Source/JavaScriptCore/ChangeLog (WebKit-https.git, commit 6059c172d5a947a79864baefcc6ee9bbab08dba5)
2015-09-18  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement type conversion instructions in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149340

        Reviewed by Mark Lam.

        This patch implements some type conversion instructions in WebAssembly.
        The WebAssembly spec has a lot more type conversion instructions than
        what are available in asm.js.[1] We only implement the ones that are in
        asm.js for now because we can only test those.

        [1]: https://github.com/WebAssembly/design/blob/master/AstSemantics.md

        * tests/stress/wasm-type-conversion.js:
        * tests/stress/wasm/type-conversion.wasm:
        * wasm/WASMConstants.h:
        * wasm/WASMFunctionCompiler.h:
        (JSC::operationConvertUnsignedInt32ToDouble):
        (JSC::WASMFunctionCompiler::buildConvertType):
        (JSC::WASMFunctionCompiler::callOperation):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseExpressionF32):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseConvertType):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildConvertType):

2015-09-18  Alex Christensen  <achristensen@webkit.org>

        Fix tests on Windows after switching to CMake.
        https://bugs.webkit.org/show_bug.cgi?id=149339

        Reviewed by Brent Fulgham.

        * shell/PlatformWin.cmake:
        Build testapi and testRegExp (which doesn't seem to be used any more).

2015-09-17  Brian Burg  <bburg@apple.com>

        ASSERT(!m_frontendRouter->hasLocalFrontend()) when running Web Inspector tests
        https://bugs.webkit.org/show_bug.cgi?id=149006

        Reviewed by Joseph Pecoraro.

        Prior to disconnecting, we need to know how many frontends remain connected.

        * inspector/InspectorFrontendRouter.h: Add frontendCount().

2015-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Explicitly specify builtin JS files dependency
        https://bugs.webkit.org/show_bug.cgi?id=149323

        Reviewed by Alex Christensen.

        JSCBuiltins.{h,cpp} in CMakeLists.txt and DerivedSources.make just depend on the builtins directory.
        As a result, even if we modify builtins/*.js code, regenerating JSCBuiltins.{h,cpp} does not occur.
        As with the cpp sources, let's list the JS files explicitly.

        * CMakeLists.txt:
        * DerivedSources.make:

2015-09-18  Michael Saboff  <msaboff@apple.com>

        Remove register preservation and restoration stub code
        https://bugs.webkit.org/show_bug.cgi?id=149335

        Reviewed by Mark Lam.

        Delete the register preservation and restoration thunks and related plumbing.

        Much of this change is removing the unneeded RegisterPreservationMode parameter
        from various functions.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::isVarargsCallType):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::isVarargs):
        (JSC::CallLinkInfo::isLinked):
        (JSC::CallLinkInfo::setUpCallFromFTL):
        (JSC::CallLinkInfo::registerPreservationMode): Deleted.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::addressForCall):
        * ftl/FTLJITCode.h:
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::DirectJITCode::addressForCall):
        (JSC::NativeJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        (JSC::DirectJITCode::ensureWrappers): Deleted.
        * jit/JITCode.h:
        (JSC::JITCode::jitTypeFor):
        (JSC::JITCode::executableAddress):
        * jit/JITOperations.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp: Removed.
        * jit/RegisterPreservationWrapperGenerator.h: Removed.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        * jit/ThunkGenerators.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::setUpCall):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ScriptExecutable::installCode):
        (JSC::WebAssemblyExecutable::prepareForExecution):
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeFor):
        (JSC::ExecutableBase::entrypointFor):
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        * runtime/RegisterPreservationMode.h: Removed.

2015-09-17  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused canClearBrowserCookies / canClearBrowserCache protocol methods
        https://bugs.webkit.org/show_bug.cgi?id=149307

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Remove unused protocol methods.

2015-09-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r189938, r189952, and r189956.
        https://bugs.webkit.org/show_bug.cgi?id=149329

        Broke Web Workers (Requested by ap on #webkit).

        Reverted changesets:

        "Implement try/catch in the DFG."
        https://bugs.webkit.org/show_bug.cgi?id=147374
        http://trac.webkit.org/changeset/189938

        "CLoop build fix after r189938."
        http://trac.webkit.org/changeset/189952

        "add a regress test for richards with try/catch."
        https://bugs.webkit.org/show_bug.cgi?id=149301
        http://trac.webkit.org/changeset/189956

2015-09-17  Ryosuke Niwa  <rniwa@webkit.org>

        CLoop build fix after r189938.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::unwindToMachineCodeBlockFrame):

2015-09-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Convert return values from JavaScript functions to the expected types in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149200

        Reviewed by Mark Lam.

        When a WebAssembly function calls a JavaScript function, there is no
        guarantee that the JavaScript function will always return values of the
        type we expect. This patch converts the return values to the expected
        types.

        (The reverse is also true: When a WebAssembly function is called from a
        JavaScript function, there is no guarantee that the arguments to the
        WebAssembly function will always be of the types we expect. We have
        fixed this in Bug 149033.)

        We don't need to type check the return values if the callee is a
        WebAssembly function. We don't need to type check the arguments if the
        caller is a WebAssembly function. This optimization will be
        implemented in the future. See https://bugs.webkit.org/show_bug.cgi?id=149310

        * tests/stress/wasm-type-conversion.js:
        * tests/stress/wasm/type-conversion.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::startFunction):
        (JSC::WASMFunctionCompiler::buildReturn):
        (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
        (JSC::WASMFunctionCompiler::callAndUnboxResult):
        (JSC::WASMFunctionCompiler::convertValueToInt32):
        (JSC::WASMFunctionCompiler::convertValueToDouble):
        (JSC::WASMFunctionCompiler::convertDoubleToValue):
        (JSC::WASMFunctionCompiler::loadValueAndConvertToInt32): Deleted.
        (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble): Deleted.
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseExpressionF32):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseCallInternalExpressionI32): Deleted.
        * wasm/WASMFunctionParser.h:

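The two WebAssembly type conversion entries above (the asm.js-subset conversion instructions, including the unsigned int32 to double case, and the coercion of values returned by untyped JavaScript callees) describe coercions that plain JavaScript can model. The following is an added example, not code from WebKit or from this ChangeLog; coerceReturn, importWithResultType, unsignedInt32ToDouble and the "i32"/"f32"/"f64" type names are illustrative, and the callees are constructed.

```javascript
// Added example (not WebKit code). Models, in plain JavaScript, the asm.js-style
// coercions a typed WebAssembly caller must apply to whatever an untyped JavaScript
// callee hands back, so the caller never operates on a value of the wrong type.

// Coerce a JavaScript value to the declared WebAssembly result type.
// Type names are illustrative, not a JSC API.
function coerceReturn(type, value) {
  switch (type) {
    case "i32":
      // ToInt32: objects/strings go through ToNumber, NaN becomes 0,
      // out-of-range values wrap modulo 2^32.
      return value | 0;
    case "f32":
      // ToNumber, then round to single precision.
      return Math.fround(+value);
    case "f64":
      // ToNumber only.
      return +value;
    default:
      throw new TypeError("unknown WebAssembly result type: " + type);
  }
}

// The unsigned-to-double conversion from the type conversion instructions entry:
// reinterpret an int32 bit pattern as uint32, then widen to a double.
function unsignedInt32ToDouble(i32) {
  return +(i32 >>> 0);
}

// Wrap an untyped JavaScript callee so every return value is coerced to the
// declared result type before the typed caller sees it.
function importWithResultType(type, fn) {
  return (...args) => coerceReturn(type, fn(...args));
}

// Constructed callees that return values a typed caller would not expect.
const misbehaving = {
  returnsString: () => "42",
  returnsObject: () => ({ valueOf: () => 7.9 }),
  returnsNaN: () => NaN,
  returnsHuge: () => 2 ** 32 + 5,
  returnsUndefined: () => undefined,
};

// Coerce every constructed callee's result to int32 and report what the
// typed caller would actually receive.
function int32ViewOfMisbehavingCallees() {
  const out = {};
  for (const [name, fn] of Object.entries(misbehaving)) {
    out[name] = importWithResultType("i32", fn)();
  }
  return out;
}
```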
2015-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Add more fine-grained APIs and additional hooks to control module loader from WebCore
        https://bugs.webkit.org/show_bug.cgi?id=149129

        Reviewed by Saam Barati.

        No behavior change.

        Module tag `<script type="module">` will be executed asynchronously.
        But we would like to fetch the resources before the postTask-ed task is performed.
        So instead of 1 API that fetches, instantiates and executes the module,
        we need 2 fine-grained APIs.

        1. Fetch and initialize a module, but not execute it yet.
        2. Link and execute a module specified by the key (this will be invoked asynchronously).

        And to instrument the script execution (like reporting the execution time of the module to
        the inspector), we need a hook to inject code around an execution of a module body.

        * builtins/ModuleLoaderObject.js:
        (moduleEvaluation):
        (loadAndEvaluateModule):
        (loadModule):
        (linkAndEvaluateModule):
        * jsc.cpp:
        (functionLoadModule):
        (runWithScripts):
        * runtime/Completion.cpp:
        (JSC::identifierToJSValue):
        (JSC::createSymbolForEntryPointModule):
        (JSC::rejectPromise):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::evaluateModule): Deleted.
        * runtime/Completion.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::evaluate):
        (JSC::JSModuleRecord::execute): Deleted.
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::loadAndEvaluateModule):
        (JSC::ModuleLoaderObject::linkAndEvaluateModule):
        (JSC::ModuleLoaderObject::evaluate):
        (JSC::moduleLoaderObjectEvaluate):
        * runtime/ModuleLoaderObject.h:

2015-09-17  Saam barati  <sbarati@apple.com>

        Implement try/catch in the DFG.
        https://bugs.webkit.org/show_bug.cgi?id=147374

        Reviewed by Filip Pizlo.

        This patch implements try/catch inside the DFG JIT.
        It also prevents tier up to the FTL for any functions
        that have an op_catch in them that are DFG compiled.

        This patch accomplishes implementing try/catch inside
        the DFG by OSR exiting to op_catch when an exception is thrown.
        We can OSR exit from an exception inside the DFG in two ways:
        1) We have a JS call (can also be via implicit getter/setter in GetById/PutById)
        2) We have an exception when returning from a callOperation

        In the case of (1), we get to the OSR exit from genericUnwind because
        the exception was thrown in a child call frame. This means these
        OSR exits must act as de facto op_catches (even though we will still OSR
        exit to a baseline op_catch). That means they must restore the stack pointer
        and call frame.

        In the case of (2), we can skip genericUnwind because we know the exception
        check will take us to a particular OSR exit. Instead, we link these
        exception checks as jumps to a particular OSR exit.

        Both types of OSR exits will exit into op_catch inside the baseline JIT.
        Because they exit to op_catch, these OSR exits must set callFrameForCatch
        to the proper call frame pointer.

        We "handle" all exceptions inside the machine frame of the DFG code
        block. This means the machine code block is responsible for "catching"
        exceptions of any inlined frames' try/catch. OSR exit will then exit to
        the proper baseline CodeBlock after reifying the inlined frames
        (DFG::OSRExit::m_codeOrigin corresponds to the op_catch we will exit to).
        Also, genericUnwind will never consult an inlined call frame's CodeBlock to
        see if they can catch the exception because they can't. We always unwind to the
        next machine code block frame. The DFG CodeBlock changes how the exception
        handler table is keyed: it is now keyed by CallSiteIndex for DFG code blocks.

        So, when consulting call sites that throw, we keep track of the CallSiteIndex,
        and the HandlerInfo for the corresponding baseline exception handler for
        that particular CallSiteIndex (if an exception at that call site will be caught).
        Then, when we're inside DFG::JITCompiler::link(), we install new HandlerInfo's
        inside the DFG CodeBlock and key it by the corresponding CallSiteIndex.
        (The CodeBlock only has HandlerInfos for the OSR exits that are to be arrived
        at from genericUnwind).

        Also, each OSR exit will know if it is acting as an exception handler, and
        whether or not it will be arrived at from genericUnwind. When we know we
        will arrive at an OSR exit from genericUnwind, we set the corresponding
        HandlerInfo's nativeCode CodeLocationLabel field to be the OSR exit.

        This patch also introduces a new Phase inside the DFG that ensures
        that DFG CodeBlocks that handle exceptions take the necessary
        steps to keep live variables at "op_catch" live according to the
        OSR exit value recovery machinery. We accomplish this by flushing
        all live op_catch variables to the stack when inside a "try" block.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::handlerForBytecodeOffset):
        (JSC::CodeBlock::handlerForIndex):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearExceptionHandlers):
        (JSC::CodeBlock::appendExceptionHandler):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::addCodeOrigin):
        (JSC::DFG::CommonData::lastCallSite):
        (JSC::DFG::CommonData::shrinkToFit):
        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::noticeOSREntry):
        (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
        (JSC::DFG::JITCompiler::willCatchExceptionInMachineFrame):
        (JSC::DFG::JITCompiler::exceptionCheck):
        (JSC::DFG::JITCompiler::recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
        (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
        (JSC::DFG::JITCompiler::appendCall):
        (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
        (JSC::DFG::JITCompiler::blockHeads):
        (JSC::DFG::JITCompiler::exceptionCheck): Deleted.
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp: Added.
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::FlushLiveCatchVariablesInsertionPhase):
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::run):
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::willCatchException):
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::handleBlock):
        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::newVariableAccessData):
        (JSC::DFG::performLiveCatchVariablePreservationPhase):
        * dfg/DFGLiveCatchVariablePreservationPhase.h: Added.
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::~SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/Interpreter.cpp:
        (JSC::GetCatchHandlerFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
        (JSC::StackVisitor::readFrame):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::operator*):
        (JSC::StackVisitor::operator->):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitExceptionCheck):
        (JSC::AssemblyHelpers::emitNonPatchableExceptionCheck):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitCount):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::clearException):
        (JSC::VM::clearLastException):
        (JSC::VM::addressOfCallFrameForCatch):
        (JSC::VM::exception):
        (JSC::VM::addressOfException):
        * tests/stress/dfg-exception-try-catch-in-constructor-with-inlined-throw.js: Added.
        (f):
        (bar):
        (Foo):
        * tests/stress/es6-for-of-loop-exception.js: Added.
        (assert):
        (shouldThrowInvalidConstAssignment):
        (baz):
        (foo):
        * tests/stress/exception-dfg-inlined-frame-not-strict-equal.js: Added.
        (assert):
        (o.valueOf):
        (o.toString):
        (read):
        (bar):
        (foo):
        * tests/stress/exception-dfg-not-strict-equal.js: Added.
        (foo):
        (o.valueOf):
        (o.toString):
        (assert):
        (shouldDoSomethingInFinally):
        (catch):
        * tests/stress/exception-dfg-operation-read-value.js: Added.
        (assert):
        (o.valueOf):
        (o.toString):
        (read):
        (foo):
        * tests/stress/exception-dfg-throw-from-catch-block.js: Added.
        (assert):
        (baz):
        (bar):
        (foo):

2015-09-17  Filip Pizlo  <fpizlo@apple.com>

        0.0 should really be 0.0
        https://bugs.webkit.org/show_bug.cgi?id=149283

        Reviewed by Mark Lam.

        A while ago (http://trac.webkit.org/changeset/180813) we introduced the idea that if the
        user wrote a number with a decimal point (like "0.0") then we should treat that number as
        a double. That's probably a pretty good idea. But, we ended up doing it inconsistently.
        The DFG would indeed treat such a number as a double by consulting the
        SourceCodeRepresentation, but the other execution engines would still see Int32:0.

        This patch makes it consistent.

        This is necessary for property type inference to perform well. Otherwise, a store of a
        constant would change type from the baseline engine to the DFG, which would then cause
        a storm of property type invalidations and recompilations.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantValue):

2015-09-17  Filip Pizlo  <fpizlo@apple.com>

        stress/exit-from-getter.js.ftl-eager occasionally traps in debug
        https://bugs.webkit.org/show_bug.cgi?id=149096

        Reviewed by Geoffrey Garen.

        JS calls to getters/setters in get/put inline caches need to reset SP after the call, as our
        calling convention requires.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate): Fix the bug.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link): Adds some verbiage about why the FTL stack offset logic is correct.
        * tests/stress/getter-arity.js: Added. Other tests would flakily crash before the patch. This test instacrashes before the patch.

2015-09-17  Saam barati  <sbarati@apple.com>

        Interpreter::unwind() shouldn't be responsible for filtering out uncatchable exceptions
        https://bugs.webkit.org/show_bug.cgi?id=149228

        Reviewed by Mark Lam.

        op_catch is now responsible for filtering exceptions that
        aren't catchable. When op_catch encounters an uncatchable
        exception, it will call back into genericUnwind and throw
        the exception further down the call stack. This is necessary
        in a later patch that will implement exception handling
        in the DFG, and part of that patch includes exception
        handling that doesn't go through genericUnwind. The DFG try/catch
        patch will not go through genericUnwind when it knows that
        an exception check after a callOperation will be caught inside the
        machine frame or any inlined frames. This patch enables that
        patch by destroying the notion that all exception handling must
        filter through genericUnwind.

        This patch maintains compatibility with the debugger and
        profiler by ensuring we notify the debugger when an
        exception is thrown inside VM::throwException and not
        in genericUnwind. It also notifies the profiler that we've
        potentially changed call frames inside op_catch.

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        (JSC::checkedReturn):
        * interpreter/Interpreter.h:
        (JSC::SuspendExceptionScope::SuspendExceptionScope):
        (JSC::SuspendExceptionScope::~SuspendExceptionScope):
        (JSC::Interpreter::sampler):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::targetMachinePCForThrowOffset):
        (JSC::VM::restorePreviousException):
        (JSC::VM::clearException):
        (JSC::VM::clearLastException):
        (JSC::VM::exception):
        (JSC::VM::addressOfException):
        (JSC::VM::setException):

2015-09-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Calling a float function on x86 in WebAssembly incorrectly returns a double
        https://bugs.webkit.org/show_bug.cgi?id=149254

        Reviewed by Michael Saboff.

        In WebAssembly on x86 (32-bit), when we call a function that returns a
        float or a double, we use the FSTP instruction to read the return value
        from the FPU register stack. The FSTP instruction converts the value to
        single-precision or double-precision floating-point format, depending on
        the destination operand. Currently, we always use double as the
        destination, which is wrong. This patch uses the correct return type.
        This should fix the test errors in tests/stress/wasm-arithmetic-float32.js.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fstps):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::appendCallSetResult):
        (JSC::WASMFunctionCompiler::callOperation):

2015-09-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Save and restore callee save registers in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149247

        Reviewed by Michael Saboff.

        Save callee save registers when entering WebAssembly functions
        and restore them when returning.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
        * jit/RegisterSet.h:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::startFunction):
        (JSC::WASMFunctionCompiler::endFunction):
        (JSC::WASMFunctionCompiler::buildReturn):
        (JSC::WASMFunctionCompiler::localAddress):
        (JSC::WASMFunctionCompiler::temporaryAddress):
        (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
        (JSC::WASMFunctionCompiler::callAndUnboxResult):

2015-09-16  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement indirect calls in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149100

        Reviewed by Geoffrey Garen.

        This patch implements indirect calls for WebAssembly files generated by
        pack-asmjs <https://github.com/WebAssembly/polyfill-prototype-1>.
        pack-asmjs uses the same indirect call model as asm.js. In asm.js, an
        indirect call looks like this:
            t[i & n](...)
        where t is a variable referring to an array of functions with the same
        signature, i is an integer expression, n is an integer that is equal to
        (t.length - 1), and t.length is a power of two. pack-asmjs does not
        use the '&' operator nor n in the WebAssembly output, but the semantics
        is still the same as asm.js.

        * tests/stress/wasm-calls.js:
        * tests/stress/wasm/calls.wasm:
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildCallIndirect):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseExpressionF32):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseCallIndirect):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildCallIndirect):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::parseFunctionPointerTableSection):
        (JSC::WASMModuleParser::parseFunctionDefinitionSection):

645
646 2015-09-16  Sukolsak Sakshuwong  <sukolsak@gmail.com>
647
648         Fix 32-bit build issues in WebAssembly
649         https://bugs.webkit.org/show_bug.cgi?id=149240
650
651         Reviewed by Geoffrey Garen.
652
653         Fix the syntax error and replace the instructions that are not available on
654         64-bit platforms.
655
656         * wasm/WASMFunctionCompiler.h:
657         (JSC::WASMFunctionCompiler::startFunction):
658         (JSC::WASMFunctionCompiler::endFunction):
659         (JSC::WASMFunctionCompiler::buildReturn):
660         (JSC::WASMFunctionCompiler::callAndUnboxResult):
661         (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble):
662
663 2015-09-16  Geoffrey Garen  <ggaren@apple.com>
664
665         JavaScriptCore should discard baseline code after some time
666         https://bugs.webkit.org/show_bug.cgi?id=149220
667
668         Reviewed by Saam Barati.
669
670         This is a bit more complicated than discarding optimized code because
671         the engine previously assumed that we would never discard baseline code.
672
673         * bytecode/CodeBlock.cpp:
674         (JSC::CodeBlock::CodeBlock): Record creation time (and compute time since
675         creation) instead of install time because CodeBlocks can be installed
676         more than once, and we don't want to have to worry about edge cases
677         created by CodeBlocks seeming to get younger.
678
679         (JSC::CodeBlock::visitAggregate): Be explicit about only doing the 
680         weak reference fixpoint for optimized CodeBlocks. We used to avoid the
681         fixpoint for baseline CodeBlocks implicitly, since they would always
682         visit themselves strongly right away. But now baseline CodeBlocks might
683         not visit themselves strongly, since they might choose to jettison due
684         to old age.
685
686         (JSC::CodeBlock::shouldVisitStrongly): Add old age as a reason not to
687         visit ourselves strongly, so that baseline CodeBlocks can jettison due
688         to old age.
689
690         (JSC::CodeBlock::shouldJettisonDueToWeakReference): Be explicit about
691         only jettisoning optimized CodeBlocks due to weak references so that we
692         don't confuse ourselves into thinking that we will jettison a baseline
693         CodeBlock due to weak references.
694
695         (JSC::CodeBlock::shouldJettisonDueToOldAge): Updated to use creation time.
696
697         (JSC::CodeBlock::visitOSRExitTargets): Clarify a comment and add an
698         ASSERT to help record some things I discovered while debugging.
699
700         (JSC::CodeBlock::jettison): Allow a baseline CodeBlock to jettison. Don't
701         assume that we have an alternative or a profiler.
702
703         (JSC::CodeBlock::install): Deleted.
704         * bytecode/CodeBlock.h:
705         (JSC::CodeBlock::releaseAlternative): Deleted.
706         (JSC::CodeBlock::setInstallTime): Deleted.
707         (JSC::CodeBlock::timeSinceInstall): Deleted.
708
709         * dfg/DFGOSRExitPreparation.cpp:
710         (JSC::DFG::prepareCodeOriginForOSRExit): Simplified the computation of
711         baseline CodeBlock.
712
713         * dfg/DFGPlan.cpp:
714         (JSC::DFG::Plan::checkLivenessAndVisitChildren): Be sure to strongly
715         visit our inline callframes because we assume that an optimized CodeBlock
716         will keep its OSR exit targets alive, but the CodeBlock object won't be
717         able to mark them for itself until compilation has completed (since it
718         won't have a JITCode object yet).
719
720         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
721         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
722         Updated for interface change.
723
724         * jit/JITCode.h:
725         (JSC::JITCode::timeToLive): Provide a time to live for interpreter and
726         baseline code, so they will jettison when old. Use seconds in our
727         code so that we don't need comments. Make DFG 2X interpreter+baseline,
728         and FTL 2X DFG+interpreter+baseline, also matching the time we allot
729         before throwing away all code.
730
731         * jit/JITToDFGDeferredCompilationCallback.cpp:
732         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
733         * llint/LLIntSlowPaths.cpp:
734         (JSC::LLInt::jitCompileAndSetHeuristics): Updated for interface change.
735
736         * runtime/Executable.cpp:
737         (JSC::ScriptExecutable::installCode): Allow our caller to install nullptr,
738         since we need to do this when jettisoning a baseline CodeBlock. Require
739         our caller to specify the details of the installation because we can't
740         rely on a non-null CodeBlock in order to compute them.
741
742         (JSC::ScriptExecutable::newCodeBlockFor):
743         (JSC::ScriptExecutable::prepareForExecutionImpl):
744         * runtime/Executable.h:
745         (JSC::ScriptExecutable::recordParse): Updated for interface change.
746
747         * runtime/Options.h: Renamed the CodeBlock liveness option since it now
748         controls baseline and optimized code.
749
750 2015-09-16  Geoffrey Garen  <ggaren@apple.com>
751
752         Remove obsolete code for deleting CodeBlocks
753         https://bugs.webkit.org/show_bug.cgi?id=149231
754
755         Reviewed by Mark Lam.
756
757         * heap/Heap.cpp:
758         (JSC::Heap::deleteAllCodeBlocks): ASSERT that we're called in a valid
759         state, and do the compiler waiting ourselves instead of having our
760         caller do it. This is more appropriate to our new limited use.
761
762         (JSC::Heap::collectImpl):
763         (JSC::Heap::deleteOldCode): Deleted. Don't call deleteAllCodeBlocks
764         periodically because it's not such a good idea to delete everything
765         at once, and CodeBlocks now have a more precise individual policy for
766         when to delete. Also, this function used to fail all or nearly all of
767         the time because its invariants that we were not executing or compiling
768         could not be met.
769
770         * heap/Heap.h:
771
772         * jsc.cpp:
773         (GlobalObject::finishCreation):
774         (functionDeleteAllCompiledCode): Deleted.
775         * tests/stress/deleteAllCompiledCode.js: Removed. Removed this testing
776         code because it did not do what it thought it did. All of this code
777         was guaranteed to no-op since it would run JavaScript to call a function
778         that would return early because JavaScript was running.
779
780         * runtime/VM.cpp:
781         (JSC::VM::deleteAllCode): This code is simpler now because
782         heap.deleteAllCodeBlocks does some work for us.
783
784         * runtime/VMEntryScope.cpp:
785         (JSC::VMEntryScope::VMEntryScope): Don't delete code on VM entry. This
786         policy was old, and it dated back to a time when we 
787
788             (a) couldn't run in the interpreter if compilation failed;
789
790             (b) didn't reduce the rate of compilation in response to executable
791             memory pressure;
792
793             (c) didn't throw away individual CodeBlocks automatically.
794
795 2015-09-16  Michael Saboff  <msaboff@apple.com>
796
797         [ES6] Implement tail calls in the LLInt and Baseline JIT
798         https://bugs.webkit.org/show_bug.cgi?id=148661
799
800         Fix for the breakage of Speedometer/Full.html (https://bugs.webkit.org/show_bug.cgi?id=149162).
801
802         Reviewed by Filip Pizlo.

803         Changed SetupVarargsFrame.cpp::emitSetVarargsFrame to align the callframe size to be a
804         multiple of stackAlignmentRegisters() in addition to the location of the new frame.
805
806         Fix reviewed by Filip Pizlo.
807
808         * CMakeLists.txt:
809         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
810         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
811         * JavaScriptCore.xcodeproj/project.pbxproj:
812         * assembler/AbortReason.h:
813         * assembler/AbstractMacroAssembler.h:
814         (JSC::AbstractMacroAssembler::Call::Call):
815         (JSC::AbstractMacroAssembler::repatchNearCall):
816         (JSC::AbstractMacroAssembler::repatchCompact):
817         * assembler/CodeLocation.h:
818         (JSC::CodeLocationNearCall::CodeLocationNearCall):
819         (JSC::CodeLocationNearCall::callMode):
820         (JSC::CodeLocationCommon::callAtOffset):
821         (JSC::CodeLocationCommon::nearCallAtOffset):
822         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
823         * assembler/LinkBuffer.h:
824         (JSC::LinkBuffer::locationOfNearCall):
825         (JSC::LinkBuffer::locationOf):
826         * assembler/MacroAssemblerARM.h:
827         (JSC::MacroAssemblerARM::nearCall):
828         (JSC::MacroAssemblerARM::nearTailCall):
829         (JSC::MacroAssemblerARM::call):
830         (JSC::MacroAssemblerARM::linkCall):
831         * assembler/MacroAssemblerARM64.h:
832         (JSC::MacroAssemblerARM64::nearCall):
833         (JSC::MacroAssemblerARM64::nearTailCall):
834         (JSC::MacroAssemblerARM64::ret):
835         (JSC::MacroAssemblerARM64::linkCall):
836         * assembler/MacroAssemblerARMv7.h:
837         (JSC::MacroAssemblerARMv7::nearCall):
838         (JSC::MacroAssemblerARMv7::nearTailCall):
839         (JSC::MacroAssemblerARMv7::call):
840         (JSC::MacroAssemblerARMv7::linkCall):
841         * assembler/MacroAssemblerMIPS.h:
842         (JSC::MacroAssemblerMIPS::nearCall):
843         (JSC::MacroAssemblerMIPS::nearTailCall):
844         (JSC::MacroAssemblerMIPS::call):
845         (JSC::MacroAssemblerMIPS::linkCall):
846         (JSC::MacroAssemblerMIPS::repatchCall):
847         * assembler/MacroAssemblerSH4.h:
848         (JSC::MacroAssemblerSH4::call):
849         (JSC::MacroAssemblerSH4::nearTailCall):
850         (JSC::MacroAssemblerSH4::nearCall):
851         (JSC::MacroAssemblerSH4::linkCall):
852         (JSC::MacroAssemblerSH4::repatchCall):
853         * assembler/MacroAssemblerX86.h:
854         (JSC::MacroAssemblerX86::linkCall):
855         * assembler/MacroAssemblerX86Common.h:
856         (JSC::MacroAssemblerX86Common::breakpoint):
857         (JSC::MacroAssemblerX86Common::nearTailCall):
858         (JSC::MacroAssemblerX86Common::nearCall):
859         * assembler/MacroAssemblerX86_64.h:
860         (JSC::MacroAssemblerX86_64::linkCall):
861         * bytecode/BytecodeList.json:
862         * bytecode/BytecodeUseDef.h:
863         (JSC::computeUsesForBytecodeOffset):
864         (JSC::computeDefsForBytecodeOffset):
865         * bytecode/CallLinkInfo.h:
866         (JSC::CallLinkInfo::callTypeFor):
867         (JSC::CallLinkInfo::isVarargsCallType):
868         (JSC::CallLinkInfo::CallLinkInfo):
869         (JSC::CallLinkInfo::specializationKind):
870         (JSC::CallLinkInfo::callModeFor):
871         (JSC::CallLinkInfo::callMode):
872         (JSC::CallLinkInfo::isTailCall):
873         (JSC::CallLinkInfo::isVarargs):
874         (JSC::CallLinkInfo::registerPreservationMode):
875         * bytecode/CallLinkStatus.cpp:
876         (JSC::CallLinkStatus::computeFromLLInt):
877         * bytecode/CodeBlock.cpp:
878         (JSC::CodeBlock::dumpBytecode):
879         (JSC::CodeBlock::CodeBlock):
880         * bytecompiler/BytecodeGenerator.cpp:
881         (JSC::BytecodeGenerator::BytecodeGenerator):
882         (JSC::BytecodeGenerator::emitCallInTailPosition):
883         (JSC::BytecodeGenerator::emitCallEval):
884         (JSC::BytecodeGenerator::emitCall):
885         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
886         (JSC::BytecodeGenerator::emitConstructVarargs):
887         * bytecompiler/NodesCodegen.cpp:
888         (JSC::CallArguments::CallArguments):
889         (JSC::LabelNode::emitBytecode):
890         * dfg/DFGByteCodeParser.cpp:
891         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
892         * ftl/FTLLowerDFGToLLVM.cpp:
893         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
894         * interpreter/Interpreter.h:
895         (JSC::Interpreter::isCallBytecode):
896         (JSC::calleeFrameForVarargs):
897         * jit/CCallHelpers.h:
898         (JSC::CCallHelpers::jumpToExceptionHandler):
899         (JSC::CCallHelpers::prepareForTailCallSlow):
900         * jit/JIT.cpp:
901         (JSC::JIT::privateCompileMainPass):
902         (JSC::JIT::privateCompileSlowCases):
903         * jit/JIT.h:
904         * jit/JITCall.cpp:
905         (JSC::JIT::compileOpCall):
906         (JSC::JIT::compileOpCallSlowCase):
907         (JSC::JIT::emit_op_call):
908         (JSC::JIT::emit_op_tail_call):
909         (JSC::JIT::emit_op_call_eval):
910         (JSC::JIT::emit_op_call_varargs):
911         (JSC::JIT::emit_op_tail_call_varargs):
912         (JSC::JIT::emit_op_construct_varargs):
913         (JSC::JIT::emitSlow_op_call):
914         (JSC::JIT::emitSlow_op_tail_call):
915         (JSC::JIT::emitSlow_op_call_eval):
916         (JSC::JIT::emitSlow_op_call_varargs):
917         (JSC::JIT::emitSlow_op_tail_call_varargs):
918         (JSC::JIT::emitSlow_op_construct_varargs):
919         * jit/JITCall32_64.cpp:
920         (JSC::JIT::emitSlow_op_call):
921         (JSC::JIT::emitSlow_op_tail_call):
922         (JSC::JIT::emitSlow_op_call_eval):
923         (JSC::JIT::emitSlow_op_call_varargs):
924         (JSC::JIT::emitSlow_op_tail_call_varargs):
925         (JSC::JIT::emitSlow_op_construct_varargs):
926         (JSC::JIT::emit_op_call):
927         (JSC::JIT::emit_op_tail_call):
928         (JSC::JIT::emit_op_call_eval):
929         (JSC::JIT::emit_op_call_varargs):
930         (JSC::JIT::emit_op_tail_call_varargs):
931         (JSC::JIT::emit_op_construct_varargs):
932         (JSC::JIT::compileOpCall):
933         (JSC::JIT::compileOpCallSlowCase):
934         * jit/JITInlines.h:
935         (JSC::JIT::emitNakedCall):
936         (JSC::JIT::emitNakedTailCall):
937         (JSC::JIT::updateTopCallFrame):
938         * jit/JITOperations.cpp:
939         * jit/JITOperations.h:
940         * jit/Repatch.cpp:
941         (JSC::linkVirtualFor):
942         (JSC::linkPolymorphicCall):
943         * jit/SetupVarargsFrame.cpp:
944         (JSC::emitSetVarargsFrame):
945         * jit/ThunkGenerators.cpp:
946         (JSC::throwExceptionFromCallSlowPathGenerator):
947         (JSC::slowPathFor):
948         (JSC::linkCallThunkGenerator):
949         (JSC::virtualThunkFor):
950         (JSC::arityFixupGenerator):
951         (JSC::unreachableGenerator):
952         (JSC::baselineGetterReturnThunkGenerator):
953         * jit/ThunkGenerators.h:
954         * llint/LowLevelInterpreter.asm:
955         * llint/LowLevelInterpreter32_64.asm:
956         * llint/LowLevelInterpreter64.asm:
957         * runtime/CommonSlowPaths.h:
958         (JSC::CommonSlowPaths::arityCheckFor):
959         (JSC::CommonSlowPaths::opIn):
960
961 2015-09-15  Michael Saboff  <msaboff@apple.com>
962
963         Rollout r189774 and 189818.
964
965         Broke Speedometer/Full.html
966
967         Not reviewed.
968
969         * CMakeLists.txt:
970         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
971         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
972         * JavaScriptCore.xcodeproj/project.pbxproj:
973         * assembler/AbortReason.h:
974         * assembler/AbstractMacroAssembler.h:
975         (JSC::AbstractMacroAssembler::Call::Call):
976         (JSC::AbstractMacroAssembler::repatchNearCall):
977         (JSC::AbstractMacroAssembler::repatchCompact):
978         * assembler/CodeLocation.h:
979         (JSC::CodeLocationNearCall::CodeLocationNearCall):
980         (JSC::CodeLocationCommon::callAtOffset):
981         (JSC::CodeLocationCommon::nearCallAtOffset):
982         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
983         (JSC::CodeLocationNearCall::callMode): Deleted.
984         * assembler/LinkBuffer.h:
985         (JSC::LinkBuffer::locationOfNearCall):
986         (JSC::LinkBuffer::locationOf):
987         * assembler/MacroAssemblerARM.h:
988         (JSC::MacroAssemblerARM::nearCall):
989         (JSC::MacroAssemblerARM::call):
990         (JSC::MacroAssemblerARM::linkCall):
991         (JSC::MacroAssemblerARM::nearTailCall): Deleted.
992         * assembler/MacroAssemblerARM64.h:
993         (JSC::MacroAssemblerARM64::nearCall):
994         (JSC::MacroAssemblerARM64::ret):
995         (JSC::MacroAssemblerARM64::linkCall):
996         (JSC::MacroAssemblerARM64::nearTailCall): Deleted.
997         * assembler/MacroAssemblerARMv7.h:
998         (JSC::MacroAssemblerARMv7::nearCall):
999         (JSC::MacroAssemblerARMv7::call):
1000         (JSC::MacroAssemblerARMv7::linkCall):
1001         (JSC::MacroAssemblerARMv7::nearTailCall): Deleted.
1002         * assembler/MacroAssemblerMIPS.h:
1003         (JSC::MacroAssemblerMIPS::nearCall):
1004         (JSC::MacroAssemblerMIPS::call):
1005         (JSC::MacroAssemblerMIPS::linkCall):
1006         (JSC::MacroAssemblerMIPS::repatchCall):
1007         (JSC::MacroAssemblerMIPS::nearTailCall): Deleted.
1008         * assembler/MacroAssemblerSH4.h:
1009         (JSC::MacroAssemblerSH4::call):
1010         (JSC::MacroAssemblerSH4::nearCall):
1011         (JSC::MacroAssemblerSH4::linkCall):
1012         (JSC::MacroAssemblerSH4::repatchCall):
1013         (JSC::MacroAssemblerSH4::nearTailCall): Deleted.
1014         * assembler/MacroAssemblerX86.h:
1015         (JSC::MacroAssemblerX86::linkCall):
1016         * assembler/MacroAssemblerX86Common.h:
1017         (JSC::MacroAssemblerX86Common::breakpoint):
1018         (JSC::MacroAssemblerX86Common::nearCall):
1019         (JSC::MacroAssemblerX86Common::nearTailCall): Deleted.
1020         * assembler/MacroAssemblerX86_64.h:
1021         (JSC::MacroAssemblerX86_64::linkCall):
1022         * bytecode/BytecodeList.json:
1023         * bytecode/BytecodeUseDef.h:
1024         (JSC::computeUsesForBytecodeOffset):
1025         (JSC::computeDefsForBytecodeOffset):
1026         * bytecode/CallLinkInfo.h:
1027         (JSC::CallLinkInfo::callTypeFor):
1028         (JSC::CallLinkInfo::CallLinkInfo):
1029         (JSC::CallLinkInfo::specializationKind):
1030         (JSC::CallLinkInfo::registerPreservationMode):
1031         (JSC::CallLinkInfo::isVarargsCallType): Deleted.
1032         (JSC::CallLinkInfo::callModeFor): Deleted.
1033         (JSC::CallLinkInfo::callMode): Deleted.
1034         (JSC::CallLinkInfo::isTailCall): Deleted.
1035         (JSC::CallLinkInfo::isVarargs): Deleted.
1036         * bytecode/CallLinkStatus.cpp:
1037         (JSC::CallLinkStatus::computeFromLLInt):
1038         * bytecode/CodeBlock.cpp:
1039         (JSC::CodeBlock::dumpBytecode):
1040         (JSC::CodeBlock::CodeBlock):
1041         * bytecompiler/BytecodeGenerator.cpp:
1042         (JSC::BytecodeGenerator::BytecodeGenerator):
1043         (JSC::BytecodeGenerator::emitCallInTailPosition):
1044         (JSC::BytecodeGenerator::emitCallEval):
1045         (JSC::BytecodeGenerator::emitCall):
1046         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1047         (JSC::BytecodeGenerator::emitConstructVarargs):
1048         * bytecompiler/NodesCodegen.cpp:
1049         (JSC::CallArguments::CallArguments):
1050         (JSC::LabelNode::emitBytecode):
1051         * dfg/DFGByteCodeParser.cpp:
1052         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1053         * ftl/FTLLowerDFGToLLVM.cpp:
1054         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1055         * interpreter/Interpreter.h:
1056         (JSC::Interpreter::isCallBytecode):
1057         * jit/CCallHelpers.h:
1058         (JSC::CCallHelpers::jumpToExceptionHandler):
1059         (JSC::CCallHelpers::prepareForTailCallSlow): Deleted.
1060         * jit/JIT.cpp:
1061         (JSC::JIT::privateCompileMainPass):
1062         (JSC::JIT::privateCompileSlowCases):
1063         * jit/JIT.h:
1064         * jit/JITCall.cpp:
1065         (JSC::JIT::compileOpCall):
1066         (JSC::JIT::compileOpCallSlowCase):
1067         (JSC::JIT::emit_op_call):
1068         (JSC::JIT::emit_op_call_eval):
1069         (JSC::JIT::emit_op_call_varargs):
1070         (JSC::JIT::emit_op_construct_varargs):
1071         (JSC::JIT::emitSlow_op_call):
1072         (JSC::JIT::emitSlow_op_call_eval):
1073         (JSC::JIT::emitSlow_op_call_varargs):
1074         (JSC::JIT::emitSlow_op_construct_varargs):
1075         (JSC::JIT::emit_op_tail_call): Deleted.
1076         (JSC::JIT::emit_op_tail_call_varargs): Deleted.
1077         (JSC::JIT::emitSlow_op_tail_call): Deleted.
1078         (JSC::JIT::emitSlow_op_tail_call_varargs): Deleted.
1079         * jit/JITCall32_64.cpp:
1080         (JSC::JIT::emitSlow_op_call):
1081         (JSC::JIT::emitSlow_op_call_eval):
1082         (JSC::JIT::emitSlow_op_call_varargs):
1083         (JSC::JIT::emitSlow_op_construct_varargs):
1084         (JSC::JIT::emit_op_call):
1085         (JSC::JIT::emit_op_call_eval):
1086         (JSC::JIT::emit_op_call_varargs):
1087         (JSC::JIT::emit_op_construct_varargs):
1088         (JSC::JIT::compileOpCall):
1089         (JSC::JIT::compileOpCallSlowCase):
1090         (JSC::JIT::emitSlow_op_tail_call): Deleted.
1091         (JSC::JIT::emitSlow_op_tail_call_varargs): Deleted.
1092         (JSC::JIT::emit_op_tail_call): Deleted.
1093         (JSC::JIT::emit_op_tail_call_varargs): Deleted.
1094         * jit/JITInlines.h:
1095         (JSC::JIT::emitNakedCall):
1096         (JSC::JIT::updateTopCallFrame):
1097         (JSC::JIT::emitNakedTailCall): Deleted.
1098         * jit/JITOperations.cpp:
1099         * jit/JITOperations.h:
1100         * jit/Repatch.cpp:
1101         (JSC::linkVirtualFor):
1102         (JSC::linkPolymorphicCall):
1103         * jit/ThunkGenerators.cpp:
1104         (JSC::throwExceptionFromCallSlowPathGenerator):
1105         (JSC::slowPathFor):
1106         (JSC::linkCallThunkGenerator):
1107         (JSC::virtualThunkFor):
1108         (JSC::arityFixupGenerator):
1109         (JSC::baselineGetterReturnThunkGenerator):
1110         (JSC::unreachableGenerator): Deleted.
1111         * jit/ThunkGenerators.h:
1112         * llint/LowLevelInterpreter.asm:
1113         * llint/LowLevelInterpreter32_64.asm:
1114         * llint/LowLevelInterpreter64.asm:
1115         * runtime/CommonSlowPaths.h:
1116         (JSC::CommonSlowPaths::arityCheckFor):
1117         (JSC::CommonSlowPaths::opIn):
1118         * tests/stress/mutual-tail-call-no-stack-overflow.js: Removed.
1119         * tests/stress/tail-call-no-stack-overflow.js: Removed.
1120         * tests/stress/tail-call-recognize.js: Removed.
1121         * tests/stress/tail-call-varargs-no-stack-overflow.js: Removed.
1122         * tests/stress/tail-calls-dont-overwrite-live-stack.js: Removed.
1123
1124 2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1125
1126         Implement imported global variables in WebAssembly
1127         https://bugs.webkit.org/show_bug.cgi?id=149206
1128
1129         Reviewed by Filip Pizlo.
1130
1131         Values can now be imported to a WebAssembly module through properties of
1132         the imports object that is passed to loadWebAssembly(). In order to
1133         avoid any side effect when accessing the imports object, we check that
1134         the properties are data properties. We also check that each value is a
1135         primitive and is not a Symbol. According to the ECMA262 6.0 spec,
1136         calling ToNumber() on a primitive that is not a Symbol should not cause
1137         any side effect.[1]
1138
1139         [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-tonumber
1140
1141         * tests/stress/wasm-globals.js:
1142         * tests/stress/wasm/globals.wasm:
1143         * wasm/WASMModuleParser.cpp:
1144         (JSC::WASMModuleParser::parseModule):
1145         (JSC::WASMModuleParser::parseGlobalSection):
1146         * wasm/WASMModuleParser.h:
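        Added example (not JavaScriptCore code, and not the entry's test): a plain
        JavaScript reader for an imports object that applies the three checks the
        entry describes before calling ToNumber, so no code controlled by the
        imports object runs while the globals are read. The function names, error
        messages and sample inputs are constructed for this example.

```javascript
// Added example, not JavaScriptCore code: read imported globals from an
// untrusted imports object without running any code the object controls.
// The checks follow the entry above: each import must be a data property whose
// value is a primitive other than a Symbol; only then is ToNumber applied,
// which the ES6 spec guarantees is side-effect free for such values.

function isPrimitiveNonSymbol(v) {
  if (v === null) return true;            // ToNumber(null) is 0; no code runs
  switch (typeof v) {
    case "number": case "string": case "boolean": case "undefined":
      return true;
    default:
      // "object" and "function" can hook valueOf/toString/Symbol.toPrimitive,
      // "symbol" makes ToNumber throw, and "bigint" postdates the ES6 rule.
      return false;
  }
}

function readImportedGlobals(imports, names) {
  if (imports === null || typeof imports !== "object")
    throw new TypeError("imports must be an object");
  const values = Object.create(null);
  for (const name of names) {
    // getOwnPropertyDescriptor does not invoke getters, unlike imports[name].
    // (A Proxy could still intercept this call; the checks bound what an
    // ordinary object can do, which is the case the entry describes.)
    const desc = Object.getOwnPropertyDescriptor(imports, name);
    if (desc === undefined)
      throw new TypeError(`missing import "${name}"`);
    if (!("value" in desc))
      throw new TypeError(`import "${name}" must be a data property, not an accessor`);
    if (!isPrimitiveNonSymbol(desc.value))
      throw new TypeError(`import "${name}" must be a primitive, non-Symbol value`);
    values[name] = Number(desc.value);    // Number(primitive) is exactly ToNumber
  }
  return values;
}

// Constructed inputs showing what the checks reject. The log records any
// user code that ran while reading; it must stay empty.
const log = [];
const hostile = {
  // an accessor: reading imports.a would run the getter
  get a() { log.push("getter ran"); return 1; },
  // an object whose valueOf would run inside ToNumber
  b: { valueOf() { log.push("valueOf ran"); return 2; } },
  // a Symbol: ToNumber would throw
  c: Symbol("c"),
};

function demo() {
  const outcomes = {};
  for (const name of ["a", "b", "c"]) {
    try {
      readImportedGlobals(hostile, [name]);
      outcomes[name] = "accepted";
    } catch (e) {
      outcomes[name] = e.message;
    }
  }
  outcomes.userCodeRan = log.length;
  return outcomes;
}

console.log(readImportedGlobals({ x: 1, y: "2.5", z: true }, ["x", "y", "z"]));
console.log(demo());
```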
1147
1148 2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1149
1150         Fix asm.js errors in WebAssembly tests
1151         https://bugs.webkit.org/show_bug.cgi?id=149203
1152
1153         Reviewed by Geoffrey Garen.
1154
1155         Our WebAssembly implementation uses asm.js for testing. Using Firefox to
1156         parse asm.js reveals many errors that are not caught by pack-asmjs. For
1157         example,
1158         - asm.js does not allow the use of the multiplication operator (*) to
1159           multiply two integers, because the result can be so large that some
1160           lower bits of precision are lost. Math.imul is used instead.
1161         - an int variable must be coerced to either signed (via x|0) or unsigned
1162           (via x>>>0) before it's returned.
1163
1164         * tests/stress/wasm-arithmetic-int32.js:
1165         * tests/stress/wasm-calls.js:
1166         * tests/stress/wasm-control-flow.js:
1167         * tests/stress/wasm-globals.js:
1168         * tests/stress/wasm-locals.js:
1169         * tests/stress/wasm-relational.js:
1170         * tests/stress/wasm/control-flow.wasm:
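        Added example (not JavaScriptCore code, and not one of the tests listed
        above): plain JavaScript, without a "use asm" directive, showing why the
        two asm.js rules matter. Function names and sample inputs are constructed
        for this example.

```javascript
// Added example, not JavaScriptCore code: the two asm.js rules above, shown
// on a concrete input where they change the result.

// The pattern the entry says pack-asmjs let through: a and b are JS doubles,
// so the product is rounded to 53 bits of precision before "| 0" keeps the
// low 32 bits.
function mulViaDouble(a, b) {
  return (a * b) | 0;
}

// The asm.js form: Math.imul computes the exact low 32 bits of the product.
// The int result is coerced to signed with "| 0" before being returned ...
function mulSigned(a, b) {
  return Math.imul(a | 0, b | 0) | 0;
}

// ... or to unsigned with ">>> 0".
function mulUnsigned(a, b) {
  return Math.imul(a | 0, b | 0) >>> 0;
}

// The two coercions applied to a bare int value.
function toSigned(x) {
  return x | 0;
}
function toUnsigned(x) {
  return x >>> 0;
}

// True when the double product of two integers is exact, i.e. below 2^53.
function doubleProductIsExact(a, b) {
  return Number.isSafeInteger(a * b);
}

// Constructed input: (2^31 - 1)^2 = 2^62 - 2^32 + 1 needs 62 bits, so the
// double drops the trailing 1 and "| 0" then yields 0 instead of 1.
const a = 0x7fffffff;
console.log(doubleProductIsExact(a, a));       // false
console.log(mulViaDouble(a, a));               // 0 (wrong)
console.log(mulSigned(a, a));                  // 1 (correct int32 result)
console.log(mulSigned(-1, 0x80000000 | 0));    // -2147483648
console.log(mulUnsigned(-1, 0x80000000 | 0));  // 2147483648 (same 32 bits, unsigned view)
console.log(toSigned(0xffffffff), toUnsigned(-1)); // -1 4294967295
```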
1171
1172 2015-09-15  Ryosuke Niwa  <rniwa@webkit.org>
1173
1174         Add ShadowRoot interface and Element.prototype.attachShadow
1175         https://bugs.webkit.org/show_bug.cgi?id=149187
1176
1177         Reviewed by Antti Koivisto.
1178
1179         * Configurations/FeatureDefines.xcconfig:
1180
1181 2015-09-15  Joseph Pecoraro  <pecoraro@apple.com>
1182
1183         Web Inspector: Paused Debugger prevents page reload
1184         https://bugs.webkit.org/show_bug.cgi?id=148174
1185
1186         Reviewed by Brian Burg.
1187
1188         * debugger/Debugger.h:
1189         (JSC::Debugger::suppressAllPauses):
1190         (JSC::Debugger::setSuppressAllPauses):
1191         * debugger/Debugger.cpp:
1192         (JSC::Debugger::Debugger):
1193         (JSC::Debugger::pauseIfNeeded):
1194         * inspector/agents/InspectorDebuggerAgent.h:
1195         * inspector/agents/InspectorDebuggerAgent.cpp:
1196         (Inspector::InspectorDebuggerAgent::setSuppressAllPauses):
1197         Provide a way to suppress pauses.
1198
1199 2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1200
1201         Implement calls to JavaScript functions in WebAssembly
1202         https://bugs.webkit.org/show_bug.cgi?id=149093
1203
1204         Reviewed by Filip Pizlo.
1205
1206         This patch implements calls to JavaScript functions in WebAssembly.
1207         WebAssembly functions can only call JavaScript functions that are
1208         imported to their module via an object that is passed into
1209         loadWebAssembly(). References to JavaScript functions are resolved at
1210         the module's load time, just like asm.js.
1211
1212         * jsc.cpp:
1213         (GlobalObject::finishCreation):
1214         (functionLoadWebAssembly):
1215         * tests/stress/wasm-calls.js:
1216         * tests/stress/wasm/calls.wasm:
1217         * wasm/JSWASMModule.cpp:
1218         (JSC::JSWASMModule::visitChildren):
1219         * wasm/JSWASMModule.h:
1220         (JSC::JSWASMModule::importedFunctions):
1221         * wasm/WASMFunctionCompiler.h:
1222         (JSC::WASMFunctionCompiler::buildCallImport):
1223         * wasm/WASMFunctionParser.cpp:
1224         (JSC::WASMFunctionParser::parseExpressionI32):
1225         (JSC::WASMFunctionParser::parseExpressionF64):
1226         (JSC::WASMFunctionParser::parseCallImport):
1227         * wasm/WASMFunctionParser.h:
1228         * wasm/WASMFunctionSyntaxChecker.h:
1229         (JSC::WASMFunctionSyntaxChecker::buildCallInternal):
1230         (JSC::WASMFunctionSyntaxChecker::buildCallImport):
1231         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall):
1232         * wasm/WASMModuleParser.cpp:
1233         (JSC::WASMModuleParser::WASMModuleParser):
1234         (JSC::WASMModuleParser::parse):
1235         (JSC::WASMModuleParser::parseModule):
1236         (JSC::WASMModuleParser::parseFunctionImportSection):
1237         (JSC::WASMModuleParser::getImportedValue):
1238         (JSC::parseWebAssembly):
1239         * wasm/WASMModuleParser.h:
1240
1241 2015-09-15  Csaba Osztrogonác  <ossy@webkit.org>
1242
1243         Fix the !ENABLE(DFG_JIT) build after r188696
1244         https://bugs.webkit.org/show_bug.cgi?id=149158
1245
1246         Reviewed by Yusuke Suzuki.
1247
1248         * bytecode/GetByIdStatus.cpp:
1249         * bytecode/GetByIdStatus.h:
1250
1251 2015-09-15  Saam barati  <sbarati@apple.com>
1252
1253         functions that use try/catch will allocate a top level JSLexicalEnvironment even when it is not necessary
1254         https://bugs.webkit.org/show_bug.cgi?id=148169
1255
1256         Reviewed by Geoffrey Garen.
1257
1258         We used to do this before we had proper lexical scoping
1259         in the bytecode generator. There is absolutely no reason
1260         why we need to allocate a top-level "var" activation when a
1261         function/program uses a "catch" block.
1262
1263         * parser/ASTBuilder.h:
1264         (JSC::ASTBuilder::createTryStatement):
1265         (JSC::ASTBuilder::incConstants):
1266         (JSC::ASTBuilder::usesThis):
1267         (JSC::ASTBuilder::usesArguments):
1268         (JSC::ASTBuilder::usesWith):
1269         (JSC::ASTBuilder::usesEval):
1270         (JSC::ASTBuilder::usesCatch): Deleted.
1271         * parser/Nodes.h:
1272         (JSC::ScopeNode::isStrictMode):
1273         (JSC::ScopeNode::setUsesArguments):
1274         (JSC::ScopeNode::usesThis):
1275         (JSC::ScopeNode::needsActivation):
1276         (JSC::ScopeNode::hasCapturedVariables):
1277         (JSC::ScopeNode::captures):
1278         (JSC::ScopeNode::needsActivationForMoreThanVariables): Deleted.
1279         * parser/ParserModes.h:
1280         * runtime/Executable.h:
1281         (JSC::ScriptExecutable::usesEval):
1282         (JSC::ScriptExecutable::usesArguments):
1283         (JSC::ScriptExecutable::needsActivation):
1284         (JSC::ScriptExecutable::isStrictMode):
1285         (JSC::ScriptExecutable::ecmaMode):
1286
1287 2015-09-15  Michael Saboff  <msaboff@apple.com>
1288
1289         REGRESSION(r189774): CLoop doesn't build after r189774
1290         https://bugs.webkit.org/show_bug.cgi?id=149171
1291
1292         Unreviewed build fix for the C Loop.
1293
1294         Added needed C Loop label opcodes.
1295
1296         * bytecode/BytecodeList.json:
1297
1298 2015-09-15  Andy VanWagoner  <thetalecrafter@gmail.com>
1299
1300         [INTL] Implement supportedLocalesOf on Intl Constructors
1301         https://bugs.webkit.org/show_bug.cgi?id=147599
1302
1303         Reviewed by Benjamin Poulain.
1304
1305         Implements all of the abstract operations used by supportedLocalesOf,
1306         except during canonicalization it does not replace redundant tags,
1307         or subtags with their preferred values.
1308
1309         * icu/unicode/ucal.h: Added.
1310         * icu/unicode/udat.h: Added.
1311         * icu/unicode/umisc.h: Added.
1312         * icu/unicode/unum.h: Added.
1313         * icu/unicode/utypes.h: Clear the U_SHOW_CPLUSPLUS_API flag to prevent C++ headers from being included.
1314         * runtime/CommonIdentifiers.h: Added localeMatcher.
1315         * runtime/IntlCollatorConstructor.cpp:
1316         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Implemented.
1317         * runtime/IntlDateTimeFormatConstructor.cpp:
1318         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Implemented.
1319         * runtime/IntlNumberFormatConstructor.cpp:
1320         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Implemented.
1321         * runtime/IntlObject.cpp:
1322         (JSC::canonicalizeLanguageTag):
1323         (JSC::getCanonicalLangTag):
1324         (JSC::getPrivateUseLangTag):
1325         (JSC::getGrandfatheredLangTag):
1326         (JSC::canonicalizeLocaleList):
1327         (JSC::bestAvailableLocale):
1328         (JSC::lookupSupportedLocales):
1329         (JSC::bestFitSupportedLocales):
1330         (JSC::supportedLocales):
1331         (JSC::getIntlStringOption):
1332         (JSC::getIntlBooleanOption):
1333         * runtime/IntlObject.h:
1334         * runtime/JSCJSValue.h: Added toLength.
1335         * runtime/JSCJSValue.cpp: Added toLength.
1336         (JSC::JSValue::toLength): Implement ToLength from ECMA 262 6.0 7.1.15.
1337         * runtime/JSGlobalObject.cpp:
1338         (JSC::JSGlobalObject::intlCollatorAvailableLocales): Added lazy locale list.
1339         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): Added lazy locale list.
1340         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): Added lazy locale list.
1341         * runtime/JSGlobalObject.h:
1342
1343 2015-09-14  Saam barati  <sbarati@apple.com>
1344
1345         rename callFrameForThrow to callFrameForCatch
1346         https://bugs.webkit.org/show_bug.cgi?id=149136
1347
1348         Reviewed by Michael Saboff.
1349
1350         We use "callFrameForThrow" to mean the call frame in
1351         which we're catching the exception. The field name
1352         should accurately represent its purpose by being
1353         named "callFrameForCatch".
1354
1355         * jit/CCallHelpers.h:
1356         (JSC::CCallHelpers::jumpToExceptionHandler):
1357         * jit/JITExceptions.cpp:
1358         (JSC::genericUnwind):
1359         * jit/JITOpcodes.cpp:
1360         (JSC::JIT::emit_op_catch):
1361         * jit/JITOpcodes32_64.cpp:
1362         (JSC::JIT::emit_op_catch):
1363         * jit/JITOperations.cpp:
1364         * llint/LowLevelInterpreter32_64.asm:
1365         * llint/LowLevelInterpreter64.asm:
1366         * runtime/VM.h:
1367         (JSC::VM::exceptionOffset):
1368         (JSC::VM::callFrameForCatchOffset):
1369         (JSC::VM::targetMachinePCForThrowOffset):
1370         (JSC::VM::callFrameForThrowOffset): Deleted.
1371
1372 2015-09-14  Basile Clement  <basile_clement@apple.com>
1373
1374         [ES6] Implement tail calls in the LLInt and Baseline JIT
1375         https://bugs.webkit.org/show_bug.cgi?id=148661
1376
1377         Reviewed by Filip Pizlo.
1378
1379         This patch introduces two new opcodes, op_tail_call and
1380         op_tail_call_varargs, to perform tail calls, and implements them in the
1381         LLInt and baseline JIT. Their use prevents DFG and FTL compilation for
1382         now. They are currently implemented by sliding the call frame and
1383         masquerading as our own caller right before performing an actual call.
1384
1385         This required changing the operationLink family of operations to return
1386         a SlowPathReturnType instead of a char* in order to distinguish between
1387         exception cases and actual call cases. We introduce a new FrameAction
1388         enum that indicates whether to reuse (non-exceptional tail call) or
1389         keep the current call frame (non-tail call, and exceptional cases).
1390
1391         This is also a semantics change, since the Function.caller property is
1392         now leaking tail calls. Since tail calls are only used in strict mode,
1393         which poisons this property, the only way of seeing this semantics
1394         change is when a sloppy function calls a strict function that then
1395         tail-calls a sloppy function. Previously, the second sloppy function's
1396         caller would have been the strict function (i.e. raises a TypeError
1397         when the .caller attribute is accessed), while it is now the first
1398         sloppy function. Tests have been updated to reflect that.
1399
1400         This also changes the assumptions we make about call frames. In order
1401         to be relatively efficient, we want to be able to compute the frame
1402         size based only on the argument count, which was not possible
1403         previously. To enable this, we now enforce at the bytecode generator,
1404         DFG and FTL level that any space reserved for a call frame is
1405         stack-aligned, which allows us to easily compute its size when performing
1406         a tail call. In all the "special call cases" (calls from native code,
1407         inlined cache calls, etc.), we are starting the frame at the current
1408         stack pointer and thus will always have a stack-aligned frame size.
1409
1410         Finally, this patch adds a couple of tests to check that tail calls run
1411         in constant stack space, as well as tests checking that tail calls are
1412         recognized correctly. Those tests use the handy aforementioned leaking
1413         of tail calls through Function.caller to detect tail calls. 
1414
1415         Given that this patch only implements tail calls for the LLInt and
1416         Baseline JIT, tail calls are disabled by default.  Until changes are
1417         landed for all tiers, tail call testing and use requires the
1418         --enableTailCalls=true or equivalent.
1419
1420         * CMakeLists.txt:
1421         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1422         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1423         * JavaScriptCore.xcodeproj/project.pbxproj:
1424         * assembler/AbortReason.h:
1425         * assembler/AbstractMacroAssembler.h:
1426         (JSC::AbstractMacroAssembler::Call::Call):
1427         (JSC::AbstractMacroAssembler::repatchNearCall):
1428         (JSC::AbstractMacroAssembler::repatchCompact):
1429         * assembler/CodeLocation.h:
1430         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1431         (JSC::CodeLocationNearCall::callMode):
1432         (JSC::CodeLocationCommon::callAtOffset):
1433         (JSC::CodeLocationCommon::nearCallAtOffset):
1434         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
1435         * assembler/LinkBuffer.h:
1436         (JSC::LinkBuffer::locationOfNearCall):
1437         (JSC::LinkBuffer::locationOf):
1438         * assembler/MacroAssemblerARM.h:
1439         (JSC::MacroAssemblerARM::nearCall):
1440         (JSC::MacroAssemblerARM::nearTailCall):
1441         (JSC::MacroAssemblerARM::call):
1442         (JSC::MacroAssemblerARM::linkCall):
1443         * assembler/MacroAssemblerARM64.h:
1444         (JSC::MacroAssemblerARM64::nearCall):
1445         (JSC::MacroAssemblerARM64::nearTailCall):
1446         (JSC::MacroAssemblerARM64::ret):
1447         (JSC::MacroAssemblerARM64::linkCall):
1448         * assembler/MacroAssemblerARMv7.h:
1449         (JSC::MacroAssemblerARMv7::nearCall):
1450         (JSC::MacroAssemblerARMv7::nearTailCall):
1451         (JSC::MacroAssemblerARMv7::call):
1452         (JSC::MacroAssemblerARMv7::linkCall):
1453         * assembler/MacroAssemblerMIPS.h:
1454         (JSC::MacroAssemblerMIPS::nearCall):
1455         (JSC::MacroAssemblerMIPS::nearTailCall):
1456         (JSC::MacroAssemblerMIPS::call):
1457         (JSC::MacroAssemblerMIPS::linkCall):
1458         (JSC::MacroAssemblerMIPS::repatchCall):
1459         * assembler/MacroAssemblerSH4.h:
1460         (JSC::MacroAssemblerSH4::call):
1461         (JSC::MacroAssemblerSH4::nearTailCall):
1462         (JSC::MacroAssemblerSH4::nearCall):
1463         (JSC::MacroAssemblerSH4::linkCall):
1464         (JSC::MacroAssemblerSH4::repatchCall):
1465         * assembler/MacroAssemblerX86.h:
1466         (JSC::MacroAssemblerX86::linkCall):
1467         * assembler/MacroAssemblerX86Common.h:
1468         (JSC::MacroAssemblerX86Common::breakpoint):
1469         (JSC::MacroAssemblerX86Common::nearTailCall):
1470         (JSC::MacroAssemblerX86Common::nearCall):
1471         * assembler/MacroAssemblerX86_64.h:
1472         (JSC::MacroAssemblerX86_64::linkCall):
1473         * bytecode/BytecodeList.json:
1474         * bytecode/BytecodeUseDef.h:
1475         (JSC::computeUsesForBytecodeOffset):
1476         (JSC::computeDefsForBytecodeOffset):
1477         * bytecode/CallLinkInfo.h:
1478         (JSC::CallLinkInfo::callTypeFor):
1479         (JSC::CallLinkInfo::isVarargsCallType):
1480         (JSC::CallLinkInfo::CallLinkInfo):
1481         (JSC::CallLinkInfo::specializationKind):
1482         (JSC::CallLinkInfo::callModeFor):
1483         (JSC::CallLinkInfo::callMode):
1484         (JSC::CallLinkInfo::isTailCall):
1485         (JSC::CallLinkInfo::isVarargs):
1486         (JSC::CallLinkInfo::registerPreservationMode):
1487         * bytecode/CallLinkStatus.cpp:
1488         (JSC::CallLinkStatus::computeFromLLInt):
1489         * bytecode/CallMode.cpp: Added.
1490         (WTF::printInternal):
1491         * bytecode/CallMode.h: Added.
1492         * bytecode/CodeBlock.cpp:
1493         (JSC::CodeBlock::dumpBytecode):
1494         (JSC::CodeBlock::CodeBlock):
1495         * bytecompiler/BytecodeGenerator.cpp:
1496         (JSC::BytecodeGenerator::BytecodeGenerator):
1497         (JSC::BytecodeGenerator::emitCallInTailPosition):
1498         (JSC::BytecodeGenerator::emitCallEval):
1499         (JSC::BytecodeGenerator::emitCall):
1500         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1501         (JSC::BytecodeGenerator::emitConstructVarargs):
1502         * bytecompiler/NodesCodegen.cpp:
1503         (JSC::CallArguments::CallArguments):
1504         (JSC::LabelNode::emitBytecode):
1505         * dfg/DFGByteCodeParser.cpp:
1506         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1507         * ftl/FTLLowerDFGToLLVM.cpp:
1508         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1509         * interpreter/Interpreter.h:
1510         (JSC::Interpreter::isCallBytecode):
1511         * jit/CCallHelpers.h:
1512         (JSC::CCallHelpers::jumpToExceptionHandler):
1513         (JSC::CCallHelpers::prepareForTailCallSlow):
1514         * jit/JIT.cpp:
1515         (JSC::JIT::privateCompileMainPass):
1516         (JSC::JIT::privateCompileSlowCases):
1517         * jit/JIT.h:
1518         * jit/JITCall.cpp:
1519         (JSC::JIT::compileOpCall):
1520         (JSC::JIT::compileOpCallSlowCase):
1521         (JSC::JIT::emit_op_call):
1522         (JSC::JIT::emit_op_tail_call):
1523         (JSC::JIT::emit_op_call_eval):
1524         (JSC::JIT::emit_op_call_varargs):
1525         (JSC::JIT::emit_op_tail_call_varargs):
1526         (JSC::JIT::emit_op_construct_varargs):
1527         (JSC::JIT::emitSlow_op_call):
1528         (JSC::JIT::emitSlow_op_tail_call):
1529         (JSC::JIT::emitSlow_op_call_eval):
1530         (JSC::JIT::emitSlow_op_call_varargs):
1531         (JSC::JIT::emitSlow_op_tail_call_varargs):
1532         (JSC::JIT::emitSlow_op_construct_varargs):
1533         * jit/JITCall32_64.cpp:
1534         (JSC::JIT::emitSlow_op_call):
1535         (JSC::JIT::emitSlow_op_tail_call):
1536         (JSC::JIT::emitSlow_op_call_eval):
1537         (JSC::JIT::emitSlow_op_call_varargs):
1538         (JSC::JIT::emitSlow_op_tail_call_varargs):
1539         (JSC::JIT::emitSlow_op_construct_varargs):
1540         (JSC::JIT::emit_op_call):
1541         (JSC::JIT::emit_op_tail_call):
1542         (JSC::JIT::emit_op_call_eval):
1543         (JSC::JIT::emit_op_call_varargs):
1544         (JSC::JIT::emit_op_tail_call_varargs):
1545         (JSC::JIT::emit_op_construct_varargs):
1546         (JSC::JIT::compileOpCall):
1547         (JSC::JIT::compileOpCallSlowCase):
1548         * jit/JITInlines.h:
1549         (JSC::JIT::emitNakedCall):
1550         (JSC::JIT::emitNakedTailCall):
1551         (JSC::JIT::updateTopCallFrame):
1552         * jit/JITOperations.cpp:
1553         * jit/JITOperations.h:
1554         * jit/Repatch.cpp:
1555         (JSC::linkVirtualFor):
1556         (JSC::linkPolymorphicCall):
1557         * jit/ThunkGenerators.cpp:
1558         (JSC::throwExceptionFromCallSlowPathGenerator):
1559         (JSC::slowPathFor):
1560         (JSC::linkCallThunkGenerator):
1561         (JSC::virtualThunkFor):
1562         (JSC::arityFixupGenerator):
1563         (JSC::unreachableGenerator):
1564         (JSC::baselineGetterReturnThunkGenerator):
1565         * jit/ThunkGenerators.h:
1566         * llint/LowLevelInterpreter.asm:
1567         * llint/LowLevelInterpreter32_64.asm:
1568         * llint/LowLevelInterpreter64.asm:
1569         * runtime/CommonSlowPaths.h:
1570         (JSC::CommonSlowPaths::arityCheckFor):
1571         (JSC::CommonSlowPaths::opIn):
1572         * runtime/Options.h:
1573         * tests/stress/mutual-tail-call-no-stack-overflow.js: Added.
1574         (shouldThrow):
1575         (sloppyCountdown.even):
1576         (sloppyCountdown.odd):
1577         (strictCountdown.even):
1578         (strictCountdown.odd):
1579         (strictCountdown):
1580         (odd):
1581         (even):
1582         * tests/stress/tail-call-no-stack-overflow.js: Added.
1583         (shouldThrow):
1584         (strictLoop):
1585         (strictLoopArityFixup1):
1586         (strictLoopArityFixup2):
1587         * tests/stress/tail-call-recognize.js: Added.
1588         (callerMustBeRun):
1589         (callerMustBeStrict):
1590         (runTests):
1591         * tests/stress/tail-call-varargs-no-stack-overflow.js: Added.
1592         (shouldThrow):
1593         (strictLoop):
1594         * tests/stress/tail-calls-dont-overwrite-live-stack.js: Added.
1595         (tail):
1596         (obj.method):
1597         (obj.get fromNative):
1598         (getThis):
1599
1600 2015-09-14  Filip Pizlo  <fpizlo@apple.com>
1601
1602         LLInt get/put inline caches shouldn't use tons of opcodes
1603         https://bugs.webkit.org/show_bug.cgi?id=149106
1604
1605         Reviewed by Geoffrey Garen.
1606
1607         Our LLInt get/put inline caches currently use separate opcodes to reduce branching. For
1608         example, instead of having get_by_id branch on the kind of offset (inline or
1609         out-of-line), we have two get_by_id instructions: get_by_id and get_by_id_out_of_line.
1610         But the problem with this approach is that it doesn't scale. In the property type
1611         inference work (https://bugs.webkit.org/show_bug.cgi?id=148610), we need each kind of put
1612         inline cache to support 11 different kinds of type checks. It seemed ridiculous to add 60
1613         new put_by_id opcodes (there are currently 6 variants of put_by_id, so after adding type
1614         checks, we'd have 6 * 11 = 66 variants of put_by_id).
1615
1616         So, this patch completely changes the strategy to mostly using branching inside the
1617         opcode implementation. It's unlikely to have a performance effect. For example, the long
1618         road to generational GC caused a seemingly prohibitive regression in LLInt inline caches,
1619         and yet nobody noticed. The regression was because the inline cache was in terms of the
1620         structure, not the structure ID, so the code was doing a structure ID table lookup. If we
1621         didn't notice that, then we probably won't notice a couple new branches. (Also, this
1622         patch fixes that regression - the code no longer does such lookups except in the one
1623         unavoidable case in put_by_id transition chain checking.)
1624
1625         This patch also turns the isDirect operand of put_by_id into a flags field. I will use
1626         this flags field to encode the desired type check in bug 148610.
1627
1628         This patch has no effect on performance according to run-jsc-benchmarks.
1629
1630         Relanding this patch with LLInt fixes for non-x86. Previous attempts to fix non-x86 LLInt
1631         build also caused every 64-bit test to crash on every platform. So the patch got rolled
1632         out. This fixes the non-x86 LLInt build while also ensuring that 64-bit platforms don't
1633         crash.
1634
1635         * CMakeLists.txt:
1636         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1637         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1638         * JavaScriptCore.xcodeproj/project.pbxproj:
1639         * bytecode/BytecodeList.json:
1640         * bytecode/BytecodeUseDef.h:
1641         (JSC::computeUsesForBytecodeOffset):
1642         (JSC::computeDefsForBytecodeOffset):
1643         * bytecode/CodeBlock.cpp:
1644         (JSC::CodeBlock::printGetByIdOp):
1645         (JSC::CodeBlock::printGetByIdCacheStatus):
1646         (JSC::CodeBlock::printPutByIdCacheStatus):
1647         (JSC::CodeBlock::dumpBytecode):
1648         (JSC::CodeBlock::CodeBlock):
1649         (JSC::CodeBlock::propagateTransitions):
1650         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1651         * bytecode/CodeBlock.h:
1652         * bytecode/GetByIdStatus.cpp:
1653         (JSC::GetByIdStatus::computeFromLLInt):
1654         * bytecode/Instruction.h:
1655         (JSC::Instruction::Instruction):
1656         * bytecode/PutByIdFlags.cpp: Added.
1657         (WTF::printInternal):
1658         * bytecode/PutByIdFlags.h: Added.
1659         * bytecode/PutByIdStatus.cpp:
1660         (JSC::PutByIdStatus::computeFromLLInt):
1661         * bytecode/UnlinkedCodeBlock.h:
1662         (JSC::UnlinkedInstruction::UnlinkedInstruction):
1663         * bytecompiler/BytecodeGenerator.cpp:
1664         (JSC::BytecodeGenerator::emitPutById):
1665         (JSC::BytecodeGenerator::emitDirectPutById):
1666         * dfg/DFGByteCodeParser.cpp:
1667         (JSC::DFG::ByteCodeParser::parseBlock):
1668         * dfg/DFGCapabilities.cpp:
1669         (JSC::DFG::capabilityLevel):
1670         * jit/JIT.cpp:
1671         (JSC::JIT::privateCompileMainPass):
1672         (JSC::JIT::privateCompileSlowCases):
1673         * jit/JITPropertyAccess.cpp:
1674         (JSC::JIT::emit_op_put_by_id):
1675         * jit/JITPropertyAccess32_64.cpp:
1676         (JSC::JIT::emit_op_put_by_id):
1677         * llint/LLIntSlowPaths.cpp:
1678         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1679         * llint/LowLevelInterpreter32_64.asm:
1680         * llint/LowLevelInterpreter64.asm:
1681
1682 2015-09-14  Commit Queue  <commit-queue@webkit.org>
1683
1684         Unreviewed, rolling out r189751, r189752, and r189754.
1685         https://bugs.webkit.org/show_bug.cgi?id=149143
1686
1687         caused crashes everywhere (Requested by alexchristensen on
1688         #webkit).
1689
1690         Reverted changesets:
1691
1692         "LLInt get/put inline caches shouldn't use tons of opcodes"
1693         https://bugs.webkit.org/show_bug.cgi?id=149106
1694         http://trac.webkit.org/changeset/189751
1695
1696         "Unreviewed, fix non-x86 LLInt build."
1697         http://trac.webkit.org/changeset/189752
1698
1699         "Unreviewed, really fix non-x86 LLInt build without also
1700         breaking everything else."
1701         http://trac.webkit.org/changeset/189754
1702
1703 2015-09-14  Filip Pizlo  <fpizlo@apple.com>
1704
1705         Unreviewed, really fix non-x86 LLInt build without also breaking everything else.
1706
1707         * llint/LowLevelInterpreter64.asm:
1708
1709 2015-09-14  Filip Pizlo  <fpizlo@apple.com>
1710
1711         Unreviewed, fix non-x86 LLInt build.
1712
1713         * llint/LowLevelInterpreter64.asm:
1714
1715 2015-09-13  Filip Pizlo  <fpizlo@apple.com>
1716
1717         LLInt get/put inline caches shouldn't use tons of opcodes
1718         https://bugs.webkit.org/show_bug.cgi?id=149106
1719
1720         Reviewed by Geoffrey Garen.
1721
1722         Our LLInt get/put inline caches currently use separate opcodes to reduce branching. For
1723         example, instead of having get_by_id branch on the kind of offset (inline or
1724         out-of-line), we have two get_by_id instructions: get_by_id and get_by_id_out_of_line.
1725         But the problem with this approach is that it doesn't scale. In the property type
1726         inference work (https://bugs.webkit.org/show_bug.cgi?id=148610), we need each kind of put
1727         inline cache to support 11 different kinds of type checks. It seemed ridiculous to add 60
1728         new put_by_id opcodes (there are currently 6 variants of put_by_id, so after adding type
1729         checks, we'd have 6 * 11 = 66 variants of put_by_id).
1730
1731         So, this patch completely changes the strategy to mostly using branching inside the
1732         opcode implementation. It's unlikely to have a performance effect. For example, the long
1733         road to generational GC caused a seemingly prohibitive regression in LLInt inline caches,
1734         and yet nobody noticed. The regression was because the inline cache was in terms of the
1735         structure, not the structure ID, so the code was doing a structure ID table lookup. If we
1736         didn't notice that, then we probably won't notice a couple new branches. (Also, this
1737         patch fixes that regression - the code no longer does such lookups except in the one
1738         unavoidable case in put_by_id transition chain checking.)
1739
1740         This patch also turns the isDirect operand of put_by_id into a flags field. I will use
1741         this flags field to encode the desired type check in bug 148610.
1742
1743         This patch has no effect on performance according to run-jsc-benchmarks.
1744
1745         * CMakeLists.txt:
1746         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1747         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1748         * JavaScriptCore.xcodeproj/project.pbxproj:
1749         * bytecode/BytecodeList.json:
1750         * bytecode/BytecodeUseDef.h:
1751         (JSC::computeUsesForBytecodeOffset):
1752         (JSC::computeDefsForBytecodeOffset):
1753         * bytecode/CodeBlock.cpp:
1754         (JSC::CodeBlock::printGetByIdOp):
1755         (JSC::CodeBlock::printGetByIdCacheStatus):
1756         (JSC::CodeBlock::printPutByIdCacheStatus):
1757         (JSC::CodeBlock::dumpBytecode):
1758         (JSC::CodeBlock::CodeBlock):
1759         (JSC::CodeBlock::propagateTransitions):
1760         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1761         * bytecode/CodeBlock.h:
1762         * bytecode/GetByIdStatus.cpp:
1763         (JSC::GetByIdStatus::computeFromLLInt):
1764         * bytecode/Instruction.h:
1765         (JSC::Instruction::Instruction):
1766         * bytecode/PutByIdFlags.cpp: Added.
1767         (WTF::printInternal):
1768         * bytecode/PutByIdFlags.h: Added.
1769         * bytecode/PutByIdStatus.cpp:
1770         (JSC::PutByIdStatus::computeFromLLInt):
1771         * bytecode/UnlinkedCodeBlock.h:
1772         (JSC::UnlinkedInstruction::UnlinkedInstruction):
1773         * bytecompiler/BytecodeGenerator.cpp:
1774         (JSC::BytecodeGenerator::emitPutById):
1775         (JSC::BytecodeGenerator::emitDirectPutById):
1776         * dfg/DFGAbstractInterpreterInlines.h:
1777         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1778         * dfg/DFGByteCodeParser.cpp:
1779         (JSC::DFG::ByteCodeParser::parseBlock):
1780         * dfg/DFGCapabilities.cpp:
1781         (JSC::DFG::capabilityLevel):
1782         * jit/JIT.cpp:
1783         (JSC::JIT::privateCompileMainPass):
1784         (JSC::JIT::privateCompileSlowCases):
1785         * jit/JITPropertyAccess.cpp:
1786         (JSC::JIT::emit_op_put_by_id):
1787         * jit/JITPropertyAccess32_64.cpp:
1788         (JSC::JIT::emit_op_put_by_id):
1789         * llint/LLIntSlowPaths.cpp:
1790         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1791         * llint/LowLevelInterpreter32_64.asm:
1792         * llint/LowLevelInterpreter64.asm:
1793
1794 2015-09-14  Alex Christensen  <achristensen@webkit.org>
1795
1796         Progress towards CMake on Mac.
1797         https://bugs.webkit.org/show_bug.cgi?id=149123
1798
1799         Reviewed by Chris Dumez.
1800
1801         * CMakeLists.txt:
1802         Make forwarding headers for the replay subdirectory.
1803         * PlatformMac.cmake:
1804         Make forwarding headers for the generated inspector headers.
1805         They should eventually be packaged correctly with JavaScriptCore headers and included correctly.
1806
1807 2015-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1808
1809         [ES6] Cache the resolution result in JSModuleRecord
1810         https://bugs.webkit.org/show_bug.cgi?id=148896
1811
1812         Reviewed by Saam Barati.
1813
1814         The resolveExport operation is frequently called. For example,
1815         1. When instantiating the module environment, we call it for each exported name and imported
1816            name.
1817         2. When linking the imported module environment to the code block, we call it to resolve the
1818            resolution.
1819         3. When looking up the property from the namespace object, we call it to look up the original
1820            module for the imported binding.
1821         4. When creating the namespace object, we need to collect all the exported names from the module
1822            and need to resolve them by calling resolveExport.
1823
1824         However, resolveExport takes some cost. It traces the imported modules and resolves the reference
1825         queried by the original module.
1826
1827         The resolveExport operation is a pure function; given a module record and an export name,
1828         it always returns the same result. So we cache resolution results in the module record to avoid
1829         repeated resolveExport calls with the same arguments.
1830         Here, we only cache the correctly resolved references, since:
1831         1. We rarely look up the non-correctly-resolved ones. In the linking phase, attempting to
1832            resolve non-correctly-resolved ones throws a syntax error. So only namespace object creation
1833            phase does it in a syntax valid script.
1834         2. This strategy limits the size of the cache map. The number of the correctly exported bindings
1835            is defined by the modules' code. So the size does not become infinitely large.
1836
1837         Currently, modules cannot be linked twice. For example,
1838
1839           graph 1
1840
1841           -> (A) -> (B)
1842
1843           graph 2
1844
1845           -> (C) -> (A) -> (B)
1846
1847         We cannot test this behavior now because when executing graph 2, (A) and (B) are already linked,
1848         and that raises an error in the current loader spec. But it should be allowed[1], since it will occur
1849         when there are multiple module tags in WebCore.
1850
1851         [1]: https://github.com/whatwg/loader/issues/41
1852
1853         * runtime/JSModuleRecord.cpp:
1854         (JSC::JSModuleRecord::ResolveQuery::Hash::hash):
1855         (JSC::JSModuleRecord::ResolveQuery::Hash::equal):
1856         (JSC::JSModuleRecord::cacheResolution):
1857         (JSC::ResolveQueryHash::hash): Deleted.
1858         (JSC::ResolveQueryHash::equal): Deleted.
1859         (JSC::resolveExportLoop): Deleted.
1860         * runtime/JSModuleRecord.h:
1861         * tests/modules/caching-should-not-make-ambiguous.js: Added.
1862         * tests/modules/caching-should-not-make-ambiguous/A.js: Added.
1863         * tests/modules/caching-should-not-make-ambiguous/B.js: Added.
1864         * tests/modules/caching-should-not-make-ambiguous/C.js: Added.
1865         * tests/modules/caching-should-not-make-ambiguous/D.js: Added.
1866         * tests/modules/caching-should-not-make-ambiguous/main.js: Added.
1867         * tests/modules/different-view.js: Added.
1868         (from.string_appeared_here.shouldThrow):
1869         * tests/modules/different-view/A.js: Added.
1870         * tests/modules/different-view/B.js: Added.
1871         * tests/modules/different-view/C.js: Added.
1872         * tests/modules/different-view/D.js: Added.
1873         * tests/modules/different-view/E.js: Added.
1874         * tests/modules/different-view/main.js: Added.
1875         * tests/modules/fallback-ambiguous.js: Added.
1876         (from.string_appeared_here.shouldThrow):
1877         * tests/modules/fallback-ambiguous/A.js: Added.
1878         * tests/modules/fallback-ambiguous/B.js: Added.
1879         * tests/modules/fallback-ambiguous/C.js: Added.
1880         * tests/modules/fallback-ambiguous/D.js: Added.
1881         * tests/modules/fallback-ambiguous/E.js: Added.
1882         * tests/modules/fallback-ambiguous/main.js: Added.
1883         * tests/modules/self-star-link.js: Added.
1884         * tests/modules/self-star-link/A.js: Added.
1885         * tests/modules/self-star-link/B.js: Added.
1886         * tests/modules/self-star-link/C.js: Added.
1887         * tests/modules/self-star-link/D.js: Added.
1888         * tests/modules/self-star-link/E.js: Added.
1889         * tests/modules/uncacheable-when-see-star.js: Added.
1890         * tests/modules/uncacheable-when-see-star/A-pre.js: Added.
1891         * tests/modules/uncacheable-when-see-star/A.js: Added.
1892         * tests/modules/uncacheable-when-see-star/B.js: Added.
1893         * tests/modules/uncacheable-when-see-star/C.js: Added.
1894         * tests/modules/uncacheable-when-see-star/D.js: Added.
1895         * tests/modules/uncacheable-when-see-star/E-pre.js: Added.
1896         * tests/modules/uncacheable-when-see-star/E.js: Added.
1897         * tests/modules/uncacheable-when-see-star/main1.js: Added.
1898         * tests/modules/uncacheable-when-see-star/main2.js: Added.
1899
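An added example (not JavaScriptCore code) modelling the caching described in the entry above: a simplified resolveExport over local, indirect and `export *` exports, caching only correctly resolved references. The constructed module graphs and the choice not to cache results that crossed an `export *` (in a cyclic graph such results depend on the resolve set, which is what lets a naive cache return a wrong, non-ambiguous answer) are this example's own assumptions, not a statement of how JSModuleRecord implements it.

```javascript
// Added illustration, not JavaScriptCore code: a simplified ES module resolveExport
// (local, indirect and star exports, spec-style cycle cut) with a per-module cache.

class ModuleRecord {
  constructor(name, { locals = [], indirects = {}, stars = [] } = {}) {
    this.name = name;
    this.locals = new Set(locals);                        // export const x = ...;
    this.indirects = new Map(Object.entries(indirects));  // export { a as b } from "m" => b: ["m", "a"]
    this.stars = stars;                                   // export * from "m"
    this.resolutionCache = new Map();                     // exportName -> binding
    this.resolveCalls = 0;                                // instrumentation for the demos
  }
}

const NOT_FOUND = null;
const AMBIGUOUS = 'ambiguous';
const isBinding = (r) => r !== NOT_FOUND && r !== AMBIGUOUS;

// cacheThroughStar = true switches on a deliberately unsound cache for comparison.
function buildRegistry(specs, cacheThroughStar = false) {
  const modules = new Map();
  for (const [name, spec] of Object.entries(specs)) modules.set(name, new ModuleRecord(name, spec));
  return { modules, cacheThroughStar };
}

function remember(registry, mod, exportName, binding) {
  // Only correctly resolved references are cached, and by default only when no
  // `export *` was crossed: in a cyclic graph a star resolution depends on the
  // resolveSet it was computed under, so caching it can hide an ambiguity.
  if (!binding.viaStar || registry.cacheThroughStar) mod.resolutionCache.set(exportName, binding);
  return binding;
}

// Returns { module, bindingName, viaStar }, NOT_FOUND or AMBIGUOUS.
function resolveExport(registry, mod, exportName, resolveSet = []) {
  mod.resolveCalls++;
  if (resolveSet.some(([m, n]) => m === mod && n === exportName)) return NOT_FOUND; // circular
  resolveSet = [...resolveSet, [mod, exportName]];

  const cached = mod.resolutionCache.get(exportName);
  if (cached) return cached;

  if (mod.locals.has(exportName))
    return remember(registry, mod, exportName, { module: mod, bindingName: exportName, viaStar: false });

  if (mod.indirects.has(exportName)) {
    const [target, importName] = mod.indirects.get(exportName);
    const r = resolveExport(registry, registry.modules.get(target), importName, resolveSet);
    return isBinding(r) ? remember(registry, mod, exportName, r) : r;
  }
  if (exportName === 'default') return NOT_FOUND; // `default` is never re-exported by `export *`

  let star = NOT_FOUND;
  for (const target of mod.stars) {
    const r = resolveExport(registry, registry.modules.get(target), exportName, resolveSet);
    if (r === AMBIGUOUS) return AMBIGUOUS;
    if (r === NOT_FOUND) continue;
    if (star === NOT_FOUND) star = r;
    else if (r.module !== star.module || r.bindingName !== star.bindingName) return AMBIGUOUS;
  }
  return star === NOT_FOUND ? NOT_FOUND : { ...star, viaStar: true };
}

const describe = (r) => (isBinding(r) ? `${r.module.name}.${r.bindingName}` : String(r));

// The ChangeLog's graph 2, (C) -> (A) -> (B): resolving C.y reuses A's cached
// answer, so B's resolveExport runs only once across both lookups.
function demoChainCaching() {
  const reg = buildRegistry({
    B: { locals: ['x'] },
    A: { indirects: { y: ['B', 'x'] } },
    C: { indirects: { y: ['A', 'y'] } },
  });
  const first = resolveExport(reg, reg.modules.get('A'), 'y');
  const bCallsAfterFirst = reg.modules.get('B').resolveCalls;
  const second = resolveExport(reg, reg.modules.get('C'), 'y');
  return {
    binding: describe(first),
    sameBinding: describe(second) === describe(first),
    bCalls: [bCallsAfterFirst, reg.modules.get('B').resolveCalls],
  };
}

// Constructed cyclic star graph: E -> *A, *F; A re-exports x from B; B -> *E, *D.
// Resolving E.x first reaches A.x with E already on the resolveSet, so the cycle
// cut makes A.x look like D.x. If that star result were cached, resolving A.x
// directly would return D.x instead of reporting the real D.x/F.x ambiguity.
function demoStarCycle(cacheThroughStar) {
  const reg = buildRegistry({
    E: { stars: ['A', 'F'] },
    A: { indirects: { x: ['B', 'x'] } },
    B: { stars: ['E', 'D'] },
    D: { locals: ['x'] },
    F: { locals: ['x'] },
  }, cacheThroughStar);
  resolveExport(reg, reg.modules.get('E'), 'x'); // AMBIGUOUS; warms the caches
  return describe(resolveExport(reg, reg.modules.get('A'), 'x'));
}
```
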
1900 2015-09-14  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1901
1902         Implement the arithmetic instructions for floats in WebAssembly
1903         https://bugs.webkit.org/show_bug.cgi?id=149102
1904
1905         Reviewed by Geoffrey Garen.
1906
1907         This patch implements the arithmetic instructions for floats (float32)
1908         in WebAssembly by converting the float operands to doubles, performing
1909         the equivalent double instructions, and converting the result back to
1910         float. The asm.js spec says that "As proved in 'When is double rounding
1911         innocuous?' (Figueroa 1995), both the 32- and 64-bit versions of
1912         standard arithmetic operations produce equivalent results when given
1913         32-bit inputs and coerced to 32-bit outputs."
1914         (http://asmjs.org/spec/latest/#floatish)
1915
1916         This patch also pads WebAssembly call frames by maxFrameExtentForSlowPathCall,
1917         so that there is no need to adjust the stack pointer every time we make
1918         a slow path call.
1919
1920         * tests/stress/wasm-arithmetic-float32.js:
1921         * tests/stress/wasm/arithmetic-float32.wasm:
1922         * wasm/WASMFunctionCompiler.h:
1923         (JSC::WASMFunctionCompiler::startFunction):
1924         (JSC::WASMFunctionCompiler::buildUnaryF32):
1925         (JSC::WASMFunctionCompiler::buildBinaryF32):
1926         (JSC::WASMFunctionCompiler::callOperation):
1927         (JSC::WASMFunctionCompiler::callAndUnboxResult):
1928         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1929         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1930         * wasm/WASMFunctionParser.cpp:
1931         (JSC::WASMFunctionParser::parseExpressionF32):
1932         (JSC::WASMFunctionParser::parseUnaryExpressionF32):
1933         (JSC::WASMFunctionParser::parseBinaryExpressionF32):
1934         * wasm/WASMFunctionParser.h:
1935         * wasm/WASMFunctionSyntaxChecker.h:
1936         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32):
1937         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32):
1938
1939 2015-09-13  Geoffrey Garen  <ggaren@apple.com>
1940
1941         Eden GC should not try to jettison old CodeBlocks in the remembered set
1942         https://bugs.webkit.org/show_bug.cgi?id=149108
1943
1944         Reviewed by Saam Barati.
1945
1946         All we know about objects in the remembered set is that they must be
1947         visited. We don't know whether they're referenced or not because we
1948         won't mark the objects that point to them.
1949
1950         Therefore, it's incorrect for a CodeBlock to consider jettisoning
1951         itself when it's marked as a part of the remembered set: Some
1952         old object might have visited the CodeBlock strongly if given the chance.
1953
1954         I believe this doesn't cause any problems currently because we happen
1955         to visit all strong references to all CodeBlocks eligible for jettison
1956         during every GC.
1957
1958         However, this behavior is a logical oddity that tripped me up, and I
1959         believe it will start causing real problems once we start to jettison
1960         baseline CodeBlocks, since we do not visit all strong references to all
1961         baseline CodeBlocks during every GC.
1962
1963         * heap/CodeBlockSet.cpp:
1964         (JSC::CodeBlockSet::clearMarksForEdenCollection):
1965         (JSC::CodeBlockSet::traceMarked): Be sure to visit the remembered set
1966         strongly, in order to prohibit jettisoning.
1967
1968         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1969         * heap/CodeBlockSet.h: Track the remembered set during eden GCs.
1970
1971 2015-09-11  Filip Pizlo  <fpizlo@apple.com>
1972
1973         REGRESSION(r189585): run-perf-tests Speedometer fails with a console error
1974         https://bugs.webkit.org/show_bug.cgi?id=149066
1975
1976         Reviewed by Michael Saboff.
1977
1978         The bug here was that the new IC code was calling actionForCell() more than once. That's
1979         illegal, since when actionForCell() returns RetryCacheLater, it means that it changed some
1980         object's Structure. The Repatch code was doing things like "if (actionForCell(blah) ==
1981         AttemptToCache)" in more than one place, so that if the first such expression was false, then
1982         we'd fall through to the next one. It's possible for the first call to return RetryCacheLater,
1983         in which case our view of the world just got clobbered and we need to return, and then the
1984         second call will probably return AttemptToCache because it *thinks* that we had bailed the last
1985         time and we're now in a future IC invocation.
1986
1987         The solution is to cache the actionForCell() result. This is a bit tricky, because we need to
1988         do this after we check if we're in a proxy.
1989
1990         Debugging bugs like these requires adding ad hoc bisection code in various places. We already
1991         had the basic hooks for this. This patch makes those hooks a bit more useful. In the case of
1992         the LLInt->JIT tier-up hooks, it adds a CodeBlock* argument so that we can bisect based on the
1993         CodeBlock. In the case of Repatch, it puts the Options::forceICFailure() check in a helper
1994         function that also takes ExecState*, which allows us to bisect on either CodeBlock or
1995         CodeOrigin.
1996
1997         * jit/Repatch.cpp:
1998         (JSC::actionForCell):
1999         (JSC::forceICFailure):
2000         (JSC::tryCacheGetByID):
2001         (JSC::tryCachePutByID):
2002         (JSC::tryRepatchIn):
2003         * llint/LLIntSlowPaths.cpp:
2004         (JSC::LLInt::shouldJIT):
2005         (JSC::LLInt::jitCompileAndSetHeuristics):
2006         (JSC::LLInt::entryOSR):
2007         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2008         * tests/stress/retry-cache-later.js:
2009
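Added illustration, not code from JavaScriptCore: a reduced C++ model of the double-call bug the entry above describes. Structure, actionForCell, tryCacheBuggy and tryCacheFixed are hypothetical stand-ins for the Repatch code; the "flatten a dictionary structure" transition is the constructed side effect that makes RetryCacheLater meaningful here. The point it demonstrates is that a function whose return value means "I mutated state, your snapshot is stale" must be called once and its result kept, otherwise a second call in a fall-through condition caches against a structure that no longer exists.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for a JSC Structure (not the real class). A dictionary
// structure has to be flattened before an access can be cached, and flattening
// changes the structure; here that is modelled by bumping its id.
struct Structure {
    bool isDictionary;
    uint32_t id;
};

enum class InlineCacheAction { RetryCacheLater, AttemptToCache };

// Models actionForCell(): RetryCacheLater means "some object's Structure was
// just changed, so whatever you observed before this call is stale".
static InlineCacheAction actionForCell(Structure& structure)
{
    if (structure.isDictionary) {
        structure.isDictionary = false;
        structure.id += 1;
        return InlineCacheAction::RetryCacheLater;
    }
    return InlineCacheAction::AttemptToCache;
}

enum class Outcome { Retried, Cached, CachedAgainstStaleSnapshot };

// Every caching path generates code against a Structure snapshot taken before
// actionForCell() ran; a mismatch means the stub would guard on the wrong structure.
static Outcome cacheAgainstSnapshot(const Structure& structure, uint32_t snapshotId)
{
    return structure.id == snapshotId ? Outcome::Cached : Outcome::CachedAgainstStaleSnapshot;
}

// Buggy shape from the entry: actionForCell() appears in two separate
// conditions. A first call that returns RetryCacheLater falls through to the
// second call, which now sees a flattened structure and answers AttemptToCache.
static Outcome tryCacheBuggy(Structure& structure)
{
    uint32_t snapshotId = structure.id;
    if (actionForCell(structure) == InlineCacheAction::AttemptToCache)
        return cacheAgainstSnapshot(structure, snapshotId);   // e.g. the self-access path
    if (actionForCell(structure) == InlineCacheAction::AttemptToCache)
        return cacheAgainstSnapshot(structure, snapshotId);   // e.g. the proxy/other path
    return Outcome::Retried;
}

// Fix: call actionForCell() exactly once, keep its result, and return as soon
// as it reports RetryCacheLater.
static Outcome tryCacheFixed(Structure& structure)
{
    uint32_t snapshotId = structure.id;
    InlineCacheAction action = actionForCell(structure);
    if (action != InlineCacheAction::AttemptToCache)
        return Outcome::Retried;
    return cacheAgainstSnapshot(structure, snapshotId);
}

// Drive one version on a fresh dictionary structure (constructed input).
static Outcome runOnDictionary(Outcome (*tryCache)(Structure&))
{
    Structure structure { true, 7 };
    return tryCache(structure);
}

// The fixed version bails on the first IC invocation and caches on the next
// one, once the structure has been flattened.
static Outcome runFixedTwice()
{
    Structure structure { true, 7 };
    tryCacheFixed(structure);
    return tryCacheFixed(structure);
}

int main()
{
    std::printf("buggy: %d, fixed: %d, fixed on second invocation: %d\n",
        static_cast<int>(runOnDictionary(tryCacheBuggy)),
        static_cast<int>(runOnDictionary(tryCacheFixed)),
        static_cast<int>(runFixedTwice()));
    return 0;
}
```

The buggy path ends in CachedAgainstStaleSnapshot, the fixed path in Retried on the first invocation and Cached on the second, which is the sequence the entry describes.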
2010 2015-09-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2011
2012         Implement the relational instructions for floats in WebAssembly
2013         https://bugs.webkit.org/show_bug.cgi?id=149080
2014
2015         Reviewed by Geoffrey Garen.
2016
2017         This patch implements the relational instructions for floats (float32)
2018         in WebAssembly by converting float operands to doubles and then
2019         comparing them using the existing double comparison instructions in the
2020         macro assembler.
2021
2022         * tests/stress/wasm-relational.js:
2023         * tests/stress/wasm/relational.wasm:
2024         * wasm/WASMFunctionCompiler.h:
2025         (JSC::WASMFunctionCompiler::buildRelationalF32):
2026         * wasm/WASMFunctionParser.cpp:
2027         (JSC::WASMFunctionParser::parseExpressionI32):
2028         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32):
2029         * wasm/WASMFunctionParser.h:
2030         * wasm/WASMFunctionSyntaxChecker.h:
2031         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32):
2032
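Added illustration, not code from JavaScriptCore: the six f32 relational operations implemented exactly as the entry above describes, by widening both operands to double and comparing the doubles, plus a sweep that checks the result against a native float32 comparison on pseudo-random bit patterns (constructed input). The ltF32 and similar names are the example's own, not the parser's. It shows why the widening approach is correct: float32 to float64 conversion is exact, so ordering, the two zeros and the unordered NaN cases all come out identical; narrowing in the other direction would not be safe.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// A WebAssembly f32 comparison yields an i32 (1 for true, 0 for false). Every
// float32 value (including -0, denormals, infinities and NaN payloads) is
// representable as a float64, so comparing the widened operands gives exactly
// the answer a native float32 comparison would.
static int32_t ltF32(float a, float b) { return double(a) <  double(b) ? 1 : 0; }
static int32_t leF32(float a, float b) { return double(a) <= double(b) ? 1 : 0; }
static int32_t gtF32(float a, float b) { return double(a) >  double(b) ? 1 : 0; }
static int32_t geF32(float a, float b) { return double(a) >= double(b) ? 1 : 0; }
static int32_t eqF32(float a, float b) { return double(a) == double(b) ? 1 : 0; }
static int32_t neF32(float a, float b) { return double(a) != double(b) ? 1 : 0; }

// Reinterpret an arbitrary 32-bit pattern as a float, so the sweep below also
// hits NaNs, infinities, denormals and both zeros.
static float floatFromBits(uint32_t bits)
{
    float value;
    std::memcpy(&value, &bits, sizeof value);
    return value;
}

// Runs `iterations` pseudo-random operand pairs (xorshift32, constructed input)
// through all six widened comparisons and the native float32 comparisons.
// Returns the number of disagreements; the exactness argument says it is 0.
static int countDisagreements(uint32_t iterations)
{
    uint32_t state = 0x9E3779B9u;
    auto next = [&state]() { state ^= state << 13; state ^= state >> 17; state ^= state << 5; return state; };
    int disagreements = 0;
    for (uint32_t i = 0; i < iterations; ++i) {
        float a = floatFromBits(next());
        float b = floatFromBits(next());
        disagreements += ltF32(a, b) != (a <  b ? 1 : 0);
        disagreements += leF32(a, b) != (a <= b ? 1 : 0);
        disagreements += gtF32(a, b) != (a >  b ? 1 : 0);
        disagreements += geF32(a, b) != (a >= b ? 1 : 0);
        disagreements += eqF32(a, b) != (a == b ? 1 : 0);
        disagreements += neF32(a, b) != (a != b ? 1 : 0);
    }
    return disagreements;
}

int main()
{
    float nan = std::numeric_limits<float>::quiet_NaN();
    std::printf("NaN < 1: %d, NaN != NaN: %d, -0 == 0: %d, disagreements: %d\n",
        ltF32(nan, 1.0f), neF32(nan, nan), eqF32(-0.0f, 0.0f), countDisagreements(200000));
    return 0;
}
```

Note that the unordered cases behave as the IEEE rules require: every ordered comparison involving a NaN yields 0 and only the inequality yields 1, exactly as with the native float comparison.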
2033 2015-09-11  Nan Wang  <n_wang@apple.com>
2034
2035         AX: ARIA 1.1 @aria-current
2036         https://bugs.webkit.org/show_bug.cgi?id=146012
2037
2038         Reviewed by Chris Fleizach.
2039
2040         Updated inspector to support aria-current.
2041
2042         * inspector/protocol/DOM.json:
2043
2044 2015-09-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2045
2046         Add initial support for floats in WebAssembly
2047         https://bugs.webkit.org/show_bug.cgi?id=149062
2048
2049         Reviewed by Geoffrey Garen.
2050
2051         Implement the ConstantPoolIndex, Immediate, GetLocal, and GetGlobal
2052         instructions for floats (float32) in WebAssembly.
2053
2054         * tests/stress/wasm-arithmetic-float32.js: Added.
2055         (shouldBe):
2056         * tests/stress/wasm-globals.js:
2057         * tests/stress/wasm-type-conversion.js:
2058         * tests/stress/wasm/arithmetic-float32.wasm: Added.
2059         * tests/stress/wasm/globals.wasm:
2060         * tests/stress/wasm/type-conversion.wasm:
2061         * wasm/WASMConstants.h:
2062         * wasm/WASMFunctionCompiler.h:
2063         (JSC::WASMFunctionCompiler::buildSetLocal):
2064         (JSC::WASMFunctionCompiler::buildReturn):
2065         (JSC::WASMFunctionCompiler::buildImmediateF32):
2066         (JSC::WASMFunctionCompiler::buildGetLocal):
2067         * wasm/WASMFunctionParser.cpp:
2068         (JSC::WASMFunctionParser::parseExpression):
2069         (JSC::WASMFunctionParser::parseExpressionF32):
2070         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32):
2071         (JSC::WASMFunctionParser::parseImmediateExpressionF32):
2072         (JSC::WASMFunctionParser::parseGetLocalExpressionF32):
2073         (JSC::WASMFunctionParser::parseGetGlobalExpressionF32):
2074         * wasm/WASMFunctionParser.h:
2075         * wasm/WASMFunctionSyntaxChecker.h:
2076         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32):
2077         * wasm/WASMReader.cpp:
2078         (JSC::WASMReader::readOpExpressionF32):
2079         * wasm/WASMReader.h:
2080
2081 2015-09-11  Geoffrey Garen  <ggaren@apple.com>
2082
2083         Try to fix the CLOOP build.
2084
2085         Unreviewed.
2086
2087         * bytecode/CodeBlock.cpp:
2088         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2089         (JSC::CodeBlock::finalizeUnconditionally):
2090
2091 2015-09-11  Csaba Osztrogonác  <ossy@webkit.org>
2092
2093         [EFL] Fix WASM build
2094         https://bugs.webkit.org/show_bug.cgi?id=149065
2095
2096         Reviewed by Darin Adler.
2097
2098         * wasm/WASMFunctionParser.cpp:
2099
2100 2015-09-11  Geoffrey Garen  <ggaren@apple.com>
2101
2102         JavaScriptCore should discard optimized code after some time
2103         https://bugs.webkit.org/show_bug.cgi?id=149048
2104
2105         Reviewed by Michael Saboff.
2106
2107         This patch adds a new jettison type -- JettisonDueToOldAge -- and starts
2108         using it for DFG and FTL code. Baseline and LLInt code will come in a
2109         follow-up patch.
2110
2111         The primary goal is to save memory. Some popular websites leave about 10MB
2112         of dead code sitting around immediately after they finish loading.
2113
2114         Throwing away code periodically might also save us from profiling
2115         pathologies that lead to performance dead ends.
2116
2117         * bytecode/CodeBlock.cpp:
2118         (JSC::CodeBlock::visitAggregate): Updated for rename, and removed a
2119         stale comment.
2120
2121         (JSC::CodeBlock::shouldVisitStrongly): Renamed to shouldVisitStrongly
2122         because the practical effect of this function is to trigger a call to
2123         visitStrongly.
2124
2125         (JSC::CodeBlock::isKnownToBeLiveDuringGC): Check the
2126         m_visitStronglyHasBeenCalled flag instead of
2127         shouldImmediatelyAssumeLivenessDuringScan / shouldVisitStrongly because
2128         m_visitStronglyHasBeenCalled can be set by anybody even if the CodeBlock
2129         would not otherwise visit itself strongly.
2130
2131         (JSC::CodeBlock::shouldJettisonDueToWeakReference): New helper function
2132         for readability.
2133
2134         (JSC::CodeBlock::shouldJettisonDueToOldAge): New helper function that
2135         tells if a CodeBlock is old enough for deletion.
2136
2137         (JSC::CodeBlock::determineLiveness): There's no need to check
2138         shouldImmediatelyAssumeLivenessDuringScan here because we will not call
2139         this function if shouldImmediatelyAssumeLivenessDuringScan is true.
2140         Also, it's just not clear -- if someone chooses to call this function --
2141         that it would be safe to ignore them simply because
2142         shouldImmediatelyAssumeLivenessDuringScan was true.
2143
2144         (JSC::CodeBlock::finalizeLLIntInlineCaches): Moved code out into a helper
2145         function to make the main function more readable.
2146
2147         (JSC::CodeBlock::finalizeBaselineJITInlineCaches): Ditto.
2148
2149         (JSC::CodeBlock::finalizeUnconditionally): Added code for jettisoning a
2150         CodeBlock if it is too old. Moved large sections of code into helper
2151         functions to aid readability in this function.
2152
2153         (JSC::CodeBlock::jettison): Account for the fact that we might jettison
2154         a CodeBlock without OSR exit and without requiring a stack shoot-down.
2155
2156         * bytecode/CodeBlock.h:
2157         (JSC::CodeBlock::setInstallTime):
2158         (JSC::CodeBlock::timeSinceInstall): Track CodeBlock age to help us
2159         decide when to delete.
2160
2161         * jit/JITCode.h:
2162         (JSC::JITCode::timeToLive): Static limits on CodeBlock lifetime. I got
2163         these numbers from the place where numbers come from. 
2164
2165         * profiler/ProfilerJettisonReason.cpp:
2166         (WTF::printInternal):
2167         * profiler/ProfilerJettisonReason.h: Updated for new jettison type.
2168
2169         * runtime/Executable.cpp:
2170         (JSC::ScriptExecutable::installCode): Record install time so that we
2171         can measure how old a CodeBlock is.
2172
2173 2015-09-11  Andreas Kling  <akling@apple.com>
2174
2175         [JSC] Weak should only accept cell pointees.
2176         <https://webkit.org/b/148955>
2177
2178         Reviewed by Geoffrey Garen.
2179
2180         Since WeakImpls only support pointing to JSCell derived objects,
2181         enforce that at compile time by having the API use JSCell* instead of JSValue.
2182
2183         WeakHandleOwner callbacks now get JSCell& and JSCell*& respectively instead
2184         of wrapping the cell pointer in a Handle<Unknown>.
2185
2186         Also added a static_assert so Weak<T> can't be instantiated with a T that's
2187         not convertible to JSCell.
2188
2189         * API/JSAPIWrapperObject.mm:
2190         (JSAPIWrapperObjectHandleOwner::finalize):
2191         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2192         (JSC::JSAPIWrapperObject::finishCreation):
2193         * API/JSManagedValue.mm:
2194         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
2195         (JSManagedValueHandleOwner::finalize):
2196         * builtins/BuiltinExecutables.cpp:
2197         (JSC::BuiltinExecutables::finalize):
2198         * builtins/BuiltinExecutables.h:
2199         * heap/Heap.cpp:
2200         (JSC::Heap::addFinalizer):
2201         (JSC::Heap::FinalizerOwner::finalize):
2202         * heap/Heap.h:
2203         * heap/WeakBlock.cpp:
2204         (JSC::WeakBlock::visit):
2205         (JSC::WeakBlock::reap):
2206         * heap/WeakHandleOwner.cpp:
2207         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
2208         (JSC::WeakHandleOwner::finalize):
2209         * heap/WeakHandleOwner.h:
2210         * heap/WeakImpl.h:
2211         (JSC::WeakImpl::WeakImpl):
2212         (JSC::WeakImpl::state):
2213         (JSC::WeakImpl::cell):
2214         (JSC::WeakImpl::asWeakImpl):
2215         (JSC::WeakImpl::jsValue): Deleted.
2216         * heap/WeakInlines.h:
2217         (JSC::Weak<T>::Weak):
2218         (JSC::>):
2219         (JSC::Weak<T>::operator):
2220         (JSC::Weak<T>::get):
2221         (JSC::Weak<T>::was):
2222         * heap/WeakSet.h:
2223         * heap/WeakSetInlines.h:
2224         (JSC::WeakSet::allocate):
2225         (JSC::WeakBlock::finalize):
2226         * jit/JITThunks.cpp:
2227         (JSC::JITThunks::finalize):
2228         * jit/JITThunks.h:
2229         * jsc.cpp:
2230         (WTF::ElementHandleOwner::isReachableFromOpaqueRoots): Deleted.
2231         * runtime/JSCell.h:
2232         (JSC::jsCast):
2233         * runtime/RegExpCache.cpp:
2234         (JSC::RegExpCache::finalize):
2235         * runtime/RegExpCache.h:
2236         * runtime/Structure.cpp:
2237         (JSC::StructureTransitionTable::singleTransition):
2238         (JSC::StructureTransitionTable::setSingleTransition):
2239
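Added illustration, not code from JavaScriptCore: a minimal model of the compile-time enforcement the entry above describes. JSCell, JSString, WeakImpl and Weak here are small stand-ins with the same shape as the real ones, and NotACell is a constructed type that the static_assert is meant to reject. The predicate behind the static_assert is also exposed as weakAccepts<T>() so the accept/reject decision can be checked at runtime without a compile failure.

```cpp
#include <cstdio>
#include <type_traits>

// Minimal model of the cell hierarchy; not the JSC classes.
struct JSCell { virtual ~JSCell() {} };
struct JSString : JSCell {};
struct NotACell {};   // stands in for a non-cell type such as a raw JSValue wrapper

// Models WeakImpl: it only ever stores a JSCell*, never a JSValue.
struct WeakImpl {
    enum class State { Live, Dead };
    JSCell* cell;
    State state;
};

template<typename T>
class Weak {
    // The check the entry adds: a Weak<T> whose T is not a cell does not compile.
    static_assert(std::is_convertible<T*, JSCell*>::value,
        "Weak<T> only supports T that is convertible to JSCell");
public:
    explicit Weak(T* cell)
    {
        m_impl.cell = cell;
        m_impl.state = WeakImpl::State::Live;
    }
    // Null once the collector has cleared the handle.
    T* get() const
    {
        return m_impl.state == WeakImpl::State::Live ? static_cast<T*>(m_impl.cell) : nullptr;
    }
    // Called by the (modelled) collector when the pointee dies.
    void clear()
    {
        m_impl.state = WeakImpl::State::Dead;
        m_impl.cell = nullptr;
    }
private:
    WeakImpl m_impl;
};

// The same predicate as the static_assert, exposed so it can be evaluated for
// types that would otherwise fail to compile inside Weak<T>.
template<typename T>
constexpr bool weakAccepts() { return std::is_convertible<T*, JSCell*>::value; }

// True if a live handle yields its cell and a cleared one yields null.
static bool weakHandleClearsOnDeath()
{
    JSString string;
    Weak<JSString> weak(&string);
    bool liveOk = weak.get() == &string;
    weak.clear();
    return liveOk && weak.get() == nullptr;
}

int main()
{
    std::printf("JSString accepted: %d, NotACell accepted: %d, clears on death: %d\n",
        weakAccepts<JSString>(), weakAccepts<NotACell>(), weakHandleClearsOnDeath());
    return 0;
}
```

Instantiating Weak<NotACell> in this model fails at compile time with the static_assert message, which is the whole point: the invalid pointee type can never reach the WeakImpl at runtime.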
2240 2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2241
2242         Implement switch statements in WebAssembly
2243         https://bugs.webkit.org/show_bug.cgi?id=149051
2244
2245         Reviewed by Geoffrey Garen.
2246
2247         This patch implements switch statements in WebAssembly using the
2248         JSC::BinarySwitch class.
2249
2250         * tests/stress/wasm-control-flow.js:
2251         * tests/stress/wasm/control-flow.wasm:
2252         * wasm/WASMFunctionCompiler.h:
2253         (JSC::WASMFunctionCompiler::buildSwitch):
2254         * wasm/WASMFunctionParser.cpp:
2255         (JSC::WASMFunctionParser::parseSwitchStatement):
2256         * wasm/WASMFunctionSyntaxChecker.h:
2257         (JSC::WASMFunctionSyntaxChecker::buildSwitch):
2258
2259 2015-09-10  Filip Pizlo  <fpizlo@apple.com>
2260
2261         Structure should be able to tell you if it had ever been a dictionary
2262         https://bugs.webkit.org/show_bug.cgi?id=149047
2263
2264         Reviewed by Mark Lam.
2265
2266         Introduces the hasBeenDictionary flag to Structure, which tells you if this structure or
2267         any of its ancestors is a dictionary. We already implicitly tracked this for DFG
2268         watchpoint optimizations, so this is mainly just decoupling that existing logic from
2269         watchpoints. Having Structure::hasBeenDictionary() enables some of the heuristics in the
2270         property type inference work (https://bugs.webkit.org/show_bug.cgi?id=148610).
2271
2272         * runtime/Structure.cpp:
2273         (JSC::Structure::Structure):
2274         (JSC::Structure::toDictionaryTransition):
2275         (JSC::Structure::dump):
2276         * runtime/Structure.h:
2277
2278 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2279
2280         Unreviewed, fix Windows file loading in JSC shell after r189583
2281         https://bugs.webkit.org/show_bug.cgi?id=148917
2282
2283         Should load the script files with the binary mode.
2284         Since these loading functions are only used for the simple test scripts,
2285         we just use ftell / fseek now.
2286
2287         * jsc.cpp:
2288         (fillBufferWithContentsOfFile):
2289
2290 2015-09-10  Michael Saboff  <msaboff@apple.com>
2291
2292         REGRESSION(r189575): Appears to break ARM64 linux builds
2293         https://bugs.webkit.org/show_bug.cgi?id=149044
2294
2295         Reviewed by Filip Pizlo.
2296
2297         Changed the use of the ARM64 "fp", a register alias, to be "x29", the real register name.
2298
2299         * llint/LowLevelInterpreter.asm:
2300
2301 2015-09-09  Filip Pizlo  <fpizlo@apple.com>
2302
2303         There should be one stub hanging off an inline cache that contains code for all of the cases, rather than forming a linked list consisting of one stub per case
2304         https://bugs.webkit.org/show_bug.cgi?id=148717
2305
2306         Reviewed by Michael Saboff.
2307
2308         This is a major rewrite of the JSC get/put/in inline caches (ICs), motivated by the need to add
2309         fancy new kinds of inline caches for property type inference (https://webkit.org/b/148610).
2310
2311         Previously, our inline caches had some problems that made them difficult to work with. It was
2312         impossible to change any code that was previously generated by the IC except by blowing the
2313         whole IC away, the ICs scaled poorly if there were many cases, and there was a lot of duplicate
2314         and ad hoc code.
2315
2316         Impossible to regenerate a previously generated stub: Say that some access (o.f = v) causes our
2317         IC code to emit some stub; let's call it stub1. Then later we find that we need to emit a
2318         different stub, stub2, where we think that stub2 might subsume stub1. We say that stub2
2319         subsumes stub1 if failing to execute stub2 to completion means that we are guaranteed to fail
2320         to execute stub1 to completion. This could happen in trunk if stub2 has the same base structure
2321         as stub1 but different prototype conditions. It could happen with property type inference if
2322         stub2 has a looser type check on v than stub1 did. Currently, if this happened, we would emit
2323         stub2 and have its slow path jump to stub1. Hence, we would still end up executing the checks
2324         of stub1 before falling through to the slow path. This gets bad when there are many stubs.
2325         Stub1 might be in front of a bunch of other stubs, so when we add stub2, we will end up
2326         executing both stub2's and stub1's checks before falling through to the other stubs. It would
2327         be better if we could remove stub1 from the list at this point. But since stub1 could be linked
2328         to from a different stub that we had already generated, we'd have to have a way of patching
2329         stubs or regenerating them from scratch. This is currently impossible because we just don't keep
2330         around enough meta-data to mess with a stub after it's generated. After this change, we never
2331         link new stubs onto a linked list of pre-existing stubs; instead each IC will have one stub
2332         hanging off of it and we always regenerate that one stub from scratch. That one stub contains
2333         either a BinarySwitch or a branch cascade to select one of the AccessCases. Each AccessCase is
2334         an object that describes everything we need to regenerate it in the future. This means that
2335         when we add a new case to an IC stub, we can figure out which previous cases this one subsumes.
2336
2337         Poor scalability when there are many cases: Previously, the cases of a polymorphic inline cache
2338         formed a linked list of branches. This meant that the complexity of an inline cache grew
2339         linearly with the number of cases. This change turns this into a BinarySwitch in most cases,
2340         leading to logarithmic scaling.
2341
2342         Duplicate code between get, put, and in: The code for op_get_by_id, op_put_by_id, and op_in
2343         inline caches grew independently and ended up having a lot of duplicate code. We had the worst
2344         kinds of duplicate code. In some cases, the code was copy-pasted. In other cases, we wrote code
2345         that felt like it was new despite the fact that it was logically identical to code that was
2346         already written elsewhere. The main sources of duplication were in selecting a scratch
2347         register, checking all of the ObjectPropertyConditions and the base structure, the pro forma
2348         involved in generating a stub, and the data structures needed to describe all of the access
2349         cases. This change deduplicates all of that code. Now, all of those ICs use the same classes:
2350         the PolymorphicAccess and AccessCase. There is code in those classes that handles all of the
2351         common things, and for the most part the only code that actually specializes for the kind of
2352         access is in some switch statement in AccessCase::generate().
2353
2354         Special-casing of array length and string length: Previously, array.length and string.length
2355         were handled in an ad hoc manner in the get_by_id repatching code. The handling was separate
2356         from the polymorphic get_by_id handling, which meant that we could not handle polymorphic
2357         length accesses if one of the length cases was either array or string length. For example, if
2358         you had "o.length" where the length was either array length or a vanilla length property, then
2359         the get_by_id inline cache would either emit a monomorphic stub for array length, or a
2360         monomorphic stub for the vanilla length property, but never a polymorphic stub (or list) that
2361         could do both. This change addresses this problem by folding array length and string length
2362         into the polymorphic get_by_id code.
2363
2364         This was meant to be a perf-neutral change to enable property type inference, but it ended up
2365         being a 1% Octane speed-up, mainly because of a 14% speed-up in raytrace. This isn't too
2366         surprising, since that test does use inline caches a lot and this change makes inline caches
2367         more scalable.
2368
2369         This also fixes and adds a test for a BinarySwitch bug. BinarySwitch had an optimization for
2370         consecutive integer cases. Using it on typed array structures triggers this bug. It's a hard
2371         bug to trigger any other way because our other switch optimizations will usually use a jump
2372         table in case of consecutive integers.
2373
2374         * CMakeLists.txt:
2375         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2376         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2377         * JavaScriptCore.xcodeproj/project.pbxproj:
2378         * assembler/MacroAssemblerCodeRef.h:
2379         (JSC::MacroAssemblerCodePtr::dumpWithName):
2380         * bytecode/CodeBlock.cpp:
2381         (JSC::CodeBlock::printGetByIdCacheStatus):
2382         (JSC::CodeBlock::printPutByIdCacheStatus):
2383         (JSC::CodeBlock::propagateTransitions):
2384         (JSC::CodeBlock::getByValInfoMap):
2385         (JSC::CodeBlock::addStubInfo):
2386         (JSC::CodeBlock::findStubInfo):
2387         * bytecode/CodeBlock.h:
2388         (JSC::CodeBlock::stubInfoBegin):
2389         (JSC::CodeBlock::stubInfoEnd):
2390         * bytecode/GetByIdStatus.cpp:
2391         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2392         * bytecode/PolymorphicAccess.cpp: Copied from Source/JavaScriptCore/bytecode/PolymorphicGetByIdList.cpp.
2393         (JSC::AccessGenerationState::addWatchpoint):
2394         (JSC::AccessGenerationState::restoreScratch):
2395         (JSC::AccessGenerationState::succeed):
2396         (JSC::AccessCase::AccessCase):
2397         (JSC::AccessCase::get):
2398         (JSC::AccessCase::replace):
2399         (JSC::AccessCase::transition):
2400         (JSC::AccessCase::setter):
2401         (JSC::AccessCase::in):
2402         (JSC::AccessCase::getLength):
2403         (JSC::AccessCase::~AccessCase):
2404         (JSC::AccessCase::fromStructureStubInfo):
2405         (JSC::AccessCase::clone):
2406         (JSC::AccessCase::guardedByStructureCheck):
2407         (JSC::AccessCase::alternateBase):
2408         (JSC::AccessCase::canReplace):
2409         (JSC::AccessCase::dump):
2410         (JSC::AccessCase::visitWeak):
2411         (JSC::AccessCase::generateWithGuard):
2412         (JSC::AccessCase::generate):
2413         (JSC::PolymorphicAccess::PolymorphicAccess):
2414         (JSC::PolymorphicAccess::~PolymorphicAccess):
2415         (JSC::PolymorphicAccess::regenerateWithCases):
2416         (JSC::PolymorphicAccess::regenerateWithCase):
2417         (JSC::PolymorphicAccess::visitWeak):
2418         (JSC::PolymorphicAccess::dump):
2419         (JSC::PolymorphicAccess::regenerate):
2420         (WTF::printInternal):
2421         (JSC::GetByIdAccess::GetByIdAccess): Deleted.
2422         (JSC::GetByIdAccess::~GetByIdAccess): Deleted.
2423         (JSC::GetByIdAccess::fromStructureStubInfo): Deleted.
2424         (JSC::GetByIdAccess::visitWeak): Deleted.
2425         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList): Deleted.
2426         (JSC::PolymorphicGetByIdList::from): Deleted.
2427         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList): Deleted.
2428         (JSC::PolymorphicGetByIdList::currentSlowPathTarget): Deleted.
2429         (JSC::PolymorphicGetByIdList::addAccess): Deleted.
2430         (JSC::PolymorphicGetByIdList::isFull): Deleted.
2431         (JSC::PolymorphicGetByIdList::isAlmostFull): Deleted.
2432         (JSC::PolymorphicGetByIdList::didSelfPatching): Deleted.
2433         (JSC::PolymorphicGetByIdList::visitWeak): Deleted.
2434         * bytecode/PolymorphicAccess.h: Copied from Source/JavaScriptCore/bytecode/PolymorphicGetByIdList.h.
2435         (JSC::AccessCase::isGet):
2436         (JSC::AccessCase::isPut):
2437         (JSC::AccessCase::isIn):
2438         (JSC::AccessCase::type):
2439         (JSC::AccessCase::offset):
2440         (JSC::AccessCase::viaProxy):
2441         (JSC::AccessCase::structure):
2442         (JSC::AccessCase::newStructure):
2443         (JSC::AccessCase::conditionSet):
2444         (JSC::AccessCase::additionalSet):
2445         (JSC::AccessCase::customSlotBase):
2446         (JSC::AccessCase::doesCalls):
2447         (JSC::AccessCase::callLinkInfo):
2448         (JSC::AccessCase::RareData::RareData):
2449         (JSC::PolymorphicAccess::isEmpty):
2450         (JSC::PolymorphicAccess::size):
2451         (JSC::PolymorphicAccess::at):
2452         (JSC::PolymorphicAccess::operator[]):
2453         (JSC::GetByIdAccess::GetByIdAccess): Deleted.
2454         (JSC::GetByIdAccess::isSet): Deleted.
2455         (JSC::GetByIdAccess::operator!): Deleted.
2456         (JSC::GetByIdAccess::type): Deleted.
2457         (JSC::GetByIdAccess::structure): Deleted.
2458         (JSC::GetByIdAccess::conditionSet): Deleted.
2459         (JSC::GetByIdAccess::stubRoutine): Deleted.
2460         (JSC::GetByIdAccess::doesCalls): Deleted.
2461         (JSC::PolymorphicGetByIdList::isEmpty): Deleted.
2462         (JSC::PolymorphicGetByIdList::size): Deleted.
2463         (JSC::PolymorphicGetByIdList::at): Deleted.
2464         (JSC::PolymorphicGetByIdList::operator[]): Deleted.
2465         * bytecode/PolymorphicAccessStructureList.h: Removed.
2466         * bytecode/PolymorphicGetByIdList.cpp: Removed.
2467         * bytecode/PolymorphicGetByIdList.h: Removed.
2468         * bytecode/PolymorphicPutByIdList.cpp: Removed.
2469         * bytecode/PolymorphicPutByIdList.h: Removed.
2470         * bytecode/PutByIdStatus.cpp:
2471         (JSC::PutByIdStatus::computeForStubInfo):
2472         * bytecode/StructureStubInfo.cpp:
2473         (JSC::StructureStubInfo::deref):
2474         (JSC::StructureStubInfo::addAccessCase):
2475         (JSC::StructureStubInfo::reset):
2476         (JSC::StructureStubInfo::visitWeakReferences):
2477         * bytecode/StructureStubInfo.h:
2478         (JSC::StructureStubInfo::StructureStubInfo):
2479         (JSC::StructureStubInfo::initGetByIdSelf):
2480         (JSC::StructureStubInfo::initPutByIdReplace):
2481         (JSC::StructureStubInfo::initStub):
2482         (JSC::StructureStubInfo::setSeen):
2483         (JSC::getStructureStubInfoCodeOrigin):
2484         (JSC::isGetByIdAccess): Deleted.
2485         (JSC::isPutByIdAccess): Deleted.
2486         (JSC::isInAccess): Deleted.
2487         (JSC::StructureStubInfo::initGetByIdList): Deleted.
2488         (JSC::StructureStubInfo::initPutByIdTransition): Deleted.
2489         (JSC::StructureStubInfo::initPutByIdList): Deleted.
2490         (JSC::StructureStubInfo::initInList): Deleted.
2491         (JSC::StructureStubInfo::addWatchpoint): Deleted.
2492         * dfg/DFGSpeculativeJIT.cpp:
2493         (JSC::DFG::SpeculativeJIT::compileIn):
2494         * ftl/FTLCompile.cpp:
2495         (JSC::FTL::mmAllocateDataSection):
2496         * jit/AccessorCallJITStubRoutine.cpp: Removed.
2497         * jit/AccessorCallJITStubRoutine.h: Removed.
2498         * jit/AssemblyHelpers.h:
2499         (JSC::AssemblyHelpers::branchIfEmpty):
2500         (JSC::AssemblyHelpers::branchStructure):
2501         (JSC::AssemblyHelpers::boxBooleanPayload):
2502         (JSC::AssemblyHelpers::boxBoolean):
2503         (JSC::AssemblyHelpers::boxInt32):
2504         * jit/BinarySwitch.cpp:
2505         (JSC::BinarySwitch::BinarySwitch):
2506         (JSC::BinarySwitch::build):
2507         (JSC::BinarySwitch::Case::dump):
2508         (JSC::BinarySwitch::BranchCode::dump):
2509         * jit/BinarySwitch.h:
2510         (JSC::BinarySwitch::Case::operator<):
2511         (JSC::BinarySwitch::BranchCode::BranchCode):
2512         * jit/JIT.h:
2513         * jit/JITInlineCacheGenerator.cpp:
2514         (JSC::garbageStubInfo):
2515         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2516         (JSC::JITByIdGenerator::JITByIdGenerator):
2517         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2518         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2519         * jit/JITInlineCacheGenerator.h:
2520         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2521         (JSC::JITInlineCacheGenerator::stubInfo):
2522         (JSC::JITByIdGenerator::JITByIdGenerator):
2523         (JSC::JITByIdGenerator::reportSlowPathCall):
2524         * jit/JITOperations.cpp:
2525         * jit/Repatch.cpp:
2526         (JSC::repatchCall):
2527         (JSC::repatchByIdSelfAccess):
2528         (JSC::resetGetByIDCheckAndLoad):
2529         (JSC::resetPutByIDCheckAndLoad):
2530         (JSC::replaceWithJump):
2531         (JSC::tryCacheGetByID):
2532         (JSC::repatchGetByID):
2533         (JSC::appropriateGenericPutByIdFunction):
2534         (JSC::appropriateOptimizingPutByIdFunction):
2535         (JSC::tryCachePutByID):
2536         (JSC::repatchPutByID):
2537         (JSC::tryRepatchIn):
2538         (JSC::repatchIn):
2539         (JSC::resetGetByID):
2540         (JSC::resetPutByID):
2541         (JSC::checkObjectPropertyCondition): Deleted.
2542         (JSC::checkObjectPropertyConditions): Deleted.
2543         (JSC::emitRestoreScratch): Deleted.
2544         (JSC::linkRestoreScratch): Deleted.
2545         (JSC::toString): Deleted.
2546         (JSC::kindFor): Deleted.
2547         (JSC::customFor): Deleted.
2548         (JSC::generateByIdStub): Deleted.
2549         (JSC::patchJumpToGetByIdStub): Deleted.
2550         (JSC::tryBuildGetByIDList): Deleted.
2551         (JSC::buildGetByIDList): Deleted.
2552         (JSC::appropriateListBuildingPutByIdFunction): Deleted.
2553         (JSC::emitPutReplaceStub): Deleted.
2554         (JSC::emitPutTransitionStub): Deleted.
2555         (JSC::tryBuildPutByIdList): Deleted.
2556         (JSC::buildPutByIdList): Deleted.
2557         * jit/ScratchRegisterAllocator.cpp:
2558         (JSC::ScratchRegisterAllocator::lock):
2559         (JSC::ScratchRegisterAllocator::allocateScratch):
2560         * jit/ScratchRegisterAllocator.h:
2561         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2562         * jsc.cpp:
2563         (GlobalObject::finishCreation):
2564         (functionQuit):
2565         (functionAbort):
2566         (functionFalse1):
2567         (functionFalse2):
2568         * runtime/Options.h:
2569         * tests/stress/array-message-passing.js: Added.
2570         (window.addEventListener):
2571         (window.postMessage):
2572         (window._handleEvents):
2573         (testPassed):
2574         (testFailed):
2575         (classCompare):
2576         (bufferCompare):
2577         (viewCompare):
2578         (typedArrayCompare):
2579         (dataViewCompare):
2580         (dataViewCompare2):
2581         (dataViewCompare3):
2582         (createBuffer):
2583         (createTypedArray):
2584         (createTypedArrayOverBuffer):
2585         (new.DataView):
2586         (testList.testList.concat.basicBufferTypes.map):
2587         (doneTest):
2588
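Added illustration, not code from JavaScriptCore: a C++ model of the two inline-cache shapes contrasted in the entry above, and of the binary-search selection that the WebAssembly switch entry (2015-09-10, "Implement switch statements in WebAssembly") also relies on through JSC::BinarySwitch. AccessCase, StubChain and PolymorphicAccessModel are hypothetical stand-ins, the "strictness" field is a constructed proxy for the looser-or-stricter checks the entry talks about, and the binary search stands in for the generated BinarySwitch. It shows the two properties the entry claims: a chain of per-case stubs costs a number of checks linear in the case count and keeps subsumed cases forever, while a single regenerated stub drops a subsumed case and selects in logarithmic time.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Hypothetical model of an AccessCase (not the JSC class): the Structure it guards on, how
// strict its extra check is (lower = looser, subsuming stricter cases on the same structure),
// and the handler it selects.
struct AccessCase { uint32_t structureID; int strictness; int handler; };

// Old shape: each new stub was linked in front of the earlier ones, so a lookup
// walks the chain and stale cases are never removed.
class StubChain {
public:
    void add(const AccessCase& c) { m_chain.insert(m_chain.begin(), c); }
    // Returns the handler, or -1 for the slow path; counts structure comparisons.
    int dispatch(uint32_t structureID, int& comparisons) const
    {
        for (const AccessCase& c : m_chain) {
            ++comparisons;
            if (c.structureID == structureID) return c.handler;
        }
        return -1;
    }
private:
    std::vector<AccessCase> m_chain;
};

// New shape: one stub regenerated from the whole case list. A case that subsumes
// an existing one replaces it, and selection is a binary search over sorted
// structure IDs, standing in for the BinarySwitch.
class PolymorphicAccessModel {
public:
    void add(const AccessCase& c)
    {
        for (AccessCase& existing : m_cases) {
            if (existing.structureID != c.structureID) continue;
            if (existing.strictness <= c.strictness) return; // existing looser case already covers c
            existing = c;                                     // c subsumes the old case: drop it
            regenerate();
            return;
        }
        m_cases.push_back(c);
        regenerate();
    }
    int dispatch(uint32_t structureID, int& comparisons) const
    {
        size_t low = 0, high = m_cases.size();
        while (low < high) {
            size_t mid = low + (high - low) / 2;
            ++comparisons;
            if (m_cases[mid].structureID == structureID) return m_cases[mid].handler;
            if (m_cases[mid].structureID < structureID) low = mid + 1; else high = mid;
        }
        return -1;
    }
    size_t size() const { return m_cases.size(); }
private:
    void regenerate()
    {
        std::sort(m_cases.begin(), m_cases.end(),
            [](const AccessCase& a, const AccessCase& b) { return a.structureID < b.structureID; });
    }
    std::vector<AccessCase> m_cases;
};

// Worst-case number of comparisons to dispatch any of n distinct structures.
template<typename Access> static int worstCase(int n)
{
    Access access;
    for (int i = 1; i <= n; ++i)
        access.add(AccessCase { uint32_t(i), 1, i });
    int worst = 0;
    for (int i = 1; i <= n; ++i) {
        int comparisons = 0;
        access.dispatch(uint32_t(i), comparisons);
        worst = std::max(worst, comparisons);
    }
    return worst;
}

// Returns {handler selected for structure 7, number of cases kept} after a
// strict case, a looser case that subsumes it, and a stricter redundant case.
static std::pair<int, size_t> subsumptionResult()
{
    PolymorphicAccessModel access;
    access.add(AccessCase { 7, 2, 1 });
    access.add(AccessCase { 7, 1, 2 });
    access.add(AccessCase { 7, 3, 3 });
    int comparisons = 0;
    return { access.dispatch(7, comparisons), access.size() };
}

int main()
{
    std::printf("chain: %d, binary switch: %d, handler %d from %zu case(s)\n", worstCase<StubChain>(1000),
        worstCase<PolymorphicAccessModel>(1000), subsumptionResult().first, subsumptionResult().second);
    return 0;
}
```

With a thousand structures the chain needs up to a thousand comparisons while the sorted model needs about ten, and structure 7 ends up with a single case that selects the looser handler.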
2589 2015-09-10  Geoffrey Garen  <ggaren@apple.com>
2590
2591         CodeBlock::codeType() doesn't need to compute anything
2592         https://bugs.webkit.org/show_bug.cgi?id=149039
2593
2594         Reviewed by Michael Saboff.
2595
2596         CodeBlock already has an m_codeType data member.
2597
2598         * bytecode/CodeBlock.h:
2599         (JSC::CodeBlock::codeType):
2600         (JSC::CodeBlock::putByIdContext):
2601
2602 2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2603
2604         Implement global variables in WebAssembly
2605         https://bugs.webkit.org/show_bug.cgi?id=149031
2606
2607         Reviewed by Geoffrey Garen.
2608
2609         This patch implements global variables in WebAssembly. There are two
2610         types of global variables in the current format that we use (the format
2611         used by <https://github.com/WebAssembly/polyfill-prototype-1>): internal
2612         global variables and imported global variables. This patch does not yet
2613         import values for imported global variables. It will be done in a
2614         subsequent patch.
2615
2616         * tests/stress/wasm-globals.js: Added.
2617         (shouldBe):
2618         * tests/stress/wasm/globals.wasm: Added.
2619         * wasm/JSWASMModule.h:
2620         (JSC::JSWASMModule::globalVariables):
2621         * wasm/WASMFunctionCompiler.h:
2622         (JSC::WASMFunctionCompiler::buildSetGlobal):
2623         (JSC::WASMFunctionCompiler::buildGetGlobal):
2624         * wasm/WASMFunctionParser.cpp:
2625         (JSC::WASMFunctionParser::parseStatement):
2626         (JSC::WASMFunctionParser::parseSetGlobalStatement):
2627         (JSC::WASMFunctionParser::parseExpressionI32):
2628         (JSC::WASMFunctionParser::parseGetGlobalExpressionI32):
2629         (JSC::WASMFunctionParser::parseExpressionF64):
2630         (JSC::WASMFunctionParser::parseGetGlobalExpressionF64):
2631         * wasm/WASMFunctionParser.h:
2632         * wasm/WASMFunctionSyntaxChecker.h:
2633         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal):
2634         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal):
2635         * wasm/WASMModuleParser.cpp:
2636         (JSC::WASMModuleParser::parseGlobalSection):
2637
2638 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2639
2640         Consider long module path name case in Windows
2641         https://bugs.webkit.org/show_bug.cgi?id=148917
2642
2643         Reviewed by Alex Christensen.
2644
2645         The local file system module loader in the JSC shell manages the module files by the absolute path.
2646         However, in Windows, _MAX_PATH is defined as 260. So if a path like the current working directory or the path to the module is long,
2647         it will be truncated by the API and it fails to open the file.
2648         In JSC tests in Apple Windows buildbot, since the current working directory is long enough, the tests failed.
2649
2650         This patch introduces the following 3 tweaks.
2651
2652         1. When retrieving the current working path, we use GetCurrentDirectoryW instead of _getcwd.
2653            GetCurrentDirectoryW allows the long path while _getcwd automatically truncates the result at _MAX_PATH.
2654
2655         2. Before opening the module file, we prepend "\\?\" to the path. It converts the local file path to the long UNC path
2656            which allows longer path names.
2657
2658         3. Since the Windows ASCII APIs accept the characters in the current code page, we use the Unicode APIs like _wfopen instead.
2659
2660         And enable the once disabled module tests in Windows.
2661
2662         Since this functionality is part of the JSC shell to run the module tests, it is now implemented in jsc.cpp.
2663
2664         * jsc.cpp:
2665         (stringFromUTF):
2666         (jscSource):
2667         (extractDirectoryName):
2668         (currentWorkingDirectory):
2669         (convertShebangToJSComment):
2670         (fillBufferWithContentsOfFile):
2671         (fetchScriptFromLocalFileSystem):
2672         (fetchModuleFromLocalFileSystem):
2673         (GlobalObject::moduleLoaderFetch):
2674         (functionRun):
2675         (functionLoad):
2676         (functionReadFile):
2677         (functionCheckSyntax):
2678         (functionLoadModule):
2679         (runWithScripts):
2680         (runInteractive):
2681         * tests/modules.yaml:
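
Added example, not WebKit's jsc.cpp code: a C++ helper that turns an absolute path into the extended-length "\\?\" form described in tweak 2, and also does the work that Win32 stops doing once that prefix is present (separator conversion and "." / ".." resolution). It assumes the caller has already built an absolute path, for example by joining the GetCurrentDirectoryW result with the module name; the result is the string that would then be handed to wide-character APIs such as _wfopen. The function name toExtendedLengthPath is hypothetical.

```cpp
#include <cwctype>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical helper (not JSC code): convert an absolute Win32 path into the
// extended-length "\\?\" form so it is no longer limited to _MAX_PATH (260).
// The prefix switches off Win32 path normalization, so separator conversion and
// "." / ".." resolution, which normalization would otherwise do, are done here.
std::wstring toExtendedLengthPath(std::wstring path)
{
    const std::wstring prefix = L"\\\\?\\";

    // Already an extended-length path or a device path: leave it untouched.
    if (path.compare(0, 4, prefix) == 0 || path.compare(0, 4, L"\\\\.\\") == 0)
        return path;

    // Only backslashes are accepted as separators after the prefix.
    for (wchar_t& c : path) {
        if (c == L'/')
            c = L'\\';
    }

    // Work out the root: a UNC share (\\server\share) or a drive (C:\).
    std::wstring root;
    std::wstring remainder;
    bool isUnc = path.size() > 2 && path[0] == L'\\' && path[1] == L'\\';
    bool isDrive = path.size() >= 3 && std::iswalpha(path[0]) && path[1] == L':' && path[2] == L'\\';
    if (isUnc) {
        root = prefix + L"UNC\\";
        remainder = path.substr(2);
    } else if (isDrive) {
        root = prefix + path.substr(0, 3);
        remainder = path.substr(3);
    } else {
        // A relative path cannot be prefixed: Win32 would no longer resolve it.
        throw std::invalid_argument("extended-length paths must be absolute");
    }

    // Resolve "." and ".." segments ourselves; ".." never climbs above the root.
    std::vector<std::wstring> segments;
    size_t start = 0;
    while (start <= remainder.size()) {
        size_t end = remainder.find(L'\\', start);
        if (end == std::wstring::npos)
            end = remainder.size();
        std::wstring segment = remainder.substr(start, end - start);
        if (segment == L"..") {
            if (!segments.empty())
                segments.pop_back();
        } else if (!segment.empty() && segment != L".") {
            segments.push_back(segment);
        }
        start = end + 1;
    }

    std::wstring result = root;
    for (size_t i = 0; i < segments.size(); ++i) {
        if (i)
            result += L'\\';
        result += segments[i];
    }
    return result;
}
```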
2682
2683 2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2684
2685         Convert arguments to WebAssembly functions to the declared types
2686         https://bugs.webkit.org/show_bug.cgi?id=149033
2687
2688         Reviewed by Geoffrey Garen.
2689
2690         This patch checks the types of arguments to WebAssembly functions and
2691         converts them to the declared types. This is necessary because:
2692         - For example, if a function expects an argument of type double and we
2693           pass 1.0 to it, it will get a JSValue of an integer, not a double.
2694         - We should follow asm.js's behavior for now, because we want to be able
2695           to test WebAssembly apps against asm.js apps. asm.js does type
2696           coercion on arguments by using int|0, Math.fround(float), and +double.
2697
2698         * jit/JITOperations.h:
2699         * tests/stress/wasm-type-conversion.js: Added.
2700         (shouldBe):
2701         (two.valueOf):
2702         * tests/stress/wasm/type-conversion.wasm: Added.
2703         * wasm/WASMFunctionCompiler.h:
2704         (JSC::operationConvertJSValueToInt32):
2705         (JSC::operationConvertJSValueToDouble):
2706         (JSC::WASMFunctionCompiler::startFunction):
2707         (JSC::WASMFunctionCompiler::appendCallSetResult):
2708         (JSC::WASMFunctionCompiler::callOperation):
2709         (JSC::WASMFunctionCompiler::loadValueAndConvertToInt32):
2710         (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble):
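
Added example in C++, not JSC's operationConvertJSValueToInt32 / operationConvertJSValueToDouble: the ECMAScript coercions behind asm.js "int|0" and "+double", applied to a constructed stand-in for a boxed value so that 1.0 boxed as an int32 and as a double both reach the callee as the declared type. BoxedValue and the function names are hypothetical, the valueOf protocol is not modelled (non-numeric values simply become NaN), and Math.fround is left out.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed stand-in for a boxed JS value (not JSC's JSValue). The engine may box
// the same numeric argument either as an int32 or as a double: a call such as f(1.0)
// arrives as the int32 1, so a function declared to take a double must convert it.
struct BoxedValue {
    enum class Kind { Int32, Double, NonNumeric } kind;
    int32_t int32;
    double number;
};

BoxedValue boxInt32(int32_t value) { return { BoxedValue::Kind::Int32, value, 0.0 }; }
BoxedValue boxDouble(double value) { return { BoxedValue::Kind::Double, 0, value }; }
BoxedValue boxNonNumeric() { return { BoxedValue::Kind::NonNumeric, 0, 0.0 }; }

// ToNumber for this toy value. Assumption: no valueOf/toString protocol is modelled,
// so anything non-numeric becomes NaN (a real engine would call valueOf first).
double toNumber(const BoxedValue& value)
{
    switch (value.kind) {
    case BoxedValue::Kind::Int32:
        return static_cast<double>(value.int32);
    case BoxedValue::Kind::Double:
        return value.number;
    default:
        return std::numeric_limits<double>::quiet_NaN();
    }
}

// ECMAScript ToInt32, the coercion behind asm.js "x|0": NaN and infinities become 0,
// everything else is truncated and reduced modulo 2^32 into the signed range.
// A bare static_cast<int32_t>(double) is undefined behaviour for NaN, infinities and
// out-of-range values, so the reduction is done in double arithmetic first.
int32_t toInt32(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return 0;
    const double twoTo32 = 4294967296.0;
    double modulo = std::fmod(std::trunc(number), twoTo32); // integer in (-2^32, 2^32)
    if (modulo < 0)
        modulo += twoTo32; // now an integer in [0, 2^32)
    uint32_t bits = static_cast<uint32_t>(modulo);
    if (bits < 0x80000000u)
        return static_cast<int32_t>(bits);
    // Two's-complement wraparound without relying on an implementation-defined cast.
    return static_cast<int32_t>(bits - 0x80000000u) + std::numeric_limits<int32_t>::min();
}

// The two argument conversions for declared parameter types: "int|0" and "+double".
int32_t convertArgumentToInt32(const BoxedValue& value) { return toInt32(toNumber(value)); }
double convertArgumentToDouble(const BoxedValue& value) { return toNumber(value); }
```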
2711
2712 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2713
2714         JSInternalPromiseDeferred should inherit JSPromiseDeferred
2715         https://bugs.webkit.org/show_bug.cgi?id=149027
2716
2717         Reviewed by Darin Adler.
2718
2719         JSInternalPromiseDeferred is constructed by using JSPromiseDeferred implementation.
2720         So the class info of JSInternalPromiseDeferred should inherit JSPromiseDeferred.
2721
2722         * runtime/JSInternalPromiseDeferred.cpp:
2723
2724 2015-09-10  Michael Saboff  <msaboff@apple.com>
2725
2726         Add support for Callee-Saves registers
2727         https://bugs.webkit.org/show_bug.cgi?id=148666
2728
2729         Reviewed by Filip Pizlo.
2730
2731         We save platform callee save registers right below the call frame header,
2732         in the location(s) starting with VirtualRegister 0.  This local space is
2733         allocated in the bytecode compiler.  This space is the maximum space
2734         needed for the callee registers that the LLInt and baseline JIT use,
2735         rounded up to a stack aligned number of VirtualRegisters.
2736         The LLInt explicitly saves and restores the registers in the macros
2737         preserveCalleeSavesUsedByLLInt and restoreCalleeSavesUsedByLLInt.
2738         The JITs save and restore callee save registers according to which registers
2739         are included in m_calleeSaveRegisters in the code block.
2740
2741         Added handling of callee save register restoration to exception handling.
2742         The basic flow is when an exception is thrown or one is recognized to
2743         have been generated in C++ code, we save the current state of all
2744         callee save registers to VM::calleeSaveRegistersBuffer.  As we unwind
2745         looking for the corresponding catch, we copy the callee saves from call
2746         frames to the same VM::calleeSaveRegistersBuffer.  This is done for all
2747         call frames on the stack up to but not including the call frame that has
2748         the corresponding catch block.  When we process the catch, we restore
2749         the callee save registers with the contents of VM::calleeSaveRegistersBuffer.
2750         If there isn't a catch, then handleUncaughtException will restore callee
2751         saves before it returns back to the calling C++.
2752
2753         Eliminated callee saves registers as free registers for various thunk
2754         generators as the callee saves may not have been saved by the function
2755         calling the thunk.
2756
2757         Added code to transition callee saves from one VM's format to another
2758         as part of OSR entry and OSR exit.
2759
2760         Cleaned up the static RegisterSet's including adding one for LLInt and
2761         baseline JIT callee saves and one to be used to allocate local registers
2762         not including the callee saves or other special registers.
2763
2764         Moved ftl/FTLRegisterAtOffset.{cpp,h} to jit/RegisterAtOffset.{cpp,h}.
2765         Factored out the vector of RegisterAtOffsets in ftl/FTLUnwindInfo.{cpp,h}
2766         into a new class in jit/RegisterAtOffsetList.{cpp,h}.
2767         Eliminated UnwindInfo and changed UnwindInfo::parse() into a standalone
2768         function named parseUnwindInfo.  That standalone function now returns
2769         the callee saves RegisterAtOffsetList.  This is stored in the CodeBlock
2770         and used instead of UnwindInfo.
2771
2772         Turned off register preservation thunks for outgoing calls from FTL
2773         generated code.  They'll be removed in a subsequent patch.
2774
2775         Changed specialized thunks to save and restore the contents of
2776         tagTypeNumberRegister and tagMaskRegister as they can be called by FTL
2777         compiled functions.  We materialize those tag registers for the thunk's
2778         use and then restore the prior contents on function exit.
2779
2780         Also removed the arity check fail return thunk since it is now the
2781         caller's responsibility to restore the stack pointer.
2782
2783         Removed saving of callee save registers and materialization of special
2784         tag registers for 64 bit platforms from vmEntryToJavaScript and
2785         vmEntryToNative.
2786
2787         * CMakeLists.txt:
2788         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2789         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2790         * JavaScriptCore.xcodeproj/project.pbxproj:
2791         * ftl/FTLJITCode.h:
2792         * ftl/FTLRegisterAtOffset.cpp: Removed.
2793         * ftl/FTLRegisterAtOffset.h: Removed.
2794         * ftl/FTLUnwindInfo.cpp:
2795         (JSC::FTL::parseUnwindInfo):
2796         (JSC::FTL::UnwindInfo::UnwindInfo): Deleted.
2797         (JSC::FTL::UnwindInfo::~UnwindInfo): Deleted.
2798         (JSC::FTL::UnwindInfo::parse): Deleted.
2799         (JSC::FTL::UnwindInfo::dump): Deleted.
2800         (JSC::FTL::UnwindInfo::find): Deleted.
2801         (JSC::FTL::UnwindInfo::indexOf): Deleted.
2802         * ftl/FTLUnwindInfo.h:
2803         (JSC::RegisterAtOffset::dump):
2804         * jit/RegisterAtOffset.cpp: Added.
2805         * jit/RegisterAtOffset.h: Added.
2806         (JSC::RegisterAtOffset::RegisterAtOffset):
2807         (JSC::RegisterAtOffset::operator!):
2808         (JSC::RegisterAtOffset::reg):
2809         (JSC::RegisterAtOffset::offset):
2810         (JSC::RegisterAtOffset::offsetAsIndex):
2811         (JSC::RegisterAtOffset::operator==):
2812         (JSC::RegisterAtOffset::operator<):
2813         (JSC::RegisterAtOffset::getReg):
2814         * jit/RegisterAtOffsetList.cpp: Added.
2815         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
2816         (JSC::RegisterAtOffsetList::sort):
2817         (JSC::RegisterAtOffsetList::dump):
2818         (JSC::RegisterAtOffsetList::find):
2819         (JSC::RegisterAtOffsetList::indexOf):
2820         * jit/RegisterAtOffsetList.h: Added.
2821         (JSC::RegisterAtOffsetList::clear):
2822         (JSC::RegisterAtOffsetList::size):
2823         (JSC::RegisterAtOffsetList::at):
2824         (JSC::RegisterAtOffsetList::append):
2825         Moved and refactored use of FTLRegisterAtOffset to RegisterAtOffset.
2826         Added RegisterAtOffset and RegisterAtOffsetList to build configurations.
2827         Removed FTLRegisterAtOffset files.
2828
2829         * bytecode/CallLinkInfo.h:
2830         (JSC::CallLinkInfo::setUpCallFromFTL):
2831         Turned off FTL register preservation thunks.
2832
2833         * bytecode/CodeBlock.cpp:
2834         (JSC::CodeBlock::CodeBlock):
2835         (JSC::CodeBlock::setCalleeSaveRegisters):
2836         (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
2837         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2838         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2839         * bytecode/CodeBlock.h:
2840         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2841         (JSC::CodeBlock::calleeSaveRegisters):
2842         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2843         (JSC::CodeBlock::optimizeAfterWarmUp):
2844         (JSC::CodeBlock::numberOfDFGCompiles):
2845         Methods to manage a set of callee save registers.  Also to allocate the appropriate
2846         number of VirtualRegisters for callee saves.
2847
2848         * bytecompiler/BytecodeGenerator.cpp:
2849         (JSC::BytecodeGenerator::BytecodeGenerator):
2850         (JSC::BytecodeGenerator::allocateCalleeSaveSpace):
2851         * bytecompiler/BytecodeGenerator.h:
2852         Allocate the appropriate number of VirtualRegisters for callee saves needed by LLInt or baseline JIT.
2853
2854         * dfg/DFGJITCompiler.cpp:
2855         (JSC::DFG::JITCompiler::compileEntry):
2856         (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
2857         (JSC::DFG::JITCompiler::compileBody):
2858         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2859         (JSC::DFG::JITCompiler::compile):
2860         (JSC::DFG::JITCompiler::compileFunction):
2861         * dfg/DFGJITCompiler.h:
2862         * interpreter/Interpreter.cpp:
2863         (JSC::UnwindFunctor::operator()):
2864         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
2865         * dfg/DFGPlan.cpp:
2866         (JSC::DFG::Plan::compileInThreadImpl):
2867         * dfg/DFGSpeculativeJIT.cpp:
2868         (JSC::DFG::SpeculativeJIT::usedRegisters):
2869         * dfg/DFGSpeculativeJIT32_64.cpp:
2870         (JSC::DFG::SpeculativeJIT::compile):
2871         * dfg/DFGSpeculativeJIT64.cpp:
2872         (JSC::DFG::SpeculativeJIT::compile):
2873         * dfg/DFGStackLayoutPhase.cpp:
2874         (JSC::DFG::StackLayoutPhase::run):
2875         * ftl/FTLCompile.cpp:
2876         (JSC::FTL::fixFunctionBasedOnStackMaps):
2877         (JSC::FTL::compile):
2878         * ftl/FTLLink.cpp:
2879         (JSC::FTL::link):
2880         * ftl/FTLOSRExitCompiler.cpp:
2881         (JSC::FTL::compileStub):
2882         * ftl/FTLThunks.cpp:
2883         (JSC::FTL::osrExitGenerationThunkGenerator):
2884         * jit/ArityCheckFailReturnThunks.cpp: Removed.
2885         * jit/ArityCheckFailReturnThunks.h: Removed.
2886         * jit/JIT.cpp:
2887         (JSC::JIT::emitEnterOptimizationCheck):
2888         (JSC::JIT::privateCompile):
2889         (JSC::JIT::privateCompileExceptionHandlers):
2890         * jit/JITCall32_64.cpp:
2891         (JSC::JIT::emit_op_ret):
2892         * jit/JITExceptions.cpp:
2893         (JSC::genericUnwind):
2894         * jit/JITExceptions.h:
2895         * jit/JITOpcodes.cpp:
2896         (JSC::JIT::emit_op_end):
2897         (JSC::JIT::emit_op_ret):
2898         (JSC::JIT::emit_op_throw):
2899         (JSC::JIT::emit_op_catch):
2900         (JSC::JIT::emit_op_enter):
2901         (JSC::JIT::emitSlow_op_loop_hint):
2902         * jit/JITOpcodes32_64.cpp:
2903         (JSC::JIT::emit_op_end):
2904         (JSC::JIT::emit_op_throw):
2905         (JSC::JIT::emit_op_catch):
2906         * jit/JITOperations.cpp:
2907         * jit/Repatch.cpp:
2908         (JSC::generateByIdStub):
2909         * jit/ThunkGenerators.cpp:
2910         * llint/LLIntData.cpp:
2911         (JSC::LLInt::Data::performAssertions):
2912         * llint/LLIntSlowPaths.cpp:
2913         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2914         * llint/LowLevelInterpreter.asm:
2915         * llint/LowLevelInterpreter32_64.asm:
2916         * llint/LowLevelInterpreter64.asm:
2917         (JSC::throwExceptionFromCallSlowPathGenerator):
2918         (JSC::arityFixupGenerator):
2919         * runtime/CommonSlowPaths.cpp:
2920         (JSC::setupArityCheckData):
2921         * runtime/CommonSlowPaths.h:
2922         (JSC::CommonSlowPaths::arityCheckFor):
2923         Emit code to save and restore callee save registers and materialize tagTypeNumberRegister
2924         and tagMaskRegister.
2925         Handle callee saves when tiering up.
2926         Copy callee saves register contents to VM::calleeSaveRegistersBuffer at beginning of
2927         exception processing.
2928         Process callee save registers in frames when unwinding from an exception.
2929         Restore callee saves register contents from VM::calleeSaveRegistersBuffer on catch.
2930         Use appropriate register set to make sure we don't allocate a callee save register when
2931         compiling a thunk.
2932         Helper to populate tagTypeNumberRegister and tagMaskRegister with the appropriate
2933         constants.
2934         Removed arity fixup return thunks.
2935
2936         * dfg/DFGOSREntry.cpp:
2937         (JSC::DFG::prepareOSREntry):
2938         * dfg/DFGOSRExitCompiler32_64.cpp:
2939         (JSC::DFG::OSRExitCompiler::compileExit):
2940         * dfg/DFGOSRExitCompiler64.cpp:
2941         (JSC::DFG::OSRExitCompiler::compileExit):
2942         * dfg/DFGOSRExitCompilerCommon.cpp:
2943         (JSC::DFG::reifyInlinedCallFrames):
2944         (JSC::DFG::adjustAndJumpToTarget):
2945         Restore callee saves from the DFG and save the appropriate ones for the baseline JIT.
2946         Materialize the tag registers on 64 bit platforms.
2947
2948         * jit/AssemblyHelpers.h:
2949         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
2950         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
2951         (JSC::AssemblyHelpers::emitSaveCalleeSaves):
2952         (JSC::AssemblyHelpers::emitRestoreCalleeSaves):
2953         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
2954         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
2955         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
2956         (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
2957         New helpers to save and restore callee saves as well as materialize the tag registers
2958         contents.
2959
2960         * jit/FPRInfo.h:
2961         * jit/GPRInfo.h:
2962         (JSC::GPRInfo::toRegister):
2963         Updated to include FP callee save registers.  Added number of callee saves registers and
2964         cleaned up register aliases that collide with callee save registers.
2965
2966         * jit/JITPropertyAccess.cpp:
2967         (JSC::JIT::emitGetByValWithCachedId):
2968         (JSC::JIT::emitPutByValWithCachedId):
2969         (JSC::JIT::emit_op_get_by_id):
2970         (JSC::JIT::emit_op_put_by_id):
2971         * jit/JITPropertyAccess32_64.cpp:
2972         (JSC::JIT::emitGetByValWithCachedId):
2973         (JSC::JIT::emitPutByValWithCachedId):
2974         (JSC::JIT::emit_op_get_by_id):
2975         (JSC::JIT::emit_op_put_by_id):
2976         Uses new stubUnavailableRegisters register set to limit what registers are available for
2977         temporaries.
2978
2979         * jit/RegisterSet.cpp:
2980         (JSC::RegisterSet::stubUnavailableRegisters):
2981         (JSC::RegisterSet::calleeSaveRegisters):
2982         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
2983         (JSC::RegisterSet::dfgCalleeSaveRegisters):
2984         (JSC::RegisterSet::ftlCalleeSaveRegisters):
2985         * jit/RegisterSet.h:
2986         New register sets with the callee saves used by various tiers as well as one listing registers
2987         not available to stub code.
2988
2989         * jit/SpecializedThunkJIT.h:
2990         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2991         (JSC::SpecializedThunkJIT::loadDoubleArgument):
2992         (JSC::SpecializedThunkJIT::returnJSValue):
2993         (JSC::SpecializedThunkJIT::returnDouble):
2994         (JSC::SpecializedThunkJIT::returnInt32):
2995         (JSC::SpecializedThunkJIT::returnJSCell):
2996         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
2997         (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters):
2998         (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters):
2999         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
3000         * jit/ThunkGenerators.cpp:
3001         (JSC::nativeForGenerator):
3002         Changed to save and restore existing tag register contents as they may contain other values.
3003         After saving the existing values, we materialize the tag constants.
3004
3005         * jit/TempRegisterSet.h:
3006         (JSC::TempRegisterSet::getFPRByIndex):
3007         (JSC::TempRegisterSet::getFreeFPR):
3008         (JSC::TempRegisterSet::setByIndex):
3009         * offlineasm/arm64.rb:
3010         * offlineasm/registers.rb:
3011         Added methods for floating point registers to support callee save FP registers.
3012
3013         * jit/JITArithmetic32_64.cpp:
3014         (JSC::JIT::emit_op_mod):
3015         Removed unnecessary #if CPU(X86_64) check from this 32 bit only file.
3016
3017         * offlineasm/x86.rb:
3018         Fixed Windows callee saves naming.
3019
3020         * runtime/VM.cpp:
3021         (JSC::VM::VM):
3022         * runtime/VM.h:
3023         (JSC::VM::calleeSaveRegistersBufferOffset):
3024         (JSC::VM::getAllCalleeSaveRegistersMap):
3025         Provide a RegisterSaveMap that has all registers that might be saved.  Added a callee save buffer to be
3026         used for OSR exit and for exception processing in a future patch.
3027
3028 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3029
3030         ModuleProgramExecutable should provide CodeBlock to ScriptExecutable::forEachCodeBlock
3031         https://bugs.webkit.org/show_bug.cgi?id=149028
3032
3033         Reviewed by Michael Saboff.
3034
3035         ModuleProgramExecutable should provide CodeBlock since ModuleProgramExecutable inherits
3036         ScriptExecutable.
3037
3038         * bytecode/CodeBlock.h:
3039         (JSC::ScriptExecutable::forEachCodeBlock):
3040
3041 2015-09-09  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3042
3043         Implement internal calls in WebAssembly
3044         https://bugs.webkit.org/show_bug.cgi?id=148998
3045
3046         Reviewed by Filip Pizlo.
3047
3048         This patch implements internal calls to functions that return a 32-bit
3049         integer in WebAssembly.
3050
3051         * tests/stress/wasm-calls.js: Added.
3052         (shouldBe):
3053         * tests/stress/wasm/calls.wasm: Added.
3054         * wasm/WASMFunctionCompiler.h:
3055         (JSC::WASMFunctionCompiler::WASMFunctionCompiler):
3056         (JSC::WASMFunctionCompiler::endFunction):
3057         (JSC::WASMFunctionCompiler::buildCallInternal):
3058         (JSC::WASMFunctionCompiler::appendExpressionList):
3059         (JSC::WASMFunctionCompiler::emitNakedCall):
3060         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
3061         (JSC::WASMFunctionCompiler::callAndUnboxResult):
3062         * wasm/WASMFunctionParser.cpp:
3063         (JSC::WASMFunctionParser::compile):
3064         (JSC::WASMFunctionParser::parseExpressionI32):
3065         (JSC::WASMFunctionParser::parseCallInternalExpressionI32):
3066         (JSC::WASMFunctionParser::parseCallArguments):
3067         (JSC::WASMFunctionParser::parseCallInternal):
3068         * wasm/WASMFunctionParser.h:
3069         * wasm/WASMFunctionSyntaxChecker.h:
3070         (JSC::WASMFunctionSyntaxChecker::buildCallInternal):
3071         (JSC::WASMFunctionSyntaxChecker::appendExpressionList):
3072
3073 2015-09-09  Commit Queue  <commit-queue@webkit.org>
3074
3075         Unreviewed, rolling out r189522.
3076         https://bugs.webkit.org/show_bug.cgi?id=149020
3077
3078         "Caused a ~4% Speedometer regression" (Requested by cdumez on
3079         #webkit).
3080
3081         Reverted changeset:
3082
3083         "Function.prototype.bind: Bound functions must use the
3084         [[Prototype]] of their target function instead of
3085         Function.prototype"
3086         https://bugs.webkit.org/show_bug.cgi?id=145605
3087         http://trac.webkit.org/changeset/189522
3088
3089 2015-09-09  Geoffrey Garen  <ggaren@apple.com>
3090
3091         Fix the no-DFG build.
3092
3093         Unreviewed.
3094
3095         * bytecode/CodeBlock.cpp:
3096         (JSC::CodeBlock::visitOSRExitTargets):
3097         (JSC::CodeBlock::stronglyVisitStrongReferences):
3098
3099 2015-09-09  Geoffrey Garen  <ggaren@apple.com>
3100
3101         CodeBlocks should strongly visit their OSR exit targets
3102         https://bugs.webkit.org/show_bug.cgi?id=148988
3103
3104         Reviewed by Saam Barati.
3105
3106         CodeBlocks jump to their OSR exit targets, so we need to keep them alive
3107         explicitly.
3108
3109         This is a step toward throwing away CodeBlocks, which is only safe
3110         if we keep alive logically in-use CodeBlocks.
3111
3112         * bytecode/CodeBlock.cpp:
3113         (JSC::CodeBlock::CodeBlock):
3114         (JSC::CodeBlock::visitStrongly): Added a flag to indicate if visit
3115         strongly had been performed yet, since we are likely to revisit
3116         the same CodeBlock many times now.
3117
3118         (JSC::CodeBlock::visitOSRExitTargets):
3119         (JSC::CodeBlock::stronglyVisitStrongReferences): Do the visiting.
3120
3121         * bytecode/CodeBlock.h:
3122         (JSC::CodeBlock::clearMarks):
3123         (JSC::CodeBlockSet::mark): Added a helper function for clearing out
3124         two flags.
3125
3126 2015-09-09  Geoffrey Garen  <ggaren@apple.com>
3127
3128         Unreviewed, rolling back in r189516.
3129         https://bugs.webkit.org/show_bug.cgi?id=148989
3130
3131         Restored changeset:
3132
3133         "GC should be able to discover new strong CodeBlock references
3134         during marking"
3135         https://bugs.webkit.org/show_bug.cgi?id=148981
3136         http://trac.webkit.org/changeset/189516
3137
3138         This patch caused infinite recursion on Windows because of a pre-existing
3139         logical error in the non-parallel GC configuration. Even in non-parallel
3140         GC, we must set the mark bit on a CodeBlock to avoid marking it twice
3141         (or, in the case of our crash, infinitely recursively).
3142
3143 2015-09-09  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3144
3145         Implement the relational instructions for doubles in WebAssembly
3146         https://bugs.webkit.org/show_bug.cgi?id=148999
3147
3148         Reviewed by Filip Pizlo.
3149
3150         Implements the relational instructions for doubles (float64) in
3151         WebAssembly. Also pass the values into the test functions as Mark Lam
3152         suggested in https://bugs.webkit.org/show_bug.cgi?id=148882#c3
3153
3154         * tests/stress/wasm-relational.js:
3155         * tests/stress/wasm/relational.wasm:
3156         * wasm/WASMFunctionCompiler.h:
3157         (JSC::WASMFunctionCompiler::buildRelationalF64):
3158         * wasm/WASMFunctionParser.cpp:
3159         (JSC::WASMFunctionParser::parseExpressionI32):
3160         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32):
3161         * wasm/WASMFunctionParser.h:
3162         * wasm/WASMFunctionSyntaxChecker.h:
3163         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32):
3164         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64):
3165
3166 2015-09-09  Saam barati  <sbarati@apple.com>
3167
3168         DFG should have a debugging option that runs a phase that flushes all locals
3169         https://bugs.webkit.org/show_bug.cgi?id=148916
3170
3171         Reviewed by Filip Pizlo.
3172
3173         There is now an option to enable the DFG's new MaximalFlushInsertionPhase
3174         phase to run. This phase ensures that we keep all locals and arguments flushed
3175         to the stack at all places in the CFG. This phase is helpful for finding
3176         a class of bugs where enabling this phase to run removes the bug.
3177         This may also be useful in the development of a faster debugger
3178         that doesn't capture all variables.
3179
3180         * CMakeLists.txt:
3181         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3182         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3183         * JavaScriptCore.xcodeproj/project.pbxproj:
3184         * dfg/DFGMaximalFlushInsertionPhase.cpp: Added.
3185         (JSC::DFG::MaximalFlushInsertionPhase::MaximalFlushInsertionPhase):
3186         (JSC::DFG::MaximalFlushInsertionPhase::run):
3187         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
3188         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
3189         (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData):
3190         (JSC::DFG::performMaximalFlushInsertion):
3191         * dfg/DFGMaximalFlushInsertionPhase.h: Added.
3192         * dfg/DFGPlan.cpp:
3193         (JSC::DFG::Plan::compileInThreadImpl):
3194         * runtime/Options.cpp:
3195         (JSC::recomputeDependentOptions):
3196         * runtime/Options.h:
3197
3198 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3199
3200         Refactor the test for the arithmetic instructions in WebAssembly
3201         https://bugs.webkit.org/show_bug.cgi?id=148983
3202
3203         Reviewed by Mark Lam.
3204
3205         Pass the values into the test functions as Mark Lam suggested in
3206         https://bugs.webkit.org/show_bug.cgi?id=148882#c3
3207
3208         * tests/stress/wasm-arithmetic-int32.js: Added.
3209         (shouldBe):
3210         (shouldThrow):
3211         * tests/stress/wasm-arithmetic.js: Removed.
3212         (shouldBe): Deleted.
3213         (shouldThrow): Deleted.
3214         * tests/stress/wasm/arithmetic-int32.wasm: Added.
3215         * tests/stress/wasm/arithmetic.wasm: Removed.
3216
3217 2015-09-08  Benjamin Poulain  <bpoulain@apple.com>
3218
3219         [JSC] reduce the amount of memory access needed for LivenessAnalysisPhase
3220         https://bugs.webkit.org/show_bug.cgi?id=148414
3221
3222         Reviewed by Mark Lam.
3223
3224         LivenessAnalysisPhase still causes a huge number of cache misses.
3225         This patch reduces the amount of accesses needed by the HashTables.
3226
3227         * dfg/DFGBasicBlock.h:
3228         * dfg/DFGLivenessAnalysisPhase.cpp:
3229         (JSC::DFG::LivenessAnalysisPhase::run):
3230         (JSC::DFG::LivenessAnalysisPhase::process):
3231
3232 2015-09-08  Myles C. Maxfield  <mmaxfield@apple.com>
3233
3234         Prospective build fix after r189517
3235
3236         Unreviewed.
3237
3238         * heap/MachineStackMarker.cpp:
3239         (JSC::MachineThreads::Thread::captureStack):
3240
3241 2015-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3242
3243         Unify symbolTableGet and Put in JSLexicalEnvironment and JSSymbolTableObject
3244         https://bugs.webkit.org/show_bug.cgi?id=148783
3245
3246         Reviewed by Geoffrey Garen.
3247
3248         Unify the symbolTableGet and symbolTablePut into JSSymbolTableObject's one.
3249         Since symbolTablePutWithAttributes in JSLexicalEnvironment is not used, we drop that function.
3250
3251         * runtime/JSEnvironmentRecord.h:
3252         (JSC::JSEnvironmentRecord::isValidScopeOffset):
3253         (JSC::JSEnvironmentRecord::variableAt):
3254         (JSC::JSEnvironmentRecord::isValid): Deleted.
3255         * runtime/JSGlobalLexicalEnvironment.cpp:
3256         (JSC::JSGlobalLexicalEnvironment::put):
3257         * runtime/JSGlobalObject.cpp:
3258         (JSC::JSGlobalObject::put):
3259         * runtime/JSLexicalEnvironment.cpp:
3260         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3261         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
3262         (JSC::JSLexicalEnvironment::put):
3263         (JSC::JSLexicalEnvironment::symbolTableGet): Deleted.
3264         (JSC::JSLexicalEnvironment::symbolTablePut): Deleted.
3265         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes): Deleted.
3266         * runtime/JSLexicalEnvironment.h:
3267         * runtime/JSModuleRecord.cpp:
3268         (JSC::JSModuleRecord::instantiateDeclarations):
3269         * runtime/JSSegmentedVariableObject.h:
3270         (JSC::JSSegmentedVariableObject::isValidScopeOffset):
3271         * runtime/JSSymbolTableObject.h:
3272         (JSC::symbolTableGet):
3273         (JSC::symbolTablePut):
3274         (JSC::symbolTablePutTouchWatchpointSet):
3275         (JSC::symbolTablePutInvalidateWatchpointSet):
3276         (JSC::symbolTablePutWithAttributesTouchWatchpointSet):
3277         (JSC::symbolTablePutWithAttributes): Deleted.
3278
3279 2015-09-08  Commit Queue  <commit-queue@webkit.org>
3280
3281         Unreviewed, rolling out r189516.
3282         https://bugs.webkit.org/show_bug.cgi?id=148989
3283
3284         broke tests on windows (Requested by alexchristensen on
3285         #webkit).
3286
3287         Reverted changeset:
3288
3289         "GC should be able to discover new strong CodeBlock references
3290         during marking"
3291         https://bugs.webkit.org/show_bug.cgi?id=148981
3292         http://trac.webkit.org/changeset/189516
3293
3294 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3295
3296         Remove unused DFG::dfgConvertJSValueToInt32()
3297         https://bugs.webkit.org/show_bug.cgi?id=148986
3298
3299         Reviewed by Geoffrey Garen.
3300
3301         Remove unused DFG::dfgConvertJSValueToInt32() and also remove
3302         DFG::JITCompiler::callOperation(D_JITOperation_EJ operation, ...) which
3303         was introduced in Bug 69806 for dfgConvertJSValueToNumber() and is no
3304         longer used.
3305
3306         * dfg/DFGOperations.cpp:
3307         * dfg/DFGOperations.h:
3308         * dfg/DFGSpeculativeJIT.h:
3309         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
3310
3311 2015-09-08  Matthew Hill  <matthew.jh@outlook.com>
3312
3313         Function.prototype.bind: Bound functions must use the [[Prototype]] of their target function instead of Function.prototype
3314         https://bugs.webkit.org/show_bug.cgi?id=145605
3315
3316         Reviewed by Geoffrey Garen.
3317
3318         * runtime/JSBoundFunction.cpp:
3319         (JSC::JSBoundFunction::create):
3320         * tests/es6.yaml:
3321
3322 2015-09-08  Mark Lam  <mark.lam@apple.com>
3323
3324         Fixed a bad comment in r189517.
3325
3326         Not reviewed.
3327
3328         * heap/MachineStackMarker.cpp:
3329         (JSC::osRedZoneAdjustment):
3330
3331 2015-09-08  Geoffrey Garen  <ggaren@apple.com>
3332
3333         InlineCallFrames shouldn't be strongly marked by CodeBlock
3334         https://bugs.webkit.org/show_bug.cgi?id=146613
3335
3336         Reviewed by Saam Barati.
3337
3338         This code was vestigial and unnecessary, so I removed it.
3339
3340         * bytecode/CodeBlock.cpp:
3341         (JSC::CodeBlock::stronglyVisitStrongReferences):
3342         * bytecode/InlineCallFrame.cpp:
3343         (JSC::InlineCallFrame::calleeConstant):
3344         (JSC::InlineCallFrame::calleeForCallFrame):
3345         (JSC::InlineCallFrame::visitAggregate): Deleted.
3346         * bytecode/InlineCallFrame.h:
3347         (JSC::InlineCallFrame::specializationKind):
3348         * bytecode/InlineCallFrameSet.cpp:
3349         (JSC::InlineCallFrameSet::add):
3350         (JSC::InlineCallFrameSet::visitAggregate): Deleted.
3351         * bytecode/InlineCallFrameSet.h:
3352         (JSC::InlineCallFrameSet::begin):
3353         (JSC::InlineCallFrameSet::end):
3354
3355 2015-09-08  Mark Lam  <mark.lam@apple.com>
3356
3357         GC stack scan should include ABI red zone.
3358         https://bugs.webkit.org/show_bug.cgi?id=148976
3359
3360         Reviewed by Geoffrey Garen and Benjamin Poulain.
3361
3362         The x86_64 ABI section 3.2.2[1] and ARM64 ABI[2] both state that there is a
3363         128 byte red zone below the stack pointer (reserved by the OS), and that
3364         "functions may use this area for temporary data that is not needed across
3365         function calls".
3366
3367         Hence, it is possible for a thread to store JSCell pointers in the red zone
3368         area, and the conservative GC thread scanner needs to scan that area as well.
3369
3370         Note: the red zone should not be scanned for the GC thread itself (in
3371         gatherFromCurrentThread()).  This is because we're guaranteed that there will
3372         be GC frames below the lowest (top of stack) frame that we need to scan.
3373         Hence, we are guaranteed that there are no red zone areas there containing
3374         JSObject pointers of relevance.
3375
3376         No test added for this issue because the issue relies on:
3377         1. the compiler tool chain generating code that stores local variables
3378            containing the sole reference to a JS object (that needs to be kept
3379            alive) in the stack red zone, and
3380         2. GC has to run on another thread while that red zone containing the
3381            JS object reference is in use. 
3382
3383         These conditions require a race that cannot be reliably reproduced.
3384
3385         [1]: http://people.freebsd.org/~obrien/amd64-elf-abi.pdf
3386         [2]: https://developer.apple.com/library/ios/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html#//apple_ref/doc/uid/TP40013702-SW7
3387
3388         * heap/MachineStackMarker.cpp:
3389         (JSC::MachineThreads::Thread::Thread):
3390         (JSC::MachineThreads::Thread::createForCurrentThread):
3391         (JSC::MachineThreads::Thread::freeRegisters):
3392         (JSC::osRedZoneAdjustment):
3393         (JSC::MachineThreads::Thread::captureStack):
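
The following is an added illustration, not WebKit code, of the point the entry above makes: a conservative scan that starts exactly at the captured stack pointer misses a cell pointer that a leaf function parked in the 128-byte red zone below sp. It is a self-contained toy model; ToyHeap, CapturedThread, scanThread, simulateMissedRoot and the 512-byte stand-in stack are all assumptions made for the example, and the "stack" is a constructed byte array rather than a real thread stack.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>

// Hypothetical toy model (not WebKit code): a conservative stack scanner
// that shows why the scan must extend below the captured stack pointer by
// the ABI red zone, as the ChangeLog entry above describes.

constexpr size_t kRedZoneBytes = 128; // x86_64 SysV ABI and ARM64 red zone size

struct Cell { int payload = 0; };

// Toy heap: the set of addresses that are currently live cells.
struct ToyHeap {
    std::set<const Cell*> cells;
    bool looksLikeCell(uintptr_t word) const {
        return cells.count(reinterpret_cast<const Cell*>(word)) != 0;
    }
};

// Conservatively scan [low, high) word by word for values that match a cell.
static std::set<const Cell*> scanRange(const ToyHeap& heap, const uint8_t* low, const uint8_t* high) {
    std::set<const Cell*> found;
    for (const uint8_t* p = low; p + sizeof(uintptr_t) <= high; p += sizeof(uintptr_t)) {
        uintptr_t word;
        std::memcpy(&word, p, sizeof word);
        if (heap.looksLikeCell(word))
            found.insert(reinterpret_cast<const Cell*>(word));
    }
    return found;
}

// A suspended thread: the stack grows down from stackTop, and sp is the
// stack pointer at the moment the thread was stopped.
struct CapturedThread {
    const uint8_t* stackTop;
    const uint8_t* sp;
};

// Scan a suspended thread's stack. For other threads the scan starts
// kRedZoneBytes below sp; the GC thread scanning itself does not need the
// adjustment because GC frames sit below the frames it cares about.
static std::set<const Cell*> scanThread(const ToyHeap& heap, const CapturedThread& t, bool includeRedZone) {
    const uint8_t* low = includeRedZone ? t.sp - kRedZoneBytes : t.sp;
    return scanRange(heap, low, t.stackTop);
}

struct ScanResult { size_t withoutRedZone; size_t withRedZone; };

// Simulates a suspended leaf function whose only reference to one cell was
// spilled into the red zone (below sp), plus a second cell held in its frame.
ScanResult simulateMissedRoot() {
    static Cell inFrame, inRedZone;
    ToyHeap heap;
    heap.cells = { &inFrame, &inRedZone };

    alignas(16) uint8_t stack[512] = {};              // constructed stand-in for the thread stack
    const uint8_t* stackTop = stack + sizeof stack;
    uint8_t* sp = stack + 256;

    uintptr_t framePtr = reinterpret_cast<uintptr_t>(&inFrame);
    std::memcpy(sp + 32, &framePtr, sizeof framePtr);     // ordinary frame slot, above sp
    uintptr_t redZonePtr = reinterpret_cast<uintptr_t>(&inRedZone);
    std::memcpy(sp - 64, &redZonePtr, sizeof redZonePtr); // temporary kept below sp, in the red zone

    CapturedThread thread { stackTop, sp };
    return { scanThread(heap, thread, false).size(), scanThread(heap, thread, true).size() };
}
```

Without the adjustment the scanner reports one root and the cell referenced only from the red zone would be swept while the suspended thread still uses it; with the adjustment both roots are found. This is also why the entry says the bug needs a compiler that actually spills into the red zone and a collection racing with that frame, which is not something a deterministic test can force.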
3394
3395 2015-09-08  Geoffrey Garen  <ggaren@apple.com>
3396
3397         GC should be able to discover new strong CodeBlock references during marking
3398         https://bugs.webkit.org/show_bug.cgi?id=148981
3399
3400         Reviewed by Mark Lam.
3401
3402         Previously, we required a strong reference to register itself before the
3403         first visit to a CodeBlock. Now, we can discover a strong reference at
3404         any time during the marking phase.
3405
3406         * bytecode/CodeBlock.cpp:
3407         (JSC::CodeBlock::CodeBlock): Remove the two strong reference state
3408         variables from CodeBlock. Now, a strong reference immediately marks
3409         the CodeBlock and its references at the moment of its discovery, and no
3410         separate state is required.
3411
3412         (JSC::CodeBlock::visitStrongly): New helper function for establishing
3413         a strong reference to a CodeBlock.
3414
3415         (JSC::CodeBlock::visitAggregate): Adopt helper function above.
3416
3417         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Updated
3418         for state removal.
3419
3420         (JSC::CodeBlock::isKnownToBeLiveDuringGC): Ditto.
3421
3422         (JSC::CodeBlock::stronglyVisitWeakReferences): Be sure to record that
3423         we have proven liveness (by virtue of marking all the references the
3424         proof would check). This is required so that the CodeBlock knows itself
3425         to be live, and it is also an optimization to avoid testing weak references
3426         after we have already visited them.
3427
3428         * bytecode/CodeBlock.h:
3429         (JSC::CodeBlock::clearMarks):
3430         (JSC::CodeBlockSet::mark):
3431         (JSC::CodeBlockSet::clearMarks): Deleted. Updated for state removal.
3432
3433         * dfg/DFGPlan.cpp:
3434         (JSC::DFG::Plan::clearCodeBlockMarks):
3435         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3436         * dfg/DFGPlan.h: No need to use a CodeBlockSet in order to mark anymore.
3437
3438         * dfg/DFGWorklist.cpp:
3439         (JSC::DFG::Worklist::completeAllPlansForVM):
3440         (JSC::DFG::Worklist::clearCodeBlockMarks):
3441         (JSC::DFG::Worklist::resumeAllThreads):
3442         (JSC::DFG::Worklist::visitWeakReferences):
3443         (JSC::DFG::completeAllPlansForVM):
3444         (JSC::DFG::clearCodeBlockMarks):
3445         * dfg/DFGWorklist.h:
3446         (JSC::DFG::worklistForIndexOrNull): No need to use a CodeBlockSet in order
3447         to mark anymore.
3448
3449         * heap/CodeBlockSet.cpp:
3450         (JSC::CodeBlockSet::clearMarksForFullCollection):
3451         (JSC::CodeBlockSet::clearMarksForEdenCollection):
3452         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3453         (JSC::CodeBlockSet::traceMarked):
3454         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
3455         (JSC::CodeBlockSet::dump):
3456         * heap/CodeBlockSet.h: Keep the currently executing CodeBlocks in RefPtrs
3457         since we can no longer rely on the m_currentlyExecuting bit to keep them
3458         alive. (A currently executing CodeBlock may not be referenced by its
3459         Executable because it may since have been replaced by another CodeBlock.
3460         This is common in the cases of OSR entry and exit.)
3461
3462         * heap/Heap.cpp:
3463         (JSC::Heap::markRoots):
3464         (JSC::Heap::visitCompilerWorklistWeakReferences):
3465         (JSC::Heap::visitWeakHandles): No need to trace the list of CodeBlocks
3466         on the stack in the weak reference fixpoint because we no longer overload
3467         "on the stack" to include CodeBlocks referenced by the compiler.
3468
3469 2015-09-08  Andreas Kling  <akling@apple.com>
3470
3471         [JSC] Remove unused Heap::getConservativeRegisterRoots().
3472         <https://webkit.org/b/148974>
3473
3474         Reviewed by Geoffrey Garen.
3475
3476         Spotted this unused stack root gathering helper in Heap. Let's lose it.
3477
3478         * heap/Heap.cpp:
3479         (JSC::Heap::getConservativeRegisterRoots): Deleted.
3480         * interpreter/JSStack.cpp:
3481         (JSC::JSStack::gatherConservativeRoots): Deleted.
3482         * interpreter/JSStack.h:
3483         (JSC::JSStack::gatherConservativeRoots): Deleted.
3484
3485 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3486
3487         Implement control flow statements in WebAssembly
3488         https://bugs.webkit.org/show_bug.cgi?id=148934
3489
3490         Reviewed by Geoffrey Garen.
3491
3492         This patch implements if, while, do, label, break, and continue
3493         statements in WebAssembly. Switches will be implemented in a subsequent
3494         patch.
3495
3496         * tests/stress/wasm-control-flow.js: Added.
3497         (shouldBe):
3498         * tests/stress/wasm/control-flow.wasm: Added.
3499         * wasm/WASMFunctionCompiler.h:
3500         (JSC::WASMFunctionCompiler::linkTarget):
3501         (JSC::WASMFunctionCompiler::jumpToTarget):
3502         (JSC::WASMFunctionCompiler::jumpToTargetIf):
3503         (JSC::WASMFunctionCompiler::startLoop):
3504         (JSC::WASMFunctionCompiler::endLoop):
3505         (JSC::WASMFunctionCompiler::startSwitch):
3506         (JSC::WASMFunctionCompiler::endSwitch):
3507         (JSC::WASMFunctionCompiler::startLabel):
3508         (JSC::WASMFunctionCompiler::endLabel):
3509         (JSC::WASMFunctionCompiler::breakTarget):
3510         (JSC::WASMFunctionCompiler::continueTarget):
3511         (JSC::WASMFunctionCompiler::breakLabelTarget):
3512         (JSC::WASMFunctionCompiler::continueLabelTarget):
3513         * wasm/WASMFunctionParser.cpp:
3514         (JSC::WASMFunctionParser::parseIfStatement):
3515         (JSC::WASMFunctionParser::parseIfElseStatement):
3516         (JSC::WASMFunctionParser::parseWhileStatement):
3517         (JSC::WASMFunctionParser::parseDoStatement):
3518         (JSC::WASMFunctionParser::parseLabelStatement):
3519         (JSC::WASMFunctionParser::parseBreakStatement):
3520         (JSC::WASMFunctionParser::parseBreakLabelStatement):
3521         (JSC::WASMFunctionParser::parseContinueStatement):
3522         (JSC::WASMFunctionParser::parseContinueLabelStatement):
3523         * wasm/WASMFunctionParser.h:
3524         * wasm/WASMFunctionSyntaxChecker.h:
3525         (JSC::WASMFunctionSyntaxChecker::linkTarget):
3526         (JSC::WASMFunctionSyntaxChecker::jumpToTarget):
3527         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf):
3528         (JSC::WASMFunctionSyntaxChecker::startLoop):
3529         (JSC::WASMFunctionSyntaxChecker::endLoop):
3530         (JSC::WASMFunctionSyntaxChecker::startSwitch):
3531         (JSC::WASMFunctionSyntaxChecker::endSwitch):
3532         (JSC::WASMFunctionSyntaxChecker::startLabel):
3533         (JSC::WASMFunctionSyntaxChecker::endLabel):
3534         (JSC::WASMFunctionSyntaxChecker::breakTarget):
3535         (JSC::WASMFunctionSyntaxChecker::continueTarget):
3536         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget):
3537         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget):
3538
3539 2015-09-08  Per Arne Vollan  <peavo@outlook.com>
3540
3541         [Win] Compile errors in inspector code.
3542         https://bugs.webkit.org/show_bug.cgi?id=148977
3543
3544         Reviewed by Alex Christensen.
3545
3546         Include definition of class FrontendRouter before use.
3547
3548         * inspector/InspectorBackendDispatcher.h:
3549         * inspector/JSGlobalObjectInspectorController.h:
3550
3551 2015-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3552
3553         [ES6] Implement computed accessors
3554         https://bugs.webkit.org/show_bug.cgi?id=147883
3555
3556         Reviewed by Geoffrey Garen.
3557
3558         Patch by Yusuke Suzuki <utatane.tea@gmail.com> and Matthew Mirman <mmirman@apple.com>.
3559
3560         Implement the computed accessors functionality for class syntax and object literal syntax.
3561         Added new opcodes, op_put_getter_by_val and op_put_setter_by_val. LLInt and baseline JIT support them.
3562         As with the other accessor opcodes (like op_put_getter_by_id etc.), DFG / FTL does not support
3563         them. This is handled here[1].
3564
3565         [1]: https://bugs.webkit.org/show_bug.cgi?id=148860
3566
3567         * bytecode/BytecodeList.json:
3568         * bytecode/BytecodeUseDef.h:
3569         (JSC::computeUsesForBytecodeOffset):
3570         (JSC::computeDefsForBytecodeOffset):
3571         * bytecode/CodeBlock.cpp:
3572         (JSC::CodeBlock::dumpBytecode):
3573         * bytecompiler/BytecodeGenerator.cpp:
3574         (JSC::BytecodeGenerator::emitPutGetterByVal):
3575         (JSC::BytecodeGenerator::emitPutSetterByVal):
3576         * bytecompiler/BytecodeGenerator.h:
3577         * bytecompiler/NodesCodegen.cpp:
3578         (JSC::PropertyListNode::emitBytecode):
3579         * jit/JIT.cpp:
3580         (JSC::JIT::privateCompileMainPass):
3581         * jit/JIT.h:
3582         * jit/JITInlines.h:
3583         (JSC::JIT::callOperation):
3584         * jit/JITOperations.cpp:
3585         * jit/JITOperations.h:
3586         * jit/JITPropertyAccess.cpp:
3587         (JSC::JIT::emit_op_put_getter_by_val):
3588         (JSC::JIT::emit_op_put_setter_by_val):
3589         * jit/JITPropertyAccess32_64.cpp:
3590         (JSC::JIT::emit_op_put_getter_by_val):
3591         (JSC::JIT::emit_op_put_setter_by_val):
3592         * llint/LLIntSlowPaths.cpp:
3593         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3594         * llint/LLIntSlowPaths.h:
3595         * llint/LowLevelInterpreter.asm:
3596         * parser/ASTBuilder.h:
3597         (JSC::ASTBuilder::createGetterOrSetterProperty):
3598         * parser/Parser.cpp:
3599         (JSC::Parser<LexerType>::parseClass):
3600         (JSC::Parser<LexerType>::parseGetterSetter):
3601         * parser/SyntaxChecker.h:
3602         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3603         * tests/es6.yaml:
3604         * tests/stress/computed-accessor-parsing.js: Added.
3605         (testShouldNotThrow):
3606         (testShouldThrow):
3607         (Val.prototype.get string_appeared_here):
3608         (Val):
3609         * tests/stress/computed-accessor.js: Added.
3610         (shouldBe):
3611         (.):
3612         * tests/stress/duplicate-computed-accessors.js: Added.
3613         (shouldBe):
3614
3615 2015-09-08  Saam barati  <sbarati@apple.com>
3616
3617         baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope
3618         https://bugs.webkit.org/show_bug.cgi?id=148895
3619
3620         Reviewed by Geoffrey Garen.
3621
3622         Previously, if a resolve_scope/get_from_scope/put_to_scope with
3623         UnresolvedProperty made it to the baseline JIT, we would hard compile
3624         a jump to the slow path. This is bad and slow. Because UnresolvedProperty
3625         tries to update itself to something more useful, and succeeds at doing so
3626         with high probability, we should be emitting code that checks to see if the 
3627         slow path has performed an update, and if it has, execute more efficient code 
3628         and not go to the slow path (unless it needs to for var injection check failure, 
3629         or other check failures). This increases the speed of this code greatly because 
3630         we may decide to compile a program/function before certain resolve_scope/get_from_scope/put_to_scope 
3631         operations ever execute. And now, the baseline JIT code better adapts to such
3632         compilation scenarios.
3633
3634         * bytecode/Watchpoint.h:
3635         (JSC::WatchpointSet::isBeingWatched):
3636         (JSC::WatchpointSet::addressOfState):
3637         (JSC::WatchpointSet::offsetOfState):
3638         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
3639         * jit/JIT.cpp:
3640         (JSC::JIT::emitNotifyWrite):
3641         (JSC::JIT::assertStackPointerOffset):
3642         * jit/JIT.h:
3643         * jit/JITPropertyAccess.cpp:
3644         (JSC::JIT::emit_op_resolve_scope):
3645         (JSC::JIT::emitSlow_op_resolve_scope):
3646         (JSC::JIT::emitGetGlobalProperty):
3647         (JSC::JIT::emitGetVarFromPointer):
3648         (JSC::JIT::emitGetVarFromIndirectPointer):
3649         (JSC::JIT::emitGetClosureVar):
3650         (JSC::JIT::emit_op_get_from_scope):
3651         (JSC::JIT::emitSlow_op_get_from_scope):
3652         (JSC::JIT::emitPutGlobalProperty):
3653         (JSC::JIT::emitPutGlobalVariable):
3654         (JSC::JIT::emitPutGlobalVariableIndirect):
3655         (JSC::JIT::emitPutClosureVar):
3656         (JSC::JIT::emit_op_put_to_scope):
3657         (JSC::JIT::emitSlow_op_put_to_scope):
3658         * jit/JITPropertyAccess32_64.cpp:
3659         (JSC::JIT::emit_op_resolve_scope):
3660         (JSC::JIT::emitSlow_op_resolve_scope):
3661         (JSC::JIT::emitGetGlobalProperty):
3662         (JSC::JIT::emitGetVarFromPointer):
3663         (JSC::JIT::emitGetVarFromIndirectPointer):
3664         (JSC::JIT::emitGetClosureVar):
3665         (JSC::JIT::emit_op_get_from_scope):
3666         (JSC::JIT::emitSlow_op_get_from_scope):
3667         (JSC::JIT::emitPutGlobalProperty):
3668         (JSC::JIT::emitPutGlobalVariable):
3669         (JSC::JIT::emitPutGlobalVariableIndirect):
3670         (JSC::JIT::emitPutClosureVar):
3671         (JSC::JIT::emit_op_put_to_scope):
3672         (JSC::JIT::emitSlow_op_put_to_scope):
3673         * runtime/CommonSlowPaths.h:
3674         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3675         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3676         * runtime/JSScope.cpp:
3677         (JSC::abstractAccess):
3678         * tests/stress/multiple-files-tests/global-lexical-variable-unresolved-property/first.js:
3679         (foo):
3680
3681 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3682
3683         Implement all the arithmetic and logical instructions in WebAssembly
3684         https://bugs.webkit.org/show_bug.cgi?id=148882
3685
3686         Reviewed by Mark Lam.
3687
3688         This patch implements all the arithmetic and logical instructions for
3689         32-bit integers in WebAssembly.
3690
3691         * tests/stress/wasm-arithmetic.js:
3692         * tests/stress/wasm/arithmetic.wasm:
3693         * wasm/WASMFunctionCompiler.h:
3694         (JSC::WASMFunctionCompiler::buildUnaryI32):
3695         (JSC::WASMFunctionCompiler::buildBinaryI32):
3696         * wasm/WASMFunctionParser.cpp:
3697         (JSC::WASMFunctionParser::parseExpressionI32):
3698         (JSC::WASMFunctionParser::parseUnaryExpressionI32):
3699         * wasm/WASMFunctionParser.h:
3700         * wasm/WASMFunctionSyntaxChecker.h:
3701         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32):
3702
3703 2015-09-08  Filip Pizlo  <fpizlo@apple.com>
3704
3705         Unreviewed, fix debug by removing an assertion that is not correct anymore.
3706
3707         * jit/Repatch.cpp:
3708         (JSC::linkFor):
3709
3710 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3711
3712         Add initial support for doubles in WebAssembly
3713         https://bugs.webkit.org/show_bug.cgi?id=148913
3714
3715         Reviewed by Filip Pizlo.
3716
3717         Implement the ConstantPoolIndex, Immediate, and GetLocal instructions
3718         for doubles (float64) in WebAssembly.
3719
3720         * tests/stress/wasm-arithmetic-float64.js: Added.
3721         (shouldBe):
3722         * tests/stress/wasm/arithmetic-float64.wasm: Added.
3723         * wasm/WASMConstants.h:
3724         * wasm/WASMFunctionCompiler.h:
3725         (JSC::WASMFunctionCompiler::buildSetLocal):
3726         (JSC::WASMFunctionCompiler::buildReturn):
3727         (JSC::WASMFunctionCompiler::buildImmediateI32):
3728         (JSC::WASMFunctionCompiler::buildImmediateF64):
3729         (JSC::WASMFunctionCompiler::buildGetLocal):
3730         * wasm/WASMFunctionParser.cpp:
3731         (JSC::WASMFunctionParser::parseExpression):
3732         (JSC::WASMFunctionParser::parseExpressionF64):
3733         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64):
3734         (JSC::WASMFunctionParser::parseImmediateExpressionF64):
3735         (JSC::WASMFunctionParser::parseGetLocalExpressionF64):
3736         * wasm/WASMFunctionParser.h:
3737         * wasm/WASMFunctionSyntaxChecker.h:
3738         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64):
3739         * wasm/WASMReader.cpp:
3740         (JSC::WASMReader::readOpExpressionF64):
3741         * wasm/WASMReader.h:
3742
3743 2015-09-06  Filip Pizlo  <fpizlo@apple.com>
3744
3745         CallLinkInfo inside StructureStubInfo should not use polymorphic stubs
3746         https://bugs.webkit.org/show_bug.cgi?id=148915
3747
3748         Reviewed by Mark Lam.
3749
3750         There is a subtle bug where if we reset a get_by_id IC that had a getter stub that in
3751         turn had a polymorphic call stub, then the GC won't know to keep the getter stub alive.
3752         This patch documents the bug in a FIXME and disables polymorphic call optimizations for
3753         getters. It also just so happens that the polymorphic call optimizations usually don't
3754         benefit getters, since it's hard to create polymorphism at the point of call without also
3755         introducing polymorphism in the base object's structure.
3756
3757         The added test doesn't reproduce the problem, because it's hard to get the GC to delete
3758         all of the stubs.
3759
3760         * bytecode/CallLinkInfo.h:
3761         (JSC::CallLinkInfo::CallLinkInfo):
3762         (JSC::CallLinkInfo::setCallLocations):
3763         (JSC::CallLinkInfo::allowStubs):
3764         (JSC::CallLinkInfo::disallowStubs):
3765         (JSC::CallLinkInfo::setUpCallFromFTL):
3766         * jit/Repatch.cpp:
3767         (JSC::generateByIdStub):
3768         (JSC::linkFor):
3769         (JSC::linkPolymorphicCall):
3770         * tests/stress/poly-call-stub-in-getter-stub.js: Added.
3771         (foo):
3772         (makeGetter):
3773
3774 2015-09-07  Filip Pizlo  <fpizlo@apple.com>
3775
3776         The put_by_id IC store barrier contract should benefit transition over replace
3777         https://bugs.webkit.org/show_bug.cgi?id=148943
3778
3779         Reviewed by Mark Lam.
3780
3781         Previously, we would only emit a barrier if the value being stored was possibly a cell, so
3782         the transition stub code generator would have to emit a barrier for the store of the
3783         structure, just in case the structure was newer than the base object.
3784
3785         This changes the contract so that the put_by_id callsite would always have a barrier on the
3786         base (except if it proved that the base was brand new). That way, the transition doesn't have
3787         to have a barrier unless it allocates.
3788
3789         This is meant to be a perf-neutral change that I need for the IC refactoring in
3790         https://bugs.webkit.org/show_bug.cgi?id=148717.
3791
3792         * dfg/DFGFixupPhase.cpp:
3793         (JSC::DFG::FixupPhase::fixupNode):
3794         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3795         * jit/Repatch.cpp:
3796         (JSC::emitPutTransitionStub):
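
The following is an added toy model, not WebKit code, of the barrier contract the entry above describes. It uses a minimal generational heap with a remembered set; Heap, Structure, Object, barrier, edenCollect and transitionedStructureSurvivesEdenGC are all names and simplifications assumed for this example (no roots, no allocation inside the transition), and the scenario is constructed rather than taken from the patch.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Hypothetical toy model (not WebKit code) of a generational heap with a
// remembered set, used to show why barriering the base at the put_by_id
// callsite lets the transition stub drop its own barrier. All names are
// assumptions for this example.

struct Structure {
    bool isOld = false;
    bool marked = false;
};

struct Object {
    bool isOld = false;
    Structure* structure = nullptr;
    int primitiveValue = 0;   // a property slot holding a non-cell value
};

struct Heap {
    std::vector<std::unique_ptr<Structure>> structures;
    std::vector<std::unique_ptr<Object>> objects;
    std::set<Object*> rememberedSet; // old objects that may now point at young cells

    Structure* allocStructure(bool old) {
        structures.push_back(std::make_unique<Structure>());
        structures.back()->isOld = old;
        return structures.back().get();
    }
    Object* allocObject(bool old, Structure* s) {
        objects.push_back(std::make_unique<Object>());
        objects.back()->isOld = old;
        objects.back()->structure = s;
        return objects.back().get();
    }
    // Store barrier on a base object. A young base needs no barrier: the eden
    // collection traces young objects anyway (the "brand new" case).
    void barrier(Object* base) {
        if (base->isOld)
            rememberedSet.insert(base);
    }
    // Eden collection: young cells survive only if reached from a remembered
    // old object (this toy has no other roots). Returns whether `s` survived
    // and sweeps dead young structures, which would leave a dangling pointer.
    bool edenCollect(Structure* s) {
        for (Object* base : rememberedSet)
            if (base->structure && !base->structure->isOld)
                base->structure->marked = true;
        rememberedSet.clear();
        bool survived = s->isOld || s->marked;
        structures.erase(std::remove_if(structures.begin(), structures.end(),
            [](const std::unique_ptr<Structure>& p) { return !p->isOld && !p->marked; }),
            structures.end());
        return survived;
    }
};

// One put_by_id that transitions an old base to a structure allocated since
// the last collection while storing a primitive value, then an eden collection.
// barrierBaseAtCallsite models the new contract; barrierInTransitionStub
// models the extra barrier the old transition stub had to emit.
bool transitionedStructureSurvivesEdenGC(bool barrierBaseAtCallsite, bool barrierInTransitionStub) {
    Heap heap;
    Structure* oldStructure = heap.allocStructure(/*old=*/true);
    Object* base = heap.allocObject(/*old=*/true, oldStructure);
    Structure* newStructure = heap.allocStructure(/*old=*/false); // younger than the base

    const bool valueMayBeCell = false; // we store an int, so the old contract emitted no barrier
    if (barrierBaseAtCallsite || valueMayBeCell)
        heap.barrier(base);

    // Transition stub: store the new structure and the value. It allocates
    // nothing here, so under the new contract its own barrier is redundant.
    base->structure = newStructure;
    base->primitiveValue = 42;
    if (barrierInTransitionStub)
        heap.barrier(base);

    return heap.edenCollect(newStructure);
}
```

With neither barrier the young structure is swept while the old base still points at it, which is the hazard both contracts have to prevent; the old contract closes it by barriering inside the stub, the new one by barriering the base at every put_by_id callsite that cannot prove the base is brand new.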
3797
3798 2015-09-07  Alex Christensen  <achristensen@webkit.org>
3799
3800         Windows non-cygwin build fix after r189333.
3801
3802         SVN on Windows (non-cygwin) doesn't like having the * character in file names.
3803         I replaced "*" with "star" in some of Geoff's new tests.
3804
3805         * tests/es6.yaml:
3806         Changed all _*_ to _star_
3807         * tests/es6/generators_yield_*_arrays.js: Removed.
3808         * tests/es6/generators_yield_*_astral_plane_strings.js: Removed.
3809         * tests/es6/generators_yield_*_generator_instances.js: Removed.
3810         * tests/es6/generators_yield_*_generic_iterables.js: Removed.
3811         * tests/es6/generators_yield_*_instances_of_iterables.js: Removed.
3812         * tests/es6/generators_yield_*_iterator_closing.js: Removed.
3813         * tests/es6/generators_yield_*_iterator_closing_via_throw.js: Removed.
3814         * tests/es6/generators_yield_*_on_non-iterables_is_a_runtime_error.js: Removed.
3815         * tests/es6/generators_yield_*_sparse_arrays.js: Removed.
3816         * tests/es6/generators_yield_*_strings.js: Removed.
3817         * tests/es6/generators_yield_star_arrays.js: Copied from tests/es6/generators_yield_*_arrays.js.
3818         * tests/es6/generators_yield_star_astral_plane_strings.js: Copied from tests/es6/generators_yield_*_astral_plane_strings.js.
3819         * tests/es6/generators_yield_star_generator_instances.js: Copied from tests/es6/generators_yield_*_generator_instances.js.
3820         * tests/es6/generators_yield_star_generic_iterables.js: Copied from tests/es6/generators_yield_*_generic_iterables.js.
3821         * tests/es6/generators_yield_star_instances_of_iterables.js: Copied from tests/es6/generators_yield_*_instances_of_iterables.js.
3822         * tests/es6/generators_yield_star_iterator_closing.js: Copied from tests/es6/generators_yield_*_iterator_closing.js.
3823         * tests/es6/generators_yield_star_iterator_closing_via_throw.js: Copied from tests/es6/generators_yield_*_iterator_closing_via_throw.js.
3824         * tests/es6/generators_yield_star_on_non-iterables_is_a_runtime_error.js: Copied from tests/es6/generators_yield_*_on_non-iterables_is_a_runtime_error.js.
3825         * tests/es6/generators_yield_star_sparse_arrays.js: Copied from tests/es6/generators_yield_*_sparse_arrays.js.
3826         * tests/es6/generators_yield_star_strings.js: Copied from tests/es6/generators_yield_*_strings.js.
3827
3828 2015-09-06  Mark Lam  <mark.lam@apple.com>
3829
3830         Gardening: fix broken Windows build after r189454.
3831
3832         Not reviewed.
3833
3834         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3835         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3836
3837 2015-09-06  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3838
3839         Implement the relational instructions in WebAssembly
3840         https://bugs.webkit.org/show_bug.cgi?id=148838
3841
3842         Reviewed by Saam Barati.
3843
3844         This patch implements the relational instructions for 32-bit integers in
3845         WebAssembly.
3846
3847         * tests/stress/wasm-arithmetic.js:
3848         * tests/stress/wasm-locals.js:
3849         * tests/stress/wasm-relational.js: Added.
3850         (shouldBe):
3851         * tests/stress/wasm/arithmetic.wasm: Renamed from Source/JavaScriptCore/tests/stress/wasm-arithmetic.wasm.
3852         * tests/stress/wasm/locals.wasm: Renamed from Source/JavaScriptCore/tests/stress/wasm-locals.wasm.
3853         * tests/stress/wasm/relational.wasm: Added.
3854         * wasm/WASMFunctionCompiler.h:
3855         (JSC::WASMFunctionCompiler::buildRelationalI32):
3856         * wasm/WASMFunctionParser.cpp:
3857         (JSC::WASMFunctionParser::parseExpressionI32):
3858         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32):
3859         * wasm/WASMFunctionParser.h:
3860         * wasm/WASMFunctionSyntaxChecker.h:
3861         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32):
3862
3863 2015-09-06  Mark Lam  <mark.lam@apple.com>
3864
3865         StackOverflow stack unwinding should stop at native frames.
3866         https://bugs.webkit.org/show_bug.cgi?id=148749
3867
3868         Reviewed by Michael Saboff.
3869
3870         In the present code, after ping-pong'ing back and forth between native and JS
3871         code a few times, if we have a stack overflow on re-entry into the VM to run
3872         JS code whose stack frame would overflow the JS stack, the code will end up
3873         unwinding past the native function that is making the call to re-enter the VM.
3874         As a result, any clean up code (e.g. destructors for stack variables) in the
3875         skipped native function frame (and its chain of native function callers) will
3876         not be called.
3877
3878         This patch is based on Michael Saboff's fix of this issue landed on the
3879         jsc-tailcall branch: http://trac.webkit.org/changeset/188555
3880
3881         We now check for the case where there are no JS frames to unwind since the
3882         last native frame, and treat the exception as an unhandled exception.  The
3883         native function is responsible for further propagating the exception if needed.
3884
3885         Other supporting work:
3886         1. Remove vm->vmEntryFrameForThrow.  It should always be the same as
3887            vm->topVMEntryFrame.
3888         2. Change operationThrowStackOverflowError() to use the throwStackOverflowError()
3889            helper function instead of rolling its own.
3890         3. Added a test that exercises this edge case.  The test should not hang or crash.
3891