Make it cheap to #include "JITOperations.h"
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        Make it cheap to #include "JITOperations.h"
        https://bugs.webkit.org/show_bug.cgi?id=154836

        Reviewed by Mark Lam.

        Prior to this change, this header included the whole world even though it didn't have any
        definitions. This patch turns almost all of the includes into forward declarations. Right
        now this header is very cheap to include.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/Repatch.h:
        * runtime/CommonSlowPaths.h:
        (JSC::encodeResult): Deleted.
        (JSC::decodeResult): Deleted.
        * runtime/SlowPathReturnType.h: Added.
        (JSC::encodeResult):
        (JSC::decodeResult):

2016-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to run everything in Octane/regexp
        https://bugs.webkit.org/show_bug.cgi?id=154266

        Reviewed by Saam Barati.

        Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
        make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
        DFG backend optimization anyway - if we need this optimization then it should be a
        strength reduction rule over IR. That way, it can be shared by all backends.

        I measured whether removing that optimization had any effect on performance separately
        from measuring the performance of this patch. Removing that optimization did not change
        our score on any benchmarks.

        This patch does have an overall negative effect on the Octane/regexp score. This is
        presumably because tiering up to the FTL has no value to the code in the regexp test. Or
        maybe it's something else. No matter - the overall effect on the Octane score is not
        statistically significant and we don't want this kind of coverage blocked by the fact
        that adding coverage hurts a benchmark.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setIndexingType):
        (JSC::DFG::Node::hasRegexpIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
        (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        * tests/stress/ftl-regexp-exec.js: Added.
        * tests/stress/ftl-regexp-test.js: Added.

2016-02-28  Andreas Kling  <akling@apple.com>

        Make JSFunction.name allocation fully lazy.
        <https://webkit.org/b/154806>

        Reviewed by Saam Barati.

        We were reifying the "name" field on functions lazily, but created the string
        value itself up front. This patch gets rid of the up-front allocation,
        saving us a JSString allocation per function in most cases.

        * builtins/BuiltinExecutables.cpp:
        (JSC::createExecutableInternal):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/Executable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):

2016-02-28  Andreas Kling  <akling@apple.com>

        REGRESSION(r197303): 4 jsc tests failing on bots.

        Unreviewed follow-up fix.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
        can still get called with !m_rareData, in case the type profiler is active but this
        particular code block doesn't have type profiler data. Handle it gracefully.

2016-02-28  Andreas Kling  <akling@apple.com>

        Shrink UnlinkedCodeBlock a bit.
        <https://webkit.org/b/154797>

        Reviewed by Anders Carlsson.

        Move profiler-related members of UnlinkedCodeBlock into its RareData
        structure, saving 40 bytes, and then reorder the other members of
        UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.

        The VM member was removed entirely since UnlinkedCodeBlock is a cell
        and can retrieve its VM through MarkedBlock header lookup.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::vm):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
        (JSC::UnlinkedCodeBlock::vm): Deleted.

2016-02-27  Filip Pizlo  <fpizlo@apple.com>

        FTL should lower its abstract heaps to B3 heap ranges
        https://bugs.webkit.org/show_bug.cgi?id=154782

        Reviewed by Saam Barati.

        The FTL can describe the abstract heaps (points-to sets) that a memory operation will
        affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
        TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
        notion - the HeapRange. That's what this patch fixes.

        B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
        integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
        affects by specifying a heap range: a begin...end pair that says that the operation
        affects all abstract heaps H such that begin <= H < end.

        This peculiar scheme was a deliberate attempt to distill what the abstract heap
        hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:

        - A heap's end is greater than its begin.
        - A heap's begin is greater than or equal to its parent's begin.
        - A heap's end is less than or equal to its parent's end.

        This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
        went for the iterative traversal, which is a splendid algorithm, but it's totally
        unnecessary here since we tightly control the height of the heap hierarchy.

        Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
        generate new ones for field names and constant indices we encounter, we can't actually
        decorate the B3 instructions we create in lowering until all lowering is done. Adding a
        new abstract heap to the hierarchy after ranges were already computed would require
        updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
        patch solves that problem by recording the associations between abstract heaps and their
        intended roles in the generated IR, and then decorating all of the relevant B3 values
        after we compute the ranges of the hierarchy after lowering.

        This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
        speed-up on any benchmark. That's not too surprising. We already have very precise CSE
        in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
        already been getting the big ones even without alias analysis.

        Even without a speed-up, this patch is valuable because it makes it easier to implement
        other optimizations, like store elimination.

        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::changeParent):
        (JSC::FTL::AbstractHeap::compute):
        (JSC::FTL::AbstractHeap::shallowDump):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractHeap::deepDump):
        (JSC::FTL::AbstractHeap::badRangeError):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        (JSC::FTL::IndexedAbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
        (JSC::FTL::AbstractField::dump): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::isInitialized):
        (JSC::FTL::AbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::parent):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::AbstractHeap::range):
        (JSC::FTL::AbstractHeap::offset):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::IndexedAbstractHeap::at):
        (JSC::FTL::IndexedAbstractHeap::operator[]):
        (JSC::FTL::IndexedAbstractHeap::returnInitialized):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
        (JSC::FTL::AbstractHeap::changeParent): Deleted.
        (JSC::FTL::AbstractField::AbstractField): Deleted.
        (JSC::FTL::AbstractField::initialize): Deleted.
        (JSC::FTL::AbstractField::offset): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forArrayType):
        (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        (JSC::FTL::Output::baseIndex):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::address):
        (JSC::FTL::Output::absolute):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::load32):
        (JSC::FTL::Output::load64):
        (JSC::FTL::Output::loadPtr):
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::store32):
        (JSC::FTL::Output::store64):
        (JSC::FTL::Output::storePtr):
        (JSC::FTL::Output::storeDouble):
        (JSC::FTL::Output::ascribeRange):
        (JSC::FTL::Output::nonNegative32):
        (JSC::FTL::Output::load32NonNegative):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::operator!):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::value):

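The range assignment and deferred decoration described in the entry above, as an added example that is not FTL or B3 code: a small heap hierarchy gets nested [begin, end) numbers from one recursive traversal, memory operations record which heap they touch during "lowering" and are stamped only after every heap is known, and range overlap then answers may-alias queries. The type and function names (HeapRange, AbstractHeap, MemoryOp, Repository, runDemo) and the heap names (JSCell, structureID, butterfly and so on) are assumptions for illustration, not the JSC ones.

```cpp
// Added example, not FTL or B3 code. HeapRange, AbstractHeap, MemoryOp and
// Repository are assumed stand-ins for the JSC types, not the real ones.
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Half-open interval of heap numbers; two operations may alias iff they overlap.
struct HeapRange {
    std::uint32_t begin = 0;
    std::uint32_t end = 0;
    bool overlaps(const HeapRange& o) const { return begin < o.end && o.begin < end; }
};

// One node of the points-to hierarchy; children are sub-heaps of the parent.
struct AbstractHeap {
    std::string name;
    std::vector<std::unique_ptr<AbstractHeap>> children;
    HeapRange range;
    explicit AbstractHeap(std::string n) : name(std::move(n)) {}
    AbstractHeap& addChild(std::string n) {
        children.emplace_back(new AbstractHeap(std::move(n)));
        return *children.back();
    }
};

// A memory operation created during lowering; its range is only filled in after lowering.
struct MemoryOp { HeapRange range; };

struct Repository {
    AbstractHeap root{"root"};
    std::vector<std::pair<MemoryOp*, AbstractHeap*>> pending;
    // Recursive traversal: reserve one number for the heap itself, then number its
    // children to its right, so each child's range nests inside the parent's,
    // siblings never overlap, and end > begin holds for every heap.
    static std::uint32_t assign(AbstractHeap& heap, std::uint32_t next) {
        heap.range.begin = next++;
        for (auto& child : heap.children)
            next = assign(*child, next);
        heap.range.end = next;
        return next;
    }
    // Lowering records which heap an op touches instead of reading a range now.
    void decorateLater(MemoryOp& op, AbstractHeap& heap) { pending.emplace_back(&op, &heap); }
    // After lowering: compute every range once, then stamp each recorded op.
    void computeRangesAndDecorate() {
        assign(root, 0);
        for (auto& entry : pending)
            entry.first->range = entry.second->range;
        pending.clear();
    }
};

// The three properties listed in the entry, checked over the whole hierarchy.
static bool invariantsHold(const AbstractHeap& heap) {
    if (heap.range.end <= heap.range.begin) return false;
    for (const auto& child : heap.children) {
        if (child->range.begin < heap.range.begin || child->range.end > heap.range.end) return false;
        if (!invariantsHold(*child)) return false;
    }
    return true;
}

struct DemoResult {
    bool invariants;
    bool siblingFieldsAlias;  // structureID load vs typeInfo store: disjoint leaves
    bool parentChildAlias;    // structureID load vs whole-JSCell store: nested
    bool unrelatedAlias;      // butterfly load vs typeInfo store: different subtrees
    bool lateHeapAlias;       // late-added indexedProperties store vs butterfly load
    bool rootAlias;           // C call that may touch any heap vs butterfly load
    HeapRange rootRange, structureIDRange;
};

// Builds a small hierarchy (constructed heap names), defers decoration past a
// late-added heap, then answers the alias queries listed in DemoResult.
DemoResult runDemo() {
    Repository repo;
    AbstractHeap& cell = repo.root.addChild("JSCell");
    AbstractHeap& structureID = cell.addChild("structureID");
    AbstractHeap& typeInfo = cell.addChild("typeInfo");
    AbstractHeap& object = repo.root.addChild("JSObject");
    AbstractHeap& butterfly = object.addChild("butterfly");
    MemoryOp loadStructure, storeTypeInfo, storeCell, loadButterfly, callAnything;
    repo.decorateLater(loadStructure, structureID);
    repo.decorateLater(storeTypeInfo, typeInfo);
    repo.decorateLater(storeCell, cell);
    repo.decorateLater(loadButterfly, butterfly);
    repo.decorateLater(callAnything, repo.root);
    // A heap first encountered late in lowering, after the ops above already exist.
    AbstractHeap& indexed = object.addChild("indexedProperties");
    MemoryOp storeIndexed;
    repo.decorateLater(storeIndexed, indexed);
    repo.computeRangesAndDecorate();
    return DemoResult{invariantsHold(repo.root),
        loadStructure.range.overlaps(storeTypeInfo.range), loadStructure.range.overlaps(storeCell.range),
        loadButterfly.range.overlaps(storeTypeInfo.range), storeIndexed.range.overlaps(loadButterfly.range),
        callAnything.range.overlaps(loadButterfly.range), repo.root.range, structureID.range};
}
```

With this hierarchy the traversal yields root [0,7), JSCell [1,4), structureID [2,3), typeInfo [3,4), JSObject [4,7), butterfly [5,6) and indexedProperties [6,7). The heap added after the operations were created still gets a consistent number because nothing is stamped until computeRangesAndDecorate() runs, which is the ordering the entry describes; a store to a whole parent heap aliases every field under it, while stores to sibling fields or to a different subtree do not.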
2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
        https://bugs.webkit.org/show_bug.cgi?id=153981

        Reviewed by Saam Barati.

        In the first iteration of the arrow function implementation, we emitted loads and stores of the
        variables 'this', 'arguments', 'super' and 'new.target' whenever an arrow function existed, even if
        those variables were not used in the arrow function. The current patch adds logic that prevents
        emitting those variables if they are not used in the arrow function. During syntax analysis the
        parser stores information about the variables used in arrow functions inside the enclosing
        ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::usesSuperCall):
        (JSC::ASTBuilder::usesSuperProperty):
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        * parser/Nodes.h:
        (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
        (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
        (JSC::ScopeNode::usesSuperCall):
        (JSC::ScopeNode::usesSuperProperty):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::isArrowFunctionBoundary):
        (JSC::Scope::innerArrowFunctionFeatures):
        (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
        (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
        (JSC::Scope::setInnerArrowFunctionUsesEval):
        (JSC::Scope::setInnerArrowFunctionUsesThis):
        (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
        (JSC::Scope::setInnerArrowFunctionUsesArguments):
        (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsArrowFunction):
        (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser<LexerType>::parse):
        * parser/ParserModes.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
        * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
        * tests/stress/arrowfunction-lexical-bind-newtarget.js:
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:
        * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.

2016-02-28  Saam barati  <sbarati@apple.com>

        ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
        https://bugs.webkit.org/show_bug.cgi?id=154768

        Reviewed by Ryosuke Niwa.

        This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
        http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
        We weren't correctly propagating the result of this operation to the
        out PropertySlot& parameter. This patch fixes that and adds tests.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        I added a missing exception check after object allocation
        because I saw that it was missing while reading the code.

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setUndefined):
        (JSC::PropertyDescriptor::slowGetterSetter):
        (JSC::PropertyDescriptor::getter):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::attributes):
        (JSC::PropertyDescriptor::value):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        * tests/es6.yaml:
        * tests/stress/proxy-get-own-property.js:
        (let.handler.getOwnPropertyDescriptor):
        (set get let.handler.return):
        (set get let.handler.getOwnPropertyDescriptor):
        (set get let):
        (set get let.a):
        (let.b):
        (let.setter):
        (let.getter):

2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>

        Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
        https://bugs.webkit.org/show_bug.cgi?id=152448

        Reviewed by Darin Adler.

        Add defaultLanguage to the globalObjectMethodTable and use it for the
        default locale in Intl object initializations. Fall back to ICU default
        locale only if the defaultLanguage function is null, or returns an
        empty string.

        * jsc.cpp:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):

2016-02-27  Oliver Hunt  <oliver@apple.com>

        CLoop build fix.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2016-02-26  Oliver Hunt  <oliver@apple.com>

        Remove the on demand executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=154749

        Reviewed by Geoffrey Garen.

        Remove all the DemandExecutable code and executable allocator ifdefs.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.cpp: Removed.
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
        (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
        (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
        (JSC::DemandExecutableAllocator::allocators): Deleted.
        (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
        (JSC::ExecutableAllocator::initializeAllocator): Deleted.
        (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::isValid): Deleted.
        (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
        (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
        (JSC::ExecutableAllocator::allocate): Deleted.
        (JSC::ExecutableAllocator::committedByteCount): Deleted.
        (JSC::ExecutableAllocator::dumpProfile): Deleted.
        (JSC::ExecutableAllocator::getLock): Deleted.
        (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce direct callers of Structure::findStructuresAndMapForMaterialization
        https://bugs.webkit.org/show_bug.cgi?id=154751

        Reviewed by Mark Lam.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        This property name iteration is identical to Structure::forEachPropertyConcurrently.
        Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.

2016-02-26  Mark Lam  <mark.lam@apple.com>

        Function.name and Function.length should be configurable.
        https://bugs.webkit.org/show_bug.cgi?id=154604

        Reviewed by Saam Barati.

        According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
        "Unless otherwise specified, the name property of a built-in Function object,
        if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
        [[Configurable]]: true }."

        Similarly, "the length property of a built-in Function object has the attributes
        { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."

        This patch makes Function.name and Function.length configurable.

        We do this by lazily reifying the JSFunction name and length properties on first
        access.  We track whether each of these properties has been reified using flags
        in the FunctionRareData.  On first access, if not already reified, we will put
        the property into the object with its default value and attributes and set the
        reified flag.  Thereafter, we rely on the base JSObject to handle access to the
        property.

        Also, lots of test results have to be re-baselined because the old Function.length
        has attribute DontDelete, which is in conflict with the ES6 requirement that it
        is configurable.

        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::hasReifiedLength):
        (JSC::FunctionRareData::setHasReifiedLength):
        (JSC::FunctionRareData::hasReifiedName):
        (JSC::FunctionRareData::setHasReifiedName):
        - Flags for tracking whether each property has been reified.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::createBuiltinFunction):
        - Host and builtin functions currently always reify their name and length
          properties.  Currently, for builtins, the default names that are used may
          differ from the executable name.  For now, we'll stay with keeping this
          alternate approach to getting the name and length properties for host and
          builtin functions.
          However, we need their default attribute to be configurable as well.

        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::lengthGetter): Deleted.
        (JSC::JSFunction::nameGetter): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::hasReifiedLength):
        (JSC::JSFunction::hasReifiedName):

        * tests/es6.yaml:
        - 4 new passing tests.

        * tests/mozilla/ecma/Array/15.4.4.3-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-2.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
        * tests/mozilla/ecma/String/15.5.4.10-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-5.js:
        * tests/mozilla/ecma/String/15.5.4.12-1.js:
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        * tests/mozilla/ecma/String/15.5.4.7-2.js:
        * tests/mozilla/ecma/String/15.5.4.8-1.js:
        * tests/mozilla/ecma/String/15.5.4.9-1.js:
        - Rebase expected test results.

        * tests/stress/function-configurable-properties.js: Added.

2016-02-26  Keith Miller  <keith_miller@apple.com>

        Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
        https://bugs.webkit.org/show_bug.cgi?id=154743

        Reviewed by Mark Lam.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-02-26  Keith Miller  <keith_miller@apple.com>

        Native Typed Array functions should use Symbol.species
        https://bugs.webkit.org/show_bug.cgi?id=154569

        Reviewed by Michael Saboff.

        This patch adds support for Symbol.species in the native Typed Array prototype
        functions. Additionally, now that other types of typedarrays are creatable inside
        the slice we use the JSGenericTypedArrayView::set function, which has been beefed
        up, to put everything into the correct place.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::set):
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        * tests/stress/typedarray-slice.js:
        (subclasses.typedArrays.map):
        (testSpecies):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
        (testSpeciesWithSameBuffer):
        * tests/stress/typedarray-subarray.js: Added.
        (subclasses.typedArrays.map):
        (testSpecies):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):

2016-02-26  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
        https://bugs.webkit.org/show_bug.cgi?id=154704

        Reviewed by Geoffrey Garen.

        If the Imm is zero, we should still zero the top bits
        to match the definition in AirOpcodes.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        * b3/testb3.cpp:

634 2016-02-26  Oliver Hunt  <oliver@apple.com>
635
636         Make testRegExp not crash when given an invalid regexp
637         https://bugs.webkit.org/show_bug.cgi?id=154732
638
639         Reviewed by Mark Lam.
640
641         * testRegExp.cpp:
642         (parseRegExpLine):
643
644 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
645
646         [JSC] Add the test for r197155
647         https://bugs.webkit.org/show_bug.cgi?id=154715
648
649         Reviewed by Mark Lam.
650
651         Silly me. I forgot the test in the latest patch update.
652
653         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
654
655 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
656
657         [DFG] Drop unnecessary proved type branch in ToPrimitive
658         https://bugs.webkit.org/show_bug.cgi?id=154716
659
660         Reviewed by Geoffrey Garen.
661
662         This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
663         In fact, the DFGSpeculativeJIT64.cpp case was already removed in r164243.
664         This patch removes the remaining JIT32_64 case.
665
666         * dfg/DFGSpeculativeJIT32_64.cpp:
667         (JSC::DFG::SpeculativeJIT::compile):
668
669 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
670
671         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
672         https://bugs.webkit.org/show_bug.cgi?id=154575
673
674         Reviewed by Filip Pizlo.
675
676         I noticed that imaging-gaussian-blur spends most of its
677         samples in DFG code despite executing most of the loop
678         iterations in FTL.
679
680         On this particular test, the main function is only entered
681         once and has a very heavy loop there. What happens is DFG
682         starts by compiling the full function in FTL. That takes about
683         8 to 10 milliseconds during which the DFG code makes very little
684         progress. The calls to triggerOSREntryNow() try to OSR Enter
685         for a while then finally start compiling something. By the time
686         the function is ready, we have wasted a lot of time in DFG code.
687
688         What this patch does is set a flag when a DFG function is entered.
689         If we try to triggerOSREntryNow() and the flag was never set,
690         we start compiling both the full function and the one for OSR Entry.
691
692         * dfg/DFGJITCode.h:
693         * dfg/DFGJITCompiler.cpp:
694         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
695         (JSC::DFG::JITCompiler::compile):
696         (JSC::DFG::JITCompiler::compileFunction):
697         * dfg/DFGJITCompiler.h:
698         * dfg/DFGOperations.cpp:
699         * dfg/DFGPlan.cpp:
700         (JSC::DFG::Plan::Plan): Deleted.
701         * dfg/DFGPlan.h:
702         * dfg/DFGTierUpCheckInjectionPhase.cpp:
703         (JSC::DFG::TierUpCheckInjectionPhase::run):
704
705 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
706
707         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
708         https://bugs.webkit.org/show_bug.cgi?id=154664
709
710         Reviewed by Saam Barati.
711
712         When doing OSR Enter into a constructor, we lose the information
713         that this may have been set to empty by a previously executed block.
714
715         All the code just assumed the type for a FlushedJS value and thus
716         not an empty value. It was then okay to eliminate the TDZ checks.
717
718         In this patch, the values on root entry now assume they may be empty.
719         As a result, the SetArgument() for "this" has "empty" as possible
720         type and the TDZ checks are no longer eliminated.
721
722         * dfg/DFGInPlaceAbstractState.cpp:
723         (JSC::DFG::InPlaceAbstractState::initialize):
724
725 2016-02-25  Ada Chan  <adachan@apple.com>
726
727         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
728         https://bugs.webkit.org/show_bug.cgi?id=154702
729
730         Reviewed by Dan Bernstein.
731
732         * Configurations/FeatureDefines.xcconfig:
733
734 2016-02-25  Saam barati  <sbarati@apple.com>
735
736         [ES6] for...in iteration doesn't comply with the specification
737         https://bugs.webkit.org/show_bug.cgi?id=154665
738
739         Reviewed by Michael Saboff.
740
741         If you read ForIn/OfHeadEvaluation inside the spec:
742         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
743         It calls EnumerateObjectProperties(obj) to get a set of properties
744         to enumerate over (it models this "set" as an ES6 generator function).
745         EnumerateObjectProperties is defined in section 13.7.5.15:
746         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
747         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
748         properties it sees. We must do the same by modeling the operation as
749         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
750
751         * jit/JITOperations.cpp:
752         * jit/JITOperations.h:
753         * runtime/CommonSlowPaths.cpp:
754         (JSC::SLOW_PATH_DECL):
755         * runtime/JSObject.cpp:
756         (JSC::JSObject::hasProperty):
757         (JSC::JSObject::hasPropertyGeneric):
758         * runtime/JSObject.h:
759         * tests/stress/proxy-get-own-property.js:
760         (assert):
761         (let.handler.getOwnPropertyDescriptor):
762         (i.set assert):
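
        The distinction the entry above draws between [[GetOwnProperty]] and [[HasProperty]],
        shown as an added JavaScript example that is not code from the WebKit patch or its
        tests/stress/proxy-get-own-property.js: the tracing handler, the property names and the
        helper makeTracingProxy are constructed for the demonstration.

```javascript
// Added example (not from the WebKit patch): for-in enumerates through
// EnumerateObjectProperties, which inspects each key with [[GetOwnProperty]]
// (the getOwnPropertyDescriptor trap of a Proxy) and never with
// [[HasProperty]] (the has trap). Handler and keys are constructed.

function makeTracingProxy(target, trace) {
    return new Proxy(target, {
        has(t, key) {
            trace.push("has:" + String(key));
            return Reflect.has(t, key);
        },
        ownKeys(t) {
            trace.push("ownKeys");
            return Reflect.ownKeys(t);
        },
        getOwnPropertyDescriptor(t, key) {
            trace.push("getOwnPropertyDescriptor:" + String(key));
            const desc = Reflect.getOwnPropertyDescriptor(t, key);
            // Report "hidden" as non-enumerable. The target's property is
            // configurable, so this stays within the Proxy invariants.
            if (desc && key === "hidden")
                desc.enumerable = false;
            return desc;
        },
    });
}

// for-in: keys come from the ownKeys trap and each one is filtered through
// getOwnPropertyDescriptor; the has trap is never consulted.
function forInThroughProxy() {
    const trace = [];
    const proxy = makeTracingProxy({ a: 1, hidden: 2, c: 3 }, trace);
    const seen = [];
    for (const key in proxy)
        seen.push(key);
    return {
        seen,                                   // ["a", "c"]
        usedHasTrap: trace.some((entry) => entry.startsWith("has:")),
        usedDescriptorTrap: trace.includes("getOwnPropertyDescriptor:hidden"),
    };
}

// By contrast, the `in` operator is [[HasProperty]]: it hits the has trap and
// still reports the key that for-in skipped.
function inOperatorThroughProxy() {
    const trace = [];
    const proxy = makeTracingProxy({ a: 1, hidden: 2, c: 3 }, trace);
    return { hiddenIsIn: "hidden" in proxy, trace };
}
```

        An engine that modelled the enumeration step as [[HasProperty]] would call the has trap
        and would list "hidden", since the has trap answers true for it; the descriptor-based
        lookup is what lets the handler's enumerability decision take effect.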
763
764 2016-02-25  Saam barati  <sbarati@apple.com>
765
766         [ES6] Implement Proxy.[[Set]]
767         https://bugs.webkit.org/show_bug.cgi?id=154511
768
769         Reviewed by Filip Pizlo.
770
771         This patch is mostly an implementation of
772         Proxy.[[Set]] with respect to section 9.5.9
773         of the ECMAScript spec.
774         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
775
776         This patch also changes JSObject::putInline and JSObject::putByIndex
777         to be aware that a Proxy in the prototype chain will intercept
778         property accesses.
779
780         * runtime/JSObject.cpp:
781         (JSC::JSObject::putInlineSlow):
782         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
783         * runtime/JSObject.h:
784         * runtime/JSObjectInlines.h:
785         (JSC::JSObject::canPerformFastPutInline):
786         (JSC::JSObject::putInline):
787         * runtime/JSType.h:
788         * runtime/ProxyObject.cpp:
789         (JSC::ProxyObject::getOwnPropertySlotByIndex):
790         (JSC::ProxyObject::performPut):
791         (JSC::ProxyObject::put):
792         (JSC::ProxyObject::putByIndexCommon):
793         (JSC::ProxyObject::putByIndex):
794         (JSC::performProxyCall):
795         (JSC::ProxyObject::getCallData):
796         (JSC::performProxyConstruct):
797         (JSC::ProxyObject::deletePropertyByIndex):
798         (JSC::ProxyObject::visitChildren):
799         * runtime/ProxyObject.h:
800         (JSC::ProxyObject::create):
801         (JSC::ProxyObject::createStructure):
802         (JSC::ProxyObject::target):
803         (JSC::ProxyObject::handler):
804         * tests/es6.yaml:
805         * tests/stress/proxy-set.js: Added.
806         (assert):
807         (throw.new.Error.let.handler.set 45):
808         (throw.new.Error):
809         (let.target.set x):
810         (let.target.get x):
811         (set let):
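
        The Proxy.[[Set]] behaviour this entry implements, including the prototype-chain case it
        calls out for JSObject::putInline and putByIndex, as an added JavaScript example (not
        code from the WebKit patch or its tests/stress/proxy-set.js): the handlers, object
        shapes and property names are constructed for the demonstration.

```javascript
// Added example (not from the WebKit patch): Proxy.[[Set]] per ECMAScript
// section 9.5.9. Handlers and property names are constructed.

// An assignment to an ordinary object whose prototype is a Proxy is not a
// fast own-property put: OrdinarySet walks up the chain and the Proxy's set
// trap runs with the original object as receiver.
function setThroughPrototypeProxy() {
    const log = [];
    const protoProxy = new Proxy({}, {
        set(target, key, value, receiver) {
            log.push({ key: String(key), value, receiverIsChild: receiver === child });
            // Reflect.set applies OrdinarySet with the same receiver, so the
            // data property is created on child, not on the Proxy's target.
            return Reflect.set(target, key, value, receiver);
        },
    });
    const child = Object.create(protoProxy);
    child.named = 10;          // put by name
    child[0] = "indexed";      // put by index takes the same route
    return {
        log,
        childOwnKeys: Object.keys(child),          // ["0", "named"]
        targetOwnKeys: Object.keys(protoProxy),    // []
    };
}

// Invariant from 9.5.9: a trap may not claim success for a non-writable,
// non-configurable target property when the new value differs.
function setInvariantViolation() {
    const target = {};
    Object.defineProperty(target, "pinned", { value: 1, writable: false, configurable: false });
    const proxy = new Proxy(target, { set() { return true; } });
    try {
        proxy.pinned = 2;
        return "no error";
    } catch (e) {
        return e.constructor.name;     // "TypeError"
    }
}

// A trap that returns false makes the assignment fail; in strict code that is
// a TypeError rather than a silent no-op.
function setTrapRefusal() {
    "use strict";
    const proxy = new Proxy({}, { set() { return false; } });
    try {
        proxy.value = 1;
        return "no error";
    } catch (e) {
        return e.constructor.name;     // "TypeError"
    }
}
```

        The first function is the case that matters for an engine's fast paths: whether a put on
        child can be done in place depends on every object up the prototype chain, and a Proxy
        anywhere in that chain has to disable the fast path.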
812
813 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
814
815         [JSC] Remove a useless "Move" in the lowering of Select
816         https://bugs.webkit.org/show_bug.cgi?id=154670
817
818         Reviewed by Geoffrey Garen.
819
820         I left the Move instruction when creating the aliasing form
821         of Select.
822
823         On ARM64, that meant a useless move for any case that can't
824         be coalesced.
825
826         On x86, that meant an extra constraint on child2, making it
827         stupidly hard to alias child1.
828
829         * b3/B3LowerToAir.cpp:
830         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
831
832 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
833
834         Web Inspector: Expose Proxy target and handler internal properties to Inspector
835         https://bugs.webkit.org/show_bug.cgi?id=154663
836
837         Reviewed by Timothy Hatcher.
838
839         * inspector/JSInjectedScriptHost.cpp:
840         (Inspector::JSInjectedScriptHost::getInternalProperties):
841         Expose the ProxyObject's target and handler.
842
843 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
844
845         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
846         https://bugs.webkit.org/show_bug.cgi?id=151688
847
848         Reviewed by Dean Jackson.
849
850         Enables the WEB_ANIMATIONS compiler switch.
851
852         * Configurations/FeatureDefines.xcconfig:
853
854 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
855
856         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
857         https://bugs.webkit.org/show_bug.cgi?id=154651
858
859         Reviewed by Alex Christensen.
860
861         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
862
863 2016-02-24  Commit Queue  <commit-queue@webkit.org>
864
865         Unreviewed, rolling out r197033.
866         https://bugs.webkit.org/show_bug.cgi?id=154649
867
868         "It broke JSC tests when 'this' was loaded from global scope"
869         (Requested by saamyjoon on #webkit).
870
871         Reverted changeset:
872
873         "[ES6] Arrow function syntax. Emit loading&putting this/super
874         only if they are used in arrow function"
875         https://bugs.webkit.org/show_bug.cgi?id=153981
876         http://trac.webkit.org/changeset/197033
877
878 2016-02-24  Saam Barati  <sbarati@apple.com>
879
880         [ES6] Implement Proxy.[[Delete]]
881         https://bugs.webkit.org/show_bug.cgi?id=154607
882
883         Reviewed by Mark Lam.
884
885         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
886         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
887
888         * runtime/ProxyObject.cpp:
889         (JSC::ProxyObject::getConstructData):
890         (JSC::ProxyObject::performDelete):
891         (JSC::ProxyObject::deleteProperty):
892         (JSC::ProxyObject::deletePropertyByIndex):
893         * runtime/ProxyObject.h:
894         * tests/es6.yaml:
895         * tests/stress/proxy-delete.js: Added.
896         (assert):
897         (throw.new.Error.let.handler.get deleteProperty):
898         (throw.new.Error):
899         (assert.let.handler.deleteProperty):
900         (let.handler.deleteProperty):
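
        The Proxy.[[Delete]] behaviour this entry implements, as an added JavaScript example (not
        code from the WebKit patch or its tests/stress/proxy-delete.js): the handlers and property
        names are constructed for the demonstration.

```javascript
// Added example (not from the WebKit patch): Proxy.[[Delete]] per ECMAScript
// section 9.5.10. Handlers and property names are constructed.

// The deleteProperty trap decides the outcome for named and indexed keys
// alike; Reflect.deleteProperty is used so the boolean result is observable
// regardless of whether the caller is strict.
function deleteThroughProxy() {
    const log = [];
    const target = { a: 1, keep: 2, 0: "idx" };
    const proxy = new Proxy(target, {
        deleteProperty(t, key) {
            log.push(String(key));
            if (key === "keep")
                return false;                    // refuse; target untouched
            return Reflect.deleteProperty(t, key);
        },
    });
    return {
        deletedA: Reflect.deleteProperty(proxy, "a"),     // true
        deletedKeep: Reflect.deleteProperty(proxy, "keep"), // false
        deletedIndex: Reflect.deleteProperty(proxy, 0),   // true, key "0"
        remaining: Object.keys(target),                   // ["keep"]
        log,                                              // ["a", "keep", "0"]
    };
}

// In strict code a trap that returns false turns the delete into a TypeError.
function strictDeleteRefusal() {
    "use strict";
    const proxy = new Proxy({ keep: 1 }, { deleteProperty() { return false; } });
    try {
        delete proxy.keep;
        return "no error";
    } catch (e) {
        return e.constructor.name;     // "TypeError"
    }
}

// Invariant from 9.5.10: the trap may not report success for a
// non-configurable own property of the target.
function deleteInvariantViolation() {
    const target = {};
    Object.defineProperty(target, "pinned", { value: 1, configurable: false });
    const proxy = new Proxy(target, { deleteProperty() { return true; } });
    try {
        Reflect.deleteProperty(proxy, "pinned");
        return "no error";
    } catch (e) {
        return e.constructor.name;     // "TypeError"
    }
}
```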
901
902 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
903
904         Stackmaps have problems with double register constraints
905         https://bugs.webkit.org/show_bug.cgi?id=154643
906
907         Reviewed by Geoffrey Garen.
908
909         This is currently a benign bug. I found it while playing.
910
911         * b3/B3LowerToAir.cpp:
912         (JSC::B3::Air::LowerToAir::fillStackmap):
913         * b3/testb3.cpp:
914         (JSC::B3::testURShiftSelf64):
915         (JSC::B3::testPatchpointDoubleRegs):
916         (JSC::B3::zero):
917         (JSC::B3::run):
918
919 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
920
921         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
922         https://bugs.webkit.org/show_bug.cgi?id=153981
923
924         Reviewed by Saam Barati.
925        
926         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
927         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
928         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
929         During syntax analysis the parser stores information about the variables used in arrow functions inside
930         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
931
932         * bytecode/ExecutableInfo.h:
933         (JSC::ExecutableInfo::ExecutableInfo):
934         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
935         * bytecode/UnlinkedCodeBlock.cpp:
936         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
937         * bytecode/UnlinkedCodeBlock.h:
938         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
939         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
940         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
941         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
942         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
943         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
944         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
945         * bytecode/UnlinkedFunctionExecutable.cpp:
946         (JSC::generateUnlinkedFunctionCodeBlock):
947         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
948         * bytecode/UnlinkedFunctionExecutable.h:
949         * bytecompiler/BytecodeGenerator.cpp:
950         (JSC::BytecodeGenerator::BytecodeGenerator):
951         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
952         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
953         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
954         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
955         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
956         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
957         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
958         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
959         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
960         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
961         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
962         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
963         * bytecompiler/BytecodeGenerator.h:
964         * bytecompiler/NodesCodegen.cpp:
965         (JSC::ThisNode::emitBytecode):
966         (JSC::EvalFunctionCallNode::emitBytecode):
967         (JSC::FunctionCallValueNode::emitBytecode):
968         (JSC::FunctionNode::emitBytecode):
969         * parser/ASTBuilder.h:
970         (JSC::ASTBuilder::createFunctionMetadata):
971         * parser/Nodes.cpp:
972         (JSC::FunctionMetadataNode::FunctionMetadataNode):
973         * parser/Nodes.h:
974         * parser/Parser.cpp:
975         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
976         (JSC::Parser<LexerType>::parseFunctionBody):
977         (JSC::Parser<LexerType>::parseFunctionInfo):
978         (JSC::Parser<LexerType>::parseProperty):
979         (JSC::Parser<LexerType>::parsePrimaryExpression):
980         (JSC::Parser<LexerType>::parseMemberExpression):
981         * parser/Parser.h:
982         (JSC::Scope::Scope):
983         (JSC::Scope::isArrowFunctionBoundary):
984         (JSC::Scope::innerArrowFunctionFeatures):
985         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
986         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
987         (JSC::Scope::setInnerArrowFunctionUseEval):
988         (JSC::Scope::setInnerArrowFunctionUseThis):
989         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
990         (JSC::Scope::setInnerArrowFunctionUseArguments):
991         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
992         (JSC::Scope::collectFreeVariables):
993         (JSC::Scope::mergeInnerArrowFunctionFeatures):
994         (JSC::Scope::fillParametersForSourceProviderCache):
995         (JSC::Scope::restoreFromSourceProviderCache):
996         (JSC::Scope::setIsFunction):
997         (JSC::Scope::setIsArrowFunction):
998         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
999         (JSC::Parser::pushScope):
1000         (JSC::Parser::popScopeInternal):
1001         * parser/ParserModes.h:
1002         * parser/SourceProviderCacheItem.h:
1003         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1004         * parser/SyntaxChecker.h:
1005         (JSC::SyntaxChecker::createFunctionMetadata):
1006         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1007         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1008         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1009         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1010         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1011
1012 2016-02-23  Brian Burg  <bburg@apple.com>
1013
1014         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1015         https://bugs.webkit.org/show_bug.cgi?id=154615
1016         <rdar://problem/24804330>
1017
1018         Reviewed by Timothy Hatcher.
1019
1020         Some of the generated Objective-C bindings are only relevant to code acting as the
1021         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1022         --backend to all generators. Use the setting in a few generators to omit code that's
1023         not needed.
1024
1025         Also fix a few places where the code emits the wrong Objective-C class prefix.
1026         There is some common non-generated code that must always have the RWIProtocol prefix.
1027
1028         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1029         macros defined in the internal header now need to be used outside of the framework.
1030
1031         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1032         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1033         depending on the target framework.
1034
1035         * inspector/scripts/codegen/generate_objc_header.py:
1036         (ObjCHeaderGenerator.generate_output):
1037         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1038
1039         (ObjCHeaderGenerator._generate_type_interface):
1040         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1041
1042         * inspector/scripts/codegen/generate_objc_internal_header.py:
1043         Use RWIProtocolJSONObjectPrivate.h instead.
1044
1045         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1046         (ObjCProtocolTypesImplementationGenerator.generate_output):
1047         Include the Internal header if it's being generated (only for --backend).
1048
1049         * inspector/scripts/codegen/generator.py:
1050         (Generator.__init__):
1051         (Generator.set_generator_setting):
1052         (Generator):
1053         (Generator.get_generator_setting):
1054         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1055
1056         (Generator.string_for_file_include):
1057         Inspired by the replay input generator, this is a function that uses the proper syntax
1058         for a file include depending on the file's framework and target framework.
1059
1060         * inspector/scripts/codegen/objc_generator.py:
1061         (ObjCGenerator.and):
1062         (ObjCGenerator.and.objc_prefix):
1063         (ObjCGenerator):
1064         (ObjCGenerator.objc_type_for_raw_name):
1065         (ObjCGenerator.objc_class_for_raw_name):
1066         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1067
1068         * inspector/scripts/generate-inspector-protocol-bindings.py:
1069         (generate_from_specification):
1070         Change the generators to use for the frontend. Propagate --frontend and --backend.
1071
1072         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1073         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1074         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1075         * inspector/scripts/tests/expected/enum-values.json-result:
1076         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1077         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1078         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1079         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1080         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1081         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1082         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1083         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1084         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1085         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1086
1087 2016-02-23  Saam barati  <sbarati@apple.com>
1088
1089         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1090         https://bugs.webkit.org/show_bug.cgi?id=154621
1091
1092         Reviewed by Michael Saboff.
1093
1094         * runtime/ArrayPrototype.cpp:
1095         (JSC::arrayProtoFuncConcat):
1096
1097 2016-02-23  Dan Bernstein  <mitz@apple.com>
1098
1099         [Xcode] Linker errors display mangled names, but no longer should
1100         https://bugs.webkit.org/show_bug.cgi?id=154632
1101
1102         Reviewed by Sam Weinig.
1103
1104         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1105
1106 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1107
1108         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1109         https://bugs.webkit.org/show_bug.cgi?id=112323
1110
1111         Reviewed by Chris Dumez.
1112
1113         This feature is controlled by a runtime switch, and defaults off.
1114
1115         * Configurations/FeatureDefines.xcconfig:
1116
1117 2016-02-23  Keith Miller  <keith_miller@apple.com>
1118
1119         JSC stress tests' standalone-pre.js should exit on the first failure by default
1120         https://bugs.webkit.org/show_bug.cgi?id=154565
1121
1122         Reviewed by Mark Lam.
1123
1124         Currently, if a test writer does not call finishJSTest() at the end of
1125         any test using stress/resources/standalone-pre.js then the test can fail
1126         without actually reporting an error to the harness. By default, we
1127         should throw on the first error so, in the event someone does not call
1128         finishJSTest() the harness will still notice the error.
1129
1130         * tests/stress/regress-151324.js:
1131         * tests/stress/resources/standalone-pre.js:
1132         (testFailed):
1133
1134 2016-02-23  Saam barati  <sbarati@apple.com>
1135
1136         Make JSObject::getMethod have fewer branches
1137         https://bugs.webkit.org/show_bug.cgi?id=154603
1138
1139         Reviewed by Mark Lam.
1140
1141         Writing code with fewer branches is almost always better.
1142
1143         * runtime/JSObject.cpp:
1144         (JSC::JSObject::getMethod):
1145
1146 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1147
1148         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1149         https://bugs.webkit.org/show_bug.cgi?id=154592
1150
1151         Reviewed by Saam Barati.
1152
1153         If Foo has a virtual destructor, then:
1154
1155         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1156         subclass of Foo that overrides the destructor, this syntax will not call that override.
1157
1158         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1159         get the subclass's override.
1160
1161         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1162         This caused leaks because this didn't actually call the subclass's override. This fixes the
1163         problem by using this->~Value() instead.
1164
1165         * b3/B3ControlValue.cpp:
1166         (JSC::B3::ControlValue::convertToJump):
1167         (JSC::B3::ControlValue::convertToOops):
1168         * b3/B3Value.cpp:
1169         (JSC::B3::Value::replaceWithIdentity):
1170         (JSC::B3::Value::replaceWithNop):
1171         (JSC::B3::Value::replaceWithPhi):
1172
1173 2016-02-23  Brian Burg  <bburg@apple.com>
1174
1175         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1176         https://bugs.webkit.org/show_bug.cgi?id=154596
1177         <rdar://problem/24794962>
1178
1179         Reviewed by Timothy Hatcher.
1180
1181         In order to support different generated protocol sets that don't have conflicting
1182         file and type names, allow the Objective-C prefix to be configurable based on the
1183         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1184         per-target framework prefix.
1185
1186         For example, the existing protocol for remote inspection has the prefix 'RWI'
1187         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1188         and is generated as 'AutomationProtocol'.
1189
1190         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1191         the instance method model() to find the target framework and its setting for
1192         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1193         these instance methods that used to be static methods. This is a large but
1194         mechanical change to use self instead of ObjCGenerator.
1195
1196         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1197         (ObjCBackendDispatcherHeaderGenerator):
1198         (ObjCBackendDispatcherHeaderGenerator.__init__):
1199         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1200         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1201         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1202         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1203         (ObjCConfigurationImplementationGenerator):
1204         (ObjCConfigurationImplementationGenerator.__init__):
1205         (ObjCConfigurationImplementationGenerator.output_filename):
1206         (ObjCConfigurationImplementationGenerator.generate_output):
1207         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1208         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1209         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1210         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1211         (ObjCConfigurationHeaderGenerator):
1212         (ObjCConfigurationHeaderGenerator.__init__):
1213         (ObjCConfigurationHeaderGenerator.output_filename):
1214         (ObjCConfigurationHeaderGenerator.generate_output):
1215         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1216         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1217         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1218         (ObjCBackendDispatcherImplementationGenerator):
1219         (ObjCBackendDispatcherImplementationGenerator.__init__):
1220         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1221         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1222         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1223         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1224         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1225         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1226         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1227         (ObjCConversionHelpersGenerator):
1228         (ObjCConversionHelpersGenerator.__init__):
1229         (ObjCConversionHelpersGenerator.output_filename):
1230         (ObjCConversionHelpersGenerator.generate_output):
1231         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1232         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1233         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1234         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1235         (ObjCFrontendDispatcherImplementationGenerator):
1236         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1237         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1238         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1239         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1240         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1241         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1242         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1243         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1244         * inspector/scripts/codegen/generate_objc_header.py:
1245         (ObjCHeaderGenerator):
1246         (ObjCHeaderGenerator.__init__):
1247         (ObjCHeaderGenerator.output_filename):
1248         (ObjCHeaderGenerator.generate_output):
1249         (ObjCHeaderGenerator._generate_forward_declarations):
1250         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1251         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1252         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1253         (ObjCHeaderGenerator._generate_type_interface):
1254         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1255         (ObjCHeaderGenerator._generate_member_property):
1256         (ObjCHeaderGenerator._generate_command_protocols):
1257         (ObjCHeaderGenerator._generate_single_command_protocol):
1258         (ObjCHeaderGenerator._callback_block_for_command):
1259         (ObjCHeaderGenerator._generate_event_interfaces):
1260         (ObjCHeaderGenerator._generate_single_event_interface):
1261         * inspector/scripts/codegen/generate_objc_internal_header.py:
1262         (ObjCInternalHeaderGenerator):
1263         (ObjCInternalHeaderGenerator.__init__):
1264         (ObjCInternalHeaderGenerator.output_filename):
1265         (ObjCInternalHeaderGenerator.generate_output):
1266         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1267         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1268         (ObjCProtocolTypesImplementationGenerator):
1269         (ObjCProtocolTypesImplementationGenerator.__init__):
1270         (ObjCProtocolTypesImplementationGenerator.output_filename):
1271         (ObjCProtocolTypesImplementationGenerator.generate_output):
1272         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1273         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1274         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1275         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1276         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1277         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1278         * inspector/scripts/codegen/models.py:
1279         * inspector/scripts/codegen/objc_generator.py:
1280         (ObjCTypeCategory.category_for_type):
1281         (ObjCGenerator):
1282         (ObjCGenerator.__init__):
1283         (ObjCGenerator.objc_prefix):
1284         (ObjCGenerator.objc_name_for_type):
1285         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1286         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1287         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1288         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1289         (ObjCGenerator.objc_class_for_type):
1290         (ObjCGenerator.objc_class_for_array_type):
1291         (ObjCGenerator.objc_accessor_type_for_member):
1292         (ObjCGenerator.objc_accessor_type_for_member_internal):
1293         (ObjCGenerator.objc_type_for_member):
1294         (ObjCGenerator.objc_type_for_member_internal):
1295         (ObjCGenerator.objc_type_for_param):
1296         (ObjCGenerator.objc_type_for_param_internal):
1297         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1298         (ObjCGenerator.objc_protocol_import_expression_for_member):
1299         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1300         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1301         (ObjCGenerator.objc_to_protocol_expression_for_member):
1302         (ObjCGenerator.protocol_to_objc_expression_for_member):
1303
1304         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1305
1306         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1307         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1308         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1309         * inspector/scripts/tests/expected/enum-values.json-result:
1310         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1311         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1312         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1313         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1314         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1315         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1316         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1317         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1318         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1319
1320 2016-02-23  Mark Lam  <mark.lam@apple.com>
1321
1322         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1323         https://bugs.webkit.org/show_bug.cgi?id=154542
1324
1325         Reviewed by Saam Barati.
1326
1327         According to the spec, the constructors of the following types "are not intended
1328         to be called as a function and will throw an exception".  These types are:
1329             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1330             Map - https://tc39.github.io/ecma262/#sec-map-constructor
1331             Set - https://tc39.github.io/ecma262/#sec-set-constructor
1332             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1333             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1334             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1335             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1336             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1337             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1338
1339         This patch does the following:
1340         1. Ensures that these constructors can be called but will throw a TypeError
1341            when called.
1342         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1343            in their implementation to be consistent.
1344         3. Changes the error message to "calling XXX constructor without new is invalid".
1345            This is clearer because the error is likely due to the user forgetting to use
1346            the new operator on these constructors.
1347
1348         * runtime/Error.h:
1349         * runtime/Error.cpp:
1350         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1351         - Added a convenience function to throw the TypeError.
1352
1353         * runtime/JSArrayBufferConstructor.cpp:
1354         (JSC::constructArrayBuffer):
1355         (JSC::callArrayBuffer):
1356         (JSC::JSArrayBufferConstructor::getCallData):
1357         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1358         (JSC::callGenericTypedArrayView):
1359         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1360         * runtime/JSPromiseConstructor.cpp:
1361         (JSC::callPromise):
1362         * runtime/MapConstructor.cpp:
1363         (JSC::callMap):
1364         * runtime/ProxyConstructor.cpp:
1365         (JSC::callProxy):
1366         (JSC::ProxyConstructor::getCallData):
1367         * runtime/SetConstructor.cpp:
1368         (JSC::callSet):
1369         * runtime/WeakMapConstructor.cpp:
1370         (JSC::callWeakMap):
1371         * runtime/WeakSetConstructor.cpp:
1372         (JSC::callWeakSet):
1373
1374         * tests/es6.yaml:
1375         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
1376
1377         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
1378         (test):
1379
1380         * tests/stress/map-constructor.js:
1381         (testCallTypeError):
1382         * tests/stress/promise-cannot-be-called.js:
1383         (shouldThrow):
1384         * tests/stress/proxy-basic.js:
1385         * tests/stress/set-constructor.js:
1386         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
1387         (i.catch):
1388         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
1389         (i.catch):
1390         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
1391         (i.catch):
1392         * tests/stress/weak-map-constructor.js:
1393         (testCallTypeError):
1394         * tests/stress/weak-set-constructor.js:
1395         - Updated error message string.
1396
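Added example (not part of this ChangeLog and not JavaScriptCore code): a JavaScript probe of the behavior the entry above describes, run against any ES2015-compliant engine such as Node. The helper names (callWithoutNew, probeAll) are this example's own. It checks each constructor in the list for a TypeError when called without `new`, contrasts them with constructors the spec does allow to be called as plain functions, and confirms the same constructors still work with `new`. The message text is engine-specific, so only the error type is checked.

```javascript
'use strict';

// Classifies how `ctor` behaves when called as a plain function:
// 'requires-new' if it throws a TypeError (what the spec requires for Map, Set,
// TypedArrays, Promise, Proxy, ...), 'callable' if the call succeeds, and
// 'other-error' for anything else (which would point at a bug in the engine
// or in the sample arguments).
function callWithoutNew(ctor, ...args) {
  try {
    ctor(...args);
    return 'callable';
  } catch (e) {
    return e instanceof TypeError ? 'requires-new' : 'other-error';
  }
}

// Constructed sample input: the constructors named in the entry above, each
// with arguments that are valid for `new`, so a missing `new` is the only
// reason for a failure.
const mustUseNew = [
  [Uint8Array, 4],
  [Float64Array, 4],
  [Map],
  [Set],
  [WeakMap],
  [WeakSet],
  [ArrayBuffer, 8],
  [DataView, new ArrayBuffer(8)],
  [Promise, function () {}],
  [Proxy, {}, {}],
];

// Constructors the spec explicitly allows to be called without `new`.
const callableToo = [
  [Date],
  [Number, 1],
  [String, 'x'],
  [Boolean, true],
  [Array, 3],
  [Error, 'e'],
  [RegExp, 'a'],
  [Object, null],
];

function probeAll(list) {
  const result = {};
  for (const [ctor, ...args] of list) result[ctor.name] = callWithoutNew(ctor, ...args);
  return result;
}

function allRequireNew() {
  return Object.values(probeAll(mustUseNew)).every((r) => r === 'requires-new');
}

function allCallable() {
  return Object.values(probeAll(callableToo)).every((r) => r === 'callable');
}

// The same constructors keep working with `new`: the TypeError is specific to
// the call path, not to the constructor. (`instanceof Proxy` would itself
// throw, since Proxy has no `prototype`, so only the result type is checked.)
function newStillWorks() {
  return mustUseNew.every(([ctor, ...args]) => typeof new ctor(...args) === 'object');
}

console.log(probeAll(mustUseNew));
console.log(probeAll(callableToo));
```

A result of 'other-error' or a crash for any entry in the first list is the kind of defect the entry fixes: the spec requires a catchable TypeError, never an assertion failure.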
1397 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
1398
1399         ASan build fix.
1400
1401         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
1402
1403         * inspector/InspectorBackendDispatcher.h:
1404
1405 2016-02-23  Brian Burg  <bburg@apple.com>
1406
1407         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
1408         https://bugs.webkit.org/show_bug.cgi?id=154518
1409         <rdar://problem/24761096>
1410
1411         Reviewed by Timothy Hatcher.
1412
1413         * inspector/InspectorBackendDispatcher.h:
1414         Export all the classes since they are used by WebKit::WebAutomationSession.
1415
1416 2016-02-22  Brian Burg  <bburg@apple.com>
1417
1418         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1419         https://bugs.webkit.org/show_bug.cgi?id=154509
1420         <rdar://problem/24759098>
1421
1422         Reviewed by Timothy Hatcher.
1423
1424         Add a new 'WebKit' framework, which is used to generate protocol code
1425         in WebKit2.
1426
1427         Add --backend and --frontend flags to the main generator script.
1428         These allow a framework to trigger two different sets of generators
1429         so they can be separately generated and compiled.
1430
1431         * inspector/scripts/codegen/models.py:
1432         (Framework.fromString):
1433         (Frameworks): Add new framework.
1434
1435         * inspector/scripts/generate-inspector-protocol-bindings.py:
1436         If neither --backend nor --frontend is specified, assume both are wanted.
1437         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1438
1439         (generate_from_specification):
1440         Generate C++ files for the backend and Objective-C files for the frontend.
1441
1442 2016-02-22  Saam barati  <sbarati@apple.com>
1443
1444         JSGlobalObject doesn't visit ProxyObjectStructure during GC
1445         https://bugs.webkit.org/show_bug.cgi?id=154564
1446
1447         Rubber stamped by Mark Lam.
1448
1449         * runtime/JSGlobalObject.cpp:
1450         (JSC::JSGlobalObject::visitChildren):
1451
1452 2016-02-22  Saam barati  <sbarati@apple.com>
1453
1454         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
1455         https://bugs.webkit.org/show_bug.cgi?id=154548
1456
1457         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
1458
1459         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
1460         an exception. Neither the function nor the call sites of the function took this into
1461         account. This patch audits the call sites of the function to make it work in
1462         the event that an exception is thrown.
1463
1464         * runtime/BooleanConstructor.cpp:
1465         (JSC::constructWithBooleanConstructor):
1466         * runtime/DateConstructor.cpp:
1467         (JSC::constructDate):
1468         * runtime/ErrorConstructor.cpp:
1469         (JSC::Interpreter::constructWithErrorConstructor):
1470         * runtime/FunctionConstructor.cpp:
1471         (JSC::constructFunctionSkippingEvalEnabledCheck):
1472         * runtime/InternalFunction.cpp:
1473         (JSC::InternalFunction::createSubclassStructure):
1474         * runtime/JSArrayBufferConstructor.cpp:
1475         (JSC::constructArrayBuffer):
1476         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1477         (JSC::constructGenericTypedArrayView):
1478         * runtime/JSGlobalObject.h:
1479         (JSC::constructEmptyArray):
1480         (JSC::constructArray):
1481         (JSC::constructArrayNegativeIndexed):
1482         * runtime/JSPromiseConstructor.cpp:
1483         (JSC::constructPromise):
1484         * runtime/MapConstructor.cpp:
1485         (JSC::constructMap):
1486         * runtime/NativeErrorConstructor.cpp:
1487         (JSC::Interpreter::constructWithNativeErrorConstructor):
1488         * runtime/NumberConstructor.cpp:
1489         (JSC::constructWithNumberConstructor):
1490         * runtime/RegExpConstructor.cpp:
1491         (JSC::getRegExpStructure):
1492         (JSC::constructRegExp):
1493         (JSC::constructWithRegExpConstructor):
1494         * runtime/SetConstructor.cpp:
1495         (JSC::constructSet):
1496         * runtime/StringConstructor.cpp:
1497         (JSC::constructWithStringConstructor):
1498         (JSC::StringConstructor::getConstructData):
1499         * runtime/WeakMapConstructor.cpp:
1500         (JSC::constructWeakMap):
1501         * runtime/WeakSetConstructor.cpp:
1502         (JSC::constructWeakSet):
1503         * tests/stress/create-subclass-structure-might-throw.js: Added.
1504         (assert):
1505
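Added example (not part of this ChangeLog and not JavaScriptCore code): the observable side of the bug the entry above fixes, in JavaScript for any ES2015-compliant engine. Reading new.target.prototype is an ordinary [[Get]] and can run user code; a Proxy over a function is a constructor, so it is a legal new.target whose `get` trap can make exactly that read throw. The helper names (throwingNewTarget, constructWith) are this example's own. Each built-in the entry audits must surface the getter's error unchanged rather than crash or create a half-built object.

```javascript
'use strict';

// A constructor whose `prototype` lookup throws. A Proxy over a function is
// itself a constructor, so Reflect.construct accepts it as new.target, and the
// `get` trap lets us make only the [[Get]] of "prototype" fail.
function throwingNewTarget(message) {
  return new Proxy(function () {}, {
    get(target, key, receiver) {
      if (key === 'prototype') throw new Error(message);
      return Reflect.get(target, key, receiver);
    },
  });
}

// Constructs `ctor` with the given new.target and reports the outcome instead
// of throwing, so many constructors can be checked in one pass.
function constructWith(ctor, args, newTarget) {
  try {
    const obj = Reflect.construct(ctor, args, newTarget);
    return { ok: true, proto: Object.getPrototypeOf(obj) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample: the built-in constructors the entry touches. For each
// one the error message must come straight from the prototype getter, i.e.
// the exception propagates before any object is created.
function errorsFromPrototypeGetter() {
  const cases = [
    [Map, []], [Set, []], [WeakMap, []], [WeakSet, []],
    [Promise, [function () {}]], [ArrayBuffer, [8]], [Uint8Array, [4]],
    [Boolean, [true]], [Number, [1]], [String, ['s']], [Date, [0]],
    [RegExp, ['a']], [Error, ['e']], [RangeError, ['r']],
    [Function, ['return 1']], [Array, [3]],
  ];
  const out = {};
  for (const [ctor, args] of cases) {
    out[ctor.name] = constructWith(ctor, args, throwingNewTarget('boom:' + ctor.name)).error;
  }
  return out;
}

// The ordinary subclassing path, for contrast: a well-behaved new.target makes
// the result inherit from new.target.prototype.
function subclassPrototypeIsUsed() {
  class MyMap extends Map {}
  const r = constructWith(Map, [], MyMap);
  return r.ok && r.proto === MyMap.prototype;
}

console.log(errorsFromPrototypeGetter());
```

The same shape (a getter that throws on `prototype`) is the natural stress test for any native constructor that consults new.target: the check is that the thrown value is the getter's own error and that nothing observable happened before it.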
1506 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
1507
1508         Fix build and implement functions to retrieve registers on FreeBSD
1509         https://bugs.webkit.org/show_bug.cgi?id=152258
1510
1511         Reviewed by Michael Catanzaro.
1512
1513         * heap/MachineStackMarker.cpp:
1514         (pthreadSignalHandlerSuspendResume):
1515         struct ucontext is not specified in POSIX and it is not available on
1516         FreeBSD. Replacing it with ucontext_t fixes the build problem.
1517         (JSC::MachineThreads::Thread::Registers::stackPointer):
1518         (JSC::MachineThreads::Thread::Registers::framePointer):
1519         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1520         (JSC::MachineThreads::Thread::Registers::llintPC):
1521         * heap/MachineStackMarker.h:
1522
1523 2016-02-22  Saam barati  <sbarati@apple.com>
1524
1525         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
1526         https://bugs.webkit.org/show_bug.cgi?id=154552
1527
1528         Reviewed by Mark Lam.
1529
1530         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
1531         They return false on a Proxy with internal [[Call]] and [[Construct]]
1532         properties. It seems safest, most forward looking, and most adherent
1533         to the specification to check getCallData() and getConstructData() to
1534         implement these functions.
1535
1536         * runtime/InternalFunction.cpp:
1537         (JSC::InternalFunction::createSubclassStructure):
1538         * runtime/JSCJSValueInlines.h:
1539         (JSC::JSValue::isFunction):
1540         (JSC::JSValue::isConstructor):
1541
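Added example (not part of this ChangeLog and not JavaScriptCore code): the spec-level IsCallable and IsConstructor tests written in JavaScript, so the Proxy cases the entry above mentions can be checked from script in any ES2015-compliant engine. The helper names (isCallable, isConstructor, classify, sampleReport) are this example's own. `typeof` reports 'function' for anything with a [[Call]], a Proxy over a callable target included; Reflect.construct validates that its new.target argument has a [[Construct]] before doing anything else, which gives an IsConstructor probe that never invokes the value.

```javascript
'use strict';

// IsCallable: typeof yields 'function' exactly for objects with a [[Call]],
// including a Proxy whose target is callable (the case the entry fixes).
function isCallable(v) {
  return typeof v === 'function';
}

// IsConstructor without running v: Reflect.construct checks that its third
// argument (new.target) has a [[Construct]] before it does anything else and
// throws a TypeError otherwise. The dummy function is what gets constructed;
// v is only consulted for its `prototype` property and is never called.
function isConstructor(v) {
  try {
    Reflect.construct(function () {}, [], v);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

function classify(v) {
  return { callable: isCallable(v), constructible: isConstructor(v) };
}

// Constructed sample values covering the cases that differ from each other.
// A Proxy gets [[Call]] and [[Construct]] only if its target has them, so the
// classification follows the target through any number of Proxy layers.
function sampleReport() {
  class C {}
  const cases = {
    plainFunction: function () {},
    arrow: () => {},
    classCtor: C,
    method: { m() {} }.m,
    generator: function* () {},
    asyncFn: async function () {},
    boundClass: C.bind(null),
    proxyOverFunction: new Proxy(function () {}, {}),
    proxyOverArrow: new Proxy(() => {}, {}),
    proxyOverObject: new Proxy({}, {}),
    proxyOverProxyOverClass: new Proxy(new Proxy(C, {}), {}),
    plainObject: {},
  };
  return Object.fromEntries(Object.entries(cases).map(([name, v]) => [name, classify(v)]));
}

console.log(sampleReport());
```

One caveat on the probe: because Reflect.construct reads v.prototype, a new.target whose `prototype` getter throws makes isConstructor rethrow that error rather than answer; that is the same exception path the createSubclassStructure entry above deals with, and the caller has to be prepared for it.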
1542 2016-02-22  Keith Miller  <keith_miller@apple.com>
1543
1544         Bound functions should use the prototype of the function being bound
1545         https://bugs.webkit.org/show_bug.cgi?id=154195
1546
1547         Reviewed by Geoffrey Garen.
1548
1549         Per ES6, the result of Function.prototype.bind should have the same
1550         prototype as the function being bound. In order to avoid creating
1551         a new structure each time a function is bound we store the new
1552         structure in our structure map. However, we cannot currently store
1553         structures that have a different GlobalObject than their prototype.
1554         In the rare case that the GlobalObject differs or the prototype of
1555         the bindee is null we create a new structure each time. To further
1556         minimize new structures, as well as making structure lookup faster,
1557         we also store the structure in the RareData of the function we
1558         are binding.
1559
1560         * runtime/FunctionRareData.cpp:
1561         (JSC::FunctionRareData::visitChildren):
1562         * runtime/FunctionRareData.h:
1563         (JSC::FunctionRareData::getBoundFunctionStructure):
1564         (JSC::FunctionRareData::setBoundFunctionStructure):
1565         * runtime/JSBoundFunction.cpp:
1566         (JSC::getBoundFunctionStructure):
1567         (JSC::JSBoundFunction::create):
1568         * tests/es6.yaml:
1569         * tests/stress/bound-function-uses-prototype.js: Added.
1570         (testChangeProto.foo):
1571         (testChangeProto):
1572         (testBuiltins):
1573         * tests/stress/class-subclassing-function.js:
1574
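Added example (not part of this ChangeLog and not JavaScriptCore code): the ES6 rule the entry above implements, checked from JavaScript in any ES2015-compliant engine, including the null-prototype case the entry singles out. The helper names (bindOf, sampleCases, rebindAfterPrototypeChange) are this example's own. `Function.prototype.bind.call` is used instead of `target.bind` because a function whose [[Prototype]] is null no longer inherits `bind`. The last function checks the property a structure cache must preserve: the [[Prototype]] is sampled at bind time, so changing the target's prototype and binding again has to produce a bound function with the new prototype.

```javascript
'use strict';

// Binds `target` without relying on target.bind, which is missing when the
// target's [[Prototype]] is null.
function bindOf(target) {
  return Function.prototype.bind.call(target, null);
}

function boundProtoMatchesTarget(target) {
  return Object.getPrototypeOf(bindOf(target)) === Object.getPrototypeOf(target);
}

// Constructed cases: an ordinary function, an instance of a subclass of
// Function, a function whose [[Prototype]] was replaced, and the null
// prototype case called out in the entry as the one that cannot use the
// shared structure.
function sampleCases() {
  const ordinary = function () {};

  class MyFn extends Function {}
  const sub = new MyFn('return 1');      // inherits from MyFn.prototype

  const custom = function () {};
  const customProto = Object.create(Function.prototype);
  Object.setPrototypeOf(custom, customProto);

  const nullProto = function () {};
  Object.setPrototypeOf(nullProto, null);

  return {
    ordinary: boundProtoMatchesTarget(ordinary)
      && Object.getPrototypeOf(bindOf(ordinary)) === Function.prototype,
    subclass: Object.getPrototypeOf(bindOf(sub)) === MyFn.prototype,
    custom: Object.getPrototypeOf(bindOf(custom)) === customProto,
    nullProto: Object.getPrototypeOf(bindOf(nullProto)) === null,
    // Bound functions never get an own `prototype` property, whatever the target has.
    noOwnPrototype: !Object.prototype.hasOwnProperty.call(bindOf(ordinary), 'prototype'),
  };
}

// The [[Prototype]] is read when bind runs: bind, change the target's
// prototype, bind again, and the two bound functions must differ. Whatever
// caching an engine does for the bound-function structure must not hand back
// the stale prototype here.
function rebindAfterPrototypeChange() {
  const f = function () {};
  const before = bindOf(f);
  const newProto = Object.create(Function.prototype);
  Object.setPrototypeOf(f, newProto);
  const after = bindOf(f);
  return {
    beforeUnchanged: Object.getPrototypeOf(before) === Function.prototype,
    afterFollows: Object.getPrototypeOf(after) === newProto,
  };
}

console.log(sampleCases(), rebindAfterPrototypeChange());
```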
1575 2016-02-22  Keith Miller  <keith_miller@apple.com>
1576
1577         Unreviewed, fix stress test to not print on success.
1578
1579         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
1580         (catch): Deleted.
1581
1582 2016-02-22  Keith Miller  <keith_miller@apple.com>
1583
1584         Use Symbol.species in the builtin TypedArray.prototype functions
1585         https://bugs.webkit.org/show_bug.cgi?id=153384
1586
1587         Reviewed by Geoffrey Garen.
1588
1589         This patch adds the use of species constructors to the TypedArray.prototype map and filter
1590         functions. It also adds a new private function typedArrayGetOriginalConstructor that
1591         returns the TypedArray constructor used to originally create a TypedArray instance.
1592
1593         There are no ES6 tests to update for this patch as species creation for these functions is
1594         not tested in the compatibility table.
1595
1596         * builtins/TypedArrayPrototype.js:
1597         (map):
1598         (filter):
1599         * bytecode/BytecodeIntrinsicRegistry.cpp:
1600         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1601         * bytecode/BytecodeIntrinsicRegistry.h:
1602         * runtime/CommonIdentifiers.h:
1603         * runtime/JSGlobalObject.cpp:
1604         (JSC::JSGlobalObject::init):
1605         (JSC::JSGlobalObject::visitChildren):
1606         * runtime/JSGlobalObject.h:
1607         (JSC::JSGlobalObject::typedArrayConstructor):
1608         * runtime/JSTypedArrayViewPrototype.cpp:
1609         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
1610         * runtime/JSTypedArrayViewPrototype.h:
1611         * tests/stress/typedarray-filter.js:
1612         (subclasses.typedArrays.map):
1613         (prototype.accept):
1614         (testSpecies):
1615         (accept):
1616         (forEach):
1617         (subclasses.forEach):
1618         (testSpeciesRemoveConstructor):
1619         * tests/stress/typedarray-map.js:
1620         (subclasses.typedArrays.map):
1621         (prototype.id):
1622         (testSpecies):
1623         (id):
1624         (forEach):
1625         (subclasses.forEach):
1626         (testSpeciesRemoveConstructor):
1627
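Added example (not part of this ChangeLog and not JavaScriptCore code): the species lookup that TypedArray.prototype.map and filter perform, exercised from JavaScript in any engine that implements ES2015 TypedArraySpeciesCreate. The class and helper names (MyU8, WideningU8, mapSpecies, runCases) are this example's own. It covers the default (a subclass maps to itself), a species that widens the element type, the fallbacks to the original intrinsic constructor when `constructor` is undefined or species is null, and the two failure modes the spec turns into a TypeError: a species that is not a constructor, and one that builds an array shorter than requested.

```javascript
'use strict';

// Returns the constructor name and contents of what `view.map(x => x * 2)`
// creates, or the error type if species resolution rejects it.
function mapSpecies(view) {
  try {
    const out = view.map((x) => x * 2);
    return { ctor: Object.getPrototypeOf(out).constructor.name, values: Array.from(out) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Default: a subclass instance maps to the same subclass, because the
// inherited %TypedArray%[Symbol.species] getter returns `this`.
class MyU8 extends Uint8Array {}

// Species redirected to a wider element type: doubled values no longer wrap.
class WideningU8 extends Uint8Array {
  static get [Symbol.species]() { return Uint16Array; }
}

// Species that is not a constructor: SpeciesConstructor must throw a TypeError.
class BadSpecies extends Uint8Array {
  static get [Symbol.species]() { return 42; }
}

// Species that ignores the requested length and builds an empty array:
// TypedArraySpeciesCreate validates the length and throws a TypeError.
class TooShort extends Uint8Array {
  constructor() { super(0); }
}
class ShortSpecies extends Uint8Array {
  static get [Symbol.species]() { return TooShort; }
}

// Species returning null is treated like undefined: default constructor.
class NullSpecies extends Uint8Array {
  static get [Symbol.species]() { return null; }
}

function runCases() {
  // `constructor` removed on the instance: SpeciesConstructor falls back to
  // the intrinsic the instance was created from (Uint8Array), which is what a
  // private "original constructor" lookup like the one in the entry is for.
  const noCtor = new MyU8([100, 200]);
  Object.defineProperty(noCtor, 'constructor', { value: undefined });

  return {
    subclass: mapSpecies(new MyU8([100, 200])),        // MyU8, [200, 144]: 400 wraps in 8 bits
    widened: mapSpecies(new WideningU8([100, 200])),   // Uint16Array, [200, 400]
    noConstructor: mapSpecies(noCtor),                 // Uint8Array
    nullSpecies: mapSpecies(new NullSpecies([1, 2])),  // Uint8Array, [2, 4]
    badSpecies: mapSpecies(new BadSpecies([1])),       // TypeError
    shortSpecies: mapSpecies(new ShortSpecies([1, 2, 3])), // TypeError
    filterToo: Object.getPrototypeOf(new MyU8([1, 2, 3]).filter((x) => x > 1)).constructor.name,
  };
}

console.log(runCases());
```

The widening case is the practical reason species matters for typed arrays: the element type of the result is chosen by the species constructor, not by the receiver, so a subclass can decide that derived arrays carry wider values instead of silently truncating.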
1628 2016-02-22  Keith Miller  <keith_miller@apple.com>
1629
1630         Builtins that should not rely on iteration do.
1631         https://bugs.webkit.org/show_bug.cgi?id=154475
1632
1633         Reviewed by Geoffrey Garen.
1634
1635         When changing the behavior of varargs calls to use ES6 iterators the
1636         call builtin function's use of a varargs call was overlooked. The use
1637         of iterators is observable outside the scope of the call function,
1638         thus it must be reimplemented.
1639
1640         * builtins/FunctionPrototype.js:
1641         (call):
1642         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
1643         (test):
1644         (addAll):
1645         (catch):
1646
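Added example (not part of this ChangeLog and not JavaScriptCore code): how the iterator use the entry above describes becomes observable, in JavaScript for any ES2015-compliant engine. The helper names (countArrayIterations, iteratorUse) are this example's own. Replacing Array.prototype[Symbol.iterator] with a counting wrapper makes every use of the array iteration protocol visible, including on arrays the engine creates internally; the spec defines call, apply and Reflect.apply in terms of an argument list (CreateListFromArrayLike), so they must register zero entries, while spread, destructuring and Array.from are defined in terms of the iterator and register one each.

```javascript
'use strict';

// Runs `body` while Array.prototype[Symbol.iterator] is replaced by a counting
// wrapper, restores the original in `finally`, and returns how many times the
// array iteration protocol was entered. Patching the shared prototype is what
// makes any internal use of iteration observable, even on arrays the engine
// builds itself.
function countArrayIterations(body) {
  const original = Array.prototype[Symbol.iterator];
  let count = 0;
  Array.prototype[Symbol.iterator] = function () {
    count += 1;
    return original.call(this);
  };
  try {
    body();
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
  return count;
}

function sum(a, b, c) {
  return (a || 0) + (b || 0) + (c || 0);
}

// Constructed sample: the same three arguments passed through each mechanism.
// call/apply/Reflect.apply must not touch the iterator; spread, destructuring
// and Array.from are specified in terms of it.
function iteratorUse() {
  const args = [1, 2, 3];
  return {
    call: countArrayIterations(() => sum.call(null, 1, 2, 3)),
    apply: countArrayIterations(() => sum.apply(null, args)),
    reflectApply: countArrayIterations(() => Reflect.apply(sum, null, args)),
    spread: countArrayIterations(() => sum(...args)),
    newSpread: countArrayIterations(() => new (function () {})(...args)),
    destructuring: countArrayIterations(() => { const [x] = args; return x; }),
    arrayFrom: countArrayIterations(() => Array.from(args)),
  };
}

// The patching changes nothing about the results: the calls still compute the sum.
function sumsStillCorrect() {
  return countArrayIterations(() => {
    if (sum.call(null, 1, 2, 3) !== 6 || sum.apply(null, [1, 2, 3]) !== 6) throw new Error('bad sum');
  }) === 0;
}

console.log(iteratorUse());
```

A non-zero count for `call` or `apply` is exactly the bug the entry describes: a builtin implemented with a varargs call leaks its internal iteration to script, which is also a way for hostile code to run during what should be a plain argument copy.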
1647 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1648
1649         [JSC shell] Don't put empty arguments array to VM.
1650         https://bugs.webkit.org/show_bug.cgi?id=154516
1651
1652         Reviewed by Geoffrey Garen.
1653
1654         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
1655         in jsc as well as in browser.
1656
1657         * jsc.cpp:
1658         (GlobalObject::finishCreation):
1659
1660 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1661
1662         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
1663         https://bugs.webkit.org/show_bug.cgi?id=154450
1664
1665         Reviewed by Alex Christensen.
1666
1667         * CMakeLists.txt:
1668
1669 2016-02-22  Commit Queue  <commit-queue@webkit.org>
1670
1671         Unreviewed, rolling out r196891.
1672         https://bugs.webkit.org/show_bug.cgi?id=154539
1673
1674         it broke Production builds (Requested by brrian on #webkit).
1675
1676         Reverted changeset:
1677
1678         "Web Inspector: add 'Automation' protocol domain and generate
1679         its backend classes separately in WebKit2"
1680         https://bugs.webkit.org/show_bug.cgi?id=154509
1681         http://trac.webkit.org/changeset/196891
1682
1683 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1684
1685         CodeBlock always visits its unlinked code twice
1686         https://bugs.webkit.org/show_bug.cgi?id=154494
1687
1688         Reviewed by Saam Barati.
1689
1690         * bytecode/CodeBlock.cpp:
1691         (JSC::CodeBlock::visitChildren):
1692         The unlinked code is always visited in stronglyVisitStrongReferences.
1693
1694 2016-02-21  Brian Burg  <bburg@apple.com>
1695
1696         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1697         https://bugs.webkit.org/show_bug.cgi?id=154509
1698         <rdar://problem/24759098>
1699
1700         Reviewed by Timothy Hatcher.
1701
1702         Add a new 'WebKit' framework, which is used to generate protocol code
1703         in WebKit2.
1704
1705         Add --backend and --frontend flags to the main generator script.
1706         These allow a framework to trigger two different sets of generators
1707         so they can be separately generated and compiled.
1708
1709         * inspector/scripts/codegen/models.py:
1710         (Framework.fromString):
1711         (Frameworks): Add new framework.
1712
1713         * inspector/scripts/generate-inspector-protocol-bindings.py:
1714         If neither --backend nor --frontend is specified, assume both are wanted.
1715         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1716
1717         (generate_from_specification):
1718         Generate C++ files for the backend and Objective-C files for the frontend.
1719
1720 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1721
1722         Improvements to Intl code
1723         https://bugs.webkit.org/show_bug.cgi?id=154486
1724
1725         Reviewed by Darin Adler.
1726
1727         This patch does several things:
1728         - Use std::unique_ptr to store ICU objects.
1729         - Pass Vector::size() to ICU functions that take a buffer size instead
1730           of Vector::capacity().
1731         - If U_SUCCESS(status) is true, it means there is no error, but there
1732           could be warnings. ICU functions ignore warnings. So, there is no need
1733           to reset status to U_ZERO_ERROR.
1734         - Remove the initialization of the String instance variables of
1735           IntlDateTimeFormat. These values are never read and cause unnecessary
1736           memory allocation.
1737         - Fix coding style.
1738         - Some small optimization.
1739
1740         * runtime/IntlCollator.cpp:
1741         (JSC::IntlCollator::UCollatorDeleter::operator()):
1742         (JSC::IntlCollator::createCollator):
1743         (JSC::IntlCollator::compareStrings):
1744         (JSC::IntlCollator::~IntlCollator): Deleted.
1745         * runtime/IntlCollator.h:
1746         * runtime/IntlDateTimeFormat.cpp:
1747         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
1748         (JSC::defaultTimeZone):
1749         (JSC::canonicalizeTimeZoneName):
1750         (JSC::toDateTimeOptionsAnyDate):
1751         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1752         (JSC::IntlDateTimeFormat::weekdayString):
1753         (JSC::IntlDateTimeFormat::format):
1754         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
1755         (JSC::localeData): Deleted.
1756         * runtime/IntlDateTimeFormat.h:
1757         * runtime/IntlDateTimeFormatConstructor.cpp:
1758         * runtime/IntlNumberFormatConstructor.cpp:
1759         * runtime/IntlObject.cpp:
1760         (JSC::numberingSystemsForLocale):
1761
1762 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1763
1764         Remove arrowfunction test cases that rely on arguments variable in jsc
1765         https://bugs.webkit.org/show_bug.cgi?id=154517
1766
1767         Reviewed by Yusuke Suzuki.
1768
1769         Allow jsc to have the same JavaScript behavior as the browser has.
1770
1771         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1772         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1773
1774 2016-02-21  Brian Burg  <bburg@apple.com>
1775
1776         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
1777         https://bugs.webkit.org/show_bug.cgi?id=154508
1778         <rdar://problem/24759077>
1779
1780         Reviewed by Timothy Hatcher.
1781
1782         In preparation for being able to generate protocol files for WebKit2,
1783         make it possible to not emit generated code that's guarded by
1784         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
1785         backend dispatchers generated outside of JavaScriptCore. We can't just
1786         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
1787         in the configurations where the code is actually used.
1788
1789         Add a new opt-in Framework configuration option that turns on generating
1790         this code. Adjust how the code is generated so that it can be easily excluded.
1791
1792         * inspector/scripts/codegen/cpp_generator_templates.py:
1793         Make a separate template for the declarations that are guarded.
1794         Add an initializer expression so the order of initializers doesn't matter.
1795
1796         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1797         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
1798         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1799         If the declarations are needed, they will be appended to the end of the
1800         declarations list.
1801
1802         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1803         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
1804         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
1805
1806         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
1807         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
1808
1809         Rebaseline affected tests.
1810
1811         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1812         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1813         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1814         * inspector/scripts/tests/expected/enum-values.json-result:
1815         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1816
1817 2016-02-21  Brian Burg  <bburg@apple.com>
1818
1819         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
1820         https://bugs.webkit.org/show_bug.cgi?id=154505
1821         <rdar://problem/24758042>
1822
1823         Reviewed by Timothy Hatcher.
1824
1825         It should be possible to generate code for a framework using some generators
1826         that other frameworks also use. Right now the generator selection code assumes
1827         that use of a generator is mutually exclusive among non-test frameworks.
1828
1829         Make this code explicitly switch on the framework. Reorder generators
1830         alphabetically within each case.
1831
1832         * inspector/scripts/generate-inspector-protocol-bindings.py:
1833         (generate_from_specification):
1834
1835         Rebaseline tests that are affected by generator reorderings.
1836
1837         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1838         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1839         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1840         * inspector/scripts/tests/expected/enum-values.json-result:
1841         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1842         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1843         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1844         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1845         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1846         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1847         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1848         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1849         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1850
1851 2016-02-19  Saam Barati  <sbarati@apple.com>
1852
1853         [ES6] Implement Proxy.[[Construct]]
1854         https://bugs.webkit.org/show_bug.cgi?id=154440
1855
1856         Reviewed by Oliver Hunt.
1857
1858         This patch is mostly an implementation of
1859         Proxy.[[Construct]] with respect to section 9.5.13
1860         of the ECMAScript spec.
1861         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
1862
1863         This patch also changes op_create_this to accept new.target values
1864         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
1865         because we might construct a JSFunction with a new.target being
1866         a Proxy. This will also be needed when we implement Reflect.construct.
1867
1868         * dfg/DFGOperations.cpp:
1869         * dfg/DFGSpeculativeJIT32_64.cpp:
1870         (JSC::DFG::SpeculativeJIT::compile):
1871         * dfg/DFGSpeculativeJIT64.cpp:
1872         (JSC::DFG::SpeculativeJIT::compile):
1873         * jit/JITOpcodes.cpp:
1874         (JSC::JIT::emit_op_create_this):
1875         (JSC::JIT::emitSlow_op_create_this):
1876         * jit/JITOpcodes32_64.cpp:
1877         (JSC::JIT::emit_op_create_this):
1878         (JSC::JIT::emitSlow_op_create_this):
1879         * llint/LLIntData.cpp:
1880         (JSC::LLInt::Data::performAssertions):
1881         * llint/LowLevelInterpreter.asm:
1882         * llint/LowLevelInterpreter32_64.asm:
1883         * llint/LowLevelInterpreter64.asm:
1884         * runtime/CommonSlowPaths.cpp:
1885         (JSC::SLOW_PATH_DECL):
1886         * runtime/ProxyObject.cpp:
1887         (JSC::ProxyObject::finishCreation):
1888         (JSC::ProxyObject::visitChildren):
1889         (JSC::performProxyConstruct):
1890         (JSC::ProxyObject::getConstructData):
1891         * runtime/ProxyObject.h:
1892         * tests/es6.yaml:
1893         * tests/stress/proxy-construct.js: Added.
1894         (assert):
1895         (throw.new.Error.let.target):
1896         (throw.new.Error):
1897         (assert.let.target):
1898         (assert.let.handler.get construct):
1899         (let.target):
1900         (let.handler.construct):
1901         (i.catch):
1902         (assert.let.handler.construct):
1903         (assert.let.construct):
1904         (assert.else.assert.let.target):
1905         (assert.else.assert.let.construct):
1906         (assert.else.assert):
1907         (new.proxy.let.target):
1908         (new.proxy.let.construct):
1909         (new.proxy):
1910
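Added example (not part of this ChangeLog and not JavaScriptCore code): the Proxy [[Construct]] algorithm of section 9.5.13 written out in JavaScript, then run side by side with a real Proxy in any ES2015-compliant engine. The function names (proxyConstruct, runCases, modelMatchesEngine) are this example's own; `target` and `handler` stand in for the proxy's internal slots. It shows the three behaviors the algorithm fixes: with no trap the construct is forwarded with new.target still the proxy (the case that needs op_create_this to accept a non-JSFunction new.target), a trap may substitute any object, and a trap that returns a primitive or is not callable is a TypeError.

```javascript
'use strict';

// Proxy [[Construct]] (ECMAScript section 9.5.13) in JavaScript. `target` and
// `handler` stand for the proxy's internal slots; `args` and `newTarget` are
// the inputs of the construct operation.
function proxyConstruct(target, handler, args, newTarget) {
  if (handler === null) throw new TypeError('proxy has been revoked');
  // A real Proxy only has [[Construct]] when its target does, so this check is
  // an assertion in the spec; it is modelled as an explicit check here.
  if (typeof target !== 'function') throw new TypeError('target is not a constructor');
  const trap = handler.construct;                 // GetMethod(handler, "construct")
  if (trap === undefined || trap === null) {
    return Reflect.construct(target, args, newTarget); // no trap: forward, keeping new.target
  }
  if (typeof trap !== 'function') throw new TypeError('construct trap is not callable');
  const argArray = Array.from(args);              // CreateArrayFromList(argumentsList)
  const newObj = Reflect.apply(trap, handler, [target, argArray, newTarget]);
  if (newObj === null || (typeof newObj !== 'object' && typeof newObj !== 'function')) {
    throw new TypeError('construct trap returned a non-object'); // spec invariant
  }
  return newObj;
}

// Runs the same handler through a real Proxy (`new proxy(...args)`) and through
// the model above, summarizing each outcome so the two can be compared.
function runCases() {
  class Target {
    constructor(...a) { this.args = a; this.newTarget = new.target; }
  }
  function summarize(proxy, construct) {
    try {
      const v = construct();
      return { ok: true, newTargetIsProxy: v.newTarget === proxy, args: v.args, keys: Object.keys(v) };
    } catch (e) {
      return { ok: false, error: e.constructor.name };
    }
  }
  const results = {};
  function both(name, handler, args) {
    const proxy = new Proxy(Target, handler);
    results[name] = {
      real: summarize(proxy, () => new proxy(...args)),
      model: summarize(proxy, () => proxyConstruct(Target, handler, args, proxy)),
    };
  }
  both('noTrap', {}, [1, 2]);                               // forwarded; new.target is the proxy
  both('forwardingTrap', { construct: (t, a, nt) => Reflect.construct(t, a, nt) }, [3]);
  both('replacingTrap', { construct: (t, a) => ({ replaced: a.length }) }, [4, 5, 6]);
  both('primitiveTrap', { construct: () => 42 }, []);       // TypeError: not an object
  both('nonCallableTrap', { construct: 7 }, []);            // TypeError: trap not callable
  return results;
}

// True when the real Proxy and the model agree on every case.
function modelMatchesEngine() {
  return Object.values(runCases()).every(
    ({ real, model }) => JSON.stringify(real) === JSON.stringify(model));
}

console.log(runCases());
```

The noTrap case is the one worth reading twice: `new.target` inside Target's constructor is the Proxy, not Target, and the new object's prototype is found by reading `prototype` through the Proxy. Any engine path that assumed new.target was a plain function would misbehave exactly there.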
1911 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1912
1913         [INTL] Implement Number Format Functions
1914         https://bugs.webkit.org/show_bug.cgi?id=147605
1915
1916         Reviewed by Darin Adler.
1917
1918         This patch implements Intl.NumberFormat.prototype.format() according
1919         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
1920
1921         * runtime/IntlNumberFormat.cpp:
1922         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1923         (JSC::IntlNumberFormat::initializeNumberFormat):
1924         (JSC::IntlNumberFormat::createNumberFormat):
1925         (JSC::IntlNumberFormat::formatNumber):
1926         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1927         * runtime/IntlNumberFormat.h:
1928         * runtime/IntlNumberFormatPrototype.cpp:
1929         (JSC::IntlNumberFormatFuncFormatNumber):
1930
1931 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
1932
1933         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1934         https://bugs.webkit.org/show_bug.cgi?id=154416
1935
1936         Reviewed by Geoff Garen.
1937
1938         Here's the bug. Suppose you call JSObject::getOwnProperty and -
1939           - PropertyName contains an index,
1940           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1941           - The base of the access (or another object on the prototype chain) shadows that property.
1942
1943         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1944         index, and as such walks up the prototype chain looking for non-index properties before it
1945         tries calling parseIndex.
1946
1947         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1948         would potentially return the property) we may have already skipped over non-overriding
1949         objects that contain the property in index storage.
1950
1951         * runtime/JSObject.h:
1952         (JSC::JSObject::getOwnNonIndexPropertySlot):
1953             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1954               added ASSERT guarding that this method never returns index properties -
1955               if it ever does, this is unsafe for getPropertySlot.
1956         (JSC::JSObject::getOwnPropertySlot):
1957             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1958         (JSC::JSObject::getPropertySlot):
1959             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1960         (JSC::JSObject::getNonIndexPropertySlot):
1961             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1962               in order to avoid repeated calls to parseIndex.
1963         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1964             - this was renamed to getOwnNonIndexPropertySlot.
1965         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1966         - this was folded back into getPropertySlot.
1967
1968 2016-02-19  Saam Barati  <sbarati@apple.com>
1969
1970         [ES6] Implement Proxy.[[Call]]
1971         https://bugs.webkit.org/show_bug.cgi?id=154425
1972
1973         Reviewed by Mark Lam.
1974
1975         This patch is a straightforward implementation of
1976         Proxy.[[Call]] with respect to section 9.5.12
1977         of the ECMAScript spec.
1978         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1979
1980         * runtime/ProxyObject.cpp:
1981         (JSC::ProxyObject::finishCreation):
1982         (JSC::performProxyGet):
1983         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1984         (JSC::ProxyObject::performHasProperty):
1985         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1986         (JSC::performProxyCall):
1987         (JSC::ProxyObject::getCallData):
1988         (JSC::ProxyObject::visitChildren):
1989         * runtime/ProxyObject.h:
1990         (JSC::ProxyObject::create):
1991         * tests/es6.yaml:
1992         * tests/stress/proxy-call.js: Added.
1993         (assert):
1994         (throw.new.Error.let.target):
1995         (throw.new.Error.let.handler.apply):
1996         (throw.new.Error):
1997         (assert.let.target):
1998         (assert.let.handler.get apply):
1999         (let.target):
2000         (let.handler.apply):
2001         (i.catch):
2002         (assert.let.handler.apply):
2003
2004 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2005
2006         Remove more LLVM related dead code after r196729
2007         https://bugs.webkit.org/show_bug.cgi?id=154387
2008
2009         Reviewed by Filip Pizlo.
2010
2011         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2012         * Configurations/LLVMForJSC.xcconfig: Removed.
2013         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2014         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2015         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2016         * JavaScriptCore.xcodeproj/project.pbxproj:
2017         * disassembler/X86Disassembler.cpp:
2018
2019 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2020
2021         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2022         https://bugs.webkit.org/show_bug.cgi?id=154442
2023
2024         Reviewed by Saam Barati.
2025
2026         * runtime/JSString.h:
2027         (JSC::isJSString):
2028
2029 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2030
2031         Remove unused SymbolTable::createNameScopeTable
2032         https://bugs.webkit.org/show_bug.cgi?id=154443
2033
2034         Reviewed by Saam Barati.
2035
2036         * runtime/SymbolTable.h:
2037
2038 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2039
2040         [JSC] Improve the instruction selection of Select
2041         https://bugs.webkit.org/show_bug.cgi?id=154432
2042
2043         Reviewed by Filip Pizlo.
2044
2045         Plenty of code but this patch is pretty dumb:
2046         -On ARM64: use the 3-operand form of CSEL instead of forcing a source
2047          to be aliased to the destination. This gives more freedom to the register
2048          allocator and it is one less Move to process per Select.
2049         -On x86, introduce a fake 3-operand form and use aggressive aliasing
2050          to try to alias both sources to the destination.
2051
2052          If aliasing succeeds on the "elseCase", the condition of the Select
2053          is reverted in the MacroAssembler.
2054
2055          If no aliasing is possible and we end up with 3 registers, the missing
2056          move instruction is generated by the MacroAssembler.
2057
2058          The missing move is generated after testing the values because the destination
2059          can use the same register as one of the test operands.
2060          Experimental testing seems to indicate there is no macro-fusion on CMOV;
2061          there is no measurable cost to having the move there.
2062
2063         * assembler/MacroAssembler.h:
2064         (JSC::MacroAssembler::isInvertible):
2065         (JSC::MacroAssembler::invert):
2066         * assembler/MacroAssemblerARM64.h:
2067         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2068         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2069         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2070         (JSC::MacroAssemblerARM64::moveConditionally32):
2071         (JSC::MacroAssemblerARM64::moveConditionally64):
2072         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2073         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2074         * assembler/MacroAssemblerX86Common.h:
2075         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2076         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2077         (JSC::MacroAssemblerX86Common::moveConditionally32):
2078         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2079         (JSC::MacroAssemblerX86Common::invert):
2080         (JSC::MacroAssemblerX86Common::isInvertible):
2081         * assembler/MacroAssemblerX86_64.h:
2082         (JSC::MacroAssemblerX86_64::moveConditionally64):
2083         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2084         * b3/B3LowerToAir.cpp:
2085         (JSC::B3::Air::LowerToAir::createSelect):
2086         (JSC::B3::Air::LowerToAir::lower):
2087         * b3/air/AirInstInlines.h:
2088         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2089         * b3/air/AirOpcode.opcodes:
2090
2091 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2092
2093         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2094         https://bugs.webkit.org/show_bug.cgi?id=154430
2095
2096         Reviewed by Saam Barati.
2097
2098         llvm isn't used anymore.
2099
2100         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2101
2102 2016-02-18  Saam Barati  <sbarati@apple.com>
2103
2104         Implement Proxy.[[HasProperty]]
2105         https://bugs.webkit.org/show_bug.cgi?id=154313
2106
2107         Reviewed by Filip Pizlo.
2108
2109         This patch is a straightforward implementation of
2110         Proxy.[[HasProperty]] with respect to section 9.5.7
2111         of the ECMAScript spec.
2112         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2113
2114         * runtime/ProxyObject.cpp:
2115         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2116         (JSC::ProxyObject::performHasProperty):
2117         (JSC::ProxyObject::getOwnPropertySlotCommon):
2118         * runtime/ProxyObject.h:
2119         * tests/es6.yaml:
2120         * tests/stress/proxy-basic.js:
2121         (assert):
2122         (let.handler.has):
2123         * tests/stress/proxy-has-property.js: Added.
2124         (assert):
2125         (throw.new.Error.let.handler.get has):
2126         (throw.new.Error):
2127         (assert.let.handler.has):
2128         (let.handler.has):
2129         (getOwnPropertyDescriptor):
2130         (i.catch):
2131
2132 2016-02-18  Saam Barati  <sbarati@apple.com>
2133
2134         Proxies don't properly handle Symbols as PropertyKeys.
2135         https://bugs.webkit.org/show_bug.cgi?id=154385
2136
2137         Reviewed by Mark Lam and Yusuke Suzuki.
2138
2139         We were converting all PropertyKeys to strings, even when
2140         the PropertyName was a Symbol. In the spec, PropertyKeys are
2141         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2142         Proxy.[[GetOwnProperty]].
2143
2144         * runtime/Completion.cpp:
2145         (JSC::profiledEvaluate):
2146         (JSC::createSymbolForEntryPointModule):
2147         (JSC::identifierToJSValue): Deleted.
2148         * runtime/Identifier.h:
2149         (JSC::parseIndex):
2150         * runtime/IdentifierInlines.h:
2151         (JSC::Identifier::fromString):
2152         (JSC::identifierToJSValue):
2153         (JSC::identifierToSafePublicJSValue):
2154         * runtime/ProxyObject.cpp:
2155         (JSC::performProxyGet):
2156         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2157         * tests/es6.yaml:
2158         * tests/stress/proxy-basic.js:
2159         (let.handler.getOwnPropertyDescriptor):
2160
2161 2016-02-18  Saam Barati  <sbarati@apple.com>
2162
2163         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2164         https://bugs.webkit.org/show_bug.cgi?id=154314
2165
2166         Reviewed by Filip Pizlo.
2167
2168         Part of the implementation was broken because
2169         of how JSObject::getOwnPropertyDescriptor worked.
2170         I've fixed JSObject::getOwnPropertyDescriptor to
2171         be able to handle ProxyObject.
2172
2173         * runtime/JSObject.cpp:
2174         (JSC::JSObject::getOwnPropertyDescriptor):
2175         * runtime/ProxyObject.cpp:
2176         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2177         * tests/stress/proxy-get-own-property.js:
2178         (assert):
2179         (assert.let.handler.get getOwnPropertyDescriptor):
2180
2181 2016-02-18  Saam Barati  <sbarati@apple.com>
2182
2183         Implement Proxy.[[GetOwnProperty]]
2184         https://bugs.webkit.org/show_bug.cgi?id=154314
2185
2186         Reviewed by Filip Pizlo.
2187
2188         This patch implements Proxy.[[GetOwnProperty]].
2189         It's a straightforward implementation as described
2190         in section 9.5.5 of the specification:
2191         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2192
2193         * runtime/FunctionPrototype.cpp:
2194         (JSC::functionProtoFuncBind):
2195         * runtime/JSObject.cpp:
2196         (JSC::validateAndApplyPropertyDescriptor):
2197         (JSC::JSObject::defineOwnNonIndexProperty):
2198         (JSC::JSObject::defineOwnProperty):
2199         (JSC::JSObject::getGenericPropertyNames):
2200         (JSC::JSObject::getMethod):
2201         * runtime/JSObject.h:
2202         (JSC::JSObject::butterflyAddress):
2203         (JSC::makeIdentifier):
2204         * runtime/ProxyObject.cpp:
2205         (JSC::performProxyGet):
2206         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2207         (JSC::ProxyObject::getOwnPropertySlotCommon):
2208         (JSC::ProxyObject::getOwnPropertySlot):
2209         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2210         (JSC::ProxyObject::visitChildren):
2211         * runtime/ProxyObject.h:
2212         * tests/es6.yaml:
2213         * tests/stress/proxy-basic.js:
2214         (let.handler.get null):
2215         * tests/stress/proxy-get-own-property.js: Added.
2216         (assert):
2217         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2218         (throw.new.Error):
2219         (let.handler.getOwnPropertyDescriptor):
2220         (i.catch):
2221         (assert.let.handler.getOwnPropertyDescriptor):
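
The script-visible behaviour that the Proxy entries above implement ([[Call]], [[HasProperty]], Symbol PropertyKeys and [[GetOwnProperty]]), as an added example that is not part of the ChangeLog or of JSC's sources; it assumes nothing beyond what ECMA-262 sections 9.5.5, 9.5.7, 9.5.12 and 9.5.13 specify, and the helper names (tryCall, symbolKeysReachTraps, hasTrapInvariants, getOwnPropertyInvariant, callAndConstruct) are mine.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): observable
// Proxy behaviour from script. Every case returns a plain value so it can be
// asserted; "TypeError" marks a spec-mandated invariant violation.

function tryCall(fn) {
  try { return fn(); } catch (e) { return e instanceof TypeError ? "TypeError" : "other"; }
}

// [[Get]], [[HasProperty]] and [[GetOwnProperty]] must hand the trap the
// PropertyKey as-is: a Symbol stays a Symbol and is never stringified.
function symbolKeysReachTraps() {
  const seen = [];
  const p = new Proxy({ [Symbol.iterator]: 1 }, {
    get(target, key, receiver) { seen.push(typeof key); return Reflect.get(target, key, receiver); },
    has(target, key) { seen.push(typeof key); return Reflect.has(target, key); },
    getOwnPropertyDescriptor(target, key) {
      seen.push(typeof key);
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
  });
  void p[Symbol.iterator];
  void (Symbol.iterator in p);
  void Object.getOwnPropertyDescriptor(p, Symbol.iterator);
  return seen;                                  // ["symbol", "symbol", "symbol"]
}

// [[HasProperty]] (ECMA-262 9.5.7): a `has` trap may not hide a
// non-configurable own property of the target, nor any own property of a
// non-extensible target.
function hasTrapInvariants() {
  const target = {};
  Object.defineProperty(target, "fixed", { value: 1, configurable: false });
  target.loose = 2;
  const lying = new Proxy(target, { has() { return false; } });
  const hidLoose = tryCall(() => "loose" in lying);       // false: allowed
  const hidFixed = tryCall(() => "fixed" in lying);       // "TypeError"
  Object.preventExtensions(target);
  const hidOnFrozen = tryCall(() => "loose" in lying);    // "TypeError"
  return { hidLoose, hidFixed, hidOnFrozen };
}

// [[GetOwnProperty]] (9.5.5): reporting a non-configurable own property as
// absent is likewise rejected.
function getOwnPropertyInvariant() {
  const target = {};
  Object.defineProperty(target, "fixed", { value: 1, configurable: false });
  const lying = new Proxy(target, { getOwnPropertyDescriptor() { return undefined; } });
  return tryCall(() => Object.getOwnPropertyDescriptor(lying, "fixed"));   // "TypeError"
}

// [[Call]] (9.5.12) and [[Construct]] (9.5.13): with no trap the target is
// invoked directly; an `apply` trap sees (target, thisArg, args); a
// `construct` trap must return an object.
function callAndConstruct() {
  function target(a, b) { return a + b; }
  const passthrough = new Proxy(target, {});
  const applied = new Proxy(target, {
    apply(t, thisArg, args) { return Reflect.apply(t, thisArg, args) * 10; },
  });
  const badCtor = new Proxy(target, { construct() { return 7; } });
  return {
    direct: passthrough(1, 2),                    // 3
    trapped: applied(1, 2),                       // 30
    badConstruct: tryCall(() => new badCtor()),   // "TypeError"
  };
}
```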
2222
2223 2016-02-18  Andreas Kling  <akling@apple.com>
2224
2225         JSString resolution of substrings should use StringImpl sharing optimization.
2226         <https://webkit.org/b/154068>
2227         <rdar://problem/24629358>
2228
2229         Reviewed by Antti Koivisto.
2230
2231         When resolving a JSString that's actually a substring of another JSString,
2232         use the StringImpl sharing optimization to create a new string pointing into
2233         the parent one, instead of copying out the bytes of the string.
2234
2235         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2236
2237         Another approach to this would be to induce GC far more frequently due to
2238         the added cost of copying out these substrings. It would reduce the risk
2239         of prolonging the life of strings only kept alive by substrings.
2240
2241         This patch chooses to trade that risk for less GC and lower peak memory.
2242
2243         * runtime/JSString.cpp:
2244         (JSC::JSRopeString::resolveRope):
2245
2246 2016-02-18  Chris Dumez  <cdumez@apple.com>
2247
2248         Crash on SES selftest page when loading the page while WebInspector is open
2249         https://bugs.webkit.org/show_bug.cgi?id=154378
2250         <rdar://problem/24713422>
2251
2252         Reviewed by Mark Lam.
2253
2254         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2255         returns early again if it detects that getOwnPropertySlot() returns a
2256         non-own property. This check was removed in r196676 because we assumed that
2257         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2258         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2259         well.
2260
2261         Not having the check would lead to crashes when using the debugger because
2262         we would get a slot with the CustomAccessor attribute but getDirect() would
2263         then fail to return the property (because it is not an own property). We
2264         would then cast the value returned by getDirect() to a CustomGetterSetter*
2265         and dereference it.
2266
2267         * runtime/JSObject.cpp:
2268         (JSC::JSObject::getOwnPropertyDescriptor):
2269
2270 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2271
2272         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2273         for that.
2274
2275         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2276         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2277
2278 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2279
2280         Unreviewed, fix CMake build. This got messed up when rebasing.
2281
2282         * CMakeLists.txt:
2283
2284 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2285
2286         Fix the !ENABLE(DFG_JIT) build after r195865
2287         https://bugs.webkit.org/show_bug.cgi?id=154391
2288
2289         Reviewed by Filip Pizlo.
2290
2291         * runtime/SamplingProfiler.cpp:
2292         (JSC::tryGetBytecodeIndex):
2293
2294 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2295
2296         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2297         https://bugs.webkit.org/show_bug.cgi?id=154383
2298
2299         Reviewed by Saam Barati.
2300
2301         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2302
2303         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2304           backend".
2305
2306         - Removed the reference because I found it to be dead. In some cases it was a dead
2307           comment: it was telling us things about what LLVM did and that's just not relevant
2308           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2309
2310         - Edited the comment in some smart way. There were comments talking about what LLVM did
2311           that were still of interest. In some cases, I added a FIXME to consider changing the
2312           code below the comment on the grounds that it was written in a weird way to placate
2313           LLVM and so we can do it better now.
2314
2315         * CMakeLists.txt:
2316         * JavaScriptCore.xcodeproj/project.pbxproj:
2317         * dfg/DFGArgumentsEliminationPhase.cpp:
2318         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2319         * dfg/DFGPlan.cpp:
2320         (JSC::DFG::Plan::compileInThread):
2321         (JSC::DFG::Plan::compileInThreadImpl):
2322         (JSC::DFG::Plan::compileTimeStats):
2323         * dfg/DFGPutStackSinkingPhase.cpp:
2324         * dfg/DFGSSAConversionPhase.h:
2325         * dfg/DFGStaticExecutionCountEstimationPhase.h:
2326         * dfg/DFGUnificationPhase.cpp:
2327         (JSC::DFG::UnificationPhase::run):
2328         * disassembler/ARM64Disassembler.cpp:
2329         (JSC::tryToDisassemble): Deleted.
2330         * disassembler/X86Disassembler.cpp:
2331         (JSC::tryToDisassemble):
2332         * ftl/FTLAbstractHeap.cpp:
2333         (JSC::FTL::IndexedAbstractHeap::initialize):
2334         * ftl/FTLAbstractHeap.h:
2335         * ftl/FTLFormattedValue.h:
2336         * ftl/FTLJITFinalizer.cpp:
2337         (JSC::FTL::JITFinalizer::finalizeFunction):
2338         * ftl/FTLLink.cpp:
2339         (JSC::FTL::link):
2340         * ftl/FTLLocation.cpp:
2341         (JSC::FTL::Location::restoreInto):
2342         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2343         (JSC::FTL::DFG::ftlUnreachable):
2344         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2345         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2346         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2347         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2348         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2349         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
2350         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
2351         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2352         (JSC::FTL::lowerDFGToB3):
2353         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
2354         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
2355         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
2356         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
2357         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
2358         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
2359         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
2360         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
2361         (JSC::FTL::lowerDFGToLLVM): Deleted.
2362         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
2363         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
2364         * ftl/FTLLowerDFGToLLVM.h: Removed.
2365         * ftl/FTLOSRExitCompiler.cpp:
2366         (JSC::FTL::compileStub):
2367         * ftl/FTLWeight.h:
2368         (JSC::FTL::Weight::frequencyClass):
2369         (JSC::FTL::Weight::inverse):
2370         (JSC::FTL::Weight::scaleToTotal): Deleted.
2371         * ftl/FTLWeightedTarget.h:
2372         (JSC::FTL::rarely):
2373         (JSC::FTL::unsure):
2374         * jit/CallFrameShuffler64.cpp:
2375         (JSC::CallFrameShuffler::emitDisplace):
2376         * jit/RegisterSet.cpp:
2377         (JSC::RegisterSet::ftlCalleeSaveRegisters):
2378         * llvm: Removed.
2379         * llvm/InitializeLLVMLinux.cpp: Removed.
2380         * llvm/InitializeLLVMWin.cpp: Removed.
2381         * llvm/library: Removed.
2382         * llvm/library/LLVMTrapCallback.h: Removed.
2383         * llvm/library/libllvmForJSC.version: Removed.
2384         * runtime/Options.cpp:
2385         (JSC::recomputeDependentOptions):
2386         (JSC::Options::initialize):
2387         * runtime/Options.h:
2388         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
2389         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
2390         * wasm/WASMFunctionParser.cpp:
2391
2392 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2393
2394         [cmake] Build system cleanup
2395         https://bugs.webkit.org/show_bug.cgi?id=154337
2396
2397         Reviewed by Žan Doberšek.
2398
2399         * CMakeLists.txt:
2400
2401 2016-02-17  Mark Lam  <mark.lam@apple.com>
2402
2403         Callers of JSString::value() should check for exceptions thereafter.
2404         https://bugs.webkit.org/show_bug.cgi?id=154346
2405
2406         Reviewed by Geoffrey Garen.
2407
2408         JSString::value() can throw an exception if the JS string is a rope and value() 
2409         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2410         able to resolve the rope, it will return a null string (in addition to throwing
2411         the exception).  If a caller does not check for exceptions after calling
2412         JSString::value(), they may eventually use the returned null string and crash the
2413         VM.
2414
2415         The fix is to add all the necessary exception checks, and do the appropriate
2416         handling if needed.
2417
2418         * jsc.cpp:
2419         (functionRun):
2420         (functionLoad):
2421         (functionReadFile):
2422         (functionCheckSyntax):
2423         (functionLoadWebAssembly):
2424         (functionLoadModule):
2425         (functionCheckModuleSyntax):
2426         * runtime/DateConstructor.cpp:
2427         (JSC::dateParse):
2428         (JSC::dateNow):
2429         * runtime/JSGlobalObjectFunctions.cpp:
2430         (JSC::globalFuncEval):
2431         * tools/JSDollarVMPrototype.cpp:
2432         (JSC::functionPrint):
2433
2434 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2435
2436         [JSC] ARM64: Support the immediate format used for bit operations in Air
2437         https://bugs.webkit.org/show_bug.cgi?id=154327
2438
2439         Reviewed by Filip Pizlo.
2440
2441         ARM64 supports a pretty rich form of immediates for bit operations.
2442         There are two formats used to encode repeating patterns and common
2443         input in a dense form.
2444
2445         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
2446         Those represent the valid immediate forms for bit operations.
2447         On x86, any 32-bit value is valid. On ARM64, all the encoding
2448         forms are tried and the immediate is used when possible.
2449
2450         The arg type Imm64 is renamed to BigImm to better represent what
2451         it is: an immediate that does not fit into Imm.
2452
2453         * assembler/ARM64Assembler.h:
2454         (JSC::LogicalImmediate::create32): Deleted.
2455         (JSC::LogicalImmediate::create64): Deleted.
2456         (JSC::LogicalImmediate::value): Deleted.
2457         (JSC::LogicalImmediate::isValid): Deleted.
2458         (JSC::LogicalImmediate::is64bit): Deleted.
2459         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
2460         (JSC::LogicalImmediate::mask): Deleted.
2461         (JSC::LogicalImmediate::partialHSB): Deleted.
2462         (JSC::LogicalImmediate::highestSetBit): Deleted.
2463         (JSC::LogicalImmediate::findBitRange): Deleted.
2464         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
2465         * assembler/AssemblerCommon.h:
2466         (JSC::ARM64LogicalImmediate::create32):
2467         (JSC::ARM64LogicalImmediate::create64):
2468         (JSC::ARM64LogicalImmediate::value):
2469         (JSC::ARM64LogicalImmediate::isValid):
2470         (JSC::ARM64LogicalImmediate::is64bit):
2471         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
2472         (JSC::ARM64LogicalImmediate::mask):
2473         (JSC::ARM64LogicalImmediate::partialHSB):
2474         (JSC::ARM64LogicalImmediate::highestSetBit):
2475         (JSC::ARM64LogicalImmediate::findBitRange):
2476         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
2477         * assembler/MacroAssemblerARM64.h:
2478         (JSC::MacroAssemblerARM64::and64):
2479         (JSC::MacroAssemblerARM64::or64):
2480         (JSC::MacroAssemblerARM64::xor64):
2481         * b3/B3LowerToAir.cpp:
2482         (JSC::B3::Air::LowerToAir::bitImm):
2483         (JSC::B3::Air::LowerToAir::bitImm64):
2484         (JSC::B3::Air::LowerToAir::appendBinOp):
2485         * b3/air/AirArg.cpp:
2486         (JSC::B3::Air::Arg::dump):
2487         (WTF::printInternal):
2488         * b3/air/AirArg.h:
2489         (JSC::B3::Air::Arg::bitImm):
2490         (JSC::B3::Air::Arg::bitImm64):
2491         (JSC::B3::Air::Arg::isBitImm):
2492         (JSC::B3::Air::Arg::isBitImm64):
2493         (JSC::B3::Air::Arg::isSomeImm):
2494         (JSC::B3::Air::Arg::value):
2495         (JSC::B3::Air::Arg::isGP):
2496         (JSC::B3::Air::Arg::isFP):
2497         (JSC::B3::Air::Arg::hasType):
2498         (JSC::B3::Air::Arg::isValidBitImmForm):
2499         (JSC::B3::Air::Arg::isValidBitImm64Form):
2500         (JSC::B3::Air::Arg::isValidForm):
2501         (JSC::B3::Air::Arg::asTrustedImm32):
2502         (JSC::B3::Air::Arg::asTrustedImm64):
2503         * b3/air/AirOpcode.opcodes:
2504         * b3/air/opcode_generator.rb:
2505
2506 2016-02-17  Keith Miller  <keith_miller@apple.com>
2507
2508         Spread operator should be allowed when not the first argument of parameter list
2509         https://bugs.webkit.org/show_bug.cgi?id=152721
2510
2511         Reviewed by Saam Barati.
2512
2513         Spread arguments to functions should now be ES6 compliant. Before we
2514         would only take a spread operator if it was the sole argument to a
2515         function. Additionally, we would not use the Symbol.iterator on the
2516         object to generate the arguments. Instead we would do a loop up to the
2517         length mapping indexed properties to the corresponding argument. We fix
2518         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2519         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2520         old spread semantics). This solution has the downside of requiring the
2521         allocation of another object and copying each element twice but avoids a
2522         large change to the vm calling convention.
2523
2524         * interpreter/Interpreter.cpp:
2525         (JSC::loadVarargs):
2526         * parser/ASTBuilder.h:
2527         (JSC::ASTBuilder::createElementList):
2528         * parser/Parser.cpp:
2529         (JSC::Parser<LexerType>::parseArguments):
2530         (JSC::Parser<LexerType>::parseArgument):
2531         (JSC::Parser<LexerType>::parseMemberExpression):
2532         * parser/Parser.h:
2533         * parser/SyntaxChecker.h:
2534         (JSC::SyntaxChecker::createElementList):
2535         * tests/es6.yaml:
2536         * tests/stress/spread-calling.js: Added.
2537         (testFunction):
2538         (testEmpty):
2539         (makeObject):
2540         (otherIterator.return.next):
2541         (otherIterator):
2542         (totalIter):
2543         (throwingIter.return.next):
2544         (throwingIter):
2545         (i.catch):
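
What the change above makes observable from script, as an added example that is not part of the ChangeLog or of JSC's sources: an iterable that counts how it is consumed, so a Symbol.iterator-based spread can be told apart from the old length-indexed walk, plus the abort path when an iterator throws mid-way. The helper names makeCountingIterable, collect, spreadMixed and spreadThrowing are mine.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): spread in any
// argument position, driven by Symbol.iterator rather than by `length`.

// An iterable with NO length and NO index properties: only Symbol.iterator
// can produce its values, so a length-based walk would yield nothing.
function makeCountingIterable(values) {
  const stats = { iteratorCalls: 0, nextCalls: 0 };
  const iterable = {
    [Symbol.iterator]() {
      stats.iteratorCalls++;
      let i = 0;
      return {
        next() {
          stats.nextCalls++;
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
      };
    },
  };
  return { iterable, stats };
}

function collect(...args) { return args; }

// Spread in the middle and at the end of the list, mixed with plain
// arguments. Under the patch's rewrite this is collect(...[1, ...a, 2, ...b, 3]).
function spreadMixed() {
  const a = makeCountingIterable(["x", "y"]);
  const b = makeCountingIterable(["z"]);
  const result = collect(1, ...a.iterable, 2, ...b.iterable, 3);
  // result: [1, "x", "y", 2, "z", 3]
  // a.stats: 1 iterator call, 3 next calls (x, y, done); b.stats: 1 and 2
  return { result, aStats: a.stats, bStats: b.stats };
}

// An iterator that throws part-way through must abort the call before the
// callee runs, and the exception must propagate to the caller.
function spreadThrowing() {
  let calleeRan = false;
  const callee = (...args) => { calleeRan = true; return args; };
  const bomb = {
    [Symbol.iterator]() {
      let n = 0;
      return {
        next() {
          if (n++ === 1) throw new Error("boom");   // second next() throws
          return { value: n, done: false };
        },
      };
    },
  };
  let caught = null;
  try { callee(0, ...bomb, 99); } catch (e) { caught = e.message; }
  return { caught, calleeRan };   // { caught: "boom", calleeRan: false }
}
```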
2546
2547 2016-02-17  Brian Burg  <bburg@apple.com>
2548
2549         Remove a wrong cast in RemoteInspector::receivedSetupMessage
2550         https://bugs.webkit.org/show_bug.cgi?id=154361
2551         <rdar://problem/24709281>
2552
2553         Reviewed by Joseph Pecoraro.
2554
2555         * inspector/remote/RemoteInspector.mm:
2556         (Inspector::RemoteInspector::receivedSetupMessage):
2557         Not only is this cast unnecessary (the constructor accepts the base class),
2558         but it is wrong since the target could be an automation target. Remove it.
2559
2560 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2561
2562         Rename FTLB3Blah to FTLBlah
2563         https://bugs.webkit.org/show_bug.cgi?id=154365
2564
2565         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
2566
2567         * CMakeLists.txt:
2568         * JavaScriptCore.xcodeproj/project.pbxproj:
2569         * ftl/FTLB3Compile.cpp: Removed.
2570         * ftl/FTLB3Output.cpp: Removed.
2571         * ftl/FTLB3Output.h: Removed.
2572         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
2573         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
2574         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
2575
2576 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2577
2578         Remove LLVM dependencies from WebKit
2579         https://bugs.webkit.org/show_bug.cgi?id=154323
2580
2581         Reviewed by Antti Koivisto and Benjamin Poulain.
2582
2583         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
2584         LLVM-related code dead, including the disassembler, which was only reachable when you were on
2585         a platform that already had an in-tree disassembler.
2586
2587         * CMakeLists.txt:
2588         * JavaScriptCore.xcodeproj/project.pbxproj:
2589         * dfg/DFGCommon.h:
2590         * dfg/DFGPlan.cpp:
2591         (JSC::DFG::Plan::compileInThread):
2592         (JSC::DFG::Plan::compileInThreadImpl):
2593         (JSC::DFG::Plan::compileTimeStats):
2594         * disassembler/ARM64Disassembler.cpp:
2595         (JSC::tryToDisassemble):
2596         * disassembler/ARMv7Disassembler.cpp:
2597         (JSC::tryToDisassemble):
2598         * disassembler/Disassembler.cpp:
2599         (JSC::disassemble):
2600         (JSC::disassembleAsynchronously):
2601         * disassembler/Disassembler.h:
2602         (JSC::tryToDisassemble):
2603         * disassembler/LLVMDisassembler.cpp: Removed.
2604         * disassembler/LLVMDisassembler.h: Removed.
2605         * disassembler/UDis86Disassembler.cpp:
2606         (JSC::tryToDisassembleWithUDis86):
2607         * disassembler/UDis86Disassembler.h:
2608         (JSC::tryToDisassembleWithUDis86):
2609         * disassembler/X86Disassembler.cpp:
2610         (JSC::tryToDisassemble):
2611         * ftl/FTLAbbreviatedTypes.h:
2612         * ftl/FTLAbbreviations.h: Removed.
2613         * ftl/FTLAbstractHeap.cpp:
2614         (JSC::FTL::AbstractHeap::decorateInstruction):
2615         (JSC::FTL::AbstractHeap::dump):
2616         (JSC::FTL::AbstractField::dump):
2617         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2618         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
2619         (JSC::FTL::IndexedAbstractHeap::baseIndex):
2620         (JSC::FTL::IndexedAbstractHeap::dump):
2621         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
2622         (JSC::FTL::NumberedAbstractHeap::dump):
2623         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
2624         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
2625         * ftl/FTLAbstractHeap.h:
2626         (JSC::FTL::AbstractHeap::AbstractHeap):
2627         (JSC::FTL::AbstractHeap::heapName):
2628         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
2629         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
2630         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
2631         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
2632         * ftl/FTLAbstractHeapRepository.cpp:
2633         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2634         * ftl/FTLAbstractHeapRepository.h:
2635         * ftl/FTLB3Compile.cpp:
2636         * ftl/FTLB3Output.cpp:
2637         (JSC::FTL::Output::Output):
2638         (JSC::FTL::Output::check):
2639         (JSC::FTL::Output::load):
2640         (JSC::FTL::Output::store):
2641         * ftl/FTLB3Output.h:
2642         * ftl/FTLCommonValues.cpp:
2643         (JSC::FTL::CommonValues::CommonValues):
2644         (JSC::FTL::CommonValues::initializeConstants):
2645         * ftl/FTLCommonValues.h:
2646         (JSC::FTL::CommonValues::initialize): Deleted.
2647         * ftl/FTLCompile.cpp: Removed.
2648         * ftl/FTLCompileBinaryOp.cpp: Removed.
2649         * ftl/FTLCompileBinaryOp.h: Removed.
2650         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
2651         * ftl/FTLDWARFDebugLineInfo.h: Removed.
2652         * ftl/FTLDWARFRegister.cpp: Removed.
2653         * ftl/FTLDWARFRegister.h: Removed.
2654         * ftl/FTLDataSection.cpp: Removed.
2655         * ftl/FTLDataSection.h: Removed.
2656         * ftl/FTLExceptionHandlerManager.cpp: Removed.
2657         * ftl/FTLExceptionHandlerManager.h: Removed.
2658         * ftl/FTLExceptionTarget.cpp:
2659         * ftl/FTLExceptionTarget.h:
2660         * ftl/FTLExitThunkGenerator.cpp: Removed.
2661         * ftl/FTLExitThunkGenerator.h: Removed.
2662         * ftl/FTLFail.cpp:
2663         (JSC::FTL::fail):
2664         * ftl/FTLInlineCacheDescriptor.h: Removed.
2665         * ftl/FTLInlineCacheSize.cpp: Removed.
2666         * ftl/FTLInlineCacheSize.h: Removed.
2667         * ftl/FTLIntrinsicRepository.cpp: Removed.
2668         * ftl/FTLIntrinsicRepository.h: Removed.
2669         * ftl/FTLJITCode.cpp:
2670         (JSC::FTL::JITCode::~JITCode):
2671         (JSC::FTL::JITCode::initializeB3Code):
2672         (JSC::FTL::JITCode::initializeB3Byproducts):
2673         (JSC::FTL::JITCode::initializeAddressForCall):
2674         (JSC::FTL::JITCode::contains):
2675         (JSC::FTL::JITCode::ftl):
2676         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2677         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
2678         (JSC::FTL::JITCode::addHandle): Deleted.
2679         (JSC::FTL::JITCode::addDataSection): Deleted.
2680         (JSC::FTL::JITCode::exitThunks): Deleted.
2681         * ftl/FTLJITCode.h:
2682         (JSC::FTL::JITCode::b3Code):
2683         (JSC::FTL::JITCode::handles): Deleted.
2684         (JSC::FTL::JITCode::dataSections): Deleted.
2685         * ftl/FTLJITFinalizer.cpp:
2686         (JSC::FTL::JITFinalizer::codeSize):
2687         (JSC::FTL::JITFinalizer::finalizeFunction):
2688         * ftl/FTLJITFinalizer.h:
2689         * ftl/FTLJSCall.cpp: Removed.
2690         * ftl/FTLJSCall.h: Removed.
2691         * ftl/FTLJSCallBase.cpp: Removed.
2692         * ftl/FTLJSCallBase.h: Removed.
2693         * ftl/FTLJSCallVarargs.cpp: Removed.
2694         * ftl/FTLJSCallVarargs.h: Removed.
2695         * ftl/FTLJSTailCall.cpp: Removed.
2696         * ftl/FTLJSTailCall.h: Removed.
2697         * ftl/FTLLazySlowPath.cpp:
2698         (JSC::FTL::LazySlowPath::LazySlowPath):
2699         (JSC::FTL::LazySlowPath::generate):
2700         * ftl/FTLLazySlowPath.h:
2701         (JSC::FTL::LazySlowPath::createGenerator):
2702         (JSC::FTL::LazySlowPath::patchableJump):
2703         (JSC::FTL::LazySlowPath::done):
2704         (JSC::FTL::LazySlowPath::usedRegisters):
2705         (JSC::FTL::LazySlowPath::callSiteIndex):
2706         (JSC::FTL::LazySlowPath::stub):
2707         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
2708         * ftl/FTLLink.cpp:
2709         (JSC::FTL::link):
2710         * ftl/FTLLocation.cpp:
2711         (JSC::FTL::Location::forValueRep):
2712         (JSC::FTL::Location::dump):
2713         (JSC::FTL::Location::forStackmaps): Deleted.
2714         * ftl/FTLLocation.h:
2715         (JSC::FTL::Location::forRegister):
2716         (JSC::FTL::Location::forIndirect):
2717         (JSC::FTL::Location::forConstant):
2718         (JSC::FTL::Location::kind):
2719         (JSC::FTL::Location::hasReg):
2720         * ftl/FTLLowerDFGToLLVM.cpp:
2721         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
2722         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2723         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
2724         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2725         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
2726         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
2727         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
2728         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2729         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2730         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2731         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2732         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2733         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2734         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2735         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2736         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2737         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2738         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2739         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2740         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2741         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2742         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2743         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2744         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2745         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2746         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
2747         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2748         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2749         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2750         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2751         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2752         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2753         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2754         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2755         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2756         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2757         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2758         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
2759         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2760         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2761         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2762         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2763         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2764         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
2765         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
2766         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
2767         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2768         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
2769         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
2770         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
2771         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
2772         * ftl/FTLOSRExit.cpp:
2773         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2774         (JSC::FTL::OSRExitDescriptor::validateReferences):
2775         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
2776         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2777         (JSC::FTL::OSRExit::OSRExit):
2778         (JSC::FTL::OSRExit::codeLocationForRepatch):
2779         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
2780         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
2781         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
2782         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
2783         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
2784         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
2785         * ftl/FTLOSRExit.h:
2786         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2787         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
2788         * ftl/FTLOSRExitCompilationInfo.h: Removed.
2789         * ftl/FTLOSRExitCompiler.cpp:
2790         (JSC::FTL::compileRecovery):
2791         (JSC::FTL::compileStub):
2792         (JSC::FTL::compileFTLOSRExit):
2793         * ftl/FTLOSRExitHandle.cpp:
2794         * ftl/FTLOSRExitHandle.h:
2795         * ftl/FTLOutput.cpp: Removed.
2796         * ftl/FTLOutput.h: Removed.
2797         * ftl/FTLPatchpointExceptionHandle.cpp:
2798         * ftl/FTLPatchpointExceptionHandle.h:
2799         * ftl/FTLStackMaps.cpp: Removed.
2800         * ftl/FTLStackMaps.h: Removed.
2801         * ftl/FTLState.cpp:
2802         (JSC::FTL::State::State):
2803         (JSC::FTL::State::~State):
2804         (JSC::FTL::State::dumpState): Deleted.
2805         * ftl/FTLState.h:
2806         * ftl/FTLUnwindInfo.cpp: Removed.
2807         * ftl/FTLUnwindInfo.h: Removed.
2808         * ftl/FTLValueRange.cpp:
2809         (JSC::FTL::ValueRange::decorateInstruction):
2810         * ftl/FTLValueRange.h:
2811         (JSC::FTL::ValueRange::ValueRange):
2812         (JSC::FTL::ValueRange::begin):
2813         (JSC::FTL::ValueRange::end):
2814         * ftl/FTLWeight.h:
2815         (JSC::FTL::Weight::value):
2816         (JSC::FTL::Weight::frequencyClass):
2817         (JSC::FTL::Weight::scaleToTotal):
2818         * llvm/InitializeLLVM.cpp: Removed.
2819         * llvm/InitializeLLVM.h: Removed.
2820         * llvm/InitializeLLVMMac.cpp: Removed.
2821         * llvm/InitializeLLVMPOSIX.cpp: Removed.
2822         * llvm/InitializeLLVMPOSIX.h: Removed.
2823         * llvm/LLVMAPI.cpp: Removed.
2824         * llvm/LLVMAPI.h: Removed.
2825         * llvm/LLVMAPIFunctions.h: Removed.
2826         * llvm/LLVMHeaders.h: Removed.
2827         * llvm/library/LLVMAnchor.cpp: Removed.
2828         * llvm/library/LLVMExports.cpp: Removed.
2829         * llvm/library/LLVMOverrides.cpp: Removed.
2830         * llvm/library/config_llvm.h: Removed.
2831
2832 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2833
2834         [JSC] Remove the overflow check on ArithAbs when possible
2835         https://bugs.webkit.org/show_bug.cgi?id=154325
2836
2837         Reviewed by Filip Pizlo.
2838
2839         This patch adds support for ArithMode for ArithAbs.
2840
2841         It is useful for Kraken tests where Math.abs() is used
2842         on values for which the range is known.
2843
2844         For example, imaging-gaussian-blur has two Math.abs() with
2845         integers that are always in a small range around zero.
2846         The IntegerRangeOptimizationPhase detects the range correctly
2847         so we can just update the ArithMode depending on the input.
2848
2849         * dfg/DFGFixupPhase.cpp:
2850         (JSC::DFG::FixupPhase::fixupNode):
2851         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2852         * dfg/DFGNode.h:
2853         (JSC::DFG::Node::convertToArithNegate):
2854         (JSC::DFG::Node::hasArithMode):
2855         * dfg/DFGSpeculativeJIT64.cpp:
2856         (JSC::DFG::SpeculativeJIT::compile):
2857         * ftl/FTLLowerDFGToLLVM.cpp:
2858         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
2859         * tests/stress/arith-abs-integer-range-optimization.js: Added.
2860         (negativeRange):
2861         (negativeRangeIncludingZero):
2862         (negativeRangeWithOverflow):
2863         (positiveRange):
2864         (positiveRangeIncludingZero):
2865         (rangeWithoutOverflow):
2866         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
2867         (opaqueAbs):
2868
2869 2016-02-17  Chris Dumez  <cdumez@apple.com>
2870
2871         SES selftest page crashes on nightly r196694
2872         https://bugs.webkit.org/show_bug.cgi?id=154350
2873         <rdar://problem/24704334>
2874
2875         Reviewed by Mark Lam.
2876
2877         SES selftest page crashes after r196001 / r196145 when calling
2878         Object.getOwnPropertyDescriptor(window, "length") after the window
2879         has been reified and "length" has been shadowed by a value property.
2880
2881         It was crashing in JSObject::getOwnPropertyDescriptor() because
2882         we are getting a slot that has attribute "CustomAccessor" but
2883         the property is not a CustomGetterSetter. In this case, since
2884         window.length is [Replaceable] and has been set to a numeric value,
2885         it means that the property is not a CustomGetterSetter. However,
2886         the "CustomAccessor" attribute should have been dropped from the
2887         slot when window.length was shadowed. Therefore, this code path
2888         should not be exercised at all when calling
2889         getOwnPropertyDescriptor().
2890
2891         The issue was that putDirectInternal() was updating the slot
2892         attributes only if the "Accessor" flag had changed, but not
2893         the "CustomAccessor" flag. This patch fixes the issue.
2894
2895         * runtime/JSObject.h:
2896         (JSC::JSObject::putDirectInternal):
2897
2898 2016-02-17  Saam barati  <sbarati@apple.com>
2899
2900         Implement Proxy [[Get]]
2901         https://bugs.webkit.org/show_bug.cgi?id=154081
2902
2903         Reviewed by Michael Saboff.
2904
2905         This patch implements ProxyObject and ProxyConstructor. Their
2906         implementations are straightforward and follow the spec.
2907         The largest change in this patch is adding a second parameter
2908         to PropertySlot's constructor that specifies the internal method type of
2909         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to 
2910         implement more than one Internal Method in the spec. Because 
2911         of this, we need InternalMethodType to give us context about 
2912         which Internal Method we're executing. Specifically, Proxy will 
2913         call into different handlers based on this information.
2914
2915         InternalMethodType is an enum with the following values:
2916         - Get
2917           This corresponds to [[Get]] internal method in the spec.
2918         - GetOwnProperty
2919           This corresponds to [[GetOwnProperty]] internal method in the spec.
2920         - HasProperty
2921           This corresponds to [[HasProperty]] internal method in the spec.
2922         - VMInquiry
2923           This is basically everything else that isn't one of the above
2924           types. This value also mandates that getOwnPropertySlot does
2925           not perform any user observable effects. I.e., it can't call
2926           a JS function.
2927
2928         The other non-VMInquiry InternalMethodTypes are allowed to perform user
2929         observable effects. I.e., in future patches, ProxyObject will implement
2930         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty,
2931         which will both be defined to call user defined JS functions, which
2932         clearly have the right to perform user observable effects.
2933
2934         This patch implements getOwnPropertySlot of ProxyObject under
2935         InternalMethodType::Get. 
2936
2937         * API/JSCallbackObjectFunctions.h:
2938         (JSC::JSCallbackObject<Parent>::put):
2939         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2940         * CMakeLists.txt:
2941         * JavaScriptCore.xcodeproj/project.pbxproj:
2942         * debugger/DebuggerScope.cpp:
2943         (JSC::DebuggerScope::caughtValue):
2944         * interpreter/Interpreter.cpp:
2945         (JSC::Interpreter::execute):
2946         * jit/JITOperations.cpp:
2947         * llint/LLIntSlowPaths.cpp:
2948         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2949         * runtime/ArrayPrototype.cpp:
2950         (JSC::getProperty):
2951         * runtime/CommonIdentifiers.h:
2952         * runtime/JSCJSValueInlines.h:
2953         (JSC::JSValue::get):
2954         * runtime/JSFunction.cpp:
2955         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2956         (JSC::JSFunction::put):
2957         (JSC::JSFunction::defineOwnProperty):
2958         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2959         (JSC::constructGenericTypedArrayViewWithArguments):
2960         * runtime/JSGlobalObject.cpp:
2961         (JSC::JSGlobalObject::init):
2962         (JSC::JSGlobalObject::defineOwnProperty):
2963         * runtime/JSGlobalObject.h:
2964         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2965         (JSC::JSGlobalObject::moduleRecordStructure):
2966         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2967         (JSC::JSGlobalObject::proxyObjectStructure):
2968         (JSC::JSGlobalObject::wasmModuleStructure):
2969         * runtime/JSModuleEnvironment.cpp:
2970         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2971         * runtime/JSModuleNamespaceObject.cpp:
2972         (JSC::callbackGetter):
2973         * runtime/JSONObject.cpp:
2974         (JSC::Stringifier::Holder::appendNextProperty):
2975         (JSC::Walker::walk):
2976         * runtime/JSObject.cpp:
2977         (JSC::JSObject::calculatedClassName):
2978         (JSC::JSObject::putDirectNonIndexAccessor):
2979         (JSC::JSObject::hasProperty):
2980         (JSC::JSObject::deleteProperty):
2981         (JSC::JSObject::hasOwnProperty):
2982         (JSC::JSObject::getOwnPropertyDescriptor):
2983         * runtime/JSObject.h:
2984         (JSC::JSObject::getDirectIndex):
2985         (JSC::JSObject::get):
2986         * runtime/JSScope.cpp:
2987         (JSC::abstractAccess):
2988         * runtime/ObjectConstructor.cpp:
2989         (JSC::toPropertyDescriptor):
2990         * runtime/ObjectPrototype.cpp:
2991         (JSC::objectProtoFuncLookupGetter):
2992         (JSC::objectProtoFuncLookupSetter):
2993         (JSC::objectProtoFuncToString):
2994         * runtime/PropertySlot.h:
2995         (JSC::attributesForStructure):
2996         (JSC::PropertySlot::PropertySlot):
2997         (JSC::PropertySlot::isCacheableGetter):
2998         (JSC::PropertySlot::isCacheableCustom):
2999         (JSC::PropertySlot::internalMethodType):
3000         (JSC::PropertySlot::disableCaching):
3001         (JSC::PropertySlot::getValue):
3002         * runtime/ProxyConstructor.cpp: Added.
3003         (JSC::ProxyConstructor::create):
3004         (JSC::ProxyConstructor::ProxyConstructor):
3005         (JSC::ProxyConstructor::finishCreation):
3006         (JSC::constructProxyObject):
3007         (JSC::ProxyConstructor::getConstructData):
3008         (JSC::ProxyConstructor::getCallData):
3009         * runtime/ProxyConstructor.h: Added.
3010         (JSC::ProxyConstructor::createStructure):
3011         * runtime/ProxyObject.cpp: Added.
3012         (JSC::ProxyObject::ProxyObject):
3013         (JSC::ProxyObject::finishCreation):
3014         (JSC::performProxyGet):
3015         (JSC::ProxyObject::getOwnPropertySlotCommon):
3016         (JSC::ProxyObject::getOwnPropertySlot):
3017         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3018         (JSC::ProxyObject::visitChildren):
3019         * runtime/ProxyObject.h: Added.
3020         (JSC::ProxyObject::create):
3021         (JSC::ProxyObject::createStructure):
3022         (JSC::ProxyObject::target):
3023         (JSC::ProxyObject::handler):
3024         * runtime/ReflectObject.cpp:
3025         (JSC::reflectObjectGet):
3026         * runtime/SamplingProfiler.cpp:
3027         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
3028         * tests/es6.yaml:
3029         * tests/stress/proxy-basic.js: Added.
3030         (assert):
3031         (let.handler.get null):
3032         (get let):
3033         (let.handler.get switch):
3034         (let.handler):
3035         (let.theTarget.get x):
3036         * tests/stress/proxy-in-proto-chain.js: Added.
3037         (assert):
3038         * tests/stress/proxy-of-a-proxy.js: Added.
3039         (assert):
3040         (throw.new.Error.):
3041         * tests/stress/proxy-property-descriptor.js: Added.
3042         (assert):
3043         (set Object):
3044         * wasm/WASMModuleParser.cpp:
3045         (JSC::WASMModuleParser::getImportedValue):
3046
3047 2016-02-17  Mark Lam  <mark.lam@apple.com>
3048
3049         StringPrototype functions should check for exceptions after calling JSString::value().
3050         https://bugs.webkit.org/show_bug.cgi?id=154340
3051
3052         Reviewed by Filip Pizlo.
3053
3054         JSString::value() can throw an exception if the JS string is a rope and value()
3055         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3056         able to resolve the rope, it will return a null string (in addition to throwing
3057         the exception).  If StringPrototype functions do not check for exceptions after
3058         calling JSString::value(), they may eventually use the returned null string and
3059         crash the VM.
3060
3061         The fix is to add all the necessary exception checks, and do the appropriate
3062         handling if needed.
3063
3064         Also, in a few places where an exception is detected, we returned JSValue(). I
3065         changed it to return jsUndefined() instead to be consistent with the rest of the
3066         file.
3067
3068         * runtime/StringPrototype.cpp:
3069         (JSC::replaceUsingRegExpSearch):
3070         (JSC::stringProtoFuncMatch):
3071         (JSC::stringProtoFuncSlice):
3072         (JSC::stringProtoFuncSplit):
3073         (JSC::stringProtoFuncLocaleCompare):
3074         (JSC::stringProtoFuncBig):
3075         (JSC::stringProtoFuncSmall):
3076         (JSC::stringProtoFuncBlink):
3077         (JSC::stringProtoFuncBold):
3078         (JSC::stringProtoFuncFixed):
3079         (JSC::stringProtoFuncItalics):
3080         (JSC::stringProtoFuncStrike):
3081         (JSC::stringProtoFuncSub):
3082         (JSC::stringProtoFuncSup):
3083         (JSC::stringProtoFuncFontcolor):
3084         (JSC::stringProtoFuncFontsize):
3085         (JSC::stringProtoFuncAnchor):
3086         (JSC::stringProtoFuncLink):
3087         (JSC::trimString):
3088
3089 2016-02-17  Commit Queue  <commit-queue@webkit.org>
3090
3091         Unreviewed, rolling out r196675.
3092         https://bugs.webkit.org/show_bug.cgi?id=154344
3093
3094         "Causes major slowdowns on deltablue-varargs" (Requested by
3095         keith_miller on #webkit).
3096
3097         Reverted changeset:
3098
3099         "Spread operator should be allowed when not the first argument
3100         of parameter list"
3101         https://bugs.webkit.org/show_bug.cgi?id=152721
3102         http://trac.webkit.org/changeset/196675
3103
3104 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
3105
3106         JSDOMWindow::put should not do the same thing twice
3107         https://bugs.webkit.org/show_bug.cgi?id=154334
3108
3109         Reviewed by Chris Dumez.
3110
3111         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
3112         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
3113         table entries.
3114
3115         * runtime/JSGlobalObject.h:
3116         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
3117             - no longer needed.
3118
3119 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3120
3121         FTL_USES_B3 should be unconditionally true
3122         https://bugs.webkit.org/show_bug.cgi?id=154324
3123
3124         Reviewed by Benjamin Poulain.
3125
3126         * dfg/DFGCommon.h:
3127
3128 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3129
3130         FTL should support CompareEq(String:, String:)
3131         https://bugs.webkit.org/show_bug.cgi?id=154269
3132         rdar://problem/24499921
3133
3134         Reviewed by Benjamin Poulain.
3135
3136         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
3137         think we should land the increased coverage first and fix the issues after, especially since
3138         the regression is so small and doesn't have a statistically significant effect on the overall
3139         score.
3140
3141         * ftl/FTLCapabilities.cpp:
3142         (JSC::FTL::canCompile):
3143         * ftl/FTLLowerDFGToLLVM.cpp:
3144         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
3145         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3146         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
3147         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3148         * tests/stress/ftl-string-equality.js: Added.
3149         * tests/stress/ftl-string-ident-equality.js: Added.
3150         * tests/stress/ftl-string-strict-equality.js: Added.
3151
3152 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3153
3154         FTL should support NewTypedArray
3155         https://bugs.webkit.org/show_bug.cgi?id=154268
3156
3157         Reviewed by Saam Barati.
3158
3159         3% speed-up on pdfjs. This was already covered by many different tests.
3160
3161         Rolling this back in after fixing the butterfly argument.
3162
3163         * ftl/FTLCapabilities.cpp:
3164         (JSC::FTL::canCompile):
3165         * ftl/FTLLowerDFGToLLVM.cpp:
3166         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3167         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3168         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3169         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3170         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3171         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3172         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3173
3174 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3175
3176         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
3177         https://bugs.webkit.org/show_bug.cgi?id=154257
3178
3179         Reviewed by Chris Dumez.
3180
3181         * runtime/Lookup.h:
3182         (JSC::getStaticPropertySlot):
3183         (JSC::getStaticFunctionSlot):
3184         (JSC::getStaticValueSlot):
3185             - this could all do with a little more love.
3186               But enforce the basic precedence:
3187                 (1) regular storage properties always win over static table properties.
3188                 (2) if properties have been reified, don't consult the static tables.
3189                 (3) only if the property is not present on the object & not reified
3190                     should the static hashtable be consulted.
3191
3192 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3193
3194         JSDOMWindow::getOwnPropertySlot should not search proto chain
3195         https://bugs.webkit.org/show_bug.cgi?id=154102
3196
3197         Reviewed by Chris Dumez.
3198
3199         Should only return *own* properties.
3200
3201         * runtime/JSObject.cpp:
3202         (JSC::JSObject::getOwnPropertyDescriptor):
3203             - remove hack/special-case for DOMWindow; we no longer need this.
3204
3205 2016-02-16  Keith Miller  <keith_miller@apple.com>
3206
3207         Spread operator should be allowed when not the first argument of parameter list
3208         https://bugs.webkit.org/show_bug.cgi?id=152721
3209
3210         Reviewed by Saam Barati.
3211
3212         Spread arguments to functions should now be ES6 compliant. Before we
3213         would only take a spread operator if it was the sole argument to a
3214         function. Additionally, we would not use the Symbol.iterator on the
3215         object to generate the arguments. Instead we would do a loop up to the
3216         length mapping indexed properties to the corresponding argument. We fix
3217         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3218         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3219         old spread semantics). This solution has the downside of requiring the
3220         allocation of another object and copying each element twice but avoids a
3221         large change to the VM calling convention.
3222
3223         * interpreter/Interpreter.cpp:
3224         (JSC::loadVarargs):
3225         * parser/ASTBuilder.h:
3226         (JSC::ASTBuilder::createElementList):
3227         * parser/Parser.cpp:
3228         (JSC::Parser<LexerType>::parseArguments):
3229         (JSC::Parser<LexerType>::parseArgument):
3230         (JSC::Parser<LexerType>::parseMemberExpression):
3231         * parser/Parser.h:
3232         * parser/SyntaxChecker.h:
3233         (JSC::SyntaxChecker::createElementList):
3234         * tests/es6.yaml:
3235         * tests/stress/spread-calling.js: Added.
3236         (testFunction):
3237         (testEmpty):
3238         (makeObject):
3239         (otherIterator.return.next):
3240         (otherIterator):
3241         (totalIter):
3242         (throwingIter.return.next):
3243         (throwingIter):
3244         (i.catch):
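
        The spread-argument behaviour that the AST rewrite above has to preserve, as an added
        example; it is not the patch's own test code (that lives in tests/stress/spread-calling.js)
        and not part of JavaScriptCore. It shows spread anywhere in an argument list, the
        equivalence with the rewritten foo(...[...a, b, ...c, d]) form, and the two semantic
        points the entry calls out: spread goes through Symbol.iterator rather than length plus
        indexed properties, and a throwing iterator aborts the call before the callee runs. The
        function names (collect, mixedSpread and the rest) are the example's own.

```javascript
// Added example, not JavaScriptCore code: ES6 spread-argument semantics that the
// foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) rewrite must preserve.
function collect(...args) {
  return args;
}

// Spread may appear anywhere in the argument list, mixed with plain arguments.
function mixedSpread() {
  const a = [1, 2];
  const c = [4, 5];
  return collect(...a, 3, ...c, 6); // [1, 2, 3, 4, 5, 6]
}

// The rewritten form: one array literal built from the same pieces, spread once.
function rewrittenEquivalent() {
  const a = [1, 2];
  const c = [4, 5];
  return collect(...[...a, 3, ...c, 6]); // identical to mixedSpread()
}

// Spread consults Symbol.iterator, not `length` plus indexed properties:
// an array-like with no iterator is a TypeError, not an empty or partial call.
function arrayLikeWithoutIteratorThrows() {
  const arrayLike = { length: 2, 0: "x", 1: "y" }; // constructed array-like
  try {
    collect(...arrayLike);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Any object with its own iterator is spread through that iterator; its
// `length` and indexed properties are ignored entirely.
function customIteratorWins() {
  const obj = {
    length: 99,
    0: "ignored",
    *[Symbol.iterator]() {
      yield "a";
      yield "b";
    },
  };
  return collect(...obj, "c"); // ["a", "b", "c"]
}

// An iterator that throws part-way aborts argument evaluation: the error
// propagates and the callee never runs.
function throwingIteratorAbortsCall() {
  let calleeRan = false;
  const spy = () => { calleeRan = true; };
  const bad = {
    *[Symbol.iterator]() {
      yield 1;
      throw new RangeError("iterator failed"); // constructed failure
    },
  };
  try {
    spy(...bad);
    return false;
  } catch (e) {
    return e instanceof RangeError && !calleeRan;
  }
}
```

        Because the rewrite spreads the temporary array with the old single-spread path, the
        iterator protocol is only run once, while building the array literal, so the order of
        observable effects (iterator calls, then the call itself) matches the direct form.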
3245
3246 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
3247
3248         [JSC] Enable B3 on ARM64
3249         https://bugs.webkit.org/show_bug.cgi?id=154275
3250
3251         Reviewed by Mark Lam.
3252
3253         The port passes more tests than LLVM now; let's use it by default.
3254
3255         * dfg/DFGCommon.h:
3256
3257 2016-02-16  Commit Queue  <commit-queue@webkit.org>
3258
3259         Unreviewed, rolling out r196652.
3260         https://bugs.webkit.org/show_bug.cgi?id=154315
3261
3262         This change caused LayoutTest crashes (Requested by ryanhaddad
3263         on #webkit).
3264
3265         Reverted changeset:
3266
3267         "FTL should support NewTypedArray"
3268         https://bugs.webkit.org/show_bug.cgi?id=154268
3269         http://trac.webkit.org/changeset/196652
3270
3271 2016-02-16  Brian Burg  <bburg@apple.com>
3272
3273         RemoteInspector should forward new automation session requests to its client
3274         https://bugs.webkit.org/show_bug.cgi?id=154260
3275         <rdar://problem/24663313>
3276
3277         Reviewed by Timothy Hatcher.
3278
3279         * inspector/remote/RemoteInspector.h:
3280         * inspector/remote/RemoteInspector.mm:
3281         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3282         (Inspector::RemoteInspector::listingForAutomationTarget):
3283         Use the correct key for the session identifier in the listing. The name()
3284         override for RemoteAutomationTarget is actually the session identifier.
3285
3286         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3287         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
3288
3289 2016-02-16  Saam barati  <sbarati@apple.com>
3290
3291         SamplingProfiler still fails with ASan enabled
3292         https://bugs.webkit.org/show_bug.cgi?id=154301
3293         <rdar://problem/24679502>
3294
3295         Reviewed by Filip Pizlo.
3296
3297         To fix this issue, I've come up with unsafe versions
3298         of all operations that load memory from the thread's call
3299         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
3300
3301         * interpreter/CallFrame.cpp:
3302         (JSC::CallFrame::callSiteAsRawBits):
3303         (JSC::CallFrame::unsafeCallSiteAsRawBits):
3304         (JSC::CallFrame::callSiteIndex):
3305         (JSC::CallFrame::unsafeCallSiteIndex):
3306         (JSC::CallFrame::stack):
3307         (JSC::CallFrame::callerFrame):
3308         (JSC::CallFrame::unsafeCallerFrame):
3309         (JSC::CallFrame::friendlyFunctionName):
3310         * interpreter/CallFrame.h:
3311         (JSC::ExecState::calleeAsValue):
3312         (JSC::ExecState::callee):
3313         (JSC::ExecState::unsafeCallee):
3314         (JSC::ExecState::codeBlock):
3315         (JSC::ExecState::unsafeCodeBlock):
3316         (JSC::ExecState::scope):
3317         (JSC::ExecState::callerFrame):
3318         (JSC::ExecState::callerFrameOrVMEntryFrame):
3319         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
3320         (JSC::ExecState::callerFrameOffset):
3321         (JSC::ExecState::callerFrameAndPC):
3322         (JSC::ExecState::unsafeCallerFrameAndPC):
3323         * interpreter/Register.h:
3324         (JSC::Register::codeBlock):
3325         (JSC::Register::asanUnsafeCodeBlock):
3326         (JSC::Register::unboxedInt32):
3327         (JSC::Register::tag):
3328         (JSC::Register::unsafeTag):
3329         (JSC::Register::payload):
3330         * interpreter/VMEntryRecord.h:
3331         (JSC::VMEntryRecord::prevTopCallFrame):
3332         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3333         (JSC::VMEntryRecord::prevTopVMEntryFrame):
3334         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
3335         * runtime/SamplingProfiler.cpp:
3336         (JSC::FrameWalker::walk):
3337         (JSC::FrameWalker::advanceToParentFrame):
3338         (JSC::FrameWalker::isAtTop):
3339         (JSC::FrameWalker::resetAtMachineFrame):
3340
3341 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3342
3343         FTL should support NewTypedArray
3344         https://bugs.webkit.org/show_bug.cgi?id=154268
3345
3346         Reviewed by Saam Barati.
3347
3348         3% speed-up on pdfjs. This was already covered by many different tests.
3349
3350         * ftl/FTLCapabilities.cpp:
3351         (JSC::FTL::canCompile):
3352         * ftl/FTLLowerDFGToLLVM.cpp:
3353         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3354         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3355         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3356         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3357         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3358         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3359         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3360
3361 2016-02-16  Saam barati  <sbarati@apple.com>
3362
3363         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
3364         https://bugs.webkit.org/show_bug.cgi?id=154255
3365         <rdar://problem/24662996>
3366
3367         Reviewed by Mark Lam.
3368
3369         The bug here wasn't in the implementation of the sampling profiler