Fix internal Windows build
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-22  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153364
        <rdar://problem/24296328>

        Reviewed by Brent Fulgham.

        * PlatformWin.cmake:
        The internal build does not build JavaScriptCore with WTF, so it does not automatically link to winmm.lib
        like it does when everything is built together.

2016-01-22  Keith Miller  <keith_miller@apple.com>

        Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
        https://bugs.webkit.org/show_bug.cgi?id=152912

        Reviewed by Mark Lam.

        When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
        the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
        The one we now test for is when the GlobalObject has a property that becomes a variable: the property is
        deleted, thus the offset is now invalid.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
        * tests/stress/global-property-into-variable-get-from-scope.js: Added.

2016-01-22  Keith Miller  <keith_miller@apple.com>

        [ES6] Add Symbol.species properties to the relevant constructors
        https://bugs.webkit.org/show_bug.cgi?id=153339

        Reviewed by Michael Saboff.

        This patch adds Symbol.species to the RegExp, Array, TypedArray, Map, Set, ArrayBuffer, and
        Promise constructors.  The functions that use these properties will be added in a later
        patch.

        * builtins/GlobalObject.js:
        (speciesGetter):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/CommonIdentifiers.h:
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::create):
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::create):
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        (JSC::JSTypedArrayViewConstructor::create): Deleted.
        * runtime/JSTypedArrayViewConstructor.h:
        (JSC::JSTypedArrayViewConstructor::create):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapConstructor.h:
        (JSC::MapConstructor::create):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/SetConstructor.h:
        (JSC::SetConstructor::create):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::create):
        * runtime/WeakMapConstructor.h:
        (JSC::WeakMapConstructor::create):
        * runtime/WeakSetConstructor.h:
        (JSC::WeakSetConstructor::create):
        * tests/stress/symbol-species.js: Added.
        (testSymbolSpeciesOnConstructor):

2016-01-21  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] The IRC allocator can mess up the degree of Tmps interfering with move-related Tmps
        https://bugs.webkit.org/show_bug.cgi?id=153340

        Reviewed by Filip Pizlo.

        The JavaScriptCore tests uncovered an interesting bug in the iterated register
        coalescing allocator. When coalescing a move under the right conditions, it is
        possible to mess up the graph for the Tmps interfering with the coalesced Tmps.

        Some context first:
        -When coalescing a move, we alias one Tmp to another. Let's say that we had
             Move X, Y
         the coalescing may alias Y to X: Y->X.
        -Since X and Y are equivalent after coalescing, any interference
         edge with Y is "moved" to X.
         The way this was done was to add an edge to X for every edge there was with Y.
         Say we had an edge R--Y, we add an edge R--X.
         Adding an edge increases the degree of R and Y. The degree of R was then
         fixed by calling decrementDegree() on it.
        -decrementDegree() is non-trivial. It will move the Tmp to the right list
         for further processing if the Tmp's degree becomes lower than the number
         of available registers.

        The bug appears in a particular case. Say we have 3 Tmps, A, B, and C.
        -A and B are move related, they can be coalesced.
        -A has an interference edge with C.
        -B does not have an interference edge with C.
        -C's degree is exactly the number of available registers/colors minus one (k - 1).
         -> This implies C is already in its list.

        We coalesce A and B into B (A->B).
        -The first step, addEdgeDistinct() adds an edge between B and C. The degrees of
         B and C are increased by one. The degree of C becomes k.
        -Next, decrementDegree() is called on C. Its degree decreases to k-1.
         Because of the change from k to k-1, decrementDegree() adds C to a list again.

        We have two kinds of bugs depending on the test:
        -A Tmp can be added to the simplifyWorklist several times.
        -A Tmp can be in both simplifyWorklist and freezeWorklist (because its move-related
         status changed since the last decrementDegree()).
        In both cases, the Tmps interfering with the duplicated Tmp will end up with
        a degree lower than their real value.

        * b3/air/AirIteratedRegisterCoalescing.cpp:

2016-01-21  Andreas Kling  <akling@apple.com>

        Add some missing WTF_MAKE_FAST_ALLOCATED in JavaScriptCore.
        <https://webkit.org/b/153335>

        Reviewed by Alex Christensen.

        Saw these things getting system malloc()'ed in an Instruments trace.

        * inspector/InspectorAgentBase.h:
        * jit/CallFrameShuffleData.h:
        * jit/CallFrameShuffler.h:
        * jit/RegisterAtOffsetList.h:
        * runtime/GenericOffset.h:

2016-01-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Catch parameter should accept BindingPattern
        https://bugs.webkit.org/show_bug.cgi?id=152385

        Reviewed by Saam Barati.

        This patch implements destructuring in the catch parameter.
        The catch parameter accepts binding patterns and binding identifiers.
        It creates lexical bindings. And "yield" and "let" are specially
        handled in the same way as function parameters.

        In addition to that, we make destructuring parsing errors more descriptive.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createTryStatement):
        * parser/NodeConstructors.h:
        (JSC::TryNode::TryNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
        (JSC::Parser<LexerType>::parseBindingOrAssignmentElement):
        (JSC::destructuringKindToVariableKindName):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        * parser/Parser.h:
        (JSC::Parser::destructuringKindFromDeclarationType):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createTryStatement):
        * tests/es6.yaml:
        * tests/es6/destructuring_in_catch_heads.js: Added.
        (test):
        * tests/stress/catch-parameter-destructuring.js: Added.
        (shouldBe):
        (shouldThrow):
        (prototype.call):
        (catch):
        (shouldThrow.try.throw.get error):
        (initialize):
        (array):
        (generator.gen):
        (generator):
        * tests/stress/catch-parameter-syntax.js: Added.
        (testSyntax):
        (testSyntaxError):
        * tests/stress/reserved-word-with-escape.js:
        (testSyntaxError.String.raw.a):
        (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
        * tests/stress/yield-named-variable.js:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * b3/B3EliminateCommonSubexpressions.cpp:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        B3 CSE should be able to match a full redundancy even if none of the matches dominate the value in question
        https://bugs.webkit.org/show_bug.cgi?id=153321

        Reviewed by Benjamin Poulain.

        I once learned that LLVM's GVN can manufacture Phi functions. I don't know the details
        but I'm presuming that it involves:

            if (p)
                tmp1 = *ptr
            else
                tmp2 = *ptr
            tmp3 = *ptr // Replace this with Phi(tmp1, tmp2).

        This adds such an optimization to our CSE. The idea is that we search through basic
        blocks until we find the value we want, a side effect, or the start of the procedure. If
        we find a value that matches our search criteria, we record it and ignore the
        predecessors. If we find a side effect or the start of the procedure, we give up the
        whole search. This ensures that if we come out of the search without giving up, we'll
        have a set of matches that are fully redundant.

        CSE could then create a Phi graph by using SSACalculator. But the recent work on FixSSA
        revealed a much more exciting option: create a stack slot! In case there is more than one
        match, CSE now creates a stack slot that each match stores to, and replaces the redundant
        instruction with a load from the stack slot. The stack slot is anonymous, which ensures
        that FixSSA will turn it into an optimal Phi graph or whatever.

        This is a significant speed-up on Octane/richards.

        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::fixSSA):
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setFrontendData):
        (JSC::B3::Procedure::frontendData):
        * b3/testb3.cpp:
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Air should know that CeilDouble has the partial register stall issue
        https://bugs.webkit.org/show_bug.cgi?id=153338

        Rubber stamped by Benjamin Poulain.

        This is an 8% speed-up on Kraken with B3 enabled, mostly because of a 2.4x speed-up on
        audio-oscillator.

        * b3/air/AirFixPartialRegisterStalls.cpp:

2016-01-21  Andy VanWagoner  <andy@instructure.com>

        [INTL] Implement Array.prototype.toLocaleString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147614

        Reviewed by Benjamin Poulain.

        The primary changes between the ECMA-402 version and the existing implementation
        are passing the arguments on to each element's toLocaleString call, and
        missing/undefined/null elements becoming an empty string instead of being skipped.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):

2016-01-21  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153312

        Reviewed by Alex Christensen.

        Since MSVC has several overloads of sin, cos, pow, and log, we need to specify
        which one we want to use.

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::doublePow):
        (JSC::FTL::Output::doubleLog):

2016-01-21  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] foldPathConstants() makes invalid assumptions with Switch
        https://bugs.webkit.org/show_bug.cgi?id=153324

        Reviewed by Filip Pizlo.

        If a Switch() has two cases pointing to the same basic block, foldPathConstants()
        was adding two overrides for that block with two different constants.
        If the block with the Switch dominates the target, both overrides were equally valid
        and we were assuming any of the constants as the value in the target block.

        See testSwitchTargettingSameBlockFoldPathConstant() for an example that breaks.

        This patch adds checks to ignore any block that is reached more than
        once by the control value.

        * b3/B3FoldPathConstants.cpp:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/testb3.cpp:
        (JSC::B3::testSwitchTargettingSameBlock):
        (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
        (JSC::B3::run):

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo DFGCommon.h change that accidentally enabled the B3 JIT.

        * dfg/DFGCommon.h:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Move32 should have an Imm, Tmp form
        https://bugs.webkit.org/show_bug.cgi?id=153313

        Reviewed by Mark Lam.

        This enables some useful optimizations, like constant propagation in fixObviousSpills().

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::move):
        * b3/air/AirOpcode.opcodes:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        B3 should have load elimination
        https://bugs.webkit.org/show_bug.cgi?id=153288

        Reviewed by Geoffrey Garen.

        This adds a complete GCSE pass that includes load elimination. It would have been super hard
        to make this work as part of the reduceStrength() fixpoint, since GCSE needs to analyze
        control flow and reduceStrength() is messing with control flow. So, I did a compromise: I
        factored out the pure CSE that reduceStrength() was already doing, and now we have:

        - reduceStrength() still does pure CSE using the new PureCSE helper.

        - eliminateCommonSubexpressions() is a separate phase that does general CSE. It uses the
          PureCSE helper for pure values and does its own special thing for memory values.

        Unfortunately, this doesn't help any benchmark right now. It doesn't hurt anything, either,
        and it's likely to become a bigger pay-off once we implement other features, like mapping
        FTL's abstract heaps onto B3's heap ranges.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3EliminateCommonSubexpressions.cpp: Added.
        (JSC::B3::eliminateCommonSubexpressions):
        * b3/B3EliminateCommonSubexpressions.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange):
        * b3/B3InsertionSet.h:
        (JSC::B3::InsertionSet::InsertionSet):
        (JSC::B3::InsertionSet::isEmpty):
        (JSC::B3::InsertionSet::code):
        (JSC::B3::InsertionSet::appendInsertion):
        * b3/B3MemoryValue.h:
        * b3/B3PureCSE.cpp: Added.
        (JSC::B3::PureCSE::PureCSE):
        (JSC::B3::PureCSE::~PureCSE):
        (JSC::B3::PureCSE::clear):
        (JSC::B3::PureCSE::process):
        * b3/B3PureCSE.h: Added.
        * b3/B3ReduceStrength.cpp:
        * b3/B3ReduceStrength.h:
        * b3/B3Validate.cpp:

2016-01-21  Keith Miller  <keith_miller@apple.com>

        Fix bug in TypedArray.prototype.set and add tests
        https://bugs.webkit.org/show_bug.cgi?id=153309

        Reviewed by Michael Saboff.

        This patch fixes an issue with TypedArray.prototype.set where we would
        assign a double to an unsigned without checking that the double was
        in the range of the unsigned. Additionally, the patch also adds
        tests for set for cases that were not covered before.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):
        * tests/stress/typedarray-set.js: Added.

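The range problem in the entry above (a double offset narrowed to an unsigned before the bounds check), shown as an added C++ example that is not JavaScriptCore's code: toInteger, naiveOffsetAccepted, checkedOffset, typedArraySet and byteAfterSet are hypothetical names, and the byte-array set() is a constructed, simplified model of the builtin.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of the offset handling in TypedArray.prototype.set(source, offset).
// Hypothetical names; this is not JavaScriptCore's implementation.

// JS ToInteger: NaN becomes 0, everything else is truncated toward zero.
static double toInteger(double d)
{
    return std::isnan(d) ? 0.0 : std::trunc(d);
}

// Buggy pattern: the double is narrowed to a 32-bit unsigned *before* the bounds
// check. Narrowing an out-of-range double is undefined behaviour in C++; on the
// usual x86-64 code generation only the low 32 bits survive, which std::fmod
// models here so that the example itself stays well defined.
static bool naiveOffsetAccepted(double offset, size_t sourceLength, size_t targetLength)
{
    double d = toInteger(offset);
    if (!std::isfinite(d) || d < 0)
        return false;
    // 2^32 wraps to 0, 2^32 + 1 wraps to 1: a huge offset now looks tiny.
    uint32_t narrowed = static_cast<uint32_t>(std::fmod(d, 4294967296.0));
    // Passes for offset 4294967297 on an 8-byte target, so the copy would land
    // far outside the buffer.
    return sourceLength + narrowed <= targetLength;
}

// Fixed pattern: validate in the double domain, then narrow, then do an
// overflow-safe bounds check. Returns the offset, or -1 where JS throws RangeError.
static long long checkedOffset(double offset, size_t sourceLength, size_t targetLength)
{
    double d = toInteger(offset);
    if (d < 0)
        return -1;
    // Anything that does not fit in 32 bits (including +Infinity) can never index a
    // typed array, so reject it before the conversion rather than after.
    if (!(d <= 4294967295.0))
        return -1;
    size_t off = static_cast<size_t>(d);
    // Written as a subtraction so the check cannot itself overflow.
    if (off > targetLength || sourceLength > targetLength - off)
        return -1;
    return static_cast<long long>(off);
}

// Copy `source` into `target` at `offset`, as set() does for byte arrays.
static bool typedArraySet(std::vector<uint8_t>& target, const std::vector<uint8_t>& source, double offset)
{
    long long off = checkedOffset(offset, source.size(), target.size());
    if (off < 0)
        return false;
    if (!source.empty())
        std::memcpy(target.data() + off, source.data(), source.size());
    return true;
}

// Helper for exercising the copy: an 8-byte zeroed target and a constructed
// 2-byte source; returns the byte at `index` after set(), or -1 if set() rejected.
static int byteAfterSet(double offset, size_t index)
{
    std::vector<uint8_t> target(8, 0);
    const std::vector<uint8_t> source = { 0xAA, 0xBB };
    if (!typedArraySet(target, source, offset))
        return -1;
    return target[index];
}
```

The naive check accepts 4294967297 for a 1-byte copy into an 8-byte target because the offset wrapped to 1, while checkedOffset rejects it outright; the same reasoning applies to any conversion that narrows before it validates.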
2016-01-19  Ada Chan  <adachan@apple.com>

        Make it possible to enable VIDEO_PRESENTATION_MODE on other Cocoa platforms.
        https://bugs.webkit.org/show_bug.cgi?id=153218

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2016-01-21  Per Arne Vollan  <peavo@outlook.com>

        [B3][CMake] Add missing source file.
        https://bugs.webkit.org/show_bug.cgi?id=153303

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2016-01-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195375.
        https://bugs.webkit.org/show_bug.cgi?id=153300

        Caused crashes on GuardMalloc (Requested by ap on #webkit).

        Reverted changeset:

        "TypedArray's .buffer does not return the JSArrayBuffer that
        was passed to it on creation."
        https://bugs.webkit.org/show_bug.cgi?id=153281
        http://trac.webkit.org/changeset/195375

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        B3 should have basic path specialization
        https://bugs.webkit.org/show_bug.cgi?id=153200

        Reviewed by Benjamin Poulain.

        This adds two different kinds of path specializations:

        - Check(Select) where the Select results are constants is specialized into a Branch
          instead of a Select and duplicated paths where the results of the Select are folded.

        - Tail duplication. A jump to a small block causes the block's contents to be copied over
          the Jump.

        Both optimizations required being able to clone Values. We can now do that using
        proc.clone(value).

        Check(Select) specialization needed some utilities for walking graphs of Values.

        Tail duplication needed SSA fixup, so I added a way to demote values to anonymous stack
        slots (B3's equivalent of non-SSA variables) and a way to "fix SSA", i.e. to allocate
        anonymous stack slots to SSA values along with an optimal Phi graph.

        This is a big speed-up on Octane/deltablue. It's a 2.2% speed-up on Octane overall.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3ArgumentRegValue.cpp:
        (JSC::B3::ArgumentRegValue::dumpMeta):
        (JSC::B3::ArgumentRegValue::cloneImpl):
        * b3/B3ArgumentRegValue.h:
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::append):
        (JSC::B3::BasicBlock::appendNonTerminal):
        (JSC::B3::BasicBlock::removeLast):
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::values):
        * b3/B3BasicBlockInlines.h:
        (JSC::B3::BasicBlock::appendNew):
        (JSC::B3::BasicBlock::appendNewNonTerminal):
        (JSC::B3::BasicBlock::replaceLastWithNew):
        * b3/B3BlockInsertionSet.h:
        * b3/B3BreakCriticalEdges.cpp: Added.
        (JSC::B3::breakCriticalEdges):
        * b3/B3BreakCriticalEdges.h: Added.
        * b3/B3CCallValue.cpp:
        (JSC::B3::CCallValue::~CCallValue):
        (JSC::B3::CCallValue::cloneImpl):
        * b3/B3CCallValue.h:
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::convertToAdd):
        (JSC::B3::CheckValue::cloneImpl):
        (JSC::B3::CheckValue::CheckValue):
        * b3/B3CheckValue.h:
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::dumpMeta):
        (JSC::B3::Const32Value::cloneImpl):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::dumpMeta):
        (JSC::B3::Const64Value::cloneImpl):
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::dumpMeta):
        (JSC::B3::ConstDoubleValue::cloneImpl):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::dumpMeta):
        (JSC::B3::ConstFloatValue::cloneImpl):
        * b3/B3ConstFloatValue.h:
        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::dumpMeta):
        (JSC::B3::ControlValue::cloneImpl):
        * b3/B3ControlValue.h:
        * b3/B3DuplicateTails.cpp: Added.
        (JSC::B3::duplicateTails):
        * b3/B3DuplicateTails.h: Added.
        * b3/B3FixSSA.cpp: Added.
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::Iterable::Iterable):
        (JSC::B3::IndexSet::values):
        (JSC::B3::IndexSet::indices):
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::insertIntConstant):
        (JSC::B3::InsertionSet::insertBottom):
        (JSC::B3::InsertionSet::execute):
        * b3/B3InsertionSet.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::tmp):
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::dumpMeta):
        (JSC::B3::MemoryValue::cloneImpl):
        * b3/B3MemoryValue.h:
        * b3/B3OriginDump.cpp: Added.
        (JSC::B3::OriginDump::dump):
        * b3/B3OriginDump.h:
        (JSC::B3::OriginDump::OriginDump):
        (JSC::B3::OriginDump::dump): Deleted.
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::dumpMeta):
        (JSC::B3::PatchpointValue::cloneImpl):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::clone):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::addBottom):
        (JSC::B3::Procedure::addBoolConstant):
        (JSC::B3::Procedure::deleteValue):
        * b3/B3Procedure.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3SSACalculator.cpp: Added.
        (JSC::B3::SSACalculator::Variable::dump):
        (JSC::B3::SSACalculator::Variable::dumpVerbose):
        (JSC::B3::SSACalculator::Def::dump):
        (JSC::B3::SSACalculator::SSACalculator):
        (JSC::B3::SSACalculator::~SSACalculator):
        (JSC::B3::SSACalculator::reset):
        (JSC::B3::SSACalculator::newVariable):
        (JSC::B3::SSACalculator::newDef):
        (JSC::B3::SSACalculator::nonLocalReachingDef):
        (JSC::B3::SSACalculator::reachingDefAtTail):
        (JSC::B3::SSACalculator::dump):
        * b3/B3SSACalculator.h: Added.
        (JSC::B3::SSACalculator::Variable::index):
        (JSC::B3::SSACalculator::Variable::Variable):
        (JSC::B3::SSACalculator::Def::variable):
        (JSC::B3::SSACalculator::Def::block):
        (JSC::B3::SSACalculator::Def::value):
        (JSC::B3::SSACalculator::Def::Def):
        (JSC::B3::SSACalculator::variable):
        (JSC::B3::SSACalculator::computePhis):
        (JSC::B3::SSACalculator::phisForBlock):
        (JSC::B3::SSACalculator::reachingDefAtHead):
        * b3/B3StackSlotKind.h:
        * b3/B3StackSlotValue.cpp:
        (JSC::B3::StackSlotValue::dumpMeta):
        (JSC::B3::StackSlotValue::cloneImpl):
        * b3/B3StackSlotValue.h:
        * b3/B3SwitchValue.cpp:
        (JSC::B3::SwitchValue::dumpMeta):
        (JSC::B3::SwitchValue::cloneImpl):
        (JSC::B3::SwitchValue::SwitchValue):
        * b3/B3SwitchValue.h:
        * b3/B3UpsilonValue.cpp:
        (JSC::B3::UpsilonValue::dumpMeta):
        (JSC::B3::UpsilonValue::cloneImpl):
        * b3/B3UpsilonValue.h:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::replaceWithNop):
        (JSC::B3::Value::replaceWithPhi):
        (JSC::B3::Value::dump):
        (JSC::B3::Value::cloneImpl):
        (JSC::B3::Value::dumpChildren):
        (JSC::B3::Value::deepDump):
        * b3/B3Value.h:
        (JSC::B3::DeepValueDump::DeepValueDump):
        (JSC::B3::DeepValueDump::dump):
        (JSC::B3::deepDump):
        * b3/B3ValueInlines.h:
        (JSC::B3::Value::asNumber):
        (JSC::B3::Value::walk):
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::intConstant):
        (JSC::B3::ValueKey::dump):
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::ValueKey):
        (JSC::B3::ValueKey::opcode):
        (JSC::B3::ValueKey::type):
        (JSC::B3::ValueKey::childIndex):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::forAllTmps):
        (JSC::B3::Air::Code::isFastTmp):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        (JSC::B3::Air::UseCounts::operator[]):
        (JSC::B3::Air::UseCounts::dump):
        * b3/testb3.cpp:
        (JSC::B3::testSelectInvert):
        (JSC::B3::testCheckSelect):
        (JSC::B3::testCheckSelectCheckSelect):
        (JSC::B3::testPowDoubleByIntegerLoop):
        (JSC::B3::run):
        * runtime/Options.h:

2016-01-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix a typo in the Air definition of CeilDouble/CeilFloat
        https://bugs.webkit.org/show_bug.cgi?id=153286

        Reviewed by Mark Lam.

        * b3/air/AirOpcode.opcodes:
        The second argument should be a Def. The previous definition was
        adding useless constraints on the allocation of the second argument.

2016-01-20  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] The register allocator can use a dangling pointer when selecting a spill candidate
        https://bugs.webkit.org/show_bug.cgi?id=153287

        Reviewed by Mark Lam.

        A tricky bug I discovered while experimenting with live range breaking.

        We have the following initial conditions:
        -UseCounts is slow, so we only compute it once for all the iterations
         of the allocator.
        -The only new Tmps we create are for spills and refills. They are unspillable
         by definition so it is fine to not update UseCounts accordingly.

        But, in selectSpill(), we go over all the spill candidates and select the best
        one based on its score. The score() lambda uses useCounts; it cannot be used
        with new Tmps created for something we already spilled.

        The first time we use score() is correct: we started by skipping all the unspillable
        Tmps from the candidates. The next use was incorrect: we were checking unspillableTmps
        *after* calling score().

        The existing tests did not catch this due to bad luck. I added an assertion
        to find similar problems in the future.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:

2016-01-20  Saam barati  <sbarati@apple.com>

        Fix CLoop build after bug https://bugs.webkit.org/show_bug.cgi?id=152766

        Unreviewed build fix.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2016-01-20  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147613

        Reviewed by Darin Adler.

        Implement toLocaleTimeString in builtin JavaScript.

        * builtins/DatePrototype.js:
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

2016-01-20  Saam barati  <sbarati@apple.com>

        Web Inspector: Hook the sampling profiler into the Timelines UI
        https://bugs.webkit.org/show_bug.cgi?id=152766
        <rdar://problem/24066360>

        Reviewed by Joseph Pecoraro.

        This patch adds some necessary functions to SamplingProfiler::StackFrame
        to allow it to give data to the Inspector for the timelines UI, i.e., the
        sourceID of the executable of a stack frame.

        This patch also swaps in the SamplingProfiler in place of the
        LegacyProfiler inside InspectorScriptProfilerAgent. It adds
        the necessary protocol data to allow the SamplingProfiler's
        data to hook into the timelines UI.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setProfilingClient):
        (JSC::Debugger::willEvaluateScript):
        (JSC::Debugger::didEvaluateScript):
        (JSC::Debugger::toggleBreakpoint):
        * debugger/Debugger.h:
        * debugger/ScriptProfilingScope.h:
        (JSC::ScriptProfilingScope::ScriptProfilingScope):
        (JSC::ScriptProfilingScope::~ScriptProfilingScope):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        (Inspector::InspectorScriptProfilerAgent::stopTracking):
        (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
        (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildSamples):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::buildAggregateCallInfoInspectorObject): Deleted.
        (Inspector::buildInspectorObject): Deleted.
        (Inspector::buildProfileInspectorObject): Deleted.
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/protocol/ScriptProfiler.json:
        * jsc.cpp:
        (functionSamplingProfilerStackTraces):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::clearData):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::startLine):
        (JSC::SamplingProfiler::StackFrame::startColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (JSC::SamplingProfiler::stackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::displayName): Deleted.
        (JSC::SamplingProfiler::stacktracesAsJSON): Deleted.
762         * runtime/SamplingProfiler.h:
763         (JSC::SamplingProfiler::StackFrame::StackFrame):
764         (JSC::SamplingProfiler::getLock):
765         (JSC::SamplingProfiler::setTimingInterval):
766         (JSC::SamplingProfiler::totalTime):
767         (JSC::SamplingProfiler::setStopWatch):
768         (JSC::SamplingProfiler::stackTraces): Deleted.
769         * tests/stress/sampling-profiler-anonymous-function.js:
770         (platformSupportsSamplingProfiler.baz):
771         (platformSupportsSamplingProfiler):
772         * tests/stress/sampling-profiler-basic.js:
773         (platformSupportsSamplingProfiler.nothing):
774         (platformSupportsSamplingProfiler.top):
775         * tests/stress/sampling-profiler/samplingProfiler.js:
776         (doesTreeHaveStackTrace):
777
778 2016-01-20  Keith Miller  <keith_miller@apple.com>
779
780         TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
781         https://bugs.webkit.org/show_bug.cgi?id=153281
782
783         Reviewed by Geoffrey Garen.
784
785         When creating a JSArrayBuffer we should make sure that the backing ArrayBuffer uses the
786         new JSArrayBuffer as its wrapper. This causes issues when we get the buffer of a Typed Array
787         created by passing a JSArrayBuffer, as the backing ArrayBuffer does not have a reference to
788         the original JSArrayBuffer and a new object is created.
789
790         * runtime/JSArrayBuffer.cpp:
791         (JSC::JSArrayBuffer::finishCreation):
792         * tests/stress/typedarray-buffer-neutered.js: Added.
793         (arrays.typedArrays.map):
794
795 2016-01-20  Andreas Kling  <akling@apple.com>
796
797         Pack RegisterAtOffset harder.
798         <https://webkit.org/b/152501>
799
800         Reviewed by Michael Saboff.
801
802         Pack the register index and the offset into a single pointer-sized word instead of two.
803         This reduces memory consumption by 620 kB on mobile theverge.com.
804
805         The packing doesn't succeed on MSVC for some reason, so I've left out the static
806         assertion about class size in those builds.
807
808         * jit/RegisterAtOffset.cpp:
809         * jit/RegisterAtOffset.h:
810
811 2016-01-20  Per Arne Vollan  <peavo@outlook.com>
812
813         [B3][Win64] Compile fix.
814         https://bugs.webkit.org/show_bug.cgi?id=153278
815
816         Reviewed by Filip Pizlo.
817
818         MSVC does not accept that a class declared as exported also has members declared as exported.
819
820         * b3/B3Const32Value.h:
821         * b3/B3ControlValue.h:
822
823 2016-01-19  Keith Miller  <keith_miller@apple.com>
824
825         [ES6] Fix various issues with TypedArrays.
826         https://bugs.webkit.org/show_bug.cgi?id=153245
827
828         Reviewed by Geoffrey Garen.
829
830         This patch fixes a couple of issues with TypedArrays:
831
832         1) We were not checking if a view had been neutered and throwing an error
833         if it had in our TypedArray.prototype functions.
834
835         2) The TypedArray.prototype.set function had a couple of minor issues with
836         checking for the offset being negative.
837
838         3) The JSArrayBufferView class did not check if the backing store had
839         been neutered when computing the offset even though the view's vector
840         pointer had been set to NULL. This meant that under some conditions we
841         could, occasionally, return a garbage number as the offset. Now, we only
842         neuter views if the backing ArrayBuffer's view is actually transferred.
843
844         * jsc.cpp:
845         (GlobalObject::finishCreation):
846         (functionNeuterTypedArray):
847         * runtime/JSArrayBufferView.h:
848         (JSC::JSArrayBufferView::isNeutered):
849         * runtime/JSArrayBufferViewInlines.h:
850         (JSC::JSArrayBufferView::byteOffset):
851         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
852         (JSC::genericTypedArrayViewProtoFuncSet):
853         (JSC::genericTypedArrayViewProtoFuncEntries):
854         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
855         (JSC::genericTypedArrayViewProtoFuncFill):
856         (JSC::genericTypedArrayViewProtoFuncIndexOf):
857         (JSC::genericTypedArrayViewProtoFuncJoin):
858         (JSC::genericTypedArrayViewProtoFuncKeys):
859         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
860         (JSC::genericTypedArrayViewProtoFuncReverse):
861         (JSC::genericTypedArrayViewPrivateFuncSort):
862         (JSC::genericTypedArrayViewProtoFuncSlice):
863         (JSC::genericTypedArrayViewProtoFuncSubarray):
864         (JSC::typedArrayViewProtoFuncValues):
865         * runtime/JSTypedArrayViewPrototype.cpp:
866         (JSC::typedArrayViewPrivateFuncLength):
867         (JSC::typedArrayViewPrivateFuncSort): Deleted.
868         * tests/stress/typedarray-functions-with-neutered.js: Added.
869         (getGetter):
870         (unit):
871         (args.new.Int32Array):
872         (arrays.typedArrays.map):
873         (checkProtoFunc.throwsCorrectError):
874         (checkProtoFunc):
875         (test):
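
        Added example (not WebKit code) covering this entry and the .buffer identity fix in bug 153281 above: it detaches a view's backing ArrayBuffer and records what the accessors report and which prototype functions reject the detached view. Detaching uses structuredClone's transfer list, so it assumes Node 17+ or a browser; the method list is taken from the functions named in this entry.

```javascript
// Added example, not WebKit code: probes how a TypedArray view behaves once its
// backing ArrayBuffer is detached ("neutered" in the ChangeLog). It exercises the
// two points above: prototype functions must reject a detached view with a
// TypeError, and the view's accessors must report 0 rather than a stale offset.
// Detaching is done via structuredClone's transfer list (Node 17+ / browsers).

// Run one method against the view and report how it failed, if at all.
function outcomeOf(fn) {
  try {
    fn();
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : `other: ${e.name}`;
  }
}

// Snapshot the observable state of a view; `buffer` is the ArrayBuffer it was
// created over, so we can also check the .buffer identity fixed by bug 153281.
function snapshot(view, buffer) {
  return {
    byteOffset: view.byteOffset,
    byteLength: view.byteLength,
    length: view.length,
    bufferIsOriginal: view.buffer === buffer,
  };
}

function probeDetachedView() {
  const buffer = new ArrayBuffer(16);
  // A view that does not start at byte 0, so a stale offset would be visible.
  const view = new Int32Array(buffer, 4, 2);
  view.set([1, 2]);
  const before = snapshot(view, buffer);

  // Transferring the buffer detaches the original: its byteLength drops to 0 and
  // every view over it becomes out of bounds.
  structuredClone(buffer, { transfer: [buffer] });
  const after = snapshot(view, buffer);
  after.bufferDetached = buffer.byteLength === 0;

  // The prototype functions named in the ChangeLog entry, called on the detached view.
  const calls = {
    set: () => view.set([3]),
    entries: () => view.entries(),
    copyWithin: () => view.copyWithin(0, 1),
    fill: () => view.fill(0),
    indexOf: () => view.indexOf(1),
    join: () => view.join(","),
    keys: () => view.keys(),
    lastIndexOf: () => view.lastIndexOf(1),
    reverse: () => view.reverse(),
    sort: () => view.sort(),
    slice: () => view.slice(0),
    subarray: () => view.subarray(0),
    values: () => view.values(),
  };
  const outcomes = {};
  for (const [name, fn] of Object.entries(calls)) outcomes[name] = outcomeOf(fn);

  return { before, after, outcomes };
}

// Stand-alone run: print a compact report.
const report = probeDetachedView();
console.log(JSON.stringify(report, null, 2));
```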
876
877 2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>
878
879         [INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
880         https://bugs.webkit.org/show_bug.cgi?id=147612
881
882         Reviewed by Benjamin Poulain.
883
884         Implement toLocaleDateString in builtin JavaScript. Remove comments with
885         spec steps, and instead link to the new HTML version of the spec.
886
887         Avoids creating an extra empty object in the prototype chain of the options
888         object in ToDateTimeOptions. The version used in toLocaleString was updated
889         to match as well.
890
891         * builtins/DatePrototype.js:
892         (toLocaleString.toDateTimeOptionsAnyAll):
893         (toLocaleString):
894         (toLocaleDateString.toDateTimeOptionsDateDate):
895         (toLocaleDateString):
896         * runtime/DatePrototype.cpp:
897         (JSC::DatePrototype::finishCreation):
898
899 2016-01-19  Benjamin Poulain  <bpoulain@apple.com>
900
901         [JSC] fixSpillSlotZDef() crashes on ARM64
902         https://bugs.webkit.org/show_bug.cgi?id=153246
903
904         Reviewed by Geoffrey Garen.
905
906         Moving an immediate to memory is not a valid instruction on ARM64.
907         This patch adds a small workaround for this specific case: an instruction
908         to zero a chunk of memory.
909
910         * assembler/MacroAssemblerARM64.h:
911         (JSC::MacroAssemblerARM64::storeZero32):
912         * assembler/MacroAssemblerX86Common.h:
913         (JSC::MacroAssemblerX86Common::storeZero32):
914         * b3/air/AirFixSpillSlotZDef.h:
915         (JSC::B3::Air::fixSpillSlotZDef):
916         * b3/air/AirOpcode.opcodes:
917
918 2016-01-19  Enrica Casucci  <enrica@apple.com>
919
920         Add support for DataDetectors in WK (iOS).
921         https://bugs.webkit.org/show_bug.cgi?id=152989
922         rdar://problem/22855960
923
924         Reviewed by Tim Horton.
925
926         Adding feature definition for data detection.
927
928         * Configurations/FeatureDefines.xcconfig:
929
930 2016-01-19  Per Arne Vollan  <peavo@outlook.com>
931
932         [B3][Win64] Compile and warning fixes.
933         https://bugs.webkit.org/show_bug.cgi?id=153234
934
935         Reviewed by Alex Christensen.
936
937         The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
938         when we want the size to be 8 bytes.
939
940         * b3/B3LowerMacrosAfterOptimizations.cpp:
941         * b3/B3ReduceStrength.cpp:
942
943 2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>
944
945         [cmake] Fix the B3 build after r195159
946         https://bugs.webkit.org/show_bug.cgi?id=153232
947
948         Reviewed by Yusuke Suzuki.
949
950         * CMakeLists.txt:
951
952 2016-01-19  Commit Queue  <commit-queue@webkit.org>
953
954         Unreviewed, rolling out r195300.
955         https://bugs.webkit.org/show_bug.cgi?id=153244
956
957         enrica wants more time to fix Windows (Requested by thorton on
958         #webkit).
959
960         Reverted changeset:
961
962         "Add support for DataDetectors in WK (iOS)."
963         https://bugs.webkit.org/show_bug.cgi?id=152989
964         http://trac.webkit.org/changeset/195300
965
966 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
967
968         Reconsider B3's constant motion policy
969         https://bugs.webkit.org/show_bug.cgi?id=152202
970
971         Reviewed by Geoffrey Garen.
972
973         This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
974         It has a generally positive impact on the Octane score, but it's within margin of error.
975
976         This also changes IRC to make it a bit more likely to spill constants. We don't want it to
977         spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
978         a constant from the stack with the constant itself, especially in case of instructions that
979         need an extra register to materialize the immediate.
980
981         Also fixed DFG graph dumping to print a bit fewer things. It was trying to print the results of
982         constant property inference, and this sometimes caused crashes when you dumped the graph at an
983         inopportune time.
984
985         * JavaScriptCore.xcodeproj/project.pbxproj:
986         * b3/B3MoveConstants.cpp:
987         * b3/air/AirArg.h:
988         * b3/air/AirArgInlines.h: Added.
989         (JSC::B3::Air::ArgThingHelper<Tmp>::is):
990         (JSC::B3::Air::ArgThingHelper<Tmp>::as):
991         (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
992         (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
993         (JSC::B3::Air::ArgThingHelper<Arg>::is):
994         (JSC::B3::Air::ArgThingHelper<Arg>::as):
995         (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
996         (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
997         (JSC::B3::Air::Arg::is):
998         (JSC::B3::Air::Arg::as):
999         (JSC::B3::Air::Arg::forEachFast):
1000         (JSC::B3::Air::Arg::forEach):
1001         * b3/air/AirIteratedRegisterCoalescing.cpp:
1002         * b3/air/AirUseCounts.h:
1003         (JSC::B3::Air::UseCounts::UseCounts):
1004         * dfg/DFGGraph.cpp:
1005         (JSC::DFG::Graph::dump):
1006
1007 2016-01-19  Enrica Casucci  <enrica@apple.com>
1008
1009         Add support for DataDetectors in WK (iOS).
1010         https://bugs.webkit.org/show_bug.cgi?id=152989
1011         rdar://problem/22855960
1012
1013         Reviewed by Tim Horton.
1014
1015         Adding feature definition.
1016
1017         * Configurations/FeatureDefines.xcconfig:
1018
1019 2016-01-17  Filip Pizlo  <fpizlo@apple.com>
1020
1021         FTL B3 should be just as fast as FTL LLVM on Octane/crypto
1022         https://bugs.webkit.org/show_bug.cgi?id=153113
1023
1024         Reviewed by Saam Barati.
1025
1026         This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
1027         Octane/crypto. It was a very successful rampage.
1028
1029         The biggest change in this patch is the introduction of a phase called fixObviousSpills()
1030         that fixes patterns like:
1031
1032         Store register to stack slot and then use stack slot:
1033             Move %rcx, (stack42)
1034             Foo use:(stack42) // replace (stack42) with %rcx here.
1035
1036         Load stack slot into register and then use stack slot:
1037             Move (stack42), %rcx
1038             Foo use:(stack42) // replace (stack42) with %rcx here.
1039
1040         Store constant into stack slot and then use stack slot:
1041             Move $42, %rcx
1042             Move %rcx, (stack42)
1043             Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
1044             Foo use:(stack42) // replace (stack42) with $42 here.
1045
1046         This phase does these fixups by doing a global forward flow that propagates sets of
1047         must-aliases.
1048
1049         Also added a phase to report register pressure. It pretty-prints code alongside the set of
1050         in-use registers above each instruction. Using this phase, I found that our register
1051         allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
1052         make substantial changes to register allocation. I don't have such a fear anymore, at least
1053         for Octane/crypto. In the future, we can check how the regalloc is performing just by
1054         enabling logAirRegisterPressure.
1055
1056         Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
1057         conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
1058         hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
1059         of branches.
1060
1061         Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
1062         reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
1063         optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
1064         the cases of interest were dead simple - the incoming values to the CheckMul were obviously
1065         too small to cause overflow. I added such reasoning to B3's strength reduction.
1066
1067         Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
1068         allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
1069         spill slot. In that case, it would extend the size of the spill slot to ensure that the use
1070         or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
1071         the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
1072         slots. They cannot have more than one def to initialize their value. I fixed that by making
1073         allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
1074         on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
1075         construct a test for this. It might be a hypothetical bug, but still, I like how this
1076         simplifies the register allocator.
1077
1078         This is a ~0.7% speed-up on Octane.
1079
1080         * CMakeLists.txt:
1081         * JavaScriptCore.xcodeproj/project.pbxproj:
1082         * b3/B3CheckSpecial.cpp:
1083         (JSC::B3::CheckSpecial::hiddenBranch):
1084         (JSC::B3::CheckSpecial::forEachArg):
1085         (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
1086         * b3/B3CheckSpecial.h:
1087         * b3/B3LowerToAir.cpp:
1088         (JSC::B3::Air::LowerToAir::fillStackmap):
1089         (JSC::B3::Air::LowerToAir::lower):
1090         * b3/B3StackmapValue.h:
1091         * b3/air/AirAllocateStack.cpp:
1092         (JSC::B3::Air::allocateStack):
1093         * b3/air/AirAllocateStack.h:
1094         * b3/air/AirArg.h:
1095         (JSC::B3::Air::Arg::callArg):
1096         (JSC::B3::Air::Arg::stackAddr):
1097         (JSC::B3::Air::Arg::isValidScale):
1098         * b3/air/AirBasicBlock.cpp:
1099         (JSC::B3::Air::BasicBlock::deepDump):
1100         (JSC::B3::Air::BasicBlock::dumpHeader):
1101         (JSC::B3::Air::BasicBlock::dumpFooter):
1102         * b3/air/AirBasicBlock.h:
1103         * b3/air/AirCCallSpecial.cpp:
1104         (JSC::B3::Air::CCallSpecial::CCallSpecial):
1105         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
1106         * b3/air/AirCode.h:
1107         (JSC::B3::Air::Code::lastPhaseName):
1108         (JSC::B3::Air::Code::setEnableRCRS):
1109         (JSC::B3::Air::Code::enableRCRS):
1110         * b3/air/AirCustom.cpp:
1111         (JSC::B3::Air::PatchCustom::isValidForm):
1112         (JSC::B3::Air::CCallCustom::isValidForm):
1113         * b3/air/AirCustom.h:
1114         (JSC::B3::Air::PatchCustom::isValidFormStatic):
1115         (JSC::B3::Air::PatchCustom::admitsStack):
1116         (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
1117         * b3/air/AirEmitShuffle.cpp:
1118         (JSC::B3::Air::ShufflePair::dump):
1119         (JSC::B3::Air::createShuffle):
1120         (JSC::B3::Air::emitShuffle):
1121         * b3/air/AirEmitShuffle.h:
1122         * b3/air/AirFixObviousSpills.cpp: Added.
1123         (JSC::B3::Air::fixObviousSpills):
1124         * b3/air/AirFixObviousSpills.h: Added.
1125         * b3/air/AirFixSpillSlotZDef.h: Removed.
1126         * b3/air/AirGenerate.cpp:
1127         (JSC::B3::Air::prepareForGeneration):
1128         (JSC::B3::Air::generate):
1129         * b3/air/AirHandleCalleeSaves.cpp:
1130         (JSC::B3::Air::handleCalleeSaves):
1131         * b3/air/AirInst.h:
1132         * b3/air/AirInstInlines.h:
1133         (JSC::B3::Air::Inst::reportUsedRegisters):
1134         (JSC::B3::Air::Inst::admitsStack):
1135         (JSC::B3::Air::isShiftValid):
1136         * b3/air/AirIteratedRegisterCoalescing.cpp:
1137         * b3/air/AirLiveness.h:
1138         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1139         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
1140         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
1141         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
1142         (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
1143         (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
1144         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1145         (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
1146         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
1147         (JSC::B3::Air::AbstractLiveness::Iterable::end):
1148         (JSC::B3::Air::AbstractLiveness::Iterable::contains):
1149         (JSC::B3::Air::AbstractLiveness::liveAtTail):
1150         (JSC::B3::Air::AbstractLiveness::workset):
1151         * b3/air/AirLogRegisterPressure.cpp: Added.
1152         (JSC::B3::Air::logRegisterPressure):
1153         * b3/air/AirLogRegisterPressure.h: Added.
1154         * b3/air/AirOptimizeBlockOrder.cpp:
1155         (JSC::B3::Air::blocksInOptimizedOrder):
1156         (JSC::B3::Air::optimizeBlockOrder):
1157         * b3/air/AirOptimizeBlockOrder.h:
1158         * b3/air/AirReportUsedRegisters.cpp:
1159         (JSC::B3::Air::reportUsedRegisters):
1160         * b3/air/AirReportUsedRegisters.h:
1161         * b3/air/AirSpillEverything.cpp:
1162         (JSC::B3::Air::spillEverything):
1163         * b3/air/AirStackSlot.h:
1164         (JSC::B3::Air::StackSlot::isLocked):
1165         (JSC::B3::Air::StackSlot::index):
1166         (JSC::B3::Air::StackSlot::ensureSize):
1167         (JSC::B3::Air::StackSlot::alignment):
1168         * b3/air/AirValidate.cpp:
1169         * ftl/FTLB3Compile.cpp:
1170         (JSC::FTL::compile):
1171         * ftl/FTLLowerDFGToLLVM.cpp:
1172         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1173         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1174         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
1175         * jit/RegisterSet.h:
1176         (JSC::RegisterSet::get):
1177         (JSC::RegisterSet::setAll):
1178         (JSC::RegisterSet::merge):
1179         (JSC::RegisterSet::filter):
1180         * runtime/Options.h:
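
        Added example (not WebKit code) for the three fixup patterns described in this entry: a single-block sketch that tracks must-alias facts between spill slots, registers and immediates and rewrites slot uses accordingly. The real fixObviousSpills() is a global forward dataflow over all blocks; the instruction shape and operand spelling here are a constructed toy, not Air syntax.

```javascript
// Added example, not WebKit code: a straight-line sketch of the three fixups
// described above. The real fixObviousSpills() is a global forward dataflow over
// all blocks; this version walks a single block and keeps must-alias facts as
// three maps. The instruction shape is a constructed toy, not Air syntax:
//   { op: "Move", src, dst }                  copy src into dst
//   { op: "Foo", uses: [...], defs: [...] }   any other instruction
// Operands are strings: "%rcx" (register), "(stack42)" (spill slot), "$42" (immediate).

const isReg = (a) => a.startsWith("%");
const isSlot = (a) => a.startsWith("(");
const isImm = (a) => a.startsWith("$");

function fixObviousSpills(insts) {
  const slotReg = new Map();   // slot -> register holding the same value
  const slotImm = new Map();   // slot -> immediate known to be stored there
  const regImm = new Map();    // register -> immediate it currently holds
  const out = [];

  // Redefining a register invalidates every fact that mentions it, but a slot
  // that was stored from that register keeps its immediate alias (pattern 3).
  const killReg = (r) => {
    regImm.delete(r);
    for (const [slot, reg] of slotReg) if (reg === r) slotReg.delete(slot);
  };
  // Redefining a slot invalidates everything known about it.
  const killSlot = (s) => { slotReg.delete(s); slotImm.delete(s); };

  // Replace a use of a slot by a register or immediate that must hold the same value.
  const rewriteUse = (a) => {
    if (!isSlot(a)) return a;
    if (slotReg.has(a)) return slotReg.get(a);
    if (slotImm.has(a)) return slotImm.get(a);
    return a;
  };

  for (const inst of insts) {
    if (inst.op === "Move") {
      const src = rewriteUse(inst.src);
      const dst = inst.dst;
      out.push({ op: "Move", src, dst });
      if (isReg(dst)) {
        killReg(dst);
        if (isImm(src)) regImm.set(dst, src);            // materialized constant
        else if (isSlot(src)) slotReg.set(src, dst);     // pattern 2: load from slot
        else if (regImm.has(src)) regImm.set(dst, regImm.get(src));
      } else if (isSlot(dst)) {
        killSlot(dst);
        if (isReg(src)) {
          slotReg.set(dst, src);                          // pattern 1: store to slot
          if (regImm.has(src)) slotImm.set(dst, regImm.get(src)); // pattern 3
        } else if (isImm(src)) {
          slotImm.set(dst, src);
        }
      }
    } else {
      out.push({ ...inst, uses: (inst.uses || []).map(rewriteUse) });
      for (const d of inst.defs || []) (isReg(d) ? killReg : killSlot)(d);
    }
  }
  return out;
}

// Constructed inputs mirroring the three patterns in the entry above, plus a
// case where the slot is clobbered and no rewrite is allowed.
const samplePrograms = {
  storeThenUse: [
    { op: "Move", src: "%rcx", dst: "(stack42)" },
    { op: "Foo", uses: ["(stack42)"], defs: [] },
  ],
  loadThenUse: [
    { op: "Move", src: "(stack42)", dst: "%rcx" },
    { op: "Foo", uses: ["(stack42)"], defs: [] },
  ],
  constantThroughSlot: [
    { op: "Move", src: "$42", dst: "%rcx" },
    { op: "Move", src: "%rcx", dst: "(stack42)" },
    { op: "Bar", uses: [], defs: ["%rcx"] },      // %rcx is gone, (stack42) still holds $42
    { op: "Foo", uses: ["(stack42)"], defs: [] },
  ],
  slotClobbered: [
    { op: "Move", src: "%rcx", dst: "(stack42)" },
    { op: "Baz", uses: [], defs: ["(stack42)"] }, // slot redefined: facts about it die
    { op: "Foo", uses: ["(stack42)"], defs: [] },
  ],
};

for (const [name, program] of Object.entries(samplePrograms)) {
  const fixed = fixObviousSpills(program);
  console.log(name, "->", fixed[fixed.length - 1].uses.join(", "));
}
```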
1181
1182 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
1183
1184         Unreviewed, undo unintended commit.
1185
1186         * dfg/DFGCommon.h:
1187
1188 2016-01-18  Filip Pizlo  <fpizlo@apple.com>
1189
1190         Fix Air shuffling assertions
1191         https://bugs.webkit.org/show_bug.cgi?id=153213
1192
1193         Reviewed by Saam Barati.
1194
1195         Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.
1196
1197         * assembler/MacroAssemblerX86Common.h:
1198         (JSC::MacroAssemblerX86Common::store8):
1199         (JSC::MacroAssemblerX86Common::getUnusedRegister):
1200         * b3/air/AirEmitShuffle.cpp:
1201         (JSC::B3::Air::emitShuffle):
1202         * b3/air/AirLowerAfterRegAlloc.cpp:
1203         (JSC::B3::Air::lowerAfterRegAlloc):
1204         * b3/air/testair.cpp:
1205         (JSC::B3::Air::testShuffleRotateWithFringe):
1206         (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
1207         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1208         (JSC::B3::Air::run):
1209
1210 2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>
1211
1212         [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
1213         https://bugs.webkit.org/show_bug.cgi?id=152693
1214
1215         Reviewed by Michael Saboff.
1216
1217         * offlineasm/mips.rb:
1218
1219 2016-01-18  Saam barati  <sbarati@apple.com>
1220
1221         assertions in BytecodeUseDef.h about opcode length are off by one
1222         https://bugs.webkit.org/show_bug.cgi?id=153215
1223
1224         Reviewed by Dan Bernstein.
1225
1226         * bytecode/BytecodeUseDef.h:
1227         (JSC::computeUsesForBytecodeOffset):
1228
1229 2016-01-18  Saam barati  <sbarati@apple.com>
1230
1231         FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
1232         https://bugs.webkit.org/show_bug.cgi?id=153186
1233
1234         Reviewed by Michael Saboff.
1235
1236         Michael was investigating a bug he found while doing the new JSC calling 
1237         convention work and it turns out to be a latent bug in FTL try/catch machinery.
1238         After I looked at the code again, I realized that what I had previously
1239         written is wrong in a subtle way. The FTL callOperation machinery will remove
1240         its result register from the set of registers it needs to spill. This is not
1241         correct when we have try/catch. We may want to do value recovery on
1242         the value that the result register is prior to the call after the call
1243         throws an exception. The case that we were solving before was when the 
1244         resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
1245         This code is correct in wanting to spill in that case, even though it might spill
1246         when we don't need it to (i.e. the result is not needed for value recovery). Once I
1247         investigated this bug further, I realized that the previous rule is just a
1248         partial subset of the rule that says we should spill anytime the result is
1249         a register we might do value recovery on. This patch implements the rule that
1250         says we always want to spill the result when we will do value recovery on it 
1251         if an exception is thrown.
1252
1253         * ftl/FTLCompile.cpp:
1254         (JSC::FTL::mmAllocateDataSection):
1255         * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
1256         (assert):
1257         (random):
1258         (identity):
1259         (let.o2.get f):
1260         (let.o3.get f):
1261         (foo):
1262         (i.else):
1263
1264 2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>
1265
1266         [MIPS] LLInt: fix calculation of Global Offset Table
1267         https://bugs.webkit.org/show_bug.cgi?id=150381
1268
1269         Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
1270         computes the address of the GOT. However, this instruction requires $t9 to
1271         contain the address of the current function. So we need to set $t9 to pcBase,
1272         otherwise GOT-related calculations will be invalid.
1273
1274         Since offlineasm does not allow a direct move to $t9 on MIPS, added a new
1275         instruction, setcallreg, which does exactly that.
1276
1277         Reviewed by Michael Saboff.
1278
1279         * llint/LowLevelInterpreter.asm:
1280         * offlineasm/instructions.rb:
1281         * offlineasm/mips.rb:
1282
1283 2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>
1284
1285         REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
1286         https://bugs.webkit.org/show_bug.cgi?id=153204
1287
1288         Reviewed by Michael Catanzaro.
1289
1290         * jsc.cpp:
1291         (main):
1292
1293 2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>
1294
1295         [cmake] Add testair to the build system
1296         https://bugs.webkit.org/show_bug.cgi?id=153126
1297
1298         Reviewed by Michael Catanzaro.
1299
1300         * shell/CMakeLists.txt:
1301
1302 2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
1303
1304         Ensure that CF_AVAILABLE is undefined when building webkit-gtk
1305
1306         https://bugs.webkit.org/show_bug.cgi?id=152720
1307
1308         This change ensures that CF_AVAILABLE is correctly a no-op to
1309         address a build failure that was observed when building on older
1310         versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
1311         re-defined to the system header value based on include-order.
1312
1313         Reviewed by Michael Catanzaro.
1314
1315         * API/WebKitAvailability.h:
1316
1317 2016-01-17  Julien Brianceau  <jbriance@cisco.com>
1318
1319         [mips] Fix regT2 and regT3 trampling in MacroAssembler
1320         https://bugs.webkit.org/show_bug.cgi?id=153131
1321
1322         Mips $t2 and $t3 registers were used as temporary registers
1323         in MacroAssemblerMIPS.h, whereas they are mapped to regT2
1324         and regT3 in LLInt and GPRInfo.
1325
1326         This patch rearranges register mapping for the mips architecture:
1327         - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
1328         - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
1329         - remove $t6 from temp registers list in LLInt
1330         - update GPRInfo.h accordingly
1331         - add mips macroScratchRegisters() list in RegisterSet.cpp
1332
1333         Reviewed by Michael Saboff.
1334
1335         * assembler/MacroAssemblerMIPS.h:
1336         * jit/GPRInfo.h:
1337         (JSC::GPRInfo::toRegister):
1338         (JSC::GPRInfo::toIndex):
1339         * jit/RegisterSet.cpp:
1340         (JSC::RegisterSet::macroScratchRegisters):
1341         (JSC::RegisterSet::calleeSaveRegisters):
1342         * offlineasm/mips.rb:
1343
1344 2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>
1345
1346         [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
1347         https://bugs.webkit.org/show_bug.cgi?id=146934
1348
1349         Reviewed by Saam Barati.
1350         
1351         Added support for destructuring parameters; before, arrow functions expected only simple parameters,
1352         e.g. (), (x), (x, y) or x in an assignment expression. To support destructuring parameters, added an
1353         additional check that checks for destructuring parameters if the check does not pass for simple parameters.
1354
1355         * parser/Parser.cpp:
1356         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1357         (JSC::Parser<LexerType>::parseAssignmentExpression):
1358         * parser/Parser.h:
1359
1360 2016-01-15  Benjamin Poulain  <bpoulain@apple.com>
1361
1362         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1363         https://bugs.webkit.org/show_bug.cgi?id=153065
1364
1365         Reviewed by Mark Lam.
1366         Reviewed by Filip Pizlo.
1367
1368         On ARM64, we cannot use signed 32-bit offsets for memory addressing.
1369         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1370         Air already knows about it.
1371
1372         In this patch, the offsets are changed to something valid for ARM64
1373         prior to lowering. When an offset is invalid, it is just computed
1374         before the instruction and used as the base for addressing.
1375
1376         * JavaScriptCore.xcodeproj/project.pbxproj:
1377         * b3/B3Generate.cpp:
1378         (JSC::B3::generateToAir):
1379         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1380         (JSC::B3::legalizeMemoryOffsets):
1381         * b3/B3LegalizeMemoryOffsets.h: Added.
1382         * b3/B3LowerToAir.cpp:
1383         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1384         * b3/testb3.cpp:
1385         (JSC::B3::testLoadWithOffsetImpl):
1386         (JSC::B3::testLoadOffsetImm9Max):
1387         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1388         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1389         (JSC::B3::testLoadOffsetImm9Min):
1390         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1391         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1392         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1393         (JSC::B3::run):
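
        Added example (not WebKit code) for the offset rule in this entry: a predicate for the two ARM64 immediate forms (signed 9-bit, unsigned 12-bit scaled by access width) and a legalization pass that splits an unencodable offset into an explicit address computation. Instruction shapes are a constructed toy, not B3 IR; the boundary inputs are named after the tests listed above but constructed here.

```javascript
// Added example, not WebKit code: the ARM64 addressing rule described above as
// a predicate, plus a legalization pass that rewrites an illegal offset into an
// explicit address computation before the memory access. Instruction shapes are
// a constructed toy, not B3 IR; widths are access sizes in bytes.

// ARM64 load/store immediates: an unscaled signed 9-bit offset (-256..255), or an
// unsigned 12-bit offset scaled by the access width (0..4095 * width, aligned).
function isLegalArm64Offset(offset, width) {
  if (offset >= -256 && offset <= 255) return true;
  return offset >= 0 && offset % width === 0 && offset / width <= 4095;
}

// Split `base + offset` into a temporary when the offset cannot be encoded,
// then address the access at offset 0 from that temporary.
function legalizeMemoryOffsets(insts) {
  const out = [];
  let nextTmp = 0;
  for (const inst of insts) {
    const isMemory = inst.op === "Load" || inst.op === "Store";
    if (isMemory && !isLegalArm64Offset(inst.offset, inst.width)) {
      const tmp = `%addr${nextTmp++}`;
      out.push({ op: "Add", dst: tmp, lhs: inst.base, rhs: inst.offset });
      out.push({ ...inst, base: tmp, offset: 0 });
    } else {
      out.push(inst);
    }
  }
  return out;
}

// Constructed boundary cases, 4-byte loads, named after the tests listed above.
const sampleLoads = {
  imm9Max: { op: "Load", width: 4, base: "%x0", offset: 255 },
  imm9MaxPlusOne: { op: "Load", width: 4, base: "%x0", offset: 256 },   // legal: scaled 64 * 4
  imm9MaxPlusTwo: { op: "Load", width: 4, base: "%x0", offset: 257 },   // misaligned, too big for imm9
  imm9Min: { op: "Load", width: 4, base: "%x0", offset: -256 },
  imm9MinMinusOne: { op: "Load", width: 4, base: "%x0", offset: -257 }, // negative, so no scaled form
  scaledImm12Max: { op: "Load", width: 4, base: "%x0", offset: 4095 * 4 },
  scaledOverImm12Max: { op: "Load", width: 4, base: "%x0", offset: 4096 * 4 },
};

for (const [name, load] of Object.entries(sampleLoads)) {
  const verdict = isLegalArm64Offset(load.offset, load.width) ? "legal" : "rewritten";
  console.log(name, verdict, JSON.stringify(legalizeMemoryOffsets([load])));
}
```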
1394
1395 2016-01-15  Alex Christensen  <achristensen@webkit.org>
1396
1397         Fix internal Windows build
1398         https://bugs.webkit.org/show_bug.cgi?id=153142
1399
1400         Reviewed by Brent Fulgham.
1401
1402         The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
1403         Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
1404         Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
1405         the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.
1406
1407         * ForwardingHeaders/JavaScriptCore/APICast.h:
1408         * ForwardingHeaders/JavaScriptCore/JSBase.h:
1409         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
1410         * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
1411         * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
1412         * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
1413         * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
1414         * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
1415         * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
1416         * ForwardingHeaders/JavaScriptCore/JavaScript.h:
1417         * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
1418         * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
1419         * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:
1420
1421 2016-01-15  Per Arne Vollan  <peavo@outlook.com>
1422
1423         [B3][Win64] Compile fixes.
1424         https://bugs.webkit.org/show_bug.cgi?id=153127
1425
1426         Reviewed by Alex Christensen.
1427
1428         MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
1429         which one we want to use.
1430
1431         * b3/B3LowerMacros.cpp:
1432         * b3/B3LowerMacrosAfterOptimizations.cpp:
1433         * b3/B3MathExtras.cpp:
1434         (JSC::B3::powDoubleInt32):
1435         * b3/B3ReduceStrength.cpp:
1436
1437 2016-01-15  Filip Pizlo  <fpizlo@apple.com>
1438
1439         Air needs a Shuffle instruction
1440         https://bugs.webkit.org/show_bug.cgi?id=152952
1441
1442         Reviewed by Saam Barati.
1443
1444         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1445         multiple moves to perform arbitrary permutations over registers and memory. We call these
1446         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1447         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1448         use immediates as their source.
1449
1450         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1451         takes any number of triplets of arguments, where each triplet describes one mapping of the
1452         shuffle. For example, to represent (a => b, b => c), we might say:
1453
1454             Shuffle %a, %b, 64, %b, %c, 64
1455
1456         Note the "64"s, those are width arguments that describe how many bits of the register are
1457         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1458         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1459         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1460
1461         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1462         how to use it:
1463
1464         - C calling convention argument marshalling. Previously we used move instructions. But that's
1465           problematic since it introduces artificial interference between the argument registers and
1466           the inputs. Using Shuffle removes that interference. This helps a bit.
1467
1468         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1469           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1470           any registers. Only after register allocation should we handle the clobbering by simply
1471           saving all of the live volatile registers to the stack. If you imagine the saving and the
1472           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1473           both of those things. This is important. If argument marshalling was separate from the
1474           saving, then we'd still appear to clobber argument registers. Doing them together as one
1475           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1476
1477         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1478         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1479         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1480         functionality we will need to implement other optimizations.
1481
1482         Relanding after fixing production build.
1483
1484         * CMakeLists.txt:
1485         * JavaScriptCore.xcodeproj/project.pbxproj:
1486         * assembler/AbstractMacroAssembler.h:
1487         (JSC::isX86_64):
1488         (JSC::isIOS):
1489         (JSC::optimizeForARMv7IDIVSupported):
1490         * assembler/MacroAssemblerX86Common.h:
1491         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1492         (JSC::MacroAssemblerX86Common::swap32):
1493         (JSC::MacroAssemblerX86Common::moveConditionally32):
1494         * assembler/MacroAssemblerX86_64.h:
1495         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1496         (JSC::MacroAssemblerX86_64::swap64):
1497         (JSC::MacroAssemblerX86_64::move64ToDouble):
1498         * assembler/X86Assembler.h:
1499         (JSC::X86Assembler::xchgl_rr):
1500         (JSC::X86Assembler::xchgl_rm):
1501         (JSC::X86Assembler::xchgq_rr):
1502         (JSC::X86Assembler::xchgq_rm):
1503         (JSC::X86Assembler::movl_rr):
1504         * b3/B3CCallValue.h:
1505         * b3/B3Compilation.cpp:
1506         (JSC::B3::Compilation::Compilation):
1507         (JSC::B3::Compilation::~Compilation):
1508         * b3/B3Compilation.h:
1509         (JSC::B3::Compilation::code):
1510         * b3/B3LowerToAir.cpp:
1511         (JSC::B3::Air::LowerToAir::run):
1512         (JSC::B3::Air::LowerToAir::createSelect):
1513         (JSC::B3::Air::LowerToAir::lower):
1514         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1515         * b3/B3OpaqueByproducts.h:
1516         (JSC::B3::OpaqueByproducts::count):
1517         * b3/B3StackmapSpecial.cpp:
1518         (JSC::B3::StackmapSpecial::isArgValidForValue):
1519         (JSC::B3::StackmapSpecial::isArgValidForRep):
1520         * b3/air/AirArg.cpp:
1521         (JSC::B3::Air::Arg::isStackMemory):
1522         (JSC::B3::Air::Arg::isRepresentableAs):
1523         (JSC::B3::Air::Arg::usesTmp):
1524         (JSC::B3::Air::Arg::canRepresent):
1525         (JSC::B3::Air::Arg::isCompatibleType):
1526         (JSC::B3::Air::Arg::dump):
1527         (WTF::printInternal):
1528         * b3/air/AirArg.h:
1529         (JSC::B3::Air::Arg::forEachType):
1530         (JSC::B3::Air::Arg::isWarmUse):
1531         (JSC::B3::Air::Arg::cooled):
1532         (JSC::B3::Air::Arg::isEarlyUse):
1533         (JSC::B3::Air::Arg::imm64):
1534         (JSC::B3::Air::Arg::immPtr):
1535         (JSC::B3::Air::Arg::addr):
1536         (JSC::B3::Air::Arg::special):
1537         (JSC::B3::Air::Arg::widthArg):
1538         (JSC::B3::Air::Arg::operator==):
1539         (JSC::B3::Air::Arg::isImm64):
1540         (JSC::B3::Air::Arg::isSomeImm):
1541         (JSC::B3::Air::Arg::isAddr):
1542         (JSC::B3::Air::Arg::isIndex):
1543         (JSC::B3::Air::Arg::isMemory):
1544         (JSC::B3::Air::Arg::isRelCond):
1545         (JSC::B3::Air::Arg::isSpecial):
1546         (JSC::B3::Air::Arg::isWidthArg):
1547         (JSC::B3::Air::Arg::isAlive):
1548         (JSC::B3::Air::Arg::base):
1549         (JSC::B3::Air::Arg::hasOffset):
1550         (JSC::B3::Air::Arg::offset):
1551         (JSC::B3::Air::Arg::width):
1552         (JSC::B3::Air::Arg::isGPTmp):
1553         (JSC::B3::Air::Arg::isGP):
1554         (JSC::B3::Air::Arg::isFP):
1555         (JSC::B3::Air::Arg::isType):
1556         (JSC::B3::Air::Arg::isGPR):
1557         (JSC::B3::Air::Arg::isValidForm):
1558         (JSC::B3::Air::Arg::forEachTmpFast):
1559         * b3/air/AirBasicBlock.h:
1560         (JSC::B3::Air::BasicBlock::insts):
1561         (JSC::B3::Air::BasicBlock::appendInst):
1562         (JSC::B3::Air::BasicBlock::append):
1563         * b3/air/AirCCallingConvention.cpp: Added.
1564         (JSC::B3::Air::computeCCallingConvention):
1565         (JSC::B3::Air::cCallResult):
1566         (JSC::B3::Air::buildCCall):
1567         * b3/air/AirCCallingConvention.h: Added.
1568         * b3/air/AirCode.h:
1569         (JSC::B3::Air::Code::proc):
1570         * b3/air/AirCustom.cpp: Added.
1571         (JSC::B3::Air::CCallCustom::isValidForm):
1572         (JSC::B3::Air::CCallCustom::generate):
1573         (JSC::B3::Air::ShuffleCustom::isValidForm):
1574         (JSC::B3::Air::ShuffleCustom::generate):
1575         * b3/air/AirCustom.h:
1576         (JSC::B3::Air::PatchCustom::forEachArg):
1577         (JSC::B3::Air::PatchCustom::generate):
1578         (JSC::B3::Air::CCallCustom::forEachArg):
1579         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1580         (JSC::B3::Air::CCallCustom::admitsStack):
1581         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1582         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1583         (JSC::B3::Air::ShuffleCustom::forEachArg):
1584         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1585         (JSC::B3::Air::ShuffleCustom::admitsStack):
1586         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1587         * b3/air/AirEmitShuffle.cpp: Added.
1588         (JSC::B3::Air::ShufflePair::dump):
1589         (JSC::B3::Air::emitShuffle):
1590         * b3/air/AirEmitShuffle.h: Added.
1591         (JSC::B3::Air::ShufflePair::ShufflePair):
1592         (JSC::B3::Air::ShufflePair::src):
1593         (JSC::B3::Air::ShufflePair::dst):
1594         (JSC::B3::Air::ShufflePair::width):
1595         * b3/air/AirGenerate.cpp:
1596         (JSC::B3::Air::prepareForGeneration):
1597         * b3/air/AirGenerate.h:
1598         * b3/air/AirInsertionSet.cpp:
1599         (JSC::B3::Air::InsertionSet::insertInsts):
1600         (JSC::B3::Air::InsertionSet::execute):
1601         * b3/air/AirInsertionSet.h:
1602         (JSC::B3::Air::InsertionSet::insertInst):
1603         (JSC::B3::Air::InsertionSet::insert):
1604         * b3/air/AirInst.h:
1605         (JSC::B3::Air::Inst::operator bool):
1606         (JSC::B3::Air::Inst::append):
1607         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1608         (JSC::B3::Air::lowerAfterRegAlloc):
1609         * b3/air/AirLowerAfterRegAlloc.h: Added.
1610         * b3/air/AirLowerMacros.cpp: Added.
1611         (JSC::B3::Air::lowerMacros):
1612         * b3/air/AirLowerMacros.h: Added.
1613         * b3/air/AirOpcode.opcodes:
1614         * b3/air/AirRegisterPriority.h:
1615         (JSC::B3::Air::regsInPriorityOrder):
1616         * b3/air/testair.cpp: Added.
1617         (hiddenTruthBecauseNoReturnIsStupid):
1618         (usage):
1619         (JSC::B3::Air::compile):
1620         (JSC::B3::Air::invoke):
1621         (JSC::B3::Air::compileAndRun):
1622         (JSC::B3::Air::testSimple):
1623         (JSC::B3::Air::loadConstantImpl):
1624         (JSC::B3::Air::loadConstant):
1625         (JSC::B3::Air::loadDoubleConstant):
1626         (JSC::B3::Air::testShuffleSimpleSwap):
1627         (JSC::B3::Air::testShuffleSimpleShift):
1628         (JSC::B3::Air::testShuffleLongShift):
1629         (JSC::B3::Air::testShuffleLongShiftBackwards):
1630         (JSC::B3::Air::testShuffleSimpleRotate):
1631         (JSC::B3::Air::testShuffleSimpleBroadcast):
1632         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1633         (JSC::B3::Air::testShuffleTreeShift):
1634         (JSC::B3::Air::testShuffleTreeShiftBackward):
1635         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1636         (JSC::B3::Air::testShuffleMultipleShifts):
1637         (JSC::B3::Air::testShuffleRotateWithFringe):
1638         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1639         (JSC::B3::Air::testShuffleMultipleRotates):
1640         (JSC::B3::Air::testShuffleShiftAndRotate):
1641         (JSC::B3::Air::testShuffleShiftAllRegs):
1642         (JSC::B3::Air::testShuffleRotateAllRegs):
1643         (JSC::B3::Air::testShuffleSimpleSwap64):
1644         (JSC::B3::Air::testShuffleSimpleShift64):
1645         (JSC::B3::Air::testShuffleSwapMixedWidth):
1646         (JSC::B3::Air::testShuffleShiftMixedWidth):
1647         (JSC::B3::Air::testShuffleShiftMemory):
1648         (JSC::B3::Air::testShuffleShiftMemoryLong):
1649         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1650         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1651         (JSC::B3::Air::combineHiLo):
1652         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1653         (JSC::B3::Air::testShuffleRotateMemory):
1654         (JSC::B3::Air::testShuffleRotateMemory64):
1655         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1656         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1657         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1658         (JSC::B3::Air::testShuffleSwapDouble):
1659         (JSC::B3::Air::testShuffleShiftDouble):
1660         (JSC::B3::Air::run):
1661         (run):
1662         (main):
1663         * b3/testb3.cpp:
1664         (JSC::B3::testCallSimple):
1665         (JSC::B3::testCallRare):
1666         (JSC::B3::testCallRareLive):
1667         (JSC::B3::testCallSimplePure):
1668         (JSC::B3::run):
1669
1670 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
1671
1672         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
1673         https://bugs.webkit.org/show_bug.cgi?id=147611
1674
1675         Reviewed by Benjamin Poulain.
1676
1677         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
1678         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
1679         function specific to the call in initializeDateTimeFormat. Properly
1680         throw when the options parameter is null.
1681         Add toLocaleString in builtin JavaScript, with its own specific branch
1682         of toDateTimeOptions.
1683
1684         * CMakeLists.txt:
1685         * DerivedSources.make:
1686         * JavaScriptCore.xcodeproj/project.pbxproj:
1687         * builtins/DatePrototype.js: Added.
1688         (toLocaleString.toDateTimeOptionsAnyAll):
1689         (toLocaleString):
1690         * runtime/CommonIdentifiers.h:
1691         * runtime/DatePrototype.cpp:
1692         (JSC::DatePrototype::finishCreation):
1693         * runtime/DatePrototype.h:
1694         * runtime/IntlDateTimeFormat.cpp:
1695         (JSC::toDateTimeOptionsAnyDate):
1696         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1697         (JSC::toDateTimeOptions): Deleted.
1698         * runtime/JSGlobalObject.cpp:
1699         (JSC::JSGlobalObject::init):
1700
1701 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
1702
1703         [mips] Implemented emitFunctionPrologue/Epilogue
1704         https://bugs.webkit.org/show_bug.cgi?id=152947
1705
1706         Reviewed by Michael Saboff.
1707
1708         * assembler/MacroAssemblerMIPS.h:
1709         (JSC::MacroAssemblerMIPS::popPair):
1710         (JSC::MacroAssemblerMIPS::pushPair):
1711         * jit/AssemblyHelpers.h:
1712         (JSC::AssemblyHelpers::emitFunctionPrologue):
1713         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1714         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1715
1716 2016-01-15  Commit Queue  <commit-queue@webkit.org>
1717
1718         Unreviewed, rolling out r195084.
1719         https://bugs.webkit.org/show_bug.cgi?id=153132
1720
1721         Broke Production build (Requested by ap on #webkit).
1722
1723         Reverted changeset:
1724
1725         "Air needs a Shuffle instruction"
1726         https://bugs.webkit.org/show_bug.cgi?id=152952
1727         http://trac.webkit.org/changeset/195084
1728
1729 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
1730
1731         [mips] Add countLeadingZeros32 implementation in macro assembler
1732         https://bugs.webkit.org/show_bug.cgi?id=152886
1733
1734         Reviewed by Michael Saboff.
1735
1736         * assembler/MIPSAssembler.h:
1737         (JSC::MIPSAssembler::lui):
1738         (JSC::MIPSAssembler::clz):
1739         (JSC::MIPSAssembler::addiu):
1740         * assembler/MacroAssemblerMIPS.h:
1741         (JSC::MacroAssemblerMIPS::and32):
1742         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
1743         (JSC::MacroAssemblerMIPS::lshift32):
1744
1745 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
1746
1747         Air needs a Shuffle instruction
1748         https://bugs.webkit.org/show_bug.cgi?id=152952
1749
1750         Reviewed by Saam Barati.
1751
1752         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1753         multiple moves to perform arbitrary permutations over registers and memory. We call these
1754         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1755         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1756         use immediates as their source.
1757
1758         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1759         takes any number of triplets of arguments, where each triplet describes one mapping of the
1760         shuffle. For example, to represent (a => b, b => c), we might say:
1761
1762             Shuffle %a, %b, 64, %b, %c, 64
1763
1764         Note the "64"s, those are width arguments that describe how many bits of the register are
1765         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1766         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1767         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1768
1769         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1770         how to use it:
1771
1772         - C calling convention argument marshalling. Previously we used move instructions. But that's
1773           problematic since it introduces artificial interference between the argument registers and
1774           the inputs. Using Shuffle removes that interference. This helps a bit.
1775
1776         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1777           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1778           any registers. Only after register allocation should we handle the clobbering by simply
1779           saving all of the live volatile registers to the stack. If you imagine the saving and the
1780           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1781           both of those things. This is important. If argument marshalling was separate from the
1782           saving, then we'd still appear to clobber argument registers. Doing them together as one
1783           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1784
1785         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1786         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1787         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1788         functionality we will need to implement other optimizations.
1789
1790         * CMakeLists.txt:
1791         * JavaScriptCore.xcodeproj/project.pbxproj:
1792         * assembler/AbstractMacroAssembler.h:
1793         (JSC::isX86_64):
1794         (JSC::isIOS):
1795         (JSC::optimizeForARMv7IDIVSupported):
1796         * assembler/MacroAssemblerX86Common.h:
1797         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1798         (JSC::MacroAssemblerX86Common::swap32):
1799         (JSC::MacroAssemblerX86Common::moveConditionally32):
1800         * assembler/MacroAssemblerX86_64.h:
1801         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1802         (JSC::MacroAssemblerX86_64::swap64):
1803         (JSC::MacroAssemblerX86_64::move64ToDouble):
1804         * assembler/X86Assembler.h:
1805         (JSC::X86Assembler::xchgl_rr):
1806         (JSC::X86Assembler::xchgl_rm):
1807         (JSC::X86Assembler::xchgq_rr):
1808         (JSC::X86Assembler::xchgq_rm):
1809         (JSC::X86Assembler::movl_rr):
1810         * b3/B3CCallValue.h:
1811         * b3/B3Compilation.cpp:
1812         (JSC::B3::Compilation::Compilation):
1813         (JSC::B3::Compilation::~Compilation):
1814         * b3/B3Compilation.h:
1815         (JSC::B3::Compilation::code):
1816         * b3/B3LowerToAir.cpp:
1817         (JSC::B3::Air::LowerToAir::run):
1818         (JSC::B3::Air::LowerToAir::createSelect):
1819         (JSC::B3::Air::LowerToAir::lower):
1820         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1821         * b3/B3OpaqueByproducts.h:
1822         (JSC::B3::OpaqueByproducts::count):
1823         * b3/B3StackmapSpecial.cpp:
1824         (JSC::B3::StackmapSpecial::isArgValidForValue):
1825         (JSC::B3::StackmapSpecial::isArgValidForRep):
1826         * b3/air/AirArg.cpp:
1827         (JSC::B3::Air::Arg::isStackMemory):
1828         (JSC::B3::Air::Arg::isRepresentableAs):
1829         (JSC::B3::Air::Arg::usesTmp):
1830         (JSC::B3::Air::Arg::canRepresent):
1831         (JSC::B3::Air::Arg::isCompatibleType):
1832         (JSC::B3::Air::Arg::dump):
1833         (WTF::printInternal):
1834         * b3/air/AirArg.h:
1835         (JSC::B3::Air::Arg::forEachType):
1836         (JSC::B3::Air::Arg::isWarmUse):
1837         (JSC::B3::Air::Arg::cooled):
1838         (JSC::B3::Air::Arg::isEarlyUse):
1839         (JSC::B3::Air::Arg::imm64):
1840         (JSC::B3::Air::Arg::immPtr):
1841         (JSC::B3::Air::Arg::addr):
1842         (JSC::B3::Air::Arg::special):
1843         (JSC::B3::Air::Arg::widthArg):
1844         (JSC::B3::Air::Arg::operator==):
1845         (JSC::B3::Air::Arg::isImm64):
1846         (JSC::B3::Air::Arg::isSomeImm):
1847         (JSC::B3::Air::Arg::isAddr):
1848         (JSC::B3::Air::Arg::isIndex):
1849         (JSC::B3::Air::Arg::isMemory):
1850         (JSC::B3::Air::Arg::isRelCond):
1851         (JSC::B3::Air::Arg::isSpecial):
1852         (JSC::B3::Air::Arg::isWidthArg):
1853         (JSC::B3::Air::Arg::isAlive):
1854         (JSC::B3::Air::Arg::base):
1855         (JSC::B3::Air::Arg::hasOffset):
1856         (JSC::B3::Air::Arg::offset):
1857         (JSC::B3::Air::Arg::width):
1858         (JSC::B3::Air::Arg::isGPTmp):
1859         (JSC::B3::Air::Arg::isGP):
1860         (JSC::B3::Air::Arg::isFP):
1861         (JSC::B3::Air::Arg::isType):
1862         (JSC::B3::Air::Arg::isGPR):
1863         (JSC::B3::Air::Arg::isValidForm):
1864         (JSC::B3::Air::Arg::forEachTmpFast):
1865         * b3/air/AirBasicBlock.h:
1866         (JSC::B3::Air::BasicBlock::insts):
1867         (JSC::B3::Air::BasicBlock::appendInst):
1868         (JSC::B3::Air::BasicBlock::append):
1869         * b3/air/AirCCallingConvention.cpp: Added.
1870         (JSC::B3::Air::computeCCallingConvention):
1871         (JSC::B3::Air::cCallResult):
1872         (JSC::B3::Air::buildCCall):
1873         * b3/air/AirCCallingConvention.h: Added.
1874         * b3/air/AirCode.h:
1875         (JSC::B3::Air::Code::proc):
1876         * b3/air/AirCustom.cpp: Added.
1877         (JSC::B3::Air::CCallCustom::isValidForm):
1878         (JSC::B3::Air::CCallCustom::generate):
1879         (JSC::B3::Air::ShuffleCustom::isValidForm):
1880         (JSC::B3::Air::ShuffleCustom::generate):
1881         * b3/air/AirCustom.h:
1882         (JSC::B3::Air::PatchCustom::forEachArg):
1883         (JSC::B3::Air::PatchCustom::generate):
1884         (JSC::B3::Air::CCallCustom::forEachArg):
1885         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1886         (JSC::B3::Air::CCallCustom::admitsStack):
1887         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1888         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1889         (JSC::B3::Air::ShuffleCustom::forEachArg):
1890         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1891         (JSC::B3::Air::ShuffleCustom::admitsStack):
1892         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1893         * b3/air/AirEmitShuffle.cpp: Added.
1894         (JSC::B3::Air::ShufflePair::dump):
1895         (JSC::B3::Air::emitShuffle):
1896         * b3/air/AirEmitShuffle.h: Added.
1897         (JSC::B3::Air::ShufflePair::ShufflePair):
1898         (JSC::B3::Air::ShufflePair::src):
1899         (JSC::B3::Air::ShufflePair::dst):
1900         (JSC::B3::Air::ShufflePair::width):
1901         * b3/air/AirGenerate.cpp:
1902         (JSC::B3::Air::prepareForGeneration):
1903         * b3/air/AirGenerate.h:
1904         * b3/air/AirInsertionSet.cpp:
1905         (JSC::B3::Air::InsertionSet::insertInsts):
1906         (JSC::B3::Air::InsertionSet::execute):
1907         * b3/air/AirInsertionSet.h:
1908         (JSC::B3::Air::InsertionSet::insertInst):
1909         (JSC::B3::Air::InsertionSet::insert):
1910         * b3/air/AirInst.h:
1911         (JSC::B3::Air::Inst::operator bool):
1912         (JSC::B3::Air::Inst::append):
1913         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1914         (JSC::B3::Air::lowerAfterRegAlloc):
1915         * b3/air/AirLowerAfterRegAlloc.h: Added.
1916         * b3/air/AirLowerMacros.cpp: Added.
1917         (JSC::B3::Air::lowerMacros):
1918         * b3/air/AirLowerMacros.h: Added.
1919         * b3/air/AirOpcode.opcodes:
1920         * b3/air/AirRegisterPriority.h:
1921         (JSC::B3::Air::regsInPriorityOrder):
1922         * b3/air/testair.cpp: Added.
1923         (hiddenTruthBecauseNoReturnIsStupid):
1924         (usage):
1925         (JSC::B3::Air::compile):
1926         (JSC::B3::Air::invoke):
1927         (JSC::B3::Air::compileAndRun):
1928         (JSC::B3::Air::testSimple):
1929         (JSC::B3::Air::loadConstantImpl):
1930         (JSC::B3::Air::loadConstant):
1931         (JSC::B3::Air::loadDoubleConstant):
1932         (JSC::B3::Air::testShuffleSimpleSwap):
1933         (JSC::B3::Air::testShuffleSimpleShift):
1934         (JSC::B3::Air::testShuffleLongShift):
1935         (JSC::B3::Air::testShuffleLongShiftBackwards):
1936         (JSC::B3::Air::testShuffleSimpleRotate):
1937         (JSC::B3::Air::testShuffleSimpleBroadcast):
1938         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1939         (JSC::B3::Air::testShuffleTreeShift):
1940         (JSC::B3::Air::testShuffleTreeShiftBackward):
1941         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1942         (JSC::B3::Air::testShuffleMultipleShifts):
1943         (JSC::B3::Air::testShuffleRotateWithFringe):
1944         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1945         (JSC::B3::Air::testShuffleMultipleRotates):
1946         (JSC::B3::Air::testShuffleShiftAndRotate):
1947         (JSC::B3::Air::testShuffleShiftAllRegs):
1948         (JSC::B3::Air::testShuffleRotateAllRegs):
1949         (JSC::B3::Air::testShuffleSimpleSwap64):
1950         (JSC::B3::Air::testShuffleSimpleShift64):
1951         (JSC::B3::Air::testShuffleSwapMixedWidth):
1952         (JSC::B3::Air::testShuffleShiftMixedWidth):
1953         (JSC::B3::Air::testShuffleShiftMemory):
1954         (JSC::B3::Air::testShuffleShiftMemoryLong):
1955         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1956         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1957         (JSC::B3::Air::combineHiLo):
1958         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1959         (JSC::B3::Air::testShuffleRotateMemory):
1960         (JSC::B3::Air::testShuffleRotateMemory64):
1961         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1962         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1963         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1964         (JSC::B3::Air::testShuffleSwapDouble):
1965         (JSC::B3::Air::testShuffleShiftDouble):
1966         (JSC::B3::Air::run):
1967         (run):
1968         (main):
1969         * b3/testb3.cpp:
1970         (JSC::B3::testCallSimple):
1971         (JSC::B3::testCallRare):
1972         (JSC::B3::testCallRareLive):
1973         (JSC::B3::testCallSimplePure):
1974         (JSC::B3::run):
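
The decomposition that this Shuffle entry and its 2016-01-15 relanding describe (shifts such as (a => b, b => c) and rotations over registers, with immediates allowed as sources), as an added example: this is hypothetical code, not WebKit's emitShuffle or any code from the patch. The location names, the `LoweredOp` text form, `regPair`/`immPair` and the demo register contents are all constructed for illustration, and swapping a mixed-width cycle at its widest width is a simplification of this model, not Air's rule. What it shows is why the pairs have to be ordered at all: a shift chain must be written back to front, and a rotation has no valid move order and needs swaps.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of what a Shuffle lowering must do (not WebKit's emitShuffle).
// A source is a location name or an immediate; each pair says "dst gets src's old
// value", and all pairs of one Shuffle take effect simultaneously.
struct ShuffleSrc { bool isImm; std::string loc; uint64_t imm; };
struct ShufflePair { ShuffleSrc src; std::string dst; int width; };  // width is 32 or 64

// Lowered instruction: "move" a <- b, "moveImm" a <- imm, "swap" a <-> b.
struct LoweredOp { std::string kind; std::string a; std::string b; uint64_t imm; int width; };

ShufflePair regPair(const std::string& src, const std::string& dst, int width) { return {{false, src, 0}, dst, width}; }
ShufflePair immPair(uint64_t imm, const std::string& dst, int width) { return {{true, "", imm}, dst, width}; }

// ZDef semantics for GP registers: a 32-bit write zero-extends to 64 bits.
static uint64_t zdef(uint64_t v, int width) { return width == 32 ? (v & 0xFFFFFFFFull) : v; }

std::vector<LoweredOp> emitShuffle(std::vector<ShufflePair> pairs) {
    std::vector<LoweredOp> out;
    // Phase 1, shifts: a destination that no pending pair still reads can be written
    // immediately. Repeating this peels a chain like (a => b, b => c) back to front,
    // so c is written from b before b is overwritten from a.
    for (bool progress = true; progress;) {
        progress = false;
        for (size_t i = 0; i < pairs.size(); ++i) {
            bool stillRead = false;
            for (size_t j = 0; j < pairs.size() && !stillRead; ++j)
                stillRead = j != i && !pairs[j].src.isImm && pairs[j].src.loc == pairs[i].dst;
            if (stillRead)
                continue;
            const ShufflePair& p = pairs[i];
            if (p.src.isImm)
                out.push_back({"moveImm", p.dst, "", p.src.imm, p.width});
            else if (p.src.loc != p.dst)
                out.push_back({"move", p.dst, p.src.loc, 0, p.width});
            pairs.erase(pairs.begin() + i);
            progress = true;
            break;
        }
    }
    // Phase 2, rotations: every remaining destination is also a pending source, so the
    // pairs form disjoint cycles. Walk one cycle c0 <- c1 <- ... <- c(k-1) <- c0 and
    // realise it with k-1 swaps along the cycle. Mixed widths inside one cycle are
    // swapped at the widest width (an assumption of this model, not Air's rule).
    while (!pairs.empty()) {
        std::vector<std::string> cycle;
        int width = 0;
        std::string cur = pairs[0].dst;
        do {
            size_t idx = 0;
            while (pairs[idx].dst != cur)  // the unique pair that writes cur
                ++idx;
            cycle.push_back(cur);
            width = std::max(width, pairs[idx].width);
            cur = pairs[idx].src.loc;      // its source is the next node of the cycle
            pairs.erase(pairs.begin() + idx);
        } while (cur != cycle.front());
        for (size_t i = 0; i + 1 < cycle.size(); ++i)
            out.push_back({"swap", cycle[i], cycle[i + 1], 0, width});
    }
    return out;
}

using RegFile = std::map<std::string, uint64_t>;

// Execute the lowered sequence on a register file so the result can be checked
// against the simultaneous semantics of the original pairs.
RegFile runShuffle(RegFile regs, const std::vector<ShufflePair>& pairs) {
    for (const LoweredOp& op : emitShuffle(pairs)) {
        if (op.kind == "moveImm")
            regs[op.a] = zdef(op.imm, op.width);
        else if (op.kind == "move")
            regs[op.a] = zdef(regs[op.b], op.width);
        else {
            uint64_t t = regs[op.a];
            regs[op.a] = zdef(regs[op.b], op.width);
            regs[op.b] = zdef(t, op.width);
        }
    }
    return regs;
}

// Demo scenarios on constructed register contents a = 1, b = 2, c = 3.
static RegFile abc() { return {{"a", 1}, {"b", 2}, {"c", 3}}; }
RegFile demoShift()     { return runShuffle(abc(), {regPair("a", "b", 64), regPair("b", "c", 64)}); }
RegFile demoRotate()    { return runShuffle(abc(), {regPair("a", "b", 64), regPair("b", "c", 64), regPair("c", "a", 64)}); }
RegFile demoImmediate() { return runShuffle(abc(), {immPair(7, "a", 64), regPair("a", "b", 64)}); }
RegFile demoZDef()      { return runShuffle({{"a", 0xFFFFFFFF11111111ull}, {"b", 0}}, {regPair("a", "b", 32)}); }

int main() {
    // The 3-rotation lowers to two swaps: "swap b a" then "swap a c".
    for (const LoweredOp& op : emitShuffle({regPair("a", "b", 64), regPair("b", "c", 64), regPair("c", "a", 64)}))
        printf("%s %s %s\n", op.kind.c_str(), op.a.c_str(), op.b.c_str());
    return 0;
}
```

The interference point made in the entry follows from phase 1: because every move is emitted only once its destination is dead as a source, no extra temporaries are introduced, so a Shuffle that marshals C call arguments does not force the arguments and the argument registers to be live at the same time the way a naive move sequence would.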
1975
1976 2016-01-14  Keith Miller  <keith_miller@apple.com>
1977
1978         Unreviewed, mark passing es6 tests as no longer failing.
1979
1980         * tests/es6.yaml:
1981
1982 2016-01-14  Keith Miller  <keith_miller@apple.com>
1983
1984         [ES6] Support subclassing Function.
1985         https://bugs.webkit.org/show_bug.cgi?id=153081
1986
1987         Reviewed by Geoffrey Garen.
1988
1989         This patch enables subclassing the Function object. It also fixes an existing
1990         bug that prevented users from subclassing functions that have a function in
1991         the superclass's prototype property.
1992
1993         * bytecompiler/NodesCodegen.cpp:
1994         (JSC::ClassExprNode::emitBytecode):
1995         * runtime/FunctionConstructor.cpp:
1996         (JSC::constructWithFunctionConstructor):
1997         (JSC::constructFunction):
1998         (JSC::constructFunctionSkippingEvalEnabledCheck):
1999         * runtime/FunctionConstructor.h:
2000         * runtime/JSFunction.cpp:
2001         (JSC::JSFunction::create):
2002         * runtime/JSFunction.h:
2003         (JSC::JSFunction::createImpl):
2004         * runtime/JSFunctionInlines.h:
2005         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2006         (JSC::JSFunction::JSFunction): Deleted.
2007         * tests/stress/class-subclassing-function.js: Added.
2008
2009 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
2010
2011         [CMake] Do not use LLVM static libraries for FTL JIT
2012         https://bugs.webkit.org/show_bug.cgi?id=151559
2013
2014         Reviewed by Michael Catanzaro.
2015
2016         Allow ports to decide whether to prefer linking to llvm static or
2017         dynamic libraries. This patch only changes the behavior of the GTK
2018         port, other ports can change the default behavior by setting
2019         llvmForJSC_LIBRARIES in their platform specific cmake files.
2020
2021         * CMakeLists.txt: Move llvmForJSC library definition after the
2022         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
2023         files to set their own llvmForJSC_LIBRARIES. When not set, it
2024         defaults to LLVM_STATIC_LIBRARIES. The command to create
2025         WebKitLLVMLibraryToken.h no longer depends on the static
2026         libraries, since we are going to make the build fail anyway when
2027         not found in case of linking to the static libraries. If a platform
2028         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
2029         installed to the given destination.
2030         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
2031         llvmForJSC_INSTALL_DIR.
2032
2033 2016-01-13  Saam barati  <sbarati@apple.com>
2034
2035         NativeExecutable should have a name field
2036         https://bugs.webkit.org/show_bug.cgi?id=153083
2037
2038         Reviewed by Geoffrey Garen.
2039
2040         This is going to help the SamplingProfiler come up
2041         with names for NativeExecutable objects it encounters.
2042
2043         * jit/JITThunks.cpp:
2044         (JSC::JITThunks::finalize):
2045         (JSC::JITThunks::hostFunctionStub):
2046         * jit/JITThunks.h:
2047         * runtime/Executable.h:
2048         * runtime/JSBoundFunction.cpp:
2049         (JSC::JSBoundFunction::create):
2050         * runtime/JSFunction.cpp:
2051         (JSC::JSFunction::create):
2052         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
2053         * runtime/JSFunction.h:
2054         (JSC::JSFunction::createImpl):
2055         * runtime/JSNativeStdFunction.cpp:
2056         (JSC::JSNativeStdFunction::create):
2057         * runtime/VM.cpp:
2058         (JSC::thunkGeneratorForIntrinsic):
2059         (JSC::VM::getHostFunction):
2060         * runtime/VM.h:
2061         (JSC::VM::getCTIStub):
2062         (JSC::VM::exceptionOffset):
2063
2064 2016-01-13  Keith Miller  <keith_miller@apple.com>
2065
2066         [ES6] Support subclassing the String builtin object
2067         https://bugs.webkit.org/show_bug.cgi?id=153068
2068
2069         Reviewed by Michael Saboff.
2070
2071         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
2072         the wrong indexing type for builtins constructed without storage.
2073
2074         * runtime/PrototypeMap.cpp:
2075         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2076         * runtime/StringConstructor.cpp:
2077         (JSC::constructWithStringConstructor):
2078         * tests/stress/class-subclassing-string.js: Added.
2079         (test):
2080
2081 2016-01-13  Mark Lam  <mark.lam@apple.com>
2082
2083         The StringFromCharCode DFG intrinsic should support untyped operands.
2084         https://bugs.webkit.org/show_bug.cgi?id=153046
2085
2086         Reviewed by Geoffrey Garen.
2087
2088         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
2089         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
2090         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
2091         exits drops to 202.
2092
2093         * dfg/DFGClobberize.h:
2094         (JSC::DFG::clobberize):
2095         * dfg/DFGFixupPhase.cpp:
2096         (JSC::DFG::FixupPhase::fixupNode):
2097         * dfg/DFGOperations.cpp:
2098         * dfg/DFGOperations.h:
2099         * dfg/DFGSpeculativeJIT.cpp:
2100         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2101         * dfg/DFGSpeculativeJIT.h:
2102         (JSC::DFG::SpeculativeJIT::callOperation):
2103         * dfg/DFGValidate.cpp:
2104         (JSC::DFG::Validate::validate):
2105         * runtime/JSCJSValueInlines.h:
2106         (JSC::JSValue::toUInt32):
2107
2108 2016-01-13  Mark Lam  <mark.lam@apple.com>
2109
2110         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
2111         https://bugs.webkit.org/show_bug.cgi?id=153080
2112
2113         Reviewed by Geoffrey Garen.
2114
2115         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
2116         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
2117         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
2118         many other arith nodes in the DFG.  This patch renames these functions as
2119         Graph::binaryArithShouldSpeculateInt32/machineInt() and
2120         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
2121         in the DFG.
2122
2123         * dfg/DFGFixupPhase.cpp:
2124         (JSC::DFG::FixupPhase::fixupNode):
2125         * dfg/DFGGraph.h:
2126         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
2127         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
2128         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
2129         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
2130         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
2131         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
2132         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
2133         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
2134         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
2135         * dfg/DFGPredictionPropagationPhase.cpp:
2136         (JSC::DFG::PredictionPropagationPhase::propagate):
2137         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2138
2139 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2140
2141         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
2142         https://bugs.webkit.org/show_bug.cgi?id=153072
2143         <rdar://problem/24168312>
2144
2145         Reviewed by Timothy Hatcher.
2146
2147         * parser/Lexer.cpp:
2148         (JSC::Lexer<T>::parseCommentDirective):
2149         Just keep overwriting the member variable so we end up with
2150         the last directive value.
2151
2152 2016-01-13  Commit Queue  <commit-queue@webkit.org>
2153
2154         Unreviewed, rolling out r194969.
2155         https://bugs.webkit.org/show_bug.cgi?id=153075
2156
2157         This change broke the iOS build (Requested by ryanhaddad on
2158         #webkit).
2159
2160         Reverted changeset:
2161
2162         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
2163         Air"
2164         https://bugs.webkit.org/show_bug.cgi?id=153065
2165         http://trac.webkit.org/changeset/194969
2166
2167 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
2168
2169         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
2170         https://bugs.webkit.org/show_bug.cgi?id=153065
2171
2172         Reviewed by Mark Lam.
2173         Reviewed by Filip Pizlo.
2174
2175         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
2176         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
2177         Air already knows about it.
2178
2179         In this patch, the offsets are changed to something valid for ARM64
2180         prior to lowering. When an offset is invalid, it is just computed
2181         before the instruction and used as the base for addressing.
2182
2183         * JavaScriptCore.xcodeproj/project.pbxproj:
2184         * b3/B3Generate.cpp:
2185         (JSC::B3::generateToAir):
2186         * b3/B3LegalizeMemoryOffsets.cpp: Added.
2187         (JSC::B3::legalizeMemoryOffsets):
2188         * b3/B3LegalizeMemoryOffsets.h: Added.
2189         * b3/B3LowerToAir.cpp:
2190         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
2191         * b3/testb3.cpp:
2192         (JSC::B3::testLoadWithOffsetImpl):
2193         (JSC::B3::testLoadOffsetImm9Max):
2194         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
2195         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
2196         (JSC::B3::testLoadOffsetImm9Min):
2197         (JSC::B3::testLoadOffsetImm9MinMinusOne):
2198         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
2199         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
2200         (JSC::B3::run):
2201
2202 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
2203
2204         [FTL][Win64] Compile error.
2205         https://bugs.webkit.org/show_bug.cgi?id=153031
2206
2207         Reviewed by Brent Fulgham.
2208
2209         The header file dlfcn.h does not exist on Windows.
2210
2211         * ftl/FTLLowerDFGToLLVM.cpp:
2212
2213 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
2214
2215         Add a build flag for custom element
2216         https://bugs.webkit.org/show_bug.cgi?id=153005
2217
2218         Reviewed by Alex Christensen.
2219
2220         * Configurations/FeatureDefines.xcconfig:
2221
2222 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2223
2224         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
2225         https://bugs.webkit.org/show_bug.cgi?id=153024
2226
2227         Reviewed by Michael Saboff.
2228
2229         * b3/B3BasicBlock.h:
2230         Export the symbols for testb3.
2231
2232         * b3/air/AirOpcode.opcodes:
2233         We had 2 invalid opcodes:
2234         -Compare with immediate just does not exist.
2235         -Test64 with immediate exists but Air does not recognize
2236          the valid form of bit-immediates.
2237
2238         * b3/testb3.cpp:
2239         (JSC::B3::genericTestCompare):
2240         (JSC::B3::testCompareImpl):
2241         Extend the tests to cover what was invalid.
2242
2243 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2244
2245         [JSC] JSC does not build with FTL_USES_B3 on ARM64
2246         https://bugs.webkit.org/show_bug.cgi?id=153011
2247
2248         Reviewed by Saam Barati.
2249
2250         Apparently the static const member can only be used for constexpr.
2251         C++ is weird.
2252
2253         * jit/GPRInfo.cpp:
2254         * jit/GPRInfo.h:
2255
2256 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
2257
2258         Web Inspector: console.count() shouldn't show a colon in front of a number
2259         https://bugs.webkit.org/show_bug.cgi?id=152038
2260
2261         Reviewed by Brian Burg.
2262
2263         * inspector/agents/InspectorConsoleAgent.cpp:
2264         (Inspector::InspectorConsoleAgent::count):
2265         Do not include title and colon if the title is empty.
2266
2267 2016-01-11  Dan Bernstein  <mitz@apple.com>
2268
2269         Reverted r194317.
2270
2271         Reviewed by Joseph Pecoraro.
2272
2273         r194317 did not contain a change log entry, did not explain the motivation, did not name a
2274         reviewer, and does not seem necessary.
2275
2276         * JavaScriptCore.xcodeproj/project.pbxproj:
2277
2278 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
2279
2280         keywords ("super", "delete", etc) should be valid method names
2281         https://bugs.webkit.org/show_bug.cgi?id=144281
2282
2283         Reviewed by Ryosuke Niwa.
2284
2285         * parser/Parser.cpp:
2286         (JSC::Parser<LexerType>::parseClass):
2287         - When parsing "static(" treat it as a method named "static" and not a static method.
2288         - When parsing a keyword treat it like a string method name (get and set are not keywords)
2289         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword
2290
2291         (JSC::Parser<LexerType>::parseGetterSetter):
2292         - When parsing the getter / setter's name, allow it to be a keyword.
2293
2294 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2295
2296         [JSC] Add Div/Mod and fix Mul for B3 ARM64
2297         https://bugs.webkit.org/show_bug.cgi?id=152978
2298
2299         Reviewed by Filip Pizlo.
2300
2301         Add the 3-operand forms of Mul.
2302         Remove the form taking an immediate on ARM64; there is no such instruction.
2303
2304         Add Div with sdiv.
2305
2306         Unfortunately, I discovered ChillMod's division by zero
2307         makes it non-trivial on ARM64. I just made it into a macro like on x86.
2308
2309         * assembler/MacroAssemblerARM64.h:
2310         (JSC::MacroAssemblerARM64::mul32):
2311         (JSC::MacroAssemblerARM64::mul64):
2312         (JSC::MacroAssemblerARM64::div32):
2313         (JSC::MacroAssemblerARM64::div64):
2314         * b3/B3LowerMacros.cpp:
2315         * b3/B3LowerToAir.cpp:
2316         (JSC::B3::Air::LowerToAir::lower):
2317         * b3/air/AirOpcode.opcodes:
2318
2319 2016-01-11  Keith Miller  <keith_miller@apple.com>
2320
2321         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
2322         https://bugs.webkit.org/show_bug.cgi?id=152949
2323
2324         Reviewed by Michael Saboff.
2325
2326         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
2327
2328         * runtime/ArrayConstructor.cpp:
2329         (JSC::constructArrayWithSizeQuirk):
2330         (JSC::constructWithArrayConstructor):
2331         * runtime/InternalFunction.h:
2332         (JSC::InternalFunction::createStructure):
2333         * runtime/JSGlobalObject.h:
2334         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2335         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2336         (JSC::constructEmptyArray):
2337         (JSC::constructArray):
2338         (JSC::constructArrayNegativeIndexed):
2339         * runtime/PrototypeMap.cpp:
2340         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2341         * runtime/Structure.h:
2342         * runtime/StructureInlines.h:
2343
2344 2016-01-08  Keith Miller  <keith_miller@apple.com>
2345
2346         Use a profile to store allocation structures for subclasses of InternalFunctions
2347         https://bugs.webkit.org/show_bug.cgi?id=152942
2348
2349         Reviewed by Michael Saboff.
2350
2351         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
2352         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
2353         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
2354         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
2355         constructor as a new.target to any other constructor. This means that a user can pass some
2356         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
2357         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
2358         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
2359         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
2360         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
2361         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
2362
2363         Additionally, this patch adds subclassing to some omitted classes.
2364
2365         * API/JSObjectRef.cpp:
2366         (JSObjectMakeDate):
2367         (JSObjectMakeRegExp):
2368         * JavaScriptCore.xcodeproj/project.pbxproj:
2369         * bytecode/InternalFunctionAllocationProfile.h: Added.
2370         (JSC::InternalFunctionAllocationProfile::structure):
2371         (JSC::InternalFunctionAllocationProfile::clear):
2372         (JSC::InternalFunctionAllocationProfile::visitAggregate):
2373         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
2374         * dfg/DFGByteCodeParser.cpp:
2375         (JSC::DFG::ByteCodeParser::parseBlock):
2376         * dfg/DFGOperations.cpp:
2377         * dfg/DFGSpeculativeJIT32_64.cpp:
2378         (JSC::DFG::SpeculativeJIT::compile):
2379         * dfg/DFGSpeculativeJIT64.cpp:
2380         (JSC::DFG::SpeculativeJIT::compile):
2381         * jit/JITOpcodes.cpp:
2382         (JSC::JIT::emit_op_create_this):
2383         * jit/JITOpcodes32_64.cpp:
2384         (JSC::JIT::emit_op_create_this):
2385         * llint/LowLevelInterpreter32_64.asm:
2386         * llint/LowLevelInterpreter64.asm:
2387         * runtime/BooleanConstructor.cpp:
2388         (JSC::constructWithBooleanConstructor):
2389         * runtime/CommonSlowPaths.cpp:
2390         (JSC::SLOW_PATH_DECL):
2391         * runtime/DateConstructor.cpp:
2392         (JSC::constructDate):
2393         (JSC::constructWithDateConstructor):
2394         * runtime/DateConstructor.h:
2395         * runtime/ErrorConstructor.cpp:
2396         (JSC::Interpreter::constructWithErrorConstructor):
2397         * runtime/FunctionRareData.cpp:
2398         (JSC::FunctionRareData::create):
2399         (JSC::FunctionRareData::visitChildren):
2400         (JSC::FunctionRareData::FunctionRareData):
2401         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2402         (JSC::FunctionRareData::clear):
2403         (JSC::FunctionRareData::finishCreation): Deleted.
2404         (JSC::FunctionRareData::initialize): Deleted.
2405         * runtime/FunctionRareData.h:
2406         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
2407         (JSC::FunctionRareData::objectAllocationProfile):
2408         (JSC::FunctionRareData::objectAllocationStructure):
2409         (JSC::FunctionRareData::allocationProfileWatchpointSet):
2410         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
2411         (JSC::FunctionRareData::internalFunctionAllocationStructure):
2412         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
2413         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
2414         (JSC::FunctionRareData::allocationProfile): Deleted.
2415         (JSC::FunctionRareData::allocationStructure): Deleted.
2416         (JSC::FunctionRareData::isInitialized): Deleted.
2417         * runtime/InternalFunction.cpp:
2418         (JSC::InternalFunction::createSubclassStructure):
2419         * runtime/InternalFunction.h:
2420         * runtime/JSArrayBufferConstructor.cpp:
2421         (JSC::constructArrayBuffer):
2422         * runtime/JSFunction.cpp:
2423         (JSC::JSFunction::allocateRareData):
2424         (JSC::JSFunction::allocateAndInitializeRareData):
2425         (JSC::JSFunction::initializeRareData):
2426         * runtime/JSFunction.h:
2427         (JSC::JSFunction::rareData):
2428         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2429         (JSC::constructGenericTypedArrayView):
2430         * runtime/JSObject.h:
2431         (JSC::JSFinalObject::typeInfo):
2432         (JSC::JSFinalObject::createStructure):
2433         * runtime/JSPromiseConstructor.cpp:
2434         (JSC::constructPromise):
2435         * runtime/JSPromiseConstructor.h:
2436         * runtime/JSWeakMap.cpp:
2437         * runtime/JSWeakSet.cpp:
2438         * runtime/MapConstructor.cpp:
2439         (JSC::constructMap):
2440         * runtime/NativeErrorConstructor.cpp:
2441         (JSC::Interpreter::constructWithNativeErrorConstructor):
2442         * runtime/NumberConstructor.cpp:
2443         (JSC::constructWithNumberConstructor):
2444         * runtime/PrototypeMap.cpp:
2445         (JSC::PrototypeMap::createEmptyStructure):
2446         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2447         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2448         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
2449         * runtime/PrototypeMap.h:
2450         * runtime/RegExpConstructor.cpp:
2451         (JSC::getRegExpStructure):
2452         (JSC::constructRegExp):
2453         (JSC::constructWithRegExpConstructor):
2454         * runtime/RegExpConstructor.h:
2455         * runtime/SetConstructor.cpp:
2456         (JSC::constructSet):
2457         * runtime/WeakMapConstructor.cpp:
2458         (JSC::constructWeakMap):
2459         * runtime/WeakSetConstructor.cpp:
2460         (JSC::constructWeakSet):
2461         * tests/stress/class-subclassing-misc.js:
2462         (A):
2463         (D):
2464         (E):
2465         (WM):
2466         (WS):
2467         (test):
2468         * tests/stress/class-subclassing-typedarray.js: Added.
2469         (test):
2470
2471 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
2472
2473         [B3][Win64] Compile error.
2474         https://bugs.webkit.org/show_bug.cgi?id=152984
2475
2476         Reviewed by Alex Christensen.
2477
2478         Windows does not have bzero; use memset instead.
2479
2480         * b3/air/AirIteratedRegisterCoalescing.cpp:
2481
2482 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
2483
2484         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
2485         https://bugs.webkit.org/show_bug.cgi?id=152923
2486
2487         Reviewed by Alex Christensen.
2488
2489         * jit/CallFrameShuffler.h:
2490         (JSC::CallFrameShuffler::assumeCalleeIsCell):
2491
2492 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
2493
2494         [B3] Fix control reaches end of non-void function GCC warnings on Linux
2495         https://bugs.webkit.org/show_bug.cgi?id=152887
2496
2497         Reviewed by Mark Lam.
2498
2499         * b3/B3LowerToAir.cpp:
2500         (JSC::B3::Air::LowerToAir::createBranch):
2501         (JSC::B3::Air::LowerToAir::createCompare):
2502         (JSC::B3::Air::LowerToAir::createSelect):
2503         * b3/B3Type.h:
2504         (JSC::B3::sizeofType):
2505         * b3/air/AirArg.cpp:
2506         (JSC::B3::Air::Arg::isRepresentableAs):
2507         * b3/air/AirArg.h:
2508         (JSC::B3::Air::Arg::isAnyUse):
2509         (JSC::B3::Air::Arg::isColdUse):
2510         (JSC::B3::Air::Arg::isEarlyUse):
2511         (JSC::B3::Air::Arg::isLateUse):
2512         (JSC::B3::Air::Arg::isAnyDef):
2513         (JSC::B3::Air::Arg::isEarlyDef):
2514         (JSC::B3::Air::Arg::isLateDef):
2515         (JSC::B3::Air::Arg::isZDef):
2516         (JSC::B3::Air::Arg::widthForB3Type):
2517         (JSC::B3::Air::Arg::isGP):
2518         (JSC::B3::Air::Arg::isFP):
2519         (JSC::B3::Air::Arg::isType):
2520         (JSC::B3::Air::Arg::isValidForm):
2521         * b3/air/AirCode.h:
2522         (JSC::B3::Air::Code::newTmp):
2523         (JSC::B3::Air::Code::numTmps):
2524
2525 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2526
2527         Make it easier to introduce exotic instructions to Air
2528         https://bugs.webkit.org/show_bug.cgi?id=152953
2529
2530         Reviewed by Benjamin Poulain.
2531
2532         Currently, you can define new "opcodes" in Air using either:
2533
2534         1) New opcode declared in AirOpcode.opcodes.
2535         2) Patch opcode with a new implementation of Air::Special.
2536
2537         With (1), you are limited to fixed-argument-length instructions. There are other
2538         restrictions as well, like that you can only use the roles that the AirOpcode syntax
2539         supports.
2540
2541         With (2), you can do anything you like, but the instruction will be harder to match
2542         since it will share the same opcode as any other Patch. Also, the instruction will have
2543         the Special argument, which means more busy-work when creating the instruction and
2544         validating it.
2545
2546         This introduces an in-between facility called "custom". This replaces what AirOpcode
2547         previously called "special". A custom instruction is one whose behavior is defined by a
2548         FooCustom struct with some static methods. Calls to those methods are emitted by
2549         opcode_generator.rb.
2550
2551         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
2552         that we now treat the Patch instruction specially in a few places. Those places were
2553         already effectively treating it specially by assuming that only Patch instructions have
2554         a Special as their first argument.
2555
2556         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
2557         for performance work.
2558
2559         * JavaScriptCore.xcodeproj/project.pbxproj:
2560         * b3/air/AirCustom.h: Added.
2561         (JSC::B3::Air::PatchCustom::forEachArg):
2562         (JSC::B3::Air::PatchCustom::isValidFormStatic):
2563         (JSC::B3::Air::PatchCustom::isValidForm):
2564         (JSC::B3::Air::PatchCustom::admitsStack):
2565         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2566         (JSC::B3::Air::PatchCustom::generate):
2567         * b3/air/AirHandleCalleeSaves.cpp:
2568         (JSC::B3::Air::handleCalleeSaves):
2569         * b3/air/AirInst.h:
2570         * b3/air/AirInstInlines.h:
2571         (JSC::B3::Air::Inst::forEach):
2572         (JSC::B3::Air::Inst::extraClobberedRegs):
2573         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2574         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2575         (JSC::B3::Air::Inst::reportUsedRegisters):
2576         (JSC::B3::Air::Inst::hasSpecial): Deleted.
2577         * b3/air/AirOpcode.opcodes:
2578         * b3/air/AirReportUsedRegisters.cpp:
2579         (JSC::B3::Air::reportUsedRegisters):
2580         * b3/air/opcode_generator.rb:
2581
2582 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2583
2584         Turn Check(true) into Patchpoint() followed by Oops
2585         https://bugs.webkit.org/show_bug.cgi?id=152968
2586
2587         Reviewed by Benjamin Poulain.
2588
2589         This is an obvious strength reduction to have, especially since if we discover that the
2590         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
2591         of the basic block unlocks CFG simplification opportunities.
2592
2593         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
2594         implement sinking (bug 152162).
2595
2596         * b3/B3ControlValue.cpp:
2597         (JSC::B3::ControlValue::convertToJump):
2598         (JSC::B3::ControlValue::convertToOops):
2599         (JSC::B3::ControlValue::dumpMeta):
2600         * b3/B3ControlValue.h:
2601         * b3/B3InsertionSet.h:
2602         (JSC::B3::InsertionSet::insertValue):
2603         * b3/B3InsertionSetInlines.h:
2604         (JSC::B3::InsertionSet::insert):
2605         * b3/B3ReduceStrength.cpp:
2606         * b3/B3StackmapValue.h:
2607         * b3/B3Value.h:
2608         * tests/stress/ftl-force-osr-exit.js: Added.
2609
2610 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2611
2612         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
2613         https://bugs.webkit.org/show_bug.cgi?id=152840
2614
2615         Reviewed by Mark Lam.
2616
2617         ARM64 has two kinds of addressing with immediates:
2618         -Signed 9-bit direct (really only -256 to 255).
2619         -Unsigned 12-bit scaled by the load/store size.
2620
2621         When resolving the stack addresses, we easily run
2622         past -256 bytes from FP. Addressing from SP gives us more
2623         room to address the stack efficiently because we can
2624         use unsigned immediates.
2625
2626         * b3/B3StackmapSpecial.cpp:
2627         (JSC::B3::StackmapSpecial::repForArg):
2628         * b3/air/AirAllocateStack.cpp:
2629         (JSC::B3::Air::allocateStack):
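An added example (not JavaScriptCore's own code) modelling the constraint both of Benjamin Poulain's ARM64 entries above rely on: it classifies an immediate offset as signed 9-bit, unsigned scaled 12-bit or unencodable, folds an unencodable offset into the base the way the B3LegalizeMemoryOffsets entry describes, and picks FP or SP as the base for a stack slot as the stack-allocation entry describes. All type and function names are hypothetical, and the frame layout used by pickStackBase (SP sitting frameSize bytes below FP) is a simplifying assumption.

```cpp
#include <cstdint>
#include <vector>

// How an ARM64 load/store can encode its immediate offset.
enum class OffsetForm { Imm9Signed, Imm12Scaled, NotEncodable };

// Signed 9-bit unscaled immediate: -256..255, any access width.
constexpr int64_t kImm9Min = -256;
constexpr int64_t kImm9Max = 255;
// Unsigned 12-bit immediate scaled by the access width (1, 2, 4 or 8 bytes):
// 0..4095*width, and the offset must be a multiple of the width.
constexpr int64_t kImm12Max = 4095;

OffsetForm classifyOffset(int64_t offset, int width)
{
    if (offset >= kImm9Min && offset <= kImm9Max)
        return OffsetForm::Imm9Signed;
    if (offset >= 0 && offset % width == 0 && offset / width <= kImm12Max)
        return OffsetForm::Imm12Scaled;
    return OffsetForm::NotEncodable;
}

bool isEncodable(int64_t offset, int width)
{
    return classifyOffset(offset, width) != OffsetForm::NotEncodable;
}

// What legalization emits for one access: optionally an address computation
// that folds the offset into a fresh base, then the access itself with an
// offset that is guaranteed encodable.
struct LegalizedAccess {
    bool needsAddressComputation;
    int64_t baseAdjust; // added to the original base before the access
    int64_t residual;   // immediate used by the access itself
};

LegalizedAccess legalizeMemoryOffset(int64_t offset, int width)
{
    if (isEncodable(offset, width))
        return { false, 0, offset };
    // Invalid offset: compute base+offset before the instruction and address
    // from that result with offset 0, which is always encodable.
    return { true, offset, 0 };
}

// Toy memory model (constructed for this example): a little-endian load of
// `width` bytes from buf[base+offset]. It rejects offsets the hardware could
// not encode, so a missed legalization fails instead of silently working.
bool simulatedLoad(const std::vector<uint8_t>& buf, int64_t base, int64_t offset,
    int width, uint64_t& out)
{
    if (!isEncodable(offset, width))
        return false;
    int64_t addr = base + offset;
    if (addr < 0 || addr + width > static_cast<int64_t>(buf.size()))
        return false;
    out = 0;
    for (int i = 0; i < width; i++)
        out |= static_cast<uint64_t>(buf[addr + i]) << (8 * i);
    return true;
}

// Load through the legalization step: any offset is accepted because an
// unencodable one is folded into the base first.
bool legalizedLoad(const std::vector<uint8_t>& buf, int64_t base, int64_t offset,
    int width, uint64_t& out)
{
    LegalizedAccess access = legalizeMemoryOffset(offset, width);
    int64_t effectiveBase = base + (access.needsAddressComputation ? access.baseAdjust : 0);
    return simulatedLoad(buf, effectiveBase, access.residual, width, out);
}

// For a stack slot at fpOffset (negative, below the frame pointer), decide
// whether to address it from FP or from SP. Assumes a simplified frame where
// SP sits frameSize bytes below FP, so the same slot is at fpOffset+frameSize
// from SP. Returns 'F', 'S', or 0 if neither base gives an encodable form.
char pickStackBase(int64_t fpOffset, int64_t frameSize, int width)
{
    if (isEncodable(fpOffset, width))
        return 'F';
    if (isEncodable(fpOffset + frameSize, width))
        return 'S';
    return 0;
}
```

The boundary values mirror the testLoadOffsetImm9* and testLoadOffsetScaledUnsignedImm12* cases listed in the legalization entry: 255 and -256 are the last signed 9-bit offsets, 256 is still reachable as a scaled 12-bit offset for a 4-byte access, while 257 and -257 are not.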
2630
2631 2016-01-10  Saam barati  <sbarati@apple.com>
2632
2633         Implement a sampling profiler
2634         https://bugs.webkit.org/show_bug.cgi?id=151713
2635
2636         Reviewed by Filip Pizlo.
2637
2638         This patch implements a sampling profiler for JavaScriptCore
2639         that will be used in the Inspector UI. The implementation works as follows:
2640         We queue the sampling profiler to run a task on a background
2641         thread every 1ms. When the queued task executes, the sampling profiler
2642         will pause the JSC execution thread and attempt to take a stack trace. 
2643         The sampling profiler does everything it can to be very careful
2644         while taking this stack trace. Because it's reading arbitrary memory,
2645         the sampling profiler must validate every pointer it reads from.
2646
2647         The sampling profiler tries to get an ExecutableBase for every call frame
2648         it reads. It first tries to read the CodeBlock slot. It does this because
2649         it can be 100% certain that a pointer is a CodeBlock while it's taking a
2650         stack trace. But, not every call frame will have a CodeBlock. So we must read
2651         the call frame's callee. For these stack traces where we read the callee, we
2652         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
2653         on the main JSC execution thread, and not on the thread taking the stack
2654         trace. We do this verification either before we run the marking phase in
2655         GC, or when somebody asks the SamplingProfiler to materialize its data.
2656
2657         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
2658         thread is paused (this means it can't do anything that mallocs) because
2659         that could cause a deadlock. Therefore, the sampling profiler grabs
2660         locks for all data structures it consults before it pauses the JSC
2661         execution thread.
2662
2663         * CMakeLists.txt:
2664         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2665         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2666         * JavaScriptCore.xcodeproj/project.pbxproj:
2667         * bytecode/CodeBlock.h:
2668         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2669         (JSC::CodeBlockSet::mark):
2670         * dfg/DFGNodeType.h:
2671         * heap/CodeBlockSet.cpp:
2672         (JSC::CodeBlockSet::add):
2673         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2674         (JSC::CodeBlockSet::clearMarksForFullCollection):
2675         (JSC::CodeBlockSet::lastChanceToFinalize):
2676         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2677         (JSC::CodeBlockSet::contains):
2678         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2679         (JSC::CodeBlockSet::remove): Deleted.
2680         * heap/CodeBlockSet.h:
2681         (JSC::CodeBlockSet::getLock):
2682         (JSC::CodeBlockSet::iterate):
2683         The sampling profiler uses the heap's CodeBlockSet to validate
2684         CodeBlock pointers. This data structure must now be under a lock
2685         because we must be certain we're not pausing the JSC execution thread
2686         while it's manipulating this data structure.
2687
2688         * heap/ConservativeRoots.cpp:
2689         (JSC::ConservativeRoots::ConservativeRoots):
2690         (JSC::ConservativeRoots::grow):
2691         (JSC::ConservativeRoots::genericAddPointer):
2692         (JSC::ConservativeRoots::genericAddSpan):
2693         (JSC::ConservativeRoots::add):
2694         (JSC::CompositeMarkHook::CompositeMarkHook):
2695         (JSC::CompositeMarkHook::mark):
2696         * heap/ConservativeRoots.h:
2697         * heap/Heap.cpp:
2698         (JSC::Heap::markRoots):
2699         (JSC::Heap::visitHandleStack):
2700         (JSC::Heap::visitSamplingProfiler):
2701         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2702         (JSC::Heap::snapshotMarkedSpace):
2703         * heap/Heap.h:
2704         (JSC::Heap::structureIDTable):
2705         (JSC::Heap::codeBlockSet):
2706         * heap/MachineStackMarker.cpp:
2707         (pthreadSignalHandlerSuspendResume):
2708         (JSC::getCurrentPlatformThread):
2709         (JSC::MachineThreads::MachineThreads):
2710         (JSC::MachineThreads::~MachineThreads):
2711         (JSC::MachineThreads::Thread::createForCurrentThread):
2712         (JSC::MachineThreads::Thread::operator==):
2713         (JSC::isThreadInList):
2714         (JSC::MachineThreads::addCurrentThread):
2715         (JSC::MachineThreads::machineThreadForCurrentThread):
2716         (JSC::MachineThreads::removeThread):
2717         (JSC::MachineThreads::gatherFromCurrentThread):
2718         (JSC::MachineThreads::Thread::Thread):
2719         (JSC::MachineThreads::Thread::~Thread):
2720         (JSC::MachineThreads::Thread::suspend):
2721         (JSC::MachineThreads::Thread::resume):
2722         (JSC::MachineThreads::Thread::getRegisters):
2723         (JSC::MachineThreads::Thread::Registers::stackPointer):
2724         (JSC::MachineThreads::Thread::Registers::framePointer):
2725         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2726         (JSC::MachineThreads::Thread::freeRegisters):
2727         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2728         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2729         (JSC::MachineThreads::Thread::operator!=): Deleted.
2730         * heap/MachineStackMarker.h:
2731         (JSC::MachineThreads::Thread::operator!=):
2732         (JSC::MachineThreads::getLock):
2733         (JSC::MachineThreads::threadsListHead):
2734         We can now ask a MachineThreads::Thread for its frame pointer
2735         and program counter on Darwin and Windows platforms. EFL
2736         and GTK implementations will happen in another patch.
2737
2738         * heap/MarkedBlockSet.h:
2739         (JSC::MarkedBlockSet::getLock):
2740         (JSC::MarkedBlockSet::add):
2741         (JSC::MarkedBlockSet::remove):
2742         (JSC::MarkedBlockSet::recomputeFilter):
2743         (JSC::MarkedBlockSet::filter):
2744         (JSC::MarkedBlockSet::set):
2745         * heap/MarkedSpace.cpp:
2746         (JSC::Free::Free):
2747         (JSC::Free::operator()):
2748         (JSC::FreeOrShrink::FreeOrShrink):
2749         (JSC::FreeOrShrink::operator()):
2750         (JSC::MarkedSpace::~MarkedSpace):
2751         (JSC::MarkedSpace::isPagedOut):
2752         (JSC::MarkedSpace::freeBlock):
2753         (JSC::MarkedSpace::freeOrShrinkBlock):
2754         (JSC::MarkedSpace::shrink):
2755         * heap/MarkedSpace.h:
2756         (JSC::MarkedSpace::forEachLiveCell):
2757         (JSC::MarkedSpace::forEachDeadCell):
2758         * interpreter/CallFrame.h:
2759         (JSC::ExecState::calleeAsValue):
2760         (JSC::ExecState::callee):
2761         (JSC::ExecState::unsafeCallee):
2762         (JSC::ExecState::codeBlock):
2763         (JSC::ExecState::scope):
2764         * jit/ExecutableAllocator.cpp:
2765         (JSC::ExecutableAllocator::dumpProfile):
2766         (JSC::ExecutableAllocator::getLock):
2767         (JSC::ExecutableAllocator::isValidExecutableMemory):
2768         * jit/ExecutableAllocator.h:
2769         * jit/ExecutableAllocatorFixedVMPool.cpp:
2770         (JSC::ExecutableAllocator::allocate):
2771         (JSC::ExecutableAllocator::isValidExecutableMemory):
2772         (JSC::ExecutableAllocator::getLock):
2773         (JSC::ExecutableAllocator::committedByteCount):
2774         The sampling profiler consults the ExecutableAllocator to check
2775         if the frame pointer it reads is in executable allocated memory.
2776
2777         * jsc.cpp:
2778         (GlobalObject::finishCreation):
2779         (functionCheckModuleSyntax):
2780         (functionStartSamplingProfiler):
2781         (functionSamplingProfilerStackTraces):
2782         * llint/LLIntPCRanges.h: Added.
2783         (JSC::LLInt::isLLIntPC):
2784         * offlineasm/asm.rb:
2785         I added the ability to test whether the PC is executing
2786         LLInt code because this code is not part of the memory
2787         our executable allocator allocates.
2788
2789         * runtime/Executable.h:
2790         (JSC::ExecutableBase::isModuleProgramExecutable):
2791         (JSC::ExecutableBase::isExecutableType):
2792         (JSC::ExecutableBase::isHostFunction):
2793         * runtime/JSLock.cpp:
2794         (JSC::JSLock::didAcquireLock):
2795         (JSC::JSLock::unlock):
2796         * runtime/Options.h:
2797         * runtime/SamplingProfiler.cpp: Added.
2798         (JSC::reportStats):
2799         (JSC::FrameWalker::FrameWalker):
2800         (JSC::FrameWalker::walk):
2801         (JSC::FrameWalker::wasValidWalk):
2802         (JSC::FrameWalker::advanceToParentFrame):
2803         (JSC::FrameWalker::isAtTop):
2804         (JSC::FrameWalker::resetAtMachineFrame):
2805         (JSC::FrameWalker::isValidFramePointer):
2806         (JSC::FrameWalker::isValidCodeBlock):
2807         (JSC::FrameWalker::tryToGetExecutableFromCallee):
2808         The FrameWalker class is used to walk the stack in a safe
2809         manner. It doesn't do anything that would deadlock, and it
2810         validates all pointers that it sees.
2811
2812         (JSC::SamplingProfiler::SamplingProfiler):
2813         (JSC::SamplingProfiler::~SamplingProfiler):
2814         (JSC::SamplingProfiler::visit):
2815         (JSC::SamplingProfiler::shutdown):
2816         (JSC::SamplingProfiler::start):
2817         (JSC::SamplingProfiler::stop):
2818         (JSC::SamplingProfiler::pause):
2819         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2820         (JSC::SamplingProfiler::dispatchIfNecessary):
2821         (JSC::SamplingProfiler::dispatchFunction):
2822         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2823         (JSC::SamplingProfiler::noticeVMEntry):
2824         (JSC::SamplingProfiler::observeStackTrace):
2825         (JSC::SamplingProfiler::clearData):
2826         (JSC::displayName):
2827         (JSC::startLine):
2828         (JSC::startColumn):
2829         (JSC::sourceID):
2830         (JSC::url):
2831         (JSC::SamplingProfiler::stacktracesAsJSON):
2832         * runtime/SamplingProfiler.h: Added.
2833         (JSC::SamplingProfiler::getLock):
2834         (JSC::SamplingProfiler::setTimingInterval):
2835         (JSC::SamplingProfiler::stackTraces):
2836         * runtime/VM.cpp:
2837         (JSC::VM::VM):
2838         (JSC::VM::~VM):
2839         (JSC::VM::setLastStackTop):
2840         (JSC::VM::createContextGroup):
2841         (JSC::VM::ensureWatchdog):
2842         (JSC::VM::ensureSamplingProfiler):
2843         (JSC::thunkGeneratorForIntrinsic):
2844         * runtime/VM.h:
2845         (JSC::VM::watchdog):
2846         (JSC::VM::isSafeToRecurse):
2847         (JSC::VM::lastStackTop):
2848         (JSC::VM::scratchBufferForSize):
2849         (JSC::VM::samplingProfiler):
2850         (JSC::VM::setShouldRewriteConstAsVar):
2851         (JSC::VM::setLastStackTop): Deleted.
2852         * runtime/VMEntryScope.cpp:
2853         (JSC::VMEntryScope::VMEntryScope):
2854         * tests/stress/sampling-profiler: Added.
2855         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2856         (foo):
2857         (baz):
2858         * tests/stress/sampling-profiler-basic.js: Added.
2859         (bar):
2860         (foo):
2861         (nothing):
2862         (top):
2863         (jaz):
2864         (kaz):
2865         (checkInlining):
2866         * tests/stress/sampling-profiler-deep-stack.js: Added.
2867         (foo):
2868         (hellaDeep):
2869         (start):
2870         * tests/stress/sampling-profiler-microtasks.js: Added.
2871         (testResults):
2872         (loop.jaz):
2873         (loop):
2874         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2875         (assert):
2876         (let.nodePrototype.makeChildIfNeeded):
2877         (makeNode):
2878         (updateCallingContextTree):
2879         (doesTreeHaveStackTrace):
2880         (makeTree):
2881         (runTest):
2882         (dumpTree):
2883         * tools/JSDollarVMPrototype.cpp:
2884         (JSC::JSDollarVMPrototype::isInObjectSpace):
2885         (JSC::JSDollarVMPrototype::isInStorageSpace):
2886         * yarr/YarrJIT.cpp:
2887         (JSC::Yarr::YarrGenerator::generateEnter):
2888         (JSC::Yarr::YarrGenerator::generateReturn):
2889         (JSC::Yarr::YarrGenerator::YarrGenerator):
2890         (JSC::Yarr::YarrGenerator::compile):
2891         (JSC::Yarr::jitCompile):
2892         We now have a boolean that's set to true when
2893         we're executing a RegExp, and to false otherwise.
2894         The boolean lives off of VM.
2895
2896         * CMakeLists.txt:
2897         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2898         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2899         * JavaScriptCore.xcodeproj/project.pbxproj:
2900         * bytecode/CodeBlock.h:
2901         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2902         (JSC::CodeBlockSet::mark):
2903         * dfg/DFGNodeType.h:
2904         * heap/CodeBlockSet.cpp:
2905         (JSC::CodeBlockSet::add):
2906         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2907         (JSC::CodeBlockSet::clearMarksForFullCollection):
2908         (JSC::CodeBlockSet::lastChanceToFinalize):
2909         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2910         (JSC::CodeBlockSet::contains):
2911         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2912         (JSC::CodeBlockSet::remove): Deleted.
2913         * heap/CodeBlockSet.h:
2914         (JSC::CodeBlockSet::getLock):
2915         (JSC::CodeBlockSet::iterate):
2916         * heap/ConservativeRoots.cpp:
2917         (JSC::ConservativeRoots::ConservativeRoots):
2918         (JSC::ConservativeRoots::genericAddPointer):
2919         (JSC::ConservativeRoots::add):
2920         (JSC::CompositeMarkHook::CompositeMarkHook):
2921         (JSC::CompositeMarkHook::mark):
2922         * heap/ConservativeRoots.h:
2923         * heap/Heap.cpp:
2924         (JSC::Heap::markRoots):
2925         (JSC::Heap::visitHandleStack):
2926         (JSC::Heap::visitSamplingProfiler):
2927         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2928         * heap/Heap.h:
2929         (JSC::Heap::structureIDTable):
2930         (JSC::Heap::codeBlockSet):
2931         * heap/HeapInlines.h:
2932         (JSC::Heap::didFreeBlock):
2933         (JSC::Heap::isPointerGCObject):
2934         (JSC::Heap::isValueGCObject):
2935         * heap/MachineStackMarker.cpp:
2936         (pthreadSignalHandlerSuspendResume):
2937         (JSC::getCurrentPlatformThread):
2938         (JSC::MachineThreads::MachineThreads):
2939         (JSC::MachineThreads::~MachineThreads):
2940         (JSC::MachineThreads::Thread::createForCurrentThread):
2941         (JSC::MachineThreads::Thread::operator==):
2942         (JSC::isThreadInList):
2943         (JSC::MachineThreads::addCurrentThread):
2944         (JSC::MachineThreads::machineThreadForCurrentThread):
2945         (JSC::MachineThreads::removeThread):
2946         (JSC::MachineThreads::gatherFromCurrentThread):
2947         (JSC::MachineThreads::Thread::Thread):
2948         (JSC::MachineThreads::Thread::~Thread):
2949         (JSC::MachineThreads::Thread::suspend):
2950         (JSC::MachineThreads::Thread::resume):
2951         (JSC::MachineThreads::Thread::getRegisters):
2952         (JSC::MachineThreads::Thread::Registers::stackPointer):
2953         (JSC::MachineThreads::Thread::Registers::framePointer):
2954         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2955         (JSC::MachineThreads::Thread::freeRegisters):
2956         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2957         (JSC::MachineThreads::Thread::operator!=): Deleted.
2958         * heap/MachineStackMarker.h:
2959         (JSC::MachineThreads::Thread::operator!=):
2960         (JSC::MachineThreads::getLock):
2961         (JSC::MachineThreads::threadsListHead):
2962         * heap/MarkedBlockSet.h:
2963         * heap/MarkedSpace.cpp:
2964         (JSC::Free::Free):
2965         (JSC::Free::operator()):
2966         (JSC::FreeOrShrink::FreeOrShrink):
2967         (JSC::FreeOrShrink::operator()):
2968         * interpreter/CallFrame.h:
2969         (JSC::ExecState::calleeAsValue):
2970         (JSC::ExecState::callee):
2971         (JSC::ExecState::unsafeCallee):
2972         (JSC::ExecState::codeBlock):
2973         (JSC::ExecState::scope):
2974         * jit/ExecutableAllocator.cpp:
2975         (JSC::ExecutableAllocator::dumpProfile):
2976         (JSC::ExecutableAllocator::getLock):
2977         (JSC::ExecutableAllocator::isValidExecutableMemory):
2978         * jit/ExecutableAllocator.h:
2979         * jit/ExecutableAllocatorFixedVMPool.cpp:
2980         (JSC::ExecutableAllocator::allocate):
2981         (JSC::ExecutableAllocator::isValidExecutableMemory):
2982         (JSC::ExecutableAllocator::getLock):
2983         (JSC::ExecutableAllocator::committedByteCount):
2984         * jsc.cpp:
2985         (GlobalObject::finishCreation):
2986         (functionCheckModuleSyntax):
2987         (functionPlatformSupportsSamplingProfiler):
2988         (functionStartSamplingProfiler):
2989         (functionSamplingProfilerStackTraces):
2990         * llint/LLIntPCRanges.h: Added.
2991         (JSC::LLInt::isLLIntPC):
2992         * offlineasm/asm.rb:
2993         * runtime/Executable.h:
2994         (JSC::ExecutableBase::isModuleProgramExecutable):
2995         (JSC::ExecutableBase::isExecutableType):
2996         (JSC::ExecutableBase::isHostFunction):
2997         * runtime/JSLock.cpp:
2998         (JSC::JSLock::didAcquireLock):
2999         (JSC::JSLock::unlock):
3000         * runtime/Options.h:
3001         * runtime/SamplingProfiler.cpp: Added.
3002         (JSC::reportStats):
3003         (JSC::FrameWalker::FrameWalker):
3004         (JSC::FrameWalker::walk):
3005         (JSC::FrameWalker::wasValidWalk):
3006         (JSC::FrameWalker::advanceToParentFrame):
3007         (JSC::FrameWalker::isAtTop):
3008         (JSC::FrameWalker::resetAtMachineFrame):
3009         (JSC::FrameWalker::isValidFramePointer):
3010         (JSC::FrameWalker::isValidCodeBlock):
3011         (JSC::SamplingProfiler::SamplingProfiler):
3012         (JSC::SamplingProfiler::~SamplingProfiler):
3013         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3014         (JSC::SamplingProfiler::visit):
3015         (JSC::SamplingProfiler::shutdown):
3016         (JSC::SamplingProfiler::start):
3017         (JSC::SamplingProfiler::stop):
3018         (JSC::SamplingProfiler::pause):
3019         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3020         (JSC::SamplingProfiler::dispatchIfNecessary):
3021         (JSC::SamplingProfiler::dispatchFunction):
3022         (JSC::SamplingProfiler::noticeJSLockAcquisition):
3023         (JSC::SamplingProfiler::noticeVMEntry):
3024         (JSC::SamplingProfiler::clearData):
3025         (JSC::displayName):
3026         (JSC::SamplingProfiler::stacktracesAsJSON):
3027         (WTF::printInternal):
3028         * runtime/SamplingProfiler.h: Added.
3029         (JSC::SamplingProfiler::StackFrame::StackFrame):
3030         (JSC::SamplingProfiler::getLock):
3031         (JSC::SamplingProfiler::setTimingInterval):
3032         (JSC::SamplingProfiler::stackTraces):
3033         * runtime/VM.cpp:
3034         (JSC::VM::VM):
3035         (JSC::VM::~VM):
3036         (JSC::VM::setLastStackTop):
3037         (JSC::VM::createContextGroup):
3038         (JSC::VM::ensureWatchdog):
3039         (JSC::VM::ensureSamplingProfiler):
3040         (JSC::thunkGeneratorForIntrinsic):
3041         * runtime/VM.h:
3042         (JSC::VM::watchdog):
3043         (JSC::VM::samplingProfiler):
3044         (JSC::VM::isSafeToRecurse):
3045         (JSC::VM::lastStackTop):
3046         (JSC::VM::scratchBufferForSize):
3047         (JSC::VM::setLastStackTop): Deleted.
3048         * runtime/VMEntryScope.cpp:
3049         (JSC::VMEntryScope::VMEntryScope):
3050         * tests/stress/sampling-profiler: Added.
3051         * tests/stress/sampling-profiler-anonymous-function.js: Added.
3052         (platformSupportsSamplingProfiler.foo):
3053         (platformSupportsSamplingProfiler.baz):
3054         (platformSupportsSamplingProfiler):
3055         * tests/stress/sampling-profiler-basic.js: Added.
3056         (platformSupportsSamplingProfiler.bar):
3057         (platformSupportsSamplingProfiler.foo):
3058         (platformSupportsSamplingProfiler.nothing):
3059         (platformSupportsSamplingProfiler.top):
3060         (platformSupportsSamplingProfiler.jaz):
3061         (platformSupportsSamplingProfiler.kaz):
3062         (platformSupportsSamplingProfiler.checkInlining):
3063         (platformSupportsSamplingProfiler):
3064         * tests/stress/sampling-profiler-deep-stack.js: Added.
3065         (platformSupportsSamplingProfiler.foo):
3066         (platformSupportsSamplingProfiler.let.hellaDeep):
3067         (platformSupportsSamplingProfiler.let.start):
3068         (platformSupportsSamplingProfiler):
3069         * tests/stress/sampling-profiler-microtasks.js: Added.
3070         (platformSupportsSamplingProfiler.testResults):
3071         (platformSupportsSamplingProfiler):
3072         (platformSupportsSamplingProfiler.loop.jaz):
3073         (platformSupportsSamplingProfiler.loop):
3074         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
3075         (assert):
3076         (let.nodePrototype.makeChildIfNeeded):
3077         (makeNode):
3078         (updateCallingContextTree):
3079         (doesTreeHaveStackTrace):
3080         (makeTree):
3081         (runTest):
3082         (dumpTree):
3083         * yarr/YarrJIT.cpp:
3084         (JSC::Yarr::YarrGenerator::generateEnter):
3085         (JSC::Yarr::YarrGenerator::generateReturn):
3086         (JSC::Yarr::YarrGenerator::YarrGenerator):
3087         (JSC::Yarr::YarrGenerator::compile):
3088         (JSC::Yarr::jitCompile):
3089
3090 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3091
3092         [JSC] Iterating over a Set/Map is too slow
3093         https://bugs.webkit.org/show_bug.cgi?id=152691
3094
3095         Reviewed by Saam Barati.
3096
3097         Set#forEach and Set & for-of are very slow. There are 2 reasons.
3098
3099         1. forEach is implemented in C++, and typically it takes a JS callback and calls it from C++.
3100
3101         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
3102
3103             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
3104             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
3105             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
3106              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
3107              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
3108              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
3109
3110         Writing forEach in JS eliminates this.
3111
3112             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
3113             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
3114             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
3115              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
3116              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
3117              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
3118              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
3119              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
3120
3121         2. Iterator result object allocation is costly.
3122
3123         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
3124
3125             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
3126             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
3127             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
3128             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
3129             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
3130              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
3131
3132         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in FTL.
3133         But looking at the perf result, we can find an easy-to-fix bottleneck in the current implementation.
3134         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
3135         The pre-baked Structure* with `done` and `value` properties makes this implementation fast.
3136
3137         After these improvements, the micro benchmark[1] shows the following.
3138
3139         old:
3140             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
3141             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
3142             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
3143             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
3144             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
3145             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
3146
3147         new:
3148             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
3149             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
3150             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
3151             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
3152             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
3153             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
3154
3155         Set#forEach becomes comparable to Array#forEach, and Set#forEach and Set & for-of are improved (1.79x and 2.57x).
3156         After these optimizations, they are still much slower than linked list and array.
3157         This should be optimized in the long term.
3158
3159         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
3160
3161         * CMakeLists.txt:
3162         * DerivedSources.make:
3163         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3164         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3165         * JavaScriptCore.xcodeproj/project.pbxproj:
3166         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
3167         (forEach):
3168         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
3169         (forEach):
3170         * runtime/CommonIdentifiers.h:
3171         * runtime/IteratorOperations.cpp:
3172         (JSC::createIteratorResultObjectStructure):
3173         (JSC::createIteratorResultObject):
3174         * runtime/IteratorOperations.h:
3175         * runtime/JSGlobalObject.cpp:
3176         (JSC::JSGlobalObject::init):
3177         (JSC::JSGlobalObject::visitChildren):
3178         * runtime/JSGlobalObject.h:
3179         (JSC::JSGlobalObject::iteratorResultObjectStructure):
3180         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
3181         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
3182         * runtime/MapPrototype.cpp:
3183         (JSC::MapPrototype::getOwnPropertySlot):
3184         (JSC::privateFuncIsMap):
3185         (JSC::privateFuncMapIterator):
3186         (JSC::privateFuncMapIteratorNext):
3187         (JSC::MapPrototype::finishCreation): Deleted.
3188         (JSC::mapProtoFuncForEach): Deleted.
3189         * runtime/MapPrototype.h:
3190         * runtime/SetPrototype.cpp:
3191         (JSC::SetPrototype::getOwnPropertySlot):
3192         (JSC::privateFuncIsSet):
3193         (JSC::privateFuncSetIterator):
3194         (JSC::privateFuncSetIteratorNext):
3195         (JSC::SetPrototype::finishCreation): Deleted.
3196         (JSC::setProtoFuncForEach): Deleted.
3197         * runtime/SetPrototype.h:
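
        As an added example (not WebKit's builtins/SetPrototype.js or MapPrototype.js), here is the shape of the change described above: Set#forEach and Map#forEach written in JS on top of the iterator protocol, so the callback is invoked JS-to-JS instead of through a C++ trampoline. The real builtins use private @isSet/@setIterator/@setIteratorNext functions that user code cannot override; this version uses the public API and a `size`-getter brand check, which are assumptions of the example.

```javascript
"use strict";
// Added example, not WebKit code: Set#forEach and Map#forEach in JS, in the spirit of
// the builtins this entry introduces. The real builtins reach the iterator through
// private functions (@setIterator, @setIteratorNext, ...) that scripts cannot observe
// or replace; here the public Set.prototype.values / Map.prototype.entries are used.

// Brand checks: the `size` getters of Set.prototype and Map.prototype throw a TypeError
// when the receiver lacks the matching internal slot. Symbol.toStringTag can be spoofed
// by any object, an internal slot cannot, so this is the check to rely on.
const setSizeGetter = Object.getOwnPropertyDescriptor(Set.prototype, "size").get;
const mapSizeGetter = Object.getOwnPropertyDescriptor(Map.prototype, "size").get;

function hasBrand(value, sizeGetter) {
  try {
    sizeGetter.call(value);
    return true;
  } catch (e) {
    return false;
  }
}

// Set.prototype.forEach(callback[, thisArg]) written in JS. Elements added while
// iterating are still visited, because the Set iterator is live over the backing store.
function setForEach(callback, thisArg) {
  if (!hasBrand(this, setSizeGetter))
    throw new TypeError("Set.prototype.forEach requires that |this| be Set");
  if (typeof callback !== "function")
    throw new TypeError("Set.prototype.forEach callback must be a function");
  const iterator = Set.prototype.values.call(this);
  for (let step = iterator.next(); !step.done; step = iterator.next())
    callback.call(thisArg, step.value, step.value, this);
}

// Map.prototype.forEach(callback[, thisArg]) written in JS; callback gets (value, key, map).
function mapForEach(callback, thisArg) {
  if (!hasBrand(this, mapSizeGetter))
    throw new TypeError("Map.prototype.forEach requires that |this| be Map");
  if (typeof callback !== "function")
    throw new TypeError("Map.prototype.forEach callback must be a function");
  const iterator = Map.prototype.entries.call(this);
  for (let step = iterator.next(); !step.done; step = iterator.next()) {
    const [key, value] = step.value;
    callback.call(thisArg, value, key, this);
  }
}

// Returns the visitation order of a Set as an array, so callers can check it.
function setVisitOrder(set) {
  const seen = [];
  setForEach.call(set, function (v) { seen.push(v); });
  return seen;
}
```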
3198
3199 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3200
3201         Unreviewed, fix ARM64 build.
3202
3203         * b3/air/AirOpcode.opcodes:
3204
3205 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3206
3207         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
3208         https://bugs.webkit.org/show_bug.cgi?id=152955
3209
3210         Reviewed by Saam Barati.
3211
3212         This happens when we box an int32 and then immediately unbox it.
3213
3214         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
3215         benchmark. It's neutral elsewhere.
3216
3217         * b3/B3ReduceStrength.cpp:
3218         * b3/testb3.cpp:
3219         (JSC::B3::testPowDoubleByIntegerLoop):
3220         (JSC::B3::testTruncOrHigh):
3221         (JSC::B3::testTruncOrLow):
3222         (JSC::B3::testBitAndOrHigh):
3223         (JSC::B3::testBitAndOrLow):
3224         (JSC::B3::zero):
3225         (JSC::B3::run):
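
        As an added example (not B3's ReduceStrength), here is the rule above implemented over a tiny constructed IR, together with an evaluator that checks the rewrite keeps the same Int32 result and refuses a constant that does have low bits set. The node shapes, the `HIGH_TAG` value and the helper names are assumptions of the example.

```javascript
"use strict";
// Added example, not WebKit code: a toy strength reducer for the single rule this entry
// adds, Trunc(BitOr(value, constant)) -> Trunc(value) when !(constant & 0xffffffff).
// The IR below is constructed for the example; it is not B3's representation.
const MASK32 = 0xffffffffn;

// Tiny B3-like IR: Const64, Arg64, BitOr(a, b) on Int64, and Trunc (Int64 -> Int32,
// keeping only the low 32 bits).
const const64 = (value) => ({ op: "Const64", value: BigInt.asUintN(64, value) });
const arg64 = (name) => ({ op: "Arg64", name });
const bitOr = (a, b) => ({ op: "BitOr", a, b });
const trunc = (child) => ({ op: "Trunc", child });

function reduce(node) {
  switch (node.op) {
    case "BitOr":
      return bitOr(reduce(node.a), reduce(node.b));
    case "Trunc": {
      const child = reduce(node.child);
      if (child.op === "BitOr") {
        // B3 canonicalizes constants into the right operand; accept either side here.
        let value = null, constant = null;
        if (child.b.op === "Const64") { value = child.a; constant = child.b; }
        else if (child.a.op === "Const64") { value = child.b; constant = child.a; }
        // If the constant only has bits that Trunc discards, the BitOr is dead.
        if (constant !== null && (constant.value & MASK32) === 0n)
          return trunc(value);
      }
      return trunc(child);
    }
    default:
      return node;
  }
}

// Evaluate a node: Int64 nodes yield unsigned 64-bit BigInts, Trunc yields a JS int32.
function evaluate(node, env) {
  switch (node.op) {
    case "Const64": return node.value;
    case "Arg64": return BigInt.asUintN(64, env[node.name]);
    case "BitOr": return evaluate(node.a, env) | evaluate(node.b, env);
    case "Trunc": return Number(evaluate(node.child, env) & MASK32) | 0;
    default: throw new Error("unknown op " + node.op);
  }
}

function nodeCount(node) {
  switch (node.op) {
    case "BitOr": return 1 + nodeCount(node.a) + nodeCount(node.b);
    case "Trunc": return 1 + nodeCount(node.child);
    default: return 1;
  }
}

// The motivating pattern from the entry: boxing an int32 ORs in a tag that lives
// entirely in the high 32 bits, and unboxing immediately truncates it away again.
// HIGH_TAG is a constructed value chosen to resemble a NaN-boxing number tag.
const HIGH_TAG = 0xffff000000000000n;
const boxThenUnbox = trunc(bitOr(arg64("x"), const64(HIGH_TAG)));
const reduced = reduce(boxThenUnbox); // Trunc(Arg64 x)

// A constant with bits in the low 32 must not be reduced: it changes the result.
const notReducible = trunc(bitOr(arg64("x"), const64(0x1n)));
```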
3226
3227 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
3228
3229         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
3230         https://bugs.webkit.org/show_bug.cgi?id=149855
3231
3232         Reviewed by Saam Barati.
3233
3234         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
3235         'this', 'arguments' and 'super'.
3236
3237         * CMakeLists.txt:
3238         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3239         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3240         * JavaScriptCore.xcodeproj/project.pbxproj:
3241         * dfg/DFGAbstractInterpreterInlines.h:
3242         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3243         * dfg/DFGSpeculativeJIT.cpp:
3244         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3245         * dfg/DFGStructureRegistrationPhase.cpp:
3246         (JSC::DFG::StructureRegistrationPhase::run):
3247         * ftl/FTLAbstractHeapRepository.cpp:
3248         * ftl/FTLAbstractHeapRepository.h:
3249         * ftl/FTLLowerDFGToLLVM.cpp:
3250         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
3251         * interpreter/Interpreter.cpp:
3252         * interpreter/Interpreter.h:
3253         * jit/JITOpcodes.cpp:
3254         * jit/JITOpcodes32_64.cpp:
3255         * jit/JITOperations.cpp:
3256         * jit/JITOperations.h:
3257         * llint/LLIntOffsetsExtractor.cpp:
3258         * llint/LLIntSlowPaths.cpp:
3259         * runtime/JSArrowFunction.cpp: Removed.
3260         * runtime/JSArrowFunction.h: Removed.
3261         * runtime/JSGlobalObject.cpp:
3262         * runtime/JSGlobalObject.h:
3263
3264 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3265
3266         It should be possible to run liveness over registers without also tracking Tmps
3267         https://bugs.webkit.org/show_bug.cgi?id=152963
3268
3269         Reviewed by Saam Barati.
3270
3271         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
3272         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
3273         code like that for handling cold function calls. It also makes code like that somewhat more
3274         scalable, since we're no longer using HashSets.
3275
3276         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
3277         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
3278         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
3279         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
3280         think that this is good, because the lack of set methods (add/remove/contains) has caused
3281         bugs in the past. This makes BitVector have methods both for set operations on bits and array
3282         operations on bits. I think that's good, since BitVector gets used in both contexts.
3283
3284         * b3/B3IndexSet.h:
3285         (JSC::B3::IndexSet::Iterable::iterator::iterator):
3286         (JSC::B3::IndexSet::Iterable::begin):
3287         (JSC::B3::IndexSet::dump):
3288         * b3/air/AirInstInlines.h:
3289         (JSC::B3::Air::ForEach<Tmp>::forEach):
3290         (JSC::B3::Air::ForEach<Arg>::forEach):
3291         (JSC::B3::Air::ForEach<Reg>::forEach):
3292         (JSC::B3::Air::Inst::forEach):
3293         * b3/air/AirLiveness.h:
3294         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
3295         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
3296         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
3297         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
3298         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
3299         * b3/air/AirReportUsedRegisters.cpp:
3300         (JSC::B3::Air::reportUsedRegisters):
3301         * jit/Reg.h:
3302         (JSC::Reg::next):
3303         (JSC::Reg::index):
3304         (JSC::Reg::maxIndex):
3305         (JSC::Reg::isSet):
3306         (JSC::Reg::operator bool):
3307         * jit/RegisterSet.h:
3308         (JSC::RegisterSet::forEach):
3309
3310 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3311
3312         [JSC] Make branchMul functional in ARM B3 and minor fixes
3313         https://bugs.webkit.org/show_bug.cgi?id=152889
3314
3315         Reviewed by Mark Lam.
3316
3317         ARM64 does not have an "S" version of MUL that sets the flags.
3318         What we do is abstract that in the MacroAssembler. The problem
3319         is that form requires scratch registers.
3320
3321         For simplicity, I just exposed the two scratch registers
3322         for Air. Filip already added the concept of Scratch role,
3323         all I needed was to expose it for opcodes.
3324
3325         * assembler/MacroAssemblerARM64.h:
3326         (JSC::MacroAssemblerARM64::branchMul32):
3327         (JSC::MacroAssemblerARM64::branchMul64):
3328         Expose a version with the scratch registers as arguments.
3329
3330         * b3/B3LowerToAir.cpp:
3331         (JSC::B3::Air::LowerToAir::lower):
3332         Add the new form of CheckMul lowering.
3333
3334         * b3/air/AirOpcode.opcodes:
3335         Expose the new BranchMuls.
3336         Remove all the Test variants that use immediates
3337         since Air can't handle those immediates correctly yet.
3338
3339         * b3/air/opcode_generator.rb:
3340         Expose the Scratch role.
3341
3342         * b3/testb3.cpp:
3343         (JSC::B3::testPatchpointLotsOfLateAnys):
3344         Ooops, the scratch registers were not clobbered. We were just lucky
3345         on x86.
3346
3347 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3348
3349         [JSC] B3 is unable to do function calls on ARM64
3350         https://bugs.webkit.org/show_bug.cgi?id=152895
3351
3352         Reviewed by Mark Lam.
3353
3354         Apparently iOS does not follow the ARM64 ABI for function calls.
3355         Instead of giving each value an 8-byte slot, it must be packed
3356         while preserving alignment.
3357
3358         This patch adds a #ifdef to make function calls functional.
3359
3360         * b3/B3LowerToAir.cpp:
3361         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
3362         (JSC::B3::Air::LowerToAir::lower):
3363
3364 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
3365
3366         Air should support Branch64 with immediates
3367         https://bugs.webkit.org/show_bug.cgi?id=152951
3368
3369         Reviewed by Oliver Hunt.