[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        B3 CSE should be able to match a full redundancy even if none of the matches dominate the value in question
        https://bugs.webkit.org/show_bug.cgi?id=153321

        Reviewed by Benjamin Poulain.

        I once learned that LLVM's GVN can manufacture Phi functions. I don't know the details
        but I'm presuming that it involves:

            if (p)
                tmp1 = *ptr
            else
                tmp2 = *ptr
            tmp3 = *ptr // Replace this with Phi(tmp1, tmp2).

        This adds such an optimization to our CSE. The idea is that we search through basic
        blocks until we find the value we want, a side effect, or the start of the procedure. If
        we find a value that matches our search criteria, we record it and ignore the
        predecessors. If we find a side effect or the start of the procedure, we give up the
        whole search. This ensures that if we come out of the search without giving up, we'll
        have a set of matches that are fully redundant.

        CSE could then create a Phi graph by using SSACalculator. But the recent work on FixSSA
        revealed a much more exciting option: create a stack slot! In case there is more than one
        match, CSE now creates a stack slot that each match stores to, and replaces the redundant
        instruction with a load from the stack slot. The stack slot is anonymous, which ensures
        that FixSSA will turn it into an optimal Phi graph or whatever.

        This is a significant speed-up on Octane/richards.

        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::fixSSA):
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setFrontendData):
        (JSC::B3::Procedure::frontendData):
        * b3/testb3.cpp:
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

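The backwards search described in the entry above, as an added example in C++ that is not JavaScriptCore's code. It runs over a toy CFG in which only loads of the same address can match and any store is a side effect; the `Op`/`Block` types, `findFullRedundancy`, `matchCount` and the two constructed procedures (`makeDiamond`, the if/else shape from the entry, and `makeLoop`) are all assumptions of this example, and block 0 is taken as the procedure entry. It also covers the loop case the entry does not spell out: a back edge into the block holding the candidate load is only acceptable if the ops after that load are store-free.

```cpp
#include <cassert>
#include <cstdio>
#include <set>
#include <vector>

// Toy IR (added example, not B3's own code). A block is a list of ops plus
// predecessor indices; block 0 is the entry. Only loads can match; any store
// is a side effect that ends the search.
enum class OpKind { Load, Store, Pure };
struct Op { OpKind kind; int addr; };          // addr is ignored for Pure ops
struct Block { std::vector<Op> ops; std::vector<int> preds; };
struct Match { int block; int index; };

// Searches backwards from the load at proc[block].ops[index]. Returns true and
// fills `matches` when every path from the entry reaches an earlier load of the
// same address with no store in between (a full redundancy); returns false if
// any path hits a store or reaches the entry block without a match.
bool findFullRedundancy(const std::vector<Block>& proc, int block, int index, std::vector<Match>& matches)
{
    const int addr = proc[block].ops[index].addr;
    matches.clear();
    std::set<int> visited { block };
    std::vector<int> worklist;
    bool gaveUp = false;
    bool loopedToOrigin = false;

    // Scan ops [to, from) of block b from the end. Returns true when the scan
    // fell off the start of the range, i.e. predecessors still need searching.
    auto scan = [&](int b, int from, int to) -> bool {
        for (int i = from - 1; i >= to; --i) {
            const Op& op = proc[b].ops[i];
            if (op.kind == OpKind::Store) { gaveUp = true; return false; }
            if (op.kind == OpKind::Load && op.addr == addr) { matches.push_back({ b, i }); return false; }
        }
        return true;
    };
    auto reachedStart = [&](int b) {
        if (b == 0) { gaveUp = true; return; }   // start of the procedure: this path has no match
        for (int pred : proc[b].preds) worklist.push_back(pred);
    };

    if (scan(block, index, 0)) reachedStart(block);
    while (!gaveUp && !worklist.empty()) {
        int b = worklist.back();
        worklist.pop_back();
        if (b == block) {
            // A loop edge back into the origin block: the ops after the load on the
            // previous iteration must be store-free; the load itself then matches.
            if (loopedToOrigin) continue;
            loopedToOrigin = true;
            scan(b, (int)proc[b].ops.size(), index);
            continue;
        }
        if (!visited.insert(b).second) continue;  // already searched from this block's end
        if (scan(b, (int)proc[b].ops.size(), 0)) reachedStart(b);
    }
    return !gaveUp;
}

// Number of matches found, or -1 if the search gave up.
int matchCount(const std::vector<Block>& proc, int block, int index)
{
    std::vector<Match> matches;
    return findFullRedundancy(proc, block, index, matches) ? (int)matches.size() : -1;
}

// The if/else shape from the entry: block 0 branches to 1 and 2, which join in 3.
// The left branch always loads *ptr; the right branch's last op is the parameter.
std::vector<Block> makeDiamond(OpKind rightKind)
{
    const int ptr = 42;                          // constructed address id
    std::vector<Block> proc(4);
    proc[0] = { { { OpKind::Pure, 0 } }, {} };
    proc[1] = { { { OpKind::Load, ptr } }, { 0 } };
    proc[2] = { { { OpKind::Pure, 0 }, { rightKind, ptr } }, { 0 } };
    proc[3] = { { { OpKind::Load, ptr } }, { 1, 2 } };   // tmp3 = *ptr, the candidate
    return proc;
}

// A loop: block 0 loads *ptr and falls into block 1, which loads *ptr and then
// either stays pure or stores before branching back to itself.
std::vector<Block> makeLoop(OpKind tailKind)
{
    const int ptr = 42;
    std::vector<Block> proc(2);
    proc[0] = { { { OpKind::Load, ptr } }, {} };
    proc[1] = { { { OpKind::Load, ptr }, { tailKind, ptr } }, { 0, 1 } };
    return proc;
}

int main()
{
    std::printf("diamond, both branches load: %d matches\n", matchCount(makeDiamond(OpKind::Load), 3, 0));
    std::printf("diamond, right branch stores: %d\n", matchCount(makeDiamond(OpKind::Store), 3, 0));
    std::printf("diamond, right branch pure:   %d\n", matchCount(makeDiamond(OpKind::Pure), 3, 0));
    std::printf("loop, store-free tail: %d matches\n", matchCount(makeLoop(OpKind::Pure), 1, 0));
    std::printf("loop, tail stores:     %d\n", matchCount(makeLoop(OpKind::Store), 1, 0));
    return 0;
}
```

Two matches on the diamond is exactly the case the entry targets: neither match dominates the candidate, so the caller would create a stack slot, store to it at each match, and load from it at the candidate. A single match (a dominating load) and the give-up result are the two other outcomes a caller has to handle.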
2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Air should know that CeilDouble has the partial register stall issue
        https://bugs.webkit.org/show_bug.cgi?id=153338

        Rubber stamped by Benjamin Poulain.

        This is an 8% speed-up on Kraken with B3 enabled, mostly because of a 2.4x speed-up on
        audio-oscillator.

        * b3/air/AirFixPartialRegisterStalls.cpp:

2016-01-21  Andy VanWagoner  <andy@instructure.com>

        [INTL] Implement Array.prototype.toLocaleString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147614

        Reviewed by Benjamin Poulain.

        The primary differences between the ECMA-402 version and the existing implementation
        are that the arguments are passed on to each element's toLocaleString call, and
        missing/undefined/null elements become empty string instead of being skipped.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):

2016-01-21  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153312

        Reviewed by Alex Christensen.

        Since MSVC has several overloads of sin, cos, pow, and log, we need to specify
        which one we want to use.

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::doublePow):
        (JSC::FTL::Output::doubleLog):

2016-01-21  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] foldPathConstants() makes invalid assumptions with Switch
        https://bugs.webkit.org/show_bug.cgi?id=153324

        Reviewed by Filip Pizlo.

        If a Switch() has two cases pointing to the same basic block, foldPathConstants()
        was adding two overrides for that block with two different constants.
        If the block with the Switch dominates the target, both overrides were equally valid
        and we were assuming either of the constants as the value in the target block.

        See testSwitchTargettingSameBlockFoldPathConstant() for an example that breaks.

        This patch adds checks to ignore any block that is reached more than
        once by the control value.

        * b3/B3FoldPathConstants.cpp:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/testb3.cpp:
        (JSC::B3::testSwitchTargettingSameBlock):
        (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
        (JSC::B3::run):

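The Switch override rule from the entry above, as an added example in C++ that is not B3's code: `naiveSwitchOverrides` records one constant per case, so a block that two cases jump to keeps whichever constant came last; `switchOverrides` counts the switch edges into each block (cases plus the fallthrough, whose value is unknown) and only overrides blocks reached exactly once. The `SwitchCase` type, both function names, and the block ids and case values in `main` are constructed for this example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Added example (not B3's own code): which Switch targets may receive an
// override saying "the switched value equals this constant in this block".
struct SwitchCase { int64_t value; int target; };   // target is a block id

// The broken assumption: record one override per case, so a block that two
// cases jump to ends up with whichever constant was seen last.
std::map<int, int64_t> naiveSwitchOverrides(const std::vector<SwitchCase>& cases)
{
    std::map<int, int64_t> overrides;
    for (const SwitchCase& c : cases)
        overrides[c.target] = c.value;
    return overrides;
}

// Fixed: count how many switch edges enter each block (the cases plus the
// fallthrough, whose value is unknown) and only override blocks reached once.
std::map<int, int64_t> switchOverrides(const std::vector<SwitchCase>& cases, int fallThrough)
{
    std::map<int, int> edgesInto;
    for (const SwitchCase& c : cases)
        ++edgesInto[c.target];
    ++edgesInto[fallThrough];

    std::map<int, int64_t> overrides;
    for (const SwitchCase& c : cases) {
        if (edgesInto[c.target] == 1)
            overrides[c.target] = c.value;
    }
    return overrides;
}

int main()
{
    // Constructed switch: values 1 and 2 both go to block 5, value 3 goes to
    // block 6, and everything else falls through to block 7.
    std::vector<SwitchCase> cases = { { 1, 5 }, { 2, 5 }, { 3, 6 } };
    for (const auto& kv : naiveSwitchOverrides(cases))
        std::printf("naive: block %d assumed value %lld\n", kv.first, (long long)kv.second);
    for (const auto& kv : switchOverrides(cases, 7))
        std::printf("fixed: block %d assumed value %lld\n", kv.first, (long long)kv.second);
    return 0;
}
```

The naive version claims block 5 holds the value 2 even though a path with value 1 also reaches it; the fixed version overrides only block 6. A case that targets the fallthrough block itself is disqualified for the same reason.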
2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo DFGCommon.h change that accidentally enabled the B3 JIT.

        * dfg/DFGCommon.h:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        Move32 should have an Imm, Tmp form
        https://bugs.webkit.org/show_bug.cgi?id=153313

        Reviewed by Mark Lam.

        This enables some useful optimizations, like constant propagation in fixObviousSpills().

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::move):
        * b3/air/AirOpcode.opcodes:

2016-01-21  Filip Pizlo  <fpizlo@apple.com>

        B3 should have load elimination
        https://bugs.webkit.org/show_bug.cgi?id=153288

        Reviewed by Geoffrey Garen.

        This adds a complete GCSE pass that includes load elimination. It would have been super hard
        to make this work as part of the reduceStrength() fixpoint, since GCSE needs to analyze
        control flow and reduceStrength() is messing with control flow. So, I did a compromise: I
        factored out the pure CSE that reduceStrength() was already doing, and now we have:

        - reduceStrength() still does pure CSE using the new PureCSE helper.

        - eliminateCommonSubexpressions() is a separate phase that does general CSE. It uses the
          PureCSE helper for pure values and does its own special thing for memory values.

        Unfortunately, this doesn't help any benchmark right now. It doesn't hurt anything, either,
        and it's likely to become a bigger pay-off once we implement other features, like mapping
        FTL's abstract heaps onto B3's heap ranges.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3EliminateCommonSubexpressions.cpp: Added.
        (JSC::B3::eliminateCommonSubexpressions):
        * b3/B3EliminateCommonSubexpressions.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange):
        * b3/B3InsertionSet.h:
        (JSC::B3::InsertionSet::InsertionSet):
        (JSC::B3::InsertionSet::isEmpty):
        (JSC::B3::InsertionSet::code):
        (JSC::B3::InsertionSet::appendInsertion):
        * b3/B3MemoryValue.h:
        * b3/B3PureCSE.cpp: Added.
        (JSC::B3::PureCSE::PureCSE):
        (JSC::B3::PureCSE::~PureCSE):
        (JSC::B3::PureCSE::clear):
        (JSC::B3::PureCSE::process):
        * b3/B3PureCSE.h: Added.
        * b3/B3ReduceStrength.cpp:
        * b3/B3ReduceStrength.h:
        * b3/B3Validate.cpp:

2016-01-21  Keith Miller  <keith_miller@apple.com>

        Fix bug in TypedArray.prototype.set and add tests
        https://bugs.webkit.org/show_bug.cgi?id=153309

        Reviewed by Michael Saboff.

        This patch fixes an issue with TypedArray.prototype.set where we would
        assign a double to an unsigned without checking that the double was
        in the range of the unsigned. The patch also adds tests for set for
        cases that were not covered before.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):
        * tests/stress/typedarray-set.js: Added.

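The double-to-unsigned issue from the entry above, as an added example in C++ that is not JSC's code and only illustrates the pattern, not JSC's actual implementation. `naiveSetInBounds` narrows the JS Number offset before bounds-checking it, so an offset such as 2^32+1 or -1 wraps to a small value and the check passes; `resolveSetOffset` validates the double first and only then narrows. Both function names, the int64 narrowing step and the sample offsets are assumptions of this example.

```cpp
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Added example (not JSC's own code): the offset check of a TypedArray
// set(source, offset), before and after validating the double's range.
// Both functions answer: may `sourceLength` elements be written at `offset`
// into a target of `targetLength` elements?

// Buggy pattern: narrow the JS Number to unsigned first, then bounds-check the
// narrowed value. A huge or negative offset wraps to a small unsigned and the
// check passes, so the later copy would write outside the target buffer.
// (The double -> int64 cast is only defined for |offset| < 2^63; the sample
// inputs stay in that range. The int64 -> unsigned step wraps modulo 2^32.)
bool naiveSetInBounds(double offset, unsigned sourceLength, unsigned targetLength)
{
    unsigned narrowed = static_cast<unsigned>(static_cast<int64_t>(offset));
    return narrowed + sourceLength <= targetLength;   // the unsigned add can wrap too
}

// Hardened pattern: reject NaN, infinities and negative offsets, truncate like
// ToInteger, and compare against the target size while the value is still a
// double (exact for every integer below 2^53). Returns the offset to use, or
// -1 when the write would be out of range.
long long resolveSetOffset(double offset, unsigned sourceLength, unsigned targetLength)
{
    if (!std::isfinite(offset) || offset < 0)
        return -1;
    double truncated = std::trunc(offset);
    // targetLength - sourceLength computed in double: negative when the source
    // alone is too big, so every non-negative offset is then rejected.
    double maxOffset = static_cast<double>(targetLength) - static_cast<double>(sourceLength);
    if (truncated > maxOffset)
        return -1;
    return static_cast<long long>(truncated);   // now provably within [0, targetLength]
}

int main()
{
    std::printf("offset 2^32+1: naive says %s, checked says %lld\n",
        naiveSetInBounds(4294967297.0, 4, 8) ? "in bounds" : "out of bounds",
        resolveSetOffset(4294967297.0, 4, 8));
    std::printf("offset -1:     naive says %s, checked says %lld\n",
        naiveSetInBounds(-1.0, 4, 8) ? "in bounds" : "out of bounds",
        resolveSetOffset(-1.0, 4, 8));
    std::printf("offset 2.9:    checked says %lld\n", resolveSetOffset(2.9, 4, 8));
    return 0;
}
```

The order of operations is the whole point: any comparison done after a lossy narrowing only bounds the narrowed value, not the input the caller supplied.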
2016-01-19  Ada Chan  <adachan@apple.com>

        Make it possible to enable VIDEO_PRESENTATION_MODE on other Cocoa platforms.
        https://bugs.webkit.org/show_bug.cgi?id=153218

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2016-01-21  Per Arne Vollan  <peavo@outlook.com>

        [B3][CMake] Add missing source file.
        https://bugs.webkit.org/show_bug.cgi?id=153303

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2016-01-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195375.
        https://bugs.webkit.org/show_bug.cgi?id=153300

        Caused crashes on GuardMalloc (Requested by ap on #webkit).

        Reverted changeset:

        "TypedArray's .buffer does not return the JSArrayBuffer that
        was passed to it on creation."
        https://bugs.webkit.org/show_bug.cgi?id=153281
        http://trac.webkit.org/changeset/195375

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        B3 should have basic path specialization
        https://bugs.webkit.org/show_bug.cgi?id=153200

        Reviewed by Benjamin Poulain.

        This adds two different kinds of path specializations:

        - Check(Select) where the Select results are constants is specialized into a Branch
          instead of a Select, with duplicated paths on which the results of the Select are folded.

        - Tail duplication. A jump to a small block causes the block's contents to be copied over
          the Jump.

        Both optimizations required being able to clone Values. We can now do that using
        proc.clone(value).

        Check(Select) specialization needed some utilities for walking graphs of Values.

        Tail duplication needed SSA fixup, so I added a way to demote values to anonymous stack
        slots (B3's equivalent of non-SSA variables) and a way to "fix SSA", i.e. to allocate
        anonymous stack slots to SSA values along with an optimal Phi graph.

        This is a big speed-up on Octane/deltablue. It's a 2.2% speed-up on Octane overall.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3ArgumentRegValue.cpp:
        (JSC::B3::ArgumentRegValue::dumpMeta):
        (JSC::B3::ArgumentRegValue::cloneImpl):
        * b3/B3ArgumentRegValue.h:
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::append):
        (JSC::B3::BasicBlock::appendNonTerminal):
        (JSC::B3::BasicBlock::removeLast):
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::values):
        * b3/B3BasicBlockInlines.h:
        (JSC::B3::BasicBlock::appendNew):
        (JSC::B3::BasicBlock::appendNewNonTerminal):
        (JSC::B3::BasicBlock::replaceLastWithNew):
        * b3/B3BlockInsertionSet.h:
        * b3/B3BreakCriticalEdges.cpp: Added.
        (JSC::B3::breakCriticalEdges):
        * b3/B3BreakCriticalEdges.h: Added.
        * b3/B3CCallValue.cpp:
        (JSC::B3::CCallValue::~CCallValue):
        (JSC::B3::CCallValue::cloneImpl):
        * b3/B3CCallValue.h:
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::convertToAdd):
        (JSC::B3::CheckValue::cloneImpl):
        (JSC::B3::CheckValue::CheckValue):
        * b3/B3CheckValue.h:
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::dumpMeta):
        (JSC::B3::Const32Value::cloneImpl):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::dumpMeta):
        (JSC::B3::Const64Value::cloneImpl):
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::dumpMeta):
        (JSC::B3::ConstDoubleValue::cloneImpl):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::dumpMeta):
        (JSC::B3::ConstFloatValue::cloneImpl):
        * b3/B3ConstFloatValue.h:
        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::dumpMeta):
        (JSC::B3::ControlValue::cloneImpl):
        * b3/B3ControlValue.h:
        * b3/B3DuplicateTails.cpp: Added.
        (JSC::B3::duplicateTails):
        * b3/B3DuplicateTails.h: Added.
        * b3/B3FixSSA.cpp: Added.
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::Iterable::Iterable):
        (JSC::B3::IndexSet::values):
        (JSC::B3::IndexSet::indices):
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::insertIntConstant):
        (JSC::B3::InsertionSet::insertBottom):
        (JSC::B3::InsertionSet::execute):
        * b3/B3InsertionSet.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::tmp):
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::dumpMeta):
        (JSC::B3::MemoryValue::cloneImpl):
        * b3/B3MemoryValue.h:
        * b3/B3OriginDump.cpp: Added.
        (JSC::B3::OriginDump::dump):
        * b3/B3OriginDump.h:
        (JSC::B3::OriginDump::OriginDump):
        (JSC::B3::OriginDump::dump): Deleted.
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::dumpMeta):
        (JSC::B3::PatchpointValue::cloneImpl):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::clone):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::addBottom):
        (JSC::B3::Procedure::addBoolConstant):
        (JSC::B3::Procedure::deleteValue):
        * b3/B3Procedure.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3SSACalculator.cpp: Added.
        (JSC::B3::SSACalculator::Variable::dump):
        (JSC::B3::SSACalculator::Variable::dumpVerbose):
        (JSC::B3::SSACalculator::Def::dump):
        (JSC::B3::SSACalculator::SSACalculator):
        (JSC::B3::SSACalculator::~SSACalculator):
        (JSC::B3::SSACalculator::reset):
        (JSC::B3::SSACalculator::newVariable):
        (JSC::B3::SSACalculator::newDef):
        (JSC::B3::SSACalculator::nonLocalReachingDef):
        (JSC::B3::SSACalculator::reachingDefAtTail):
        (JSC::B3::SSACalculator::dump):
        * b3/B3SSACalculator.h: Added.
        (JSC::B3::SSACalculator::Variable::index):
        (JSC::B3::SSACalculator::Variable::Variable):
        (JSC::B3::SSACalculator::Def::variable):
        (JSC::B3::SSACalculator::Def::block):
        (JSC::B3::SSACalculator::Def::value):
        (JSC::B3::SSACalculator::Def::Def):
        (JSC::B3::SSACalculator::variable):
        (JSC::B3::SSACalculator::computePhis):
        (JSC::B3::SSACalculator::phisForBlock):
        (JSC::B3::SSACalculator::reachingDefAtHead):
        * b3/B3StackSlotKind.h:
        * b3/B3StackSlotValue.cpp:
        (JSC::B3::StackSlotValue::dumpMeta):
        (JSC::B3::StackSlotValue::cloneImpl):
        * b3/B3StackSlotValue.h:
        * b3/B3SwitchValue.cpp:
        (JSC::B3::SwitchValue::dumpMeta):
        (JSC::B3::SwitchValue::cloneImpl):
        (JSC::B3::SwitchValue::SwitchValue):
        * b3/B3SwitchValue.h:
        * b3/B3UpsilonValue.cpp:
        (JSC::B3::UpsilonValue::dumpMeta):
        (JSC::B3::UpsilonValue::cloneImpl):
        * b3/B3UpsilonValue.h:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::replaceWithNop):
        (JSC::B3::Value::replaceWithPhi):
        (JSC::B3::Value::dump):
        (JSC::B3::Value::cloneImpl):
        (JSC::B3::Value::dumpChildren):
        (JSC::B3::Value::deepDump):
        * b3/B3Value.h:
        (JSC::B3::DeepValueDump::DeepValueDump):
        (JSC::B3::DeepValueDump::dump):
        (JSC::B3::deepDump):
        * b3/B3ValueInlines.h:
        (JSC::B3::Value::asNumber):
        (JSC::B3::Value::walk):
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::intConstant):
        (JSC::B3::ValueKey::dump):
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::ValueKey):
        (JSC::B3::ValueKey::opcode):
        (JSC::B3::ValueKey::type):
        (JSC::B3::ValueKey::childIndex):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::forAllTmps):
        (JSC::B3::Air::Code::isFastTmp):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        (JSC::B3::Air::UseCounts::operator[]):
        (JSC::B3::Air::UseCounts::dump):
        * b3/testb3.cpp:
        (JSC::B3::testSelectInvert):
        (JSC::B3::testCheckSelect):
        (JSC::B3::testCheckSelectCheckSelect):
        (JSC::B3::testPowDoubleByIntegerLoop):
        (JSC::B3::run):
        * runtime/Options.h:

2016-01-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix a typo in the Air definition of CeilDouble/CeilFloat
        https://bugs.webkit.org/show_bug.cgi?id=153286

        Reviewed by Mark Lam.

        * b3/air/AirOpcode.opcodes:
        The second argument should be a Def. The previous definition was
        adding useless constraints on the allocation of the second argument.

2016-01-20  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] The register allocator can use a dangling pointer when selecting a spill candidate
        https://bugs.webkit.org/show_bug.cgi?id=153287

        Reviewed by Mark Lam.

        A tricky bug I discovered while experimenting with live range breaking.

        We have the following initial conditions:
        - UseCounts is slow, so we only compute it once for all the iterations
          of the allocator.
        - The only new Tmps we create are for spills and refills. They are unspillable
          by definition so it is fine to not update UseCounts accordingly.

        But, in selectSpill(), we go over all the spill candidates and select the best
        one based on its score. The score() lambda uses useCounts, so it cannot be used
        with new Tmps created for something we already spilled.

        The first use of score() is correct: we started by skipping all the unspillable
        Tmps from the candidates. The next use was incorrect: we were checking unspillableTmps
        *after* calling score().

        The existing tests did not catch this due to bad luck. I added an assertion
        to find similar problems in the future.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:

2016-01-20  Saam barati  <sbarati@apple.com>

        Fix CLoop build after bug https://bugs.webkit.org/show_bug.cgi?id=152766

        Unreviewed build fix.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2016-01-20  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147613

        Reviewed by Darin Adler.

        Implement toLocaleTimeString in builtin JavaScript.

        * builtins/DatePrototype.js:
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

2016-01-20  Saam barati  <sbarati@apple.com>

        Web Inspector: Hook the sampling profiler into the Timelines UI
        https://bugs.webkit.org/show_bug.cgi?id=152766
        <rdar://problem/24066360>

        Reviewed by Joseph Pecoraro.

        This patch adds some necessary functions to SamplingProfiler::StackFrame
        to allow it to give data to the Inspector for the timelines UI, i.e., the
        sourceID of the executable of a stack frame.

        This patch also swaps in the SamplingProfiler in place of the
        LegacyProfiler inside InspectorScriptProfilerAgent. It adds
        the necessary protocol data to allow the SamplingProfiler's
        data to hook into the timelines UI.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setProfilingClient):
        (JSC::Debugger::willEvaluateScript):
        (JSC::Debugger::didEvaluateScript):
        (JSC::Debugger::toggleBreakpoint):
        * debugger/Debugger.h:
        * debugger/ScriptProfilingScope.h:
        (JSC::ScriptProfilingScope::ScriptProfilingScope):
        (JSC::ScriptProfilingScope::~ScriptProfilingScope):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        (Inspector::InspectorScriptProfilerAgent::stopTracking):
        (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
        (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildSamples):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::buildAggregateCallInfoInspectorObject): Deleted.
        (Inspector::buildInspectorObject): Deleted.
        (Inspector::buildProfileInspectorObject): Deleted.
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/protocol/ScriptProfiler.json:
        * jsc.cpp:
        (functionSamplingProfilerStackTraces):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::clearData):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::startLine):
        (JSC::SamplingProfiler::StackFrame::startColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (JSC::SamplingProfiler::stackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::displayName): Deleted.
        (JSC::SamplingProfiler::stacktracesAsJSON): Deleted.
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::StackFrame):
        (JSC::SamplingProfiler::getLock):
        (JSC::SamplingProfiler::setTimingInterval):
        (JSC::SamplingProfiler::totalTime):
        (JSC::SamplingProfiler::setStopWatch):
        (JSC::SamplingProfiler::stackTraces): Deleted.
        * tests/stress/sampling-profiler-anonymous-function.js:
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-basic.js:
        (platformSupportsSamplingProfiler.nothing):
        (platformSupportsSamplingProfiler.top):
        * tests/stress/sampling-profiler/samplingProfiler.js:
        (doesTreeHaveStackTrace):

2016-01-20  Keith Miller  <keith_miller@apple.com>

        TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
        https://bugs.webkit.org/show_bug.cgi?id=153281

        Reviewed by Geoffrey Garen.

        When creating a JSArrayBuffer we should make sure that the backing ArrayBuffer uses the
        new JSArrayBuffer as its wrapper. This causes issues when we get the buffer of a Typed Array
        created by passing a JSArrayBuffer, as the backing ArrayBuffer does not have a reference to
        the original JSArrayBuffer and a new object is created.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::finishCreation):
        * tests/stress/typedarray-buffer-neutered.js: Added.
        (arrays.typedArrays.map):

2016-01-20  Andreas Kling  <akling@apple.com>

        Pack RegisterAtOffset harder.
        <https://webkit.org/b/152501>

        Reviewed by Michael Saboff.

        Pack the register index and the offset into a single pointer-sized word instead of two.
        This reduces memory consumption by 620 kB on mobile theverge.com.

        The packing doesn't succeed on MSVC for some reason, so I've left out the static
        assertion about class size in those builds.

        * jit/RegisterAtOffset.cpp:
        * jit/RegisterAtOffset.h:

2016-01-20  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fix.
        https://bugs.webkit.org/show_bug.cgi?id=153278

        Reviewed by Filip Pizlo.

        MSVC does not accept that a class declared as exported also has members declared as exported.

        * b3/B3Const32Value.h:
        * b3/B3ControlValue.h:

2016-01-19  Keith Miller  <keith_miller@apple.com>

        [ES6] Fix various issues with TypedArrays.
        https://bugs.webkit.org/show_bug.cgi?id=153245

        Reviewed by Geoffrey Garen.

        This patch fixes a couple of issues with TypedArrays:

        1) We were not checking if a view had been neutered and throwing an error
        if it had in our TypedArray.prototype functions.

        2) The TypedArray.prototype.set function had a couple of minor issues with
        checking for the offset being negative.

        3) The JSArrayBufferView class did not check if the backing store had
        been neutered when computing the offset even though the view's vector
        pointer had been set to NULL. This meant that under some conditions we
        could, occasionally, return a garbage number as the offset. Now, we only
        neuter views if the backing ArrayBuffer's view is actually transferred.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNeuterTypedArray):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::isNeutered):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncEntries):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncFill):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncKeys):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::typedArrayViewProtoFuncValues):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort): Deleted.
        * tests/stress/typedarray-functions-with-neutered.js: Added.
        (getGetter):
        (unit):
        (args.new.Int32Array):
        (arrays.typedArrays.map):
        (checkProtoFunc.throwsCorrectError):
        (checkProtoFunc):
        (test):

2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147612

        Reviewed by Benjamin Poulain.

        Implement toLocaleDateString in builtin JavaScript. Remove comments with
        spec steps, and instead link to the new HTML version of the spec.

        Avoids creating an extra empty object in the prototype chain of the options
        object in ToDateTimeOptions. The version used in toLocaleString was updated
        to match as well.

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleDateString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

2016-01-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] fixSpillSlotZDef() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=153246

        Reviewed by Geoffrey Garen.

        Moving an immediate to memory is not a valid instruction on ARM64.
        This patch adds a small workaround for this specific case: an instruction
        to zero a chunk of memory.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::storeZero32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::storeZero32):
        * b3/air/AirFixSpillSlotZDef.h:
        (JSC::B3::Air::fixSpillSlotZDef):
        * b3/air/AirOpcode.opcodes:

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition for data detection.

        * Configurations/FeatureDefines.xcconfig:

2016-01-19  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile and warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153234

        Reviewed by Alex Christensen.

        The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
        when we want the size to be 8 bytes.

        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3ReduceStrength.cpp:

2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Fix the B3 build after r195159
        https://bugs.webkit.org/show_bug.cgi?id=153232

        Reviewed by Yusuke Suzuki.

        * CMakeLists.txt:

2016-01-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195300.
        https://bugs.webkit.org/show_bug.cgi?id=153244

        enrica wants more time to fix Windows (Requested by thorton on
        #webkit).

        Reverted changeset:

        "Add support for DataDetectors in WK (iOS)."
        https://bugs.webkit.org/show_bug.cgi?id=152989
        http://trac.webkit.org/changeset/195300

745 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
746
747         Reconsider B3's constant motion policy
748         https://bugs.webkit.org/show_bug.cgi?id=152202
749
750         Reviewed by Geoffrey Garen.
751
752         This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
753         It has a generally positive impact on the Octane score, but it's within margin of error.
754
755         This also changes IRC to make it a bit more likely to spill constants. We don't want it to
756         spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
757         a constant from the stack with the constant itself, especially in case of instructions that
758         need an extra register to materialize the immediate.
759
760         Also fixed DFG graph dumping to print a bit fewer things. It was trying to print the results of
761         constant property inference, and this sometimes caused crashes when you dumped the graph at an
762         inopportune time.
763
764         * JavaScriptCore.xcodeproj/project.pbxproj:
765         * b3/B3MoveConstants.cpp:
766         * b3/air/AirArg.h:
767         * b3/air/AirArgInlines.h: Added.
768         (JSC::B3::Air::ArgThingHelper<Tmp>::is):
769         (JSC::B3::Air::ArgThingHelper<Tmp>::as):
770         (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
771         (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
772         (JSC::B3::Air::ArgThingHelper<Arg>::is):
773         (JSC::B3::Air::ArgThingHelper<Arg>::as):
774         (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
775         (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
776         (JSC::B3::Air::Arg::is):
777         (JSC::B3::Air::Arg::as):
778         (JSC::B3::Air::Arg::forEachFast):
779         (JSC::B3::Air::Arg::forEach):
780         * b3/air/AirIteratedRegisterCoalescing.cpp:
781         * b3/air/AirUseCounts.h:
782         (JSC::B3::Air::UseCounts::UseCounts):
783         * dfg/DFGGraph.cpp:
784         (JSC::DFG::Graph::dump):
785
786 2016-01-19  Enrica Casucci  <enrica@apple.com>
787
788         Add support for DataDetectors in WK (iOS).
789         https://bugs.webkit.org/show_bug.cgi?id=152989
790         rdar://problem/22855960
791
792         Reviewed by Tim Horton.
793
794         Adding feature definition.
795
796         * Configurations/FeatureDefines.xcconfig:
797
798 2016-01-17  Filip Pizlo  <fpizlo@apple.com>
799
800         FTL B3 should be just as fast as FTL LLVM on Octane/crypto
801         https://bugs.webkit.org/show_bug.cgi?id=153113
802
803         Reviewed by Saam Barati.
804
805         This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
806         Octane/crypto. It was a very successful rampage.
807
808         The biggest change in this patch is the introduction of a phase called fixObviousSpills()
809         that fixes patterns like:
810
811         Store register to stack slot and then use stack slot:
812             Move %rcx, (stack42)
813             Foo use:(stack42) // replace (stack42) with %rcx here.
814
815         Load stack slot into register and then use stack slot:
816             Move (stack42), %rcx
817             Foo use:(stack42) // replace (stack42) with %rcx here.
818
819         Store constant into stack slot and then use stack slot:
820             Move $42, %rcx
821             Move %rcx, (stack42)
822             Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
823             Foo use:(stack42) // replace (stack42) with $42 here.
824
825         This phase does these fixups by doing a global forward flow that propagates sets of
826         must-aliases.
827
828         Also added a phase to report register pressure. It pretty-prints code alongside the set of
829         in-use registers above each instruction. Using this phase, I found that our register
830         allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
831         make substantial changes to register allocation. I don't have such a fear anymore, at least
832         for Octane/crypto. In the future, we can check how the regalloc is performing just by
833         enabling logAirRegisterPressure.
834
835         Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
836         conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
837         hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
838         of branches.
839
840         Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
841         reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
842         optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
843         the cases of interest were dead simple - the incoming values to the CheckMul were obviously
844         too small to cause overflow. I added such reasoning to B3's strength reduction.
845
846         Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
847         allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
848         spill slot. In that case, it would extend the size of the spill slot to ensure that the use
849         or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
850         the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
851         slots. They cannot have more than one def to initialize their value. I fixed that by making
852         allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
853         on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
854         construct a test for this. It might be a hypothetical bug, but still, I like how this
855         simplifies the register allocator.
856
857         This is a ~0.7% speed-up on Octane.
858
859         * CMakeLists.txt:
860         * JavaScriptCore.xcodeproj/project.pbxproj:
861         * b3/B3CheckSpecial.cpp:
862         (JSC::B3::CheckSpecial::hiddenBranch):
863         (JSC::B3::CheckSpecial::forEachArg):
864         (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
865         * b3/B3CheckSpecial.h:
866         * b3/B3LowerToAir.cpp:
867         (JSC::B3::Air::LowerToAir::fillStackmap):
868         (JSC::B3::Air::LowerToAir::lower):
869         * b3/B3StackmapValue.h:
870         * b3/air/AirAllocateStack.cpp:
871         (JSC::B3::Air::allocateStack):
872         * b3/air/AirAllocateStack.h:
873         * b3/air/AirArg.h:
874         (JSC::B3::Air::Arg::callArg):
875         (JSC::B3::Air::Arg::stackAddr):
876         (JSC::B3::Air::Arg::isValidScale):
877         * b3/air/AirBasicBlock.cpp:
878         (JSC::B3::Air::BasicBlock::deepDump):
879         (JSC::B3::Air::BasicBlock::dumpHeader):
880         (JSC::B3::Air::BasicBlock::dumpFooter):
881         * b3/air/AirBasicBlock.h:
882         * b3/air/AirCCallSpecial.cpp:
883         (JSC::B3::Air::CCallSpecial::CCallSpecial):
884         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
885         * b3/air/AirCode.h:
886         (JSC::B3::Air::Code::lastPhaseName):
887         (JSC::B3::Air::Code::setEnableRCRS):
888         (JSC::B3::Air::Code::enableRCRS):
889         * b3/air/AirCustom.cpp:
890         (JSC::B3::Air::PatchCustom::isValidForm):
891         (JSC::B3::Air::CCallCustom::isValidForm):
892         * b3/air/AirCustom.h:
893         (JSC::B3::Air::PatchCustom::isValidFormStatic):
894         (JSC::B3::Air::PatchCustom::admitsStack):
895         (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
896         * b3/air/AirEmitShuffle.cpp:
897         (JSC::B3::Air::ShufflePair::dump):
898         (JSC::B3::Air::createShuffle):
899         (JSC::B3::Air::emitShuffle):
900         * b3/air/AirEmitShuffle.h:
901         * b3/air/AirFixObviousSpills.cpp: Added.
902         (JSC::B3::Air::fixObviousSpills):
903         * b3/air/AirFixObviousSpills.h: Added.
904         * b3/air/AirFixSpillSlotZDef.h: Removed.
905         * b3/air/AirGenerate.cpp:
906         (JSC::B3::Air::prepareForGeneration):
907         (JSC::B3::Air::generate):
908         * b3/air/AirHandleCalleeSaves.cpp:
909         (JSC::B3::Air::handleCalleeSaves):
910         * b3/air/AirInst.h:
911         * b3/air/AirInstInlines.h:
912         (JSC::B3::Air::Inst::reportUsedRegisters):
913         (JSC::B3::Air::Inst::admitsStack):
914         (JSC::B3::Air::isShiftValid):
915         * b3/air/AirIteratedRegisterCoalescing.cpp:
916         * b3/air/AirLiveness.h:
917         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
918         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
919         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
920         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
921         (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
922         (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
923         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
924         (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
925         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
926         (JSC::B3::Air::AbstractLiveness::Iterable::end):
927         (JSC::B3::Air::AbstractLiveness::Iterable::contains):
928         (JSC::B3::Air::AbstractLiveness::liveAtTail):
929         (JSC::B3::Air::AbstractLiveness::workset):
930         * b3/air/AirLogRegisterPressure.cpp: Added.
931         (JSC::B3::Air::logRegisterPressure):
932         * b3/air/AirLogRegisterPressure.h: Added.
933         * b3/air/AirOptimizeBlockOrder.cpp:
934         (JSC::B3::Air::blocksInOptimizedOrder):
935         (JSC::B3::Air::optimizeBlockOrder):
936         * b3/air/AirOptimizeBlockOrder.h:
937         * b3/air/AirReportUsedRegisters.cpp:
938         (JSC::B3::Air::reportUsedRegisters):
939         * b3/air/AirReportUsedRegisters.h:
940         * b3/air/AirSpillEverything.cpp:
941         (JSC::B3::Air::spillEverything):
942         * b3/air/AirStackSlot.h:
943         (JSC::B3::Air::StackSlot::isLocked):
944         (JSC::B3::Air::StackSlot::index):
945         (JSC::B3::Air::StackSlot::ensureSize):
946         (JSC::B3::Air::StackSlot::alignment):
947         * b3/air/AirValidate.cpp:
948         * ftl/FTLB3Compile.cpp:
949         (JSC::FTL::compile):
950         * ftl/FTLLowerDFGToLLVM.cpp:
951         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
952         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
953         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
954         * jit/RegisterSet.h:
955         (JSC::RegisterSet::get):
956         (JSC::RegisterSet::setAll):
957         (JSC::RegisterSet::merge):
958         (JSC::RegisterSet::filter):
959         * runtime/Options.h:
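
The three spill patterns listed in the fixObviousSpills() description above can be reproduced with a single-block version of the must-alias forward flow. This is an added example and not JavaScriptCore's code: it tracks which registers currently alias a stack slot and which constants a slot or register is known to hold, and rewrites a slot use with an aliasing register (preferred) or with the constant. It assumes a toy instruction form of its own (Move src, dst; Def dst; Use src) with operands spelled like Air's dumps (%reg, (stackN), $imm), and it leaves out the cross-block merge and the isValidForm/admitsStack checks that the real phase has to respect.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy instruction (this example's own form). Operands use Air's dump spelling:
// %reg, (stackN), $imm.
//   Move src, dst   copies src into dst
//   Def  dst        clobbers dst (e.g. an arithmetic result)
//   Use  src        reads src (an operand that may also be a register or immediate)
struct Inst { std::string op, src, dst; };

static bool isReg(const std::string& a) { return !a.empty() && a[0] == '%'; }
static bool isImm(const std::string& a) { return !a.empty() && a[0] == '$'; }
static bool isSlot(const std::string& a) { return !a.empty() && a[0] == '('; }

// The must-alias facts that hold just before the current instruction.
struct AliasState {
    std::map<std::string, std::set<std::string>> slotRegs; // slot -> registers holding its value
    std::map<std::string, std::string> slotConst;          // slot -> constant it holds
    std::map<std::string, std::string> regConst;           // reg -> constant it holds

    void killReg(const std::string& reg) // reg receives a new value
    {
        for (auto& entry : slotRegs)
            entry.second.erase(reg);
        regConst.erase(reg);
    }
    void killSlot(const std::string& slot) // slot receives a new value
    {
        slotRegs.erase(slot);
        slotConst.erase(slot);
    }
};

// Single-block forward flow: walks the instructions in order, updating the
// alias facts, and rewrites each slot use that is provably redundant with a
// register (preferred) or a constant.
std::vector<Inst> fixObviousSpills(const std::vector<Inst>& block)
{
    AliasState state;
    std::vector<Inst> out;
    for (Inst inst : block) {
        if (inst.op == "Use" && isSlot(inst.src)) {
            auto regs = state.slotRegs.find(inst.src);
            auto constant = state.slotConst.find(inst.src);
            if (regs != state.slotRegs.end() && !regs->second.empty())
                inst.src = *regs->second.begin();
            else if (constant != state.slotConst.end())
                inst.src = constant->second;
        } else if (inst.op == "Def") {
            if (isReg(inst.dst))
                state.killReg(inst.dst);
            else if (isSlot(inst.dst))
                state.killSlot(inst.dst);
        } else if (inst.op == "Move" && isReg(inst.dst)) {
            state.killReg(inst.dst);
            if (isImm(inst.src)) {
                state.regConst[inst.dst] = inst.src;
            } else if (isSlot(inst.src)) { // load: the register now aliases the slot
                state.slotRegs[inst.src].insert(inst.dst);
                auto constant = state.slotConst.find(inst.src);
                if (constant != state.slotConst.end())
                    state.regConst[inst.dst] = constant->second;
            } else if (isReg(inst.src)) { // register copy: inherit the source's facts
                for (auto& entry : state.slotRegs) {
                    if (entry.second.count(inst.src))
                        entry.second.insert(inst.dst);
                }
                auto constant = state.regConst.find(inst.src);
                if (constant != state.regConst.end())
                    state.regConst[inst.dst] = constant->second;
            }
        } else if (inst.op == "Move" && isSlot(inst.dst)) {
            state.killSlot(inst.dst);
            if (isImm(inst.src)) {
                state.slotConst[inst.dst] = inst.src;
            } else if (isReg(inst.src)) { // store: the slot now aliases the register
                state.slotRegs[inst.dst].insert(inst.src);
                auto constant = state.regConst.find(inst.src);
                if (constant != state.regConst.end())
                    state.slotConst[inst.dst] = constant->second;
            }
        }
        out.push_back(inst);
    }
    return out;
}
```

Running the third pattern from the entry (Move $42, %rcx; Move %rcx, (stack42); Def %rcx; Use (stack42)) through fixObviousSpills() rewrites the use to $42 even though %rcx was clobbered in between, because the constant fact was attached to the slot at the store. A Def of the register between the store and the use without a known constant leaves the slot use untouched, which is the conservative answer the real phase must also give.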
960
961 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
962
963         Unreviewed, undo unintended commit.
964
965         * dfg/DFGCommon.h:
966
967 2016-01-18  Filip Pizlo  <fpizlo@apple.com>
968
969         Fix Air shuffling assertions
970         https://bugs.webkit.org/show_bug.cgi?id=153213
971
972         Reviewed by Saam Barati.
973
974         Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.
975
976         * assembler/MacroAssemblerX86Common.h:
977         (JSC::MacroAssemblerX86Common::store8):
978         (JSC::MacroAssemblerX86Common::getUnusedRegister):
979         * b3/air/AirEmitShuffle.cpp:
980         (JSC::B3::Air::emitShuffle):
981         * b3/air/AirLowerAfterRegAlloc.cpp:
982         (JSC::B3::Air::lowerAfterRegAlloc):
983         * b3/air/testair.cpp:
984         (JSC::B3::Air::testShuffleRotateWithFringe):
985         (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
986         (JSC::B3::Air::testShuffleRotateWithLongFringe):
987         (JSC::B3::Air::run):
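
The shuffle machinery fixed above, and described in the "Air needs a Shuffle instruction" entry further down (simultaneous moves that form shifts and rotations over registers and memory), can be illustrated with a small parallel-move sequentializer. This is an added example and not WebKit's emitShuffle(): locations are plain strings (%reg, (stackN), or a $imm source), every destination is written at most once, widths are ignored, and a rotation is broken with a Swap (the xchg forms listed in that entry) rather than a scratch register. The names emitShuffle, execute and shuffleIsCorrect are this example's own.

```cpp
#include <cassert>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// One mapping of the shuffle: the value at src is copied to dst. A src that
// begins with '$' is an immediate; anything else is a register or stack slot.
struct ShufflePair { std::string src, dst; };

// What we emit: "Move a, b" (b = a) or "Swap a, b" (exchange a and b).
struct EmittedInst { std::string opcode, a, b; };

static bool isImm(const std::string& operand) { return !operand.empty() && operand[0] == '$'; }

// Sequentializes the parallel assignment described by pairs. Precondition:
// no two pairs share a dst. Shift chains become Moves, rotations become Swaps,
// and no location is overwritten while another pair still needs its value.
std::vector<EmittedInst> emitShuffle(std::vector<ShufflePair> pairs)
{
    std::vector<EmittedInst> out;
    for (;;) {
        // Drop satisfied pairs (src == dst), including ones made trivial by a rename below.
        std::vector<ShufflePair> live;
        for (const ShufflePair& pair : pairs) {
            if (pair.src != pair.dst)
                live.push_back(pair);
        }
        pairs.swap(live);
        if (pairs.empty())
            break;

        // Locations some remaining pair still has to read.
        std::set<std::string> stillRead;
        for (const ShufflePair& pair : pairs)
            stillRead.insert(pair.src);

        // Shift step: a dst that nobody still reads can be overwritten right now.
        bool movedOne = false;
        for (size_t i = 0; i < pairs.size(); ++i) {
            if (!stillRead.count(pairs[i].dst)) {
                out.push_back({"Move", pairs[i].src, pairs[i].dst});
                pairs.erase(pairs.begin() + i);
                movedOne = true;
                break;
            }
        }
        if (movedOne)
            continue;

        // Rotation step: every dst is still read, so (dsts being distinct) the
        // remaining pairs are disjoint cycles. Break one with a Swap, then point
        // the readers of the two exchanged locations at where their value went.
        ShufflePair pair = pairs.front();
        pairs.erase(pairs.begin());
        assert(!isImm(pair.src)); // an immediate is never a dst, so never in a cycle
        out.push_back({"Swap", pair.src, pair.dst});
        for (ShufflePair& other : pairs) {
            if (other.src == pair.dst)
                other.src = pair.src;
            else if (other.src == pair.src)
                other.src = pair.dst;
        }
    }
    return out;
}

// Location -> value. Used to check the emitted code against the parallel semantics.
using State = std::map<std::string, std::string>;

State execute(State state, const std::vector<EmittedInst>& insts)
{
    for (const EmittedInst& inst : insts) {
        if (inst.opcode == "Move") {
            std::string value = isImm(inst.a) ? inst.a : state[inst.a];
            state[inst.b] = value;
        } else {
            std::swap(state[inst.a], state[inst.b]);
        }
    }
    return state;
}

// True if, after running emitShuffle's output on `before`, every dst holds the
// value its src had before the shuffle started.
bool shuffleIsCorrect(const std::vector<ShufflePair>& pairs, const State& before)
{
    State after = execute(before, emitShuffle(pairs));
    for (const ShufflePair& pair : pairs) {
        std::string expected = isImm(pair.src) ? pair.src : before.at(pair.src);
        if (after[pair.dst] != expected)
            return false;
    }
    return true;
}
```

Shift chains are emitted from their free end backwards (for (a => b, b => c) that is Move b, c followed by Move a, b), a pure rotation such as (a => b, b => a) costs one Swap, and a rotation with a fringe (a => b, b => c, c => a, a => d) first moves a into d and then breaks the three-cycle with two Swaps. Because swapping renames the remaining readers of both locations, a broadcast of one source to several destinations and an immediate source fall out of the same loop without special cases.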
988
989 2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>
990
991         [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
992         https://bugs.webkit.org/show_bug.cgi?id=152693
993
994         Reviewed by Michael Saboff.
995
996         * offlineasm/mips.rb:
997
998 2016-01-18  Saam barati  <sbarati@apple.com>
999
1000         assertions in BytecodeUseDef.h about opcode length are off by one
1001         https://bugs.webkit.org/show_bug.cgi?id=153215
1002
1003         Reviewed by Dan Bernstein.
1004
1005         * bytecode/BytecodeUseDef.h:
1006         (JSC::computeUsesForBytecodeOffset):
1007
1008 2016-01-18  Saam barati  <sbarati@apple.com>
1009
1010         FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
1011         https://bugs.webkit.org/show_bug.cgi?id=153186
1012
1013         Reviewed by Michael Saboff.
1014
1015         Michael was investigating a bug he found while doing the new JSC calling
1016         convention work and it turns out to be a latent bug in FTL try/catch machinery.
1017         After I looked at the code again, I realized that what I had previously
1018         written is wrong in a subtle way. The FTL callOperation machinery will remove
1019         its result register from the set of registers it needs to spill. This is not
1020         correct when we have try/catch. We may want to do value recovery on
1021         the value that the result register is prior to the call after the call
1022         throws an exception. The case that we were solving before was when the
1023         resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
1024         This code is correct in wanting to spill in that case, even though it might spill
1025         when we don't need it to (i.e. the result is not needed for value recovery). Once I
1026         investigated this bug further, I realized that the previous rule is just a
1027         partial subset of the rule that says we should spill anytime the result is
1028         a register we might do value recovery on. This patch implements the rule that
1029         says we always want to spill the result when we will do value recovery on it
1030         if an exception is thrown.
1031
1032         * ftl/FTLCompile.cpp:
1033         (JSC::FTL::mmAllocateDataSection):
1034         * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
1035         (assert):
1036         (random):
1037         (identity):
1038         (let.o2.get f):
1039         (let.o3.get f):
1040         (foo):
1041         (i.else):
1042
1043 2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>
1044
1045         [MIPS] LLInt: fix calculation of Global Offset Table
1046         https://bugs.webkit.org/show_bug.cgi?id=150381
1047
1048         Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
1049         computes the address of the GOT. However, this instruction requires $t9 to
1050         contain the address of the current function. So we need to set $t9 to pcBase,
1051         otherwise GOT-related calculations will be invalid.
1052
1053         Since offlineasm does not allow a direct move to $t9 on MIPS, added a new
1054         instruction setcallreg which does exactly that.
1055
1056         Reviewed by Michael Saboff.
1057
1058         * llint/LowLevelInterpreter.asm:
1059         * offlineasm/instructions.rb:
1060         * offlineasm/mips.rb:
1061
1062 2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>
1063
1064         REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
1065         https://bugs.webkit.org/show_bug.cgi?id=153204
1066
1067         Reviewed by Michael Catanzaro.
1068
1069         * jsc.cpp:
1070         (main):
1071
1072 2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>
1073
1074         [cmake] Add testair to the build system
1075         https://bugs.webkit.org/show_bug.cgi?id=153126
1076
1077         Reviewed by Michael Catanzaro.
1078
1079         * shell/CMakeLists.txt:
1080
1081 2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
1082
1083         Ensure that CF_AVAILABLE is undefined when building webkit-gtk
1084
1085         https://bugs.webkit.org/show_bug.cgi?id=152720
1086
1087         This change ensures that CF_AVAILABLE is correctly a no-op to
1088         address build failure that was observed when building on older
1089         versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
1090         re-defined to the system header value based on include-order.
1091
1092         Reviewed by Michael Catanzaro.
1093
1094         * API/WebKitAvailability.h:
1095
1096 2016-01-17  Julien Brianceau  <jbriance@cisco.com>
1097
1098         [mips] Fix regT2 and regT3 trampling in MacroAssembler
1099         https://bugs.webkit.org/show_bug.cgi?id=153131
1100
1101         Mips $t2 and $t3 registers were used as temporary registers
1102         in MacroAssemblerMIPS.h, whereas they are mapped to regT2
1103         and regT3 in LLInt and GPRInfo.
1104
1105         This patch rearranges register mapping for the mips architecture:
1106         - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
1107         - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
1108         - remove $t6 from temp registers list in LLInt
1109         - update GPRInfo.h accordingly
1110         - add mips macroScratchRegisters() list in RegisterSet.cpp
1111
1112         Reviewed by Michael Saboff.
1113
1114         * assembler/MacroAssemblerMIPS.h:
1115         * jit/GPRInfo.h:
1116         (JSC::GPRInfo::toRegister):
1117         (JSC::GPRInfo::toIndex):
1118         * jit/RegisterSet.cpp:
1119         (JSC::RegisterSet::macroScratchRegisters):
1120         (JSC::RegisterSet::calleeSaveRegisters):
1121         * offlineasm/mips.rb:
1122
1123 2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>
1124
1125         [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
1126         https://bugs.webkit.org/show_bug.cgi?id=146934
1127
1128         Reviewed by Saam Barati.
1129
1130         Added support for destructuring parameters; before, arrow functions expected only simple parameters,
1131         e.g. (), (x), (x, y) or x in an assignment expression. To support destructuring parameters, added an
1132         additional check that checks for destructuring parameters if the check does not pass for simple parameters.
1133
1134         * parser/Parser.cpp:
1135         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1136         (JSC::Parser<LexerType>::parseAssignmentExpression):
1137         * parser/Parser.h:
1138
1139 2016-01-15  Benjamin Poulain  <bpoulain@apple.com>
1140
1141         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1142         https://bugs.webkit.org/show_bug.cgi?id=153065
1143
1144         Reviewed by Mark Lam.
1145         Reviewed by Filip Pizlo.
1146
1147         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
1148         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1149         Air already knows about it.
1150
1151         In this patch, the offsets are changed to something valid for ARM64
1152         prior to lowering. When an offset is invalid, it is just computed
1153         before the instruction and used as the base for addressing.
1154
1155         * JavaScriptCore.xcodeproj/project.pbxproj:
1156         * b3/B3Generate.cpp:
1157         (JSC::B3::generateToAir):
1158         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1159         (JSC::B3::legalizeMemoryOffsets):
1160         * b3/B3LegalizeMemoryOffsets.h: Added.
1161         * b3/B3LowerToAir.cpp:
1162         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1163         * b3/testb3.cpp:
1164         (JSC::B3::testLoadWithOffsetImpl):
1165         (JSC::B3::testLoadOffsetImm9Max):
1166         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1167         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1168         (JSC::B3::testLoadOffsetImm9Min):
1169         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1170         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1171         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1172         (JSC::B3::run):
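
The two ARM64 immediate forms named in the entry above, together with its legalization rule (an offset that cannot be encoded is computed before the instruction and used as the base), as an added example that is not B3's legalizeMemoryOffsets(). The ranges are the architectural ones for the unscaled signed 9-bit and the scaled unsigned 12-bit load/store forms; the width-dependent boundary of the scaled form is why the entry's tests probe both the imm9 and the scaled imm12 limits. The function and struct names are this example's own.

```cpp
#include <cstdint>

// Offsets an ARM64 load or store can encode directly: a signed 9-bit unscaled
// offset, or an unsigned 12-bit offset implicitly scaled by the access width.
// widthBytes is the size of the access (1, 2, 4 or 8).
bool isValidARM64Offset(int64_t offset, unsigned widthBytes)
{
    if (offset >= -256 && offset <= 255)
        return true; // signed imm9: any alignment
    if (offset >= 0 && offset % widthBytes == 0 && offset / widthBytes <= 4095)
        return true; // unsigned scaled imm12: must be a multiple of the width
    return false;
}

// Largest byte offset the scaled form reaches for a given access width.
int64_t maxScaledARM64Offset(unsigned widthBytes)
{
    return int64_t(4095) * widthBytes;
}

struct LegalizedAddress {
    int64_t baseAdjustment; // folded into the base register before the access
    int64_t offset;         // what remains on the load/store itself
};

// Mirrors the entry's rule: an unencodable offset is added to the base
// beforehand and the memory operand then uses offset 0.
LegalizedAddress legalizeARM64Offset(int64_t offset, unsigned widthBytes)
{
    if (isValidARM64Offset(offset, widthBytes))
        return {0, offset};
    return {offset, 0};
}
```

Note the asymmetry the check exposes: 256 is one past the imm9 maximum but still encodable for a 4-byte access because it is a multiple of 4, whereas 257 is not, and 4095 * 4 is the last scaled offset while 4096 * 4 needs legalization.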
1173
1174 2016-01-15  Alex Christensen  <achristensen@webkit.org>
1175
1176         Fix internal Windows build
1177         https://bugs.webkit.org/show_bug.cgi?id=153142
1178
1179         Reviewed by Brent Fulgham.
1180
1181         The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
1182         Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
1183         Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
1184         the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.
1185
1186         * ForwardingHeaders/JavaScriptCore/APICast.h:
1187         * ForwardingHeaders/JavaScriptCore/JSBase.h:
1188         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
1189         * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
1190         * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
1191         * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
1192         * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
1193         * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
1194         * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
1195         * ForwardingHeaders/JavaScriptCore/JavaScript.h:
1196         * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
1197         * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
1198         * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:
1199
1200 2016-01-15  Per Arne Vollan  <peavo@outlook.com>
1201
1202         [B3][Win64] Compile fixes.
1203         https://bugs.webkit.org/show_bug.cgi?id=153127
1204
1205         Reviewed by Alex Christensen.
1206
1207         MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
1208         which one we want to use.
1209
1210         * b3/B3LowerMacros.cpp:
1211         * b3/B3LowerMacrosAfterOptimizations.cpp:
1212         * b3/B3MathExtras.cpp:
1213         (JSC::B3::powDoubleInt32):
1214         * b3/B3ReduceStrength.cpp:
1215
1216 2016-01-15  Filip Pizlo  <fpizlo@apple.com>
1217
1218         Air needs a Shuffle instruction
1219         https://bugs.webkit.org/show_bug.cgi?id=152952
1220
1221         Reviewed by Saam Barati.
1222
1223         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1224         multiple moves to perform arbitrary permutations over registers and memory. We call these
1225         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1226         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1227         use immediates as their source.
1228
1229         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1230         takes any number of triplets of arguments, where each triplet describes one mapping of the
1231         shuffle. For example, to represent (a => b, b => c), we might say:
1232
1233             Shuffle %a, %b, 64, %b, %c, 64
1234
1235         Note the "64"s, those are width arguments that describe how many bits of the register are
1236         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1237         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1238         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1239
1240         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1241         how to use it:
1242
1243         - C calling convention argument marshalling. Previously we used move instructions. But that's
1244           problematic since it introduces artificial interference between the argument registers and
1245           the inputs. Using Shuffle removes that interference. This helps a bit.
1246
1247         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1248           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1249           any registers. Only after register allocation should we handle the clobbering by simply
1250           saving all of the live volatile registers to the stack. If you imagine the saving and the
1251           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1252           both of those things. This is important. If argument marshalling was separate from the
1253           saving, then we'd still appear to clobber argument registers. Doing them together as one
1254           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1255
1256         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1257         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1258         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1259         functionality we will need to implement other optimizations.
1260
1261         Relanding after fixing production build.
1262
1263         * CMakeLists.txt:
1264         * JavaScriptCore.xcodeproj/project.pbxproj:
1265         * assembler/AbstractMacroAssembler.h:
1266         (JSC::isX86_64):
1267         (JSC::isIOS):
1268         (JSC::optimizeForARMv7IDIVSupported):
1269         * assembler/MacroAssemblerX86Common.h:
1270         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1271         (JSC::MacroAssemblerX86Common::swap32):
1272         (JSC::MacroAssemblerX86Common::moveConditionally32):
1273         * assembler/MacroAssemblerX86_64.h:
1274         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1275         (JSC::MacroAssemblerX86_64::swap64):
1276         (JSC::MacroAssemblerX86_64::move64ToDouble):
1277         * assembler/X86Assembler.h:
1278         (JSC::X86Assembler::xchgl_rr):
1279         (JSC::X86Assembler::xchgl_rm):
1280         (JSC::X86Assembler::xchgq_rr):
1281         (JSC::X86Assembler::xchgq_rm):
1282         (JSC::X86Assembler::movl_rr):
1283         * b3/B3CCallValue.h:
1284         * b3/B3Compilation.cpp:
1285         (JSC::B3::Compilation::Compilation):
1286         (JSC::B3::Compilation::~Compilation):
1287         * b3/B3Compilation.h:
1288         (JSC::B3::Compilation::code):
1289         * b3/B3LowerToAir.cpp:
1290         (JSC::B3::Air::LowerToAir::run):
1291         (JSC::B3::Air::LowerToAir::createSelect):
1292         (JSC::B3::Air::LowerToAir::lower):
1293         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1294         * b3/B3OpaqueByproducts.h:
1295         (JSC::B3::OpaqueByproducts::count):
1296         * b3/B3StackmapSpecial.cpp:
1297         (JSC::B3::StackmapSpecial::isArgValidForValue):
1298         (JSC::B3::StackmapSpecial::isArgValidForRep):
1299         * b3/air/AirArg.cpp:
1300         (JSC::B3::Air::Arg::isStackMemory):
1301         (JSC::B3::Air::Arg::isRepresentableAs):
1302         (JSC::B3::Air::Arg::usesTmp):
1303         (JSC::B3::Air::Arg::canRepresent):
1304         (JSC::B3::Air::Arg::isCompatibleType):
1305         (JSC::B3::Air::Arg::dump):
1306         (WTF::printInternal):
1307         * b3/air/AirArg.h:
1308         (JSC::B3::Air::Arg::forEachType):
1309         (JSC::B3::Air::Arg::isWarmUse):
1310         (JSC::B3::Air::Arg::cooled):
1311         (JSC::B3::Air::Arg::isEarlyUse):
1312         (JSC::B3::Air::Arg::imm64):
1313         (JSC::B3::Air::Arg::immPtr):
1314         (JSC::B3::Air::Arg::addr):
1315         (JSC::B3::Air::Arg::special):
1316         (JSC::B3::Air::Arg::widthArg):
1317         (JSC::B3::Air::Arg::operator==):
1318         (JSC::B3::Air::Arg::isImm64):
1319         (JSC::B3::Air::Arg::isSomeImm):
1320         (JSC::B3::Air::Arg::isAddr):
1321         (JSC::B3::Air::Arg::isIndex):
1322         (JSC::B3::Air::Arg::isMemory):
1323         (JSC::B3::Air::Arg::isRelCond):
1324         (JSC::B3::Air::Arg::isSpecial):
1325         (JSC::B3::Air::Arg::isWidthArg):
1326         (JSC::B3::Air::Arg::isAlive):
1327         (JSC::B3::Air::Arg::base):
1328         (JSC::B3::Air::Arg::hasOffset):
1329         (JSC::B3::Air::Arg::offset):
1330         (JSC::B3::Air::Arg::width):
1331         (JSC::B3::Air::Arg::isGPTmp):
1332         (JSC::B3::Air::Arg::isGP):
1333         (JSC::B3::Air::Arg::isFP):
1334         (JSC::B3::Air::Arg::isType):
1335         (JSC::B3::Air::Arg::isGPR):
1336         (JSC::B3::Air::Arg::isValidForm):
1337         (JSC::B3::Air::Arg::forEachTmpFast):
1338         * b3/air/AirBasicBlock.h:
1339         (JSC::B3::Air::BasicBlock::insts):
1340         (JSC::B3::Air::BasicBlock::appendInst):
1341         (JSC::B3::Air::BasicBlock::append):
1342         * b3/air/AirCCallingConvention.cpp: Added.
1343         (JSC::B3::Air::computeCCallingConvention):
1344         (JSC::B3::Air::cCallResult):
1345         (JSC::B3::Air::buildCCall):
1346         * b3/air/AirCCallingConvention.h: Added.
1347         * b3/air/AirCode.h:
1348         (JSC::B3::Air::Code::proc):
1349         * b3/air/AirCustom.cpp: Added.
1350         (JSC::B3::Air::CCallCustom::isValidForm):
1351         (JSC::B3::Air::CCallCustom::generate):
1352         (JSC::B3::Air::ShuffleCustom::isValidForm):
1353         (JSC::B3::Air::ShuffleCustom::generate):
1354         * b3/air/AirCustom.h:
1355         (JSC::B3::Air::PatchCustom::forEachArg):
1356         (JSC::B3::Air::PatchCustom::generate):
1357         (JSC::B3::Air::CCallCustom::forEachArg):
1358         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1359         (JSC::B3::Air::CCallCustom::admitsStack):
1360         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1361         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1362         (JSC::B3::Air::ShuffleCustom::forEachArg):
1363         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1364         (JSC::B3::Air::ShuffleCustom::admitsStack):
1365         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1366         * b3/air/AirEmitShuffle.cpp: Added.
1367         (JSC::B3::Air::ShufflePair::dump):
1368         (JSC::B3::Air::emitShuffle):
1369         * b3/air/AirEmitShuffle.h: Added.
1370         (JSC::B3::Air::ShufflePair::ShufflePair):
1371         (JSC::B3::Air::ShufflePair::src):
1372         (JSC::B3::Air::ShufflePair::dst):
1373         (JSC::B3::Air::ShufflePair::width):
1374         * b3/air/AirGenerate.cpp:
1375         (JSC::B3::Air::prepareForGeneration):
1376         * b3/air/AirGenerate.h:
1377         * b3/air/AirInsertionSet.cpp:
1378         (JSC::B3::Air::InsertionSet::insertInsts):
1379         (JSC::B3::Air::InsertionSet::execute):
1380         * b3/air/AirInsertionSet.h:
1381         (JSC::B3::Air::InsertionSet::insertInst):
1382         (JSC::B3::Air::InsertionSet::insert):
1383         * b3/air/AirInst.h:
1384         (JSC::B3::Air::Inst::operator bool):
1385         (JSC::B3::Air::Inst::append):
1386         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1387         (JSC::B3::Air::lowerAfterRegAlloc):
1388         * b3/air/AirLowerAfterRegAlloc.h: Added.
1389         * b3/air/AirLowerMacros.cpp: Added.
1390         (JSC::B3::Air::lowerMacros):
1391         * b3/air/AirLowerMacros.h: Added.
1392         * b3/air/AirOpcode.opcodes:
1393         * b3/air/AirRegisterPriority.h:
1394         (JSC::B3::Air::regsInPriorityOrder):
1395         * b3/air/testair.cpp: Added.
1396         (hiddenTruthBecauseNoReturnIsStupid):
1397         (usage):
1398         (JSC::B3::Air::compile):
1399         (JSC::B3::Air::invoke):
1400         (JSC::B3::Air::compileAndRun):
1401         (JSC::B3::Air::testSimple):
1402         (JSC::B3::Air::loadConstantImpl):
1403         (JSC::B3::Air::loadConstant):
1404         (JSC::B3::Air::loadDoubleConstant):
1405         (JSC::B3::Air::testShuffleSimpleSwap):
1406         (JSC::B3::Air::testShuffleSimpleShift):
1407         (JSC::B3::Air::testShuffleLongShift):
1408         (JSC::B3::Air::testShuffleLongShiftBackwards):
1409         (JSC::B3::Air::testShuffleSimpleRotate):
1410         (JSC::B3::Air::testShuffleSimpleBroadcast):
1411         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1412         (JSC::B3::Air::testShuffleTreeShift):
1413         (JSC::B3::Air::testShuffleTreeShiftBackward):
1414         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1415         (JSC::B3::Air::testShuffleMultipleShifts):
1416         (JSC::B3::Air::testShuffleRotateWithFringe):
1417         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1418         (JSC::B3::Air::testShuffleMultipleRotates):
1419         (JSC::B3::Air::testShuffleShiftAndRotate):
1420         (JSC::B3::Air::testShuffleShiftAllRegs):
1421         (JSC::B3::Air::testShuffleRotateAllRegs):
1422         (JSC::B3::Air::testShuffleSimpleSwap64):
1423         (JSC::B3::Air::testShuffleSimpleShift64):
1424         (JSC::B3::Air::testShuffleSwapMixedWidth):
1425         (JSC::B3::Air::testShuffleShiftMixedWidth):
1426         (JSC::B3::Air::testShuffleShiftMemory):
1427         (JSC::B3::Air::testShuffleShiftMemoryLong):
1428         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1429         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1430         (JSC::B3::Air::combineHiLo):
1431         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1432         (JSC::B3::Air::testShuffleRotateMemory):
1433         (JSC::B3::Air::testShuffleRotateMemory64):
1434         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1435         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1436         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1437         (JSC::B3::Air::testShuffleSwapDouble):
1438         (JSC::B3::Air::testShuffleShiftDouble):
1439         (JSC::B3::Air::run):
1440         (run):
1441         (main):
1442         * b3/testb3.cpp:
1443         (JSC::B3::testCallSimple):
1444         (JSC::B3::testCallRare):
1445         (JSC::B3::testCallRareLive):
1446         (JSC::B3::testCallSimplePure):
1447         (JSC::B3::run):
1448
1449 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
1450
1451         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
1452         https://bugs.webkit.org/show_bug.cgi?id=147611
1453
1454         Reviewed by Benjamin Poulain.
1455
1456         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
1457         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
1458         function specific to the call in initializeDateTimeFormat. Properly
1459         throw when the options parameter is null.
1460         Add toLocaleString in builtin JavaScript, with its own specific branch
1461         of toDateTimeOptions.
1462
1463         * CMakeLists.txt:
1464         * DerivedSources.make:
1465         * JavaScriptCore.xcodeproj/project.pbxproj:
1466         * builtins/DatePrototype.js: Added.
1467         (toLocaleString.toDateTimeOptionsAnyAll):
1468         (toLocaleString):
1469         * runtime/CommonIdentifiers.h:
1470         * runtime/DatePrototype.cpp:
1471         (JSC::DatePrototype::finishCreation):
1472         * runtime/DatePrototype.h:
1473         * runtime/IntlDateTimeFormat.cpp:
1474         (JSC::toDateTimeOptionsAnyDate):
1475         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1476         (JSC::toDateTimeOptions): Deleted.
1477         * runtime/JSGlobalObject.cpp:
1478         (JSC::JSGlobalObject::init):
1479
1480 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
1481
1482         [mips] Implemented emitFunctionPrologue/Epilogue
1483         https://bugs.webkit.org/show_bug.cgi?id=152947
1484
1485         Reviewed by Michael Saboff.
1486
1487         * assembler/MacroAssemblerMIPS.h:
1488         (JSC::MacroAssemblerMIPS::popPair):
1489         (JSC::MacroAssemblerMIPS::pushPair):
1490         * jit/AssemblyHelpers.h:
1491         (JSC::AssemblyHelpers::emitFunctionPrologue):
1492         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1493         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1494
1495 2016-01-15  Commit Queue  <commit-queue@webkit.org>
1496
1497         Unreviewed, rolling out r195084.
1498         https://bugs.webkit.org/show_bug.cgi?id=153132
1499
1500         Broke Production build (Requested by ap on #webkit).
1501
1502         Reverted changeset:
1503
1504         "Air needs a Shuffle instruction"
1505         https://bugs.webkit.org/show_bug.cgi?id=152952
1506         http://trac.webkit.org/changeset/195084
1507
1508 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
1509
1510         [mips] Add countLeadingZeros32 implementation in macro assembler
1511         https://bugs.webkit.org/show_bug.cgi?id=152886
1512
1513         Reviewed by Michael Saboff.
1514
1515         * assembler/MIPSAssembler.h:
1516         (JSC::MIPSAssembler::lui):
1517         (JSC::MIPSAssembler::clz):
1518         (JSC::MIPSAssembler::addiu):
1519         * assembler/MacroAssemblerMIPS.h:
1520         (JSC::MacroAssemblerMIPS::and32):
1521         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
1522         (JSC::MacroAssemblerMIPS::lshift32):
1523
1524 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
1525
1526         Air needs a Shuffle instruction
1527         https://bugs.webkit.org/show_bug.cgi?id=152952
1528
1529         Reviewed by Saam Barati.
1530
1531         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1532         multiple moves to perform arbitrary permutations over registers and memory. We call these
1533         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1534         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1535         use immediates as their source.
1536
1537         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1538         takes any number of triplets of arguments, where each triplet describes one mapping of the
1539         shuffle. For example, to represent (a => b, b => c), we might say:
1540
1541             Shuffle %a, %b, 64, %b, %c, 64
1542
1543         Note the "64"s, those are width arguments that describe how many bits of the register are
1544         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1545         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1546         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1547
1548         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1549         how to use it:
1550
1551         - C calling convention argument marshalling. Previously we used move instructions. But that's
1552           problematic since it introduces artificial interference between the argument registers and
1553           the inputs. Using Shuffle removes that interference. This helps a bit.
1554
1555         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1556           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1557           any registers. Only after register allocation should we handle the clobbering by simply
1558           saving all of the live volatile registers to the stack. If you imagine the saving and the
1559           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1560           both of those things. This is important. If argument marshalling was separate from the
1561           saving, then we'd still appear to clobber argument registers. Doing them together as one
1562           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1563
1564         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1565         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1566         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1567         functionality we will need to implement other optimizations.
1568
1569         * CMakeLists.txt:
1570         * JavaScriptCore.xcodeproj/project.pbxproj:
1571         * assembler/AbstractMacroAssembler.h:
1572         (JSC::isX86_64):
1573         (JSC::isIOS):
1574         (JSC::optimizeForARMv7IDIVSupported):
1575         * assembler/MacroAssemblerX86Common.h:
1576         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1577         (JSC::MacroAssemblerX86Common::swap32):
1578         (JSC::MacroAssemblerX86Common::moveConditionally32):
1579         * assembler/MacroAssemblerX86_64.h:
1580         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1581         (JSC::MacroAssemblerX86_64::swap64):
1582         (JSC::MacroAssemblerX86_64::move64ToDouble):
1583         * assembler/X86Assembler.h:
1584         (JSC::X86Assembler::xchgl_rr):
1585         (JSC::X86Assembler::xchgl_rm):
1586         (JSC::X86Assembler::xchgq_rr):
1587         (JSC::X86Assembler::xchgq_rm):
1588         (JSC::X86Assembler::movl_rr):
1589         * b3/B3CCallValue.h:
1590         * b3/B3Compilation.cpp:
1591         (JSC::B3::Compilation::Compilation):
1592         (JSC::B3::Compilation::~Compilation):
1593         * b3/B3Compilation.h:
1594         (JSC::B3::Compilation::code):
1595         * b3/B3LowerToAir.cpp:
1596         (JSC::B3::Air::LowerToAir::run):
1597         (JSC::B3::Air::LowerToAir::createSelect):
1598         (JSC::B3::Air::LowerToAir::lower):
1599         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1600         * b3/B3OpaqueByproducts.h:
1601         (JSC::B3::OpaqueByproducts::count):
1602         * b3/B3StackmapSpecial.cpp:
1603         (JSC::B3::StackmapSpecial::isArgValidForValue):
1604         (JSC::B3::StackmapSpecial::isArgValidForRep):
1605         * b3/air/AirArg.cpp:
1606         (JSC::B3::Air::Arg::isStackMemory):
1607         (JSC::B3::Air::Arg::isRepresentableAs):
1608         (JSC::B3::Air::Arg::usesTmp):
1609         (JSC::B3::Air::Arg::canRepresent):
1610         (JSC::B3::Air::Arg::isCompatibleType):
1611         (JSC::B3::Air::Arg::dump):
1612         (WTF::printInternal):
1613         * b3/air/AirArg.h:
1614         (JSC::B3::Air::Arg::forEachType):
1615         (JSC::B3::Air::Arg::isWarmUse):
1616         (JSC::B3::Air::Arg::cooled):
1617         (JSC::B3::Air::Arg::isEarlyUse):
1618         (JSC::B3::Air::Arg::imm64):
1619         (JSC::B3::Air::Arg::immPtr):
1620         (JSC::B3::Air::Arg::addr):
1621         (JSC::B3::Air::Arg::special):
1622         (JSC::B3::Air::Arg::widthArg):
1623         (JSC::B3::Air::Arg::operator==):
1624         (JSC::B3::Air::Arg::isImm64):
1625         (JSC::B3::Air::Arg::isSomeImm):
1626         (JSC::B3::Air::Arg::isAddr):
1627         (JSC::B3::Air::Arg::isIndex):
1628         (JSC::B3::Air::Arg::isMemory):
1629         (JSC::B3::Air::Arg::isRelCond):
1630         (JSC::B3::Air::Arg::isSpecial):
1631         (JSC::B3::Air::Arg::isWidthArg):
1632         (JSC::B3::Air::Arg::isAlive):
1633         (JSC::B3::Air::Arg::base):
1634         (JSC::B3::Air::Arg::hasOffset):
1635         (JSC::B3::Air::Arg::offset):
1636         (JSC::B3::Air::Arg::width):
1637         (JSC::B3::Air::Arg::isGPTmp):
1638         (JSC::B3::Air::Arg::isGP):
1639         (JSC::B3::Air::Arg::isFP):
1640         (JSC::B3::Air::Arg::isType):
1641         (JSC::B3::Air::Arg::isGPR):
1642         (JSC::B3::Air::Arg::isValidForm):
1643         (JSC::B3::Air::Arg::forEachTmpFast):
1644         * b3/air/AirBasicBlock.h:
1645         (JSC::B3::Air::BasicBlock::insts):
1646         (JSC::B3::Air::BasicBlock::appendInst):
1647         (JSC::B3::Air::BasicBlock::append):
1648         * b3/air/AirCCallingConvention.cpp: Added.
1649         (JSC::B3::Air::computeCCallingConvention):
1650         (JSC::B3::Air::cCallResult):
1651         (JSC::B3::Air::buildCCall):
1652         * b3/air/AirCCallingConvention.h: Added.
1653         * b3/air/AirCode.h:
1654         (JSC::B3::Air::Code::proc):
1655         * b3/air/AirCustom.cpp: Added.
1656         (JSC::B3::Air::CCallCustom::isValidForm):
1657         (JSC::B3::Air::CCallCustom::generate):
1658         (JSC::B3::Air::ShuffleCustom::isValidForm):
1659         (JSC::B3::Air::ShuffleCustom::generate):
1660         * b3/air/AirCustom.h:
1661         (JSC::B3::Air::PatchCustom::forEachArg):
1662         (JSC::B3::Air::PatchCustom::generate):
1663         (JSC::B3::Air::CCallCustom::forEachArg):
1664         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1665         (JSC::B3::Air::CCallCustom::admitsStack):
1666         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1667         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1668         (JSC::B3::Air::ShuffleCustom::forEachArg):
1669         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1670         (JSC::B3::Air::ShuffleCustom::admitsStack):
1671         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1672         * b3/air/AirEmitShuffle.cpp: Added.
1673         (JSC::B3::Air::ShufflePair::dump):
1674         (JSC::B3::Air::emitShuffle):
1675         * b3/air/AirEmitShuffle.h: Added.
1676         (JSC::B3::Air::ShufflePair::ShufflePair):
1677         (JSC::B3::Air::ShufflePair::src):
1678         (JSC::B3::Air::ShufflePair::dst):
1679         (JSC::B3::Air::ShufflePair::width):
1680         * b3/air/AirGenerate.cpp:
1681         (JSC::B3::Air::prepareForGeneration):
1682         * b3/air/AirGenerate.h:
1683         * b3/air/AirInsertionSet.cpp:
1684         (JSC::B3::Air::InsertionSet::insertInsts):
1685         (JSC::B3::Air::InsertionSet::execute):
1686         * b3/air/AirInsertionSet.h:
1687         (JSC::B3::Air::InsertionSet::insertInst):
1688         (JSC::B3::Air::InsertionSet::insert):
1689         * b3/air/AirInst.h:
1690         (JSC::B3::Air::Inst::operator bool):
1691         (JSC::B3::Air::Inst::append):
1692         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1693         (JSC::B3::Air::lowerAfterRegAlloc):
1694         * b3/air/AirLowerAfterRegAlloc.h: Added.
1695         * b3/air/AirLowerMacros.cpp: Added.
1696         (JSC::B3::Air::lowerMacros):
1697         * b3/air/AirLowerMacros.h: Added.
1698         * b3/air/AirOpcode.opcodes:
1699         * b3/air/AirRegisterPriority.h:
1700         (JSC::B3::Air::regsInPriorityOrder):
1701         * b3/air/testair.cpp: Added.
1702         (hiddenTruthBecauseNoReturnIsStupid):
1703         (usage):
1704         (JSC::B3::Air::compile):
1705         (JSC::B3::Air::invoke):
1706         (JSC::B3::Air::compileAndRun):
1707         (JSC::B3::Air::testSimple):
1708         (JSC::B3::Air::loadConstantImpl):
1709         (JSC::B3::Air::loadConstant):
1710         (JSC::B3::Air::loadDoubleConstant):
1711         (JSC::B3::Air::testShuffleSimpleSwap):
1712         (JSC::B3::Air::testShuffleSimpleShift):
1713         (JSC::B3::Air::testShuffleLongShift):
1714         (JSC::B3::Air::testShuffleLongShiftBackwards):
1715         (JSC::B3::Air::testShuffleSimpleRotate):
1716         (JSC::B3::Air::testShuffleSimpleBroadcast):
1717         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1718         (JSC::B3::Air::testShuffleTreeShift):
1719         (JSC::B3::Air::testShuffleTreeShiftBackward):
1720         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1721         (JSC::B3::Air::testShuffleMultipleShifts):
1722         (JSC::B3::Air::testShuffleRotateWithFringe):
1723         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1724         (JSC::B3::Air::testShuffleMultipleRotates):
1725         (JSC::B3::Air::testShuffleShiftAndRotate):
1726         (JSC::B3::Air::testShuffleShiftAllRegs):
1727         (JSC::B3::Air::testShuffleRotateAllRegs):
1728         (JSC::B3::Air::testShuffleSimpleSwap64):
1729         (JSC::B3::Air::testShuffleSimpleShift64):
1730         (JSC::B3::Air::testShuffleSwapMixedWidth):
1731         (JSC::B3::Air::testShuffleShiftMixedWidth):
1732         (JSC::B3::Air::testShuffleShiftMemory):
1733         (JSC::B3::Air::testShuffleShiftMemoryLong):
1734         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1735         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1736         (JSC::B3::Air::combineHiLo):
1737         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1738         (JSC::B3::Air::testShuffleRotateMemory):
1739         (JSC::B3::Air::testShuffleRotateMemory64):
1740         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1741         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1742         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1743         (JSC::B3::Air::testShuffleSwapDouble):
1744         (JSC::B3::Air::testShuffleShiftDouble):
1745         (JSC::B3::Air::run):
1746         (run):
1747         (main):
1748         * b3/testb3.cpp:
1749         (JSC::B3::testCallSimple):
1750         (JSC::B3::testCallRare):
1751         (JSC::B3::testCallRareLive):
1752         (JSC::B3::testCallSimplePure):
1753         (JSC::B3::run):
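
Added example, not WebKit's AirEmitShuffle code: a stand-alone C++ model of what a Shuffle has to do once it is lowered, namely turn a set of simultaneous pairs into ordinary moves and swaps without losing any value. It covers the two cases the entry describes, shifts (a => b, b => c), which are emitted back to front, and rotations, which have to be broken with swaps, and it also handles the mixed-width case using the ZDef rule (a 32-bit write zero-extends). `ShufflePair`, `Step`, `emitShuffle`, `simulate`, `shuffleIsCorrect` and the `$imm` notation for immediate sources are this example's own names and assumptions, not the project's API.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-alone model of an Air Shuffle (not JSC's emitShuffle): each
// pair moves the low `width` bits of `src` into `dst`, and all pairs are meant to
// happen at once. Names beginning with '$' are immediates.
struct ShufflePair { std::string src; std::string dst; int width; };

// One emitted step: a plain move (a -> b) or an xchg-style swap of a and b.
struct Step { bool isSwap; std::string a; std::string b; int width; };

// ZDef semantics: a 32-bit write zero-extends into the full register.
static uint64_t truncateToWidth(uint64_t v, int width) {
    return width == 64 ? v : (v & 0xffffffffull);
}

static void dropSelfMoves(std::vector<ShufflePair>& pairs) {
    pairs.erase(std::remove_if(pairs.begin(), pairs.end(),
        [](const ShufflePair& p) { return p.src == p.dst; }), pairs.end());
}

// Sequentialize the simultaneous moves. Shifts are peeled from the tail so that
// nothing is overwritten before it is read; what is left are rotations, which
// are broken with swaps.
std::vector<Step> emitShuffle(std::vector<ShufflePair> pairs) {
    std::vector<Step> steps;
    dropSelfMoves(pairs);
    while (!pairs.empty()) {
        // 1. A destination that no remaining pair reads is safe to write now.
        auto safe = std::find_if(pairs.begin(), pairs.end(), [&](const ShufflePair& p) {
            return std::none_of(pairs.begin(), pairs.end(),
                [&](const ShufflePair& q) { return q.src == p.dst; });
        });
        if (safe != pairs.end()) {
            steps.push_back({false, safe->src, safe->dst, safe->width});
            pairs.erase(safe);
            continue;
        }
        // 2. Every remaining destination is still read, so only rotations are left
        //    and all sources are distinct. swap(s, d) completes s => d and parks
        //    d's old value in s, so the single pair that read d now reads s.
        ShufflePair p = pairs.front();
        pairs.erase(pairs.begin());
        int width = p.width;
        for (ShufflePair& q : pairs) {
            if (q.src == p.dst) {
                width = std::max(width, q.width); // do not clip the wider value
                q.src = p.src;
            }
        }
        steps.push_back({true, p.src, p.dst, width});
        if (width != p.width) // restore the narrower pair's zero-extension
            steps.push_back({false, p.dst, p.dst, p.width});
        dropSelfMoves(pairs); // a 2-cycle collapses into s => s after the swap
    }
    return steps;
}

size_t countSwaps(const std::vector<Step>& steps) {
    return std::count_if(steps.begin(), steps.end(), [](const Step& s) { return s.isSwap; });
}

using RegFile = std::map<std::string, uint64_t>;

static uint64_t readLoc(const RegFile& regs, const std::string& name) {
    if (!name.empty() && name[0] == '$')
        return std::stoull(name.substr(1));
    auto it = regs.find(name);
    return it == regs.end() ? 0 : it->second;
}

// Run the emitted steps against a register file.
RegFile simulate(RegFile regs, const std::vector<Step>& steps) {
    for (const Step& s : steps) {
        if (s.isSwap) {
            uint64_t a = readLoc(regs, s.a), b = readLoc(regs, s.b);
            regs[s.a] = truncateToWidth(b, s.width);
            regs[s.b] = truncateToWidth(a, s.width);
        } else {
            regs[s.b] = truncateToWidth(readLoc(regs, s.a), s.width);
        }
    }
    return regs;
}

// The contract a Shuffle promises: every destination ends up holding its source's
// value as of before the shuffle, narrowed to the pair's width.
bool shuffleIsCorrect(const RegFile& before, const std::vector<ShufflePair>& pairs) {
    RegFile after = simulate(before, emitShuffle(pairs));
    for (const ShufflePair& p : pairs) {
        if (after[p.dst] != truncateToWidth(readLoc(before, p.src), p.width))
            return false;
    }
    return true;
}
```

A call such as `shuffleIsCorrect({{"a", 1}, {"b", 2}, {"c", 3}}, {{"a", "b", 64}, {"b", "c", 64}, {"c", "a", 64}})` exercises the rotation case and returns true after two swaps, while the shift `(a => b, b => c)` needs two moves and no swap. The "no destination is still read" test is what lets a single pass also serve the cold-call use in the entry: saving live volatile registers and marshalling arguments are just more pairs in the same set, so the register allocator never sees separate clobbering moves.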
1754
1755 2016-01-14  Keith Miller  <keith_miller@apple.com>
1756
1757         Unreviewed, mark passing es6 tests as no longer failing.
1758
1759         * tests/es6.yaml:
1760
1761 2016-01-14  Keith Miller  <keith_miller@apple.com>
1762
1763         [ES6] Support subclassing Function.
1764         https://bugs.webkit.org/show_bug.cgi?id=153081
1765
1766         Reviewed by Geoffrey Garen.
1767
1768         This patch enables subclassing the Function object. It also fixes an existing
1769         bug that prevented users from subclassing functions that have a function in
1770         the superclass's prototype property.
1771
1772         * bytecompiler/NodesCodegen.cpp:
1773         (JSC::ClassExprNode::emitBytecode):
1774         * runtime/FunctionConstructor.cpp:
1775         (JSC::constructWithFunctionConstructor):
1776         (JSC::constructFunction):
1777         (JSC::constructFunctionSkippingEvalEnabledCheck):
1778         * runtime/FunctionConstructor.h:
1779         * runtime/JSFunction.cpp:
1780         (JSC::JSFunction::create):
1781         * runtime/JSFunction.h:
1782         (JSC::JSFunction::createImpl):
1783         * runtime/JSFunctionInlines.h:
1784         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1785         (JSC::JSFunction::JSFunction): Deleted.
1786         * tests/stress/class-subclassing-function.js: Added.
1787
1788 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
1789
1790         [CMake] Do not use LLVM static libraries for FTL JIT
1791         https://bugs.webkit.org/show_bug.cgi?id=151559
1792
1793         Reviewed by Michael Catanzaro.
1794
1795         Allow ports to decide whether to prefer linking to llvm static or
1796         dynamic libraries. This patch only changes the behavior of the GTK
1797         port, other ports can change the default behavior by setting
1798         llvmForJSC_LIBRARIES in their platform specific cmake files.
1799
1800         * CMakeLists.txt: Move llvmForJSC library definition after the
1801         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
1802         files to set their own llvmForJSC_LIBRARIES. When not set, it
1803         defaults to LLVM_STATIC_LIBRARIES. The command to create
1804         WebKitLLVMLibraryToken.h no longer depends on the static
1805         libraries, since we are going to make the build fail anyway when
1806         not found in case of linking to the static libraries. If the platform
1807         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
1808         installed to the given destination.
1809         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
1810         llvmForJSC_INSTALL_DIR.
1811
1812 2016-01-13  Saam barati  <sbarati@apple.com>
1813
1814         NativeExecutable should have a name field
1815         https://bugs.webkit.org/show_bug.cgi?id=153083
1816
1817         Reviewed by Geoffrey Garen.
1818
1819         This is going to help the SamplingProfiler come up
1820         with names for NativeExecutable objects it encounters.
1821
1822         * jit/JITThunks.cpp:
1823         (JSC::JITThunks::finalize):
1824         (JSC::JITThunks::hostFunctionStub):
1825         * jit/JITThunks.h:
1826         * runtime/Executable.h:
1827         * runtime/JSBoundFunction.cpp:
1828         (JSC::JSBoundFunction::create):
1829         * runtime/JSFunction.cpp:
1830         (JSC::JSFunction::create):
1831         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
1832         * runtime/JSFunction.h:
1833         (JSC::JSFunction::createImpl):
1834         * runtime/JSNativeStdFunction.cpp:
1835         (JSC::JSNativeStdFunction::create):
1836         * runtime/VM.cpp:
1837         (JSC::thunkGeneratorForIntrinsic):
1838         (JSC::VM::getHostFunction):
1839         * runtime/VM.h:
1840         (JSC::VM::getCTIStub):
1841         (JSC::VM::exceptionOffset):
1842
1843 2016-01-13  Keith Miller  <keith_miller@apple.com>
1844
1845         [ES6] Support subclassing the String builtin object
1846         https://bugs.webkit.org/show_bug.cgi?id=153068
1847
1848         Reviewed by Michael Saboff.
1849
1850         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
1851         the wrong indexing type for builtins constructed without storage.
1852
1853         * runtime/PrototypeMap.cpp:
1854         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1855         * runtime/StringConstructor.cpp:
1856         (JSC::constructWithStringConstructor):
1857         * tests/stress/class-subclassing-string.js: Added.
1858         (test):
1859
1860 2016-01-13  Mark Lam  <mark.lam@apple.com>
1861
1862         The StringFromCharCode DFG intrinsic should support untyped operands.
1863         https://bugs.webkit.org/show_bug.cgi?id=153046
1864
1865         Reviewed by Geoffrey Garen.
1866
1867         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
1868         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
1869         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
1870         exits drops to 202.
1871
1872         * dfg/DFGClobberize.h:
1873         (JSC::DFG::clobberize):
1874         * dfg/DFGFixupPhase.cpp:
1875         (JSC::DFG::FixupPhase::fixupNode):
1876         * dfg/DFGOperations.cpp:
1877         * dfg/DFGOperations.h:
1878         * dfg/DFGSpeculativeJIT.cpp:
1879         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1880         * dfg/DFGSpeculativeJIT.h:
1881         (JSC::DFG::SpeculativeJIT::callOperation):
1882         * dfg/DFGValidate.cpp:
1883         (JSC::DFG::Validate::validate):
1884         * runtime/JSCJSValueInlines.h:
1885         (JSC::JSValue::toUInt32):
1886
1887 2016-01-13  Mark Lam  <mark.lam@apple.com>
1888
1889         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
1890         https://bugs.webkit.org/show_bug.cgi?id=153080
1891
1892         Reviewed by Geoffrey Garen.
1893
1894         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
1895         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
1896         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
1897         many other arith nodes in the DFG.  This patch renames these functions as
1898         Graph::binaryArithShouldSpeculateInt32/machineInt() and
1899         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
1900         in the DFG.
1901
1902         * dfg/DFGFixupPhase.cpp:
1903         (JSC::DFG::FixupPhase::fixupNode):
1904         * dfg/DFGGraph.h:
1905         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
1906         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
1907         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
1908         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
1909         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
1910         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
1911         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
1912         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
1913         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
1914         * dfg/DFGPredictionPropagationPhase.cpp:
1915         (JSC::DFG::PredictionPropagationPhase::propagate):
1916         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1917
1918 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1919
1920         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
1921         https://bugs.webkit.org/show_bug.cgi?id=153072
1922         <rdar://problem/24168312>
1923
1924         Reviewed by Timothy Hatcher.
1925
1926         * parser/Lexer.cpp:
1927         (JSC::Lexer<T>::parseCommentDirective):
1928         Just keep overwriting the member variable so we end up with
1929         the last directive value.
1930
1931 2016-01-13  Commit Queue  <commit-queue@webkit.org>
1932
1933         Unreviewed, rolling out r194969.
1934         https://bugs.webkit.org/show_bug.cgi?id=153075
1935
1936         This change broke the iOS build (Requested by ryanhaddad on
1937         #webkit).
1938
1939         Reverted changeset:
1940
1941         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
1942         Air"
1943         https://bugs.webkit.org/show_bug.cgi?id=153065
1944         http://trac.webkit.org/changeset/194969
1945
1946 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
1947
1948         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1949         https://bugs.webkit.org/show_bug.cgi?id=153065
1950
1951         Reviewed by Mark Lam.
1952         Reviewed by Filip Pizlo.
1953
1954         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
1955         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1956         Air already knows about it.
1957
1958         In this patch, the offsets are changed to something valid for ARM64
1959         prior to lowering. When an offset is invalid, it is just computed
1960         before the instruction and used as the base for addressing.
1961
1962         * JavaScriptCore.xcodeproj/project.pbxproj:
1963         * b3/B3Generate.cpp:
1964         (JSC::B3::generateToAir):
1965         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1966         (JSC::B3::legalizeMemoryOffsets):
1967         * b3/B3LegalizeMemoryOffsets.h: Added.
1968         * b3/B3LowerToAir.cpp:
1969         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1970         * b3/testb3.cpp:
1971         (JSC::B3::testLoadWithOffsetImpl):
1972         (JSC::B3::testLoadOffsetImm9Max):
1973         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1974         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1975         (JSC::B3::testLoadOffsetImm9Min):
1976         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1977         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1978         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1979         (JSC::B3::run):
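
Added example, not WebKit's B3LegalizeMemoryOffsets pass: a small C++ model of the rule the entry relies on and of the rewrite it performs. The two encodable forms are the ARM64 ones (an unscaled signed 9-bit immediate, -256..255, and an unsigned 12-bit immediate scaled by the access size, so at most 4095 times the width and a multiple of it); an offset that fits neither is folded into a fresh temporary before the access, which then addresses through that temporary with offset 0. `MemRef`, `Legalized`, `isValidARM64Offset`, `legalizeMemoryOffset` and the textual pseudo-instruction are assumptions of this example, not the project's names or Air syntax.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical model (not JSC's IR): a memory operand is a base register plus a
// signed 32-bit offset, which is what B3 permits before lowering to Air.
struct MemRef { std::string base; int32_t offset; };

// An ARM64 load/store immediate is encodable in one of two forms:
//   - unscaled: a signed 9-bit offset, -256 .. 255, with no alignment requirement;
//   - scaled: an unsigned 12-bit offset in units of the access size, so it must be
//     a multiple of accessBytes and no larger than 4095 * accessBytes.
bool isValidARM64Offset(int64_t offset, int accessBytes) {
    if (offset >= -256 && offset <= 255)
        return true;
    if (offset < 0 || offset % accessBytes != 0)
        return false;
    return offset / accessBytes <= 4095;
}

// Result of legalizing one operand: zero or one address computation emitted
// before the access, plus the operand the access should now use.
struct Legalized {
    std::vector<std::string> preInsts; // textual pseudo-instructions, for illustration
    MemRef addr;
};

// When the offset is not encodable, materialize base + offset into a temporary
// first and use that temporary as the base with offset 0. `tmpIndex` only names
// the temporary so the output is deterministic.
Legalized legalizeMemoryOffset(const MemRef& ref, int accessBytes, int tmpIndex = 0) {
    if (isValidARM64Offset(ref.offset, accessBytes))
        return {{}, ref};
    std::string tmp = "%tmp" + std::to_string(tmpIndex);
    std::string add = "Add64 $" + std::to_string(ref.offset) + ", " + ref.base + ", " + tmp;
    return {{add}, {tmp, 0}};
}

// How many extra instructions a given access costs after legalization.
size_t extraInstructions(int32_t offset, int accessBytes) {
    return legalizeMemoryOffset({"%x0", offset}, accessBytes).preInsts.size();
}
```

The boundary values mirror the tests the entry adds: 255 and -256 are the ends of the unscaled range, 256 is still fine for a 4-byte access because the scaled form takes it, 257 is not (unaligned and out of the 9-bit range), and 4095 * 4 is the last scaled offset for a 4-byte load. Deciding this once, before lowering, means the later Air encoding step never has to cope with an immediate it cannot represent.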
1980
1981 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
1982
1983         [FTL][Win64] Compile error.
1984         https://bugs.webkit.org/show_bug.cgi?id=153031
1985
1986         Reviewed by Brent Fulgham.
1987
1988         The header file dlfcn.h does not exist on Windows.
1989
1990         * ftl/FTLLowerDFGToLLVM.cpp:
1991
1992 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
1993
1994         Add a build flag for custom element
1995         https://bugs.webkit.org/show_bug.cgi?id=153005
1996
1997         Reviewed by Alex Christensen.
1998
1999         * Configurations/FeatureDefines.xcconfig:
2000
2001 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2002
2003         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
2004         https://bugs.webkit.org/show_bug.cgi?id=153024
2005
2006         Reviewed by Michael Saboff.
2007
2008         * b3/B3BasicBlock.h:
2009         Export the symbols for testb3.
2010
2011         * b3/air/AirOpcode.opcodes:
2012         We had 2 invalid opcodes:
2013         - Compare with immediate just does not exist.
2014         - Test64 with immediate exists but Air does not recognize
2015           the valid form of bit-immediates.
2016
2017         * b3/testb3.cpp:
2018         (JSC::B3::genericTestCompare):
2019         (JSC::B3::testCompareImpl):
2020         Extend the tests to cover what was invalid.
2021
2022 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2023
2024         [JSC] JSC does not build with FTL_USES_B3 on ARM64
2025         https://bugs.webkit.org/show_bug.cgi?id=153011
2026
2027         Reviewed by Saam Barati.
2028
2029         Apparently the static const member can only be used for constexpr.
2030         C++ is weird.
2031
2032         * jit/GPRInfo.cpp:
2033         * jit/GPRInfo.h:
2034
2035 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
2036
2037         Web Inspector: console.count() shouldn't show a colon in front of a number
2038         https://bugs.webkit.org/show_bug.cgi?id=152038
2039
2040         Reviewed by Brian Burg.
2041
2042         * inspector/agents/InspectorConsoleAgent.cpp:
2043         (Inspector::InspectorConsoleAgent::count):
2044         Do not include title and colon if the title is empty.
2045
2046 2016-01-11  Dan Bernstein  <mitz@apple.com>
2047
2048         Reverted r194317.
2049
2050         Reviewed by Joseph Pecoraro.
2051
2052         r194317 did not contain a change log entry, did not explain the motivation, did not name a
2053         reviewer, and does not seem necessary.
2054
2055         * JavaScriptCore.xcodeproj/project.pbxproj:
2056
2057 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
2058
2059         keywords ("super", "delete", etc) should be valid method names
2060         https://bugs.webkit.org/show_bug.cgi?id=144281
2061
2062         Reviewed by Ryosuke Niwa.
2063
2064         * parser/Parser.cpp:
2065         (JSC::Parser<LexerType>::parseClass):
2066         - When parsing "static(" treat it as a method named "static" and not a static method.
2067         - When parsing a keyword treat it like a string method name (get and set are not keywords)
2068         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword
2069
2070         (JSC::Parser<LexerType>::parseGetterSetter):
2071         - When parsing the getter / setter's name, allow it to be a keyword.
2072
2073 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2074
2075         [JSC] Add Div/Mod and fix Mul for B3 ARM64
2076         https://bugs.webkit.org/show_bug.cgi?id=152978
2077
2078         Reviewed by Filip Pizlo.
2079
2080         Add the 3-operand forms of Mul.
2081         Remove the form taking an immediate on ARM64; there is no such instruction.
2082
2083         Add Div with sdiv.
2084
2085         Unfortunately, I discovered ChillMod's division by zero
2086         makes it non-trivial on ARM64. I just made it into a macro like on x86.
2087
2088         * assembler/MacroAssemblerARM64.h:
2089         (JSC::MacroAssemblerARM64::mul32):
2090         (JSC::MacroAssemblerARM64::mul64):
2091         (JSC::MacroAssemblerARM64::div32):
2092         (JSC::MacroAssemblerARM64::div64):
2093         * b3/B3LowerMacros.cpp:
2094         * b3/B3LowerToAir.cpp:
2095         (JSC::B3::Air::LowerToAir::lower):
2096         * b3/air/AirOpcode.opcodes:
2097
2098 2016-01-11  Keith Miller  <keith_miller@apple.com>
2099
2100         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
2101         https://bugs.webkit.org/show_bug.cgi?id=152949
2102
2103         Reviewed by Michael Saboff.
2104
2105         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
2106
2107         * runtime/ArrayConstructor.cpp:
2108         (JSC::constructArrayWithSizeQuirk):
2109         (JSC::constructWithArrayConstructor):
2110         * runtime/InternalFunction.h:
2111         (JSC::InternalFunction::createStructure):
2112         * runtime/JSGlobalObject.h:
2113         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2114         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2115         (JSC::constructEmptyArray):
2116         (JSC::constructArray):
2117         (JSC::constructArrayNegativeIndexed):
2118         * runtime/PrototypeMap.cpp:
2119         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2120         * runtime/Structure.h:
2121         * runtime/StructureInlines.h:
2122
2123 2016-01-08  Keith Miller  <keith_miller@apple.com>
2124
2125         Use a profile to store allocation structures for subclasses of InternalFunctions
2126         https://bugs.webkit.org/show_bug.cgi?id=152942
2127
2128         Reviewed by Michael Saboff.
2129
2130         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
2131         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
2132         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
2133         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
2134         constructor as a new.target to any other constructor. This means that a user can pass some
2135         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
2136         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
2137         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
2138         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
2139         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
2140         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
2141
2142         Additionally, this patch adds subclassing to some omitted classes.
2143
2144         * API/JSObjectRef.cpp:
2145         (JSObjectMakeDate):
2146         (JSObjectMakeRegExp):
2147         * JavaScriptCore.xcodeproj/project.pbxproj:
2148         * bytecode/InternalFunctionAllocationProfile.h: Added.
2149         (JSC::InternalFunctionAllocationProfile::structure):
2150         (JSC::InternalFunctionAllocationProfile::clear):
2151         (JSC::InternalFunctionAllocationProfile::visitAggregate):
2152         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
2153         * dfg/DFGByteCodeParser.cpp:
2154         (JSC::DFG::ByteCodeParser::parseBlock):
2155         * dfg/DFGOperations.cpp:
2156         * dfg/DFGSpeculativeJIT32_64.cpp:
2157         (JSC::DFG::SpeculativeJIT::compile):
2158         * dfg/DFGSpeculativeJIT64.cpp:
2159         (JSC::DFG::SpeculativeJIT::compile):
2160         * jit/JITOpcodes.cpp:
2161         (JSC::JIT::emit_op_create_this):
2162         * jit/JITOpcodes32_64.cpp:
2163         (JSC::JIT::emit_op_create_this):
2164         * llint/LowLevelInterpreter32_64.asm:
2165         * llint/LowLevelInterpreter64.asm:
2166         * runtime/BooleanConstructor.cpp:
2167         (JSC::constructWithBooleanConstructor):
2168         * runtime/CommonSlowPaths.cpp:
2169         (JSC::SLOW_PATH_DECL):
2170         * runtime/DateConstructor.cpp:
2171         (JSC::constructDate):
2172         (JSC::constructWithDateConstructor):
2173         * runtime/DateConstructor.h:
2174         * runtime/ErrorConstructor.cpp:
2175         (JSC::Interpreter::constructWithErrorConstructor):
2176         * runtime/FunctionRareData.cpp:
2177         (JSC::FunctionRareData::create):
2178         (JSC::FunctionRareData::visitChildren):
2179         (JSC::FunctionRareData::FunctionRareData):
2180         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2181         (JSC::FunctionRareData::clear):
2182         (JSC::FunctionRareData::finishCreation): Deleted.
2183         (JSC::FunctionRareData::initialize): Deleted.
2184         * runtime/FunctionRareData.h:
2185         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
2186         (JSC::FunctionRareData::objectAllocationProfile):
2187         (JSC::FunctionRareData::objectAllocationStructure):
2188         (JSC::FunctionRareData::allocationProfileWatchpointSet):
2189         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
2190         (JSC::FunctionRareData::internalFunctionAllocationStructure):
2191         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
2192         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
2193         (JSC::FunctionRareData::allocationProfile): Deleted.
2194         (JSC::FunctionRareData::allocationStructure): Deleted.
2195         (JSC::FunctionRareData::isInitialized): Deleted.
2196         * runtime/InternalFunction.cpp:
2197         (JSC::InternalFunction::createSubclassStructure):
2198         * runtime/InternalFunction.h:
2199         * runtime/JSArrayBufferConstructor.cpp:
2200         (JSC::constructArrayBuffer):
2201         * runtime/JSFunction.cpp:
2202         (JSC::JSFunction::allocateRareData):
2203         (JSC::JSFunction::allocateAndInitializeRareData):
2204         (JSC::JSFunction::initializeRareData):
2205         * runtime/JSFunction.h:
2206         (JSC::JSFunction::rareData):
2207         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2208         (JSC::constructGenericTypedArrayView):
2209         * runtime/JSObject.h:
2210         (JSC::JSFinalObject::typeInfo):
2211         (JSC::JSFinalObject::createStructure):
2212         * runtime/JSPromiseConstructor.cpp:
2213         (JSC::constructPromise):
2214         * runtime/JSPromiseConstructor.h:
2215         * runtime/JSWeakMap.cpp:
2216         * runtime/JSWeakSet.cpp:
2217         * runtime/MapConstructor.cpp:
2218         (JSC::constructMap):
2219         * runtime/NativeErrorConstructor.cpp:
2220         (JSC::Interpreter::constructWithNativeErrorConstructor):
2221         * runtime/NumberConstructor.cpp:
2222         (JSC::constructWithNumberConstructor):
2223         * runtime/PrototypeMap.cpp:
2224         (JSC::PrototypeMap::createEmptyStructure):
2225         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2226         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2227         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
2228         * runtime/PrototypeMap.h:
2229         * runtime/RegExpConstructor.cpp:
2230         (JSC::getRegExpStructure):
2231         (JSC::constructRegExp):
2232         (JSC::constructWithRegExpConstructor):
2233         * runtime/RegExpConstructor.h:
2234         * runtime/SetConstructor.cpp:
2235         (JSC::constructSet):
2236         * runtime/WeakMapConstructor.cpp:
2237         (JSC::constructWeakMap):
2238         * runtime/WeakSetConstructor.cpp:
2239         (JSC::constructWeakSet):
2240         * tests/stress/class-subclassing-misc.js:
2241         (A):
2242         (D):
2243         (E):
2244         (WM):
2245         (WS):
2246         (test):
2247         * tests/stress/class-subclassing-typedarray.js: Added.
2248         (test):
2249
2250 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
2251
2252         [B3][Win64] Compile error.
2253         https://bugs.webkit.org/show_bug.cgi?id=152984
2254
2255         Reviewed by Alex Christensen.
2256
2257         Windows does not have bzero, use memset instead.
2258
2259         * b3/air/AirIteratedRegisterCoalescing.cpp:
2260
2261 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
2262
2263         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
2264         https://bugs.webkit.org/show_bug.cgi?id=152923
2265
2266         Reviewed by Alex Christensen.
2267
2268         * jit/CallFrameShuffler.h:
2269         (JSC::CallFrameShuffler::assumeCalleeIsCell):
2270
2271 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
2272
2273         [B3] Fix control reaches end of non-void function GCC warnings on Linux
2274         https://bugs.webkit.org/show_bug.cgi?id=152887
2275
2276         Reviewed by Mark Lam.
2277
2278         * b3/B3LowerToAir.cpp:
2279         (JSC::B3::Air::LowerToAir::createBranch):
2280         (JSC::B3::Air::LowerToAir::createCompare):
2281         (JSC::B3::Air::LowerToAir::createSelect):
2282         * b3/B3Type.h:
2283         (JSC::B3::sizeofType):
2284         * b3/air/AirArg.cpp:
2285         (JSC::B3::Air::Arg::isRepresentableAs):
2286         * b3/air/AirArg.h:
2287         (JSC::B3::Air::Arg::isAnyUse):
2288         (JSC::B3::Air::Arg::isColdUse):
2289         (JSC::B3::Air::Arg::isEarlyUse):
2290         (JSC::B3::Air::Arg::isLateUse):
2291         (JSC::B3::Air::Arg::isAnyDef):
2292         (JSC::B3::Air::Arg::isEarlyDef):
2293         (JSC::B3::Air::Arg::isLateDef):
2294         (JSC::B3::Air::Arg::isZDef):
2295         (JSC::B3::Air::Arg::widthForB3Type):
2296         (JSC::B3::Air::Arg::isGP):
2297         (JSC::B3::Air::Arg::isFP):
2298         (JSC::B3::Air::Arg::isType):
2299         (JSC::B3::Air::Arg::isValidForm):
2300         * b3/air/AirCode.h:
2301         (JSC::B3::Air::Code::newTmp):
2302         (JSC::B3::Air::Code::numTmps):
2303
2304 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2305
2306         Make it easier to introduce exotic instructions to Air
2307         https://bugs.webkit.org/show_bug.cgi?id=152953
2308
2309         Reviewed by Benjamin Poulain.
2310
2311         Currently, you can define new "opcodes" in Air using either:
2312
2313         1) New opcode declared in AirOpcode.opcodes.
2314         2) Patch opcode with a new implementation of Air::Special.
2315
2316         With (1), you are limited to fixed-argument-length instructions. There are other
2317         restrictions as well, like that you can only use the roles that the AirOpcode syntax
2318         supports.
2319
2320         With (2), you can do anything you like, but the instruction will be harder to match
2321         since it will share the same opcode as any other Patch. Also, the instruction will have
2322         the Special argument, which means more busy-work when creating the instruction and
2323         validating it.
2324
2325         This introduces an in-between facility called "custom". This replaces what AirOpcode
2326         previously called "special". A custom instruction is one whose behavior is defined by a
2327         FooCustom struct with some static methods. Calls to those methods are emitted by
2328         opcode_generator.rb.
2329
2330         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
2331         that we now treat the Patch instruction specially in a few places. Those places were
2332         already effectively treating it specially by assuming that only Patch instructions have
2333         a Special as their first argument.
2334
2335         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
2336         for performance work.
2337
2338         * JavaScriptCore.xcodeproj/project.pbxproj:
2339         * b3/air/AirCustom.h: Added.
2340         (JSC::B3::Air::PatchCustom::forEachArg):
2341         (JSC::B3::Air::PatchCustom::isValidFormStatic):
2342         (JSC::B3::Air::PatchCustom::isValidForm):
2343         (JSC::B3::Air::PatchCustom::admitsStack):
2344         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2345         (JSC::B3::Air::PatchCustom::generate):
2346         * b3/air/AirHandleCalleeSaves.cpp:
2347         (JSC::B3::Air::handleCalleeSaves):
2348         * b3/air/AirInst.h:
2349         * b3/air/AirInstInlines.h:
2350         (JSC::B3::Air::Inst::forEach):
2351         (JSC::B3::Air::Inst::extraClobberedRegs):
2352         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2353         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2354         (JSC::B3::Air::Inst::reportUsedRegisters):
2355         (JSC::B3::Air::Inst::hasSpecial): Deleted.
2356         * b3/air/AirOpcode.opcodes:
2357         * b3/air/AirReportUsedRegisters.cpp:
2358         (JSC::B3::Air::reportUsedRegisters):
2359         * b3/air/opcode_generator.rb:
2360
2361 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2362
2363         Turn Check(true) into Patchpoint() followed by Oops
2364         https://bugs.webkit.org/show_bug.cgi?id=152968
2365
2366         Reviewed by Benjamin Poulain.
2367
2368         This is an obvious strength reduction to have, especially since if we discover that the
2369         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
2370         of the basic block unlocks CFG simplification opportunities.
2371
2372         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
2373         implement sinking (bug 152162).
2374
2375         * b3/B3ControlValue.cpp:
2376         (JSC::B3::ControlValue::convertToJump):
2377         (JSC::B3::ControlValue::convertToOops):
2378         (JSC::B3::ControlValue::dumpMeta):
2379         * b3/B3ControlValue.h:
2380         * b3/B3InsertionSet.h:
2381         (JSC::B3::InsertionSet::insertValue):
2382         * b3/B3InsertionSetInlines.h:
2383         (JSC::B3::InsertionSet::insert):
2384         * b3/B3ReduceStrength.cpp:
2385         * b3/B3StackmapValue.h:
2386         * b3/B3Value.h:
2387         * tests/stress/ftl-force-osr-exit.js: Added.
2388
2389 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2390
2391         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
2392         https://bugs.webkit.org/show_bug.cgi?id=152840
2393
2394         Reviewed by Mark Lam.
2395
2396         ARM64 has two kinds of addressing with immediates:
2397         - Signed 9-bit direct (really only -256 to 255).
2398         - Unsigned 12-bit scaled by the load/store size.
2399
2400         When resolving the stack addresses, we easily run
2401         past -256 bytes from FP. Addressing from SP gives us more
2402         room to address the stack efficiently because we can
2403         use unsigned immediates.
2404
2405         * b3/B3StackmapSpecial.cpp:
2406         (JSC::B3::StackmapSpecial::repForArg):
2407         * b3/air/AirAllocateStack.cpp:
2408         (JSC::B3::Air::allocateStack):
2409
2410 2016-01-10  Saam barati  <sbarati@apple.com>
2411
2412         Implement a sampling profiler
2413         https://bugs.webkit.org/show_bug.cgi?id=151713
2414
2415         Reviewed by Filip Pizlo.
2416
2417         This patch implements a sampling profiler for JavaScriptCore
2418         that will be used in the Inspector UI. The implementation works as follows:
2419         We queue the sampling profiler to run a task on a background
2420         thread every 1ms. When the queued task executes, the sampling profiler
2421         will pause the JSC execution thread and attempt to take a stack trace. 
2422         The sampling profiler does everything it can to be very careful
2423         while taking this stack trace. Because it's reading arbitrary memory,
2424         the sampling profiler must validate every pointer it reads from.
2425
2426         The sampling profiler tries to get an ExecutableBase for every call frame
2427         it reads. It first tries to read the CodeBlock slot. It does this because
2428         it can be 100% certain that a pointer is a CodeBlock while it's taking a
2429         stack trace. But, not every call frame will have a CodeBlock. So we must read
2430         the call frame's callee. For these stack traces where we read the callee, we
2431         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
2432         on the main JSC execution thread, and not on the thread taking the stack
2433         trace. We do this verification either before we run the marking phase in
2434         GC, or when somebody asks the SamplingProfiler to materialize its data.
2435
2436         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
2437         thread is paused (this means it can't do anything that mallocs) because
2438         that could cause a deadlock. Therefore, the sampling profiler grabs
2439         locks for all data structures it consults before it pauses the JSC
2440         execution thread.
2441
2442         * CMakeLists.txt:
2443         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2444         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2445         * JavaScriptCore.xcodeproj/project.pbxproj:
2446         * bytecode/CodeBlock.h:
2447         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2448         (JSC::CodeBlockSet::mark):
2449         * dfg/DFGNodeType.h:
2450         * heap/CodeBlockSet.cpp:
2451         (JSC::CodeBlockSet::add):
2452         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2453         (JSC::CodeBlockSet::clearMarksForFullCollection):
2454         (JSC::CodeBlockSet::lastChanceToFinalize):
2455         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2456         (JSC::CodeBlockSet::contains):
2457         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2458         (JSC::CodeBlockSet::remove): Deleted.
2459         * heap/CodeBlockSet.h:
2460         (JSC::CodeBlockSet::getLock):
2461         (JSC::CodeBlockSet::iterate):
2462         The sampling profiler uses the heap's CodeBlockSet to validate
2463         CodeBlock pointers. This data structure must now be under a lock
2464         because we must be certain we're not pausing the JSC execution thread
2465         while it's manipulating this data structure.
2466
2467         * heap/ConservativeRoots.cpp:
2468         (JSC::ConservativeRoots::ConservativeRoots):
2469         (JSC::ConservativeRoots::grow):
2470         (JSC::ConservativeRoots::genericAddPointer):
2471         (JSC::ConservativeRoots::genericAddSpan):
2472         (JSC::ConservativeRoots::add):
2473         (JSC::CompositeMarkHook::CompositeMarkHook):
2474         (JSC::CompositeMarkHook::mark):
2475         * heap/ConservativeRoots.h:
2476         * heap/Heap.cpp:
2477         (JSC::Heap::markRoots):
2478         (JSC::Heap::visitHandleStack):
2479         (JSC::Heap::visitSamplingProfiler):
2480         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2481         (JSC::Heap::snapshotMarkedSpace):
2482         * heap/Heap.h:
2483         (JSC::Heap::structureIDTable):
2484         (JSC::Heap::codeBlockSet):
2485         * heap/MachineStackMarker.cpp:
2486         (pthreadSignalHandlerSuspendResume):
2487         (JSC::getCurrentPlatformThread):
2488         (JSC::MachineThreads::MachineThreads):
2489         (JSC::MachineThreads::~MachineThreads):
2490         (JSC::MachineThreads::Thread::createForCurrentThread):
2491         (JSC::MachineThreads::Thread::operator==):
2492         (JSC::isThreadInList):
2493         (JSC::MachineThreads::addCurrentThread):
2494         (JSC::MachineThreads::machineThreadForCurrentThread):
2495         (JSC::MachineThreads::removeThread):
2496         (JSC::MachineThreads::gatherFromCurrentThread):
2497         (JSC::MachineThreads::Thread::Thread):
2498         (JSC::MachineThreads::Thread::~Thread):
2499         (JSC::MachineThreads::Thread::suspend):
2500         (JSC::MachineThreads::Thread::resume):
2501         (JSC::MachineThreads::Thread::getRegisters):
2502         (JSC::MachineThreads::Thread::Registers::stackPointer):
2503         (JSC::MachineThreads::Thread::Registers::framePointer):
2504         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2505         (JSC::MachineThreads::Thread::freeRegisters):
2506         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2507         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2508         (JSC::MachineThreads::Thread::operator!=): Deleted.
2509         * heap/MachineStackMarker.h:
2510         (JSC::MachineThreads::Thread::operator!=):
2511         (JSC::MachineThreads::getLock):
2512         (JSC::MachineThreads::threadsListHead):
2513         We can now ask a MachineThreads::Thread for its frame pointer
2514         and program counter on darwin and windows platforms. efl
2515         and gtk implementations will happen in another patch.
2516
2517         * heap/MarkedBlockSet.h:
2518         (JSC::MarkedBlockSet::getLock):
2519         (JSC::MarkedBlockSet::add):
2520         (JSC::MarkedBlockSet::remove):
2521         (JSC::MarkedBlockSet::recomputeFilter):
2522         (JSC::MarkedBlockSet::filter):
2523         (JSC::MarkedBlockSet::set):
2524         * heap/MarkedSpace.cpp:
2525         (JSC::Free::Free):
2526         (JSC::Free::operator()):
2527         (JSC::FreeOrShrink::FreeOrShrink):
2528         (JSC::FreeOrShrink::operator()):
2529         (JSC::MarkedSpace::~MarkedSpace):
2530         (JSC::MarkedSpace::isPagedOut):
2531         (JSC::MarkedSpace::freeBlock):
2532         (JSC::MarkedSpace::freeOrShrinkBlock):
2533         (JSC::MarkedSpace::shrink):
2534         * heap/MarkedSpace.h:
2535         (JSC::MarkedSpace::forEachLiveCell):
2536         (JSC::MarkedSpace::forEachDeadCell):
2537         * interpreter/CallFrame.h:
2538         (JSC::ExecState::calleeAsValue):
2539         (JSC::ExecState::callee):
2540         (JSC::ExecState::unsafeCallee):
2541         (JSC::ExecState::codeBlock):
2542         (JSC::ExecState::scope):
2543         * jit/ExecutableAllocator.cpp:
2544         (JSC::ExecutableAllocator::dumpProfile):
2545         (JSC::ExecutableAllocator::getLock):
2546         (JSC::ExecutableAllocator::isValidExecutableMemory):
2547         * jit/ExecutableAllocator.h:
2548         * jit/ExecutableAllocatorFixedVMPool.cpp:
2549         (JSC::ExecutableAllocator::allocate):
2550         (JSC::ExecutableAllocator::isValidExecutableMemory):
2551         (JSC::ExecutableAllocator::getLock):
2552         (JSC::ExecutableAllocator::committedByteCount):
2553         The sampling profiler consults the ExecutableAllocator to check
2554         if the frame pointer it reads is in executable allocated memory.
2555
2556         * jsc.cpp:
2557         (GlobalObject::finishCreation):
2558         (functionCheckModuleSyntax):
2559         (functionStartSamplingProfiler):
2560         (functionSamplingProfilerStackTraces):
2561         * llint/LLIntPCRanges.h: Added.
2562         (JSC::LLInt::isLLIntPC):
2563         * offlineasm/asm.rb:
2564         I added the ability to test whether the PC is executing
2565         LLInt code because this code is not part of the memory
2566         our executable allocator allocates.
2567
2568         * runtime/Executable.h:
2569         (JSC::ExecutableBase::isModuleProgramExecutable):
2570         (JSC::ExecutableBase::isExecutableType):
2571         (JSC::ExecutableBase::isHostFunction):
2572         * runtime/JSLock.cpp:
2573         (JSC::JSLock::didAcquireLock):
2574         (JSC::JSLock::unlock):
2575         * runtime/Options.h:
2576         * runtime/SamplingProfiler.cpp: Added.
2577         (JSC::reportStats):
2578         (JSC::FrameWalker::FrameWalker):
2579         (JSC::FrameWalker::walk):
2580         (JSC::FrameWalker::wasValidWalk):
2581         (JSC::FrameWalker::advanceToParentFrame):
2582         (JSC::FrameWalker::isAtTop):
2583         (JSC::FrameWalker::resetAtMachineFrame):
2584         (JSC::FrameWalker::isValidFramePointer):
2585         (JSC::FrameWalker::isValidCodeBlock):
2586         (JSC::FrameWalker::tryToGetExecutableFromCallee):
2587         The FrameWalker class is used to walk the stack in a safe
2588         manner. It doesn't do anything that would deadlock, and it
2589         validates all pointers that it sees.
2590
2591         (JSC::SamplingProfiler::SamplingProfiler):
2592         (JSC::SamplingProfiler::~SamplingProfiler):
2593         (JSC::SamplingProfiler::visit):
2594         (JSC::SamplingProfiler::shutdown):
2595         (JSC::SamplingProfiler::start):
2596         (JSC::SamplingProfiler::stop):
2597         (JSC::SamplingProfiler::pause):
2598         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2599         (JSC::SamplingProfiler::dispatchIfNecessary):
2600         (JSC::SamplingProfiler::dispatchFunction):
2601         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2602         (JSC::SamplingProfiler::noticeVMEntry):
2603         (JSC::SamplingProfiler::observeStackTrace):
2604         (JSC::SamplingProfiler::clearData):
2605         (JSC::displayName):
2606         (JSC::startLine):
2607         (JSC::startColumn):
2608         (JSC::sourceID):
2609         (JSC::url):
2610         (JSC::SamplingProfiler::stacktracesAsJSON):
2611         * runtime/SamplingProfiler.h: Added.
2612         (JSC::SamplingProfiler::getLock):
2613         (JSC::SamplingProfiler::setTimingInterval):
2614         (JSC::SamplingProfiler::stackTraces):
2615         * runtime/VM.cpp:
2616         (JSC::VM::VM):
2617         (JSC::VM::~VM):
2618         (JSC::VM::setLastStackTop):
2619         (JSC::VM::createContextGroup):
2620         (JSC::VM::ensureWatchdog):
2621         (JSC::VM::ensureSamplingProfiler):
2622         (JSC::thunkGeneratorForIntrinsic):
2623         * runtime/VM.h:
2624         (JSC::VM::watchdog):
2625         (JSC::VM::isSafeToRecurse):
2626         (JSC::VM::lastStackTop):
2627         (JSC::VM::scratchBufferForSize):
2628         (JSC::VM::samplingProfiler):
2629         (JSC::VM::setShouldRewriteConstAsVar):
2630         (JSC::VM::setLastStackTop): Deleted.
2631         * runtime/VMEntryScope.cpp:
2632         (JSC::VMEntryScope::VMEntryScope):
2633         * tests/stress/sampling-profiler: Added.
2634         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2635         (foo):
2636         (baz):
2637         * tests/stress/sampling-profiler-basic.js: Added.
2638         (bar):
2639         (foo):
2640         (nothing):
2641         (top):
2642         (jaz):
2643         (kaz):
2644         (checkInlining):
2645         * tests/stress/sampling-profiler-deep-stack.js: Added.
2646         (foo):
2647         (hellaDeep):
2648         (start):
2649         * tests/stress/sampling-profiler-microtasks.js: Added.
2650         (testResults):
2651         (loop.jaz):
2652         (loop):
2653         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2654         (assert):
2655         (let.nodePrototype.makeChildIfNeeded):
2656         (makeNode):
2657         (updateCallingContextTree):
2658         (doesTreeHaveStackTrace):
2659         (makeTree):
2660         (runTest):
2661         (dumpTree):
2662         * tools/JSDollarVMPrototype.cpp:
2663         (JSC::JSDollarVMPrototype::isInObjectSpace):
2664         (JSC::JSDollarVMPrototype::isInStorageSpace):
2665         * yarr/YarrJIT.cpp:
2666         (JSC::Yarr::YarrGenerator::generateEnter):
2667         (JSC::Yarr::YarrGenerator::generateReturn):
2668         (JSC::Yarr::YarrGenerator::YarrGenerator):
2669         (JSC::Yarr::YarrGenerator::compile):
2670         (JSC::Yarr::jitCompile):
2671         We now have a boolean that's set to true when
2672         we're executing a RegExp, and to false otherwise.
2673         The boolean lives off of VM.
2674
2675         * CMakeLists.txt:
2676         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2677         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2678         * JavaScriptCore.xcodeproj/project.pbxproj:
2679         * bytecode/CodeBlock.h:
2680         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2681         (JSC::CodeBlockSet::mark):
2682         * dfg/DFGNodeType.h:
2683         * heap/CodeBlockSet.cpp:
2684         (JSC::CodeBlockSet::add):
2685         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2686         (JSC::CodeBlockSet::clearMarksForFullCollection):
2687         (JSC::CodeBlockSet::lastChanceToFinalize):
2688         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2689         (JSC::CodeBlockSet::contains):
2690         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2691         (JSC::CodeBlockSet::remove): Deleted.
2692         * heap/CodeBlockSet.h:
2693         (JSC::CodeBlockSet::getLock):
2694         (JSC::CodeBlockSet::iterate):
2695         * heap/ConservativeRoots.cpp:
2696         (JSC::ConservativeRoots::ConservativeRoots):
2697         (JSC::ConservativeRoots::genericAddPointer):
2698         (JSC::ConservativeRoots::add):
2699         (JSC::CompositeMarkHook::CompositeMarkHook):
2700         (JSC::CompositeMarkHook::mark):
2701         * heap/ConservativeRoots.h:
2702         * heap/Heap.cpp:
2703         (JSC::Heap::markRoots):
2704         (JSC::Heap::visitHandleStack):
2705         (JSC::Heap::visitSamplingProfiler):
2706         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2707         * heap/Heap.h:
2708         (JSC::Heap::structureIDTable):
2709         (JSC::Heap::codeBlockSet):
2710         * heap/HeapInlines.h:
2711         (JSC::Heap::didFreeBlock):
2712         (JSC::Heap::isPointerGCObject):
2713         (JSC::Heap::isValueGCObject):
2714         * heap/MachineStackMarker.cpp:
2715         (pthreadSignalHandlerSuspendResume):
2716         (JSC::getCurrentPlatformThread):
2717         (JSC::MachineThreads::MachineThreads):
2718         (JSC::MachineThreads::~MachineThreads):
2719         (JSC::MachineThreads::Thread::createForCurrentThread):
2720         (JSC::MachineThreads::Thread::operator==):
2721         (JSC::isThreadInList):
2722         (JSC::MachineThreads::addCurrentThread):
2723         (JSC::MachineThreads::machineThreadForCurrentThread):
2724         (JSC::MachineThreads::removeThread):
2725         (JSC::MachineThreads::gatherFromCurrentThread):
2726         (JSC::MachineThreads::Thread::Thread):
2727         (JSC::MachineThreads::Thread::~Thread):
2728         (JSC::MachineThreads::Thread::suspend):
2729         (JSC::MachineThreads::Thread::resume):
2730         (JSC::MachineThreads::Thread::getRegisters):
2731         (JSC::MachineThreads::Thread::Registers::stackPointer):
2732         (JSC::MachineThreads::Thread::Registers::framePointer):
2733         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2734         (JSC::MachineThreads::Thread::freeRegisters):
2735         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2736         (JSC::MachineThreads::Thread::operator!=): Deleted.
2737         * heap/MachineStackMarker.h:
2738         (JSC::MachineThreads::Thread::operator!=):
2739         (JSC::MachineThreads::getLock):
2740         (JSC::MachineThreads::threadsListHead):
2741         * heap/MarkedBlockSet.h:
2742         * heap/MarkedSpace.cpp:
2743         (JSC::Free::Free):
2744         (JSC::Free::operator()):
2745         (JSC::FreeOrShrink::FreeOrShrink):
2746         (JSC::FreeOrShrink::operator()):
2747         * interpreter/CallFrame.h:
2748         (JSC::ExecState::calleeAsValue):
2749         (JSC::ExecState::callee):
2750         (JSC::ExecState::unsafeCallee):
2751         (JSC::ExecState::codeBlock):
2752         (JSC::ExecState::scope):
2753         * jit/ExecutableAllocator.cpp:
2754         (JSC::ExecutableAllocator::dumpProfile):
2755         (JSC::ExecutableAllocator::getLock):
2756         (JSC::ExecutableAllocator::isValidExecutableMemory):
2757         * jit/ExecutableAllocator.h:
2758         * jit/ExecutableAllocatorFixedVMPool.cpp:
2759         (JSC::ExecutableAllocator::allocate):
2760         (JSC::ExecutableAllocator::isValidExecutableMemory):
2761         (JSC::ExecutableAllocator::getLock):
2762         (JSC::ExecutableAllocator::committedByteCount):
2763         * jsc.cpp:
2764         (GlobalObject::finishCreation):
2765         (functionCheckModuleSyntax):
2766         (functionPlatformSupportsSamplingProfiler):
2767         (functionStartSamplingProfiler):
2768         (functionSamplingProfilerStackTraces):
2769         * llint/LLIntPCRanges.h: Added.
2770         (JSC::LLInt::isLLIntPC):
2771         * offlineasm/asm.rb:
2772         * runtime/Executable.h:
2773         (JSC::ExecutableBase::isModuleProgramExecutable):
2774         (JSC::ExecutableBase::isExecutableType):
2775         (JSC::ExecutableBase::isHostFunction):
2776         * runtime/JSLock.cpp:
2777         (JSC::JSLock::didAcquireLock):
2778         (JSC::JSLock::unlock):
2779         * runtime/Options.h:
2780         * runtime/SamplingProfiler.cpp: Added.
2781         (JSC::reportStats):
2782         (JSC::FrameWalker::FrameWalker):
2783         (JSC::FrameWalker::walk):
2784         (JSC::FrameWalker::wasValidWalk):
2785         (JSC::FrameWalker::advanceToParentFrame):
2786         (JSC::FrameWalker::isAtTop):
2787         (JSC::FrameWalker::resetAtMachineFrame):
2788         (JSC::FrameWalker::isValidFramePointer):
2789         (JSC::FrameWalker::isValidCodeBlock):
2790         (JSC::SamplingProfiler::SamplingProfiler):
2791         (JSC::SamplingProfiler::~SamplingProfiler):
2792         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2793         (JSC::SamplingProfiler::visit):
2794         (JSC::SamplingProfiler::shutdown):
2795         (JSC::SamplingProfiler::start):
2796         (JSC::SamplingProfiler::stop):
2797         (JSC::SamplingProfiler::pause):
2798         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2799         (JSC::SamplingProfiler::dispatchIfNecessary):
2800         (JSC::SamplingProfiler::dispatchFunction):
2801         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2802         (JSC::SamplingProfiler::noticeVMEntry):
2803         (JSC::SamplingProfiler::clearData):
2804         (JSC::displayName):
2805         (JSC::SamplingProfiler::stacktracesAsJSON):
2806         (WTF::printInternal):
2807         * runtime/SamplingProfiler.h: Added.
2808         (JSC::SamplingProfiler::StackFrame::StackFrame):
2809         (JSC::SamplingProfiler::getLock):
2810         (JSC::SamplingProfiler::setTimingInterval):
2811         (JSC::SamplingProfiler::stackTraces):
2812         * runtime/VM.cpp:
2813         (JSC::VM::VM):
2814         (JSC::VM::~VM):
2815         (JSC::VM::setLastStackTop):
2816         (JSC::VM::createContextGroup):
2817         (JSC::VM::ensureWatchdog):
2818         (JSC::VM::ensureSamplingProfiler):
2819         (JSC::thunkGeneratorForIntrinsic):
2820         * runtime/VM.h:
2821         (JSC::VM::watchdog):
2822         (JSC::VM::samplingProfiler):
2823         (JSC::VM::isSafeToRecurse):
2824         (JSC::VM::lastStackTop):
2825         (JSC::VM::scratchBufferForSize):
2826         (JSC::VM::setLastStackTop): Deleted.
2827         * runtime/VMEntryScope.cpp:
2828         (JSC::VMEntryScope::VMEntryScope):
2829         * tests/stress/sampling-profiler: Added.
2830         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2831         (platformSupportsSamplingProfiler.foo):
2832         (platformSupportsSamplingProfiler.baz):
2833         (platformSupportsSamplingProfiler):
2834         * tests/stress/sampling-profiler-basic.js: Added.
2835         (platformSupportsSamplingProfiler.bar):
2836         (platformSupportsSamplingProfiler.foo):
2837         (platformSupportsSamplingProfiler.nothing):
2838         (platformSupportsSamplingProfiler.top):
2839         (platformSupportsSamplingProfiler.jaz):
2840         (platformSupportsSamplingProfiler.kaz):
2841         (platformSupportsSamplingProfiler.checkInlining):
2842         (platformSupportsSamplingProfiler):
2843         * tests/stress/sampling-profiler-deep-stack.js: Added.
2844         (platformSupportsSamplingProfiler.foo):
2845         (platformSupportsSamplingProfiler.let.hellaDeep):
2846         (platformSupportsSamplingProfiler.let.start):
2847         (platformSupportsSamplingProfiler):
2848         * tests/stress/sampling-profiler-microtasks.js: Added.
2849         (platformSupportsSamplingProfiler.testResults):
2850         (platformSupportsSamplingProfiler):
2851         (platformSupportsSamplingProfiler.loop.jaz):
2852         (platformSupportsSamplingProfiler.loop):
2853         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2854         (assert):
2855         (let.nodePrototype.makeChildIfNeeded):
2856         (makeNode):
2857         (updateCallingContextTree):
2858         (doesTreeHaveStackTrace):
2859         (makeTree):
2860         (runTest):
2861         (dumpTree):
2862         * yarr/YarrJIT.cpp:
2863         (JSC::Yarr::YarrGenerator::generateEnter):
2864         (JSC::Yarr::YarrGenerator::generateReturn):
2865         (JSC::Yarr::YarrGenerator::YarrGenerator):
2866         (JSC::Yarr::YarrGenerator::compile):
2867         (JSC::Yarr::jitCompile):
2868
2869 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2870
2871         [JSC] Iterating over a Set/Map is too slow
2872         https://bugs.webkit.org/show_bug.cgi?id=152691
2873
2874         Reviewed by Saam Barati.
2875
2876         Set#forEach and Set & for-of are very slow. There are 2 reasons.
2877
2878         1. forEach is implemented in C++. And typically, it takes a JS callback and calls it from C++.
2879
2880         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
2881
2882             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
2883             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
2884             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
2885              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
2886              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
2887              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
2888
2889         Writing forEach in JS eliminates this.
2890
2891             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
2892             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
2893             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
2894              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
2895              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
2896              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
2897              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
2898              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
2899
2900         2. Iterator result object allocation is costly.
2901
2902         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
2903
2904             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
2905             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
2906             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
2907             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
2908             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
2909              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
2910
2911         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in FTL.
2912         But looking at the perf result, we can find an easy-to-fix bottleneck in the current implementation.
2913         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
2914         A pre-baked Structure* with the `done` and `value` properties makes this implementation fast.
2915
2916         After these improvements, the micro benchmark[1] shows the following.
2917
2918         old:
2919             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
2920             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
2921             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
2922             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
2923             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
2924             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
2925
2926         new:
2927             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
2928             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
2929             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
2930             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
2931             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
2932             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
2933
2934         Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x and 2.57x).
2935         After these optimizations, they are still much slower than linked list and array.
2936         This should be optimized in the long term.
2937
2938         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
2939
2940         * CMakeLists.txt:
2941         * DerivedSources.make:
2942         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2944         * JavaScriptCore.xcodeproj/project.pbxproj:
2945         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2946         (forEach):
2947         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2948         (forEach):
2949         * runtime/CommonIdentifiers.h:
2950         * runtime/IteratorOperations.cpp:
2951         (JSC::createIteratorResultObjectStructure):
2952         (JSC::createIteratorResultObject):
2953         * runtime/IteratorOperations.h:
2954         * runtime/JSGlobalObject.cpp:
2955         (JSC::JSGlobalObject::init):
2956         (JSC::JSGlobalObject::visitChildren):
2957         * runtime/JSGlobalObject.h:
2958         (JSC::JSGlobalObject::iteratorResultObjectStructure):
2959         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
2960         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
2961         * runtime/MapPrototype.cpp:
2962         (JSC::MapPrototype::getOwnPropertySlot):
2963         (JSC::privateFuncIsMap):
2964         (JSC::privateFuncMapIterator):
2965         (JSC::privateFuncMapIteratorNext):
2966         (JSC::MapPrototype::finishCreation): Deleted.
2967         (JSC::mapProtoFuncForEach): Deleted.
2968         * runtime/MapPrototype.h:
2969         * runtime/SetPrototype.cpp:
2970         (JSC::SetPrototype::getOwnPropertySlot):
2971         (JSC::privateFuncIsSet):
2972         (JSC::privateFuncSetIterator):
2973         (JSC::privateFuncSetIteratorNext):
2974         (JSC::SetPrototype::finishCreation): Deleted.
2975         (JSC::setProtoFuncForEach): Deleted.
2976         * runtime/SetPrototype.h:
2977
2978 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2979
2980         Unreviewed, fix ARM64 build.
2981
2982         * b3/air/AirOpcode.opcodes:
2983
2984 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2985
2986         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
2987         https://bugs.webkit.org/show_bug.cgi?id=152955
2988
2989         Reviewed by Saam Barati.
2990
2991         This happens when we box an int32 and then immediately unbox it.
2992
2993         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
2994         benchmark. It's neutral elsewhere.
2995
2996         * b3/B3ReduceStrength.cpp:
2997         * b3/testb3.cpp:
2998         (JSC::B3::testPowDoubleByIntegerLoop):
2999         (JSC::B3::testTruncOrHigh):
3000         (JSC::B3::testTruncOrLow):
3001         (JSC::B3::testBitAndOrHigh):
3002         (JSC::B3::testBitAndOrLow):
3003         (JSC::B3::zero):
3004         (JSC::B3::run):
3005
3006 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
3007
3008         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
3009         https://bugs.webkit.org/show_bug.cgi?id=149855
3010
3011         Reviewed by Saam Barati.
3012
3013         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
3014         'this', 'arguments' and 'super'.
3015
3016         * CMakeLists.txt:
3017         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3018         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3019         * JavaScriptCore.xcodeproj/project.pbxproj:
3020         * dfg/DFGAbstractInterpreterInlines.h:
3021         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3022         * dfg/DFGSpeculativeJIT.cpp:
3023         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3024         * dfg/DFGStructureRegistrationPhase.cpp:
3025         (JSC::DFG::StructureRegistrationPhase::run):
3026         * ftl/FTLAbstractHeapRepository.cpp:
3027         * ftl/FTLAbstractHeapRepository.h:
3028         * ftl/FTLLowerDFGToLLVM.cpp:
3029         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
3030         * interpreter/Interpreter.cpp:
3031         * interpreter/Interpreter.h:
3032         * jit/JITOpcodes.cpp:
3033         * jit/JITOpcodes32_64.cpp:
3034         * jit/JITOperations.cpp:
3035         * jit/JITOperations.h:
3036         * llint/LLIntOffsetsExtractor.cpp:
3037         * llint/LLIntSlowPaths.cpp:
3038         * runtime/JSArrowFunction.cpp: Removed.
3039         * runtime/JSArrowFunction.h: Removed.
3040         * runtime/JSGlobalObject.cpp:
3041         * runtime/JSGlobalObject.h:
3042
3043 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3044
3045         It should be possible to run liveness over registers without also tracking Tmps
3046         https://bugs.webkit.org/show_bug.cgi?id=152963
3047
3048         Reviewed by Saam Barati.
3049
3050         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
3051         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
3052         code like that for handling cold function calls. It also makes code like that somewhat more
3053         scalable, since we're no longer using HashSets.
3054
3055         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
3056         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
3057         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
3058         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
3059         think that this is good, because the lack of set methods (add/remove/contains) has caused
3060         bugs in the past. This makes BitVector have methods both for set operations on bits and array
3061         operations on bits. I think that's good, since BitVector gets used in both contexts.
3062
3063         * b3/B3IndexSet.h:
3064         (JSC::B3::IndexSet::Iterable::iterator::iterator):
3065         (JSC::B3::IndexSet::Iterable::begin):
3066         (JSC::B3::IndexSet::dump):
3067         * b3/air/AirInstInlines.h:
3068         (JSC::B3::Air::ForEach<Tmp>::forEach):
3069         (JSC::B3::Air::ForEach<Arg>::forEach):
3070         (JSC::B3::Air::ForEach<Reg>::forEach):
3071         (JSC::B3::Air::Inst::forEach):
3072         * b3/air/AirLiveness.h:
3073         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
3074         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
3075         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
3076         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
3077         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
3078         * b3/air/AirReportUsedRegisters.cpp:
3079         (JSC::B3::Air::reportUsedRegisters):
3080         * jit/Reg.h:
3081         (JSC::Reg::next):
3082         (JSC::Reg::index):
3083         (JSC::Reg::maxIndex):
3084         (JSC::Reg::isSet):
3085         (JSC::Reg::operator bool):
3086         * jit/RegisterSet.h:
3087         (JSC::RegisterSet::forEach):
3088
3089 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3090
3091         [JSC] Make branchMul functional in ARM B3 and minor fixes
3092         https://bugs.webkit.org/show_bug.cgi?id=152889
3093
3094         Reviewed by Mark Lam.
3095
3096         ARM64 does not have an "S" version of MUL setting the flags.
3097         What we do is abstract that in the MacroAssembler. The problem
3098         is that form requires scratch registers.
3099
3100         For simplicity, I just exposed the two scratch registers
3101         for Air. Filip already added the concept of Scratch role,
3102         all I needed was to expose it for opcodes.
3103
3104         * assembler/MacroAssemblerARM64.h:
3105         (JSC::MacroAssemblerARM64::branchMul32):
3106         (JSC::MacroAssemblerARM64::branchMul64):
3107         Expose a version with the scratch registers as arguments.
3108
3109         * b3/B3LowerToAir.cpp:
3110         (JSC::B3::Air::LowerToAir::lower):
3111         Add the new form of CheckMul lowering.
3112
3113         * b3/air/AirOpcode.opcodes:
3114         Expose the new BranchMuls.
3115         Remove all the Test variants that use immediates
3116         since Air can't handle those immediates correctly yet.
3117
3118         * b3/air/opcode_generator.rb:
3119         Expose the Scratch role.
3120
3121         * b3/testb3.cpp:
3122         (JSC::B3::testPatchpointLotsOfLateAnys):
3123         Ooops, the scratch registers were not clobbered. We were just lucky
3124         on x86.
3125
3126 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3127
3128         [JSC] B3 is unable to do function calls on ARM64
3129         https://bugs.webkit.org/show_bug.cgi?id=152895
3130
3131         Reviewed by Mark Lam.
3132
3133         Apparently iOS does not follow the ARM64 ABI for function calls.
3134         Instead of giving each value an 8-byte slot, it must be packed
3135         while preserving alignment.
3136
3137         This patch adds a #ifdef to make function calls functional.
3138
3139         * b3/B3LowerToAir.cpp:
3140         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
3141         (JSC::B3::Air::LowerToAir::lower):
3142
3143 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
3144
3145         Air should support Branch64 with immediates
3146         https://bugs.webkit.org/show_bug.cgi?id=152951
3147
3148         Reviewed by Oliver Hunt.
3149
3150         This doesn't significantly improve performance on any benchmarks, but it's great to get this
3151         obvious omission out of the way.
3152
3153         * assembler/MacroAssemblerX86_64.h:
3154         (JSC::MacroAssemblerX86_64::branch64):
3155         * b3/air/AirOpcode.opcodes:
3156         * b3/testb3.cpp:
3157         (JSC::B3::testPowDoubleByIntegerLoop):
3158         (JSC::B3::testBranch64Equal):
3159         (JSC::B3::testBranch64EqualImm):
3160         (JSC::B3::testBranch64EqualMem):
3161         (JSC::B3::testBranch64EqualMemImm):
3162         (JSC::B3::zero):
3163         (JSC::B3::run):
3164
3165 2016-01-09  Dan Bernstein  <mitz@apple.com>
3166
3167         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
3168         https://bugs.webkit.org/show_bug.cgi?id=152926
3169
3170         Reviewed by Tim Horton.
3171
3172         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
3173         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
3174         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
3175
3176         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
3177
3178         * Configurations/Base.xcconfig:
3179         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
3180           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
3181         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
3182         * Configurations/JSC.xcconfig:
3183           Add quotes to account for spaces.
3184         * Configurations/ToolExecutable.xcconfig:
3185           Ditto.
3186         * postprocess-headers.sh:
3187           Ditto.
3188
3189 2016-01-09  Mark Lam  <mark.lam@apple.com>
3190
3191         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
3192         https://bugs.webkit.org/show_bug.cgi?id=152918
3193
3194         Reviewed by Filip Pizlo and Saam Barati.
3195
3196         * ftl/FTLCompile.cpp:
3197         - Updated a comment.
3198         * ftl/FTLLowerDFGToLLVM.cpp:
3199         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3200         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
3201           extra slot for BinaryOps that don't have Untyped operands, and failing to
3202           allocate that extra slot for some binary ops.  This is now fixed.
3203
3204         * tests/stress/ftl-shr-exception.js:
3205         * tests/stress/ftl-xor-exception.js:
3206         - Un-skipped these tests.  They now pass with this patch.
3207
3208 2016-01-09  Andreas Kling  <akling@apple.com>
3209
3210         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
3211         <https://webkit.org/b/152902>
3212
3213         Reviewed by Anders Carlsson.
3214
3215         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
3216
3217         * API/JSAPIWrapperObject.mm:
3218         (jsAPIWrapperObjectHandleOwner):
3219         * API/JSManagedValue.mm:
3220         (managedValueHandleOwner):
3221         * inspector/agents/InspectorDebuggerAgent.cpp:
3222         (Inspector::objectGroupForBreakpointAction):
3223         * jit/ExecutableAllocator.cpp:
3224         (JSC::DemandExecutableAllocator::allocators):
3225
3226 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3227
3228         FTL B3 should do varargs tail calls and stack overflows
3229         https://bugs.webkit.org/show_bug.cgi?id=152934
3230
3231         Reviewed by Saam Barati.
3232
3233         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
3234         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
3235         why I have two fixes in one change. Now the test passes.
3236
3237         This reduces the number of failures from 13 to 0.
3238
3239         * ftl/FTLLowerDFGToLLVM.cpp:
3240         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
3241         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
3242         append an Oops (i.e. "unreachable").
3243
3244 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3245
3246         B3 needs Neg()
3247         https://bugs.webkit.org/show_bug.cgi?id=152925
3248
3249         Reviewed by Mark Lam.
3250
3251         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
3252         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
3253
3254         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
3255         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
3256         to use bitops to represent floating point operations. Whatever cuteness this would have
3257         bought us would be outweighed by the annoyance of having to write code that matches
3258         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
3259         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
3260         Also, I suspect that the omission of Neg would cause others to make the mistake of using
3261         Sub to represent floating point negation.
3262
3263         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
3264         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
3265         floats, we lower it to BitXor(x, -0) on x86.
3266
3267         This reduces the number of failures from 13 to 12.
3268
3269         * assembler/MacroAssemblerX86Common.h:
3270         (JSC::MacroAssemblerX86Common::andFloat):
3271         (JSC::MacroAssemblerX86Common::xorDouble):
3272         (JSC::MacroAssemblerX86Common::xorFloat):
3273         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3274         * b3/B3LowerMacrosAfterOptimizations.cpp:
3275         * b3/B3LowerToAir.cpp:
3276         (JSC::B3::Air::LowerToAir::lower):
3277         * b3/B3Opcode.cpp:
3278         (WTF::printInternal):
3279         * b3/B3Opcode.h:
3280         * b3/B3ReduceStrength.cpp:
3281         * b3/B3Validate.cpp:
3282         * b3/B3Value.cpp:
3283         (JSC::B3::Value::effects):
3284         (JSC::B3::Value::key):
3285         (JSC::B3::Value::typeFor):
3286         * b3/air/AirOpcode.opcodes:
3287         * ftl/FTLB3Output.cpp:
3288         (JSC::FTL::Output::lockedStackSlot):
3289         (JSC::FTL::Output::neg):
3290         (JSC::FTL::Output::bitNot):
3291         * ftl/FTLB3Output.h:
3292         (JSC::FTL::Output::chillDiv):
3293         (JSC::FTL::Output::mod):
3294         (JSC::FTL::Output::chillMod):
3295         (JSC::FTL::Output::doubleAdd):
3296         (JSC::FTL::Output::doubleSub):
3297         (JSC::FTL::Output::doubleMul):
3298         (JSC::FTL::Output::doubleDiv):
3299         (JSC::FTL::Output::doubleMod):
3300         (JSC::FTL::Output::doubleNeg):
3301         (JSC::FTL::Output::bitAnd):
3302         (JSC::FTL::Output::bitOr):
3303         (JSC::FTL::Output::neg): Deleted.
3304         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
3305         it's such a glaring bug, I thought having a test for it specifically would be good.
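
        As an added example, not B3's own code: a toy value IR with a strength reducer that applies the Sub(0, x) => Neg(x) rule from this entry (integers only, with BitXor(x, -0.0) as the double lowering) and the Trunc(BitOr(value, constant)) => Trunc(value) rule from the 2016-01-10 "B3 should reduce Trunc(BitOr(...))" entry above. All names, the IR shape and the int32 box tag value are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>

enum class Type { Int32, Int64, Double };
enum class Opcode { Const, Sub, Neg, BitXor, BitOr, Trunc };

// One node of the toy IR. A Const keeps its payload in `bits`: int32 zero-extended,
// int64 as-is, double as its raw IEEE bit pattern.
struct Value {
    Opcode opcode;
    Type type;
    uint64_t bits;
    std::shared_ptr<Value> a, b;   // operands: a for Neg/Trunc, a and b for the rest
};
using ValuePtr = std::shared_ptr<Value>;

static uint64_t doubleBits(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double bitsToDouble(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }
static ValuePtr node(Opcode op, Type t, uint64_t bits, ValuePtr a = nullptr, ValuePtr b = nullptr) {
    return std::make_shared<Value>(Value{op, t, bits, a, b});
}
static ValuePtr constInt32(int32_t v) { return node(Opcode::Const, Type::Int32, (uint32_t)v); }
static ValuePtr constInt64(uint64_t v) { return node(Opcode::Const, Type::Int64, v); }
static ValuePtr constDouble(double v) { return node(Opcode::Const, Type::Double, doubleBits(v)); }
static ValuePtr sub(ValuePtr a, ValuePtr b) { return node(Opcode::Sub, a->type, 0, a, b); }
static ValuePtr neg(ValuePtr a) { return node(Opcode::Neg, a->type, 0, a); }
static ValuePtr bitXor(ValuePtr a, ValuePtr b) { return node(Opcode::BitXor, a->type, 0, a, b); }
static ValuePtr bitOr(ValuePtr a, ValuePtr b) { return node(Opcode::BitOr, a->type, 0, a, b); }
static ValuePtr truncTo32(ValuePtr a) { return node(Opcode::Trunc, Type::Int32, 0, a); }
static bool isConst(const ValuePtr& v) { return v->opcode == Opcode::Const; }

// One step of strength reduction, implementing the rules the two entries describe.
static ValuePtr reduceStrength(ValuePtr v) {
    // Sub(0, x) => Neg(x) for integers only: 0.0 - 0.0 is +0.0 but Neg(0.0) is -0.0,
    // so the same rewrite would be wrong for doubles.
    if (v->opcode == Opcode::Sub && v->type != Type::Double && isConst(v->a) && v->a->bits == 0)
        return neg(v->b);
    // Neg(Neg(x)) => x: a single pattern now covers ints and doubles.
    if (v->opcode == Opcode::Neg && v->a->opcode == Opcode::Neg)
        return v->a->a;
    // Trunc(BitOr(x, c)) => Trunc(x) when !(c & 0xffffffff): Trunc keeps only the low
    // 32 bits, and OR-ing zero bits into them changes nothing.
    if (v->opcode == Opcode::Trunc && v->a->opcode == Opcode::BitOr && isConst(v->a->b)
        && !(v->a->b->bits & 0xffffffffull))
        return truncTo32(v->a->a);
    return v;
}

// x86 lowering of a double Neg as the entry describes it: BitXor(x, -0.0) flips the sign bit.
static ValuePtr lowerDoubleNeg(ValuePtr v) {
    if (v->opcode == Opcode::Neg && v->type == Type::Double)
        return bitXor(v->a, constDouble(-0.0));
    return v;
}

// Evaluate to raw bits so +0.0 and -0.0 stay distinguishable (as doubles they compare equal).
static uint64_t eval(const ValuePtr& v) {
    uint64_t a = v->a ? eval(v->a) : 0, b = v->b ? eval(v->b) : 0;
    switch (v->opcode) {
    case Opcode::Const:  return v->bits;
    case Opcode::Sub:
        if (v->type == Type::Double) return doubleBits(bitsToDouble(a) - bitsToDouble(b));
        return v->type == Type::Int32 ? (uint32_t)(a - b) : a - b;   // wraps modulo 2^32 / 2^64
    case Opcode::Neg:
        if (v->type == Type::Double) return doubleBits(-bitsToDouble(a));
        return v->type == Type::Int32 ? (uint32_t)(0 - a) : 0 - a;
    case Opcode::BitXor: return a ^ b;
    case Opcode::BitOr:  return a | b;
    case Opcode::Trunc:  return (uint32_t)a;
    }
    return 0;
}

// Constructed stand-in for an int32 box tag with zero low 32 bits (an assumption, not JSC's tag).
static const uint64_t kAssumedBoxTag = 0xffff000000000000ull;

// Each check returns true when the entry's claim holds for the toy IR.
static bool subZeroBecomesNeg(int32_t x) {
    ValuePtr before = sub(constInt32(0), constInt32(x)), after = reduceStrength(before);
    return after->opcode == Opcode::Neg && eval(after) == eval(before);
}
static bool doubleSubZeroIsNotNeg() {
    ValuePtr zero = constDouble(0.0);
    return eval(sub(zero, zero)) == doubleBits(0.0) && eval(neg(zero)) == doubleBits(-0.0)
        && reduceStrength(sub(zero, zero))->opcode == Opcode::Sub;   // left alone for doubles
}
static bool xorLoweringMatchesNeg(double d) { ValuePtr n = neg(constDouble(d)); return eval(lowerDoubleNeg(n)) == eval(n); }
static bool unboxOfBoxReducesToTrunc(uint64_t x) {
    // Box: OR in the tag; unbox: Trunc. Reduction should drop the BitOr and keep the result.
    ValuePtr before = truncTo32(bitOr(constInt64(x), constInt64(kAssumedBoxTag)));
    ValuePtr after = reduceStrength(before);
    return after->opcode == Opcode::Trunc && isConst(after->a) && eval(after) == eval(before);
}

int main() {
    std::printf("Sub(0, INT32_MIN) => Neg: %d\n", subZeroBecomesNeg(INT32_MIN));
    std::printf("double Sub(0, 0) != Neg(0): %d\n", doubleSubZeroIsNotNeg());
    std::printf("Trunc(BitOr(x, tag)) => Trunc(x): %d\n", unboxOfBoxReducesToTrunc(0x12345678ull));
}
```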
3306
3307 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3308
3309         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
3310         https://bugs.webkit.org/show_bug.cgi?id=152922
3311
3312         Reviewed by Saam Barati.
3313
3314         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
3315         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
3316         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
3317         clear the handlers before generation, sort of like FTL LLVM does.
3318
3319         Also added some stuff to make it easier to inspect the handler table.
3320
3321         This reduces the number of failures from 25 to 13.
3322
3323         * bytecode/CodeBlock.cpp:
3324         (JSC::CodeBlock::dumpBytecode):
3325         (JSC::CodeBlock::dumpExceptionHandlers):
3326         (JSC::CodeBlock::beginDumpProfiling):
3327         * bytecode/CodeBlock.h:
3328         * ftl/FTLB3Compile.cpp:
3329         (JSC::FTL::compile):
3330
3331 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3332
3333         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
3334         https://bugs.webkit.org/show_bug.cgi?id=152916
3335
3336         Reviewed by Mark Lam.
3337
3338         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
3339
3340         This reduces the number of failures from 27 to 25.
3341
3342         * b3/B3ReduceStrength.cpp:
3343
3344 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3345
3346         FTL B3 allocateCell() should not crash
3347         https://bugs.webkit.org/show_bug.cgi?id=152909
3348
3349         Reviewed by Mark Lam.
3350
3351         This code was crashing in some tests that forced GC slow paths because it was stubbed out
3352         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
3353         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
3354         any LLVM optimizations by using undef.
3355
3356         This reduces the number of failures from 35 to 27.
3357
3358         * ftl/FTLLowerDFGToLLVM.cpp:
3359         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
3360
3361 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3362
3363         FTL B3 fails to realize that binary snippets might choose to omit their fast path
3364         https://bugs.webkit.org/show_bug.cgi?id=152901
3365
3366         Reviewed by Mark Lam.
3367
3368         This reduces the number of failures from 99 to 35.
3369
3370         * ftl/FTLLowerDFGToLLVM.cpp:
3371         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3372