Remove unused SlotVisitor::append() variant.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-08-18  Mark Lam  <mark.lam@apple.com>
2
3         Remove unused SlotVisitor::append() variant.
4         https://bugs.webkit.org/show_bug.cgi?id=160961
5
6         Reviewed by Saam Barati.
7
8         * heap/SlotVisitor.h:
9         * jit/JITWriteBarrier.h:
10         (JSC::JITWriteBarrier::get):
11         (JSC::SlotVisitor::append): Deleted.
12
13 2016-08-18  Saam Barati  <sbarati@apple.com>
14
15         Make @Array(size) a bytecode intrinsic
16         https://bugs.webkit.org/show_bug.cgi?id=160867
17
18         Reviewed by Mark Lam.
19
20         There were a few places in the code where we were emitting `@Array(size)`
21         or `new @Array(size)`. Since we have a bytecode operation that already
22         represents this, called new_array_with_size, it's faster to just make a
23         bytecode intrinsic for this operation. This patch does that and
24         the intrinsic is called `@newArrayWithSize`. This might be around a
25         1% speedup on ES6 sample bench, but it's within the noise. This is just
26         a good bytecode operation to have because it's common enough to
27         create arrays and it's good to make that fast in all tiers.
28
29         * builtins/ArrayConstructor.js:
30         (of):
31         (from):
32         * builtins/ArrayPrototype.js:
33         (filter):
34         (map):
35         (sort.stringSort):
36         (sort):
37         (concatSlowPath):
38         * bytecode/BytecodeIntrinsicRegistry.h:
39         * bytecompiler/NodesCodegen.cpp:
40         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
41         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize):
42
43 2016-08-18  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>
44
45         [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
46         https://bugs.webkit.org/show_bug.cgi?id=156096
47
48         Reviewed by Dean Jackson.
49
50         Adds:
51         - Animatable interface and implementation of getAnimations in Element.
52         - Interface and implementation for Document getAnimations method.
53         - AnimationEffect interface and class stub.
54         - KeyframeEffect interface and constructor implementation.
55         - 'Animation' interface, constructor and query methods for effect and timeline.
56         - Remove runtime condition on Web animation interfaces (compile time flag is specified).
57
58         * runtime/CommonIdentifiers.h:
59
60 2016-08-17  Keith Miller  <keith_miller@apple.com>
61
62         Add WASM support for i64 simple opcodes.
63         https://bugs.webkit.org/show_bug.cgi?id=160928
64
65         Reviewed by Michael Saboff.
66
67         This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.
68
69         * wasm/WASMB3IRGenerator.cpp:
70         (JSC::WASM::toB3Op):
71         (JSC::WASM::B3IRGenerator::unaryOp):
72         * wasm/WASMFunctionParser.h:
73         (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
74         * wasm/WASMOps.h:
75
76 2016-08-17  JF Bastien  <jfbastien@apple.com>
77
78         We allow assignments to const variables when in a for-in/for-of loop
79         https://bugs.webkit.org/show_bug.cgi?id=156673
80
81         Reviewed by Filip Pizlo.
82
83         for-in and for-of weren't checking whether iteration variables from
84         parent scopes were const. Assigning to such variables should
85         throw, but used not to.
86
87         * bytecompiler/NodesCodegen.cpp:
88         (JSC::ForInNode::emitLoopHeader):
89         (JSC::ForOfNode::emitBytecode):
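
The behaviour this entry fixes, shown as an added JavaScript example (not WebKit code and not one of the project's tests): a `const` declared in an enclosing scope is reused as the iteration variable of a for-in and a for-of loop, so the assignment performed by the loop head must throw a TypeError. Any spec-conforming engine is assumed; the `let` and loop-head `const` cases are included as controls that must not throw.

```javascript
// Added example (not WebKit code): checks that assigning to a const binding
// declared in an enclosing scope throws a TypeError when the loop head
// reuses that binding as its iteration variable, for both for-in and for-of.
// Node.js or any spec-conforming engine is assumed.
"use strict";

// Returns the name of the error thrown, or "none" if the loop ran silently.
function assignConstInForIn() {
  const key = "initial";
  try {
    // `key` is not redeclared here; the loop assigns to the outer const.
    for (key in { a: 1, b: 2 }) {}
    return "none";
  } catch (e) {
    return e.constructor.name;
  }
}

function assignConstInForOf() {
  const item = 0;
  try {
    for (item of [1, 2, 3]) {}
    return "none";
  } catch (e) {
    return e.constructor.name;
  }
}

// Control: a `let` in the enclosing scope is legitimately reassigned by the loop.
function assignLetInForOf() {
  let last;
  for (last of [1, 2, 3]) {}
  return last;
}

// Control: a const declared in the loop head gets a fresh binding per iteration.
function constDeclaredInLoopHead() {
  const seen = [];
  for (const v of [1, 2, 3]) seen.push(v);
  return seen.join(",");
}
```

Before this fix, an engine with the described bug would let the first two functions return "none"; a conforming engine returns "TypeError" for both while the two controls run normally.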
90
91 2016-08-17  Geoffrey Garen  <ggaren@apple.com>
92
93         Fixed a potential bug in MarkedArgumentBuffer.
94         https://bugs.webkit.org/show_bug.cgi?id=160948
95         <rdar://problem/27889416>
96
97         Reviewed by Oliver Hunt.
98
99         I haven't been able to produce an observable test case after some trying.
100
101         * runtime/ArgList.cpp:
102         (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
103         this out from existing code for clarity, but the behavior is the same.
104
105         (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.
106
107         (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
108         path. This is faster than the old linear scan, and I think it might
109         avoid cases the old scan could miss.
110
111         * runtime/ArgList.h:
112         (JSC::MarkedArgumentBuffer::append): Account for the case where someone
113         has called clear() or removeLast().
114
115         (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
116         clearer to test the buffers directly instead of inferring what they
117         might be based on capacity.
118
119 2016-08-17  Mark Lam  <mark.lam@apple.com>
120
121         Remove an invalid assertion in the DFG backend's GetById emitter.
122         https://bugs.webkit.org/show_bug.cgi?id=160925
123         <rdar://problem/27248961>
124
125         Reviewed by Filip Pizlo.
126
127         The DFG backend's GetById assertion that the node's prediction not be SpecNone
128         is just plain wrong.  It assumes that we can never have a GetById node without a
129         type prediction, but this is not true.  The following test case proves otherwise:
130
131             function foo() {
132                 "use strict";
133                 return --arguments["callee"];
134             }
135
136         Will remove the assertion.  Nothing else needs to change as the DFG is working
137         correctly without the assertion.
138
139         * dfg/DFGSpeculativeJIT32_64.cpp:
140         (JSC::DFG::SpeculativeJIT::compile):
141         * dfg/DFGSpeculativeJIT64.cpp:
142         (JSC::DFG::SpeculativeJIT::compile):
143
144 2016-08-16  Mark Lam  <mark.lam@apple.com>
145
146         Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
147         https://bugs.webkit.org/show_bug.cgi?id=160917
148
149         Reviewed by Filip Pizlo.
150
151         If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
152         RELEASE_ASSERT failure:
153
154             $ JSC_useImmortalObjects=true jsc
155             >>> gc()
156             Trace/BPT trap: 5
157
158         This is because Heap::collectAllGarbage() is doing an explicit sweep of the
159         MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
160         make objects immortal by retiring their blocks.  As a result, there is a mismatch
161         in expectancy.
162
163         The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.
164
165         * heap/Heap.cpp:
166         (JSC::Heap::collectAllGarbage):
167
168 2016-08-16  Keith Miller  <keith_miller@apple.com>
169
170         Add WASM I32 simple operators.
171         https://bugs.webkit.org/show_bug.cgi?id=160914
172
173         Reviewed by Benjamin Poulain.
174
175         This patch adds support for the i32 simple binary operators.
176
177         * wasm/WASMB3IRGenerator.cpp:
178         (JSC::WASM::toB3Op):
179         (JSC::WASM::B3IRGenerator::binaryOp):
180         * wasm/WASMFunctionParser.h:
181         (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
182         * wasm/WASMOps.h:
183
184 2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>
185
186         Conversion to sequence<T> is broken for iterable objects
187         https://bugs.webkit.org/show_bug.cgi?id=160801
188
189         Reviewed by Darin Adler.
190
191         Export functions used to iterate over iterable objects.
192
193         * runtime/IteratorOperations.h:
194         (JSC::forEachInIterable):
195
196 2016-08-15  Benjamin Poulain  <bpoulain@apple.com>
197
198         [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
199         https://bugs.webkit.org/show_bug.cgi?id=160881
200
201         Reviewed by Mark Lam.
202
203         * dfg/DFGSpeculativeJIT32_64.cpp:
204         (JSC::DFG::SpeculativeJIT::compile):
205         We were trying to set the result of the Identity node to the same
206         value as the source of the Identity.
207         That is pretty messed up.
208
209 2016-08-15  Saam Barati  <sbarati@apple.com>
210
211         Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
212         https://bugs.webkit.org/show_bug.cgi?id=160750
213         <rdar://problem/27793469>
214
215         Reviewed by Joseph Pecoraro.
216
217         * inspector/agents/InspectorRuntimeAgent.cpp:
218         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
219         (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
220         (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
221         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
222         (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
223         * inspector/agents/InspectorRuntimeAgent.h:
224         * inspector/protocol/Runtime.json:
225
226 2016-08-15  Saam Barati  <sbarati@apple.com>
227
228         Array.prototype.map builtin should go on the fast path when constructor===@Array
229         https://bugs.webkit.org/show_bug.cgi?id=160836
230
231         Reviewed by Keith Miller.
232
233         In the FTL, we were not compiling the result array in Array.prototype.map
234         efficiently when the result array should use the Array constructor
235         (which is the common case). We used to compile it as:
236         x: JSConstant(Array)
237         y: Construct(@x, ...)
238         instead of
239         y: NewArrayWithSize(...)
240
241         This patch changes the builtin to go down the fast path when certain
242         conditions are met. Often, the check to go down the fast path will
243         be constant folded because we always create a normal array from the
244         Array constructor.
245
246         This is around a 5% speedup on ES6 Sample Bench.
247
248         I also made similar changes for Array.prototype.filter
249         and Array.prototype.concat on its slow path.
250
251         * builtins/ArrayPrototype.js:
252
253 2016-08-15  Mark Lam  <mark.lam@apple.com>
254
255         Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
256         https://bugs.webkit.org/show_bug.cgi?id=160832
257         <rdar://problem/27577556>
258
259         Reviewed by Geoffrey Garen.
260
261         Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
262         access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
263         result, we'll crash with null pointer dereferences.
264
265         We can fix this by introducing a JSString::equal() method that will do the
266         equality comparison, but is aware of the potential failures to resolve ropes.
267         JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
268         instead of accessing the underlying StringImpl directly.
269
270         Also added some exception checks.
271
272         * JavaScriptCore.xcodeproj/project.pbxproj:
273         * jit/JITOperations.cpp:
274         * runtime/ArrayPrototype.cpp:
275         (JSC::arrayProtoFuncIndexOf):
276         (JSC::arrayProtoFuncLastIndexOf):
277         * runtime/JSCJSValueInlines.h:
278         (JSC::JSValue::equalSlowCaseInline):
279         (JSC::JSValue::strictEqualSlowCaseInline):
280         * runtime/JSString.cpp:
281         (JSC::JSString::equalSlowCase):
282         * runtime/JSString.h:
283         * runtime/JSStringInlines.h: Added.
284         (JSC::JSString::equal):
285
286 2016-08-15  Keith Miller  <keith_miller@apple.com>
287
288         Implement WASM Parser and B3 IR generator
289         https://bugs.webkit.org/show_bug.cgi?id=160681
290
291         Reviewed by Benjamin Poulain.
292
293         This patch adds the skeleton for a WebAssembly pipeline. The
294         pipeline is designed in order to make it easy to have as much of
295         the compilation process threaded as possible. The flow of the
296         pipeline roughly goes as follows:
297
298         1) Create a WASMPlan with the VM and a Vector of the
299         assembly. Currently the plan will process all the work
300         synchronously, however, in the future this can be offloaded to
301         other threads.
302
303         2) The plan will run the WASMModuleParser, which collates all the
304         information needed to compile each module function
305         independently. Since we are still in the early phases, the only
306         information is the starting and ending byte of the function's
307         body. The module parser, however, still scans both and
308         semi-validates the type and the function sections.
309
310         3) Each function is decoded and compiled. In the future this
311         should also include an opcode validation phase. The
312         WASMFunctionParser is templatized so that a validator should be
313         able to use most of the same code the B3 IR generator does.
314
315         4) When the plan has finished it will fill a Vector of
316         B3::Compilation objects that correspond to the respective function
317         in the WASM module.
318
319
320         The current testing plan for the modules is to inline the
321         binary generated by the spec's OCaml prototype. The inlined binary
322         is passed to a WASMPlan then invoked to check the result of the
323         function. In the future we should add a more robust testing
324         infrastructure.
325
326         * JavaScriptCore.xcodeproj/project.pbxproj:
327         * testWASM.cpp:
328         (printUsageStatement):
329         (CommandLine::parseArguments):
330         (invoke):
331         (runWASMTests):
332         (main):
333         * wasm/JSWASMModule.h:
334         (JSC::JSWASMModule::globalVariableTypes):
335         * wasm/WASMB3IRGenerator.cpp: Added.
336         (JSC::WASM::B3IRGenerator::B3IRGenerator):
337         (JSC::WASM::B3IRGenerator::addLocal):
338         (JSC::WASM::B3IRGenerator::binaryOp):
339         (JSC::WASM::B3IRGenerator::addConstant):
340         (JSC::WASM::B3IRGenerator::addBlock):
341         (JSC::WASM::B3IRGenerator::endBlock):
342         (JSC::WASM::B3IRGenerator::addReturn):
343         (JSC::WASM::B3IRGenerator::unify):
344         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
345         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
346         (JSC::WASM::B3IRGenerator::stackForControlLevel):
347         (JSC::WASM::B3IRGenerator::blockForControlLevel):
348         (JSC::WASM::parseAndCompile):
349         * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
350         * wasm/WASMFormat.h:
351         * wasm/WASMFunctionParser.h: Added.
352         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
353         (JSC::WASM::WASMFunctionParser<Context>::parse):
354         (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
355         (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
356         * wasm/WASMModuleParser.cpp: Added.
357         (JSC::WASM::WASMModuleParser::parse):
358         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
359         (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
360         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
361         * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
362         (JSC::WASM::WASMModuleParser::WASMModuleParser):
363         (JSC::WASM::WASMModuleParser::functionInformation):
364         * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
365         * wasm/WASMParser.h: Added.
366         (JSC::WASM::WASMParser::parseVarUInt32):
367         (JSC::WASM::WASMParser::WASMParser):
368         (JSC::WASM::WASMParser::consumeCharacter):
369         (JSC::WASM::WASMParser::consumeString):
370         (JSC::WASM::WASMParser::parseUInt32):
371         (JSC::WASM::WASMParser::parseUInt7):
372         (JSC::WASM::WASMParser::parseVarUInt1):
373         (JSC::WASM::WASMParser::parseValueType):
374         * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
375         (JSC::WASM::Plan::Plan):
376         * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
377         * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
378         (JSC::WASM::WASMSections::lookup):
379         * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
380         (JSC::WASM::WASMSections::validateOrder):
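
The two primitives a module parser like the one described above leans on, a fixed-width little-endian uint32 and an unsigned LEB128 varuint32, together with the module header check, as an added JavaScript example. This is not WebKit code: the encoding rules follow the published WebAssembly binary format (magic bytes "\0asm", then a uint32 version), and the accepted version is a parameter because the 2016 pre-standard format this patch targeted used a different version number than the current 1. The point of the example is the bounds and width checks: a short buffer or an over-long varuint is a parse error, never an out-of-bounds read or a silently truncated value.

```javascript
// Added example (not WebKit code): a bounds-checked reader for the two
// primitives a WASM module parser leans on, fixed-width little-endian uint32
// and unsigned LEB128 varuint32, followed by a check of the module header.
// Encoding rules follow the WebAssembly binary format (magic "\0asm", then a
// uint32 version); the version accepted is a parameter because the 2016
// pre-standard format used a different number than the current 1.
class ParseError extends Error {}

class ByteReader {
  constructor(bytes) {
    this.bytes = bytes;   // Uint8Array
    this.offset = 0;
  }

  // Every read first checks it stays inside the buffer; a short buffer is an
  // error, not an out-of-bounds read.
  need(n) {
    if (this.offset + n > this.bytes.length) {
      throw new ParseError(`unexpected end of input at offset ${this.offset}`);
    }
  }

  parseUInt32() {
    this.need(4);
    const b = this.bytes;
    const o = this.offset;
    this.offset += 4;
    return (b[o] | (b[o + 1] << 8) | (b[o + 2] << 16) | (b[o + 3] << 24)) >>> 0;
  }

  // Unsigned LEB128 limited to 32 bits: at most 5 bytes, and the 5th byte may
  // only carry 4 payload bits. Longer or overfull encodings are rejected so a
  // hostile module cannot smuggle a value the engine would silently truncate.
  parseVarUInt32() {
    let result = 0;
    for (let shift = 0; shift < 35; shift += 7) {
      this.need(1);
      const byte = this.bytes[this.offset++];
      if (shift === 28 && (byte & 0x70) !== 0) {
        throw new ParseError("varuint32 exceeds 32 bits");
      }
      result = (result | ((byte & 0x7f) << shift)) >>> 0;
      if ((byte & 0x80) === 0) return result;
    }
    throw new ParseError("varuint32 longer than 5 bytes");
  }
}

// Parses the 8-byte module header and returns the version found.
function parseModuleHeader(bytes, expectedVersion = 1) {
  const r = new ByteReader(bytes);
  const magic = r.parseUInt32();
  if (magic !== 0x6d736100) {          // "\0asm" read little-endian
    throw new ParseError("bad magic number");
  }
  const version = r.parseUInt32();
  if (version !== expectedVersion) {
    throw new ParseError(`unsupported version ${version}`);
  }
  return version;
}

// Constructed inputs: a valid version-1 header and the same header cut short.
const VALID_HEADER = Uint8Array.of(0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00);
const TRUNCATED_HEADER = VALID_HEADER.slice(0, 6);

function decodeVarUInt32(bytes) {
  return new ByteReader(Uint8Array.from(bytes)).parseVarUInt32();
}

// Returns null on success, or the parse error message.
function headerError(bytes) {
  try { parseModuleHeader(bytes); return null; } catch (e) { return e.message; }
}
```

The varuint reader is the piece worth copying: the 5th-byte payload mask and the hard cap on length are what keep a malformed length field from turning into a 33-bit value that later indexes a buffer.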
381
382 2016-08-15  Benjamin Poulain  <bpoulain@apple.com>
383
384         [JSC] B3 Neg opcode should support float
385         https://bugs.webkit.org/show_bug.cgi?id=160795
386
387         Reviewed by Geoffrey Garen.
388
389         This is required to implement WASM f32.neg opcode.
390
391         * assembler/MacroAssemblerARM64.h:
392         (JSC::MacroAssemblerARM64::negateFloat):
393         * b3/B3LowerToAir.cpp:
394         (JSC::B3::Air::LowerToAir::lower):
395         * b3/B3ReduceDoubleToFloat.cpp:
396         * b3/air/AirOpcode.opcodes:
397         * b3/testb3.cpp:
398         (JSC::B3::testNegDouble):
399         (JSC::B3::testNegFloat):
400         (JSC::B3::testNegFloatWithUselessDoubleConversion):
401         (JSC::B3::run):
402
403 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
404
405         Use #pragma once in inspector headers
406         https://bugs.webkit.org/show_bug.cgi?id=160861
407
408         Reviewed by Mark Lam.
409
410         * inspector/*.h:
411
412 2016-08-15  Daniel Bates  <dabates@apple.com>
413
414         Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
415         private frameworks and libraries
416         https://bugs.webkit.org/show_bug.cgi?id=155931
417         <rdar://problem/25807989>
418
419         Reviewed by Dan Bernstein.
420
421         Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
422         where X is the major version of the active iOS SDK.
423
424         * Configurations/Base.xcconfig:
425
426 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
427
428         Reduce includes of Debugger.h
429         https://bugs.webkit.org/show_bug.cgi?id=160827
430
431         Reviewed by Mark Lam.
432
433         * API/JSTypedArray.cpp:
434         * bytecode/UnlinkedCodeBlock.h:
435         * bytecode/UnlinkedFunctionExecutable.cpp:
436         * bytecode/UnlinkedFunctionExecutable.h:
437         * bytecompiler/BytecodeGenerator.h:
438         * bytecompiler/NodesCodegen.cpp:
439         * dfg/DFGPlan.cpp:
440         * dfg/DFGSpeculativeJIT32_64.cpp:
441         * dfg/DFGSpeculativeJIT64.cpp:
442         * ftl/FTLJITCode.h:
443         * inspector/ScriptCallStackFactory.cpp:
444         * inspector/agents/InspectorDebuggerAgent.h:
445         * jit/JITOpcodes.cpp:
446         * jit/JITOpcodes32_64.cpp:
447         * jit/JITOperations.cpp:
448         * llint/LLIntOffsetsExtractor.cpp:
449         * parser/Nodes.cpp:
450         * parser/Parser.cpp:
451         * parser/Parser.h:
452         * runtime/Completion.cpp:
453         * runtime/Executable.cpp:
454         * runtime/Executable.h:
455         * runtime/FunctionConstructor.cpp:
456         * runtime/SamplingProfiler.cpp:
457         * runtime/SamplingProfiler.h:
458         * runtime/VMEntryScope.cpp:
459
460 2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>
461
462         Remove unused includes of wtf headers
463         https://bugs.webkit.org/show_bug.cgi?id=160839
464
465         Reviewed by Alex Christensen.
466
467         * Lots of files.
468
469 2016-08-13  Per Arne Vollan  <pvollan@apple.com>
470
471         [Win] Warning fixes.
472         https://bugs.webkit.org/show_bug.cgi?id=160803
473
474         Reviewed by Brent Fulgham.
475
476         Initialize local variables.
477
478         * jit/JIT.cpp:
479         (JSC::JIT::compileWithoutLinking):
480         * runtime/Error.cpp:
481         (JSC::addErrorInfoAndGetBytecodeOffset):
482
483 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
484
485         Remove always true JSC::Debugger::needPauseHandling virtual method
486         https://bugs.webkit.org/show_bug.cgi?id=160822
487
488         Reviewed by Mark Lam.
489
490         All subclasses return true for this method. Just remove the method.
491
492         * debugger/Debugger.cpp:
493         (JSC::Debugger::pauseIfNeeded):
494         * inspector/ScriptDebugServer.h:
495
496 2016-08-12  Saam Barati  <sbarati@apple.com>
497
498         Inline store loop for CopyRest in DFG and FTL for certain array modes
499         https://bugs.webkit.org/show_bug.cgi?id=159612
500
501         Reviewed by Filip Pizlo.
502
503         This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
504         The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
505         This allows the bytecode to be in control of what type of indexingType the array is allocated
506         with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
507         This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
508         JIT will fast allocate the array and its storage, and we will do a memmove from the rest
509         region of arguments into the array's storage.
510
511         I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
512         on micro benchmarks that just test rest creation speed.
513
514         * bytecode/BytecodeList.json:
515         * bytecode/BytecodeUseDef.h:
516         (JSC::computeUsesForBytecodeOffset):
517         (JSC::computeDefsForBytecodeOffset):
518         * bytecode/CodeBlock.cpp:
519         (JSC::CodeBlock::dumpBytecode):
520         * bytecompiler/BytecodeGenerator.cpp:
521         (JSC::BytecodeGenerator::emitRestParameter):
522         * dfg/DFGAbstractInterpreterInlines.h:
523         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
524         * dfg/DFGByteCodeParser.cpp:
525         (JSC::DFG::ByteCodeParser::parseBlock):
526         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
527         (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
528         * dfg/DFGCapabilities.cpp:
529         (JSC::DFG::capabilityLevel):
530         * dfg/DFGClobberize.h:
531         (JSC::DFG::clobberize):
532         * dfg/DFGDoesGC.cpp:
533         (JSC::DFG::doesGC):
534         * dfg/DFGFixupPhase.cpp:
535         (JSC::DFG::FixupPhase::fixupNode):
536         * dfg/DFGGraph.h:
537         (JSC::DFG::Graph::uses):
538         (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
539         (JSC::DFG::Graph::compilation):
540         * dfg/DFGNode.h:
541         (JSC::DFG::Node::numberOfArgumentsToSkip):
542         * dfg/DFGNodeType.h:
543         * dfg/DFGOperations.cpp:
544         * dfg/DFGOperations.h:
545         * dfg/DFGPredictionPropagationPhase.cpp:
546         * dfg/DFGSafeToExecute.h:
547         (JSC::DFG::safeToExecute):
548         * dfg/DFGSpeculativeJIT.cpp:
549         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
550         (JSC::DFG::SpeculativeJIT::compileCreateRest):
551         (JSC::DFG::SpeculativeJIT::compileGetRestLength):
552         (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
553         * dfg/DFGSpeculativeJIT.h:
554         (JSC::DFG::SpeculativeJIT::callOperation):
555         * dfg/DFGSpeculativeJIT32_64.cpp:
556         (JSC::DFG::SpeculativeJIT::compile):
557         (JSC::DFG::SpeculativeJIT::compileArithRandom):
558         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
559         * dfg/DFGSpeculativeJIT64.cpp:
560         (JSC::DFG::SpeculativeJIT::compile):
561         (JSC::DFG::SpeculativeJIT::compileArithRandom):
562         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
563         * ftl/FTLCapabilities.cpp:
564         (JSC::FTL::canCompile):
565         * ftl/FTLLowerDFGToB3.cpp:
566         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
567         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
568         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
569         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
570         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
571         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
572         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
573         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
574         * interpreter/CallFrame.h:
575         (JSC::ExecState::addressOfArgumentsStart):
576         (JSC::ExecState::argument):
577         * jit/JIT.cpp:
578         (JSC::JIT::privateCompileMainPass):
579         * jit/JIT.h:
580         * jit/JITOpcodes.cpp:
581         (JSC::JIT::emit_op_argument_count):
582         (JSC::JIT::emit_op_create_rest):
583         (JSC::JIT::emit_op_copy_rest): Deleted.
584         * jit/JITOperations.h:
585         * llint/LowLevelInterpreter.asm:
586         * runtime/CommonSlowPaths.cpp:
587         (JSC::SLOW_PATH_DECL):
588         * runtime/CommonSlowPaths.h:
589
590 2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>
591
592         Add a helper class for enumerating elements in an iterable object
593         https://bugs.webkit.org/show_bug.cgi?id=160800
594
595         Reviewed by Benjamin Poulain.
596
597         Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
598         and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.
599
600         Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.
601
602         * runtime/IteratorOperations.cpp:
603         (JSC::iteratorForIterable): Added.
604         * runtime/IteratorOperations.h:
605         (JSC::forEachInIterable): Added.
606         * runtime/MapConstructor.cpp:
607         (JSC::constructMap):
608         * runtime/SetConstructor.cpp:
609         (JSC::constructSet):
610         * runtime/WeakMapConstructor.cpp:
611         (JSC::constructWeakMap):
612         * runtime/WeakSetConstructor.cpp:
613         (JSC::constructWeakSet):
614
615 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
616
617         Remove unused includes of RefCountedLeakCounter.h
618         https://bugs.webkit.org/show_bug.cgi?id=160817
619
620         Reviewed by Mark Lam.
621
622         * parser/Nodes.cpp:
623         * runtime/Structure.cpp:
624
625 2016-08-12  Pranjal Jumde  <pjumde@apple.com>
626
627         ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
628         https://bugs.webkit.org/show_bug.cgi?id=160535
629         <rdar://problem/27328151>
630         
631         Reviewed by Saam Barati.
632
633         lineNumber from the savePoint was not being restored before calling next(), causing a discrepancy in the offset and line for the token.
634
635         * parser/Parser.h:
636         (JSC::Parser::restoreLexerState):
637
638 2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>
639
640         [ES2016] Implement Object.entries
641         https://bugs.webkit.org/show_bug.cgi?id=160412
642
643         Reviewed by Saam Barati.
644
645         This patch adds an entries function to Object that returns a list of
646         key+value pairs. The patch was done according to the
647         spec: https://tc39.github.io/ecma262/#sec-object.entries
648
649         * builtins/ObjectConstructor.js:
650         (globalPrivate.enumerableOwnProperties):
651         (entries):
652         * runtime/ObjectConstructor.cpp:
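
The algorithm the entry points to, as an added JavaScript example rather than WebKit's builtin: a reference Object.entries following EnumerableOwnProperties in the referenced spec section. It shows the two details a self-written version most often gets wrong, the key order produced by [[OwnPropertyKeys]] (integer keys ascending, then strings in insertion order, symbols excluded) and the fact that each key's descriptor is re-read just before its value, so a getter that deletes or hides a later property is observed. The inputs are constructed for the example.

```javascript
// Added example (not WebKit code): a reference implementation of
// Object.entries following EnumerableOwnProperties in the ECMAScript spec,
// used here to show the ordering and the per-key enumerability re-check that
// the algorithm requires.
function objectEntries(o) {
  // Step 1: ToObject; null and undefined are rejected.
  if (o === null || o === undefined) {
    throw new TypeError("Object.entries called on null or undefined");
  }
  const obj = Object(o);
  // Step 2: [[OwnPropertyKeys]] order: integer keys ascending, then strings
  // in insertion order, then symbols. Symbols are filtered out below.
  const keys = Reflect.ownKeys(obj);
  const result = [];
  for (const key of keys) {
    if (typeof key !== "string") continue;
    // The descriptor is fetched per key, so a getter that deletes a later
    // key or makes it non-enumerable is observed.
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc !== undefined && desc.enumerable) {
      result.push([key, obj[key]]);
    }
  }
  return result;
}

// Constructed input: a getter on "a" deletes "b" while entries are collected,
// so "b" must not appear in the output.
function entriesWithMutatingGetter() {
  const target = {
    get a() { delete this.b; return 1; },
    b: 2,
    c: 3,
  };
  return JSON.stringify(objectEntries(target));
}

// Constructed input: ordering of integer-like keys vs. string keys, and
// exclusion of symbol-keyed and non-enumerable properties.
function entriesOrdering() {
  const target = { z: 1, 10: "ten", 2: "two", [Symbol("s")]: "hidden" };
  Object.defineProperty(target, "secret", { value: 42, enumerable: false });
  return JSON.stringify(objectEntries(target));
}

// Primitives are boxed by ToObject, so a string yields its index/character pairs.
function entriesOfPrimitive() {
  return JSON.stringify(objectEntries("ab"));
}

// Returns true when the reference implementation agrees with the engine's own
// Object.entries on the same constructed input.
function matchesNative() {
  const target = { z: 1, 10: "ten", 2: "two" };
  return JSON.stringify(objectEntries(target)) === JSON.stringify(Object.entries(target));
}
```

The per-key descriptor read is what makes the mutating-getter case safe: collecting all values first and checking enumerability afterwards would report a property the object no longer has.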
653
654 2016-08-11  Mark Lam  <mark.lam@apple.com>
655
656         OverridesHasInstance should not branch across register allocations.
657         https://bugs.webkit.org/show_bug.cgi?id=160792
658         <rdar://problem/27361778>
659
660         Reviewed by Benjamin Poulain.
661
662         The OverrideHasInstance node has a branch test that is emitted conditionally.
663         It also has a bug where it allocated a register after this branch, which is not
664         allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
665         From the ChangeLog for r145931:
666
667         "This [assertion that register allocations are not branched around] protects
668         against the case where an allocation could have spilled register contents to free
669         up a register and that spill only occurs on one path of many through the code.
670         A subsequent fill of the spilled register may load garbage."
671
672         Because the branch isn't always emitted, this bug has gone unnoticed until now.
673         This patch fixes this issue by pre-allocating the registers before emitting the
674         branch in OverrideHasInstance.
675
676         Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
677         is doing it right.
678
679         * dfg/DFGSpeculativeJIT64.cpp:
680         (JSC::DFG::SpeculativeJIT::compile):
681
682 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
683
684         [JSC] Make B3 Return opcode work without arguments
685         https://bugs.webkit.org/show_bug.cgi?id=160787
686
687         Reviewed by Keith Miller.
688
689         We need a way to create functions that do not return values.
690
691         * assembler/MacroAssembler.h:
692         (JSC::MacroAssembler::retVoid):
693         * b3/B3BasicBlock.cpp:
694         (JSC::B3::BasicBlock::appendNewControlValue):
695         * b3/B3LowerToAir.cpp:
696         (JSC::B3::Air::LowerToAir::lower):
697         * b3/B3Validate.cpp:
698         * b3/B3Value.h:
699         * b3/air/AirOpcode.opcodes:
700         * b3/testb3.cpp:
701         (JSC::B3::testReturnVoid):
702         (JSC::B3::run):
703
704 2016-08-11  Mark Lam  <mark.lam@apple.com>
705
706         Gardening: fix gcc builds after r204387. 
707
708         Not reviewed.
709
710         Apparently, gcc is not sophisticated enough to realize that the end of the
711         function is unreachable, and is wrongly complaining about "control reaches end of
712         non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
713         statement at the end of MarkedBlock::sweepHelper() to appease gcc.
714
715         * heap/MarkedBlock.cpp:
716         (JSC::MarkedBlock::sweepHelper):
717
718 2016-08-11  Alex Christensen  <achristensen@webkit.org>
719
720         Use StringBuilder::appendLiteral when possible don't append result of makeString
721         https://bugs.webkit.org/show_bug.cgi?id=160772
722
723         Reviewed by Sam Weinig.
724
725         * API/tests/ExecutionTimeLimitTest.cpp:
726         (testExecutionTimeLimit):
727         * API/tests/PingPongStackOverflowTest.cpp:
728         (PingPongStackOverflowObject_hasInstance):
729         * bytecompiler/NodesCodegen.cpp:
730         (JSC::ArrayPatternNode::toString):
731         (JSC::RestParameterNode::toString):
732         * runtime/ErrorInstance.cpp:
733         (JSC::ErrorInstance::sanitizedToString):
734         * runtime/Options.cpp:
735         (JSC::Options::dumpOption):
736
737 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
738
739         [JSC] Revert most of r203808
740         https://bugs.webkit.org/show_bug.cgi?id=160784
741
742         Reviewed by Geoffrey Garen.
743
744         Switching to fastMalloc() caused regressions on Jetstream and Octane
745         on MacBook Air. I was able to get back some of it in the following
746         patches but the tests that never go to FTL are still regressed.
747
748         This patch reverts r203808 except for the node index.
749         Nodes are allocated with the custom allocator like before but they are
750         now also kept in a table, addressed by the node index.
751
752         * CMakeLists.txt:
753         * JavaScriptCore.xcodeproj/project.pbxproj:
754         * b3/B3SparseCollection.h:
755         (JSC::B3::SparseCollection::packIndices): Deleted.
756         * dfg/DFGAllocator.h: Added.
757         (JSC::DFG::Allocator::Region::size):
758         (JSC::DFG::Allocator::Region::headerSize):
759         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
760         (JSC::DFG::Allocator::Region::data):
761         (JSC::DFG::Allocator::Region::isInThisRegion):
762         (JSC::DFG::Allocator::Region::regionFor):
763         (JSC::DFG::Allocator<T>::Allocator):
764         (JSC::DFG::Allocator<T>::~Allocator):
765         (JSC::DFG::Allocator<T>::allocate):
766         (JSC::DFG::Allocator<T>::free):
767         (JSC::DFG::Allocator<T>::freeAll):
768         (JSC::DFG::Allocator<T>::reset):
769         (JSC::DFG::Allocator<T>::indexOf):
770         (JSC::DFG::Allocator<T>::allocatorOf):
771         (JSC::DFG::Allocator<T>::bumpAllocate):
772         (JSC::DFG::Allocator<T>::freeListAllocate):
773         (JSC::DFG::Allocator<T>::allocateSlow):
774         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
775         (JSC::DFG::Allocator<T>::startBumpingIn):
776         * dfg/DFGDriver.cpp:
777         (JSC::DFG::compileImpl):
778         * dfg/DFGGraph.cpp:
779         (JSC::DFG::Graph::Graph):
780         (JSC::DFG::Graph::~Graph):
781         (JSC::DFG::Graph::addNodeToMapByIndex):
782         (JSC::DFG::Graph::deleteNode):
783         (JSC::DFG::Graph::packNodeIndices):
784         * dfg/DFGGraph.h:
785         (JSC::DFG::Graph::addNode):
786         (JSC::DFG::Graph::maxNodeCount):
787         (JSC::DFG::Graph::nodeAt):
788         * dfg/DFGLongLivedState.cpp: Added.
789         (JSC::DFG::LongLivedState::LongLivedState):
790         (JSC::DFG::LongLivedState::~LongLivedState):
791         (JSC::DFG::LongLivedState::shrinkToFit):
792         * dfg/DFGLongLivedState.h: Added.
793         * dfg/DFGNode.h:
794         * dfg/DFGNodeAllocator.h: Added.
795         (operator new ):
796         * dfg/DFGPlan.cpp:
797         (JSC::DFG::Plan::compileInThread):
798         (JSC::DFG::Plan::compileInThreadImpl):
799         * dfg/DFGPlan.h:
800         * dfg/DFGWorklist.cpp:
801         (JSC::DFG::Worklist::runThread):
802         * runtime/VM.cpp:
803         (JSC::VM::VM):
804         * runtime/VM.h:
805
806 2016-08-11  Mark Lam  <mark.lam@apple.com>
807
808         The jsc shell's Element host constructor should throw if it fails to construct an object.
809         https://bugs.webkit.org/show_bug.cgi?id=160773
810         <rdar://problem/27328608>
811
812         Reviewed by Saam Barati.
813
814         The Element object is a test object provided in the jsc shell for testing use only.
815         JavaScriptCore expects host constructors to either throw an error or return a
816         constructed object.  Element has a host constructor that did not obey this contract.
817         As a result, the following statement will fail a RELEASE_ASSERT:
818
819             new (Element.bind())
820
821         This is now fixed.
822
823         * jsc.cpp:
824         (functionCreateElement):
825
826 2016-08-11  Mark Lam  <mark.lam@apple.com>
827
828         Disallow synchronous sweeping for eden GCs.
829         https://bugs.webkit.org/show_bug.cgi?id=160716
830
831         Reviewed by Geoffrey Garen.
832
833         * heap/Heap.cpp:
834         (JSC::Heap::collectAllGarbage):
835         (JSC::Heap::collectAndSweep): Deleted.
836         * heap/Heap.h:
837         (JSC::Heap::collectAllGarbage): Deleted.
838         - No need for a separate collectAndSweep() anymore since we only call it for
839           FullCollections.
840         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
841           IncrementalSweeper can bail earlier when it runs later.
842
843         * heap/MarkedBlock.cpp:
844         (JSC::MarkedBlock::sweepHelper):
845         - Removed the unreachable return statement.
846
847         * heap/MarkedBlock.h:
848         - Document what "Retired" means.
849
850         * tools/JSDollarVMPrototype.cpp:
851         (JSC::JSDollarVMPrototype::edenGC):
852
853 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
854
855         [Win] Warning fix.
856         https://bugs.webkit.org/show_bug.cgi?id=160734
857
858         Reviewed by Sam Weinig.
859
860         Add static cast from int to uint32_t.
861
862         * bytecode/ArithProfile.h:
863
864 2016-08-10  Michael Saboff  <msaboff@apple.com>
865
866         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
867         https://bugs.webkit.org/show_bug.cgi?id=160749
868
869         Reviewed by Filip Pizlo.
870
871         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
872         emitPutByValWithCachedId() without linking the exception checks created by the
873         code emitted.  This manifested itself in various ways depending on the processor.
874         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
875         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
876         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
877         an absolute address of 0.
878
879         Now we save the exception handler address for the original generated function and
880         link the exception cases for these by-val stubs to this handler.
881
882         * bytecode/ByValInfo.h:
883         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
884         link to.
885
886         * jit/JIT.cpp:
887         (JSC::JIT::link): Compute the linked exception handler address and pass it to
888         the ByValInfo constructor.
889         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
890         exception handler if we have any by-val handlers.
891
892         * jit/JIT.h:
893         Added a label for the exception handler.  We'll link this later for the
894         by value handlers.
895
896         * jit/JITPropertyAccess.cpp:
897         (JSC::JIT::privateCompileGetByValWithCachedId):
898         (JSC::JIT::privateCompilePutByValWithCachedId):
899         Link exception branches to the exception handler for the main function.
900
901 2016-08-10  Mark Lam  <mark.lam@apple.com>
902
903         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
904         https://bugs.webkit.org/show_bug.cgi?id=160755
905         <rdar://problem/27488507>
906
907         Reviewed by Filip Pizlo.
908
909         If the DFG sees that an inlined function will result in an OSR exit every time,
910         it will treat all downstream blocks as dead.  However, it still needs to keep
911         locals that are alive in the bytecode alive for the compiled function so that
912         those locals are properly written to the stack by the OSR exit ramp.
913
914         The existing code neglected to do this.  This patch remedies this issue.
915
916         * dfg/DFGByteCodeParser.cpp:
917         (JSC::DFG::ByteCodeParser::flushDirect):
918         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
919         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
920         (JSC::DFG::ByteCodeParser::flushForTerminal):
921
922 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
923
924         [ES2016] Implement Object.values
925         https://bugs.webkit.org/show_bug.cgi?id=160410
926
927         Reviewed by Saam Barati, Yusuke Suzuki.
928
929         This patch adds a values function to Object that returns a list of the
930         object's own values. The patch follows the spec:
931         http://tc39.github.io/ecma262/#sec-object.values
932
933         The patch also adds generic builtin intrinsic constants,
934         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue,
935         that are used in EnumerableOwnProperties to set the kind of operation
936         and replace the iterators' own IterationKind enums in the following iterators:
937         ArrayIterator, MapIterator, and SetIterator.
938
939         * JavaScriptCore.xcodeproj/project.pbxproj:
940         * builtins/ObjectConstructor.js:
941         (globalPrivate.enumerableOwnProperties):
942         (values):
943         * bytecode/BytecodeIntrinsicRegistry.cpp:
944         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
945         * bytecode/BytecodeIntrinsicRegistry.h:
946         * inspector/JSInjectedScriptHost.cpp:
947         (Inspector::JSInjectedScriptHost::getInternalProperties):
948         * runtime/ArrayIteratorPrototype.h:
949         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
950         * runtime/JSMapIterator.h:
951         (JSC::JSMapIterator::create):
952         (JSC::JSMapIterator::next):
953         (JSC::JSMapIterator::kind):
954         (JSC::JSMapIterator::JSMapIterator):
955         * runtime/JSSetIterator.h:
956         (JSC::JSSetIterator::create):
957         (JSC::JSSetIterator::next):
958         (JSC::JSSetIterator::kind):
959         (JSC::JSSetIterator::JSSetIterator):
960         * runtime/MapPrototype.cpp:
961         (JSC::mapProtoFuncValues):
962         (JSC::mapProtoFuncEntries):
963         (JSC::mapProtoFuncKeys):
964         (JSC::privateFuncMapIterator):
965         * runtime/ObjectConstructor.cpp:
966         * runtime/SetPrototype.cpp:
967         (JSC::setProtoFuncValues):
968         (JSC::setProtoFuncEntries):
969         (JSC::privateFuncSetIterator):
970
971 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
972
973         [JSC] Speed up SparseCollection & related maps
974         https://bugs.webkit.org/show_bug.cgi?id=160733
975
976         Reviewed by Saam Barati.
977
978         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
979         This is unfortunate.
980
981         The first improvement is to build the new unique_ptr in the empty slot
982         instead of moving a new value into it.
983
984         Previously, the code would load the previous value, test if it is null
985         then invoke the destructor and finally fastFree(). The initial test
986         obviously fails so that's a whole bunch of code that is never executed.
987
988         With the new code, we just have a store.
989
990         I also removed the bounds checking on our maps based on node index.
991         Those bounds checks are never eliminated by clang because the index
992         is always loaded from memory instead of being computed.
993         There are unfortunately too many nodes processed and the bounds checks
994         get costly.
995
996         * b3/B3SparseCollection.h:
997         (JSC::B3::SparseCollection::add):
998         * dfg/DFGGraph.h:
999         (JSC::DFG::Graph::abstractValuesCache):
1000         * dfg/DFGInPlaceAbstractState.h:
1001
1002 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1003
1004         [JSC] Remove some useless code I left when rewriting CSE's large maps
1005         https://bugs.webkit.org/show_bug.cgi?id=160720
1006
1007         Reviewed by Michael Saboff.
1008
1009         * dfg/DFGCSEPhase.cpp:
1010         The maps m_worldMap && m_sideStateMap are useless. They come from the previous
1011         iteration that had weaker constraints.
1012
1013         Also move m_heapMap after m_fallbackStackMap since that is the order
1014         in which they are used in the algorithm.
1015
1016 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1017
1018         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
1019         https://bugs.webkit.org/show_bug.cgi?id=160708
1020
1021         Reviewed by Mark Lam.
1022
1023         * dfg/DFGAbstractInterpreter.h:
1024         * dfg/DFGAbstractInterpreterInlines.h:
1025         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
1026
1027 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
1028
1029         Sort the feature flags in the FEATURE_DEFINES lines
1030         https://bugs.webkit.org/show_bug.cgi?id=160742
1031
1032         Reviewed by Anders Carlsson.
1033
1034         * Configurations/FeatureDefines.xcconfig:
1035
1036 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1037
1038         [ES6] Add ModuleLoaderPrototype and move methods to it
1039         https://bugs.webkit.org/show_bug.cgi?id=160633
1040
1041         Reviewed by Saam Barati.
1042
1043         In the future, we need to add the ability to create the new Loader object (by users).
1044         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
1045         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
1046
1047         No behavior change.
1048
1049         * CMakeLists.txt:
1050         * DerivedSources.make:
1051         * JavaScriptCore.xcodeproj/project.pbxproj:
1052         * builtins/ModuleLoaderObject.js:
1053         (setStateToMax): Deleted.
1054         (newRegistryEntry): Deleted.
1055         (ensureRegistered): Deleted.
1056         (forceFulfillPromise): Deleted.
1057         (fulfillFetch): Deleted.
1058         (fulfillTranslate): Deleted.
1059         (fulfillInstantiate): Deleted.
1060         (commitInstantiated): Deleted.
1061         (instantiation): Deleted.
1062         (requestFetch): Deleted.
1063         (requestTranslate): Deleted.
1064         (requestInstantiate): Deleted.
1065         (requestResolveDependencies.): Deleted.
1066         (requestResolveDependencies): Deleted.
1067         (requestInstantiateAll): Deleted.
1068         (requestLink): Deleted.
1069         (requestReady): Deleted.
1070         (link): Deleted.
1071         (moduleEvaluation): Deleted.
1072         (provide): Deleted.
1073         (loadAndEvaluateModule): Deleted.
1074         (loadModule): Deleted.
1075         (linkAndEvaluateModule): Deleted.
1076         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1077         (setStateToMax):
1078         (newRegistryEntry):
1079         (ensureRegistered):
1080         (forceFulfillPromise):
1081         (fulfillFetch):
1082         (fulfillTranslate):
1083         (fulfillInstantiate):
1084         (commitInstantiated):
1085         (instantiation):
1086         (requestFetch):
1087         (requestTranslate):
1088         (requestInstantiate):
1089         (requestResolveDependencies.):
1090         (requestResolveDependencies):
1091         (requestInstantiateAll):
1092         (requestLink):
1093         (requestReady):
1094         (link):
1095         (moduleEvaluation):
1096         (provide):
1097         (loadAndEvaluateModule):
1098         (loadModule):
1099         (linkAndEvaluateModule):
1100         * bytecode/BytecodeIntrinsicRegistry.cpp:
1101         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1102         * jsc.cpp:
1103         (GlobalObject::moduleLoaderResolve):
1104         (GlobalObject::moduleLoaderFetch):
1105         * runtime/Completion.cpp:
1106         (JSC::loadAndEvaluateModule):
1107         (JSC::loadModule):
1108         * runtime/JSGlobalObject.cpp:
1109         (JSC::JSGlobalObject::init):
1110         (JSC::JSGlobalObject::visitChildren):
1111         * runtime/JSGlobalObject.h:
1112         (JSC::JSGlobalObject::moduleLoader):
1113         (JSC::JSGlobalObject::moduleLoaderStructure):
1114         * runtime/JSModuleLoader.cpp: Added.
1115         (JSC::JSModuleLoader::JSModuleLoader):
1116         (JSC::JSModuleLoader::finishCreation):
1117         (JSC::printableModuleKey):
1118         (JSC::JSModuleLoader::provide):
1119         (JSC::JSModuleLoader::loadAndEvaluateModule):
1120         (JSC::JSModuleLoader::loadModule):
1121         (JSC::JSModuleLoader::linkAndEvaluateModule):
1122         (JSC::JSModuleLoader::resolve):
1123         (JSC::JSModuleLoader::fetch):
1124         (JSC::JSModuleLoader::translate):
1125         (JSC::JSModuleLoader::instantiate):
1126         (JSC::JSModuleLoader::evaluate):
1127         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1128         (JSC::JSModuleLoader::create):
1129         (JSC::JSModuleLoader::createStructure):
1130         * runtime/JSModuleRecord.h:
1131         * runtime/ModuleLoaderObject.cpp: Removed.
1132         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1133         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1134         (JSC::printableModuleKey): Deleted.
1135         (JSC::ModuleLoaderObject::provide): Deleted.
1136         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1137         (JSC::ModuleLoaderObject::loadModule): Deleted.
1138         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1139         (JSC::ModuleLoaderObject::resolve): Deleted.
1140         (JSC::ModuleLoaderObject::fetch): Deleted.
1141         (JSC::ModuleLoaderObject::translate): Deleted.
1142         (JSC::ModuleLoaderObject::instantiate): Deleted.
1143         (JSC::ModuleLoaderObject::evaluate): Deleted.
1144         (JSC::moduleLoaderObjectParseModule): Deleted.
1145         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1146         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1147         (JSC::moduleLoaderObjectResolve): Deleted.
1148         (JSC::moduleLoaderObjectFetch): Deleted.
1149         (JSC::moduleLoaderObjectTranslate): Deleted.
1150         (JSC::moduleLoaderObjectInstantiate): Deleted.
1151         (JSC::moduleLoaderObjectEvaluate): Deleted.
1152         * runtime/ModuleLoaderObject.h:
1153         (JSC::ModuleLoaderObject::create): Deleted.
1154         (JSC::ModuleLoaderObject::createStructure): Deleted.
1155         * runtime/ModuleLoaderPrototype.cpp: Added.
1156         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1157         (JSC::moduleLoaderPrototypeParseModule):
1158         (JSC::moduleLoaderPrototypeRequestedModules):
1159         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1160         (JSC::moduleLoaderPrototypeResolve):
1161         (JSC::moduleLoaderPrototypeFetch):
1162         (JSC::moduleLoaderPrototypeTranslate):
1163         (JSC::moduleLoaderPrototypeInstantiate):
1164         (JSC::moduleLoaderPrototypeEvaluate):
1165         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1166         (JSC::ModuleLoaderPrototype::create):
1167         (JSC::ModuleLoaderPrototype::createStructure):
1168
1169 2016-08-09  Saam Barati  <sbarati@apple.com>
1170
1171         JSBoundFunction should lazily generate its name string
1172         https://bugs.webkit.org/show_bug.cgi?id=160678
1173         <rdar://problem/27043194>
1174
1175         Reviewed by Mark Lam.
1176
1177         We were eagerly allocating the BoundFunction's 'name' string
1178         by prepending the "bound " prefix. This patch makes the 'name'
1179         string creation lazy like we do with ordinary JSFunctions.
1180
1181         This is a 25% speedup on the microbenchmark I added that measures
1182         bound function creation speed. Hopefully this also helps us recover
1183         from a 1% Speedometer regression that was introduced in the original
1184         bound function "bound " prefixing patch.
1185
1186         * runtime/JSBoundFunction.cpp:
1187         (JSC::JSBoundFunction::create):
1188         (JSC::JSBoundFunction::JSBoundFunction):
1189         (JSC::JSBoundFunction::finishCreation):
1190         * runtime/JSBoundFunction.h:
1191         * runtime/JSFunction.cpp:
1192         (JSC::JSFunction::finishCreation):
1193         (JSC::JSFunction::getOwnPropertySlot):
1194         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1195         (JSC::JSFunction::put):
1196         (JSC::JSFunction::deleteProperty):
1197         (JSC::JSFunction::defineOwnProperty):
1198         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1199         (JSC::JSFunction::reifyBoundNameIfNeeded):
1200         * runtime/JSFunction.h:
1201
1202 2016-08-09  George Ruan  <gruan@apple.com>
1203
1204         Implement functionality of media capture on iOS
1205         https://bugs.webkit.org/show_bug.cgi?id=158945
1206         <rdar://problem/26893343>
1207
1208         Reviewed by Tim Horton.
1209
1210         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1211         for iOS.
1212
1213 2016-08-09  Saam Barati  <sbarati@apple.com>
1214
1215         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1216         https://bugs.webkit.org/show_bug.cgi?id=160671
1217         <rdar://problem/27756112>
1218
1219         Reviewed by Mark Lam.
1220
1221         There was a bug in our captured variable analysis when a function has a default
1222         parameter expression that is a function that captures something from the parent scope.
1223         The bug was that we were relying on the SourceProviderCache to succeed for the
1224         analysis to work. This is obviously wrong. I've fixed this to work regardless
1225         of getting a cache hit. To prevent future bugs that rely on the success of the
1226         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1227
1228         * parser/Parser.cpp:
1229         (JSC::Parser<LexerType>::parseFunctionInfo):
1230         * parser/Parser.h:
1231         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1232         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1233         (JSC::Scope::collectFreeVariables):
1234         * runtime/Options.h:
1235
1236 2016-08-08  Mark Lam  <mark.lam@apple.com>
1237
1238         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1239         https://bugs.webkit.org/show_bug.cgi?id=160666
1240
1241         Reviewed by Keith Miller.
1242
1243         This assertion is benign.  JSFinalObject::visitChildren() calls
1244         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1245         later passes it to visitor.appendValuesHidden() with a previously computed
1246         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1247         However, before we get there, JSObject::inlineStorage() will be asserting
1248         hasInlineStorage() and this assertion will fail when storageSize is 0.
1249
1250         We can fix this assertion failure by simply adding a storageSize check before
1251         calling hasInlineStorage() and visitor.appendValuesHidden().
1252
1253         * runtime/JSObject.cpp:
1254         (JSC::JSFinalObject::visitChildren):
1255
1256 2016-08-08  Brian Burg  <bburg@apple.com>
1257
1258         Web Inspector: clean up prefixing of Automation protocol generated files
1259         https://bugs.webkit.org/show_bug.cgi?id=160635
1260         <rdar://problem/27735327>
1261
1262         Reviewed by Timothy Hatcher.
1263
1264         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1265
1266         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1267         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1268
1269         * inspector/scripts/codegen/cpp_generator.py:
1270         (CppGenerator.protocol_name):
1271         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1272         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1273         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1274         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1275         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1276
1277         * inspector/scripts/codegen/models.py:
1278         * inspector/scripts/codegen/objc_generator.py:
1279         (ObjCGenerator.protocol_name):
1280
1281         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1282         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1283         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1284         * inspector/scripts/tests/expected/enum-values.json-result:
1285         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1286         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1287         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1288         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1289         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1290         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1291         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1292         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1293         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1294         Rebaseline test results.
1295
1296 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1297
1298         [ES6] Module namespace object should not allow unset IC
1299         https://bugs.webkit.org/show_bug.cgi?id=160553
1300
1301         Reviewed by Saam Barati.
1302
1303         Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
1304         the structure. We should disable inline caching on the namespace object. Once it is needed, we should
1305         create special caching for the namespace object like the following: it should be similar to a monomorphic IC,
1306         but it caches the object itself instead of the structure. It checks the object itself (and in DFG, it should be
1307         CheckCell) and loads the value from the target module environment directly[1].
1308
1309         This patch also sets setIsTaintedByProxy for the module namespace object to notify the caller that
1310         this object has an impure ::getOwnPropertySlot. This function is now renamed to setIsTaintedByOpaqueObject.
1311
1312         We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
1313         for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So, in order not to throw any
1314         errors for the ::HasProperty case, we used slot.setCustom to delay the observable operation.
1315         But this hack lacks support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
1316         However, the previous implementation does not throw an error since the delayed observable part (the custom function part) is
1317         skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
1318         in test262.
1319
1320         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1321
1322         * jit/JITOperations.cpp:
1323         * runtime/ArrayPrototype.cpp:
1324         (JSC::getProperty):
1325         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1326         (JSC::constructGenericTypedArrayViewWithArguments):
1327         * runtime/JSModuleNamespaceObject.cpp:
1328         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1329         (JSC::callbackGetter): Deleted.
1330         * runtime/JSModuleNamespaceObject.h:
1331         * runtime/PropertySlot.cpp:
1332         (JSC::PropertySlot::getPureResult):
1333         * runtime/PropertySlot.h:
1334         (JSC::PropertySlot::PropertySlot):
1335         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1336         (JSC::PropertySlot::isTaintedByOpaqueObject):
1337         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1338         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1339         * runtime/ProxyObject.cpp:
1340         (JSC::ProxyObject::getOwnPropertySlotCommon):
1341
1342 2016-08-05  Keith Miller  <keith_miller@apple.com>
1343
1344         Add LEBDecoder and tests
1345         https://bugs.webkit.org/show_bug.cgi?id=160625
1346
1347         Reviewed by Benjamin Poulain.
1348
1349         Adds a new target testWASM that is currently used to test the LEB decoder.
1350         In the future, if we add more support for WASM we will put more tests
1351         here.
1352
1353         * JavaScriptCore.xcodeproj/project.pbxproj:
1354         * testWASM.cpp: Added.
1355         (CommandLine::CommandLine):
1356         (printUsageStatement):
1357         (CommandLine::parseArguments):
1358         (runLEBTests):
1359         (main):
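
An added example, not WebKit's LEBDecoder and not part of the entry above: a bounds-checked LEB128 decoder of the kind a WebAssembly binary parser needs, written in plain JavaScript over a Uint8Array. The function names, the 32-bit default width and the sample bytes are my choices; it is exact only for widths up to 53 bits (wider values would need BigInt). It rejects truncated, overlong and out-of-range encodings with a RangeError instead of silently wrapping, which is the check a parser of untrusted module bytes needs.

```javascript
// Added example (not WebKit code): bounds-checked LEB128 decoding for a
// WebAssembly-style binary parser. Each decoder takes a Uint8Array and an
// offset and returns { value, length }, or throws a RangeError on truncated,
// overlong, or out-of-range input. Exact for maxBits <= 53 (double precision).

function decodeULEB128(bytes, offset = 0, maxBits = 32) {
  const maxBytes = Math.ceil(maxBits / 7); // 5 bytes for a varuint32
  let result = 0;
  let shift = 0;
  let pos = offset;
  let b;
  do {
    if (pos >= bytes.length) throw new RangeError("truncated LEB128");
    if (pos - offset >= maxBytes) throw new RangeError("overlong LEB128");
    b = bytes[pos++];
    // Multiply instead of shifting so values above 2^31 stay exact.
    result += (b & 0x7f) * 2 ** shift;
    shift += 7;
  } while (b & 0x80);
  // Catches padding bits set in the final byte (e.g. 0x1f as the 5th byte).
  if (result > 2 ** maxBits - 1) throw new RangeError("LEB128 exceeds " + maxBits + " bits");
  return { value: result, length: pos - offset };
}

function decodeSLEB128(bytes, offset = 0, maxBits = 32) {
  const maxBytes = Math.ceil(maxBits / 7);
  let result = 0;
  let shift = 0;
  let pos = offset;
  let b;
  do {
    if (pos >= bytes.length) throw new RangeError("truncated LEB128");
    if (pos - offset >= maxBytes) throw new RangeError("overlong LEB128");
    b = bytes[pos++];
    result += (b & 0x7f) * 2 ** shift;
    shift += 7;
  } while (b & 0x80);
  // Bit 6 of the final byte is the sign bit: sign-extend over the bits consumed.
  if (b & 0x40) result -= 2 ** shift;
  const lo = -(2 ** (maxBits - 1));
  const hi = 2 ** (maxBits - 1) - 1;
  if (result < lo || result > hi) throw new RangeError("LEB128 exceeds " + maxBits + " bits");
  return { value: result, length: pos - offset };
}

// Decode consecutive unsigned values (counts, indices, sizes) until the
// buffer is exhausted; a value cut off at the end surfaces as a RangeError.
function decodeULEB128Sequence(bytes) {
  const values = [];
  let pos = 0;
  while (pos < bytes.length) {
    const { value, length } = decodeULEB128(bytes, pos);
    values.push(value);
    pos += length;
  }
  return values;
}

// Helper for checking the error paths without a test framework.
function throwsRangeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof RangeError; }
}

// Constructed sample input: the values 2, 624485 (0xE5 0x8E 0x26) and 127.
const sampleBytes = new Uint8Array([0x02, 0xe5, 0x8e, 0x26, 0x7f]);
```

A real parser would pass the offset returned by each call into the next one, as decodeULEB128Sequence does, and would keep the maxBytes check: without it an attacker-controlled buffer can feed an unbounded run of continuation bytes.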
1360
1361 2016-08-05  Keith Miller  <keith_miller@apple.com>
1362
1363         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1364         https://bugs.webkit.org/show_bug.cgi?id=160620
1365
1366         Reviewed by Filip Pizlo.
1367
1368         * dfg/DFGSpeculativeJIT32_64.cpp:
1369         (JSC::DFG::SpeculativeJIT::compile):
1370
1371 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1372
1373         [JSC] Remove the first LocalCSE
1374         https://bugs.webkit.org/show_bug.cgi?id=160615
1375
1376         Reviewed by Saam Barati.
1377
1378         LocalCSE is the most expensive phase in DFG (excluding FTL).
1379
1380         The combination of two LocalCSEs does not seem to pay for its cost.
1381         Doing a single LocalCSE after ConstantFolding and StrengthReduction
1382         is always a win on my machine.
1383
1384         * dfg/DFGCleanUpPhase.cpp:
1385         (JSC::DFG::CleanUpPhase::run):
1386         * dfg/DFGPlan.cpp:
1387         (JSC::DFG::Plan::compileInThreadImpl):
1388
1389 2016-08-05  Saam Barati  <sbarati@apple.com>
1390
1391         various math operations don't properly check for an exception after calling toNumber() on the lhs
1392         https://bugs.webkit.org/show_bug.cgi?id=160154
1393
1394         Reviewed by Mark Lam.
1395
1396         We must check for an exception after calling toNumber() on the lhs
1397         because this can throw an exception. If we called toNumber() on
1398         the rhs without first checking for an exception after the toNumber()
1399         on the lhs, this can lead us to execute effectful code or deviate
1400         from the standard in subtle ways. I fixed this bug in various places
1401         by always checking for an exception after calling toNumber() on the
1402         lhs for the various bit and arithmetic operations.
1403
1404         This patch also found a commutativity bug inside DFGStrengthReduction.
1405         We could end up commuting the lhs and rhs of say an "|" expression
1406         even when the lhs/rhs may not be numbers. This is wrong because
1407         executing toNumber() on the lhs/rhs has strict ordering guarantees
1408         by the specification and is observable by user programs.
1409
1410         * dfg/DFGOperations.cpp:
1411         * dfg/DFGStrengthReductionPhase.cpp:
1412         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1413         * jit/JITOperations.cpp:
1414         * runtime/CommonSlowPaths.cpp:
1415         (JSC::SLOW_PATH_DECL):
1416         * runtime/Operations.cpp:
1417         (JSC::jsAddSlowCase):
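
An added example, not JSC source and not part of the entry above, that makes the ordering guarantee it relies on observable from script. ECMAScript converts the left operand before the right one for every binary arithmetic and bitwise operator, so a valueOf hook on each side records exactly which conversions ran and in what order. It uses only standard language features, so it runs in any engine; the operator table, the helper names and the iteration count are my choices.

```javascript
// Added example (not JSC code): observe ToNumber ordering for binary operators.
// A conforming engine converts lhs first; if lhs.valueOf throws, rhs.valueOf
// must never run, and if rhs.valueOf throws, lhs.valueOf has already run once.
const ops = {
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  div: (a, b) => a / b,
  mod: (a, b) => a % b,
  bitOr: (a, b) => a | b,
  bitAnd: (a, b) => a & b,
  bitXor: (a, b) => a ^ b,
  shl: (a, b) => a << b,
  shr: (a, b) => a >> b,
  ushr: (a, b) => a >>> b,
};

// Apply one operator with the named side throwing from valueOf; record which
// hooks fired. Both operands are objects so ToPrimitive must call valueOf.
function probe(op, throwingSide) {
  const calls = [];
  const make = (name) => ({
    valueOf() {
      calls.push(name);
      if (name === throwingSide) throw new Error(name + " threw");
      return 1;
    },
  });
  let threw = false;
  try {
    op(make("lhs"), make("rhs"));
  } catch (e) {
    threw = true;
  }
  return { threw, calls };
}

// Expected on a conforming engine: lhs throwing -> ["lhs"];
// rhs throwing -> ["lhs", "rhs"]. A commuted or unchecked evaluation order
// shows up as ["rhs", "lhs"] or as ["lhs", "rhs"] in the lhs-throwing case.
function isConforming(op) {
  const l = probe(op, "lhs");
  const r = probe(op, "rhs");
  return l.threw && l.calls.join() === "lhs"
      && r.threw && r.calls.join() === "lhs,rhs";
}

// Repeat so that optimizing tiers compile the operators too (the entry above
// touches the JIT slow paths and DFG strength reduction, not just the
// interpreter). Returns the names of operators that violated the ordering.
function checkAllTiers(iterations = 5000) {
  const failures = [];
  for (const [name, op] of Object.entries(ops)) {
    for (let i = 0; i < iterations; i++) {
      if (!isConforming(op)) {
        failures.push(name);
        break;
      }
    }
  }
  return failures; // empty on a conforming engine
}
```

Running checkAllTiers() under a jsc shell with a low tier-up threshold is the quickest way to exercise the DFG and FTL paths; in node it simply confirms the interpreter and JIT agree.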
1418
1419 2016-08-05  Michael Saboff  <msaboff@apple.com>
1420
1421         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1422         https://bugs.webkit.org/show_bug.cgi?id=160614
1423
1424         Reviewed by Keith Miller.
1425
1426         In compilePutByValForIntTypedArray() we were calling out to the slow path
1427         operationToInt32() and then returning back to the middle of code to finish
1428         the processing of writing the value to the array.  When we make the slow
1429         path call, we trash any temporary registers that have been allocated.
1430         In general slow path calls should finish the operation in progress and
1431         continue processing at the beginning of the next node.
1432
1433         This was discovered while working on the register argument changes, when
1434         we SpeculateStrictInt32Operand on the value child node.  That child node's
1435         value was live in register with a spill format of DataFormatJSInt32.  In that
1436         case we allocate a new temporary register and copy just the lower 32 bits from
1437         the child register to the new temp register.  That temp register gets trashed
1438         when we make the operationToInt32() slow path call.
1439
1440         I spent some time trying to devise a test with the current code base and wasn't
1441         successful.  This case is tested with the register argument changes in progress.
1442
1443         * dfg/DFGSpeculativeJIT.cpp:
1444         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1445
1446 2016-08-05  Saam Barati  <sbarati@apple.com>
1447
1448         Assertion failure when accessing TDZ variable in catch through eval
1449         https://bugs.webkit.org/show_bug.cgi?id=160554
1450
1451         Reviewed by Mark Lam and Keith Miller.
1452
1453         When we were calculating the variables under TDZ from a JSScope,
1454         the algorithm was not taking into account that a catch scope
1455         has variables under TDZ.
1456
1457         * runtime/JSScope.cpp:
1458         (JSC::JSScope::collectVariablesUnderTDZ):
1459
1460 2016-08-05  Keith Miller  <keith_miller@apple.com>
1461
1462         Delete out of date WASM code.
1463         https://bugs.webkit.org/show_bug.cgi?id=160603
1464
1465         Reviewed by Saam Barati.
1466
1467         This patch removes a bunch of the wasm files that we are unlikely to use
1468         with the newer wasm spec. If we end up needing any of the deleted code
1469         later we can restore it at that time.
1470
1471         * CMakeLists.txt:
1472         * JavaScriptCore.xcodeproj/project.pbxproj:
1473         * jit/JITOperations.cpp:
1474         * jsc.cpp:
1475         (GlobalObject::finishCreation): Deleted.
1476         (functionLoadWebAssembly): Deleted.
1477         * llint/LLIntSlowPaths.cpp:
1478         (JSC::LLInt::setUpCall): Deleted.
1479         * runtime/Executable.cpp:
1480         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1481         * runtime/JSGlobalObject.cpp:
1482         (JSC::JSGlobalObject::init): Deleted.
1483         (JSC::JSGlobalObject::visitChildren): Deleted.
1484         * runtime/JSGlobalObject.h:
1485         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1486         * wasm/WASMConstants.h: Removed.
1487         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1488         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1489         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1490         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1491         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1492         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1493         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1494         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1495         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1496         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1497         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1498         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1499         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1500         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1501         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1502         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1503         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1504         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1505         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1506         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1507         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1508         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1509         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1510         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1511         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1512         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1513         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1514         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1515         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1516         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1517         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1518         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1519         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1520         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1521         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1522         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1523         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1524         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1525         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1526         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1527         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1528         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1529         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1530         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1531         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1532         * wasm/WASMFunctionCompiler.h: Removed.
1533         (JSC::operationConvertJSValueToInt32): Deleted.
1534         (JSC::operationConvertJSValueToDouble): Deleted.
1535         (JSC::operationDiv): Deleted.
1536         (JSC::operationMod): Deleted.
1537         (JSC::operationUnsignedDiv): Deleted.
1538         (JSC::operationUnsignedMod): Deleted.
1539         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1540         (JSC::sizeOfMemoryType): Deleted.
1541         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1542         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1543         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1544         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1545         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1546         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1547         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1548         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1549         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1550         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1551         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1552         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1553         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1554         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1555         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1556         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1557         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1558         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1559         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1560         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1561         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1562         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1563         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1564         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1565         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1566         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1567         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1568         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1569         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1570         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1571         (JSC::WASMFunctionCompiler::discard): Deleted.
1572         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1573         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1574         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1575         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1576         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1577         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1578         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1579         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1580         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1581         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1582         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1583         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1584         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1585         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1586         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1587         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1588         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1589         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1590         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1591         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1592         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1593         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1594         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1595         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1596         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1597         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1598         * wasm/WASMFunctionParser.cpp: Removed.
1599         (JSC::nameOfType): Deleted.
1600         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1601         (JSC::WASMFunctionParser::compile): Deleted.
1602         (JSC::WASMFunctionParser::parseFunction): Deleted.
1603         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1604         (JSC::WASMFunctionParser::parseStatement): Deleted.
1605         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1606         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1607         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1608         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1609         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1610         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1611         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1612         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1613         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1614         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1615         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1616         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1617         (JSC::WASMFunctionParser::parseExpression): Deleted.
1618         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1619         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1620         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1621         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1622         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1623         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1624         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1625         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1626         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1627         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1628         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1629         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1630         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1631         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1632         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1633         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1634         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1635         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1636         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1637         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1638         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1639         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1640         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1641         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1642         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1643         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1644         (JSC::WASMFunctionParser::parseLoad): Deleted.
1645         (JSC::WASMFunctionParser::parseStore): Deleted.
1646         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1647         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1648         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1649         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1650         (JSC::WASMFunctionParser::parseConditional): Deleted.
1651         (JSC::WASMFunctionParser::parseComma): Deleted.
1652         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1653         * wasm/WASMFunctionParser.h: Removed.
1654         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1655         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1656         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1657         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1658         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1659         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1660         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1661         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1662         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1663         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1664         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1665         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1666         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1667         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1668         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1669         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1670         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1671         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1672         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1673         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1674         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1675         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1676         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1677         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1678         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1679         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1680         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1681         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1682         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1683         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1684         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1685         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1686         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1687         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1688         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1689         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1690         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1691         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1692         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1693         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1694         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1695         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1696         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1697         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1698         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1699         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1700         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1701         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1702         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1703         * wasm/WASMModuleParser.cpp: Removed.
1704         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1705         (JSC::WASMModuleParser::parse): Deleted.
1706         (JSC::WASMModuleParser::parseModule): Deleted.
1707         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1708         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1709         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1710         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1711         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1712         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1713         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1714         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1715         (JSC::WASMModuleParser::parseExportSection): Deleted.
1716         (JSC::WASMModuleParser::getImportedValue): Deleted.
1717         (JSC::parseWebAssembly): Deleted.
1718         * wasm/WASMModuleParser.h: Removed.
1719         * wasm/WASMReader.cpp: Removed.
1720         (JSC::WASMReader::readUInt32): Deleted.
1721         (JSC::WASMReader::readFloat): Deleted.
1722         (JSC::WASMReader::readDouble): Deleted.
1723         (JSC::WASMReader::readCompactInt32): Deleted.
1724         (JSC::WASMReader::readCompactUInt32): Deleted.
1725         (JSC::WASMReader::readString): Deleted.
1726         (JSC::WASMReader::readType): Deleted.
1727         (JSC::WASMReader::readExpressionType): Deleted.
1728         (JSC::WASMReader::readExportFormat): Deleted.
1729         (JSC::WASMReader::readByte): Deleted.
1730         (JSC::WASMReader::readOpStatement): Deleted.
1731         (JSC::WASMReader::readOpExpressionI32): Deleted.
1732         (JSC::WASMReader::readOpExpressionF32): Deleted.
1733         (JSC::WASMReader::readOpExpressionF64): Deleted.
1734         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1735         (JSC::WASMReader::readVariableTypes): Deleted.
1736         (JSC::WASMReader::readOp): Deleted.
1737         (JSC::WASMReader::readSwitchCase): Deleted.
1738         * wasm/WASMReader.h: Removed.
1739         (JSC::WASMReader::WASMReader): Deleted.
1740         (JSC::WASMReader::offset): Deleted.
1741         (JSC::WASMReader::setOffset): Deleted.
1742
1743 2016-08-05  Keith Miller  <keith_miller@apple.com>
1744
1745         Fix 32-bit OverridesHasInstance in the DFG.
1746         https://bugs.webkit.org/show_bug.cgi?id=160600
1747
1748         Reviewed by Mark Lam.
1749
1750         In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
1751         do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
1752         was a constant late in compilation. That fix was omitted from the 32-bit version,
1753         causing the new test to fail.
1754
1755         * dfg/DFGSpeculativeJIT32_64.cpp:
1756         (JSC::DFG::SpeculativeJIT::compile):
1757
1758 2016-08-04  Saam Barati  <sbarati@apple.com>
1759
1760         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1761         https://bugs.webkit.org/show_bug.cgi?id=151241
1762
1763         Reviewed by Benjamin Poulain.
1764
1765         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
1766         We can now jettison a CodeBlock when it has been alive for a long time
1767         and is only pointed to by its owner executable. I haven't been able to get this
1768         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
1769         were causing this before. I've also added some stress options for this feature that
1770         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
1771         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
1772         and then the Executable would do some other allocations, causing a GC, immediately causing
1773         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before,
1774         however, it's unlikely given that the previous timing metrics require at least 5 seconds between
1775         compiling to jettisoning.
1776
1777         This patch also enables the stress options for various modes
1778         of JSC stress tests.
1779
1780         * bytecode/CodeBlock.cpp:
1781         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1782         (JSC::timeToLive):
1783         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1784         * interpreter/CallFrame.h:
1785         (JSC::ExecState::callee):
1786         (JSC::ExecState::unsafeCallee):
1787         (JSC::ExecState::codeBlock):
1788         (JSC::ExecState::addressOfCodeBlock):
1789         (JSC::ExecState::unsafeCodeBlock):
1790         (JSC::ExecState::scope):
1791         * interpreter/Interpreter.cpp:
1792         (JSC::Interpreter::execute):
1793         (JSC::Interpreter::executeCall):
1794         (JSC::Interpreter::executeConstruct):
1795         (JSC::Interpreter::prepareForRepeatCall):
1796         * jit/JITOperations.cpp:
1797         * llint/LLIntSlowPaths.cpp:
1798         (JSC::LLInt::setUpCall):
1799         * runtime/Executable.cpp:
1800         (JSC::ScriptExecutable::installCode):
1801         (JSC::setupJIT):
1802         (JSC::ScriptExecutable::prepareForExecutionImpl):
1803         * runtime/Executable.h:
1804         (JSC::ScriptExecutable::prepareForExecution):
1805         * runtime/Options.h:
1806
1807 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1808
1809         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1810         https://bugs.webkit.org/show_bug.cgi?id=160549
1811
1812         Reviewed by Saam Barati.
1813
1814         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1815
1816         * runtime/JSModuleNamespaceObject.cpp:
1817         (JSC::JSModuleNamespaceObject::finishCreation):
1818
1819 2016-08-04  Keith Miller  <keith_miller@apple.com>
1820
1821         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1822         https://bugs.webkit.org/show_bug.cgi?id=160562
1823         <rdar://problem/27704825>
1824
1825         Reviewed by Mark Lam.
1826
1827         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1828         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1829         associated with the assumption that this could not happen.
1830
1831         * dfg/DFGSpeculativeJIT64.cpp:
1832         (JSC::DFG::SpeculativeJIT::compile):
1833         * ftl/FTLLowerDFGToB3.cpp:
1834         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1835
1836 2016-08-04  Keith Miller  <keith_miller@apple.com>
1837
1838         Remove unused intrinsic member of NativeExecutable
1839         https://bugs.webkit.org/show_bug.cgi?id=160560
1840
1841         Reviewed by Saam Barati.
1842
1843         NativeExecutable has an Intrinsic member. It appears that this member is never
1844         used. Instead we use the Intrinsic member of NativeExecutable's super class,
1845         ExecutableBase.
1846
1847         * runtime/Executable.h:
1848
1849 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
1850
1851         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
1852         https://bugs.webkit.org/show_bug.cgi?id=160539
1853
1854         Reviewed by Mark Lam.
1855
1856         This patch does small improvements to our handling
1857         of value propagation to the successors.
1858
1859         One key insight is that using HashMap to map Nodes
1860         to Value in valuesAtTail is too inefficient at the scale
1861         we use it. Instead, I reuse our existing mapping
1862         from every Node to its value, abstracted by forNode().
1863
1864         Since we are not going to use the mapping after endBasicBlock()
1865         I can replace whatever we had there. The next beginBasicBlock()
1866         will set up the new value as needed.
1867
1868         In endBasicBlock(), valuesAtTail is now a vector of all values live
1869         at tail. For each node, I merge the previous live at tail with
1870         the new value, then replace the value in the mapping.
1871         Liveness Analysis guarantees we won't have duplicates there, which
1872         makes the replacement sound.
1873
1874         Next, when propagating, I take the vector of values live at head
1875         and use the global node->value mapping to find its new abstract value.
1876         Again, Liveness Analysis guarantees I won't find a value live at head
1877         that was not replaced by the merging at tail of the predecessor.
1878
1879         All our live lists have become vectors instead of HashTables.
1880         The mapping from Node to Value is always done by array indexing.
1881         Same big-O, much smaller constant.
1882
1883         * dfg/DFGAtTailAbstractState.cpp:
1884         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
1885         (JSC::DFG::AtTailAbstractState::createValueForNode):
1886         (JSC::DFG::AtTailAbstractState::forNode):
1887         * dfg/DFGAtTailAbstractState.h:
1888         I did not look much into this state, I just made it equivalent
1889         to the previous mapping.
1890
1891         * dfg/DFGBasicBlock.h:
1892         * dfg/DFGCFAPhase.cpp:
1893         (JSC::DFG::CFAPhase::performBlockCFA):
1894         * dfg/DFGGraph.cpp:
1895         (JSC::DFG::Graph::dump):
1896         * dfg/DFGInPlaceAbstractState.cpp:
1897         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1898
1899         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1900         AbstractValue is big enough that we really don't want to copy it twice.
1901
1902         (JSC::DFG::InPlaceAbstractState::merge):
1903         (JSC::DFG::setLiveValues): Deleted.
1904         * dfg/DFGInPlaceAbstractState.h:
1905
1906         * dfg/DFGPhiChildren.h:
1907         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
1908
1909 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1910
1911         [ES7] Update features.json for exponentiation expression
1912         https://bugs.webkit.org/show_bug.cgi?id=160541
1913
1914         Reviewed by Mark Lam.
1915
1916         * features.json:
1917
1918 2016-08-03  Chris Dumez  <cdumez@apple.com>
1919
1920         Drop DocumentType.internalSubset attribute
1921         https://bugs.webkit.org/show_bug.cgi?id=160530
1922
1923         Reviewed by Alex Christensen.
1924
1925         Drop DocumentType.internalSubset attribute.
1926
1927         * inspector/protocol/DOM.json:
1928
1929 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
1930
1931         [JSC] Improve the memory locality of DFG Node's AbstractValues
1932         https://bugs.webkit.org/show_bug.cgi?id=160443
1933
1934         Reviewed by Mark Lam.
1935
1936         The AbstractInterpreter spends a lot of time on memory operations
1937         for AbstractValues. This patch attempts to improve the situation
1938         by putting the values closer together in memory.
1939
1940         First, AbstractValue is moved out of DFG::Node and is kept in
1941         a vector addressed by node indices.
1942
1943         I initially moved them to InPlaceAbstractState but I quickly discovered
1944         initializing the values in the vector was costly.
1945         I moved the vector to Graph as a cache shared by every instantiation of
1946         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
1947         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
1948         should also help eventually.
1949
1950         I instrumented CFA to find how packed SparseCollection is.
1951         The answer is it can be very sparse, which is bad for CFA.
1952         I added packIndices() to repack the collection before running
1953         liveness since that's where we start using the memory intensively.
1954         This is a measurable improvement but it implies we can no longer
1955         keep indices on a side channel between phases since they may change.
1956
1957         * b3/B3SparseCollection.h:
1958         (JSC::B3::SparseCollection::packIndices):
1959         * dfg/DFGGraph.cpp:
1960         (JSC::DFG::Graph::packNodeIndices):
1961         * dfg/DFGGraph.h:
1962         (JSC::DFG::Graph::abstractValuesCache):
1963         * dfg/DFGInPlaceAbstractState.cpp:
1964         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
1965         * dfg/DFGInPlaceAbstractState.h:
1966         (JSC::DFG::InPlaceAbstractState::forNode):
1967         * dfg/DFGLivenessAnalysisPhase.cpp:
1968         (JSC::DFG::performLivenessAnalysis):
1969         * dfg/DFGNode.h:
1970
1971 2016-08-03  Caitlin Potter  <caitp@igalia.com>
1972
1973         Clarify SyntaxErrors around yield and unskip tests
1974         https://bugs.webkit.org/show_bug.cgi?id=158460
1975
1976         Reviewed by Saam Barati.
1977
1978         Fix and unskip tests which erroneously asserted that `yield` is not a
1979         valid BindingIdentifier, and improve error message for YieldExpressions
1980         occurring in Arrow formal parameters.
1981
1982         * parser/Parser.cpp:
1983         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
1984         (JSC::Parser<LexerType>::parseFunctionInfo):
1985         (JSC::Parser<LexerType>::parseYieldExpression):
1986         * parser/Parser.h:
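        As an added example (not WebKit code; the helper names are invented), the cases
        this entry distinguishes can be checked from script by handing each source text to
        Function(), which parses it independently and in sloppy mode unless the body opts
        into strict mode:

```javascript
// Added example, not JSC code: which uses of `yield` parse.
// Function() parses each body on its own, so a SyntaxError in one case does not
// affect the others and the surrounding file's strictness does not leak in.
function parseResult(src) {
  try {
    new Function(src);
    return "ok";
  } catch (e) {
    return e.constructor.name;  // "SyntaxError" when the body does not parse
  }
}

// Constructed cases:
//  - in sloppy, non-generator code `yield` is an ordinary BindingIdentifier;
//  - inside a generator body `yield` is an expression;
//  - a YieldExpression inside arrow formal parameters is a SyntaxError;
//  - `yield` is a reserved word in strict mode code.
const YIELD_CASES = {
  sloppyBinding: "var yield = 1; return yield;",
  generatorExpression: "function* g() { const x = yield 1; return x; }",
  yieldInArrowParams: "function* g() { (a = yield 1) => a; }",
  strictBinding: "'use strict'; var yield = 1;",
};

// Maps each case name to "ok" or the thrown error's constructor name.
function classifyYieldCases() {
  const out = {};
  for (const [name, src] of Object.entries(YIELD_CASES))
    out[name] = parseResult(src);
  return out;
}
```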
1987
1988 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
1989
1990         REGRESSION(r203368): broke some test262 tests
1991         https://bugs.webkit.org/show_bug.cgi?id=160479
1992
1993         Reviewed by Mark Lam.
1994         
1995         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
1996         Accessor properties.
1997
1998         * runtime/Structure.cpp:
1999         (JSC::Structure::nonPropertyTransition):
2000         * runtime/StructureTransitionTable.h:
2001         (JSC::setsDontDeleteOnAllProperties):
2002         (JSC::setsReadOnlyOnNonAccessorProperties):
2003         (JSC::setsReadOnlyOnAllProperties): Deleted.
2004
2005 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
2006
2007         Lacking support on an arm-traditional disassembler.
2008         https://bugs.webkit.org/show_bug.cgi?id=123717
2009
2010         Reviewed by Mark Lam.
2011
2012         * CMakeLists.txt:
2013         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
2014         (JSC::tryToDisassemble):
2015
2016 2016-08-03  Saam Barati  <sbarati@apple.com>
2017
2018         Implement nested rest destructuring w.r.t the ES7 spec
2019         https://bugs.webkit.org/show_bug.cgi?id=160423
2020
2021         Reviewed by Filip Pizlo.
2022
2023         The spec has updated the BindingRestElement grammar production to be:
2024         BindingRestElement:
2025            BindingIdentifier
2026            BindingPattern.
2027
2028         It used to only allow BindingIdentifier in the grammar production.
2029         I've updated our engine to account for this. The semantics are exactly
2030         what you'd expect.  For example:
2031         `let [a, ...[b, ...c]] = expr();`
2032         means that we create an array for the first rest element `...[b, ...c]`
2033         and then perform the binding of `[b, ...c]` to that array. And so on, 
2034         applied recursively through the pattern.
2035
2036         * bytecompiler/NodesCodegen.cpp:
2037         (JSC::RestParameterNode::collectBoundIdentifiers):
2038         (JSC::RestParameterNode::toString):
2039         (JSC::RestParameterNode::bindValue):
2040         (JSC::RestParameterNode::emit):
2041         * parser/ASTBuilder.h:
2042         (JSC::ASTBuilder::createBindingLocation):
2043         (JSC::ASTBuilder::createRestParameter):
2044         (JSC::ASTBuilder::createAssignmentElement):
2045         * parser/NodeConstructors.h:
2046         (JSC::AssignmentElementNode::AssignmentElementNode):
2047         (JSC::RestParameterNode::RestParameterNode):
2048         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2049         * parser/Nodes.h:
2050         (JSC::RestParameterNode::name): Deleted.
2051         * parser/Parser.cpp:
2052         (JSC::Parser<LexerType>::parseDestructuringPattern):
2053         (JSC::Parser<LexerType>::parseFormalParameters):
2054         * parser/SyntaxChecker.h:
2055         (JSC::SyntaxChecker::operatorStackPop):
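
As an added illustration (not part of the WebKit patch), the recursive binding semantics described in this entry written out as a small pattern interpreter and checked against the engine's own nested rest destructuring. The `bindPattern`/`bindTarget` helpers and their pattern encoding are constructed for this example and are not JSC's AST.

```javascript
// Added example: a tiny interpreter for array binding patterns that mirrors
// the semantics described above. A pattern is encoded as an array whose
// elements are either a string (a BindingIdentifier), a nested array
// (a BindingPattern), or { rest: <identifier or nested pattern> }.
// This encoding is constructed for the example and is not JSC's AST.
function bindPattern(pattern, value, bindings = {}) {
  const items = Array.from(value);          // iterate the value once
  for (let i = 0; i < pattern.length; i++) {
    const element = pattern[i];
    if (element !== null && typeof element === 'object' && 'rest' in element) {
      // BindingRestElement: collect the remaining items into a fresh array,
      // then bind the target (identifier *or* pattern) to that array.
      const restArray = items.slice(i);
      bindTarget(element.rest, restArray, bindings);
      break;                                 // a rest element must be last
    }
    bindTarget(element, items[i], bindings);
  }
  return bindings;
}

function bindTarget(target, value, bindings) {
  if (typeof target === 'string') {
    bindings[target] = value;                // BindingIdentifier
  } else {
    // Nested BindingPattern: recurse. Destructuring undefined/null throws,
    // matching `let [x] = undefined` in the language.
    if (value == null) throw new TypeError('cannot destructure ' + value);
    bindPattern(target, value, bindings);
  }
}

// The example from the entry, evaluated natively by the engine...
function nativeNestedRest(expr) {
  let [a, ...[b, ...c]] = expr;
  return { a, b, c };
}

// ...and through the interpreter, using the encoded pattern [a, ...[b, ...c]].
function interpretedNestedRest(expr) {
  return bindPattern(['a', { rest: ['b', { rest: 'c' }] }], expr);
}
```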
2056
2057 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
2058
2059         [JSC] Fix Windows build after r204065
2060
2061         * dfg/DFGAbstractValue.cpp:
2062         (JSC::DFG::AbstractValue::observeTransitions):
2063         AbstractValue is bigger on Windows for an unknown reason.
2064
2065 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2066
2067         [JSC] Fix 32bits jsc after r204065
2068
2069         Default constructed JSValue() are not equal to zero in 32bits.
2070
2071         * dfg/DFGAbstractValue.h:
2072         (JSC::DFG::AbstractValue::AbstractValue):
2073
2074 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2075
2076         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2077         https://bugs.webkit.org/show_bug.cgi?id=160370
2078
2079         Reviewed by Saam Barati.
2080
2081         We use a ton of AbstractValue to run the Abstract Interpreter.
2082
2083         When we set up the initial values, the compiler sets
2084         a zero on a first word, a one on a second word, and a zero
2085         again on a third word.
2086         Since no vector or double-store can deal with 3 words, unrolling
2087         is done by repeating those instructions.
2088
2089         The reason for the one was TinyPtrSet. It needed a flag for
2090         empty value to identify the set as thin. I flipped the flag to "fat"
2091         to make sure TinyPtrSet is initialized to zero.
2092
2093         With that done, I just had to clean some places to make
2094         the initialization shorter.
2095         It makes the binary easier to follow but this does not help with
2096         the bigger problem: the time spent per block on Abstract Interpreter.
2097
2098         * bytecode/Operands.h:
2099         The traits were useless; no client code defines them.
2100
2101         (JSC::Operands::Operands):
2102         (JSC::Operands::ensureLocals):
2103         Because of the size of the function, llvm is not inlining it.
2104         We were literally loading 3 registers from memory and storing
2105         them in the vector.
2106         Now that AbstractValue has a VectorTraits, we should just rely
2107         on the memset of Vector when possible.
2108
2109         (JSC::Operands::getLocal):
2110         (JSC::Operands::setArgumentFirstTime):
2111         (JSC::Operands::setLocalFirstTime):
2112         (JSC::Operands::clear):
2113         (JSC::OperandValueTraits::defaultValue): Deleted.
2114         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2115         * bytecode/OperandsInlines.h:
2116         (JSC::Operands<T>::dumpInContext):
2117         (JSC::Operands<T>::dump):
2118         (JSC::Traits>::dumpInContext): Deleted.
2119         (JSC::Traits>::dump): Deleted.
2120         * dfg/DFGAbstractValue.cpp:
2121         * dfg/DFGAbstractValue.h:
2122         (JSC::DFG::AbstractValue::AbstractValue):
2123
2124 2016-08-02  Saam Barati  <sbarati@apple.com>
2125
2126         update a class extending null w.r.t the ES7 spec
2127         https://bugs.webkit.org/show_bug.cgi?id=160417
2128
2129         Reviewed by Keith Miller.
2130
2131         When a class extends null, it should not be marked as a derived class.
2132         This was changed in the ES2016 spec, and this patch makes the needed
2133         changes in JSC to follow the spec. This allows classes to extend
2134         null and have their default constructor invoked without throwing an exception.
2135         This also prevents |this| from being under TDZ at the start of the constructor.
2136         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2137         syntax, we don't know statically if a constructor is extending null or not.
2138         Therefore, we don't always know statically if it's a base or derived constructor.
2139         I solved this by putting a boolean on the constructor function under a private
2140         symbol named isDerivedConstructor when doing class construction. We only need
2141         to put this boolean on constructors that may extend null. Constructors that are
2142         declared in a class with no extends syntax can tell statically that they are a base constructor.
2143
2144         I've also renamed the ConstructorKind::Derived enum value to be
2145         ConstructorKind::Extends to better indicate that we can't answer
2146         the "am I a derived constructor?" question statically.
2147
2148         * builtins/BuiltinExecutables.cpp:
2149         (JSC::BuiltinExecutables::createDefaultConstructor):
2150         * builtins/BuiltinNames.h:
2151         * bytecompiler/BytecodeGenerator.cpp:
2152         (JSC::BytecodeGenerator::BytecodeGenerator):
2153         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2154         (JSC::BytecodeGenerator::emitReturn):
2155         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2156         (JSC::BytecodeGenerator::ensureThis):
2157         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2158         * bytecompiler/BytecodeGenerator.h:
2159         (JSC::BytecodeGenerator::makeFunction):
2160         * bytecompiler/NodesCodegen.cpp:
2161         (JSC::EvalFunctionCallNode::emitBytecode):
2162         (JSC::FunctionCallValueNode::emitBytecode):
2163         (JSC::FunctionNode::emitBytecode):
2164         (JSC::ClassExprNode::emitBytecode):
2165         * parser/Parser.cpp:
2166         (JSC::Parser<LexerType>::Parser):
2167         (JSC::Parser<LexerType>::parseFunctionInfo):
2168         (JSC::Parser<LexerType>::parseClass):
2169         (JSC::Parser<LexerType>::parseMemberExpression):
2170         * parser/ParserModes.h:
2171
2172 2016-08-02  Enrica Casucci  <enrica@apple.com>
2173
2174         Allow building with content filtering disabled.
2175         https://bugs.webkit.org/show_bug.cgi?id=160454
2176
2177         Reviewed by Simon Fraser.
2178
2179         * Configurations/FeatureDefines.xcconfig:
2180
2181 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2182
2183         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2184         https://bugs.webkit.org/show_bug.cgi?id=159759
2185
2186         Reviewed by Saam Barati.
2187
2188         * jit/JITMathIC.h:
2189         (JSC::JITMathIC::generateInline):
2190
2191 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2192
2193         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2194         https://bugs.webkit.org/show_bug.cgi?id=160438
2195
2196         Reviewed by Mark Lam.
2197         
2198         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2199         catching stack overflow due to large parameter count. It would only catch regular old stack
2200         overflow, like if the frame pointer was already past the limit.
2201         
2202         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2203         the stack due to large parameter count were not going down that path at all, so we haven't had
2204         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2205         case.
2206
2207         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2208         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2209         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2210         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2211         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2212         a stack frame roll back normally does, since exception unwinding needs to see the current value
2213         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2214         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2215         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2216         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2217         To signal this, I could have either made topCallFrame point to the real top JS call frame
2218         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2219         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2220         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2221         engine against this case.
2222         
2223         * interpreter/StackVisitor.cpp:
2224         (JSC::StackVisitor::StackVisitor):
2225         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2226         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2227         StackVisitor is the only place that needs to be taught about this at this time, because it's
2228         one of the few things that access topCallFrame along this special path.
2229         
2230         * jit/JITOperations.cpp: Roll back the top call frame.
2231         * runtime/CommonSlowPaths.cpp:
2232         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2233
2234 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2235
2236         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2237         https://bugs.webkit.org/show_bug.cgi?id=160439
2238
2239         Reviewed by Filip Pizlo.
2240
2241         * assembler/MacroAssemblerARM64.h:
2242         (JSC::MacroAssemblerARM64::branchTest64):
2243         * b3/air/AirOpcode.opcodes:
2244         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2245
2246 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2247
2248         [B3] Fusing immediates into test instructions should work again
2249         https://bugs.webkit.org/show_bug.cgi?id=160073
2250
2251         Reviewed by Sam Weinig.
2252
2253         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2254         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2255         was still using Imm!  This meant that isValidForm() always returned false.
2256         
2257         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2258         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2259         with the scratch register).
2260         
2261         This is not an obvious progression on anything, so I added comprehensive tests to
2262         testb3, which check that we selected the optimal instruction in a variety of situations.
2263         We should add more tests like this!
2264
2265         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2266         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2267         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2268
2269         * b3/B3BasicBlock.h:
2270         (JSC::B3::BasicBlock::successorBlock):
2271         * b3/B3LowerToAir.cpp:
2272         (JSC::B3::Air::LowerToAir::createGenericCompare):
2273         * b3/B3LowerToAir.h:
2274         * b3/air/AirArg.cpp:
2275         (JSC::B3::Air::Arg::isRepresentableAs):
2276         (JSC::B3::Air::Arg::usesTmp):
2277         * b3/air/AirArg.h:
2278         (JSC::B3::Air::Arg::isRepresentableAs):
2279         (JSC::B3::Air::Arg::castToType):
2280         (JSC::B3::Air::Arg::asNumber):
2281         * b3/air/AirCode.h:
2282         (JSC::B3::Air::Code::size):
2283         (JSC::B3::Air::Code::at):
2284         * b3/air/AirOpcode.opcodes:
2285         * b3/air/AirValidate.h:
2286         * b3/air/opcode_generator.rb:
2287         * b3/testb3.cpp:
2288         (JSC::B3::compile):
2289         (JSC::B3::compileAndRun):
2290         (JSC::B3::lowerToAirForTesting):
2291         (JSC::B3::testSomeEarlyRegister):
2292         (JSC::B3::testBranchBitAndImmFusion):
2293         (JSC::B3::zero):
2294         (JSC::B3::run):
2295
2296 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2297
2298         Rationalize varargs stack overflow checks
2299         https://bugs.webkit.org/show_bug.cgi?id=160425
2300
2301         Reviewed by Michael Saboff.
2302
2303         * ftl/FTLLink.cpp:
2304         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2305         * runtime/CommonSlowPaths.h:
2306         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2307
2308 2016-08-01  Saam Barati  <sbarati@apple.com>
2309
2310         Sub should be a Math IC
2311         https://bugs.webkit.org/show_bug.cgi?id=160270
2312
2313         Reviewed by Mark Lam.
2314
2315         This makes Sub an IC like Mul and Add. I'm seeing the following
2316         improvements of average Sub size on Unity and JetStream:
2317
2318                    |  JetStream  |  Unity 3D  |
2319              ------|-------------|------------|
2320               Old  |  202 bytes  |  205 bytes |
2321              ------|-------------|------------|
2322               New  |  134 bytes  |  134 bytes |
2323              ------------------------------------
2324
2325         * bytecode/CodeBlock.cpp:
2326         (JSC::CodeBlock::addJITMulIC):
2327         (JSC::CodeBlock::addJITSubIC):
2328         (JSC::CodeBlock::findStubInfo):
2329         (JSC::CodeBlock::dumpMathICStats):
2330         * bytecode/CodeBlock.h:
2331         (JSC::CodeBlock::stubInfoBegin):
2332         (JSC::CodeBlock::stubInfoEnd):
2333         * dfg/DFGSpeculativeJIT.cpp:
2334         (JSC::DFG::SpeculativeJIT::compileArithSub):
2335         * ftl/FTLLowerDFGToB3.cpp:
2336         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2337         * jit/JITArithmetic.cpp:
2338         (JSC::JIT::emit_op_sub):
2339         (JSC::JIT::emitSlow_op_sub):
2340         (JSC::JIT::emit_op_pow):
2341         * jit/JITMathIC.h:
2342         * jit/JITMathICForwards.h:
2343         * jit/JITOperations.cpp:
2344         * jit/JITOperations.h:
2345         * jit/JITSubGenerator.cpp:
2346         (JSC::JITSubGenerator::generateInline):
2347         (JSC::JITSubGenerator::generateFastPath):
2348         * jit/JITSubGenerator.h:
2349         (JSC::JITSubGenerator::JITSubGenerator):
2350         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2351         (JSC::JITSubGenerator::isRightOperandValidConstant):
2352         (JSC::JITSubGenerator::arithProfile):
2353         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2354         (JSC::JITSubGenerator::endJumpList): Deleted.
2355         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2356
2357 2016-08-01  Keith Miller  <keith_miller@apple.com>
2358
2359         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2360         https://bugs.webkit.org/show_bug.cgi?id=160372
2361
2362         Rubber stamped by Geoffrey Garen.
2363
2364         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2365         a new top level directory, JSTests. Having the tests in the Source directory
2366         was both confusing and inconvenient for people that just want to checkout the
2367         source code of WebKit. Since there is no other obvious place to put all the
2368         JavaScript tests a new top level directory seemed the most sensible.
2369
2370         * tests/: Deleted.
2371
2372 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2373
2374         [JSC] Should check Test262Error correctly
2375         https://bugs.webkit.org/show_bug.cgi?id=159862
2376
2377         Reviewed by Saam Barati.
2378
2379         Test262Error in the harness does not have "name" property.
2380         Rather than checking "name" property, performing `instanceof` is better to check the class of the exception.
2381
2382         * jsc.cpp:
2383         (checkUncaughtException):
2384         * runtime/JSObject.h:
2385         * tests/test262.yaml:
2386
2387 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2388
2389         [ES6] Module binding can be exported by multiple names
2390         https://bugs.webkit.org/show_bug.cgi?id=160343
2391
2392         Reviewed by Saam Barati.
2393
2394         ES6 Module can export the same local binding by using multiple names.
2395         For example,
2396
2397             ```
2398             var value = 42;
2399
2400             export { value };
2401             export { value as value2 };
2402             ```
2403
2404         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
2405         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
2406
2407         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2408         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
2409         this information when creating the export entries in ModuleAnalyzer.
2410
2411         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2412         names should be managed per-module, not per-scope.
2413
2414         This change fixes several test262 failures.
2415
2416         * JavaScriptCore.xcodeproj/project.pbxproj:
2417         * parser/ModuleAnalyzer.cpp:
2418         (JSC::ModuleAnalyzer::exportVariable):
2419         (JSC::ModuleAnalyzer::analyze):
2420         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2421         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2422         * parser/ModuleAnalyzer.h:
2423         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2424         (JSC::ModuleScopeData::create):
2425         (JSC::ModuleScopeData::exportedBindings):
2426         (JSC::ModuleScopeData::exportName):
2427         (JSC::ModuleScopeData::exportBinding):
2428         * parser/Nodes.cpp:
2429         (JSC::ProgramNode::ProgramNode):
2430         (JSC::ModuleProgramNode::ModuleProgramNode):
2431         (JSC::EvalNode::EvalNode):
2432         (JSC::FunctionNode::FunctionNode):
2433         * parser/Nodes.h:
2434         (JSC::ModuleProgramNode::moduleScopeData):
2435         * parser/NodesAnalyzeModule.cpp:
2436         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2437         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2438         * parser/Parser.cpp:
2439         (JSC::Parser<LexerType>::Parser):
2440         (JSC::Parser<LexerType>::parseModuleSourceElements):
2441         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2442         (JSC::Parser<LexerType>::createBindingPattern):
2443         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2444         (JSC::Parser<LexerType>::parseClassDeclaration):
2445         (JSC::Parser<LexerType>::parseExportSpecifier):
2446         (JSC::Parser<LexerType>::parseExportDeclaration):
2447         * parser/Parser.h:
2448         (JSC::Parser::exportName):
2449         (JSC::Parser<LexerType>::parse):
2450         (JSC::ModuleScopeData::create): Deleted.
2451         (JSC::ModuleScopeData::exportedBindings): Deleted.
2452         (JSC::ModuleScopeData::exportName): Deleted.
2453         (JSC::ModuleScopeData::exportBinding): Deleted.
2454         (JSC::Scope::Scope): Deleted.
2455         (JSC::Scope::setSourceParseMode): Deleted.
2456         (JSC::Scope::moduleScopeData): Deleted.
2457         (JSC::Scope::setIsModule): Deleted.
2458         * tests/modules/aliased-names.js: Added.
2459         * tests/modules/aliased-names/main.js: Added.
2460         (change):
2461         * tests/stress/modules-syntax-error-with-names.js:
2462         (export.Cocoa):
2463         (SyntaxError.Cannot.export.a.duplicate.name):
2464         * tests/test262.yaml:
2465
2466 2016-07-30  Mark Lam  <mark.lam@apple.com>
2467
2468         Assertion failure while setting the length of an ArrayClass array.
2469         https://bugs.webkit.org/show_bug.cgi?id=160381
2470         <rdar://problem/27328703>
2471
2472         Reviewed by Filip Pizlo.
2473
2474         When setting large length values, we're currently treating ArrayClass as a
2475         ContiguousIndexingType array.  This results in an assertion failure.  This is
2476         now fixed.
2477
2478         There are currently only 2 places where we create arrays with indexing type
2479         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2480         takes care of ArrayPrototype.
2481
2482         RuntimeArray already checks for the setting of its length property, and will
2483         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
2484         Instead, I added some test cases to ensure that the check and throw behavior does
2485         not change without notice.
2486
2487         * runtime/JSArray.cpp:
2488         (JSC::JSArray::setLength):
2489         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2490         (toString):
2491         (assertEqual):
2492         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2493         (toString):
2494         (assertEqual):
2495
2496 2016-07-29  Keith Miller  <keith_miller@apple.com>
2497
2498         TypedArray super constructor has some incompatibilities
2499         https://bugs.webkit.org/show_bug.cgi?id=160369
2500
2501         Reviewed by Filip Pizlo.
2502
2503         This patch fixes the length property of the TypedArray super constructor.
2504         Additionally, the TypedArray super constructor should no longer be callable.
2505
2506         Also, this patch fixes the expected result of some test262 tests.
2507
2508         * runtime/JSTypedArrayViewConstructor.cpp:
2509         (JSC::JSTypedArrayViewConstructor::finishCreation):
2510         (JSC::constructTypedArrayView):
2511         (JSC::JSTypedArrayViewConstructor::getCallData):
2512         * tests/test262.yaml:
2513
2514 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2515
2516         Undefined Behavior in JSValue cast from NaN
2517         https://bugs.webkit.org/show_bug.cgi?id=160322
2518
2519         Reviewed by Mark Lam.
2520
2521         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2522
2523         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2524         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2525         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2526         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
2527         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
2528
2529         * runtime/JSCJSValueInlines.h:
2530         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
2531
2532 2016-07-29  Michael Saboff  <msaboff@apple.com>
2533
2534         Refactor DFG::Node::hasLocal() to accessesStack()
2535         https://bugs.webkit.org/show_bug.cgi?id=160357
2536
2537         Reviewed by Filip Pizlo.
2538
2539         Refactoring in preparation for using register arguments for JavaScript calls.
2540
2541         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2542         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2543         use guards stack operation logic associated with the Node's VariableAccessData.
2544
2545         The hasVariableAccessData() check now implies no more than the node has a
2546         VariableAccessData and nothing about its use of that data to coordinate stack   
2547         accesses.
2548
2549         * dfg/DFGGraph.cpp:
2550         (JSC::DFG::Graph::dump):
2551         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2552         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2553         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2554         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2555         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2556         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2557         * dfg/DFGNode.h:
2558         (JSC::DFG::Node::containsMovHint):
2559         (JSC::DFG::Node::accessesStack):
2560         (JSC::DFG::Node::hasLocal): Deleted.
2561         * dfg/DFGPredictionInjectionPhase.cpp:
2562         (JSC::DFG::PredictionInjectionPhase::run):
2563         * dfg/DFGValidate.cpp:
2564
2565 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2566
2567         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2568         https://bugs.webkit.org/show_bug.cgi?id=160346
2569
2570         Reviewed by Geoffrey Garen.
2571
2572         In Air, we minimized memory accesses during liveness analysis
2573         with a couple of tricks:
2574         -Use a single Sparse Set ADT for the live value of each block.
2575         -Manipulate compact positive indices instead of hashing values.
2576
2577         This patch brings the same ideas to DFG.
2578
2579         This patch still uses the same fixpoint algorithms.
2580         The reason is Edge's KillStatus used by other phases. We cannot
2581         use a block-boundary liveness algorithm and update KillStatus
2582         simultaneously. It's something I'll probably revisit at some point.
2583
2584         * dfg/DFGAbstractInterpreterInlines.h:
2585         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2586         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2587         * dfg/DFGBasicBlock.h:
2588         * dfg/DFGGraph.h:
2589         (JSC::DFG::Graph::maxNodeCount):
2590         (JSC::DFG::Graph::nodeAt):
2591         * dfg/DFGInPlaceAbstractState.cpp:
2592         (JSC::DFG::setLiveValues):
2593         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2594         * dfg/DFGLivenessAnalysisPhase.cpp:
2595         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2596         (JSC::DFG::LivenessAnalysisPhase::run):
2597         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2598         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2599         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2600
2601 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2602
2603         Unreviewed, ByValInfo is only used in JIT enabled environments
2604         https://bugs.webkit.org/show_bug.cgi?id=158908
2605
2606         * bytecode/CodeBlock.cpp:
2607         (JSC::CodeBlock::stronglyVisitStrongReferences):
2608
2609 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2610
2611         JSC::Symbol should be hash-consed
2612         https://bugs.webkit.org/show_bug.cgi?id=158908
2613
2614         Reviewed by Filip Pizlo.
2615
2616         Previously, SymbolImpls held by symbols represent identity of symbols.
2617         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
2618
2619         This patch performs hash-consing onto the symbols. We cache symbols in per-VM's SymbolImpl-keyed WeakGCMap.
2620         When creating a new symbol from SymbolImpl, we first query to this map and reuse the previously created symbol
2621         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2622         pointer-comparison to query the equality of symbols.
2623
2624         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
2625         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2626         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2627         case is handled by CheckCell.
2628
2629         Additionally, this patch also cleans up Map / Set implementation since we can use the logic for JSCell to symbols.
2630
2631         The performance effects in the related benchmarks are the following.
2632
2633                                                                baseline                   patch
2634
2635             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2636             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2637             fold-put-by-val-with-symbol-to-multi-put-by-offset
2638                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2639             inlined-put-by-val-with-symbol-transition
2640                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2641             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2642             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2643                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2644             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2645             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2646             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2647             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2648             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2649                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2650             get-by-val-with-symbol-chain-from-try-block
2651                                                             2.2316+-0.0179            2.2137+-0.0210
2652             get-by-val-with-symbol-bimorphic-check-structure-elimination
2653                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2654             get-by-val-with-symbol-check-structure-elimination
2655                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2656             put-by-val-with-symbol-slightly-polymorphic
2657                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2658             put-by-val-with-symbol-replace-and-transition
2659                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2660
2661             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2662
2663         * bytecode/ByValInfo.h:
2664         * bytecode/CodeBlock.cpp:
2665         (JSC::CodeBlock::stronglyVisitStrongReferences):
2666         * dfg/DFGAbstractInterpreterInlines.h:
2667         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2668         * dfg/DFGByteCodeParser.cpp:
2669         (JSC::DFG::ByteCodeParser::parseBlock):
2670         * dfg/DFGClobberize.h:
2671         (JSC::DFG::clobberize):
2672         * dfg/DFGConstantFoldingPhase.cpp:
2673         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2674         * dfg/DFGDoesGC.cpp:
2675         (JSC::DFG::doesGC):
2676         * dfg/DFGFixupPhase.cpp:
2677         (JSC::DFG::FixupPhase::fixupNode):
2678         * dfg/DFGNode.h:
2679         (JSC::DFG::Node::hasUidOperand):
2680         * dfg/DFGNodeType.h:
2681         * dfg/DFGPredictionPropagationPhase.cpp:
2682         * dfg/DFGSafeToExecute.h:
2683         (JSC::DFG::safeToExecute):
2684         * dfg/DFGSpeculativeJIT.cpp:
2685         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2686         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2687         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2688         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2689         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2690         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2691         * dfg/DFGSpeculativeJIT.h:
2692         * dfg/DFGSpeculativeJIT32_64.cpp:
2693         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2694         (JSC::DFG::SpeculativeJIT::compile):
2695         * dfg/DFGSpeculativeJIT64.cpp:
2696         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2697         (JSC::DFG::SpeculativeJIT::compile):
2698         * ftl/FTLAbstractHeapRepository.h:
2699         * ftl/FTLCapabilities.cpp:
2700         (JSC::FTL::canCompile):
2701         * ftl/FTLLowerDFGToB3.cpp:
2702         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2703         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2704         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2705         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2706         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2707         * jit/JIT.h:
2708         * jit/JITOperations.cpp:
2709         (JSC::tryGetByValOptimize):
2710         * jit/JITPropertyAccess.cpp:
2711         (JSC::JIT::emitGetByValWithCachedId):
2712         (JSC::JIT::emitPutByValWithCachedId):
2713         (JSC::JIT::emitByValIdentifierCheck):
2714         (JSC::JIT::privateCompileGetByValWithCachedId):
2715         (JSC::JIT::privateCompilePutByValWithCachedId):
2716         (JSC::JIT::emitIdentifierCheck): Deleted.
2717         * jit/JITPropertyAccess32_64.cpp:
2718         (JSC::JIT::emitGetByValWithCachedId):
2719         (JSC::JIT::emitPutByValWithCachedId):
2720         * runtime/JSCJSValue.cpp:
2721         (JSC::JSValue::dumpInContextAssumingStructure):
2722         * runtime/JSCJSValueInlines.h:
2723         (JSC::JSValue::equalSlowCaseInline):
2724         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2725         * runtime/JSFunction.cpp:
2726         (JSC::JSFunction::setFunctionName):
2727         * runtime/MapData.h:
2728         * runtime/MapDataInlines.h:
2729         (JSC::JSIterator>::clear): Deleted.
2730         (JSC::JSIterator>::find): Deleted.
2731         (JSC::JSIterator>::add): Deleted.
2732         (JSC::JSIterator>::remove): Deleted.
2733         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2734         * runtime/Symbol.cpp:
2735         (JSC::Symbol::finishCreation):
2736         (JSC::Symbol::create):
2737         * runtime/Symbol.h:
2738         * runtime/VM.cpp:
2739         (JSC::VM::VM):
2740         * runtime/VM.h:
2741         * tests/stress/symbol-equality-over-gc.js: Added.
2742         (shouldBe):
2743         (test):
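
The hash-consing scheme described in the entry above, as an added illustration that is not JSC's code: a table keyed by SymbolImpl identity hands out at most one live Symbol per SymbolImpl, so symbol equality becomes a pointer compare. The class names SymbolImpl, Symbol and SymbolTable are stand-ins for the real JSC types, and std::weak_ptr stands in for the GC-managed weak map entries.

```cpp
// Added illustration (not JSC code) of hash-consing symbols through a
// SymbolImpl-keyed weak map, as the ChangeLog entry above describes.
#include <memory>
#include <string>
#include <unordered_map>

// Stand-in for JSC's SymbolImpl: the description text plus its own identity.
struct SymbolImpl {
    std::string description;
    explicit SymbolImpl(std::string d) : description(std::move(d)) {}
};

// Stand-in for the JSC Symbol cell; it keeps its SymbolImpl alive.
struct Symbol {
    std::shared_ptr<SymbolImpl> impl;
    explicit Symbol(std::shared_ptr<SymbolImpl> i) : impl(std::move(i)) {}
};

// Stand-in for the per-VM WeakGCMap<SymbolImpl*, Symbol>: entries do not keep
// the Symbol alive, so a dead Symbol simply drops out of the table.
class SymbolTable {
public:
    // Hash-cons: reuse the live Symbol for this impl if there is one,
    // otherwise allocate a fresh Symbol and remember it weakly.
    std::shared_ptr<Symbol> create(const std::shared_ptr<SymbolImpl>& impl) {
        auto it = m_map.find(impl.get());
        if (it != m_map.end()) {
            if (auto existing = it->second.lock())
                return existing;      // same SymbolImpl => same Symbol object
            m_map.erase(it);          // the Symbol died (GC cleared the entry)
        }
        auto symbol = std::make_shared<Symbol>(impl);
        m_map.emplace(impl.get(), symbol);
        return symbol;
    }

    // Number of entries whose Symbol is still alive.
    size_t liveEntries() const {
        size_t n = 0;
        for (const auto& kv : m_map)
            if (!kv.second.expired())
                ++n;
        return n;
    }

private:
    std::unordered_map<const SymbolImpl*, std::weak_ptr<Symbol>> m_map;
};

// With hash-consing in place, equality is a pointer compare: no SymbolImpl load.
bool symbolsEqual(const Symbol* a, const Symbol* b) { return a == b; }

// Returns true iff the invariants the entry relies on hold:
//  * two creations from the same impl yield the same Symbol;
//  * two distinct impls, even with equal descriptions, yield distinct Symbols;
//  * once a Symbol is gone, creating from its impl again yields a fresh one
//    that is itself hash-consed from then on.
bool demonstrateHashConsing() {
    SymbolTable table;
    auto implA = std::make_shared<SymbolImpl>("foo");
    auto implB = std::make_shared<SymbolImpl>("foo"); // same text, other identity

    auto s1 = table.create(implA);
    auto s2 = table.create(implA);
    auto s3 = table.create(implB);
    if (!symbolsEqual(s1.get(), s2.get()))
        return false;
    if (symbolsEqual(s1.get(), s3.get()))
        return false;
    if (table.liveEntries() != 2)
        return false;

    s1.reset();
    s2.reset();                              // last strong refs gone: "collected"
    if (table.liveEntries() != 1)
        return false;

    auto s4 = table.create(implA);           // fresh Symbol, fresh weak entry
    auto s5 = table.create(implA);
    return table.liveEntries() == 2 && symbolsEqual(s4.get(), s5.get());
}
```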
2744
2745 2016-07-28  Mark Lam  <mark.lam@apple.com>
2746
2747         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2748         https://bugs.webkit.org/show_bug.cgi?id=160324
2749         <rdar://problem/27389572>
2750
2751         Reviewed by Keith Miller.
2752
2753         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2754         generate the error string even when the name string can be a single character
2755         string.  This is incorrect.  We should be using jsString() instead.
2756
2757         * runtime/ErrorPrototype.cpp:
2758         (JSC::errorProtoFuncToString):
2759         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
2760
2761 2016-07-28  Michael Saboff  <msaboff@apple.com>
2762
2763         ARM64: Fused left shift with a right shift can create NaNs from integers
2764         https://bugs.webkit.org/show_bug.cgi?id=160329
2765
2766         Reviewed by Geoffrey Garen.
2767
2768         When we fuse a left shift and a right shift of integers where the shift amounts
2769         are the same and the size of the quantity being shifted is 8 bits, we rightly
2770         generate a sign extend byte instruction.  On ARM64, we were sign extending
2771         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2772
2773         Checking the ARM64 macro assembler, we were extending to 64 bits for all
2774         four combinations of zero / sign and 8 / 16 bits.
2775         
2776         * assembler/MacroAssemblerARM64.h:
2777         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2778         (JSC::MacroAssemblerARM64::signExtend16To32):
2779         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2780         (JSC::MacroAssemblerARM64::signExtend8To32):
2781         * tests/stress/regress-160329.js: New test added.
2782         (narrow):
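
The shift fusion described in the entry above, as an added illustration that is not JSC's code: a left shift followed by an arithmetic right shift by the same amount on a 32-bit integer is equivalent to sign-extending the low byte to 32 bits, while a sign extension to 64 bits leaves a different register image in the upper half for negative values. Function names are stand-ins, not the macro assembler's methods.

```cpp
// Added illustration (not JSC code) of the 8-bit shift fusion and of the
// 32-bit versus 64-bit sign-extension mismatch from the entry above.
#include <cstdint>

// "v << 24" then "v >> 24" (arithmetic) on a 32-bit value keeps only the low
// byte and sign-extends it: this is the pair of shifts the JIT fuses into a
// sign-extend-byte instruction.  The left shift goes through unsigned to avoid
// undefined behaviour on negative inputs.
int32_t fusedShiftPair8(int32_t v) {
    uint32_t shifted = static_cast<uint32_t>(v) << 24;
    return static_cast<int32_t>(shifted) >> 24;   // arithmetic right shift
}

// What the fused form must compute: sign extend the low byte to 32 bits.
int32_t signExtend8To32(int32_t v) {
    return static_cast<int32_t>(static_cast<int8_t>(v & 0xff));
}

// What the ARM64 macro assembler was emitting instead: a sign extension of the
// low byte into the full 64-bit register.
int64_t signExtend8To64(int64_t v) {
    return static_cast<int64_t>(static_cast<int8_t>(v & 0xff));
}

// True iff the fused shift pair and the 32-bit sign extension agree exactly.
bool fusedMatches32(int32_t v) {
    return fusedShiftPair8(v) == signExtend8To32(v);
}

// True iff the 64-bit register image of the 64-bit extension differs from that
// of the correct 32-bit extension (a 32-bit ARM64 op clears the upper 32 bits).
bool upperHalfDiffers(int32_t v) {
    uint64_t wanted = static_cast<uint32_t>(signExtend8To32(v)); // upper bits 0
    uint64_t got = static_cast<uint64_t>(signExtend8To64(v));
    return wanted != got;
}
```

For any input whose low byte has its top bit set, the two register images disagree in the upper 32 bits; for non-negative bytes they coincide, which is why the fault only showed on some values.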
2783
2784 2016-07-28  Mark Lam  <mark.lam@apple.com>
2785
2786         StringView should have an explicit m_is8Bit field.
2787         https://bugs.webkit.org/show_bug.cgi?id=160282
2788         <rdar://problem/27327943>
2789
2790         Reviewed by Benjamin Poulain.
2791
2792         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2793         (catch):
2794
2795 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2796
2797         [ARM] Typo fix after r121885
2798         https://bugs.webkit.org/show_bug.cgi?id=160288
2799
2800         Reviewed by Zoltan Herczeg.
2801
2802         * assembler/MacroAssemblerARM.h:
2803         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2804
2805 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2806
2807         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2808         https://bugs.webkit.org/show_bug.cgi?id=159711
2809
2810         Reviewed by Mark Lam.
2811
2812         * assembler/ARMAssembler.cpp:
2813         (JSC::ARMAssembler::prepareExecutableCopy):
2814
2815 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2816
2817         [JSC] Remove some unused code from FTL
2818         https://bugs.webkit.org/show_bug.cgi?id=160285
2819
2820         Reviewed by Mark Lam.
2821
2822         All the liveness and swapping is done inside B3,
2823         this code is no longer needed.
2824
2825         * dfg/DFGEdge.h:
2826         (JSC::DFG::Edge::doesNotKill): Deleted.
2827         * ftl/FTLLowerDFGToB3.cpp:
2828         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2829
2830 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2831
2832         [JSC] DFG::Node should not have its own allocator
2833         https://bugs.webkit.org/show_bug.cgi?id=160098
2834
2835         Reviewed by Geoffrey Garen.
2836
2837         We need some design changes for DFG::Node:
2838         -Accessing the index must be fast. B3 uses indices for sets
2839          and maps, it is a lot faster than hashing pointers.
2840         -We should be able to subclass DFG::Node to specialize it.
2841
2842         * CMakeLists.txt:
2843         * JavaScriptCore.xcodeproj/project.pbxproj:
2844         * dfg/DFGAllocator.h: Removed.
2845         (JSC::DFG::Allocator::Region::size): Deleted.
2846         (JSC::DFG::Allocator::Region::headerSize): Deleted.
2847         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
2848         (JSC::DFG::Allocator::Region::data): Deleted.
2849         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
2850         (JSC::DFG::Allocator::Region::regionFor): Deleted.
2851         (JSC::DFG::Allocator<T>::Allocator): Deleted.
2852         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
2853         (JSC::DFG::Allocator<T>::allocate): Deleted.
2854         (JSC::DFG::Allocator<T>::free): Deleted.
2855         (JSC::DFG::Allocator<T>::freeAll): Deleted.
2856         (JSC::DFG::Allocator<T>::reset): Deleted.
2857         (JSC::DFG::Allocator<T>::indexOf): Deleted.
2858         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
2859         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
2860         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
2861         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
2862         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
2863         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
2864         * dfg/DFGByteCodeParser.cpp:
2865         (JSC::DFG::ByteCodeParser::addToGraph):
2866         * dfg/DFGCPSRethreadingPhase.cpp:
2867         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2868         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
2869         * dfg/DFGCleanUpPhase.cpp:
2870         (JSC::DFG::CleanUpPhase::run):
2871         * dfg/DFGConstantFoldingPhase.cpp:
2872         (JSC::DFG::ConstantFoldingPhase::run):
2873         * dfg/DFGConstantHoistingPhase.cpp:
2874         * dfg/DFGDCEPhase.cpp:
2875         (JSC::DFG::DCEPhase::fixupBlock):
2876         * dfg/DFGDriver.cpp:
2877         (JSC::DFG::compileImpl):
2878         * dfg/DFGGraph.cpp:
2879         (JSC::DFG::Graph::Graph):
2880         (JSC::DFG::Graph::deleteNode):
2881         (JSC::DFG::Graph::killBlockAndItsContents):
2882         (JSC::DFG::Graph::~Graph): Deleted.
2883         * dfg/DFGGraph.h:
2884         (JSC::DFG::Graph::addNode):
2885         * dfg/DFGLICMPhase.cpp:
2886         (JSC::DFG::LICMPhase::attemptHoist):
2887         * dfg/DFGLongLivedState.cpp: Removed.
2888         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
2889         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
2890         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
2891         * dfg/DFGLongLivedState.h: Removed.
2892         * dfg/DFGNode.cpp:
2893         (JSC::DFG::Node::index): Deleted.
2894         * dfg/DFGNode.h:
2895         (JSC::DFG::Node::index):
2896         * dfg/DFGNodeAllocator.h: Removed.
2897         (operator new ): Deleted.
2898         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2899         * dfg/DFGPlan.cpp:
2900         (JSC::DFG::Plan::compileInThread):
2901         (JSC::DFG::Plan::compileInThreadImpl):
2902         * dfg/DFGPlan.h:
2903         * dfg/DFGSSAConversionPhase.cpp:
2904         (JSC::DFG::SSAConversionPhase::run):
2905         * dfg/DFGWorklist.cpp:
2906         (JSC::DFG::Worklist::runThread):
2907         * runtime/VM.cpp:
2908         (JSC::VM::VM): Deleted.
2909         * runtime/VM.h:
2910
2911 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2912
2913         [JSC] Fix a bunch of use-after-free of DFG::Node
2914         https://bugs.webkit.org/show_bug.cgi?id=160228
2915
2916         Reviewed by Mark Lam.
2917
2918         FTL had a few places where we use a node after it has been
2919         deleted. The dangling pointers come from the SSA liveness information
2920         kept on the basic blocks.
2921
2922         This patch fixes the issues I could find and adds liveness invalidation
2923         to help finding dependencies like these.
2924
2925         * dfg/DFGBasicBlock.h:
2926         (JSC::DFG::BasicBlock::SSAData::invalidate):
2927
2928         * dfg/DFGConstantFoldingPhase.cpp:
2929         (JSC::DFG::ConstantFoldingPhase::run):
2930         Constant folding phase was deleting nodes in the loop over basic blocks.
2931         The problem is the deleted nodes can be referenced by other blocks.
2932         When the abstract interpreter was manipulating the abstract values of those
2933         it was doing so on the dead nodes.
2934
2935         * dfg/DFGConstantHoistingPhase.cpp:
2936         Just invalidation. Nothing wrong here since the useless nodes were
2937         kept live while iterating the blocks.
2938
2939         * dfg/DFGGraph.cpp:
2940         (JSC::DFG::Graph::killBlockAndItsContents):
2941         (JSC::DFG::Graph::killUnreachableBlocks):
2942         (JSC::DFG::Graph::invalidateNodeLiveness):
2943
2944         * dfg/DFGGraph.h:
2945         * dfg/DFGPlan.cpp:
2946         (JSC::DFG::Plan::compileInThreadImpl):
2947         We had a lot of use-after-free in LICM because we were using the stale
2948         live nodes deleted by previous phases.
2949
2950 2016-07-27  Keith Miller  <keith_miller@apple.com>
2951
2952         concatAppendOne should allocate using the indexing type of the array if it cannot merge
2953         https://bugs.webkit.org/show_bug.cgi?id=160261
2954         <rdar://problem/27530122>
2955
2956         Reviewed by Mark Lam.
2957
2958         Before, if we could not merge the indexing types for copying, we would allocate
2959         the array as ArrayWithUndecided. Instead, we should allocate an array with the original
2960         array's indexing type.
2961
2962         * runtime/ArrayPrototype.cpp:
2963         (JSC::concatAppendOne):
2964         * tests/stress/concat-append-one-with-sparse-array.js: Added.
2965
2966 2016-07-27  Saam Barati  <sbarati@apple.com>
2967
2968         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
2969         https://bugs.webkit.org/show_bug.cgi?id=160211
2970         <rdar://problem/27572612>
2971
2972         Reviewed by Geoffrey Garen.
2973
2974         The fast for-in iteration mode assumes all inline/out-of-line properties
2975         can be iterated in linear order. This is not true if we have Symbols
2976         because Symbols should not be iterated by for-in.
2977
2978         * runtime/Structure.cpp:
2979         (JSC::Structure::add):
2980         * tests/stress/symbol-should-not-break-for-in.js: Added.
2981         (assert):
2982         (foo):
2983
2984 2016-07-27  Mark Lam  <mark.lam@apple.com>
2985
2986         The second argument for Function.prototype.apply should be array-like or null/undefined.
2987         https://bugs.webkit.org/show_bug.cgi?id=160212
2988         <rdar://problem/27328525>
2989
2990         Reviewed by Filip Pizlo.
2991
2992         The spec for Function.prototype.apply says its second argument can only be null
2993         or undefined, or must be array-like.  See
2994         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
2995         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
2996
2997         Our previous implementation was not handling this correctly for SymbolType.
2998         This is now fixed.
2999
3000         * interpreter/Interpreter.cpp:
3001         (JSC::sizeOfVarargs):
3002         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
3003
3004 2016-07-27  Saam Barati  <sbarati@apple.com>
3005
3006         MathICs should be able to emit only a jump along the inline path when they don't have any type data
3007         https://bugs.webkit.org/show_bug.cgi?id=160110
3008
3009         Reviewed by Mark Lam.
3010
3011         This patch allows for MathIC fast-path generation to be delayed.
3012         We delay when we don't see any observed type information for
3013         the lhs/rhs operand, which implies that the MathIC has never
3014         executed. This is profitable for two main reasons:
3015         1. If the math operation never executes, we emit much less code.
3016         2. Once we get type information for the lhs/rhs, we can emit better code.
3017
3018         To implement this, we just emit a jump to the slow path call
3019         that will repatch on first execution.
3020
3021         New data for add:
3022                    |   JetStream  |  Unity 3D  |
3023              ------| -------------|--------------
3024               Old  |   148 bytes  |  143 bytes |
3025              ------| -------------|--------------
3026               New  |   116  bytes |  113 bytes |
3027              ------------------------------------
3028
3029         New data for mul:
3030                    |   JetStream  |  Unity 3D  |
3031              ------| -------------|--------------
3032               Old  |   210 bytes  |  185 bytes |
3033              ------| -------------|--------------
3034               New  |   170  bytes |  137 bytes |
3035              ------------------------------------
3036
3037         * jit/JITAddGenerator.cpp:
3038         (JSC::JITAddGenerator::generateInline):
3039         * jit/JITAddGenerator.h:
3040         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3041         (JSC::JITAddGenerator::isRightOperandValidConstant):
3042         (JSC::JITAddGenerator::arithProfile):
3043         * jit/JITMathIC.h:
3044         (JSC::JITMathIC::generateInline):
3045         (JSC::JITMathIC::generateOutOfLine):
3046         (JSC::JITMathIC::finalizeInlineCode):
3047         * jit/JITMathICInlineResult.h:
3048         * jit/JITMulGenerator.cpp:
3049         (JSC::JITMulGenerator::generateInline):
3050         * jit/JITMulGenerator.h:
3051         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3052         (JSC::JITMulGenerator::isRightOperandValidConstant):
3053         (JSC::JITMulGenerator::arithProfile):
3054         * jit/JITOperations.cpp:
3055
3056 2016-07-26  Saam Barati  <sbarati@apple.com>
3057
3058         rollout r203666
3059         https://bugs.webkit.org/show_bug.cgi?id=160226
3060
3061         Unreviewed rollout.
3062
3063         * b3/B3BasicBlock.h:
3064         (JSC::B3::BasicBlock::successorBlock):
3065         * b3/B3LowerToAir.cpp:
3066         (JSC::B3::Air::LowerToAir::createGenericCompare):
3067         * b3/B3LowerToAir.h:
3068         * b3/air/AirArg.cpp:
3069         (JSC::B3::Air::Arg::isRepresentableAs):
3070         (JSC::B3::Air::Arg::usesTmp):
3071         * b3/air/AirArg.h:
3072         (JSC::B3::Air::Arg::isRepresentableAs):
3073         (JSC::B3::Air::Arg::asNumber):
3074         (JSC::B3::Air::Arg::castToType): Deleted.
3075         * b3/air/AirCode.h:
3076         (JSC::B3::Air::Code::size):
3077         (JSC::B3::Air::Code::at):
3078         * b3/air/AirOpcode.opcodes:
3079         * b3/air/AirValidate.h:
3080         * b3/air/opcode_generator.rb:
3081         * b3/testb3.cpp:
3082         (JSC::B3::compileAndRun):
3083         (JSC::B3::testSomeEarlyRegister):
3084         (JSC::B3::zero):
3085         (JSC::B3::run):
3086         (JSC::B3::lowerToAirForTesting): Deleted.
3087         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3088
3089 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3090
3091         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3092         https://bugs.webkit.org/show_bug.cgi?id=159409
3093
3094         Reviewed by Geoffrey Garen.
3095
3096         * runtime/ObjectConstructor.cpp:
3097         (JSC::objectConstructorGetOwnPropertyDescriptors):
3098         * tests/es6.yaml:
3099         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3100         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3101         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3102         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3103         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
3104
3105 2016-07-26  Mark Lam  <mark.lam@apple.com>
3106
3107         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3108         https://bugs.webkit.org/show_bug.cgi?id=160203
3109
3110         Reviewed by Keith Miller.
3111
3112         * bytecompiler/BytecodeGenerator.cpp:
3113         (JSC::BytecodeGenerator::emitDebugHook):
3114
3115 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3116
3117         Unreviewed, rolling out r203703.
3118
3119         It breaks some internal tests
3120
3121         Reverted changeset:
3122
3123         "[JSC] DFG::Node should not have its own allocator"
3124         https://bugs.webkit.org/show_bug.cgi?id=160098
3125         http://trac.webkit.org/changeset/203703
3126
3127 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3128
3129         [JSC] DFG::Node should not have its own allocator
3130         https://bugs.webkit.org/show_bug.cgi?id=160098
3131
3132         Reviewed by Geoffrey Garen.
3133
3134         We need some design changes for DFG::Node:
3135         -Accessing the index must be fast. B3 uses indices for sets
3136          and maps, it is a lot faster than hashing pointers.
3137         -We should be able to subclass DFG::Node to specialize it.
3138
3139         * CMakeLists.txt:
3140         * JavaScriptCore.xcodeproj/project.pbxproj:
3141         * dfg/DFGAllocator.h: Removed.
3142         (JSC::DFG::Allocator::Region::size): Deleted.
3143         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3144         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3145         (JSC::DFG::Allocator::Region::data): Deleted.
3146         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3147         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3148         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3149         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3150         (JSC::DFG::Allocator<T>::allocate): Deleted.
3151         (JSC::DFG::Allocator<T>::free): Deleted.
3152         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3153         (JSC::DFG::Allocator<T>::reset): Deleted.
3154         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3155         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3156         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3157         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3158         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3159         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3160         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3161         * dfg/DFGByteCodeParser.cpp:
3162         (JSC::DFG::ByteCodeParser::addToGraph):
3163         * dfg/DFGCPSRethreadingPhase.cpp:
3164         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3165         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3166         * dfg/DFGCleanUpPhase.cpp:
3167         (JSC::DFG::CleanUpPhase::run):
3168         * dfg/DFGConstantFoldingPhase.cpp:
3169         (JSC::DFG::ConstantFoldingPhase::run):
3170         * dfg/DFGConstantHoistingPhase.cpp:
3171         * dfg/DFGDCEPhase.cpp:
3172         (JSC::DFG::DCEPhase::fixupBlock):
3173         * dfg/DFGDriver.cpp:
3174         (JSC::DFG::compileImpl):
3175         * dfg/DFGGraph.cpp:
3176         (JSC::DFG::Graph::Graph):
3177         (JSC::DFG::Graph::deleteNode):
3178         (JSC::DFG::Graph::killBlockAndItsContents):
3179         (JSC::DFG::Graph::~Graph): Deleted.
3180         * dfg/DFGGraph.h:
3181         (JSC::DFG::Graph::addNode):
3182         * dfg/DFGLICMPhase.cpp:
3183         (JSC::DFG::LICMPhase::attemptHoist):
3184         * dfg/DFGLongLivedState.cpp: Removed.
3185         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3186         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3187         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3188         * dfg/DFGLongLivedState.h: Removed.
3189         * dfg/DFGNode.cpp:
3190         (JSC::DFG::Node::index): Deleted.
3191         * dfg/DFGNode.h:
3192         (JSC::DFG::Node::index):
3193         * dfg/DFGNodeAllocator.h: Removed.
3194         (operator new ): Deleted.
3195         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3196         * dfg/DFGPlan.cpp:
3197         (JSC::DFG::Plan::compileInThread):
3198         (JSC::DFG::Plan::compileInThreadImpl):
3199         * dfg/DFGPlan.h:
3200         * dfg/DFGSSAConversionPhase.cpp:
3201         (JSC::DFG::SSAConversionPhase::run):
3202         * dfg/DFGWorklist.cpp:
3203         (JSC::DFG::Worklist::runThread):
3204         * runtime/VM.cpp:
3205         (JSC::VM::VM): Deleted.
3206         * runtime/VM.h:
3207
3208 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
3209
3210         AssemblyHelpers should own all of the cell allocation methods
3211         https://bugs.webkit.org/show_bug.cgi?id=160171
3212
3213         Reviewed by Saam Barati.
3214         
3215         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
3216         did cell allocation.
3217         
3218         This change moves all of that code into AssemblyHelpers.h.
3219
3220         * dfg/DFGSpeculativeJIT.h:
3221         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3222         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3223         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3224         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3225         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3226         * jit/AssemblyHelpers.h:
3227         (JSC::AssemblyHelpers::emitAllocate):
3228         (JSC::AssemblyHelpers::emitAllocateJSCell):
3229         (JSC::AssemblyHelpers::emitAllocateJSObject):
3230         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3231         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3232         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3233         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3234         * jit/JIT.h:
3235         * jit/JITInlines.h:
3236         (JSC::JIT::isOperandConstantChar):
3237         (JSC::JIT::emitValueProfilingSite):
3238         (JSC::JIT::emitAllocateJSObject): Deleted.
3239         * jit/JITOpcodes.cpp:
3240         (JSC::JIT::emit_op_new_object):
3241         (JSC::JIT::emit_op_create_this):
3242         * jit/JITOpcodes32_64.cpp:
3243         (JSC::JIT::emit_op_new_object):
3244         (JSC::JIT::emit_op_create_this):
3245
3246 2016-07-25  Saam Barati  <sbarati@apple.com>
3247
3248         MathICs should be able to take and dump stats about code size
3249         https://bugs.webkit.org/show_bug.cgi?id=160148
3250
3251         Reviewed by Filip Pizlo.
3252
3253         This will make testing changes on MathIC going forward much easier.
3254         We will be able to easily see if modifications to MathIC will lead
3255         to us generating smaller code. We now only dump average size when we
3256         regenerate any MathIC. This works out for large tests/pages, but is not
3257         great for testing small programs. We can add more dump points later if
3258         we find that we want to dump stats while running small programs.
3259
3260         * bytecode/CodeBlock.cpp:
3261         (JSC::CodeBlock::jitSoon):
3262         (JSC::CodeBlock::dumpMathICStats):
3263         * bytecode/CodeBlock.h:
3264         (JSC::CodeBlock::isStrictMode):
3265         (JSC::CodeBlock::ecmaMode):
3266         * dfg/DFGSpeculativeJIT.cpp:
3267         (JSC::DFG::SpeculativeJIT::compileMathIC):
3268         * ftl/FTLLowerDFGToB3.cpp:
3269         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3270         * jit/JITArithmetic.cpp:
3271         (JSC::JIT::emitMathICFast):
3272         (JSC::JIT::emitMathICSlow):
3273         * jit/JITMathIC.h:
3274         (JSC::JITMathIC::finalizeInlineCode):
3275         (JSC::JITMathIC::codeSize):
3276         * jit/JITOperations.cpp:
3277
3278 2016-07-25  Saam Barati  <sbarati@apple.com>
3279
3280         op_mul/ArithMul(Untyped,Untyped) should be an IC
3281         https://bugs.webkit.org/show_bug.cgi?id=160108
3282
3283         Reviewed by Mark Lam.
3284
3285         This patch makes Mul a type based IC in much the same way that we made
3286         Add a type-based IC. I implemented Mul in the same way. I abstracted the
3287         implementation of the Add IC in the various JITs to allow for it to
3288         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
3289         future easy. This patch also adds a new boolean argument to the various
3290         snippet generateFastPath() methods to indicate if we should emit result profiling.
3291         I added this because we want this profiling to be emitted for Mul in
3292         the baseline, but not in the DFG. We used to indicate this through passing
3293         in a nullptr for the ArithProfile, but we no longer do that in the upper
3294         JIT tiers. So we are passing an explicit request from the JIT tier about
3295         whether or not it's worth it for the IC to emit profiling.
3296
3297         We now emit much less code for Mul. Here is some data on the average
3298         Mul snippet/IC size:
3299
3300                    |   JetStream  |  Unity 3D  |
3301              ------| -------------|--------------
3302               Old  |  ~280 bytes  | ~280 bytes |
3303              ------| -------------|--------------
3304               New  |   210  bytes |  185 bytes |
3305              ------------------------------------
3306
3307         * bytecode/CodeBlock.cpp:
3308         (JSC::CodeBlock::addJITAddIC):
3309         (JSC::CodeBlock::addJITMulIC):
3310         (JSC::CodeBlock::findStubInfo):
3311         * bytecode/CodeBlock.h:
3312         (JSC::CodeBlock::stubInfoBegin):
3313         (JSC::CodeBlock::stubInfoEnd):
3314         * dfg/DFGSpeculativeJIT.cpp:
3315         (JSC::DFG::GPRTemporary::adopt):
3316         (JSC::DFG::FPRTemporary::FPRTemporary):
3317         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3318         (JSC::DFG::SpeculativeJIT::compileMathIC):
3319         (JSC::DFG::SpeculativeJIT::compileArithMul):
3320         * dfg/DFGSpeculativeJIT.h:
3321         (JSC::DFG::SpeculativeJIT::callOperation):
3322         (JSC::DFG::GPRTemporary::GPRTemporary):
3323         (JSC::DFG::GPRTemporary::operator=):
3324         (JSC::DFG::FPRTemporary::~FPRTemporary):
3325         (JSC::DFG::FPRTemporary::fpr):
3326         * ftl/FTLLowerDFGToB3.cpp:
3327         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
3328         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3329         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3330         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3331         * jit/JIT.h:
3332         (JSC::JIT::getSlowCase):
3333         * jit/JITAddGenerator.cpp:
3334         (JSC::JITAddGenerator::generateInline):
3335         (JSC::JITAddGenerator::generateFastPath):
3336         * jit/JITAddGenerator.h:
3337         (JSC::JITAddGenerator::JITAddGenerator):