileBinaryOp.h: Removed.
2650 * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
2651 * ftl/FTLDWARFDebugLineInfo.h: Removed.
2652 * ftl/FTLDWARFRegister.cpp: Removed.
2653 * ftl/FTLDWARFRegister.h: Removed.
2654 * ftl/FTLDataSection.cpp: Removed.
2655 * ftl/FTLDataSection.h: Removed.
2656 * ftl/FTLExceptionHandlerManager.cpp: Removed.
2657 * ftl/FTLExceptionHandlerManager.h: Removed.
2658 * ftl/FTLExceptionTarget.cpp:
2659 * ftl/FTLExceptionTarget.h:
2660 * ftl/FTLExitThunkGenerator.cpp: Removed.
2661 * ftl/FTLExitThunkGenerator.h: Removed.
2664 * ftl/FTLInlineCacheDescriptor.h: Removed.
2665 * ftl/FTLInlineCacheSize.cpp: Removed.
2666 * ftl/FTLInlineCacheSize.h: Removed.
2667 * ftl/FTLIntrinsicRepository.cpp: Removed.
2668 * ftl/FTLIntrinsicRepository.h: Removed.
2669 * ftl/FTLJITCode.cpp:
2670 (JSC::FTL::JITCode::~JITCode):
2671 (JSC::FTL::JITCode::initializeB3Code):
2672 (JSC::FTL::JITCode::initializeB3Byproducts):
2673 (JSC::FTL::JITCode::initializeAddressForCall):
2674 (JSC::FTL::JITCode::contains):
2675 (JSC::FTL::JITCode::ftl):
2676 (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2677 (JSC::FTL::JITCode::initializeExitThunks): Deleted.
2678 (JSC::FTL::JITCode::addHandle): Deleted.
2679 (JSC::FTL::JITCode::addDataSection): Deleted.
2680 (JSC::FTL::JITCode::exitThunks): Deleted.
2682 (JSC::FTL::JITCode::b3Code):
2683 (JSC::FTL::JITCode::handles): Deleted.
2684 (JSC::FTL::JITCode::dataSections): Deleted.
2685 * ftl/FTLJITFinalizer.cpp:
2686 (JSC::FTL::JITFinalizer::codeSize):
2687 (JSC::FTL::JITFinalizer::finalizeFunction):
2688 * ftl/FTLJITFinalizer.h:
2689 * ftl/FTLJSCall.cpp: Removed.
2690 * ftl/FTLJSCall.h: Removed.
2691 * ftl/FTLJSCallBase.cpp: Removed.
2692 * ftl/FTLJSCallBase.h: Removed.
2693 * ftl/FTLJSCallVarargs.cpp: Removed.
2694 * ftl/FTLJSCallVarargs.h: Removed.
2695 * ftl/FTLJSTailCall.cpp: Removed.
2696 * ftl/FTLJSTailCall.h: Removed.
2697 * ftl/FTLLazySlowPath.cpp:
2698 (JSC::FTL::LazySlowPath::LazySlowPath):
2699 (JSC::FTL::LazySlowPath::generate):
2700 * ftl/FTLLazySlowPath.h:
2701 (JSC::FTL::LazySlowPath::createGenerator):
2702 (JSC::FTL::LazySlowPath::patchableJump):
2703 (JSC::FTL::LazySlowPath::done):
2704 (JSC::FTL::LazySlowPath::usedRegisters):
2705 (JSC::FTL::LazySlowPath::callSiteIndex):
2706 (JSC::FTL::LazySlowPath::stub):
2707 (JSC::FTL::LazySlowPath::patchpoint): Deleted.
2710 * ftl/FTLLocation.cpp:
2711 (JSC::FTL::Location::forValueRep):
2712 (JSC::FTL::Location::dump):
2713 (JSC::FTL::Location::forStackmaps): Deleted.
2714 * ftl/FTLLocation.h:
2715 (JSC::FTL::Location::forRegister):
2716 (JSC::FTL::Location::forIndirect):
2717 (JSC::FTL::Location::forConstant):
2718 (JSC::FTL::Location::kind):
2719 (JSC::FTL::Location::hasReg):
2720 * ftl/FTLLowerDFGToLLVM.cpp:
2721 (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
2722 (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2723 (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
2724 (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2725 (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
2726 (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
2727 (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
2728 (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2729 (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2730 (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2731 (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2732 (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2733 (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2734 (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2735 (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2736 (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2737 (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2738 (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2739 (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2740 (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2741 (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2742 (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2743 (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2744 (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2745 (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2746 (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
2747 (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2748 (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2749 (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2750 (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2751 (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2752 (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2753 (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2754 (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2755 (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2756 (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2757 (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2758 (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
2759 (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2760 (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2761 (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2762 (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2763 (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2764 (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
2765 (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
2766 (JSC::FTL::DFG::LowerDFGToLLVM::probe):
2767 (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2768 (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
2769 (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
2770 (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
2771 (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
2772 * ftl/FTLOSRExit.cpp:
2773 (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2774 (JSC::FTL::OSRExitDescriptor::validateReferences):
2775 (JSC::FTL::OSRExitDescriptor::emitOSRExit):
2776 (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2777 (JSC::FTL::OSRExit::OSRExit):
2778 (JSC::FTL::OSRExit::codeLocationForRepatch):
2779 (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
2780 (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
2781 (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
2782 (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
2783 (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
2784 (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
2786 (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2787 (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
2788 * ftl/FTLOSRExitCompilationInfo.h: Removed.
2789 * ftl/FTLOSRExitCompiler.cpp:
2790 (JSC::FTL::compileRecovery):
2791 (JSC::FTL::compileStub):
2792 (JSC::FTL::compileFTLOSRExit):
2793 * ftl/FTLOSRExitHandle.cpp:
2794 * ftl/FTLOSRExitHandle.h:
2795 * ftl/FTLOutput.cpp: Removed.
2796 * ftl/FTLOutput.h: Removed.
2797 * ftl/FTLPatchpointExceptionHandle.cpp:
2798 * ftl/FTLPatchpointExceptionHandle.h:
2799 * ftl/FTLStackMaps.cpp: Removed.
2800 * ftl/FTLStackMaps.h: Removed.
2802 (JSC::FTL::State::State):
2803 (JSC::FTL::State::~State):
2804 (JSC::FTL::State::dumpState): Deleted.
2806 * ftl/FTLUnwindInfo.cpp: Removed.
2807 * ftl/FTLUnwindInfo.h: Removed.
2808 * ftl/FTLValueRange.cpp:
2809 (JSC::FTL::ValueRange::decorateInstruction):
2810 * ftl/FTLValueRange.h:
2811 (JSC::FTL::ValueRange::ValueRange):
2812 (JSC::FTL::ValueRange::begin):
2813 (JSC::FTL::ValueRange::end):
2815 (JSC::FTL::Weight::value):
2816 (JSC::FTL::Weight::frequencyClass):
2817 (JSC::FTL::Weight::scaleToTotal):
2818 * llvm/InitializeLLVM.cpp: Removed.
2819 * llvm/InitializeLLVM.h: Removed.
2820 * llvm/InitializeLLVMMac.cpp: Removed.
2821 * llvm/InitializeLLVMPOSIX.cpp: Removed.
2822 * llvm/InitializeLLVMPOSIX.h: Removed.
2823 * llvm/LLVMAPI.cpp: Removed.
2824 * llvm/LLVMAPI.h: Removed.
2825 * llvm/LLVMAPIFunctions.h: Removed.
2826 * llvm/LLVMHeaders.h: Removed.
2827 * llvm/library/LLVMAnchor.cpp: Removed.
2828 * llvm/library/LLVMExports.cpp: Removed.
2829 * llvm/library/LLVMOverrides.cpp: Removed.
2830 * llvm/library/config_llvm.h: Removed.
2832 2016-02-17 Benjamin Poulain <bpoulain@apple.com>
2834 [JSC] Remove the overflow check on ArithAbs when possible
2835 https://bugs.webkit.org/show_bug.cgi?id=154325
2837 Reviewed by Filip Pizlo.
2839 This patch adds support for ArithMode for ArithAbs.
2841 It is useful for Kraken tests where Math.abs() is used
2842 on values for which the range is known.
2844 For example, imaging-gaussian-blur has two Math.abs() with
2845 integers that are always in a small range around zero.
2846 The IntegerRangeOptimizationPhase detects the range correctly
2847 so we can just update the ArithMode depending on the input.
2849 * dfg/DFGFixupPhase.cpp:
2850 (JSC::DFG::FixupPhase::fixupNode):
2851 * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2853 (JSC::DFG::Node::convertToArithNegate):
2854 (JSC::DFG::Node::hasArithMode):
2855 * dfg/DFGSpeculativeJIT64.cpp:
2856 (JSC::DFG::SpeculativeJIT::compile):
2857 * ftl/FTLLowerDFGToLLVM.cpp:
2858 (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
2859 * tests/stress/arith-abs-integer-range-optimization.js: Added.
2861 (negativeRangeIncludingZero):
2862 (negativeRangeWithOverflow):
2864 (positiveRangeIncludingZero):
2865 (rangeWithoutOverflow):
2866 * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
2869 2016-02-17 Chris Dumez <cdumez@apple.com>
2871 SES selftest page crashes on nightly r196694
2872 https://bugs.webkit.org/show_bug.cgi?id=154350
2873 <rdar://problem/24704334>
2875 Reviewed by Mark Lam.
2877 SES selftest page crashes after r196001 / r196145 when calling
2878 Object.getOwnPropertyDescriptor(window, "length") after the window
2879 has been reified and "length" has been shadowed by a value property.
2881 It was crashing in JSObject::getOwnPropertyDescriptor() because
2882 we are getting a slot that has attribute "CustomAccessor" but
2883 the property is not a CustomGetterSetter. In this case, since
2884 window.length is [Replaceable] and has been set to a numeric value,
2885 it follows that the property is not a CustomGetterSetter. However,
2886 the "CustomAccessor" attribute should have been dropped from the
2887 slot when window.length was shadowed. Therefore, this code path
2888 should not be exercised at all when calling
2889 getOwnPropertyDescriptor().
2891 The issue was that putDirectInternal() was updating the slot
2892 attributes only if the "Accessor" flag had changed, but not
2893 the "customAccessor" flag. This patch fixes the issue.
2895 * runtime/JSObject.h:
2896 (JSC::JSObject::putDirectInternal):
2898 2016-02-17 Saam Barati <sbarati@apple.com>
2900 Implement Proxy [[Get]]
2901 https://bugs.webkit.org/show_bug.cgi?id=154081
2903 Reviewed by Michael Saboff.
2905 This patch implements ProxyObject and ProxyConstructor. Their
2906 implementations are straightforward and follow the spec.
2907 The largest change in this patch is adding a second parameter
2908 to PropertySlot's constructor that specifies the internal method type of
2909 the getOwnPropertySlot inquiry. We use getOwnPropertySlot to
2910 implement more than one Internal Method in the spec. Because
2911 of this, we need InternalMethodType to give us context about
2912 which Internal Method we're executing. Specifically, Proxy will
2913 call into different handlers based on this information.
2915 InternalMethodType is an enum with the following values:
2917 This corresponds to [[Get]] internal method in the spec.
2919 This corresponds to [[GetOwnProperty]] internal method in the spec.
2921 This corresponds to [[HasProperty]] internal method in the spec.
2923 This is basically everything else that isn't one of the above
2924 types. This value also mandates that getOwnPropertySlot does
2925 not perform any user observable effects, i.e., it can't call
2928 The other non-VMInquiry InternalMethodTypes are allowed to perform user
2929 observable effects, i.e., in future patches, ProxyObject will implement
2930 InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
2931 to call user defined JS functions, which clearly have the right to perform
2932 user observable effects.
2934 This patch implements getOwnPropertySlot of ProxyObject under
2935 InternalMethodType::Get.
2937 * API/JSCallbackObjectFunctions.h:
2938 (JSC::JSCallbackObject<Parent>::put):
2939 (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2941 * JavaScriptCore.xcodeproj/project.pbxproj:
2942 * debugger/DebuggerScope.cpp:
2943 (JSC::DebuggerScope::caughtValue):
2944 * interpreter/Interpreter.cpp:
2945 (JSC::Interpreter::execute):
2946 * jit/JITOperations.cpp:
2947 * llint/LLIntSlowPaths.cpp:
2948 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2949 * runtime/ArrayPrototype.cpp:
2951 * runtime/CommonIdentifiers.h:
2952 * runtime/JSCJSValueInlines.h:
2953 (JSC::JSValue::get):
2954 * runtime/JSFunction.cpp:
2955 (JSC::JSFunction::getOwnNonIndexPropertyNames):
2956 (JSC::JSFunction::put):
2957 (JSC::JSFunction::defineOwnProperty):
2958 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2959 (JSC::constructGenericTypedArrayViewWithArguments):
2960 * runtime/JSGlobalObject.cpp:
2961 (JSC::JSGlobalObject::init):
2962 (JSC::JSGlobalObject::defineOwnProperty):
2963 * runtime/JSGlobalObject.h:
2964 (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2965 (JSC::JSGlobalObject::moduleRecordStructure):
2966 (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2967 (JSC::JSGlobalObject::proxyObjectStructure):
2968 (JSC::JSGlobalObject::wasmModuleStructure):
2969 * runtime/JSModuleEnvironment.cpp:
2970 (JSC::JSModuleEnvironment::getOwnPropertySlot):
2971 * runtime/JSModuleNamespaceObject.cpp:
2972 (JSC::callbackGetter):
2973 * runtime/JSONObject.cpp:
2974 (JSC::Stringifier::Holder::appendNextProperty):
2975 (JSC::Walker::walk):
2976 * runtime/JSObject.cpp:
2977 (JSC::JSObject::calculatedClassName):
2978 (JSC::JSObject::putDirectNonIndexAccessor):
2979 (JSC::JSObject::hasProperty):
2980 (JSC::JSObject::deleteProperty):
2981 (JSC::JSObject::hasOwnProperty):
2982 (JSC::JSObject::getOwnPropertyDescriptor):
2983 * runtime/JSObject.h:
2984 (JSC::JSObject::getDirectIndex):
2985 (JSC::JSObject::get):
2986 * runtime/JSScope.cpp:
2987 (JSC::abstractAccess):
2988 * runtime/ObjectConstructor.cpp:
2989 (JSC::toPropertyDescriptor):
2990 * runtime/ObjectPrototype.cpp:
2991 (JSC::objectProtoFuncLookupGetter):
2992 (JSC::objectProtoFuncLookupSetter):
2993 (JSC::objectProtoFuncToString):
2994 * runtime/PropertySlot.h:
2995 (JSC::attributesForStructure):
2996 (JSC::PropertySlot::PropertySlot):
2997 (JSC::PropertySlot::isCacheableGetter):
2998 (JSC::PropertySlot::isCacheableCustom):
2999 (JSC::PropertySlot::internalMethodType):
3000 (JSC::PropertySlot::disableCaching):
3001 (JSC::PropertySlot::getValue):
3002 * runtime/ProxyConstructor.cpp: Added.
3003 (JSC::ProxyConstructor::create):
3004 (JSC::ProxyConstructor::ProxyConstructor):
3005 (JSC::ProxyConstructor::finishCreation):
3006 (JSC::constructProxyObject):
3007 (JSC::ProxyConstructor::getConstructData):
3008 (JSC::ProxyConstructor::getCallData):
3009 * runtime/ProxyConstructor.h: Added.
3010 (JSC::ProxyConstructor::createStructure):
3011 * runtime/ProxyObject.cpp: Added.
3012 (JSC::ProxyObject::ProxyObject):
3013 (JSC::ProxyObject::finishCreation):
3014 (JSC::performProxyGet):
3015 (JSC::ProxyObject::getOwnPropertySlotCommon):
3016 (JSC::ProxyObject::getOwnPropertySlot):
3017 (JSC::ProxyObject::getOwnPropertySlotByIndex):
3018 (JSC::ProxyObject::visitChildren):
3019 * runtime/ProxyObject.h: Added.
3020 (JSC::ProxyObject::create):
3021 (JSC::ProxyObject::createStructure):
3022 (JSC::ProxyObject::target):
3023 (JSC::ProxyObject::handler):
3024 * runtime/ReflectObject.cpp:
3025 (JSC::reflectObjectGet):
3026 * runtime/SamplingProfiler.cpp:
3027 (JSC::SamplingProfiler::StackFrame::nameFromCallee):
3029 * tests/stress/proxy-basic.js: Added.
3031 (let.handler.get null):
3033 (let.handler.get switch):
3035 (let.theTarget.get x):
3036 * tests/stress/proxy-in-proto-chain.js: Added.
3038 * tests/stress/proxy-of-a-proxy.js: Added.
3041 * tests/stress/proxy-property-descriptor.js: Added.
3044 * wasm/WASMModuleParser.cpp:
3045 (JSC::WASMModuleParser::getImportedValue):
3047 2016-02-17 Mark Lam <mark.lam@apple.com>
3049 StringPrototype functions should check for exceptions after calling JSString::value().
3050 https://bugs.webkit.org/show_bug.cgi?id=154340
3052 Reviewed by Filip Pizlo.
3054 JSString::value() can throw an exception if the JS string is a rope and value()
3055 needs to resolve the rope but encounters an OutOfMemory error. If value() is not
3056 able to resolve the rope, it will return a null string (in addition to throwing
3057 the exception). If StringPrototype functions do not check for exceptions after
3058 calling JSString::value(), they may eventually use the returned null string and
3061 The fix is to add all the necessary exception checks, and do the appropriate
3064 Also, in a few places where, when an exception is detected, we return JSValue(), I
3065 changed it to return jsUndefined() instead to be consistent with the rest of the
3068 * runtime/StringPrototype.cpp:
3069 (JSC::replaceUsingRegExpSearch):
3070 (JSC::stringProtoFuncMatch):
3071 (JSC::stringProtoFuncSlice):
3072 (JSC::stringProtoFuncSplit):
3073 (JSC::stringProtoFuncLocaleCompare):
3074 (JSC::stringProtoFuncBig):
3075 (JSC::stringProtoFuncSmall):
3076 (JSC::stringProtoFuncBlink):
3077 (JSC::stringProtoFuncBold):
3078 (JSC::stringProtoFuncFixed):
3079 (JSC::stringProtoFuncItalics):
3080 (JSC::stringProtoFuncStrike):
3081 (JSC::stringProtoFuncSub):
3082 (JSC::stringProtoFuncSup):
3083 (JSC::stringProtoFuncFontcolor):
3084 (JSC::stringProtoFuncFontsize):
3085 (JSC::stringProtoFuncAnchor):
3086 (JSC::stringProtoFuncLink):
3089 2016-02-17 Commit Queue <commit-queue@webkit.org>
3091 Unreviewed, rolling out r196675.
3092 https://bugs.webkit.org/show_bug.cgi?id=154344
3094 "Causes major slowdowns on deltablue-varargs" (Requested by
3095 keith_miller on #webkit).
3099 "Spread operator should be allowed when not the first argument
3101 https://bugs.webkit.org/show_bug.cgi?id=152721
3102 http://trac.webkit.org/changeset/196675
3104 2016-02-17 Gavin Barraclough <barraclough@apple.com>
3106 JSDOMWindow::put should not do the same thing twice
3107 https://bugs.webkit.org/show_bug.cgi?id=154334
3109 Reviewed by Chris Dumez.
3111 It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
3112 In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
3115 * runtime/JSGlobalObject.h:
3116 (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
3119 2016-02-16 Filip Pizlo <fpizlo@apple.com>
3121 FTL_USES_B3 should be unconditionally true
3122 https://bugs.webkit.org/show_bug.cgi?id=154324
3124 Reviewed by Benjamin Poulain.
3128 2016-02-16 Filip Pizlo <fpizlo@apple.com>
3130 FTL should support CompareEq(String:, String:)
3131 https://bugs.webkit.org/show_bug.cgi?id=154269
3132 rdar://problem/24499921
3134 Reviewed by Benjamin Poulain.
3136 Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
3137 think we should land the increased coverage first and fix the issues after, especially since
3138 the regression is so small and doesn't have a statistically significant effect on the overall
3141 * ftl/FTLCapabilities.cpp:
3142 (JSC::FTL::canCompile):
3143 * ftl/FTLLowerDFGToLLVM.cpp:
3144 (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
3145 (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3146 (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
3147 (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3148 * tests/stress/ftl-string-equality.js: Added.
3149 * tests/stress/ftl-string-ident-equality.js: Added.
3150 * tests/stress/ftl-string-strict-equality.js: Added.
3152 2016-02-16 Filip Pizlo <fpizlo@apple.com>
3154 FTL should support NewTypedArray
3155 https://bugs.webkit.org/show_bug.cgi?id=154268
3157 Reviewed by Saam Barati.
3159 3% speed-up on pdfjs. This was already covered by many different tests.
3161 Rolling this back in after fixing the butterfly argument.
3163 * ftl/FTLCapabilities.cpp:
3164 (JSC::FTL::canCompile):
3165 * ftl/FTLLowerDFGToLLVM.cpp:
3166 (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3167 (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3168 (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3169 (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3170 (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3171 (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3172 (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3174 2016-02-16 Gavin Barraclough <barraclough@apple.com>
3176 JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
3177 https://bugs.webkit.org/show_bug.cgi?id=154257
3179 Reviewed by Chris Dumez.
3182 (JSC::getStaticPropertySlot):
3183 (JSC::getStaticFunctionSlot):
3184 (JSC::getStaticValueSlot):
3185 - this could all do with a little more love.
3186 But enforce the basic precedence:
3187 (1) regular storage properties always win over static table properties.
3188 (2) if properties have been reified, don't consult the static tables.
3189 (3) only if the property is not present on the object & not reified
3190 should the static hashtable be consulted.
3192 2016-02-16 Gavin Barraclough <barraclough@apple.com>
3194 JSDOMWindow::getOwnPropertySlot should not search proto chain
3195 https://bugs.webkit.org/show_bug.cgi?id=154102
3197 Reviewed by Chris Dumez.
3199 Should only return *own* properties.
3201 * runtime/JSObject.cpp:
3202 (JSC::JSObject::getOwnPropertyDescriptor):
3203 - remove hack/special-case for DOMWindow; we no longer need this.
3205 2016-02-16 Keith Miller <keith_miller@apple.com>
3207 Spread operator should be allowed when not the first argument of parameter list
3208 https://bugs.webkit.org/show_bug.cgi?id=152721
3210 Reviewed by Saam Barati.
3212 Spread arguments to functions should now be ES6 compliant. Before we
3213 would only take a spread operator if it was the sole argument to a
3214 function. Additionally, we would not use the Symbol.iterator on the
3215 object to generate the arguments. Instead we would do a loop up to the
3216 length mapping indexed properties to the corresponding argument. We fix
3217 both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3218 to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3219 old spread semantics). This solution has the downside of requiring the
3220 allocation of another object and copying each element twice but avoids a
3221 large change to the vm calling convention.
3223 * interpreter/Interpreter.cpp:
3225 * parser/ASTBuilder.h:
3226 (JSC::ASTBuilder::createElementList):
3227 * parser/Parser.cpp:
3228 (JSC::Parser<LexerType>::parseArguments):
3229 (JSC::Parser<LexerType>::parseArgument):
3230 (JSC::Parser<LexerType>::parseMemberExpression):
3232 * parser/SyntaxChecker.h:
3233 (JSC::SyntaxChecker::createElementList):
3235 * tests/stress/spread-calling.js: Added.
3239 (otherIterator.return.next):
3242 (throwingIter.return.next):
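Added example (not code from the WebKit ChangeLog or the project) that contrasts the two argument-spread semantics this entry describes and checks that the foo(...a, b, ...c, d) to foo(...[...a, b, ...c, d]) rewrite is observationally equivalent; the function names and the sample object are assumptions.

```javascript
// Added example, not WebKit code. Names (legacySpread, es6Spread, spreadOf,
// collectArgs, callDirect, callRewritten, rewriteIsEquivalent) are hypothetical.

// Old semantics from the entry: loop up to .length and read indexed properties.
// Symbol.iterator is never consulted.
function legacySpread(obj) {
  const out = [];
  for (let i = 0; i < obj.length; i++) out.push(obj[i]);
  return out;
}

// ES6 semantics: drive the object's Symbol.iterator to produce the arguments.
function es6Spread(obj) {
  return Array.from(obj);
}

// Constructed sample: an array-like whose iterator yields different values than
// its indexed slots, so the two semantics are observably different.
const tricky = {
  length: 2, 0: "idx0", 1: "idx1",
  *[Symbol.iterator]() { yield "iter0"; yield "iter1"; yield "iter2"; },
};

function spreadOf(obj) {
  return { legacy: legacySpread(obj), es6: es6Spread(obj) };
}

// The entry's rewrite: foo(...a, b, ...c, d) becomes foo(...[...a, b, ...c, d]).
// The inner spreads use iterator semantics; the outer spread is over a plain
// array literal, so a length-indexed loop (old semantics) yields the same list.
function collectArgs(...args) { return args; }

function callDirect(a, b, c, d) { return collectArgs(...a, b, ...c, d); }
function callRewritten(a, b, c, d) { return collectArgs(...[...a, b, ...c, d]); }

// True when both spellings hand the callee an identical argument list.
function rewriteIsEquivalent(a, b, c, d) {
  const direct = callDirect(a, b, c, d);
  const rewritten = callRewritten(a, b, c, d);
  return direct.length === rewritten.length &&
    direct.every((v, i) => v === rewritten[i]);
}
```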
3246 2016-02-16 Benjamin Poulain <bpoulain@apple.com>
3248 [JSC] Enable B3 on ARM64
3249 https://bugs.webkit.org/show_bug.cgi?id=154275
3251 Reviewed by Mark Lam.
3253 The port passes more tests than LLVM now, let's use it by default.
3257 2016-02-16 Commit Queue <commit-queue@webkit.org>
3259 Unreviewed, rolling out r196652.
3260 https://bugs.webkit.org/show_bug.cgi?id=154315
3262 This change caused LayoutTest crashes (Requested by ryanhaddad
3267 "FTL should support NewTypedArray"
3268 https://bugs.webkit.org/show_bug.cgi?id=154268
3269 http://trac.webkit.org/changeset/196652
3271 2016-02-16 Brian Burg <bburg@apple.com>
3273 RemoteInspector should forward new automation session requests to its client
3274 https://bugs.webkit.org/show_bug.cgi?id=154260
3275 <rdar://problem/24663313>
3277 Reviewed by Timothy Hatcher.
3279 * inspector/remote/RemoteInspector.h:
3280 * inspector/remote/RemoteInspector.mm:
3281 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3282 (Inspector::RemoteInspector::listingForAutomationTarget):
3283 Use the correct key for the session identifier in the listing. The name()
3284 override for RemoteAutomationTarget is actually the session identifier.
3286 (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3287 * inspector/remote/RemoteInspectorConstants.h: Add new constants.
3289 2016-02-16 Saam barati <sbarati@apple.com>
3291 SamplingProfiler still fails with ASan enabled
3292 https://bugs.webkit.org/show_bug.cgi?id=154301
3293 <rdar://problem/24679502>
3295 Reviewed by Filip Pizlo.
3297 To fix this issue, I've come up with unsafe versions
3298 of all operations that load memory from the thread's call
3299 frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
3301 * interpreter/CallFrame.cpp:
3302 (JSC::CallFrame::callSiteAsRawBits):
3303 (JSC::CallFrame::unsafeCallSiteAsRawBits):
3304 (JSC::CallFrame::callSiteIndex):
3305 (JSC::CallFrame::unsafeCallSiteIndex):
3306 (JSC::CallFrame::stack):
3307 (JSC::CallFrame::callerFrame):
3308 (JSC::CallFrame::unsafeCallerFrame):
3309 (JSC::CallFrame::friendlyFunctionName):
3310 * interpreter/CallFrame.h:
3311 (JSC::ExecState::calleeAsValue):
3312 (JSC::ExecState::callee):
3313 (JSC::ExecState::unsafeCallee):
3314 (JSC::ExecState::codeBlock):
3315 (JSC::ExecState::unsafeCodeBlock):
3316 (JSC::ExecState::scope):
3317 (JSC::ExecState::callerFrame):
3318 (JSC::ExecState::callerFrameOrVMEntryFrame):
3319 (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
3320 (JSC::ExecState::callerFrameOffset):
3321 (JSC::ExecState::callerFrameAndPC):
3322 (JSC::ExecState::unsafeCallerFrameAndPC):
3323 * interpreter/Register.h:
3324 (JSC::Register::codeBlock):
3325 (JSC::Register::asanUnsafeCodeBlock):
3326 (JSC::Register::unboxedInt32):
3327 (JSC::Register::tag):
3328 (JSC::Register::unsafeTag):
3329 (JSC::Register::payload):
3330 * interpreter/VMEntryRecord.h:
3331 (JSC::VMEntryRecord::prevTopCallFrame):
3332 (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3333 (JSC::VMEntryRecord::prevTopVMEntryFrame):
3334 (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
3335 * runtime/SamplingProfiler.cpp:
3336 (JSC::FrameWalker::walk):
3337 (JSC::FrameWalker::advanceToParentFrame):
3338 (JSC::FrameWalker::isAtTop):
3339 (JSC::FrameWalker::resetAtMachineFrame):
3341 2016-02-16 Filip Pizlo <fpizlo@apple.com>
3343 FTL should support NewTypedArray
3344 https://bugs.webkit.org/show_bug.cgi?id=154268
3346 Reviewed by Saam Barati.
3348 3% speed-up on pdfjs. This was already covered by many different tests.
3350 * ftl/FTLCapabilities.cpp:
3351 (JSC::FTL::canCompile):
3352 * ftl/FTLLowerDFGToLLVM.cpp:
3353 (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3354 (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3355 (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3356 (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3357 (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3358 (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3359 (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3361 2016-02-16 Saam barati <sbarati@apple.com>
3363 stress/sampling-profiler-deep-stack.js fails on ARM 32bit
3364 https://bugs.webkit.org/show_bug.cgi?id=154255
3365 <rdar://problem/24662996>
3367 Reviewed by Mark Lam.
3369 The bug here wasn't in the implementation of the sampling profiler