7aef68a2222ec6724383caf71451416b36ab001a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Module binding can be exported by multiple names
        https://bugs.webkit.org/show_bug.cgi?id=160343

        Reviewed by Saam Barati.

        ES6 Module can export the same local binding by using multiple names.
        For example,

            ```
            var value = 42;

            export { value };
            export { value as value2 };
            ```

        Currently, we only allowed one local binding to be exported with one name. So, in the above case,
        the local binding "value" is exported as "value2" and the "value" name is not exported. This is wrong.

        To fix this issue, we collect the correspondence (local name => exported name) for the local bindings
        in the parser, and utilize this information when creating the export entries in ModuleAnalyzer.
        Previously, we only maintained the exported local bindings in the parser.

        This patch also moves ModuleScopeData from the Scope object to the Parser class since exported
        names should be managed per-module, not per-scope.

        This change fixes several test262 failures.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        (JSC::ModuleAnalyzer::analyze):
        (JSC::ModuleAnalyzer::exportedBinding): Deleted.
        (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
        * parser/ModuleAnalyzer.h:
        * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
        (JSC::ModuleScopeData::create):
        (JSC::ModuleScopeData::exportedBindings):
        (JSC::ModuleScopeData::exportName):
        (JSC::ModuleScopeData::exportBinding):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        * parser/Nodes.h:
        (JSC::ModuleProgramNode::moduleScopeData):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ExportDefaultDeclarationNode::analyzeModule):
        (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseExportSpecifier):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/Parser.h:
        (JSC::Parser::exportName):
        (JSC::Parser<LexerType>::parse):
        (JSC::ModuleScopeData::create): Deleted.
        (JSC::ModuleScopeData::exportedBindings): Deleted.
        (JSC::ModuleScopeData::exportName): Deleted.
        (JSC::ModuleScopeData::exportBinding): Deleted.
        (JSC::Scope::Scope): Deleted.
        (JSC::Scope::setSourceParseMode): Deleted.
        (JSC::Scope::moduleScopeData): Deleted.
        (JSC::Scope::setIsModule): Deleted.
        * tests/modules/aliased-names.js: Added.
        * tests/modules/aliased-names/main.js: Added.
        (change):
        * tests/stress/modules-syntax-error-with-names.js:
        (export.Cocoa):
        (SyntaxError.Cannot.export.a.duplicate.name):
        * tests/test262.yaml:

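The export bookkeeping described in the entry above, as an added example that is not JSC code: a per-module export table that keeps a local-name => exported-names correspondence (so one binding can be exported under several names) while still rejecting a duplicate exported name, next to the one-name-per-binding behaviour the entry calls wrong. Class and function names, the tiny `export { a, b as c };` reader and the sample module are assumptions made for this illustration, not JSC's API.

```javascript
// Added example, not JSC code: a per-module export table in the shape the
// ChangeLog describes. Names are assumptions, not JSC's API.
class ModuleExports {
  constructor() {
    this.exportedBindings = new Set();   // local names that are exported at all
    this.exportedNames = new Map();      // exported name -> local name (must be unique)
    this.localToExported = new Map();    // local name -> Set of exported names
  }

  // Records one `export { local as exported }` specifier.
  exportName(exportedName, localName) {
    if (this.exportedNames.has(exportedName))
      throw new SyntaxError(`Cannot export a duplicate name '${exportedName}'.`);
    this.exportedNames.set(exportedName, localName);
    this.exportedBindings.add(localName);
    if (!this.localToExported.has(localName))
      this.localToExported.set(localName, new Set());
    this.localToExported.get(localName).add(exportedName);
  }

  // One export entry per exported name, so a binding exported twice yields two entries.
  localExportEntries() {
    const entries = [];
    for (const [localName, names] of this.localToExported)
      for (const exportName of names)
        entries.push({ exportName, localName });
    return entries;
  }
}

// Minimal reader for `export { a, b as c };` lines (only this form; enough for the example).
const EXPORT_LIST = /^\s*export\s*\{([^}]*)\}\s*;?\s*$/;

function parseSpecifiers(line) {
  const m = EXPORT_LIST.exec(line);
  if (!m) return [];
  return m[1].split(',').map(s => s.trim()).filter(Boolean).map(spec => {
    const [localName, exportedName = localName] = spec.split(/\s+as\s+/);
    return { localName, exportedName };
  });
}

// Fixed behaviour: every (local, exported) pair is kept.
function collectExports(source) {
  const table = new ModuleExports();
  for (const line of source.split('\n'))
    for (const { localName, exportedName } of parseSpecifiers(line))
      table.exportName(exportedName, localName);
  return table;
}

// Pre-fix behaviour as the ChangeLog describes it: one exported name per local
// binding, so a second alias overwrites the first and "value" is lost.
function collectExportsOneNamePerBinding(source) {
  const exportedNameOf = new Map();
  for (const line of source.split('\n'))
    for (const { localName, exportedName } of parseSpecifiers(line))
      exportedNameOf.set(localName, exportedName);
  return exportedNameOf;
}

// Constructed sample: the module from the ChangeLog entry.
const SAMPLE_MODULE = `var value = 42;

export { value };
export { value as value2 };
`;
```

`collectExports(SAMPLE_MODULE).localExportEntries()` yields entries for both `value` and `value2` pointing at the local `value`, whereas `collectExportsOneNamePerBinding(SAMPLE_MODULE)` maps `value` to `value2` only. Exporting the same name twice still raises the duplicate-name SyntaxError, which is the check the modules-syntax-error-with-names test exercises.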
2016-07-30  Mark Lam  <mark.lam@apple.com>

        Assertion failure while setting the length of an ArrayClass array.
        https://bugs.webkit.org/show_bug.cgi?id=160381
        <rdar://problem/27328703>

        Reviewed by Filip Pizlo.

        When setting large length values, we're currently treating ArrayClass as a
        ContiguousIndexingType array.  This results in an assertion failure.  This is
        now fixed.

        There are currently only 2 places where we create arrays with indexing type
        ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
        takes care of ArrayPrototype.

        RuntimeArray already checks for the setting of its length property, and will
        throw a RangeError.  Hence, no change is needed for the RuntimeArray.
        Instead, I added some test cases to ensure that the check and throw behavior does
        not change without notice.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
        (toString):
        (assertEqual):
        * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
        (toString):
        (assertEqual):

2016-07-29  Keith Miller  <keith_miller@apple.com>

        TypedArray super constructor has some incompatibilities
        https://bugs.webkit.org/show_bug.cgi?id=160369

        Reviewed by Filip Pizlo.

        This patch fixes the length property of the TypedArray super constructor.
        Additionally, the TypedArray super constructor should no longer be callable.

        Also, this patch fixes the expected result of some test262 tests.

        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        (JSC::constructTypedArrayView):
        (JSC::JSTypedArrayViewConstructor::getCallData):
        * tests/test262.yaml:

2016-07-29  Jonathan Bedard  <jbedard@apple.com>

        Undefined Behavior in JSValue cast from NaN
        https://bugs.webkit.org/show_bug.cgi?id=160322

        Reviewed by Mark Lam.

        JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.

        In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
        to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
        double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
        should immediately call the explicit double constructor, both for efficiency and to prevent inadvertently
        suppressing any other bugs which may be instantiating a JSValue with a NaN double.

        * runtime/JSCJSValueInlines.h:
        (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.

2016-07-29  Michael Saboff  <msaboff@apple.com>

        Refactor DFG::Node::hasLocal() to accessesStack()
        https://bugs.webkit.org/show_bug.cgi?id=160357

        Reviewed by Filip Pizlo.

        Refactoring in preparation for using register arguments for JavaScript calls.

        Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
        Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
        use guards stack operation logic associated with the Node's VariableAccessData.

        The hasVariableAccessData() check now implies no more than the node has a
        VariableAccessData and nothing about its use of that data to coordinate stack
        accesses.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::accessesStack):
        (JSC::DFG::Node::hasLocal): Deleted.
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGValidate.cpp:

2016-07-29  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Use the same data structures for DFG and Air Liveness Analysis
        https://bugs.webkit.org/show_bug.cgi?id=160346

        Reviewed by Geoffrey Garen.

        In Air, we minimized memory accesses during liveness analysis
        with a couple of tricks:
        -Use a single Sparse Set ADT for the live value of each block.
        -Manipulate compact positive indices instead of hashing values.

        This patch brings the same ideas to DFG.

        This patch still uses the same fixpoint algorithms.
        The reason is Edge's KillStatus used by other phases. We cannot
        use a block-boundary liveness algorithm and update KillStatus
        simultaneously. It's something I'll probably revisit at some point.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::maxNodeCount):
        (JSC::DFG::Graph::nodeAt):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
        (JSC::DFG::LivenessAnalysisPhase::run):
        (JSC::DFG::LivenessAnalysisPhase::processBlock):
        (JSC::DFG::LivenessAnalysisPhase::addChildUse):
        (JSC::DFG::LivenessAnalysisPhase::process): Deleted.

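The two tricks named in the entry above, as an added example that is not JSC code: a sparse set addressed by compact node indices (O(1) membership, insert and remove, no hashing) and a backward liveness fixpoint that keeps one such set per block. The class, the block/node layout and the sample graph are assumptions constructed for this illustration; the DFG's own phase is the one listed in the entry, not this code.

```javascript
// Added example, not JSC code: a sparse set keyed by compact node indices and a
// backward liveness fixpoint with one set per block. Names are assumptions.
class SparseSet {
  constructor(capacity) {
    this.dense = [];                           // members in insertion order
    this.sparse = new Uint32Array(capacity);   // member -> position in dense
  }
  has(i) {
    const p = this.sparse[i];
    return p < this.dense.length && this.dense[p] === i;
  }
  add(i) {                                     // returns true if newly inserted
    if (this.has(i)) return false;
    this.sparse[i] = this.dense.length;
    this.dense.push(i);
    return true;
  }
  remove(i) {                                  // O(1): swap the last member into the hole
    if (!this.has(i)) return false;
    const p = this.sparse[i];
    const last = this.dense.pop();
    if (p < this.dense.length) {
      this.dense[p] = last;
      this.sparse[last] = p;
    }
    return true;
  }
  sorted() { return [...this.dense].sort((a, b) => a - b); }
}

// blocks: [{ nodes: [{ index, uses: [nodeIndex...] }], successors: [blockIndex...] }]
// A node defines its own index; `uses` are the node indices it reads.
function computeLiveness(blocks) {
  const maxNodeCount = 1 + Math.max(-1, ...blocks.flatMap(b => b.nodes.map(n => n.index)));
  const liveAtHead = blocks.map(() => new SparseSet(maxNodeCount));
  const liveAtTail = blocks.map(() => new SparseSet(maxNodeCount));
  let changed = true;
  while (changed) {                            // sets only grow, so this terminates
    changed = false;
    for (let b = blocks.length - 1; b >= 0; b--) {
      const block = blocks[b];
      // live-out = union of the successors' live-in sets
      for (const s of block.successors)
        for (const n of liveAtHead[s].dense)
          if (liveAtTail[b].add(n)) changed = true;
      // walk the block backwards: a definition kills its index, a use makes it live
      const live = new SparseSet(maxNodeCount);
      for (const n of liveAtTail[b].dense) live.add(n);
      for (let i = block.nodes.length - 1; i >= 0; i--) {
        live.remove(block.nodes[i].index);
        for (const use of block.nodes[i].uses) live.add(use);
      }
      for (const n of live.dense)
        if (liveAtHead[b].add(n)) changed = true;
    }
  }
  return { liveAtHead: liveAtHead.map(s => s.sorted()), liveAtTail: liveAtTail.map(s => s.sorted()) };
}

// Constructed sample: entry -> loop header (loops to itself or exits) -> exit.
const SAMPLE_GRAPH = [
  { nodes: [{ index: 0, uses: [] }, { index: 1, uses: [] }], successors: [1] },
  { nodes: [{ index: 2, uses: [0, 1] }, { index: 3, uses: [2] }], successors: [1, 2] },
  { nodes: [{ index: 4, uses: [1] }], successors: [] },
];
```

On the sample graph, nodes 0 and 1 are live at the head of the loop block (the loop re-reads them), only node 1 survives into the exit block, and nothing is live at the entry's head. Because membership is a two-array lookup, the fixpoint never hashes a node pointer, which is the point of using indices.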
2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, ByValInfo is only used in JIT enabled environments
        https://bugs.webkit.org/show_bug.cgi?id=158908

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC::Symbol should be hash-consed
        https://bugs.webkit.org/show_bug.cgi?id=158908

        Reviewed by Filip Pizlo.

        Previously, the SymbolImpls held by symbols represented the identity of symbols.
        When we check the equality between symbols, we need to load the SymbolImpls of the symbols and compare them.

        This patch performs hash-consing on the symbols. We cache symbols in a per-VM SymbolImpl-keyed WeakGCMap.
        When creating a new symbol from a SymbolImpl, we first query this map and reuse the previously created symbol
        if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
        pointer-comparison to query the equality of symbols.

        This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell on symbols
        when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
        caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
        case is handled by CheckCell.

        Additionally, this patch also cleans up the Map / Set implementation since we can use the logic for JSCell for symbols.

        The performance effects in the related benchmarks are the following.

                                                               baseline                   patch

            bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
            bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
            fold-put-by-val-with-symbol-to-multi-put-by-offset
                                                            9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
            inlined-put-by-val-with-symbol-transition
                                                           49.5477+-0.2401     ?     49.7533+-0.3369        ?
            get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
            get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
                                                            4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
            put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
            get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
            polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
            implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
            get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
                                                            3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
            get-by-val-with-symbol-chain-from-try-block
                                                            2.2316+-0.0179            2.2137+-0.0210
            get-by-val-with-symbol-bimorphic-check-structure-elimination
                                                           10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
            get-by-val-with-symbol-check-structure-elimination
                                                            8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
            put-by-val-with-symbol-slightly-polymorphic
                                                            3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
            put-by-val-with-symbol-replace-and-transition
                                                           11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster

            <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster

        * bytecode/ByValInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUidOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
        (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
        (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
        (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
        (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitByValIdentifierCheck):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        (JSC::JIT::emitIdentifierCheck): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::setFunctionName):
        * runtime/MapData.h:
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::clear): Deleted.
        (JSC::JSIterator>::find): Deleted.
        (JSC::JSIterator>::add): Deleted.
        (JSC::JSIterator>::remove): Deleted.
        (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
        * runtime/Symbol.cpp:
        (JSC::Symbol::finishCreation):
        (JSC::Symbol::create):
        * runtime/Symbol.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tests/stress/symbol-equality-over-gc.js: Added.
        (shouldBe):
        (test):

2016-07-28  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
        https://bugs.webkit.org/show_bug.cgi?id=160324
        <rdar://problem/27389572>

        Reviewed by Keith Miller.

        The issue is that errorProtoFuncToString() was using jsNontrivialString() to
        generate the error string even when the name string can be a single character
        string.  This is incorrect.  We should be using jsString() instead.

        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.

2016-07-28  Michael Saboff  <msaboff@apple.com>

        ARM64: Fused left shift with a right shift can create NaNs from integers
        https://bugs.webkit.org/show_bug.cgi?id=160329

        Reviewed by Geoffrey Garen.

        When we fuse a left shift and a right shift of integers where the shift amounts
        are the same and the size of the quantity being shifted is 8 bits, we rightly
        generate a sign extend byte instruction.  On ARM64, we were sign extending
        to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.

        Checking the ARM64 macro assembler, we were extending to 64 bits for all
        four combinations of zero / sign and 8 / 16 bits.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::zeroExtend16To32):
        (JSC::MacroAssemblerARM64::signExtend16To32):
        (JSC::MacroAssemblerARM64::zeroExtend8To32):
        (JSC::MacroAssemblerARM64::signExtend8To32):
        * tests/stress/regress-160329.js: New test added.
        (narrow):

2016-07-28  Mark Lam  <mark.lam@apple.com>

        StringView should have an explicit m_is8Bit field.
        https://bugs.webkit.org/show_bug.cgi?id=160282
        <rdar://problem/27327943>

        Reviewed by Benjamin Poulain.

        * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
        (catch):

2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Typo fix after r121885
        https://bugs.webkit.org/show_bug.cgi?id=160288

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::maxJumpReplacementSize):

2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>

        64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
        https://bugs.webkit.org/show_bug.cgi?id=159711

        Reviewed by Mark Lam.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::prepareExecutableCopy):

2016-07-27  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove some unused code from FTL
        https://bugs.webkit.org/show_bug.cgi?id=160285

        Reviewed by Mark Lam.

        All the liveness and swapping is done inside B3,
        this code is no longer needed.

        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::doesNotKill): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.

2016-07-27  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] DFG::Node should not have its own allocator
        https://bugs.webkit.org/show_bug.cgi?id=160098

        Reviewed by Geoffrey Garen.

        We need some design changes for DFG::Node:
        -Accessing the index must be fast. B3 uses indices for sets
         and maps, it is a lot faster than hashing pointers.
        -We should be able to subclass DFG::Node to specialize it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAllocator.h: Removed.
        (JSC::DFG::Allocator::Region::size): Deleted.
        (JSC::DFG::Allocator::Region::headerSize): Deleted.
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
        (JSC::DFG::Allocator::Region::data): Deleted.
        (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
        (JSC::DFG::Allocator::Region::regionFor): Deleted.
        (JSC::DFG::Allocator<T>::Allocator): Deleted.
        (JSC::DFG::Allocator<T>::~Allocator): Deleted.
        (JSC::DFG::Allocator<T>::allocate): Deleted.
        (JSC::DFG::Allocator<T>::free): Deleted.
        (JSC::DFG::Allocator<T>::freeAll): Deleted.
        (JSC::DFG::Allocator<T>::reset): Deleted.
        (JSC::DFG::Allocator<T>::indexOf): Deleted.
        (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
        (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
        (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
        (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
        (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
        (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        * dfg/DFGCleanUpPhase.cpp:
        (JSC::DFG::CleanUpPhase::run):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        * dfg/DFGConstantHoistingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::deleteNode):
        (JSC::DFG::Graph::killBlockAndItsContents):
        (JSC::DFG::Graph::~Graph): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLongLivedState.cpp: Removed.
        (JSC::DFG::LongLivedState::LongLivedState): Deleted.
        (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
        (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
        * dfg/DFGLongLivedState.h: Removed.
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::index): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::index):
        * dfg/DFGNodeAllocator.h: Removed.
        (operator new ): Deleted.
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::runThread):
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

2016-07-27  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix a bunch of use-after-free of DFG::Node
        https://bugs.webkit.org/show_bug.cgi?id=160228

        Reviewed by Mark Lam.

        FTL had a few places where we use a node after it has been
        deleted. The dangling pointers come from the SSA liveness information
        kept on the basic blocks.

        This patch fixes the issues I could find and adds liveness invalidation
        to help finding dependencies like these.

        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::SSAData::invalidate):

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        Constant folding phase was deleting nodes in the loop over basic blocks.
        The problem is the deleted nodes can be referenced by other blocks.
        When the abstract interpreter was manipulating the abstract values of those
        it was doing so on the dead nodes.

        * dfg/DFGConstantHoistingPhase.cpp:
        Just invalidation. Nothing wrong here since the useless nodes were
        kept live while iterating the blocks.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::killBlockAndItsContents):
        (JSC::DFG::Graph::killUnreachableBlocks):
        (JSC::DFG::Graph::invalidateNodeLiveness):

        * dfg/DFGGraph.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        We had a lot of use-after-free in LICM because we were using the stale
        live nodes deleted by previous phases.

2016-07-27  Keith Miller  <keith_miller@apple.com>

        concatAppendOne should allocate using the indexing type of the array if it cannot merge
        https://bugs.webkit.org/show_bug.cgi?id=160261
        <rdar://problem/27530122>

        Reviewed by Mark Lam.

        Before, if we could not merge the indexing types for copying, we would allocate
        the array as ArrayWithUndecided. Instead, we should allocate an array with the original
        array's indexing type.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        * tests/stress/concat-append-one-with-sparse-array.js: Added.

2016-07-27  Saam Barati  <sbarati@apple.com>

        We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
        https://bugs.webkit.org/show_bug.cgi?id=160211
        <rdar://problem/27572612>

        Reviewed by Geoffrey Garen.

        The fast for-in iteration mode assumes all inline/out-of-line properties
        can be iterated in linear order. This is not true if we have Symbols
        because Symbols should not be iterated by for-in.

        * runtime/Structure.cpp:
        (JSC::Structure::add):
        * tests/stress/symbol-should-not-break-for-in.js: Added.
        (assert):
        (foo):

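The enumeration rule the entry above relies on, as an added example that is not JSC code: the key sequence for-in has to produce, built by hand from `Reflect.ownKeys` so that skipping symbol keys (and keys shadowed by a nearer object, and non-enumerable keys) is explicit, then compared against the engine's own for-in. The function names and the sample objects are assumptions constructed for this illustration.

```javascript
// Added example, not JSC code: hand-built for-in key order next to the real thing.
function forInKeys(obj) {
  const seen = new Set();   // a key seen on a nearer object shadows the same key further up
  const keys = [];
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const key of Reflect.ownKeys(o)) {
      if (typeof key === 'symbol') continue;    // symbols are never iterated by for-in
      if (seen.has(key)) continue;
      seen.add(key);                             // shadowing applies even if non-enumerable
      const desc = Object.getOwnPropertyDescriptor(o, key);
      if (desc.enumerable) keys.push(key);
    }
  }
  return keys;
}

// The engine's own for-in, for comparison.
function nativeForInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

function matchesNative(obj) {
  return JSON.stringify(forInKeys(obj)) === JSON.stringify(nativeForInKeys(obj));
}

// Constructed sample: a symbol-keyed property sitting between two string-keyed ones
// (the layout that broke the linear fast path), a non-enumerable property, and a
// child object that shadows one inherited key.
const HIDDEN = Symbol('hidden');
const BASE = { a: 1, [HIDDEN]: 2, b: 3 };
Object.defineProperty(BASE, 'c', { value: 4, enumerable: false });
const CHILD = Object.create(BASE);
CHILD.d = 5;
CHILD.a = 6;
```

`forInKeys(CHILD)` yields `d`, `a`, `b`: the symbol and the non-enumerable `c` never appear, and the inherited `a` is suppressed by the child's own `a`. A fast path that walks property slots in storage order has to apply exactly these exclusions to stay observably equivalent.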
2016-07-27  Mark Lam  <mark.lam@apple.com>

        The second argument for Function.prototype.apply should be array-like or null/undefined.
        https://bugs.webkit.org/show_bug.cgi?id=160212
        <rdar://problem/27328525>

        Reviewed by Filip Pizlo.

        The spec for Function.prototype.apply says its second argument can only be null,
        undefined, or must be array-like.  See
        https://tc39.github.io/ecma262/#sec-function.prototype.apply and
        https://tc39.github.io/ecma262/#sec-createlistfromarraylike.

        Our previous implementation was not handling this correctly for SymbolType.
        This is now fixed.

        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * tests/stress/apply-second-argument-must-be-array-like.js: Added.

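The argument rule from the spec sections linked above, as an added example that is not JSC code: `Function.prototype.apply` written out with CreateListFromArrayLike, so that null/undefined mean "no arguments" and every primitive, a symbol included, is rejected with a TypeError rather than being read as an array-like. Function names are my own; the behaviour follows the two linked spec sections, and a helper checks the engine's native apply agrees.

```javascript
// Added example, not JSC code: Function.prototype.apply's argument handling per spec.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.floor(n), Number.MAX_SAFE_INTEGER);
}

// CreateListFromArrayLike: only objects (functions included) are array-like;
// every primitive, symbols included, is a TypeError.
function createListFromArrayLike(obj) {
  const isObject = obj !== null && (typeof obj === 'object' || typeof obj === 'function');
  if (!isObject)
    throw new TypeError(`CreateListFromArrayLike called on non-object (${typeof obj})`);
  const len = toLength(obj.length);
  const list = [];
  for (let i = 0; i < len; i++) list.push(obj[i]);
  return list;
}

// Function.prototype.apply(thisArg, argArray): null/undefined mean "no arguments";
// anything else must go through CreateListFromArrayLike.
function applyLike(fn, thisArg, argArray) {
  if (argArray === undefined || argArray === null) return fn.call(thisArg);
  return fn.call(thisArg, ...createListFromArrayLike(argArray));
}

// Summarises how a candidate second argument is treated.
function classifyApplyArgument(argArray) {
  try {
    applyLike(function () {}, undefined, argArray);
    return 'accepted';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Does the engine's own Function.prototype.apply agree with applyLike for this argument?
function nativeAgrees(argArray) {
  let native;
  try {
    (function () {}).apply(undefined, argArray);
    native = 'accepted';
  } catch (e) {
    native = e instanceof TypeError ? 'TypeError' : 'other';
  }
  return native === classifyApplyArgument(argArray);
}
```

`classifyApplyArgument(Symbol('s'))` is `'TypeError'`, as are a number or a string primitive, while `null`, `undefined` and a plain `{ length: 2, 0: 'a', 1: 'b' }` object are accepted; the symbol case is the one the entry fixes in `sizeOfVarargs`.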
2016-07-27  Saam Barati  <sbarati@apple.com>

        MathICs should be able to emit only a jump along the inline path when they don't have any type data
        https://bugs.webkit.org/show_bug.cgi?id=160110

        Reviewed by Mark Lam.

        This patch allows for MathIC fast-path generation to be delayed.
        We delay when we don't see any observed type information for
        the lhs/rhs operand, which implies that the MathIC has never
        executed. This is profitable for two main reasons:
        1. If the math operation never executes, we emit much less code.
        2. Once we get type information for the lhs/rhs, we can emit better code.

        To implement this, we just emit a jump to the slow path call
        that will repatch on first execution.

        New data for add:
                   |   JetStream  |  Unity 3D  |
             ------| -------------|--------------
              Old  |   148 bytes  |  143 bytes |
             ------| -------------|--------------
              New  |   116  bytes |  113 bytes |
             ------------------------------------

        New data for mul:
                   |   JetStream  |  Unity 3D  |
             ------| -------------|--------------
              Old  |   210 bytes  |  185 bytes |
             ------| -------------|--------------
              New  |   170  bytes |  137 bytes |
             ------------------------------------

        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateInline):
        * jit/JITAddGenerator.h:
        (JSC::JITAddGenerator::isLeftOperandValidConstant):
        (JSC::JITAddGenerator::isRightOperandValidConstant):
        (JSC::JITAddGenerator::arithProfile):
        * jit/JITMathIC.h:
        (JSC::JITMathIC::generateInline):
        (JSC::JITMathIC::generateOutOfLine):
        (JSC::JITMathIC::finalizeInlineCode):
        * jit/JITMathICInlineResult.h:
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        * jit/JITMulGenerator.h:
        (JSC::JITMulGenerator::isLeftOperandValidConstant):
        (JSC::JITMulGenerator::isRightOperandValidConstant):
        (JSC::JITMulGenerator::arithProfile):
        * jit/JITOperations.cpp:

670 2016-07-26  Saam Barati  <sbarati@apple.com>
671
672         rollout r203666
673         https://bugs.webkit.org/show_bug.cgi?id=160226
674
675         Unreviewed rollout.
676
677         * b3/B3BasicBlock.h:
678         (JSC::B3::BasicBlock::successorBlock):
679         * b3/B3LowerToAir.cpp:
680         (JSC::B3::Air::LowerToAir::createGenericCompare):
681         * b3/B3LowerToAir.h:
682         * b3/air/AirArg.cpp:
683         (JSC::B3::Air::Arg::isRepresentableAs):
684         (JSC::B3::Air::Arg::usesTmp):
685         * b3/air/AirArg.h:
686         (JSC::B3::Air::Arg::isRepresentableAs):
687         (JSC::B3::Air::Arg::asNumber):
688         (JSC::B3::Air::Arg::castToType): Deleted.
689         * b3/air/AirCode.h:
690         (JSC::B3::Air::Code::size):
691         (JSC::B3::Air::Code::at):
692         * b3/air/AirOpcode.opcodes:
693         * b3/air/AirValidate.h:
694         * b3/air/opcode_generator.rb:
695         * b3/testb3.cpp:
696         (JSC::B3::compileAndRun):
697         (JSC::B3::testSomeEarlyRegister):
698         (JSC::B3::zero):
699         (JSC::B3::run):
700         (JSC::B3::lowerToAirForTesting): Deleted.
701         (JSC::B3::testBranchBitAndImmFusion): Deleted.
702
703 2016-07-26  Caitlin Potter  <caitp@igalia.com>
704
705         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
706         https://bugs.webkit.org/show_bug.cgi?id=159409
707
708         Reviewed by Geoffrey Garen.
709
710         * runtime/ObjectConstructor.cpp:
711         (JSC::objectConstructorGetOwnPropertyDescriptors):
712         * tests/es6.yaml:
713         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
714         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
715         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
716         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
717         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
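
        The entry title above states the required behaviour but not how a key can end up with an
        undefined descriptor. The following is an added example in JavaScript, not code from the
        WebKit tree: a reference implementation of Object.getOwnPropertyDescriptors following the
        ES2017 algorithm, beside the behaviour the title says to avoid, both run on a constructed
        Proxy whose ownKeys trap reports a key that its getOwnPropertyDescriptor trap does not
        know. All function names and the sample object are assumptions of this example.

```javascript
// Added example, not JSC code: reference vs. buggy getOwnPropertyDescriptors,
// exercised on a constructed Proxy with a key whose descriptor is undefined.

// Correct: a key whose [[GetOwnProperty]] result is undefined is skipped,
// so it does not appear in the result at all.
function getOwnPropertyDescriptorsRef(obj) {
  const O = Object(obj);                        // ToObject(O)
  const result = {};
  for (const key of Reflect.ownKeys(O)) {       // O.[[OwnPropertyKeys]]()
    const desc = Object.getOwnPropertyDescriptor(O, key);
    if (desc !== undefined) result[key] = desc; // CreateDataProperty only when defined
  }
  return result;
}

// Incorrect (what the entry title says to avoid): storing unconditionally
// leaves a property holding undefined, so `"ghost" in result` is true.
function getOwnPropertyDescriptorsBuggy(obj) {
  const O = Object(obj);
  const result = {};
  for (const key of Reflect.ownKeys(O)) {
    result[key] = Object.getOwnPropertyDescriptor(O, key);
  }
  return result;
}

// Constructed test object: ownKeys reports "a", "b" and "ghost", but the
// getOwnPropertyDescriptor trap only knows "a" and "b". The target is
// extensible with configurable properties, so the Proxy invariants allow this.
function makeProxy() {
  const target = { a: 1, b: 2 };
  return new Proxy(target, {
    ownKeys() { return ["a", "b", "ghost"]; },
    getOwnPropertyDescriptor(t, key) {
      return key === "ghost" ? undefined : Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
}

// Sorted own keys of the result produced by `fn` for the Proxy above.
function resultKeys(fn) {
  return Object.keys(fn(makeProxy())).sort();
}

// True when the host's built-in agrees with the reference on the Proxy.
function builtinMatchesReference() {
  return JSON.stringify(resultKeys(Object.getOwnPropertyDescriptors)) ===
         JSON.stringify(resultKeys(getOwnPropertyDescriptorsRef));
}
```

        On a conforming engine the reference and the built-in both return only "a" and "b";
        the buggy variant returns a third key whose value is undefined, which is the difference
        the tests renamed in this entry check for.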
718
719 2016-07-26  Mark Lam  <mark.lam@apple.com>
720
721         Remove unused DEBUG_WITH_BREAKPOINT configuration.
722         https://bugs.webkit.org/show_bug.cgi?id=160203
723
724         Reviewed by Keith Miller.
725
726         * bytecompiler/BytecodeGenerator.cpp:
727         (JSC::BytecodeGenerator::emitDebugHook):
728
729 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
730
731         Unreviewed, rolling out r203703.
732
733         It breaks some internal tests
734
735         Reverted changeset:
736
737         "[JSC] DFG::Node should not have its own allocator"
738         https://bugs.webkit.org/show_bug.cgi?id=160098
739         http://trac.webkit.org/changeset/203703
740
741 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
742
743         [JSC] DFG::Node should not have its own allocator
744         https://bugs.webkit.org/show_bug.cgi?id=160098
745
746         Reviewed by Geoffrey Garen.
747
748         We need some design changes for DFG::Node:
749         -Accessing the index must be fast. B3 uses indices for sets
750          and maps; it is a lot faster than hashing pointers.
751         -We should be able to subclass DFG::Node to specialize it.
752
753         * CMakeLists.txt:
754         * JavaScriptCore.xcodeproj/project.pbxproj:
755         * dfg/DFGAllocator.h: Removed.
756         (JSC::DFG::Allocator::Region::size): Deleted.
757         (JSC::DFG::Allocator::Region::headerSize): Deleted.
758         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
759         (JSC::DFG::Allocator::Region::data): Deleted.
760         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
761         (JSC::DFG::Allocator::Region::regionFor): Deleted.
762         (JSC::DFG::Allocator<T>::Allocator): Deleted.
763         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
764         (JSC::DFG::Allocator<T>::allocate): Deleted.
765         (JSC::DFG::Allocator<T>::free): Deleted.
766         (JSC::DFG::Allocator<T>::freeAll): Deleted.
767         (JSC::DFG::Allocator<T>::reset): Deleted.
768         (JSC::DFG::Allocator<T>::indexOf): Deleted.
769         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
770         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
771         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
772         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
773         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
774         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
775         * dfg/DFGByteCodeParser.cpp:
776         (JSC::DFG::ByteCodeParser::addToGraph):
777         * dfg/DFGCPSRethreadingPhase.cpp:
778         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
779         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
780         * dfg/DFGCleanUpPhase.cpp:
781         (JSC::DFG::CleanUpPhase::run):
782         * dfg/DFGConstantFoldingPhase.cpp:
783         (JSC::DFG::ConstantFoldingPhase::run):
784         * dfg/DFGConstantHoistingPhase.cpp:
785         * dfg/DFGDCEPhase.cpp:
786         (JSC::DFG::DCEPhase::fixupBlock):
787         * dfg/DFGDriver.cpp:
788         (JSC::DFG::compileImpl):
789         * dfg/DFGGraph.cpp:
790         (JSC::DFG::Graph::Graph):
791         (JSC::DFG::Graph::deleteNode):
792         (JSC::DFG::Graph::killBlockAndItsContents):
793         (JSC::DFG::Graph::~Graph): Deleted.
794         * dfg/DFGGraph.h:
795         (JSC::DFG::Graph::addNode):
796         * dfg/DFGLICMPhase.cpp:
797         (JSC::DFG::LICMPhase::attemptHoist):
798         * dfg/DFGLongLivedState.cpp: Removed.
799         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
800         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
801         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
802         * dfg/DFGLongLivedState.h: Removed.
803         * dfg/DFGNode.cpp:
804         (JSC::DFG::Node::index): Deleted.
805         * dfg/DFGNode.h:
806         (JSC::DFG::Node::index):
807         * dfg/DFGNodeAllocator.h: Removed.
808         (operator new ): Deleted.
809         * dfg/DFGObjectAllocationSinkingPhase.cpp:
810         * dfg/DFGPlan.cpp:
811         (JSC::DFG::Plan::compileInThread):
812         (JSC::DFG::Plan::compileInThreadImpl):
813         * dfg/DFGPlan.h:
814         * dfg/DFGSSAConversionPhase.cpp:
815         (JSC::DFG::SSAConversionPhase::run):
816         * dfg/DFGWorklist.cpp:
817         (JSC::DFG::Worklist::runThread):
818         * runtime/VM.cpp:
819         (JSC::VM::VM): Deleted.
820         * runtime/VM.h:
821
822 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
823
824         AssemblyHelpers should own all of the cell allocation methods
825         https://bugs.webkit.org/show_bug.cgi?id=160171
826
827         Reviewed by Saam Barati.
828         
829         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
830         did cell allocation.
831         
832         This change moves all of that code into AssemblyHelpers.h.
833
834         * dfg/DFGSpeculativeJIT.h:
835         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
836         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
837         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
838         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
839         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
840         * jit/AssemblyHelpers.h:
841         (JSC::AssemblyHelpers::emitAllocate):
842         (JSC::AssemblyHelpers::emitAllocateJSCell):
843         (JSC::AssemblyHelpers::emitAllocateJSObject):
844         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
845         (JSC::AssemblyHelpers::emitAllocateVariableSized):
846         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
847         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
848         * jit/JIT.h:
849         * jit/JITInlines.h:
850         (JSC::JIT::isOperandConstantChar):
851         (JSC::JIT::emitValueProfilingSite):
852         (JSC::JIT::emitAllocateJSObject): Deleted.
853         * jit/JITOpcodes.cpp:
854         (JSC::JIT::emit_op_new_object):
855         (JSC::JIT::emit_op_create_this):
856         * jit/JITOpcodes32_64.cpp:
857         (JSC::JIT::emit_op_new_object):
858         (JSC::JIT::emit_op_create_this):
859
860 2016-07-25  Saam Barati  <sbarati@apple.com>
861
862         MathICs should be able to take and dump stats about code size
863         https://bugs.webkit.org/show_bug.cgi?id=160148
864
865         Reviewed by Filip Pizlo.
866
867         This will make testing changes on MathIC going forward much easier.
868         We will be able to easily see if modifications to MathIC will lead
869         to us generating smaller code. We now only dump average size when we
870         regenerate any MathIC. This works out for large tests/pages, but is not
871         great for testing small programs. We can add more dump points later if
872         we find that we want to dump stats while running small programs.
873
874         * bytecode/CodeBlock.cpp:
875         (JSC::CodeBlock::jitSoon):
876         (JSC::CodeBlock::dumpMathICStats):
877         * bytecode/CodeBlock.h:
878         (JSC::CodeBlock::isStrictMode):
879         (JSC::CodeBlock::ecmaMode):
880         * dfg/DFGSpeculativeJIT.cpp:
881         (JSC::DFG::SpeculativeJIT::compileMathIC):
882         * ftl/FTLLowerDFGToB3.cpp:
883         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
884         * jit/JITArithmetic.cpp:
885         (JSC::JIT::emitMathICFast):
886         (JSC::JIT::emitMathICSlow):
887         * jit/JITMathIC.h:
888         (JSC::JITMathIC::finalizeInlineCode):
889         (JSC::JITMathIC::codeSize):
890         * jit/JITOperations.cpp:
891
892 2016-07-25  Saam Barati  <sbarati@apple.com>
893
894         op_mul/ArithMul(Untyped,Untyped) should be an IC
895         https://bugs.webkit.org/show_bug.cgi?id=160108
896
897         Reviewed by Mark Lam.
898
899         This patch makes Mul a type based IC in much the same way that we made
900         Add a type-based IC. I implemented Mul in the same way. I abstracted the
901         implementation of the Add IC in the various JITs to allow for it to
902         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
903         future easy. This patch also adds a new boolean argument to the various
904         snippet generateFastPath() methods to indicate if we should emit result profiling.
905         I added this because we want this profiling to be emitted for Mul in
906         the baseline, but not in the DFG. We used to indicate this through passing
907         in a nullptr for the ArithProfile, but we no longer do that in the upper
908         JIT tiers. So we are passing an explicit request from the JIT tier about
909         whether or not it's worth it for the IC to emit profiling.
910
911         We now emit much less code for Mul. Here is some data on the average
912         Mul snippet/IC size:
913
914                    |   JetStream  |  Unity 3D  |
915              ------| -------------|--------------
916               Old  |  ~280 bytes  | ~280 bytes |
917              ------| -------------|--------------
918               New  |   210 bytes  |  185 bytes |
919              ------------------------------------
920
921         * bytecode/CodeBlock.cpp:
922         (JSC::CodeBlock::addJITAddIC):
923         (JSC::CodeBlock::addJITMulIC):
924         (JSC::CodeBlock::findStubInfo):
925         * bytecode/CodeBlock.h:
926         (JSC::CodeBlock::stubInfoBegin):
927         (JSC::CodeBlock::stubInfoEnd):
928         * dfg/DFGSpeculativeJIT.cpp:
929         (JSC::DFG::GPRTemporary::adopt):
930         (JSC::DFG::FPRTemporary::FPRTemporary):
931         (JSC::DFG::SpeculativeJIT::compileValueAdd):
932         (JSC::DFG::SpeculativeJIT::compileMathIC):
933         (JSC::DFG::SpeculativeJIT::compileArithMul):
934         * dfg/DFGSpeculativeJIT.h:
935         (JSC::DFG::SpeculativeJIT::callOperation):
936         (JSC::DFG::GPRTemporary::GPRTemporary):
937         (JSC::DFG::GPRTemporary::operator=):
938         (JSC::DFG::FPRTemporary::~FPRTemporary):
939         (JSC::DFG::FPRTemporary::fpr):
940         * ftl/FTLLowerDFGToB3.cpp:
941         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
942         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
943         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
944         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
945         * jit/JIT.h:
946         (JSC::JIT::getSlowCase):
947         * jit/JITAddGenerator.cpp:
948         (JSC::JITAddGenerator::generateInline):
949         (JSC::JITAddGenerator::generateFastPath):
950         * jit/JITAddGenerator.h:
951         (JSC::JITAddGenerator::JITAddGenerator):
952         (JSC::JITAddGenerator::isLeftOperandValidConstant):
953         (JSC::JITAddGenerator::isRightOperandValidConstant):
954         * jit/JITArithmetic.cpp:
955         (JSC::JIT::emit_op_add):
956         (JSC::JIT::emitSlow_op_add):
957         (JSC::JIT::emitMathICFast):
958         (JSC::JIT::emitMathICSlow):
959         (JSC::JIT::emit_op_mul):
960         (JSC::JIT::emitSlow_op_mul):
961         (JSC::JIT::emit_op_sub):
962         * jit/JITInlines.h:
963         (JSC::JIT::callOperation):
964         * jit/JITMathIC.h:
965         (JSC::JITMathIC::slowPathStartLocation):
966         (JSC::JITMathIC::slowPathCallLocation):
967         (JSC::JITMathIC::isLeftOperandValidConstant):
968         (JSC::JITMathIC::isRightOperandValidConstant):
969         (JSC::JITMathIC::generateInline):
970         (JSC::JITMathIC::generateOutOfLine):
971         * jit/JITMathICForwards.h:
972         * jit/JITMulGenerator.cpp:
973         (JSC::JITMulGenerator::generateInline):
974         (JSC::JITMulGenerator::generateFastPath):
975         * jit/JITMulGenerator.h:
976         (JSC::JITMulGenerator::JITMulGenerator):
977         (JSC::JITMulGenerator::isLeftOperandValidConstant):
978         (JSC::JITMulGenerator::isRightOperandValidConstant):
979         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
980         (JSC::JITMulGenerator::endJumpList): Deleted.
981         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
982         * jit/JITOperations.cpp:
983         * jit/JITOperations.h:
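
        The two MathIC entries above (the 2016-07-27 "emit only a jump" change and this op_mul
        IC change) describe a state machine: no type data means the inline path is just a jump
        to the slow path, the first slow-path call records operand types and repatches, and
        later executions take a fast path specialised to the observed types. The following is
        an added JavaScript model of that state machine, not code from the WebKit tree; it
        installs closures where the real IC emits machine code, and the names ArithProfile,
        MathIC, generateInline and slowPath are assumptions of this example.

```javascript
// Added example, not JSC code: a JavaScript model of a delayed-fast-path
// arithmetic IC with an operand-type profile.

const INT32_MAX = 0x7fffffff;
// int32 here means an in-range integer that is not -0 (JSC boxes -0 as a double).
const isInt32 = v => typeof v === "number" && (v | 0) === v && !Object.is(v, -0);

// Observed operand types for one operation site.
class ArithProfile {
  constructor() { this.seen = new Set(); }
  static classify(v) { return isInt32(v) ? "int32" : typeof v === "number" ? "double" : "other"; }
  observe(a, b) { this.seen.add(ArithProfile.classify(a)); this.seen.add(ArithProfile.classify(b)); }
  isEmpty() { return this.seen.size === 0; }
  onlyInt32() { return !this.isEmpty() && [...this.seen].every(t => t === "int32"); }
  onlyNumbers() { return !this.isEmpty() && [...this.seen].every(t => t !== "other"); }
}

// Generic semantics (the slow path) and int32 fast paths that bail out
// (return undefined) when the result leaves the int32 range.
const genericOps = { add: (a, b) => a + b, mul: (a, b) => a * b };
const int32Ops = {
  add: (a, b) => { const r = a + b; return isInt32(r) ? r : undefined; },
  mul: (a, b) => { const r = a * b; return isInt32(r) ? r : undefined; },
};

class MathIC {
  constructor(op) {
    this.op = op;
    this.profile = new ArithProfile();
    this.state = "delayed";   // "delayed" | "int32" | "double" | "generic"
    this.fastPath = null;     // null models "inline path is only a jump to the slow path"
    this.slowCalls = 0;
    this.generateInline();
  }

  // Choose the inline path from the profile. With no type data nothing but
  // the jump is emitted; the first slow-path call repatches.
  generateInline() {
    const op = this.op;
    if (this.profile.isEmpty()) { this.state = "delayed"; this.fastPath = null; }
    else if (this.profile.onlyInt32()) {
      this.state = "int32";
      this.fastPath = (a, b) => (isInt32(a) && isInt32(b)) ? int32Ops[op](a, b) : undefined;
    } else if (this.profile.onlyNumbers()) {
      this.state = "double";
      this.fastPath = (a, b) => (typeof a === "number" && typeof b === "number") ? genericOps[op](a, b) : undefined;
    } else { this.state = "generic"; this.fastPath = null; }
    return this.state;
  }

  // Out-of-line call: record types, compute generically, repatch if delayed.
  slowPath(a, b) {
    this.slowCalls++;
    this.profile.observe(a, b);
    const result = genericOps[this.op](a, b);
    if (this.state === "delayed") this.generateInline();
    return result;
  }

  // What the JIT-emitted code does at the site: try the fast path, else call out.
  execute(a, b) {
    if (this.fastPath !== null) {
      const r = this.fastPath(a, b);
      if (r !== undefined) return r;
    }
    return this.slowPath(a, b);
  }
}
```

        A site that never executes stays in the "delayed" state with no fast path at all, which
        is the code-size saving the tables above measure; a site whose first operands are int32
        gets an int32 path that still falls back to the slow path on overflow.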
984
985 2016-07-25  Darin Adler  <darin@apple.com>
986
987         Speed up make process slightly by improving "list of files" idiom
988         https://bugs.webkit.org/show_bug.cgi?id=160164
989
990         Reviewed by Mark Lam.
991
992         * DerivedSources.make: Change rules that build lists of files to only run when
993         DerivedSources.make has been modified since the last time they were run. Since the
994         lists of files are inside this file, this is safe, and this is faster than always
995         comparing and regenerating the file containing the list of files each time.
996
997 2016-07-24  Youenn Fablet  <youenn@apple.com>
998
999         [Fetch API] Request should be created with any HeadersInit data
1000         https://bugs.webkit.org/show_bug.cgi?id=159672
1001
1002         Reviewed by Sam Weinig.
1003
1004         * Scripts/builtins/builtins_generator.py:
1005         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1006
1007 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1008
1009         B3 should support multiple entrypoints
1010         https://bugs.webkit.org/show_bug.cgi?id=159391
1011
1012         Reviewed by Saam Barati.
1013         
1014         This teaches B3 how to compile procedures with multiple entrypoints in the best way ever.
1015         
1016         Multiple entrypoints are useful. We could use them to reduce the cost of compiling OSR
1017         entrypoints. We could use them to implement better try/catch.
1018         
1019         Multiple entrypoints are hard to support. All of the code that assumed that the root block
1020         is the entrypoint would have to be changed. Transformations like moveConstants() would have
1021         to do crazy things if the existence of multiple entrypoints prevented it from finding a
1022         single common dominator.
1023         
1024         Therefore, we want to add multiple entrypoints without actually teaching the compiler that
1025         there is such a thing. That's sort of what this change does.
1026         
1027         This adds a new opcode to both B3 and Air called EntrySwitch. It's a terminal that takes
1028         one or more successors and no value children. The number of successors must match
1029         Procedure::numEntrypoints(), which could be arbitrarily large. The semantics of EntrySwitch
1030         are:
1031         
1032         - Each of the entrypoints sets a hidden Entry variable to that entrypoint's index and jumps
1033           to the procedure's root block.
1034         
1035         - An EntrySwitch is a switch statement over this hidden Entry variable.
1036         
1037         The way that we actually implement this is that Air has a very late phase - after all
1038         register and stack layout - that clones all code where the Entry variable is live; i.e. all
1039         code in the closure over predecessors of all blocks that do EntrySwitch.
1040         
1041         Usually, you would use this by creating an EntrySwitch in the root block, but you don't
1042         have to do that. Just remember that the code before EntrySwitch gets cloned for each
1043         entrypoint. We allow cloning of an arbitrarily large amount of code because restricting it,
1044         and so restricting the placement of EntrySwitches, would be inelegant. It would be hard to
1045         preserve this invariant. For example we wouldn't be able to lower any value before an
1046         EntrySwitch to a control flow diamond.
1047         
1048         This patch gives us an easy-to-use way to use B3 to compile code with multiple entrypoints.
1049         Inside the compiler, only code that runs very late in Air has to know about this feature.
1050         We get the best of both worlds!
1051         
1052         Also, I finally got rid of the requirement that you explicitly cast BasicBlock* to
1053         FrequentedBlock. I can no longer remember why I thought that was a good idea. Removing it
1054         doesn't cause any problems and it makes code easier to write.
1055
1056         * CMakeLists.txt:
1057         * JavaScriptCore.xcodeproj/project.pbxproj:
1058         * b3/B3BasicBlockUtils.h:
1059         (JSC::B3::updatePredecessorsAfter):
1060         (JSC::B3::clearPredecessors):
1061         (JSC::B3::recomputePredecessors):
1062         * b3/B3FrequencyClass.h:
1063         (JSC::B3::maxFrequency):
1064         * b3/B3Generate.h:
1065         * b3/B3LowerToAir.cpp:
1066         (JSC::B3::Air::LowerToAir::lower):
1067         * b3/B3MoveConstants.cpp:
1068         * b3/B3Opcode.cpp:
1069         (WTF::printInternal):
1070         * b3/B3Opcode.h:
1071         * b3/B3Procedure.cpp:
1072         (JSC::B3::Procedure::isFastConstant):
1073         (JSC::B3::Procedure::entrypointLabel):
1074         (JSC::B3::Procedure::addDataSection):
1075         * b3/B3Procedure.h:
1076         (JSC::B3::Procedure::numEntrypoints):
1077         (JSC::B3::Procedure::setNumEntrypoints):
1078         (JSC::B3::Procedure::setLastPhaseName):
1079         * b3/B3Validate.cpp:
1080         * b3/B3Value.cpp:
1081         (JSC::B3::Value::effects):
1082         (JSC::B3::Value::typeFor):
1083         * b3/B3Value.h:
1084         * b3/air/AirCode.cpp:
1085         (JSC::B3::Air::Code::cCallSpecial):
1086         (JSC::B3::Air::Code::isEntrypoint):
1087         (JSC::B3::Air::Code::resetReachability):
1088         (JSC::B3::Air::Code::dump):
1089         * b3/air/AirCode.h:
1090         (JSC::B3::Air::Code::setFrameSize):
1091         (JSC::B3::Air::Code::numEntrypoints):
1092         (JSC::B3::Air::Code::entrypoints):
1093         (JSC::B3::Air::Code::entrypoint):
1094         (JSC::B3::Air::Code::setEntrypoints):
1095         (JSC::B3::Air::Code::entrypointLabel):
1096         (JSC::B3::Air::Code::setEntrypointLabels):
1097         (JSC::B3::Air::Code::calleeSaveRegisters):
1098         * b3/air/AirCustom.h:
1099         (JSC::B3::Air::PatchCustom::isTerminal):
1100         (JSC::B3::Air::PatchCustom::hasNonArgEffects):
1101         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1102         (JSC::B3::Air::PatchCustom::generate):
1103         (JSC::B3::Air::CommonCustomBase::hasNonArgEffects):
1104         (JSC::B3::Air::CCallCustom::forEachArg):
1105         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1106         (JSC::B3::Air::ShuffleCustom::forEachArg):
1107         (JSC::B3::Air::EntrySwitchCustom::forEachArg):
1108         (JSC::B3::Air::EntrySwitchCustom::isValidFormStatic):
1109         (JSC::B3::Air::EntrySwitchCustom::isValidForm):
1110         (JSC::B3::Air::EntrySwitchCustom::admitsStack):
1111         (JSC::B3::Air::EntrySwitchCustom::isTerminal):
1112         (JSC::B3::Air::EntrySwitchCustom::hasNonArgNonControlEffects):
1113         (JSC::B3::Air::EntrySwitchCustom::generate):
1114         * b3/air/AirGenerate.cpp:
1115         (JSC::B3::Air::prepareForGeneration):
1116         (JSC::B3::Air::generate):
1117         * b3/air/AirLowerEntrySwitch.cpp: Added.
1118         (JSC::B3::Air::lowerEntrySwitch):
1119         * b3/air/AirLowerEntrySwitch.h: Added.
1120         * b3/air/AirOpcode.opcodes:
1121         * b3/air/AirOptimizeBlockOrder.cpp:
1122         (JSC::B3::Air::blocksInOptimizedOrder):
1123         * b3/air/AirSpecial.cpp:
1124         (JSC::B3::Air::Special::isTerminal):
1125         (JSC::B3::Air::Special::hasNonArgEffects):
1126         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1127         * b3/air/AirSpecial.h:
1128         * b3/air/AirValidate.cpp:
1129         * b3/air/opcode_generator.rb:
1130         * b3/testb3.cpp:
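
        The EntrySwitch entry above describes the lowering in prose: every block where the
        hidden Entry variable is live (the closure over predecessors of the EntrySwitch blocks)
        is cloned once per entrypoint, and in each clone the EntrySwitch becomes a jump to the
        successor for that entrypoint. The following is an added toy model of that phase in
        JavaScript, not code from the B3 or Air sources; the block shape, terminal names,
        the interpreter and the sample procedure are all constructed for this example.

```javascript
// Added example, not B3/Air code: lower EntrySwitch by cloning the blocks
// where the Entry variable is live, then check the result against the
// reference semantics (each entrypoint sets Entry and jumps to root).

// Terminals: Return, Jump{target}, Branch{targets:[ifNonZero, ifZero]},
// EntrySwitch{targets: one per entrypoint}. Instructions act on one accumulator.
function successors(block) {
  const t = block.terminal;
  if (t.kind === "Return") return [];
  if (t.kind === "Jump") return [t.target];
  return t.targets;                          // Branch, EntrySwitch
}

// Blocks from which an EntrySwitch is reachable: Entry is live in all of them.
function blocksWhereEntryIsLive(blocks) {
  const preds = new Map(Object.keys(blocks).map(n => [n, []]));
  for (const [name, block] of Object.entries(blocks))
    for (const s of successors(block)) preds.get(s).push(name);
  const live = new Set();
  const work = Object.keys(blocks).filter(n => blocks[n].terminal.kind === "EntrySwitch");
  while (work.length) {
    const n = work.pop();
    if (live.has(n)) continue;
    live.add(n);
    work.push(...preds.get(n));
  }
  return live;
}

// Produce a graph with no EntrySwitch plus one entry label per entrypoint.
function lowerEntrySwitch(blocks, root, numEntrypoints) {
  const live = blocksWhereEntryIsLive(blocks);
  const out = {};
  for (const [name, block] of Object.entries(blocks))
    if (!live.has(name)) out[name] = block;  // Entry dead here: shared, not cloned
  const entrypoints = [];
  for (let i = 0; i < numEntrypoints; i++) {
    const rename = n => (live.has(n) ? `${n}#${i}` : n);
    for (const name of live) {
      const t = blocks[name].terminal;
      let terminal;
      if (t.kind === "EntrySwitch") {
        if (t.targets.length !== numEntrypoints)
          throw new Error("EntrySwitch successor count must equal numEntrypoints");
        terminal = { kind: "Jump", target: rename(t.targets[i]) }; // switch resolved for entry i
      } else if (t.kind === "Jump") terminal = { kind: "Jump", target: rename(t.target) };
      else if (t.kind === "Branch") terminal = { kind: "Branch", targets: t.targets.map(rename) };
      else terminal = t;
      out[rename(name)] = { insts: blocks[name].insts, terminal };
    }
    entrypoints.push(rename(root));
  }
  return { blocks: out, entrypoints };
}

// Reference semantics. entryIndex plays the hidden Entry variable; it is
// unused once no EntrySwitch remains.
function interpret(blocks, start, entryIndex) {
  let acc = 0, name = start;
  const trace = [];
  for (let steps = 0; steps < 1000; steps++) {
    const block = blocks[name];
    trace.push(name);
    for (const [op, k] of block.insts) {
      if (op === "set") acc = k; else if (op === "add") acc += k;
      else if (op === "mul") acc *= k; else throw new Error("unknown op " + op);
    }
    const t = block.terminal;
    if (t.kind === "Return") return { value: acc, trace };
    if (t.kind === "Jump") name = t.target;
    else if (t.kind === "Branch") name = acc !== 0 ? t.targets[0] : t.targets[1];
    else if (t.kind === "EntrySwitch") name = t.targets[entryIndex];
    else throw new Error("unknown terminal " + t.kind);
  }
  throw new Error("did not terminate");
}

// Constructed procedure with two entrypoints. root and pre precede the
// EntrySwitch, so they get cloned; fast, slow and join are shared.
const cfg = {
  root: { insts: [["set", 10]],  terminal: { kind: "Jump", target: "pre" } },
  pre:  { insts: [["add", 1]],   terminal: { kind: "EntrySwitch", targets: ["fast", "slow"] } },
  fast: { insts: [["add", 1]],   terminal: { kind: "Jump", target: "join" } },
  slow: { insts: [["mul", 3]],   terminal: { kind: "Jump", target: "join" } },
  join: { insts: [["add", 100]], terminal: { kind: "Return" } },
};
```

        Running the lowered graph from each entry label must give the same result as running the
        original graph with the corresponding Entry index, and the cloned region is exactly the
        predecessor closure, so a block after the switch is never duplicated.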
1131
1132 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1133
1134         Unreviewed, fix broken test. I don't know why I goofed this up without seeing it before landing.
1135
1136         * b3/air/AirOpcode.opcodes:
1137         * b3/testb3.cpp:
1138         (JSC::B3::run):
1139
1140 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
1141
1142         [B3] Fusing immediates into test instructions should work again
1143         https://bugs.webkit.org/show_bug.cgi?id=160073
1144
1145         Reviewed by Sam Weinig.
1146
1147         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
1148         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
1149         was still using Imm!  This meant that isValidForm() always returned false.
1150         
1151         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
1152         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
1153         with the scratch register).
1154         
1155         This is not an obvious progression on anything, so I added comprehensive tests to
1156         testb3, which check that we selected the optimal instruction in a variety of situations.
1157         We should add more tests like this!
1158
1159         * b3/B3BasicBlock.h:
1160         (JSC::B3::BasicBlock::successorBlock):
1161         * b3/B3LowerToAir.cpp:
1162         (JSC::B3::Air::LowerToAir::createGenericCompare):
1163         * b3/B3LowerToAir.h:
1164         * b3/air/AirArg.cpp:
1165         (JSC::B3::Air::Arg::isRepresentableAs):
1166         (JSC::B3::Air::Arg::usesTmp):
1167         * b3/air/AirArg.h:
1168         (JSC::B3::Air::Arg::isRepresentableAs):
1169         (JSC::B3::Air::Arg::castToType):
1170         (JSC::B3::Air::Arg::asNumber):
1171         * b3/air/AirCode.h:
1172         (JSC::B3::Air::Code::size):
1173         (JSC::B3::Air::Code::at):
1174         * b3/air/AirOpcode.opcodes:
1175         * b3/air/AirValidate.h:
1176         * b3/air/opcode_generator.rb:
1177         * b3/testb3.cpp:
1178         (JSC::B3::compile):
1179         (JSC::B3::compileAndRun):
1180         (JSC::B3::lowerToAirForTesting):
1181         (JSC::B3::testSomeEarlyRegister):
1182         (JSC::B3::testBranchBitAndImmFusion):
1183         (JSC::B3::zero):
1184         (JSC::B3::run):
1185
1186 2016-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1187
1188         Unreviewed, update the exponentiation expression error message
1189         https://bugs.webkit.org/show_bug.cgi?id=159969
1190
1191         Follow up patch for r203499.
1192
1193         * parser/Parser.cpp:
1194         (JSC::Parser<LexerType>::parseBinaryExpression):
1195         * tests/stress/pow-expects-update-expression-on-lhs.js:
1196         (throw.new.Error):
1197
1198 2016-07-24  Darin Adler  <darin@apple.com>
1199
1200         Adding a new WebCore JavaScript built-in source file does not trigger rebuild of WebCoreJSBuiltins*
1201         https://bugs.webkit.org/show_bug.cgi?id=160115
1202
1203         Reviewed by Youenn Fablet.
1204
1205         * make-generated-sources.sh: Removed. Was unused.
1206
1207 2016-07-23  Commit Queue  <commit-queue@webkit.org>
1208
1209         Unreviewed, rolling out r203641.
1210         https://bugs.webkit.org/show_bug.cgi?id=160116
1211
1212         It broke make-based builds (Requested by youenn on #webkit).
1213
1214         Reverted changeset:
1215
1216         "[Fetch API] Request should be created with any HeadersInit
1217         data"
1218         https://bugs.webkit.org/show_bug.cgi?id=159672
1219         http://trac.webkit.org/changeset/203641
1220
1221 2016-07-23  Youenn Fablet  <youenn@apple.com>
1222
1223         [Fetch API] Request should be created with any HeadersInit data
1224         https://bugs.webkit.org/show_bug.cgi?id=159672
1225
1226         Reviewed by Sam Weinig.
1227
1228         * Scripts/builtins/builtins_generator.py:
1229         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1230
1231 2016-07-21  Filip Pizlo  <fpizlo@apple.com>
1232
1233         Teach MarkedSpace how to allocate auxiliary storage
1234         https://bugs.webkit.org/show_bug.cgi?id=160053
1235
1236         Reviewed by Sam Weinig.
1237         
1238         Previously, we had two kinds of subspaces in MarkedSpace: destructor and non-destructor. This
1239         was described using "bool needsDestruction" that would get passed around. We'd iterate over
1240         these spaces using duplicated code - one loop for destructors and one for non-destructors, or
1241         a single loop that does one thing for destructors and one for non-destructors.
1242         
1243         But now we want a third subspace: non-destructor non-JSCell, aka Auxiliary.
1244         
1245         So, this changes all of the reflection and iteration over subspaces to use functors, so that
1246         the looping is written once and reused. Most places don't even have to know that there is a
1247         third subspace; they just know that they must do things for each subspace, for each
1248         allocator, or for each block - and the functor magic handles it for you.
1249         
1250         To make this somewhat nice, this change also fixes how we describe subspaces. Instead of a
1251         bool, we now have AllocatorAttributes, which is a struct. If we ever add more subspaces, we
1252         can add fields to AllocatorAttributes to describe how those subspaces differ. For now it just
1253         contains two properties: a DestructionMode and a HeapCell::Kind. The DestructionMode
1254         replaces bool needsDestruction. I deliberately used a non-class enum to avoid tautologies.
1255         DestructionMode has two members: NeedsDestruction and DoesNotNeedDestruction. I almost went
1256         with DestructionMode::Needed and DestructionMode::NotNeeded, but I felt like that involves
1257         more typing and doesn't actually avoid any kind of namespace issues.
1258         
1259         This is intended to have no behavior change other than the addition of a totally unused
1260         space, which should always be empty. So hopefully it doesn't cost anything.
1261
1262         * CMakeLists.txt:
1263         * JavaScriptCore.xcodeproj/project.pbxproj:
1264         * heap/AllocatorAttributes.cpp: Added.
1265         (JSC::AllocatorAttributes::dump):
1266         * heap/AllocatorAttributes.h: Added.
1267         (JSC::AllocatorAttributes::AllocatorAttributes):
1268         * heap/DestructionMode.cpp: Added.
1269         (WTF::printInternal):
1270         * heap/DestructionMode.h: Added.
1271         * heap/Heap.h:
1272         * heap/MarkedAllocator.cpp:
1273         (JSC::MarkedAllocator::allocateBlock):
1274         (JSC::MarkedAllocator::addBlock):
1275         * heap/MarkedAllocator.h:
1276         (JSC::MarkedAllocator::cellSize):
1277         (JSC::MarkedAllocator::attributes):
1278         (JSC::MarkedAllocator::needsDestruction):
1279         (JSC::MarkedAllocator::destruction):
1280         (JSC::MarkedAllocator::cellKind):
1281         (JSC::MarkedAllocator::heap):
1282         (JSC::MarkedAllocator::takeLastActiveBlock):
1283         (JSC::MarkedAllocator::MarkedAllocator):
1284         (JSC::MarkedAllocator::init):
1285         (JSC::MarkedAllocator::allocate):
1286         * heap/MarkedBlock.cpp:
1287         (JSC::MarkedBlock::create):
1288         (JSC::MarkedBlock::destroy):
1289         (JSC::MarkedBlock::MarkedBlock):
1290         (JSC::MarkedBlock::callDestructor):
1291         (JSC::MarkedBlock::sweep):
1292         (JSC::MarkedBlock::stopAllocating):
1293         (JSC::MarkedBlock::didRetireBlock):
1294         * heap/MarkedBlock.h:
1295         (JSC::MarkedBlock::cellSize):
1296         (JSC::MarkedBlock::attributes):
1297         (JSC::MarkedBlock::needsDestruction):
1298         (JSC::MarkedBlock::destruction):
1299         (JSC::MarkedBlock::cellKind):
1300         (JSC::MarkedBlock::size):
1301         (JSC::MarkedBlock::forEachCell):
1302         (JSC::MarkedBlock::forEachLiveCell):
1303         (JSC::MarkedBlock::forEachDeadCell):
1304         * heap/MarkedSpace.cpp:
1305         (JSC::MarkedSpace::MarkedSpace):
1306         (JSC::MarkedSpace::~MarkedSpace):
1307         (JSC::MarkedSpace::lastChanceToFinalize):
1308         (JSC::MarkedSpace::resetAllocators):
1309         (JSC::MarkedSpace::forEachAllocator):
1310         (JSC::MarkedSpace::stopAllocating):
1311         (JSC::MarkedSpace::resumeAllocating):
1312         (JSC::MarkedSpace::isPagedOut):
1313         (JSC::MarkedSpace::freeBlock):
1314         (JSC::MarkedSpace::shrink):
1315         (JSC::MarkedSpace::clearNewlyAllocated):
1316         (JSC::clearNewlyAllocatedInBlock): Deleted.
1317         * heap/MarkedSpace.h:
1318         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1319         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
1320         (JSC::MarkedSpace::subspaceForAuxiliaryData):
1321         (JSC::MarkedSpace::allocatorFor):
1322         (JSC::MarkedSpace::destructorAllocatorFor):
1323         (JSC::MarkedSpace::auxiliaryAllocatorFor):
1324         (JSC::MarkedSpace::allocateWithoutDestructor):
1325         (JSC::MarkedSpace::allocateWithDestructor):
1326         (JSC::MarkedSpace::allocateAuxiliary):
1327         (JSC::MarkedSpace::forEachBlock):
1328         (JSC::MarkedSpace::didAddBlock):
1329         (JSC::MarkedSpace::capacity):
1330         (JSC::MarkedSpace::forEachSubspace):
1331
1332 2016-07-22  Saam Barati  <sbarati@apple.com>
1333
1334         REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms
1335         https://bugs.webkit.org/show_bug.cgi?id=160082
1336
1337         Reviewed by Keith Miller.
1338
1339         We were improperly linking the Jump in the link buffer.
1340         It caused us to be linking against the executable address
1341         which always has bit 0 set. We shouldn't be doing that.
1342         This patch fixes this, by using the same idiom that
1343         PolymorphicAccess uses to link a jump to out of line code.
1344
1345         * jit/JITMathIC.h:
1346         (JSC::JITMathIC::generateOutOfLine):
1347
1348 2016-07-22  Commit Queue  <commit-queue@webkit.org>
1349
1350         Unreviewed, rolling out r203603.
1351         https://bugs.webkit.org/show_bug.cgi?id=160096
1352
1353         Caused CLoop tests to fail with assertions (Requested by
1354         perarne on #webkit).
1355
1356         Reverted changeset:
1357
1358         "[Win] jsc.exe sometimes never exits."
1359         https://bugs.webkit.org/show_bug.cgi?id=158073
1360         http://trac.webkit.org/changeset/203603
1361
1362 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1363
1364         [Win] jsc.exe sometimes never exits.
1365         https://bugs.webkit.org/show_bug.cgi?id=158073
1366
1367         Reviewed by Mark Lam.
1368
1369         Make sure the VM is deleted after the test has finished. This will gracefully stop the sampling profiler thread,
1370         and give the thread the opportunity to release the machine thread lock acquired in SamplingProfiler::takeSample.
1371         If the sampling profiler thread was terminated while holding the machine thread lock, the machine thread will
1372         not be able to grab the lock afterwards.
1373
1374         * jsc.cpp:
1375         (jscmain):
1376
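The shutdown ordering this entry relies on (stop the sampling thread cooperatively so it can release the lock it takes in takeSample, instead of tearing it down while the lock is held), shown as an added example. It is a constructed C++ sketch, not JSC's SamplingProfiler or jsc.cpp; the Sampler class, its m_machineThreadLock member and the lockIsAvailable/stopped helpers are assumptions of the sketch.

```cpp
#include <atomic>
#include <chrono>
#include <mutex>
#include <thread>

// Constructed sketch of the shutdown ordering this entry relies on; not JSC's SamplingProfiler.
// The sampler thread repeatedly takes m_machineThreadLock (standing in for the lock taken in
// SamplingProfiler::takeSample). Stopping it cooperatively, before its owner goes away, lets the
// thread leave the critical section and release the lock; a thread killed mid-sample would not.
class Sampler {
public:
    Sampler() : m_thread([this] { run(); }) {}
    ~Sampler() { shutdown(); }

    // Idempotent: the owner calls this (or is destroyed) once the work is done.
    void shutdown() {
        if (m_stop.exchange(true)) return;
        m_thread.join(); // run() observes m_stop and returns, having released the lock
    }

    int samplesTaken() const { return m_samples.load(); }
    bool stopped() const { return m_stop.load() && !m_thread.joinable(); }

    // Stands in for the machine thread trying to grab the lock after the sampler is gone.
    bool lockIsAvailable() {
        std::unique_lock<std::mutex> lock(m_machineThreadLock, std::try_to_lock);
        return lock.owns_lock();
    }

private:
    void run() {
        while (!m_stop.load()) {
            {
                std::lock_guard<std::mutex> lock(m_machineThreadLock); // takeSample() holds this
                m_samples.fetch_add(1);
                std::this_thread::sleep_for(std::chrono::microseconds(100));
            }
            std::this_thread::sleep_for(std::chrono::microseconds(100));
        }
    }

    std::mutex m_machineThreadLock;
    std::atomic<bool> m_stop{false};
    std::atomic<int> m_samples{0};
    std::thread m_thread; // declared last so the lock and flags exist before the thread starts
};
```

Deleting the Sampler (or calling shutdown()) before the process exits is the analogue of deleting the VM after the test: the thread finishes its current sample, drops the lock and joins, so a later try_lock on the same mutex succeeds.
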
1377 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1378
1379         Fix the Windows 64-bit build after r203537
1380         https://bugs.webkit.org/show_bug.cgi?id=160080
1381
1382         Reviewed by Csaba Osztrogonác.
1383
1384         Added new version of setupArgumentsWithExecState method.
1385
1386         * jit/CCallHelpers.h:
1387         (JSC::CCallHelpers::setupArgumentsWithExecState):
1388
1389 2016-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1390
1391         [ARM] Unreviewed EABI buildfix after r203537.
1392
1393         * jit/CCallHelpers.h:
1394         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
1395
1396 2016-07-22  Youenn Fablet  <youenn@apple.com>
1397
1398         run-builtins-generator-tests should be able to test WebCore builtins wrapper with more than one file
1399         https://bugs.webkit.org/show_bug.cgi?id=159921
1400
1401         Reviewed by Brian Burg.
1402
1403         Updated the built-in generator to generate only wrapper files when passed the --wrappers-only option.
1404         When this option is used, wrapper files are generated but no individual file is generated.
1405         When this option is not used, individual files are generated but no wrapper file is generated.
1406         This allows the builtin generator test runner to generate a single WebCore-Wrappers.h-result for all
1407         WebCore test files, as is done for real in WebCore.
1408         Previously, wrapper code was generated individually for each WebCore test file.
1409
1410         Added new built-in test file to cover the case of concatenating several guards in generated WebCore wrapper files.
1411
1412         * Scripts/generate-js-builtins.py:
1413         (concatenated_output_filename): Compute a decent name for wrapper files in case of test mode.
1414         (generate_bindings_for_builtins_files): When --wrappers-only is activated, this generates only the wrapper files, not the individual files.
1415         * Scripts/tests/builtins/WebCore-AnotherGuardedInternalBuiltin-Separate.js: Added.
1416         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: Added.
1417         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed wrapper code.
1418         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
1419         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
1420         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
1421         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Removed wrapper code.
1422         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Added, contains wrapper code for all WebCore valid test cases.
1423
1424 2016-07-21  Saam Barati  <sbarati@apple.com>
1425
1426         callOperation(.) variants in the DFG that explicitly take a tag/payload register should take a JSValueRegs instead
1427         https://bugs.webkit.org/show_bug.cgi?id=160007
1428
1429         Reviewed by Filip Pizlo.
1430
1431         This patch is the first step in my plan to remove all callOperation(.) variants
1432         in the various JITs and to unify them using a couple template variations.
1433         The steps are as follows:
1434         1. Replace all explicit tag/payload pairs with JSValueRegs in the DFG
1435         2. Replace all explicit tag/payload pairs with JSValueRegs in the baseline
1436         3. remove callOperation(.) variants and teach setupArgumentsWithExecState
1437            about JSValueRegs.
1438
1439         * dfg/DFGSpeculativeJIT.cpp:
1440         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1441         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1442         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
1443         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
1444         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1445         * dfg/DFGSpeculativeJIT.h:
1446         (JSC::DFG::SpeculativeJIT::callOperation):
1447         * dfg/DFGSpeculativeJIT32_64.cpp:
1448         (JSC::DFG::SpeculativeJIT::cachedGetById):
1449         (JSC::DFG::SpeculativeJIT::cachedPutById):
1450         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1451         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
1452         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1453         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1454         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1455         (JSC::DFG::SpeculativeJIT::emitCall):
1456         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1457         (JSC::DFG::SpeculativeJIT::emitBranch):
1458         (JSC::DFG::SpeculativeJIT::compile):
1459
1460 2016-07-21  Saam Barati  <sbarati@apple.com>
1461
1462         op_add/ValueAdd should be an IC in all JIT tiers
1463         https://bugs.webkit.org/show_bug.cgi?id=159649
1464
1465         Reviewed by Benjamin Poulain.
1466
1467         This patch makes Add an IC inside all JIT tiers. It does so in a
1468         simple, but effective, way. We will try to generate an int+int add
1469         that will repatch itself if its type checks fail. Sometimes though,
1470         we have runtime type data saying that the add won't be int+int.
1471         In those cases, we will just generate a full snippet that doesn't patch itself.
1472         Other times, we may generate no inline code and defer to making a C call. A lot
1473         of this patch is just refactoring ResultProfile into what we're now calling ArithProfile.
1474         ArithProfile does everything ResultProfile used to do, and more. It records simple type
1475         data about the LHS/RHS operands it sees. This allows us to determine if an op_add
1476         has only seen int+int operands, etc. ArithProfile will also contain the ResultType
1477         for the LHS/RHS that the parser feeds into op_add. ArithProfile now fits into 32-bits.
1478         This means instead of having a side table like we did for ResultProfile, we just
1479         inject the ArithProfile into the bytecode instruction stream. This makes asking
1480         for ArithProfile faster; we no longer need to lock around this operation.
1481
1482         The size of an Add has gone down on average, but we can still do better.
1483         We still generate a lot of code because we generate calls to the slow path.
1484         I think we can make this better by moving the slow path to a shared thunk
1485         system. This patch mostly lays the foundation for future improvements to Add,
1486         and a framework to move all other arithmetic operations to be typed-based ICs.
1487
1488         Here is some data I took on the average op_add/ValueAdd size on various benchmarks:
1489                    |   JetStream  |  Speedometer |  Unity 3D  |
1490              ------|--------------|--------------|------------|
1491               Old  |  189 bytes   |  169 bytes   |  192 bytes |
1492              ------|--------------|--------------|------------|
1493               New  |  148 bytes   |  124 bytes   |  143 bytes |
1494              ------|--------------|--------------|------------|
1495
1496         Making an arithmetic IC is now easy. The JITMathIC class will hold a snippet
1497         generator as a member variable. To make a snippet an IC, you need to implement
1498         a generateInline(.) method, which generates the inline IC. Then, you need to
1499         generate the IC where you used to generate the snippet. When generating the
1500         IC, we need to inform JITMathIC of various data like we do with StructureStubInfo.
1501         We need to tell it about where the slow path starts, where the slow path call is, etc.
1502         When generating a JITMathIC, it may tell you that it didn't generate any code inline.
1503         This is a request to the user of JITMathIC to just generate a C call along the
1504         fast path. JITMathIC may also have the snippet tell it to just generate the full
1505         snippet instead of the int+int path along the fast path.
1506
1507         In subsequent patches, we can improve upon how we decide to generate int+int or
1508         the full snippet. I tried to get clever by having double+double, double+int, int+double,
1509         fast paths, but they didn't work out nearly as well as the int+int fast path. I ended up
1510         generating a lot of code when I did this and ended up using more memory than just generating
1511         the full snippet. There is probably some way we can be clever and generate specialized fast
1512         paths that are more successful than what I tried implementing, but I think it's worth deferring
1513         that to follow-up patches once the JITMathIC foundation has landed.
1514
1515         This patch also fixes a bug inside the slow path lambdas in the DFG.
1516         Before, it was not legal to emit an exception check inside them. Now,
1517         it is. So it's now easy to define arbitrary late paths using the DFG
1518         slow path lambda API.
1519
1520         * CMakeLists.txt:
1521         * JavaScriptCore.xcodeproj/project.pbxproj:
1522         * bytecode/ArithProfile.cpp: Added.
1523         (JSC::ArithProfile::emitObserveResult):
1524         (JSC::ArithProfile::shouldEmitSetDouble):
1525         (JSC::ArithProfile::emitSetDouble):
1526         (JSC::ArithProfile::shouldEmitSetNonNumber):
1527         (JSC::ArithProfile::emitSetNonNumber):
1528         (WTF::printInternal):
1529         * bytecode/ArithProfile.h: Added.
1530         (JSC::ObservedType::ObservedType):
1531         (JSC::ObservedType::sawInt32):
1532         (JSC::ObservedType::isOnlyInt32):
1533         (JSC::ObservedType::sawNumber):
1534         (JSC::ObservedType::isOnlyNumber):
1535         (JSC::ObservedType::sawNonNumber):
1536         (JSC::ObservedType::isOnlyNonNumber):
1537         (JSC::ObservedType::isEmpty):
1538         (JSC::ObservedType::bits):
1539         (JSC::ObservedType::withInt32):
1540         (JSC::ObservedType::withNumber):
1541         (JSC::ObservedType::withNonNumber):
1542         (JSC::ObservedType::withoutNonNumber):
1543         (JSC::ObservedType::operator==):
1544         (JSC::ArithProfile::ArithProfile):
1545         (JSC::ArithProfile::fromInt):
1546         (JSC::ArithProfile::lhsResultType):
1547         (JSC::ArithProfile::rhsResultType):
1548         (JSC::ArithProfile::lhsObservedType):
1549         (JSC::ArithProfile::rhsObservedType):
1550         (JSC::ArithProfile::setLhsObservedType):
1551         (JSC::ArithProfile::setRhsObservedType):
1552         (JSC::ArithProfile::tookSpecialFastPath):
1553         (JSC::ArithProfile::didObserveNonInt32):
1554         (JSC::ArithProfile::didObserveDouble):
1555         (JSC::ArithProfile::didObserveNonNegZeroDouble):
1556         (JSC::ArithProfile::didObserveNegZeroDouble):
1557         (JSC::ArithProfile::didObserveNonNumber):
1558         (JSC::ArithProfile::didObserveInt32Overflow):
1559         (JSC::ArithProfile::didObserveInt52Overflow):
1560         (JSC::ArithProfile::setObservedNonNegZeroDouble):
1561         (JSC::ArithProfile::setObservedNegZeroDouble):
1562         (JSC::ArithProfile::setObservedNonNumber):
1563         (JSC::ArithProfile::setObservedInt32Overflow):
1564         (JSC::ArithProfile::setObservedInt52Overflow):
1565         (JSC::ArithProfile::addressOfBits):
1566         (JSC::ArithProfile::observeResult):
1567         (JSC::ArithProfile::lhsSawInt32):
1568         (JSC::ArithProfile::lhsSawNumber):
1569         (JSC::ArithProfile::lhsSawNonNumber):
1570         (JSC::ArithProfile::rhsSawInt32):
1571         (JSC::ArithProfile::rhsSawNumber):
1572         (JSC::ArithProfile::rhsSawNonNumber):
1573         (JSC::ArithProfile::observeLHSAndRHS):
1574         (JSC::ArithProfile::bits):
1575         (JSC::ArithProfile::hasBits):
1576         (JSC::ArithProfile::setBit):
1577         * bytecode/CodeBlock.cpp:
1578         (JSC::CodeBlock::dumpRareCaseProfile):
1579         (JSC::CodeBlock::dumpArithProfile):
1580         (JSC::CodeBlock::dumpBytecode):
1581         (JSC::CodeBlock::addStubInfo):
1582         (JSC::CodeBlock::addJITAddIC):
1583         (JSC::CodeBlock::findStubInfo):
1584         (JSC::CodeBlock::resetJITData):
1585         (JSC::CodeBlock::shrinkToFit):
1586         (JSC::CodeBlock::dumpValueProfiles):
1587         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
1588         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1589         (JSC::CodeBlock::arithProfileForPC):
1590         (JSC::CodeBlock::couldTakeSpecialFastCase):
1591         (JSC::CodeBlock::dumpResultProfile): Deleted.
1592         (JSC::CodeBlock::resultProfileForBytecodeOffset): Deleted.
1593         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
1594         (JSC::CodeBlock::ensureResultProfile): Deleted.
1595         * bytecode/CodeBlock.h:
1596         (JSC::CodeBlock::stubInfoBegin):
1597         (JSC::CodeBlock::stubInfoEnd):
1598         (JSC::CodeBlock::couldTakeSlowCase):
1599         (JSC::CodeBlock::numberOfResultProfiles): Deleted.
1600         * bytecode/MethodOfGettingAValueProfile.cpp:
1601         (JSC::MethodOfGettingAValueProfile::emitReportValue):
1602         * bytecode/MethodOfGettingAValueProfile.h:
1603         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
1604         * bytecode/ValueProfile.cpp:
1605         (JSC::ResultProfile::emitDetectNumericness): Deleted.
1606         (JSC::ResultProfile::emitSetDouble): Deleted.
1607         (JSC::ResultProfile::emitSetNonNumber): Deleted.
1608         (WTF::printInternal): Deleted.
1609         * bytecode/ValueProfile.h:
1610         (JSC::getRareCaseProfileBytecodeOffset):
1611         (JSC::ResultProfile::ResultProfile): Deleted.
1612         (JSC::ResultProfile::bytecodeOffset): Deleted.
1613         (JSC::ResultProfile::specialFastPathCount): Deleted.
1614         (JSC::ResultProfile::didObserveNonInt32): Deleted.
1615         (JSC::ResultProfile::didObserveDouble): Deleted.
1616         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
1617         (JSC::ResultProfile::didObserveNegZeroDouble): Deleted.
1618         (JSC::ResultProfile::didObserveNonNumber): Deleted.
1619         (JSC::ResultProfile::didObserveInt32Overflow): Deleted.
1620         (JSC::ResultProfile::didObserveInt52Overflow): Deleted.
1621         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
1622         (JSC::ResultProfile::setObservedNegZeroDouble): Deleted.
1623         (JSC::ResultProfile::setObservedNonNumber): Deleted.
1624         (JSC::ResultProfile::setObservedInt32Overflow): Deleted.
1625         (JSC::ResultProfile::setObservedInt52Overflow): Deleted.
1626         (JSC::ResultProfile::addressOfFlags): Deleted.
1627         (JSC::ResultProfile::addressOfSpecialFastPathCount): Deleted.
1628         (JSC::ResultProfile::detectNumericness): Deleted.
1629         (JSC::ResultProfile::hasBits): Deleted.
1630         (JSC::ResultProfile::setBit): Deleted.
1631         (JSC::getResultProfileBytecodeOffset): Deleted.
1632         * bytecompiler/BytecodeGenerator.cpp:
1633         (JSC::BytecodeGenerator::emitBinaryOp):
1634         * dfg/DFGByteCodeParser.cpp:
1635         (JSC::DFG::ByteCodeParser::makeSafe):
1636         * dfg/DFGGraph.cpp:
1637         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1638         * dfg/DFGJITCompiler.cpp:
1639         (JSC::DFG::JITCompiler::exceptionCheck):
1640         * dfg/DFGSlowPathGenerator.h:
1641         (JSC::DFG::SlowPathGenerator::generate):
1642         * dfg/DFGSpeculativeJIT.cpp:
1643         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1644         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1645         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1646         * dfg/DFGSpeculativeJIT.h:
1647         (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
1648         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1649         (JSC::DFG::SpeculativeJIT::callOperation):
1650         * ftl/FTLLowerDFGToB3.cpp:
1651         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1652         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
1653         * jit/CCallHelpers.h:
1654         (JSC::CCallHelpers::setupArgumentsWithExecState):
1655         (JSC::CCallHelpers::setupArguments):
1656         * jit/JIT.h:
1657         * jit/JITAddGenerator.cpp:
1658         (JSC::JITAddGenerator::generateInline):
1659         (JSC::JITAddGenerator::generateFastPath):
1660         * jit/JITAddGenerator.h:
1661         (JSC::JITAddGenerator::JITAddGenerator):
1662         (JSC::JITAddGenerator::didEmitFastPath): Deleted.
1663         (JSC::JITAddGenerator::endJumpList): Deleted.
1664         (JSC::JITAddGenerator::slowPathJumpList): Deleted.
1665         * jit/JITArithmetic.cpp:
1666         (JSC::JIT::emit_op_jless):
1667         (JSC::JIT::emitSlow_op_urshift):
1668         (JSC::getOperandTypes):
1669         (JSC::JIT::emit_op_add):
1670         (JSC::JIT::emitSlow_op_add):
1671         (JSC::JIT::emit_op_div):
1672         (JSC::JIT::emit_op_mul):
1673         (JSC::JIT::emitSlow_op_mul):
1674         (JSC::JIT::emit_op_sub):
1675         (JSC::JIT::emitSlow_op_sub):
1676         * jit/JITDivGenerator.cpp:
1677         (JSC::JITDivGenerator::generateFastPath):
1678         * jit/JITDivGenerator.h:
1679         (JSC::JITDivGenerator::JITDivGenerator):
1680         * jit/JITInlines.h:
1681         (JSC::JIT::callOperation):
1682         * jit/JITMathIC.h: Added.
1683         (JSC::JITMathIC::doneLocation):
1684         (JSC::JITMathIC::slowPathStartLocation):
1685         (JSC::JITMathIC::slowPathCallLocation):
1686         (JSC::JITMathIC::generateInline):
1687         (JSC::JITMathIC::generateOutOfLine):
1688         (JSC::JITMathIC::finalizeInlineCode):
1689         * jit/JITMathICForwards.h: Added.
1690         * jit/JITMathICInlineResult.h: Added.
1691         * jit/JITMulGenerator.cpp:
1692         (JSC::JITMulGenerator::generateFastPath):
1693         * jit/JITMulGenerator.h:
1694         (JSC::JITMulGenerator::JITMulGenerator):
1695         * jit/JITOperations.cpp:
1696         * jit/JITOperations.h:
1697         * jit/JITSubGenerator.cpp:
1698         (JSC::JITSubGenerator::generateFastPath):
1699         * jit/JITSubGenerator.h:
1700         (JSC::JITSubGenerator::JITSubGenerator):
1701         * jit/Repatch.cpp:
1702         (JSC::readCallTarget):
1703         (JSC::ftlThunkAwareRepatchCall):
1704         (JSC::tryCacheGetByID):
1705         (JSC::repatchGetByID):
1706         (JSC::appropriateGenericPutByIdFunction):
1707         (JSC::tryCachePutByID):
1708         (JSC::repatchPutByID):
1709         (JSC::tryRepatchIn):
1710         (JSC::repatchIn):
1711         (JSC::linkSlowFor):
1712         (JSC::resetGetByID):
1713         (JSC::resetPutByID):
1714         (JSC::repatchCall): Deleted.
1715         * jit/Repatch.h:
1716         * llint/LLIntData.cpp:
1717         (JSC::LLInt::Data::performAssertions):
1718         * llint/LowLevelInterpreter.asm:
1719         * llint/LowLevelInterpreter32_64.asm:
1720         * llint/LowLevelInterpreter64.asm:
1721         * parser/ResultType.h:
1722         (JSC::ResultType::ResultType):
1723         (JSC::ResultType::isInt32):
1724         (JSC::ResultType::definitelyIsNumber):
1725         (JSC::ResultType::definitelyIsString):
1726         (JSC::ResultType::definitelyIsBoolean):
1727         (JSC::ResultType::mightBeNumber):
1728         (JSC::ResultType::isNotNumber):
1729         (JSC::ResultType::forBitOp):
1730         (JSC::ResultType::bits):
1731         (JSC::OperandTypes::OperandTypes):
1732         * runtime/CommonSlowPaths.cpp:
1733         (JSC::SLOW_PATH_DECL):
1734         (JSC::updateArithProfileForBinaryArithOp):
1735         (JSC::updateResultProfileForBinaryArithOp): Deleted.
1736         * tests/stress/op-add-exceptions.js: Added.
1737         (assert):
1738         (f1):
1739         (f2):
1740         (f3):
1741         (let.oException.valueOf):
1742         (foo):
1743         (ident):
1744         (bar):
1745
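The repatching int+int IC and the operand-type profile described in this entry, modelled as an added example. It is a constructed C++ sketch, not JSC's JITMathIC, ArithProfile or any code from this patch; the Value variant, ObservedType/ArithProfile structs, AddIC, chooseInlineCode and execute are the model's own names and assumptions.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <variant>

// Constructed model of the repatching add IC and its ArithProfile; not JSC's JITMathIC/ArithProfile code.
// A JS value is modelled as an int32, a double, or a string (the "non-number" case).
using Value = std::variant<int32_t, double, std::string>;

// Per-operand type bits, in the spirit of JSC::ObservedType.
struct ObservedType {
    enum : uint8_t { SawInt32 = 1, SawNumber = 2, SawNonNumber = 4 };
    uint8_t bits = 0;
    bool isOnlyInt32() const { return bits == SawInt32; }
    bool sawNonNumber() const { return (bits & SawNonNumber) != 0; }
    void observe(const Value& v) {
        if (std::holds_alternative<int32_t>(v)) bits |= SawInt32;
        else if (std::holds_alternative<double>(v)) bits |= SawNumber;
        else bits |= SawNonNumber;
    }
};

// Per-site profile: what the slow path has recorded about this op_add so far.
struct ArithProfile {
    ObservedType lhs, rhs;
    bool observedInt32Overflow = false;
};
// The three shapes of inline code the entry describes for an add site.
enum class InlineCode { Int32Add, FullSnippet, CCall };

static bool addInt32WithoutOverflow(int32_t x, int32_t y, int32_t& out) {
    int64_t sum = static_cast<int64_t>(x) + y;
    if (sum < INT32_MIN || sum > INT32_MAX) return false;
    out = static_cast<int32_t>(sum);
    return true;
}
static double toDouble(const Value& v) {
    if (auto* i = std::get_if<int32_t>(&v)) return *i;
    return std::get<double>(v);
}
static std::string toJSString(const Value& v) {
    if (auto* i = std::get_if<int32_t>(&v)) return std::to_string(*i);
    if (auto* d = std::get_if<double>(&v)) { std::ostringstream os; os << *d; return os.str(); }
    return std::get<std::string>(v);
}
// Number + number: stays int32 when both operands are int32 and the sum does not overflow.
static Value numericAdd(const Value& a, const Value& b) {
    auto* x = std::get_if<int32_t>(&a);
    auto* y = std::get_if<int32_t>(&b);
    int32_t r;
    if (x && y && addInt32WithoutOverflow(*x, *y, r)) return r;
    return toDouble(a) + toDouble(b);
}
// Generic JS '+' as the C call computes it: any string operand means concatenation.
static Value genericAdd(const Value& a, const Value& b) {
    if (std::holds_alternative<std::string>(a) || std::holds_alternative<std::string>(b))
        return toJSString(a) + toJSString(b);
    return numericAdd(a, b);
}

struct AddIC {
    ArithProfile profile;
    InlineCode code = InlineCode::Int32Add; // first generation: optimistic int+int with type checks
    int repatchCount = 0;

    // What the JIT would emit for this site given the profile collected so far.
    InlineCode chooseInlineCode() const {
        if (profile.lhs.sawNonNumber() || profile.rhs.sawNonNumber()) return InlineCode::CCall;
        if (profile.lhs.isOnlyInt32() && profile.rhs.isOnlyInt32() && !profile.observedInt32Overflow)
            return InlineCode::Int32Add;
        return InlineCode::FullSnippet;
    }

    Value execute(const Value& a, const Value& b) {
        if (code == InlineCode::Int32Add) {
            auto* x = std::get_if<int32_t>(&a);
            auto* y = std::get_if<int32_t>(&b);
            int32_t r;
            if (x && y && addInt32WithoutOverflow(*x, *y, r)) return r; // inline fast path hit
            if (x && y) profile.observedInt32Overflow = true;
            // A type or overflow check failed: the slow path records the operands and repatches the site.
            profile.lhs.observe(a);
            profile.rhs.observe(b);
            code = chooseInlineCode();
            ++repatchCount;
            return genericAdd(a, b);
        }
        if (code == InlineCode::FullSnippet && !std::holds_alternative<std::string>(a)
            && !std::holds_alternative<std::string>(b))
            return numericAdd(a, b); // int32/double handled inline; the full snippet never repatches
        return genericAdd(a, b);     // C call
    }
};
```

A fresh AddIC starts on the optimistic int+int path. The first operand pair that fails the type or overflow check is recorded in the profile and the site is repatched: to the full int/double snippet when only numbers have been seen, or straight to the C call once a non-number has been observed, which are the three outcomes the entry describes. The full snippet never repatches again.
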
1746 2016-07-21  Csaba Osztrogonác  <ossy@webkit.org>
1747
1748         Clarify testing mode names in run-jsc-stress-tests
1749         https://bugs.webkit.org/show_bug.cgi?id=160021
1750
1751         Reviewed by Mark Lam.
1752
1753         Default should mean really default, not default with the FTL disabled; renamed
1754         - runMozillaTestDefault to runMozillaTestNoFTL
1755         - runMozillaTestDefaultFTL to runMozillaTestDefault
1756         - runDefault to runNoFTL
1757         - runDefaultFTL to runDefault
1758         - runLayoutTestDefault to runLayoutTestNoFTL
1759         - runLayoutTestDefaultFTL to runLayoutTestDefault
1760         - runNoisyTestDefault to runNoisyTestNoFTL
1761         - runNoisyTestDefaultFTL to runNoisyTestDefault
1762
1763         * tests/mozilla/mozilla-tests.yaml:
1764         * tests/stress/lift-tdz-bypass-catch.js:
1765         * tests/stress/obscure-error-message-dont-crash.js:
1766         * tests/stress/shadow-chicken-disabled.js:
1767
1768 2016-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1769
1770         [ES7] Introduce exponentiation expression
1771         https://bugs.webkit.org/show_bug.cgi?id=159969
1772
1773         Reviewed by Saam Barati.
1774
1775         This patch implements the exponentiation expression, e.g. `x ** y`.
1776         The exponentiation expression is introduced in ECMA262 2016 and ECMA262 2016
1777         is already released. So this is not the draft spec.
1778
1779         The exponentiation expression has 2 interesting points.
1780
1781         1. Right associative
1782
1783             To follow mathematical notation, the ** operator is right associative.
1784             When we execute `x ** y ** z`, this is handled as `x ** (y ** z)`, not `(x ** y) ** z`.
1785             This patch introduces right associativity for binary operators and handles it
1786             in the operator precedence parser in Parser.cpp.
1787
1788         2. LHS of the exponentiation expression is UpdateExpression
1789
1790             ExponentiationExpression[Yield]:
1791                 UnaryExpression[?Yield]
1792                 UpdateExpression[?Yield] ** ExponentiationExpression[?Yield]
1793
1794             As we can see, the left hand side of the ExponentiationExpression is an UpdateExpression, not a UnaryExpression.
1795             It means that `+x ** y` becomes a syntax error. This is intentional. Since there is no superscript notation in JS,
1796             `-x**y` is ambiguous between `-(x ** y)` and `(-x) ** y`. So ECMA262 intentionally avoids UnaryExpression here.
1797             If we need to use a negated value, we need to write the parentheses explicitly, e.g. `(-x) ** y`.
1798             In this patch, we ensure that the left hand side is not a unary expression by checking the operator in
1799             parseBinaryExpression. This works since `**` has the highest operator precedence among the binary operators.
1800
1801         We introduce a new bytecode, op_pow. It simply works similarly to the other binary operators,
1802         and it is converted to ArithPow in the DFG and handled in the DFG and FTL.
1803         In this patch, we take the approach of just introducing a new bytecode instead of calling Math.pow.
1804         This is because we would like to execute ToNumber on the caller side, not on the callee (Math.pow) side.
1805         And we don't want to compile ** into the following.
1806
1807             lhsNumber = to_number (lhs)
1808             rhsNumber = to_number (rhs)
1809             call Math.pow(lhsNumber, rhsNumber)
1810
1811         We ensure that this patch passes all the test262 tests related to the exponentiation expression.
1812
1813         The only performance-sensitive part is the parser changes.
1814         So we measured the code-load performance, and it is neutral on my x64 Linux box (hanayamata).
1815
1816             Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to
1817             gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
1818             the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
1819             execution times with 95% confidence intervals in milliseconds.
1820
1821                                      baseline                  patched
1822
1823             closure              0.60499+-0.00250          0.60180+-0.00244
1824             jquery               7.89175+-0.02433    ?     7.91287+-0.04759       ?
1825
1826             <geometric>          2.18499+-0.00523          2.18207+-0.00689         might be 1.0013x faster
1827
1828         * bytecode/BytecodeList.json:
1829         * bytecode/BytecodeUseDef.h:
1830         (JSC::computeUsesForBytecodeOffset):
1831         (JSC::computeDefsForBytecodeOffset):
1832         * bytecode/CodeBlock.cpp:
1833         (JSC::CodeBlock::dumpBytecode):
1834         * bytecompiler/NodesCodegen.cpp:
1835         (JSC::emitReadModifyAssignment):
1836         * dfg/DFGByteCodeParser.cpp:
1837         (JSC::DFG::ByteCodeParser::parseBlock):
1838         * dfg/DFGCapabilities.cpp:
1839         (JSC::DFG::capabilityLevel):
1840         * jit/JIT.cpp:
1841         (JSC::JIT::privateCompileMainPass):
1842         * jit/JIT.h:
1843         * jit/JITArithmetic.cpp:
1844         (JSC::JIT::emit_op_pow):
1845         * llint/LowLevelInterpreter.asm:
1846         * parser/ASTBuilder.h:
1847         (JSC::ASTBuilder::operatorStackShouldReduce):
1848         (JSC::ASTBuilder::makePowNode):
1849         (JSC::ASTBuilder::makeMultNode):
1850         (JSC::ASTBuilder::makeDivNode):
1851         (JSC::ASTBuilder::makeModNode):
1852         (JSC::ASTBuilder::makeSubNode):
1853         (JSC::ASTBuilder::makeBinaryNode):
1854         (JSC::ASTBuilder::operatorStackHasHigherPrecedence): Deleted.
1855         * parser/Lexer.cpp:
1856         (JSC::Lexer<T>::lex):
1857         * parser/NodeConstructors.h:
1858         (JSC::PowNode::PowNode):
1859         * parser/Nodes.h:
1860         * parser/Parser.cpp:
1861         (JSC::Parser<LexerType>::parseAssignmentExpression):
1862         (JSC::isUnaryOpExcludingUpdateOp):
1863         (JSC::Parser<LexerType>::parseBinaryExpression):
1864         (JSC::isUnaryOp): Deleted.
1865         * parser/ParserTokens.h:
1866         (JSC::isUpdateOp):
1867         (JSC::isUnaryOp):
1868         * parser/SyntaxChecker.h:
1869         (JSC::SyntaxChecker::operatorStackPop):
1870         * runtime/CommonSlowPaths.cpp:
1871         (JSC::SLOW_PATH_DECL):
1872         * runtime/CommonSlowPaths.h:
1873         * tests/stress/pow-basics.js: Added.
1874         (valuesAreClose):
1875         (mathPowDoubleDouble1):
1876         (mathPowDoubleInt1):
1877         (test1):
1878         (mathPowDoubleDouble2):
1879         (mathPowDoubleInt2):
1880         (test2):
1881         (mathPowDoubleDouble3):
1882         (mathPowDoubleInt3):
1883         (test3):
1884         (mathPowDoubleDouble4):
1885         (mathPowDoubleInt4):
1886         (test4):
1887         (mathPowDoubleDouble5):
1888         (mathPowDoubleInt5):
1889         (test5):
1890         (mathPowDoubleDouble6):
1891         (mathPowDoubleInt6):
1892         (test6):
1893         (mathPowDoubleDouble7):
1894         (mathPowDoubleInt7):
1895         (test7):
1896         (mathPowDoubleDouble8):
1897         (mathPowDoubleInt8):
1898         (test8):
1899         (mathPowDoubleDouble9):
1900         (mathPowDoubleInt9):
1901         (test9):
1902         (mathPowDoubleDouble10):
1903         (mathPowDoubleInt10):
1904         (test10):
1905         (mathPowDoubleDouble11):
1906         (mathPowDoubleInt11):
1907         (test11):
1908         * tests/stress/pow-coherency.js: Added.
1909         (pow42):
1910         (build42AsDouble.opaqueAdd):
1911         (build42AsDouble):
1912         (powDouble42):
1913         (clobber):
1914         (pow42NoConstantFolding):
1915         (powDouble42NoConstantFolding):
1916         * tests/stress/pow-evaluation-order.js: Added.
1917         (shouldBe):
1918         (throw.new.Error):
1919         * tests/stress/pow-expects-update-expression-on-lhs.js: Added.
1920         (testSyntax):
1921         (testSyntaxError):
1922         (throw.new.Error):
1923         (let.token.of.tokens.testSyntax.pow):
1924         (testSyntax.pow):
1925         * tests/stress/pow-integer-exponent-fastpath.js: Added.
1926         (valuesAreClose):
1927         (mathPowDoubleDoubleTestExponentFifty):
1928         (mathPowDoubleIntTestExponentFifty):
1929         (testExponentFifty):
1930         (mathPowDoubleDoubleTestExponentTenThousands):
1931         (mathPowDoubleIntTestExponentTenThousands):
1932         (testExponentTenThousands):
1933         * tests/stress/pow-nan-behaviors.js: Added.
1934         (testIntegerBaseWithNaNExponentStatic):
1935         (mathPowIntegerBaseWithNaNExponentDynamic):
1936         (testIntegerBaseWithNaNExponentDynamic):
1937         (testFloatingPointBaseWithNaNExponentStatic):
1938         (mathPowFloatingPointBaseWithNaNExponentDynamic):
1939         (testFloatingPointBaseWithNaNExponentDynamic):
1940         (testNaNBaseStatic):
1941         (mathPowNaNBaseDynamic1):
1942         (mathPowNaNBaseDynamic2):
1943         (mathPowNaNBaseDynamic3):
1944         (mathPowNaNBaseDynamic4):
1945         (testNaNBaseDynamic):
1946         (infiniteExponentsStatic):
1947         (mathPowInfiniteExponentsDynamic1):
1948         (mathPowInfiniteExponentsDynamic2):
1949         (mathPowInfiniteExponentsDynamic3):
1950         (mathPowInfiniteExponentsDynamic4):
1951         (infiniteExponentsDynamic):
1952         * tests/stress/pow-simple.js: Added.
1953         (shouldBe):
1954         (throw.new.Error):
1955         * tests/stress/pow-stable-results.js: Added.
1956         (opaquePow):
1957         (isIdentical):
1958         * tests/stress/pow-to-number-should-be-executed-in-code-side.js: Added.
1959         (shouldBe):
1960         (throw.new.Error):
1961         * tests/stress/pow-with-constants.js: Added.
1962         (exponentIsZero):
1963         (testExponentIsZero):
1964         (exponentIsOne):
1965         (testExponentIsOne):
1966         (powUsedAsSqrt):
1967         (testPowUsedAsSqrt):
1968         (powUsedAsOneOverSqrt):
1969         (testPowUsedAsOneOverSqrt):
1970         (powUsedAsSquare):
1971         (testPowUsedAsSquare):
1972         (intIntConstantsSmallNumbers):
1973         (intIntConstantsLargeNumbers):
1974         (intIntSmallConstants):
1975         (intDoubleConstants):
1976         (doubleDoubleConstants):
1977         (doubleIntConstants):
1978         (testBaseAndExponentConstantLiterals):
1979         (exponentIsIntegerConstant):
1980         (testExponentIsIntegerConstant):
1981         (exponentIsDoubleConstant):
1982         (testExponentIsDoubleConstant):
1983         (exponentIsInfinityConstant):
1984         (testExponentIsInfinityConstant):
1985         (exponentIsNegativeInfinityConstant):
1986         (testExponentIsNegativeInfinityConstant):
1987         * tests/stress/pow-with-never-NaN-exponent.js: Added.
1988         (exponentIsNonNanDouble1):
1989         (exponentIsNonNanDouble2):
1990         (testExponentIsDoubleConstant):
1991         * tests/test262.yaml:
1992
1993 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
1994
1995         Switching on symbols should be fast
1996         https://bugs.webkit.org/show_bug.cgi?id=158892
1997
1998         Reviewed by Keith Miller.
1999         
2000         This does two things: fixes some goofs in our lowering of symbol equality and adds a new phase
2001         to B3 to infer switch statements from linear chains of branches.
2002         
2003         This changes how we compile equality to Symbols to constant-fold the load of the Symbol's UID.
2004         This is necessary for making switches on Symbols inferrable. This also gives us the ability to
2005         efficiently compile strict equality comparisons of SymbolUse and UntypedUse.
2006
2007         This adds a new phase to B3, which finds chains of branches that test for (in)equality on the
2008         same value and constants, and turns them into a Switch. This can turn O(n) code into
2009         O(log n) code, or even O(1) code if the switch cases are dense.
2010         
2011         This can make a big difference in JS. Say you write a switch in which the case statements are
2012         variable resolutions. The bytecode generator cannot use a bytecode switch in this case, since
2013         we're required to evaluate the resolutions in order. But in DFG IR, we will often turn those
2014         variable resolutions into constants, since we do that for any immutable singleton. This means
2015         that B3 will see a chain of Branches: the else case of one Branch will point to a basic block
2016         that does nothing but Branch on equality on the same value as the first Branch.
2017
2018         The inference algorithm is quite simple. The basic building block is the ability to summarize
2019         a block's switch behavior. For a block that ends in a switch, this is just the collection of
2020         switch cases. For a block that ends in a branch, we recognize Branch(Equal(value, const)),
2021         Branch(NotEqual(value, const)), and Branch(value). Each of these is summarized as if they
2022         were one-case switches. We infer a new switch if both some block and its sole predecessor
2023         can be described as switches on the same value, nothing shady is going on (like loops), and
2024         the block in question does no work other than this switch. In that case, the block is killed
2025         and its cases (which we get from the summary) are added to the predecessor's switch. This
2026         algorithm runs to fixpoint.
2027         
2028         * CMakeLists.txt:
2029         * JavaScriptCore.xcodeproj/project.pbxproj:
2030         * b3/B3Generate.cpp:
2031         (JSC::B3::generateToAir):
2032         * b3/B3InferSwitches.cpp: Added.
2033         (JSC::B3::inferSwitches):
2034         * b3/B3InferSwitches.h: Added.
2035         * b3/B3Procedure.h:
2036         (JSC::B3::Procedure::cfg):
2037         * b3/B3ReduceStrength.cpp:
2038         * b3/B3Value.cpp:
2039         (JSC::B3::Value::performSubstitution):
2040         (JSC::B3::Value::isFree):
2041         (JSC::B3::Value::dumpMeta):
2042         * b3/B3Value.h:
2043         * ftl/FTLLowerDFGToB3.cpp:
2044         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent):
2045         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2046         (JSC::FTL::DFG::LowerDFGToB3::lowSymbol):
2047         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID):
2048         (JSC::FTL::DFG::LowerDFGToB3::lowNonNullObject):
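
The inference described in this entry, as an added example that is not WebKit's B3InferSwitches.cpp: a toy CFG (constructed Block, Case and Summary types, with block indices as successors) on which chains of branches over the same value are folded into their sole predecessor's switch until fixpoint. Every name here is an assumption standing in for the real B3 classes.

```cpp
// Added example: toy version of the branch-chain -> switch inference described
// above. Block/Case/Summary are constructed stand-ins for B3 IR, not B3 code.
#include <cstdint>
#include <cstdio>
#include <vector>

struct Case { int64_t value; int target; };   // constant -> successor block index

struct Block {
    enum Kind { Jump, BranchEqual, BranchNotEqual, BranchValue, Switch } kind = Jump;
    int switchValue = -1;        // id of the value tested by the terminal
    int64_t constant = 0;        // constant compared against (Branch kinds)
    int taken = -1, notTaken = -1;
    std::vector<Case> cases;     // Switch cases
    int fallThrough = -1;        // Switch default / Jump target (-1: exits)
    bool doesOtherWork = false;  // block holds more than its terminal
    bool dead = false;
};

// A block's "switch behaviour": each Branch form is summarized as a one-case
// switch, an actual Switch as itself. ok == false means "not a switch".
struct Summary { bool ok = false; int value = -1; std::vector<Case> cases; int fallThrough = -1; };

static Summary summarize(const Block& b) {
    switch (b.kind) {
    case Block::BranchEqual:    return {true, b.switchValue, {{b.constant, b.taken}}, b.notTaken};
    case Block::BranchNotEqual: return {true, b.switchValue, {{b.constant, b.notTaken}}, b.taken};
    case Block::BranchValue:    return {true, b.switchValue, {{0, b.notTaken}}, b.taken};
    case Block::Switch:         return {true, b.switchValue, b.cases, b.fallThrough};
    default:                    return {};
    }
}

static std::vector<int> successorsOf(const Block& b) {
    std::vector<int> out;
    Summary s = summarize(b);
    if (s.ok) {
        for (const Case& c : s.cases)
            if (c.target >= 0) out.push_back(c.target);
        if (s.fallThrough >= 0) out.push_back(s.fallThrough);
    } else if (b.fallThrough >= 0) {
        out.push_back(b.fallThrough);
    }
    return out;
}

// Folds every block that (a) has exactly one predecessor, reached through that
// predecessor's fall-through edge, (b) switches on the same value, (c) does no
// other work, and (d) is not its own predecessor, into the predecessor's switch.
// Runs to fixpoint; returns the number of blocks folded.
int inferSwitches(std::vector<Block>& blocks) {
    int merged = 0;
    for (bool changed = true; changed;) {
        changed = false;
        std::vector<int> predCount(blocks.size(), 0), solePred(blocks.size(), -1);
        for (size_t p = 0; p < blocks.size(); ++p) {
            if (blocks[p].dead) continue;
            for (int s : successorsOf(blocks[p])) { predCount[s]++; solePred[s] = (int)p; }
        }
        for (size_t i = 0; i < blocks.size(); ++i) {
            Block& b = blocks[i];
            if (b.dead || b.doesOtherWork || predCount[i] != 1) continue;
            int p = solePred[i];
            if (p == (int)i || blocks[p].dead) continue;          // nothing shady: no self-loop
            Summary sb = summarize(b), sp = summarize(blocks[p]);
            if (!sb.ok || !sp.ok || sb.value != sp.value || sp.fallThrough != (int)i) continue;
            Block& pb = blocks[p];
            pb.kind = Block::Switch;
            pb.cases = sp.cases;
            for (const Case& c : sb.cases) {
                bool dup = false;
                for (const Case& pc : pb.cases) dup |= (pc.value == c.value);
                if (!dup) pb.cases.push_back(c);   // a duplicate case was unreachable anyway
            }
            pb.fallThrough = sb.fallThrough;        // the chain's final else edge
            b.dead = true; merged++; changed = true;
        }
    }
    return merged;
}

// Constructed input: the shape a JS switch over resolved constants leaves in
// B3, i.e. Branch(Equal(v, k)) blocks each feeding the next via its else edge,
// followed by four leaf blocks (3..6) that simply exit.
std::vector<Block> buildBranchChain() {
    std::vector<Block> blocks(7);
    for (int i = 0; i < 3; ++i) {
        blocks[i].kind = Block::BranchEqual;
        blocks[i].switchValue = 0;
        blocks[i].constant = i + 1;
        blocks[i].taken = 3 + i;
        blocks[i].notTaken = (i < 2) ? i + 1 : 6;
    }
    return blocks;
}

int main() {
    std::vector<Block> blocks = buildBranchChain();
    int merged = inferSwitches(blocks);
    std::printf("folded %d blocks; block 0 now has %zu cases, default -> %d\n",
                merged, blocks[0].cases.size(), blocks[0].fallThrough);
    return 0;
}
```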
2049
2050 2016-07-20  Filip Pizlo  <fpizlo@apple.com>
2051
2052         FTL snippet generators should be able to request a different register for output and input
2053         https://bugs.webkit.org/show_bug.cgi?id=160010
2054         rdar://problem/27439330
2055
2056         Reviewed by Saam Barati.
2057         
2058         The BitOr and BitXor snippet generators have problems if the register for the right input is
2059         the same as the register for the result. We could fix those generators, but I'm not convinced
2060         that the other snippet generators don't have this bug. So, the approach that this patch takes
2061         is to teach the FTL to request that B3 use a different register for the result than for
2062         any input to the snippet patchpoint.
2063         
2064         Air already has the ability to let any instruction do an EarlyDef, which means exactly this.
2065         But B3 did not expose this via ValueRep. This patch exposes this in ValueRep as
2066         SomeEarlyRegister. That's most of the change.
2067         
2068         This adds a testb3 test for SomeEarlyRegister and a regression test for this particular
2069         problem. The regression test failed on trunk JSC before this.
2070
2071         * b3/B3LowerToAir.cpp:
2072         (JSC::B3::Air::LowerToAir::lower):
2073         * b3/B3PatchpointSpecial.cpp:
2074         (JSC::B3::PatchpointSpecial::forEachArg):
2075         (JSC::B3::PatchpointSpecial::admitsStack):
2076         * b3/B3StackmapSpecial.cpp:
2077         (JSC::B3::StackmapSpecial::forEachArgImpl):
2078         (JSC::B3::StackmapSpecial::isArgValidForRep):
2079         * b3/B3Validate.cpp:
2080         * b3/B3ValueRep.cpp:
2081         (JSC::B3::ValueRep::addUsedRegistersTo):
2082         (JSC::B3::ValueRep::dump):
2083         (WTF::printInternal):
2084         * b3/B3ValueRep.h:
2085         (JSC::B3::ValueRep::ValueRep):
2086         (JSC::B3::ValueRep::reg):
2087         (JSC::B3::ValueRep::isAny):
2088         (JSC::B3::ValueRep::isReg):
2089         (JSC::B3::ValueRep::isSomeRegister): Deleted.
2090         * b3/testb3.cpp:
2091         * ftl/FTLLowerDFGToB3.cpp:
2092         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2093         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2094         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2095         * tests/stress/ftl-bit-xor-right-result-interference.js: Added.
2096
2097 2016-07-20  Michael Saboff  <msaboff@apple.com>
2098
2099         CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets
2100         https://bugs.webkit.org/show_bug.cgi?id=159954
2101
2102         Reviewed by Benjamin Poulain.
2103
2104         YarrPatternConstructor::setupAlternativeOffsets() is using the checked arithmetic class
2105         Checked<> for offset calculations.  However, the default use will just crash on
2106         overflow.  Instead we should stop processing and propagate the error up the call stack.
2107
2108         Consolidated explicit error string with the common RegExp parsing error logic.
2109         Moved that logic to YarrPattern as that seems like a better common place to put it.
2110
2111         * jit/JITOperations.cpp:
2112         * llint/LLIntSlowPaths.cpp:
2113         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2114         * tests/stress/regress-159954.js: New test.
2115         * yarr/YarrParser.h:
2116         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
2117         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
2118         (JSC::Yarr::Parser::Parser):
2119         (JSC::Yarr::Parser::isIdentityEscapeAnError):
2120         (JSC::Yarr::Parser::parseEscape):
2121         (JSC::Yarr::Parser::parseCharacterClass):
2122         (JSC::Yarr::Parser::parseParenthesesBegin):
2123         (JSC::Yarr::Parser::parseParenthesesEnd):
2124         (JSC::Yarr::Parser::parseQuantifier):
2125         (JSC::Yarr::Parser::parseTokens):
2126         (JSC::Yarr::Parser::parse):
2127         * yarr/YarrPattern.cpp:
2128         (JSC::Yarr::YarrPatternConstructor::disjunction):
2129         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2130         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
2131         (JSC::Yarr::YarrPattern::errorMessage):
2132         (JSC::Yarr::YarrPattern::compile):
2133         * yarr/YarrPattern.h:
2134         (JSC::Yarr::YarrPattern::reset):
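
The propagation shape this entry describes, as an added example that is not JSC's Yarr code: a minimal checked 32-bit counter (my own stand-in for a checked-arithmetic wrapper that records overflow instead of crashing) used by a constructed setupAlternativeOffsets() that returns an error code, which a single shared errorMessage() turns into text for the caller. The Term fields, the error enum and the message string are assumptions.

```cpp
// Added example (not WebKit code): offset accumulation that reports overflow
// to the caller instead of crashing the process.
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Stand-in for a checked-arithmetic wrapper in "record overflow" mode: once an
// operation overflows, the flag sticks and the value is no longer trusted.
class CheckedU32 {
public:
    CheckedU32(uint32_t v = 0) : m_value(v) {}
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeGet() const { return m_value; }   // only meaningful if !hasOverflowed()
    CheckedU32& operator+=(CheckedU32 rhs) {
        m_overflowed |= rhs.m_overflowed;
        if (rhs.m_value > std::numeric_limits<uint32_t>::max() - m_value)
            m_overflowed = true;
        else
            m_value += rhs.m_value;
        return *this;
    }
    CheckedU32& operator*=(CheckedU32 rhs) {
        m_overflowed |= rhs.m_overflowed;
        if (m_value && rhs.m_value > std::numeric_limits<uint32_t>::max() / m_value)
            m_overflowed = true;
        else
            m_value *= rhs.m_value;
        return *this;
    }
private:
    uint32_t m_value;
    bool m_overflowed = false;
};

// Constructed model of one term in a regexp alternative: the frame slots it
// needs per iteration and its maximum quantifier count.
struct Term { uint32_t frameSize; uint32_t maxCount; };

enum class ErrorCode { NoError, OffsetTooLarge };

// Constructed stand-in for setupAlternativeOffsets(): the running offset is
// checked, and an overflow becomes an error code for the caller.
ErrorCode setupAlternativeOffsets(const std::vector<Term>& alternative, uint32_t& frameSizeOut) {
    CheckedU32 offset;
    for (const Term& term : alternative) {
        CheckedU32 slots = term.frameSize;
        slots *= term.maxCount;
        offset += slots;
        if (offset.hasOverflowed())
            return ErrorCode::OffsetTooLarge;     // propagate, do not crash
    }
    frameSizeOut = offset.unsafeGet();
    return ErrorCode::NoError;
}

// One place that maps codes to messages, shared by parse and compile errors
// (the message text is constructed for this example).
const char* errorMessage(ErrorCode code) {
    switch (code) {
    case ErrorCode::OffsetTooLarge: return "regular expression too large";
    default: return nullptr;
    }
}

// Stand-in for the compile() caller: message on failure, nullptr on success.
const char* compilePattern(const std::vector<Term>& alternative, uint32_t& frameSizeOut) {
    return errorMessage(setupAlternativeOffsets(alternative, frameSizeOut));
}

// Small pattern: 1 slot x 3 repeats + 2 slots x 4 repeats = 11 frame slots.
uint32_t smallPatternFrameSize() {
    uint32_t frameSize = 0;
    compilePattern({{1, 3}, {2, 4}}, frameSize);
    return frameSize;
}

// Constructed pathological input: a quantifier count large enough that
// frameSize * maxCount does not fit in 32 bits. True if it is rejected cleanly
// (error reported, no frame size published) rather than wrapping around.
bool hugeQuantifierIsRejected() {
    uint32_t frameSize = 0;
    const char* error = compilePattern({{4, 0x7FFFFFFFu}}, frameSize);
    return error != nullptr && frameSize == 0;
}

int main() {
    std::printf("small pattern frame size: %u\n", smallPatternFrameSize());
    std::printf("huge quantifier rejected: %s\n", hugeQuantifierIsRejected() ? "yes" : "no");
    return 0;
}
```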
2135
2136 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2137
2138         The default testing mode should not involve disabling the FTL JIT
2139         https://bugs.webkit.org/show_bug.cgi?id=159929
2140
2141         Rubber stamped by Mark Lam and Saam Barati.
2142         
2143         Use the new powers to make some tests run only in the default configuration (i.e. FTL,
2144         concurrent JIT).
2145
2146         * tests/mozilla/mozilla-tests.yaml:
2147
2148 2016-07-19  Keith Miller  <keith_miller@apple.com>
2149
2150         Test262 should have a file with the revision and url
2151         https://bugs.webkit.org/show_bug.cgi?id=159937
2152
2153         Reviewed by Mark Lam.
2154
2155         The file.
2156
2157         * tests/test262/test262-Revision.txt: Added.
2158
2159 2016-07-19  Anders Carlsson  <andersca@apple.com>
2160
2161         WebCore-7602.1.42 fails to build: error: private field 'm_vm' is not used
2162         https://bugs.webkit.org/show_bug.cgi?id=159944
2163         rdar://problem/27420308
2164
2165         Reviewed by Dan Bernstein.
2166
2167         Wrap the m_vm declaration and initialization in conditional guards.
2168
2169         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2170         (generate_members):
2171         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2172         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2173         Add guards.
2174
2175         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2176         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2177         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2178         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2179         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2180         Update expected results.
2181
2182 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2183
2184         REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
2185         https://bugs.webkit.org/show_bug.cgi?id=159930
2186
2187         Reviewed by Geoffrey Garen.
2188         
2189         The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
2190         Register::scope() method was causing us to assert that it's a JSValue with proper cell
2191         boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
2192         would have made anything better. This fixes the issue by teaching Register::scope() that it
2193         might see unboxed cells.
2194
2195         * runtime/JSScope.h:
2196         (JSC::Register::scope):
2197         (JSC::ExecState::lexicalGlobalObject):
2198
2199 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2200
2201         B3 methods that mutate the successors array should take FrequentedBlock by value
2202         https://bugs.webkit.org/show_bug.cgi?id=159935
2203
2204         Reviewed by Michael Saboff.
2205         
2206         This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
2207         caller that caused the ASan crash was doing:
2208
2209         block->setSuccessors(block->notTaken())
2210
2211         So, inside setSuccessors(), after we resize() the successors array, the const
2212         FrequentedBlock& points to nonsense.
2213
2214         The fix is to pass FrequentedBlock by value in all of these kinds of methods.
2215         
2216         No new tests, but ASan testing catches this instantly for anything that triggers CFG
2217         simplification in B3. So like half of our tests.
2218
2219         * b3/B3BasicBlock.cpp:
2220         (JSC::B3::BasicBlock::clearSuccessors):
2221         (JSC::B3::BasicBlock::appendSuccessor):
2222         (JSC::B3::BasicBlock::setSuccessors):
2223         * b3/B3BasicBlock.h:
2224         (JSC::B3::BasicBlock::successors):
2225         (JSC::B3::BasicBlock::successorBlock):
2226         * b3/B3Value.cpp:
2227         (JSC::B3::Value::replaceWithPhi):
2228         (JSC::B3::Value::replaceWithJump):
2229         (JSC::B3::Value::replaceWithOops):
2230         * b3/B3Value.h:
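
The hazard in this entry, as an added example that is not B3's BasicBlock code: a stand-in successor list whose resize() poisons the dropped slots (so the aliased read is observable here without ASan), a setSuccessors taking const FrequentedBlock& beside the by-value fix, and the block->setSuccessors(block->notTaken()) call from the entry driving both. All types and bodies are simplified assumptions.

```cpp
// Added example (not WebKit code): why passing FrequentedBlock by reference
// into a method that mutates the successor array reads through a dangling
// reference, and why taking it by value fixes that.
#include <cstddef>
#include <cstdio>

struct BasicBlock;

// Stand-in for B3's FrequentedBlock: a successor edge plus a frequency.
struct FrequentedBlock {
    BasicBlock* block = nullptr;
    double frequency = 0;
};

// Stand-in successor array. Dropped slots are poisoned on resize(), which makes
// a read through a reference into them observable in this example; with the
// real container that same read is what ASan reported.
class SuccessorList {
public:
    size_t size() const { return m_size; }
    FrequentedBlock& operator[](size_t i) { return m_items[i]; }
    const FrequentedBlock& operator[](size_t i) const { return m_items[i]; }
    void append(FrequentedBlock edge) { m_items[m_size++] = edge; }
    void resize(size_t n) {
        for (size_t i = n; i < m_size; ++i)
            m_items[i] = FrequentedBlock{};   // poison: {nullptr, 0}
        m_size = n;
    }
private:
    FrequentedBlock m_items[4];
    size_t m_size = 0;
};

struct BasicBlock {
    SuccessorList successors;
    const FrequentedBlock& taken() const { return successors[0]; }
    const FrequentedBlock& notTaken() const { return successors[1]; }

    // Before the fix: `target` may alias successors[1]; resize(1) invalidates
    // that slot before the copy into slot 0 happens.
    void setSuccessorsByRef(const FrequentedBlock& target) {
        successors.resize(1);
        successors[0] = target;   // reads the invalidated slot when aliased
    }
    // After the fix: the argument is copied at the call site, before mutation.
    void setSuccessors(FrequentedBlock target) {
        successors.resize(1);
        successors[0] = target;
    }
};

// Builds a two-successor (Branch-shaped) block and rewrites it to jump only to
// its not-taken successor, the CFG-simplification step from the entry.
// Returns the block the single remaining edge points at.
static BasicBlock* collapseToNotTaken(BasicBlock& block, BasicBlock& taken,
                                      BasicBlock& notTaken, bool byValueFix) {
    block.successors.append({&taken, 0.5});
    block.successors.append({&notTaken, 0.5});
    if (byValueFix)
        block.setSuccessors(block.notTaken());
    else
        block.setSuccessorsByRef(block.notTaken());
    return block.successors.size() == 1 ? block.successors[0].block : nullptr;
}

// True when the by-value method keeps the edge to the not-taken block.
bool fixedVersionKeepsNotTaken() {
    BasicBlock b, t, nt;
    return collapseToNotTaken(b, t, nt, true) == &nt;
}

// True when the by-reference method loses the edge (here: poisoned to null).
bool buggyVersionLosesNotTaken() {
    BasicBlock b, t, nt;
    return collapseToNotTaken(b, t, nt, false) == nullptr;
}

int main() {
    std::printf("by value:     %s\n", fixedVersionKeepsNotTaken() ? "edge intact" : "edge lost");
    std::printf("by reference: %s\n", buggyVersionLosesNotTaken() ? "edge lost" : "edge intact");
    return 0;
}
```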
2231
2232 2016-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2233
2234         Make builtin TypeErrors consistent
2235         https://bugs.webkit.org/show_bug.cgi?id=159899
2236
2237         Reviewed by Keith Miller.
2238
2239         Converge on the single TypeError for non-coercible this objects in builtins.
2240         Also update some other style to be more consistent within builtins.
2241
2242         * builtins/ArrayIteratorPrototype.js:
2243         (next):
2244         * builtins/ArrayPrototype.js:
2245         (values):
2246         (keys):
2247         (entries):
2248         (reduce):
2249         (reduceRight):
2250         (every):
2251         (forEach):
2252         (filter):
2253         (map):
2254         (some):
2255         (fill):
2256         (find):
2257         (findIndex):
2258         (includes):
2259         (sort):
2260         (concatSlowPath):
2261         (copyWithin):
2262         * builtins/StringPrototype.js:
2263         (match):
2264         (repeat):
2265         (padStart):
2266         (padEnd):
2267         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
2268         (localeCompare):
2269         (search):
2270         (split):
2271         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
2272         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
2273         * tests/stress/array-iterators-next-error-messages.js:
2274         (catch):
2275         * tests/stress/array-iterators-next-with-call.js:
2276         * tests/stress/regexp-match.js:
2277         (shouldThrow):
2278         * tests/stress/regexp-search.js:
2279         (shouldThrow):
2280
2281 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2282
2283         Implement table-based switches in B3/Air
2284         https://bugs.webkit.org/show_bug.cgi?id=151141
2285
2286         Reviewed by Benjamin Poulain.
2287
2288         If a switch statement gets large, it's better to express it as an indirect jump rather than
2289         using a binary switch (divide-and-conquer tree of comparisons leading to O(log n) branches to
2290         get to the switch case). When dealing with integer switches, FTL will already use the B3
2291         Switch and expect this to get lowered as efficiently as possible; it's a bug that B3 will
2292         always use a binary switch rather than indirect jumps. When dealing with switches over some
2293         more sophisticated types, we'd want FTL to build an indirect jump table itself and use
2294         something like a hashtable to feed it. In that case, there will be no B3 Switch; we'll want
2295         some way for the FTL to directly express an indirection jump when emitting B3.
2296         
2297         This implies that we want B3 to have the ability to lower Switch to indirect jumps and to
2298         expose those indirect jumps in IR so that the FTL could do its own indirect jumps for
2299         switches over more complicated things like strings. But indirect jumps are tough to express
2300         in IR. For example, the LLVM approach ("indirectbr" and "blockaddress", see
2301         http://blog.llvm.org/2010/01/address-of-label-and-indirect-branches.html) means that some
2302         control flow edges cannot be split. Indirectbr takes an address as input and jumps to it, and
2303         blockaddress lets you build jump tables out of basic block addresses. This means that the
2304         compiler can never change any successor of an indirectbr, since the client will have already
2305         arranged for that indirectbr to jump to exactly those successors. We don't want such
2306         restrictions in B3, since B3 relies on being able to break critical edges for SSA conversion.
2307         Also, indirectbr is not cloneable, which would break any hope of doing specialization-based
2308         transformations like we want to do for multiple entrypoints (bug 159391). The goal of this
2309         change is to let clients do indirect jumps without placing any restrictions on IR.
2310         
2311         The trick is to allow Patchpoints to be used as block terminals. Patchpoints already allow
2312         clients of B3 to emit whatever code they like. Patchpoints are friendly to B3's other
2313         transformations because the client of the patchpoint has to play along with whatever
2314         decisions B3 had made around the patchpoint: what registers got used, what the control flow
2315         looks like, etc. Patchpoints can even be cloned by B3, and the client has to accommodate this
2316         in their patchpoint generator. It turns out that using Patchpoints as terminals is quite
2317         natural. We accomplish this by moving the successor edges out of ControlValue and into
2318         BasicBlock, and removing ControlValue entirely. This way, any Value subclass can be a
2319         terminal. It was already true that a Value is a terminal if value->effects().terminal, which
2320         works great with Patchpoints since they control their effects via PatchpointValue::effects.
2321         You can make your Patchpoint into a terminal by placing it at the end of a block and doing:
2322         
2323         patchpoint->effects.terminal = true;
2324         
2325         A Patchpoint in terminal position gets access to additional API in StackmapGenerationParams.
2326         The generator can get a Box<Label> for each successor to its owning block. For example, to
2327         implement a jump-table-based switch, you would make your patchpoint take the table index as
2328         its sole input. Inside the generator, you allocate the jump table and emit a BaseIndex jump
2329         that uses the jump table pointer (which will be a constant known to the generator since it
2330         just allocated it) as the base and the patchpoint input as an index. The jump table can be
2331         populated by MacroAssemblerCodePtr's computed by installing a link task to resolve the labels
2332         to concrete locations. This change makes LowerMacros do such a lowering for Switches that can
2333         benefit from jump tables. This happens recursively: if the original Switch is too sparse, we
2334         will divide-and-conquer as before. If at any recursion step we find that the remaining cases
2335         are dense and large enough to profit from a jump table, then those cases will be lowered to a
2336         Patchpoint that does the table jump. This is a fun way to do stepwise lowering: LowerMacros
2337         is essentially pre-lowering the Switch directly to machine code, and wrapping that machine
2338         code in a Patchpoint so that the rest of the compiler doesn't have to know anything about
2339         what happened. I suspect that in the future we will want to do other pre-lowerings this way,
2340         whenever the B3 IR phases have some special knowledge about what machine code should be
2341         emitted and it would be annoying to drag that knowledge through the rest of the compiler.
2342         
2343         One downside of this change is that we used ControlValue in so many places. Most of this
2344         patch involves removing references to ControlValue. It would be less than 100kb if it wasn't
2345         for that. To make this a bit easier, I added "appendNewControlValue" methods to BasicBlock,
2346         which allocate a Value and set the successors as if you had done "appendNew<ControlValue>".
2347         This made for an easy search-and-replace in testb3 and FTLOutput. I filed bug 159440 to
2348         remove this ugly stopgap method.
2349         
2350         I think that we will also end up using this facility to extend our use of snippets. We
2351         already use shared snippet generators for the generic forms of arithmetic. We will probably
2352         also want to do this for generic forms of branches. This wouldn't have been possible prior to
2353         this change, since there would have been no way to emit a control snippet in FTL. Now we can
2354         emit control snippets using terminal patchpoints.
2355
2356         This is a ~30% speed-up on microbenchmarks that have big switch statements (~60 cases). It's
2357         not a speed-up on mainstream benchmarks.
2358         
2359         This also adds a new test to testb3 for terminal Patchpoints, Get, and Set. The FTL does not
2360         currently use terminal Patchpoints directly, but we want this to be possible. It also doesn't
2361         use Get/Set directly even though we want this to be possible. It's important to test these
2362         since opcodes that result from lowering don't affect early phases, so we could have
2363         regressions in early phases related to these opcodes that wouldn't be caught by any JS test.
2364         So, this adds a very basic threaded interpreter to testb3 for a Brainfuck-style language, and
2365         tests it by having it run a program that prints the numbers 1..100 in a loop. Unlike a real
2366         threaded interpreter, it uses a common dispatch block rather than having dispatch at the
2367         terminus of each opcode. That's necessary because PolyJump is not cloneable. The state of the
2368         interpreter is represented using Variables that we Get and Set, so it tests Get/Set as well.
2369
2370         * CMakeLists.txt:
2371         * JavaScriptCore.xcodeproj/project.pbxproj:
2372         * assembler/MacroAssemblerARM64.h:
2373         (JSC::MacroAssemblerARM64::jump):
2374         * assembler/MacroAssemblerX86Common.h:
2375         (JSC::MacroAssemblerX86Common::jump):
2376         * assembler/X86Assembler.h:
2377         (JSC::X86Assembler::jmp_m):
2378         * b3/B3BasicBlock.cpp:
2379         (JSC::B3::BasicBlock::append):
2380         (JSC::B3::BasicBlock::appendNonTerminal):
2381         (JSC::B3::BasicBlock::removeLast):
2382         (JSC::B3::BasicBlock::appendIntConstant):
2383         (JSC::B3::BasicBlock::clearSuccessors):
2384         (JSC::B3::BasicBlock::appendSuccessor):
2385         (JSC::B3::BasicBlock::setSuccessors):
2386         (JSC::B3::BasicBlock::replaceSuccessor):
2387         (JSC::B3::BasicBlock::addPredecessor):
2388         (JSC::B3::BasicBlock::deepDump):
2389         (JSC::B3::BasicBlock::appendNewControlValue):
2390         * b3/B3BasicBlock.h:
2391         (JSC::B3::BasicBlock::numSuccessors):
2392         (JSC::B3::BasicBlock::successor):
2393         (JSC::B3::BasicBlock::successors):
2394         (JSC::B3::BasicBlock::successorBlock):
2395         (JSC::B3::BasicBlock::successorBlocks):
2396         (JSC::B3::BasicBlock::numPredecessors):
2397         (JSC::B3::BasicBlock::predecessor):
2398         (JSC::B3::BasicBlock::frequency):
2399         * b3/B3BasicBlockInlines.h:
2400         (JSC::B3::BasicBlock::replaceLastWithNew):
2401         (JSC::B3::BasicBlock::taken):
2402         (JSC::B3::BasicBlock::notTaken):
2403         (JSC::B3::BasicBlock::fallThrough):
2404         (JSC::B3::BasicBlock::numSuccessors): Deleted.
2405         (JSC::B3::BasicBlock::successor): Deleted.
2406         (JSC::B3::BasicBlock::successors): Deleted.
2407         (JSC::B3::BasicBlock::successorBlock): Deleted.
2408         (JSC::B3::BasicBlock::successorBlocks): Deleted.
2409         * b3/B3BlockInsertionSet.cpp:
2410         (JSC::B3::BlockInsertionSet::splitForward):
2411         * b3/B3BreakCriticalEdges.cpp:
2412         (JSC::B3::breakCriticalEdges):
2413         * b3/B3CaseCollection.cpp: Added.
2414         (JSC::B3::CaseCollection::dump):
2415         * b3/B3CaseCollection.h: Added.
2416         (JSC::B3::CaseCollection::CaseCollection):
2417         (JSC::B3::CaseCollection::operator[]):
2418         (JSC::B3::CaseCollection::iterator::iterator):
2419         (JSC::B3::CaseCollection::iterator::operator*):
2420         (JSC::B3::CaseCollection::iterator::operator++):
2421         (JSC::B3::CaseCollection::iterator::operator==):
2422         (JSC::B3::CaseCollection::iterator::operator!=):
2423         (JSC::B3::CaseCollection::begin):
2424         (JSC::B3::CaseCollection::end):
2425         * b3/B3CaseCollectionInlines.h: Added.
2426         (JSC::B3::CaseCollection::fallThrough):
2427         (JSC::B3::CaseCollection::size):
2428         (JSC::B3::CaseCollection::at):
2429         * b3/B3CheckSpecial.cpp:
2430         (JSC::B3::CheckSpecial::CheckSpecial):
2431         (JSC::B3::CheckSpecial::hiddenBranch):
2432         * b3/B3Common.h:
2433         (JSC::B3::is64Bit):
2434         * b3/B3ControlValue.cpp: Removed.
2435         * b3/B3ControlValue.h: Removed.
2436         * b3/B3DataSection.cpp:
2437         (JSC::B3::DataSection::DataSection):
2438         * b3/B3DuplicateTails.cpp:
2439         * b3/B3FixSSA.cpp:
2440         * b3/B3FoldPathConstants.cpp:
2441         * b3/B3LowerMacros.cpp:
2442         * b3/B3LowerToAir.cpp:
2443         (JSC::B3::Air::LowerToAir::run):
2444         (JSC::B3::Air::LowerToAir::lower):
2445         * b3/B3MathExtras.cpp:
2446         (JSC::B3::powDoubleInt32):
2447         * b3/B3Opcode.h:
2448         (JSC::B3::isConstant):
2449         (JSC::B3::isDefinitelyTerminal):
2450         * b3/B3PatchpointSpecial.cpp:
2451         (JSC::B3::PatchpointSpecial::generate):
2452         (JSC::B3::PatchpointSpecial::isTerminal):
2453         (JSC::B3::PatchpointSpecial::dumpImpl):
2454         * b3/B3PatchpointSpecial.h:
2455         * b3/B3Procedure.cpp:
2456         (JSC::B3::Procedure::resetReachability):
2457         * b3/B3Procedure.h:
2458         (JSC::B3::Procedure::lastPhaseName):
2459         (JSC::B3::Procedure::byproducts):
2460         * b3/B3ReduceStrength.cpp:
2461         * b3/B3StackmapGenerationParams.cpp:
2462         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2463         (JSC::B3::StackmapGenerationParams::successorLabels):
2464         (JSC::B3::StackmapGenerationParams::fallsThroughToSuccessor):
2465         (JSC::B3::StackmapGenerationParams::proc):
2466         * b3/B3StackmapGenerationParams.h:
2467         (JSC::B3::StackmapGenerationParams::gpScratch):
2468         (JSC::B3::StackmapGenerationParams::fpScratch):
2469         * b3/B3SwitchValue.cpp:
2470         (JSC::B3::SwitchValue::~SwitchValue):
2471         (JSC::B3::SwitchValue::removeCase):
2472         (JSC::B3::SwitchValue::hasFallThrough):
2473         (JSC::B3::SwitchValue::setFallThrough):
2474         (JSC::B3::SwitchValue::appendCase):
2475         (JSC::B3::SwitchValue::dumpSuccessors):
2476         (JSC::B3::SwitchValue::dumpMeta):
2477         (JSC::B3::SwitchValue::cloneImpl):
2478         (JSC::B3::SwitchValue::SwitchValue):
2479         * b3/B3SwitchValue.h:
2480         (JSC::B3::SwitchValue::accepts):
2481         (JSC::B3::SwitchValue::caseValues):
2482         (JSC::B3::SwitchValue::cases):
2483         (JSC::B3::SwitchValue::fallThrough): Deleted.
2484         (JSC::B3::SwitchValue::size): Deleted.
2485         (JSC::B3::SwitchValue::at): Deleted.
2486         (JSC::B3::SwitchValue::operator[]): Deleted.
2487         (JSC::B3::SwitchValue::iterator::iterator): Deleted.
2488         (JSC::B3::SwitchValue::iterator::operator*): Deleted.
2489         (JSC::B3::SwitchValue::iterator::operator++): Deleted.
2490         (JSC::B3::SwitchValue::iterator::operator==): Deleted.
2491         (JSC::B3::SwitchValue::iterator::operator!=): Deleted.
2492         (JSC::B3::SwitchValue::begin): Deleted.
2493         (JSC::B3::SwitchValue::end): Deleted.
2494         * b3/B3Validate.cpp:
2495         * b3/B3Value.cpp:
2496         (JSC::B3::Value::replaceWithPhi):
2497         (JSC::B3::Value::replaceWithJump):
2498         (JSC::B3::Value::replaceWithOops):
2499         (JSC::B3::Value::dump):
2500         (JSC::B3::Value::deepDump):
2501         (JSC::B3::Value::dumpSuccessors):
2502         (JSC::B3::Value::negConstant):
2503         (JSC::B3::Value::typeFor):
2504         * b3/B3Value.h:
2505         * b3/air/AirCode.cpp:
2506         (JSC::B3::Air::Code::addFastTmp):
2507         (JSC::B3::Air::Code::addDataSection):
2508         (JSC::B3::Air::Code::jsHash):
2509         * b3/air/AirCode.h:
2510         (JSC::B3::Air::Code::isFastTmp):
2511         (JSC::B3::Air::Code::setLastPhaseName):
2512         * b3/air/AirCustom.h:
2513         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2514         (JSC::B3::Air::PatchCustom::isTerminal):
2515         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2516         (JSC::B3::Air::PatchCustom::generate):
2517         (JSC::B3::Air::CCallCustom::admitsStack):
2518         (JSC::B3::Air::CCallCustom::isTerminal):
2519         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
2520         (JSC::B3::Air::ShuffleCustom::admitsStack):
2521         (JSC::B3::Air::ShuffleCustom::isTerminal):
2522         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
2523         * b3/air/AirGenerate.cpp:
2524         (JSC::B3::Air::generate):
2525         * b3/air/AirGenerationContext.h:
2526         * b3/air/AirInst.h:
2527         (JSC::B3::Air::Inst::hasNonControlEffects):
2528         * b3/air/AirSimplifyCFG.cpp:
2529         (JSC::B3::Air::simplifyCFG):
2530         * b3/air/AirSpecial.cpp:
2531         (JSC::B3::Air::Special::shouldTryAliasingDef):
2532         (JSC::B3::Air::Special::isTerminal):
2533         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
2534         * b3/air/AirSpecial.h:
2535         * b3/air/AirValidate.cpp:
2536         * b3/air/opcode_generator.rb:
2537         * b3/testb3.cpp:
2538         * ftl/FTLLowerDFGToB3.cpp:
2539         * ftl/FTLOutput.cpp:
2540         (JSC::FTL::Output::jump):
2541         (JSC::FTL::Output::branch):
2542         (JSC::FTL::Output::ret):
2543         (JSC::FTL::Output::unreachable):
2544         (JSC::FTL::Output::speculate):
2545         (JSC::FTL::Output::trap):
2546         (JSC::FTL::Output::anchor):
2547         (JSC::FTL::Output::decrementSuperSamplerCount):
2548         (JSC::FTL::Output::addIncomingToPhi):
2549         * ftl/FTLOutput.h:
2550         (JSC::FTL::Output::constIntPtr):
2551         (JSC::FTL::Output::callWithoutSideEffects):
2552         (JSC::FTL::Output::switchInstruction):
2553         (JSC::FTL::Output::phi):
2554         (JSC::FTL::Output::addIncomingToPhi):
2555
2556 2016-07-18  Anders Carlsson  <andersca@apple.com>
2557
2558         WebKit nightly fails to build on macOS Sierra
2559         https://bugs.webkit.org/show_bug.cgi?id=159902
2560         rdar://problem/27365672
2561
2562         Reviewed by Tim Horton.
2563
2564         * icu/unicode/ucurr.h: Added.
2565         Add ucurr.h from ICU.
2566
2567 2016-07-18  Michael Saboff  <msaboff@apple.com>
2568
2569         ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
2570         https://bugs.webkit.org/show_bug.cgi?id=159883
2571
2572         Reviewed by Filip Pizlo.
2573
2574         New test.
2575
2576         * tests/stress/regress-159883.js: Added.
2577
2578 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
2579
2580         MarkedBlocks should know that they can be used for more than JSCells
2581         https://bugs.webkit.org/show_bug.cgi?id=159643
2582
2583         Reviewed by Geoffrey Garen.
2584         
2585         This teaches the Heap that a MarkedBlock may hold either JSCells, or Auxiliary, which is
2586         not a JSCell. It teaches the heap and all of the things that walk the heap to ignore
2587         non-JSCells whenever they are looking for global objects, JSObjects, and things to trace
2588         for debugging or profiling. The idea is that we will be able to allocate butterflies and
2589         typed array backing stores as Auxiliary in MarkedSpace rather than allocating those things
2590         in CopiedSpace. That's what bug 159658 is all about.
2591         
2592         This gives us a new type, called HeapCell, which is just meant to be a class distinct from
2593         JSCell or any type we would use for Auxiliary. For convenience, JSCell is a subclass of
2594         HeapCell. HeapCell has an enum called HeapCell::Kind, which is either HeapCell::JSCell or
2595         HeapCell::Auxiliary. MarkedSpace no longer speaks of JSCells directly except when dealing
2596         with destruction.
2597         
2598         This change required doing a lot of stuff to all of those functor callbacks, since they
2599         now take HeapCell* instead of JSCell* and they take an extra HeapCell::Kind argument to
2600         tell them if they are dealing with JSCells or Auxiliary. I figured that this would be as
2601         good a time as any to convert those functors to being lambda-compatible. This means that
2602         operator() must be const. In some cases, converting the operator() to be const would have
2603         taken more work than just turning the whole thing into a lambda. Whenever this was the
2604         case, I converted the code to use lambdas. I left a lot of functors alone. In cases where
2605         the functor would benefit from being a lambda, for example because it would get rid of
2606         const_casts or mutables, I put in a FIXME referencing bug 159644.
2607
2608         * CMakeLists.txt:
2609         * JavaScriptCore.xcodeproj/project.pbxproj:
2610         * debugger/Debugger.cpp:
2611         (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
2612         (JSC::Debugger::SetSteppingModeFunctor::operator()):
2613         (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
2614         (JSC::Debugger::ToggleBreakpointFunctor::operator()):
2615         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
2616         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
2617         (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
2618         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
2619         * heap/CodeBlockSet.h:
2620         (JSC::CodeBlockSet::iterate):
2621         * heap/HandleSet.h:
2622         (JSC::HandleNode::next):
2623         (JSC::HandleSet::forEachStrongHandle):
2624         * heap/Heap.cpp:
2625         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
2626         (JSC::GatherHeapSnapshotData::operator()):
2627         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
2628         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
2629         (JSC::Heap::protectedGlobalObjectCount):
2630         (JSC::Heap::globalObjectCount):
2631         (JSC::Heap::protectedObjectCount):
2632         (JSC::Heap::protectedObjectTypeCounts):
2633         (JSC::Heap::objectTypeCounts):
2634         (JSC::Heap::deleteAllCodeBlocks):
2635         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2636         (JSC::MarkedBlockSnapshotFunctor::operator()):
2637         (JSC::Zombify::visit):
2638         (JSC::Zombify::operator()):
2639         (JSC::Heap::zombifyDeadObjects):
2640         (JSC::Heap::flushWriteBarrierBuffer):
2641         * heap/Heap.h:
2642         (JSC::Heap::handleSet):
2643         (JSC::Heap::handleStack):
2644         * heap/HeapCell.cpp: Added.
2645         (WTF::printInternal):
2646         * heap/HeapCell.h: Added.
2647         (JSC::HeapCell::HeapCell):
2648         (JSC::HeapCell::zap):
2649         (JSC::HeapCell::isZapped):
2650         * heap/HeapInlines.h:
2651         (JSC::Heap::deprecatedReportExtraMemory):
2652         (JSC::Heap::forEachCodeBlock):
2653         (JSC::Heap::forEachProtectedCell):
2654         (JSC::Heap::allocateWithDestructor):
2655         * heap/HeapStatistics.cpp:
2656         (JSC::StorageStatistics::visit):
2657         (JSC::StorageStatistics::operator()):
2658         * heap/HeapVerifier.cpp:
2659         (JSC::GatherLiveObjFunctor::visit):
2660         (JSC::GatherLiveObjFunctor::operator()):
2661         * heap/MarkedAllocator.cpp:
2662         (JSC::MarkedAllocator::allocateBlock):
2663         (JSC::MarkedAllocator::addBlock):
2664         (JSC::MarkedAllocator::reset):
2665         (JSC::MarkedAllocator::lastChanceToFinalize):
2666         (JSC::LastChanceToFinalize::operator()): Deleted.
2667         * heap/MarkedAllocator.h:
2668         (JSC::MarkedAllocator::takeLastActiveBlock):
2669         (JSC::MarkedAllocator::resumeAllocating):
2670         (JSC::MarkedAllocator::forEachBlock):
2671         * heap/MarkedBlock.cpp:
2672         (JSC::MarkedBlock::create):
2673         (JSC::MarkedBlock::destroy):
2674         (JSC::MarkedBlock::MarkedBlock):
2675         (JSC::MarkedBlock::callDestructor):
2676         (JSC::MarkedBlock::specializedSweep):
2677         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2678         (JSC::SetNewlyAllocatedFunctor::operator()):
2679         (JSC::MarkedBlock::stopAllocating):
2680         (JSC::MarkedBlock::didRetireBlock):
2681         * heap/MarkedBlock.h:
2682         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2683         (JSC::MarkedBlock::CountFunctor::count):
2684         (JSC::MarkedBlock::CountFunctor::returnValue):
2685         (JSC::MarkedBlock::needsDestruction):
2686         (JSC::MarkedBlock::cellKind):
2687         (JSC::MarkedBlock::size):
2688         (JSC::MarkedBlock::clearNewlyAllocated):
2689         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2690         (JSC::MarkedBlock::isLive):
2691         (JSC::MarkedBlock::isLiveCell):
2692         (JSC::MarkedBlock::forEachCell):
2693         (JSC::MarkedBlock::forEachLiveCell):
2694         (JSC::MarkedBlock::forEachDeadCell):
2695         * heap/MarkedSpace.cpp:
2696         (JSC::MarkedSpace::MarkedSpace):
2697         (JSC::MarkedSpace::~MarkedSpace):
2698         (JSC::MarkedSpace::lastChanceToFinalize):
2699         (JSC::MarkedSpace::sweep):
2700         (JSC::MarkedSpace::zombifySweep):
2701         (JSC::MarkedSpace::resetAllocators):
2702         (JSC::MarkedSpace::visitWeakSets):
2703         (JSC::MarkedSpace::reapWeakSets):
2704         (JSC::MarkedSpace::forEachAllocator):
2705         (JSC::MarkedSpace::stopAllocating):
2706         (JSC::MarkedSpace::resumeAllocating):
2707         (JSC::MarkedSpace::isPagedOut):
2708         (JSC::MarkedSpace::shrink):
2709         (JSC::clearNewlyAllocatedInBlock):
2710         (JSC::MarkedSpace::clearNewlyAllocated):
2711         (JSC::MarkedSpace::clearMarks):
2712         (JSC::Free::Free): Deleted.
2713         (JSC::Free::operator()): Deleted.
2714         (JSC::FreeOrShrink::FreeOrShrink): Deleted.
2715         (JSC::FreeOrShrink::operator()): Deleted.
2716         (JSC::VisitWeakSet::VisitWeakSet): Deleted.
2717         (JSC::VisitWeakSet::operator()): Deleted.
2718         (JSC::ReapWeakSet::operator()): Deleted.
2719         (JSC::LastChanceToFinalize::operator()): Deleted.
2720         (JSC::StopAllocatingFunctor::operator()): Deleted.
2721         (JSC::ResumeAllocatingFunctor::operator()): Deleted.
2722         (JSC::ClearNewlyAllocated::operator()): Deleted.
2723         (JSC::VerifyNewlyAllocated::operator()): Deleted.
2724         * heap/MarkedSpace.h:
2725         (JSC::MarkedSpace::forEachLiveCell):
2726         (JSC::MarkedSpace::forEachDeadCell):
2727         (JSC::MarkedSpace::allocatorFor):
2728         (JSC::MarkedSpace::allocateWithDestructor):
2729         (JSC::MarkedSpace::forEachBlock):
2730         (JSC::MarkedSpace::didAddBlock):
2731         (JSC::MarkedSpace::objectCount):
2732         (JSC::MarkedSpace::size):
2733         (JSC::MarkedSpace::capacity):
2734         (JSC::ClearMarks::operator()): Deleted.
2735         (JSC::Sweep::operator()): Deleted.
2736         (JSC::ZombifySweep::operator()): Deleted.
2737         (JSC::MarkCount::operator()): Deleted.
2738         (JSC::Size::operator()): Deleted.
2739         * runtime/JSCell.h:
2740         (JSC::JSCell::zap): Deleted.
2741         (JSC::JSCell::isZapped): Deleted.
2742         * runtime/JSCellInlines.h:
2743         (JSC::allocateCell):
2744         (JSC::JSCell::isObject):
2745         (JSC::isZapped): Deleted.
2746         * runtime/JSGlobalObject.cpp:
2747         * tools/JSDollarVMPrototype.cpp:
2748         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2749         (JSC::CellAddressCheckFunctor::operator()):
2750
2751 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
2752
2753         Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes memory growth
2754         https://bugs.webkit.org/show_bug.cgi?id=159754
2755
2756         Reviewed by Geoffrey Garen.
2757         
2758         If you create and destroy workers at a high rate and those workers enqueue some DFG plans
2759         that are still not compiled at the time that the worker is closed, then the closed workers
2760         end up stalling in VM::~VM waiting for the DFG worklist thread to finish those plans. Since
2761         we don't actually cancel the plans, it's easy to create a situation where the workers
2762         outpace the DFG worklist, especially if you create many workers at a time and each one
2763         finishes just after enqueueing those plans.
2764         
2765         The solution is to allow VM::~VM to remove plans from the DFG worklist that are related to
2766         that VM but aren't currently being worked on. That turns out to be an easy change.
2767         
2768         I have a test that repros this, but it's quite long-running. I call it workers/bomb.html. We
2769         may want to exclude it from test runs because of how long it takes.
2770
2771         * dfg/DFGWorklist.cpp:
2772         (JSC::DFG::Worklist::removeDeadPlans):
2773         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2774         (JSC::DFG::Worklist::queueLength):
2775         (JSC::DFG::Worklist::runThread):
2776         * dfg/DFGWorklist.h:
2777         * runtime/VM.cpp:
2778         (JSC::VM::~VM):
2779
2780 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2781
2782         Object.preventExtensions/seal/freeze makes code much slower
2783         https://bugs.webkit.org/show_bug.cgi?id=143247
2784
2785         Reviewed by Michael Saboff.
2786         
2787         This has been a huge pet peeve of mine for a long time, but I was always afraid of fixing
2788         it because I thought that it would be hard. Well, it looks like it's not hard at all.
2789         
2790         The problem is that you cannot mutate a structure that participates in transition caching.
2791         You can only clone the structure and mutate that one. But if you do this, you have to make
2792         a hard choice:
2793         
2794         1) Clone the structure without caching the transition. This is what the code did before
2795            this change. It's the most obvious choice, but it introduces an uncacheable transition
2796            that leads to an explosion of structures, which then breaks all inline caches.
2797         
2798         2) Perform one of the existing cacheable transitions. Cacheable transitions can either add
2799            properties or they can do one of the NonPropertyTransitions, which until now have been
2800            restricted to just IndexingType transitions. So, only adding transitions or making
2801            certain prescribed changes to the indexing type count as cacheable transitions.
2802         
2803         This change decouples NonPropertyTransition from IndexingType and adds three new kinds of
2804         transitions: PreventExtensions, Seal, and Freeze. We have to give any cacheable transition
2805         a name that fully disambiguates this transition from any other, so that the transition can
2806         be cached. Since we're already giving them names in an enum, I figured that the most
2807         pragmatic way to implement them is to have Structure::nonPropertyTransition() case on the
2808         NonPropertyTransition and implement all of the mutations associated with that transition.
2809         The alternative would have been to allow callers of nonPropertyTransition() to supply
2810         something like a lambda that describes the mutation, but this seemed awkward since each
2811         set of mutations has to anyway be tied to one of the NonPropertyTransition members.
2812         
2813         This is an enormous speed-up on microbenchmarks that use Object.preventExtensions(),
2814         Object.seal(), or Object.freeze(). I don't know if "real" benchmarks use these features
2815         and I don't really care. This should be fast.
2816
2817         * runtime/JSObject.cpp:
2818         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2819         (JSC::JSObject::createInitialUndecided):
2820         (JSC::JSObject::createInitialInt32):
2821         (JSC::JSObject::createInitialDouble):
2822         (JSC::JSObject::createInitialContiguous):
2823         (JSC::JSObject::convertUndecidedToInt32):
2824         (JSC::JSObject::convertUndecidedToDouble):
2825         (JSC::JSObject::convertUndecidedToContiguous):
2826         (JSC::JSObject::convertInt32ToDouble):
2827         (JSC::JSObject::convertInt32ToContiguous):
2828         (JSC::JSObject::convertDoubleToContiguous):
2829         (JSC::JSObject::switchToSlowPutArrayStorage):
2830         * runtime/Structure.cpp:
2831         (JSC::Structure::suggestedArrayStorageTransition):
2832         (JSC::Structure::addPropertyTransition):
2833         (JSC::Structure::toUncacheableDictionaryTransition):
2834         (JSC::Structure::sealTransition):
2835         (JSC::Structure::freezeTransition):
2836         (JSC::Structure::preventExtensionsTransition):
2837         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2838         (JSC::Structure::nonPropertyTransition):
2839         (JSC::Structure::pin):
2840         (JSC::Structure::pinForCaching):
2841         (JSC::Structure::allocateRareData):
2842         * runtime/Structure.h:
2843         * runtime/StructureTransitionTable.h:
2844         (JSC::toAttributes):
2845         (JSC::changesIndexingType):
2846         (JSC::newIndexingType):
2847         (JSC::preventsExtensions):
2848         (JSC::setsDontDeleteOnAllProperties):
2849         (JSC::setsReadOnlyOnAllProperties):
2850
2851 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2852
2853         RegisterSet should use a Bitmap instead of a BitVector so that it never allocates memory and is trivial to copy
2854         https://bugs.webkit.org/show_bug.cgi?id=159863
2855
2856         Reviewed by Saam Barati.
2857         
2858         Switch RegisterSet to Bitmap because Bitmap doesn't ever allocate memory and can be
2859         assigned by memcpy. This should be a performance improvement for compiler code that does a
2860         lot of things with RegisterSet. For example, it's one of the fundamental data structures in
2861         Air. The previous use of BitVector meant that almost every operation on RegisterSet would
2862         have a slow path call. On ARM64, it would mean memory allocation for any RegisterSet that
2863         used all available registers.
2864         
2865         This meant adding even more GPR/FPR reflection to the MacroAssembler API: we now have consts
2866         called numGPRs and numFPRs. This is necessary to statically size the Bitmap in RegisterSet.
2867         
2868         Here's the breakdown of sizes of RegisterSet on different CPUs:
2869         
2870         x86-32: 8 bits (GPRs) + 8 bits (FPRs) + 1 bit (is deleted) = 1x uint32_t.
2871         x86-64: 16 bits + 16 bits + 1 bit = 2x uint32_t.
2872         ARMv7: 16 bits + 16 bits + 1 bit = 2x uint32_t.
2873         ARM64: 32 bits + 32 bits + 1 bit = 3x uint32_t.
2874
2875         * assembler/MacroAssemblerARM.h:
2876         * assembler/MacroAssemblerARM64.h:
2877         * assembler/MacroAssemblerARMv7.h:
2878         * assembler/MacroAssemblerX86.h:
2879         * assembler/MacroAssemblerX86Common.h:
2880         (JSC::MacroAssemblerX86Common::scratchRegister):
2881         * assembler/MacroAssemblerX86_64.h:
2882         * jit/RegisterSet.h:
2883         (JSC::RegisterSet::set):
2884         (JSC::RegisterSet::get):
2885         (JSC::RegisterSet::setAll):
2886         (JSC::RegisterSet::merge):
2887         (JSC::RegisterSet::filter):
2888         (JSC::RegisterSet::exclude):
2889         (JSC::RegisterSet::numberOfSetRegisters):
2890         (JSC::RegisterSet::RegisterSet):
2891         (JSC::RegisterSet::isEmptyValue):
2892         (JSC::RegisterSet::isDeletedValue):
2893         (JSC::RegisterSet::operator==):
2894         (JSC::RegisterSet::operator!=):
2895         (JSC::RegisterSet::hash):
2896         (JSC::RegisterSet::forEach):
2897         (JSC::RegisterSet::setMany):
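
        The size breakdown above, worked through as a statically sized set. This is an added example and
        not JSC's RegisterSet or WTF::Bitmap: it packs one bit per GPR, one per FPR and one "is deleted"
        marker into uint32_t words sized at compile time from the register counts, so no operation can
        allocate and a copy is a plain memcpy. The register numbering (GPRs first, then FPRs) and the
        helper names are assumptions of the example, not WebKit's.

```cpp
#include <array>
#include <cstdint>

// Statically sized register set modelled on the table above: one bit per GPR,
// one bit per FPR, plus one "is deleted" marker bit so the set can serve as a
// hash-table key. All bits live in a std::array of uint32_t, so the object is
// trivially copyable and no code path ever touches the heap.
template <unsigned NumGPRs, unsigned NumFPRs>
class FixedRegisterSet {
public:
    static constexpr unsigned numRegisters = NumGPRs + NumFPRs;
    static constexpr unsigned numBits = numRegisters + 1;     // +1 for the deleted marker
    static constexpr unsigned numWords = (numBits + 31) / 32; // uint32_t words needed
    static constexpr unsigned deletedBit = numRegisters;

    // Register numbering (an assumption of this example, not JSC's):
    // GPRs occupy [0, NumGPRs), FPRs occupy [NumGPRs, NumGPRs + NumFPRs).
    static constexpr unsigned gpr(unsigned index) { return index; }
    static constexpr unsigned fpr(unsigned index) { return NumGPRs + index; }

    void set(unsigned reg, bool value = true)
    {
        uint32_t mask = 1u << (reg % 32);
        if (value)
            m_words[reg / 32] |= mask;
        else
            m_words[reg / 32] &= ~mask;
    }

    bool get(unsigned reg) const { return (m_words[reg / 32] >> (reg % 32)) & 1u; }

    void setAll()
    {
        for (unsigned reg = 0; reg < numRegisters; ++reg)
            set(reg);
    }

    // Set algebra is a word-at-a-time loop with no slow path.
    void merge(const FixedRegisterSet& other)   { for (unsigned i = 0; i < numWords; ++i) m_words[i] |= other.m_words[i]; }
    void filter(const FixedRegisterSet& other)  { for (unsigned i = 0; i < numWords; ++i) m_words[i] &= other.m_words[i]; }
    void exclude(const FixedRegisterSet& other) { for (unsigned i = 0; i < numWords; ++i) m_words[i] &= ~other.m_words[i]; }

    // Counts register bits only; the deleted marker is never a register.
    unsigned numberOfSetRegisters() const
    {
        unsigned count = 0;
        for (unsigned reg = 0; reg < numRegisters; ++reg)
            count += get(reg);
        return count;
    }

    // Hash-table sentinels: empty is all zero, deleted is empty plus the marker bit.
    static FixedRegisterSet deletedValue() { FixedRegisterSet s; s.set(deletedBit); return s; }
    bool isDeletedValue() const { return get(deletedBit); }
    bool isEmptyValue() const
    {
        for (uint32_t w : m_words)
            if (w) return false;
        return true;
    }

    bool operator==(const FixedRegisterSet& other) const { return m_words == other.m_words; }
    bool operator!=(const FixedRegisterSet& other) const { return !(*this == other); }

private:
    std::array<uint32_t, numWords> m_words {};
};

// The four configurations from the size breakdown above.
using X86_32Set = FixedRegisterSet<8, 8>;    // 8 + 8 + 1 = 17 bits -> 1 word
using X86_64Set = FixedRegisterSet<16, 16>;  // 16 + 16 + 1 = 33 bits -> 2 words
using ARMv7Set  = FixedRegisterSet<16, 16>;  // 16 + 16 + 1 = 33 bits -> 2 words
using ARM64Set  = FixedRegisterSet<32, 32>;  // 32 + 32 + 1 = 65 bits -> 3 words

static_assert(sizeof(X86_32Set) == 1 * sizeof(uint32_t), "x86-32 fits in one word");
static_assert(sizeof(X86_64Set) == 2 * sizeof(uint32_t), "x86-64 needs two words");
static_assert(sizeof(ARM64Set)  == 3 * sizeof(uint32_t), "ARM64 needs three words");

// Typical compiler use: start from "every register", exclude a scratch set owned
// by the caller, and ask how many registers remain available.
inline unsigned arm64UsableAfterExcluding(unsigned scratchGPRs, unsigned scratchFPRs)
{
    ARM64Set all;
    all.setAll();
    ARM64Set scratch;
    for (unsigned i = 0; i < scratchGPRs; ++i)
        scratch.set(ARM64Set::gpr(i));
    for (unsigned i = 0; i < scratchFPRs; ++i)
        scratch.set(ARM64Set::fpr(i));
    all.exclude(scratch);
    return all.numberOfSetRegisters();
}
```

        Because the word count is a compile-time constant, a set that uses every ARM64 register is still
        three words on the stack; with a growable bit vector the same value would spill to a heap
        allocation, which is the slow path the entry above is removing.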
2898
2899 2016-07-15  Filip Pizlo  <fpizlo@apple.com>
2900
2901         DFG and FTL should support op_call_eval
2902         https://bugs.webkit.org/show_bug.cgi?id=159786
2903
2904         Reviewed by Saam Barati.
2905         
2906         This adds support for op_call_eval in DFG and FTL by brute force:
2907         
2908         - There is now a CallEval() node type, which compiles exactly the same way that we do in
2909           baseline.
2910         
2911         - We teach the DFG and bytecode liveness that the scope register and 'this' are read by
2912           CallEval()/op_call_eval.
2913         
2914         We can compile eval quite well, except that right now we cannot inline functions that use
2915         eval. It would be nice to do that, but the payoff is probably smaller. "Don't inline users
2916         of eval" may even be an OK inlining heuristic. Not inlining users of eval allows me to
2917         reuse the baseline implementation, which is really great. Otherwise, I'd have to get rid
2918         of things like the rogue reads of scope register and 'this'.
2919         
2920         The goal here is to produce speed-ups for code that has functions that do both eval and
2921         some computational stuff. Obviously, we're not producing any benefit for the eval itself.
2922         But now the other stuff in a function that uses eval will get to participate in
2923         optimization.
2924         
2925         This is a huge speed-up on microbenchmarks.
2926
2927         * bytecode/BytecodeUseDef.h:
2928         (JSC::computeUsesForBytecodeOffset):
2929         * bytecode/CodeBlock.cpp:
2930         (JSC::CodeBlock::printCallOp):
2931         (JSC::CodeBlock::dumpBytecode):
2932         * dfg/DFGAbstractInterpreterInlines.h:
2933         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2934         * dfg/DFGByteCodeParser.cpp:
2935         (JSC::DFG::ByteCodeParser::setLocal):
2936         (JSC::DFG::ByteCodeParser::setArgument):
2937         (JSC::DFG::ByteCodeParser::flush):
2938         (JSC::DFG::ByteCodeParser::parseBlock):
2939         * dfg/DFGCapabilities.cpp:
2940         (JSC::DFG::capabilityLevel):
2941         * dfg/DFGClobberize.h:
2942         (JSC::DFG::clobberize):
2943         * dfg/DFGDoesGC.cpp:
2944         (JSC::DFG::doesGC):
2945         * dfg/DFGFixupPhase.cpp:
2946         (JSC::DFG::FixupPhase::fixupNode):
2947         * dfg/DFGGraph.h:
2948         (JSC::DFG::Graph::needsScopeRegister):
2949         (JSC::DFG::Graph::needsFlushedThis):
2950         * dfg/DFGHeapLocation.cpp:
2951         (WTF::printInternal):
2952         * dfg/DFGHeapLocation.h:
2953         * dfg/DFGMayExit.cpp:
2954         * dfg/DFGNode.h:
2955         (JSC::DFG::Node::hasHeapPrediction):
2956         * dfg/DFGNodeType.h:
2957         * dfg/DFGOSRExitCompiler.cpp:
2958         * dfg/DFGPredictionPropagationPhase.cpp:
2959         * dfg/DFGSafeToExecute.h:
2960         (JSC::DFG::safeToExecute):
2961         * dfg/DFGSpeculativeJIT32_64.cpp:
2962         (JSC::DFG::SpeculativeJIT::emitCall):
2963         (JSC::DFG::SpeculativeJIT::compile):
2964         * dfg/DFGSpeculativeJIT64.cpp:
2965         (JSC::DFG::SpeculativeJIT::emitCall):
2966         (JSC::DFG::SpeculativeJIT::compile):
2967         * dfg/DFGStackLayoutPhase.cpp:
2968         (JSC::DFG::StackLayoutPhase::run):
2969         * dfg/DFGWatchpointCollectionPhase.cpp:
2970         (JSC::DFG::WatchpointCollectionPhase::handle):
2971         * ftl/FTLCapabilities.cpp:
2972         (JSC::FTL::canCompile):
2973         * ftl/FTLCompile.cpp:
2974         (JSC::FTL::compile):
2975         * ftl/FTLLowerDFGToB3.cpp:
2976         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2977         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2978         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2979         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2980         * jit/AssemblyHelpers.cpp:
2981         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2982         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2983         * jit/AssemblyHelpers.h:
2984         (JSC::AssemblyHelpers::emitTypeOf):
2985         * jit/JITCall.cpp:
2986         (JSC::JIT::compileCallEvalSlowCase):
2987         * jit/JITCall32_64.cpp:
2988         (JSC::JIT::compileCallEvalSlowCase):
2989         * jit/JITOperations.cpp:
2990         * tests/stress/exit-then-eval.js: Added.
2991         (foo):
2992         * tests/stress/force-exit-then-eval-dfg.js: Added.
2993         (foo):
2994         * tests/stress/force-exit-then-eval.js: Added.
2995         (foo):
2996
2997 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
2998
2999         DFG should really support jneq_ptr
3000         https://bugs.webkit.org/show_bug.cgi?id=159700
3001
3002         Reviewed by Keith Miller.
3003         
3004         Prior to this change, DFG statically speculated that jneq_ptr would always fall through. This
3005         meant that programs that called o.apply() or o.call() where apply or call weren't the
3006         expected ones (i.e. the function.prototype.apply/call) would rage-recompile forever.
3007         
3008         This adds profiling to jneq_ptr. We now know if it always falls through or sometimes doesn't.
3009         If it sometimes doesn't, we now emit an actual control flow diamond. I decided to add a new
3010         NodeType for "equal pointer", since none of the existing ones really captured that. For
3011         example, there was no way to express "equal pointer" for strings or symbols. We don't use it
3012         for that right now, but we might, and if we did, then it would be hugely surprising that the
3013         DFG interpreted this as value equality. So, the DFG now has CompareEqPtr, which means exactly
3014         what jneq_ptr means by "equal pointer".
3015         
3016         This is an enormous speed-up on microbenchmarks. I would assume that it's a speed-up on some
3017         real things, too, but I don't know that for a fact.
3018
3019         * bytecode/BytecodeList.json:
3020         * bytecode/CodeBlock.cpp:
3021         (JSC::CodeBlock::dumpBytecode):
3022         * bytecompiler/BytecodeGenerator.cpp:
3023         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3024         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3025         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3026         * dfg/DFGAbstractInterpreterInlines.h:
3027         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3028         * dfg/DFGByteCodeParser.cpp:
3029         (JSC::DFG::ByteCodeParser::parseBlock):
3030         * dfg/DFGClobberize.h:
3031         (JSC::DFG::clobberize):
3032         * dfg/DFGDoesGC.cpp:
3033         (JSC::DFG::doesGC):
3034         * dfg/DFGFixupPhase.cpp:
3035         (JSC::DFG::FixupPhase::fixupNode):
3036         * dfg/DFGNode.h:
3037         (JSC::DFG::Node::hasCellOperand):
3038         * dfg/DFGNodeType.h:
3039         * dfg/DFGSafeToExecute.h:
3040         (JSC::DFG::safeToExecute):
3041         * dfg/DFGSpeculativeJIT.cpp:
3042         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3043         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
3044         * dfg/DFGSpeculativeJIT.h:
3045         * dfg/DFGSpeculativeJIT32_64.cpp:
3046         (JSC::DFG::SpeculativeJIT::compile):
3047         * dfg/DFGSpeculativeJIT64.cpp:
3048         (JSC::DFG::SpeculativeJIT::compile):
3049         * dfg/DFGValidate.cpp:
3050         * ftl/FTLCapabilities.cpp:
3051         (JSC::FTL::canCompile):
3052         * ftl/FTLLowerDFGToB3.cpp:
3053         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3054         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3055         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEqPtr):
3056         (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
3057         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEqConstant): Deleted.
3058         * jit/JITOpcodes.cpp:
3059         (JSC::JIT::emit_op_jneq_ptr):
3060         (JSC::JIT::emit_op_eq):
3061         * jit/JITOpcodes32_64.cpp:
3062         (JSC::JIT::emit_op_jneq_ptr):
3063         (JSC::JIT::emit_op_eq):
3064         * llint/LowLevelInterpreter32_64.asm:
3065         * llint/LowLevelInterpreter64.asm:
3066
3067 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
3068
3069         OSR entry into DFG has problems with lexical scoping
3070         https://bugs.webkit.org/show_bug.cgi?id=159687
3071
3072         Reviewed by Saam Barati.
3073         
3074         What a fun bug! It turns out that uses of lexical scoping, like "let", may sometimes cause us
3075         to not be able to OSR enter into a loop from baseline to DFG. The bug is in a mitigation for
3076         a different bug, which in turn had a mitigation for yet another bug, so the story here is a
3077         long one.
3078         
3079         DFG OSR entry has long had a mitigation for the following bug: the DFG bytecode parser may
3080         choose to make us always OSR exit at some instruction if it thinks that it doesn't have
3081         enough profiling for that instruction. We will do this if some kinds of put_by_id only
3082         execute once, for example. This causes problems for loopy benchmarks like this:
3083         
3084             put_by_id(something crazy);
3085             for (var i = 0; i < bigNumber; ++i) simpleMath;
3086         
3087         In this case, the put_by_id will have only executed once, and since it did something crazy
3088         that one time, the bytecode parser will replace it with ForceOSRExit.
3089         
3090         This creates an OSR entry bug: DFG CFA will then prove that the loop is unreachable, and will
3091         tell OSR entry that it's impossible to enter into that loop.
3092         
3093         We mitigated this bug a long time ago by recording mustHandleValues for loops at which we
3094         want to enter. We inject these values into DFG CFA and we force CFA to recognize that the
3095         loop is reachable even if CFA wanted to prove that it wasn't.
3096         
3097         But this leads to another bug: we need to scrape the values from the stack inside
3098         operationOptimize() and then we need to reason about them in the compiler. Some of those
3099         values may be garbage, which would cause pandemonium inside the compiler. We also mitigated
3100         this bug, by only recording the "vars", since those are guaranteed to be reset by op_enter.
3101         
3102         And that's where the lexical scoping bug happens: "let" bound variables aren't part of the
3103         "vars". DFG will see that they are live, but mustHandleValues will not have anything for
3104         those variables, so CFA will prove that the values are Bottom. Then OSR entry will always
3105         fail because no value is ever a subset of Bottom.
3106         
3107         The first part of the fix is to ensure that mustHandleValues record all of the values on the
3108         stack (i.e. within m_numCalleeLocals, rather than just m_numVars). But this creates a second
3109         problem: we may record garbage. This patch includes a better fix for the garbage: before
3110         touching mustHandleValues we run the bytecode liveness analysis and clear any values that are
3111         not live. This ensures that we clear the garbage.
3112         
3113         This is an enormous speed-up on microbenchmarks that use lexical scoping and have some crazy
3114         put_by_id in the lead-up to the hot loop.
3115
3116         * dfg/DFGCFAPhase.cpp:
3117         (JSC::DFG::CFAPhase::run):
3118         * dfg/DFGOSREntry.cpp:
3119         (JSC::DFG::prepareOSREntry):
3120         * dfg/DFGPlan.cpp:
3121         (JSC::DFG::Plan::compileInThreadImpl):
3122         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3123         (JSC::DFG::Plan::cancel):
3124         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
3125         * dfg/DFGPlan.h:
3126         (JSC::DFG::Plan::canTierUpAndOSREnter):
3127         * jit/JITOperations.cpp:
3128
3129 2016-07-18  Youenn Fablet  <youenn@apple.com>
3130
3131         REGRESSION(r202975): --minimal build is broken
3132         https://bugs.webkit.org/show_bug.cgi?id=159765
3133
3134         Reviewed by Chris Dumez.
3135
3136         Covered partially by builtin generated test code.
3137
3138         Updating generator to add a global compilation guard around the code that generates all global internal properties.
3139         Split the generate_methods function in two, one dedicated to the visit method and the second one dedicated to
3140         the initialize method.
3141
3142         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
3143         (BuiltinsInternalsWrapperImplementationGenerator.generate_section_for_object): Use split generation functions.
3144         (BuiltinsInternalsWrapperImplementationGenerator.generate_visit_method): Responsible for generating the visit method.
3145         (BuiltinsInternalsWrapperImplementationGenerator._generate_initialize_static_globals): Responsible for generating
3146         the code to initialize the internal globals. This code is put in a global compilation guard in case all
3147         internals are compiled out by specific builds.
3148         (BuiltinsInternalsWrapperImplementationGenerator):
3149         (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method): Responsible for generating the
3150         initialize method.
3151         (BuiltinsInternalsWrapperImplementationGenerator.generate_methods): Deleted.
3152         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Copyright change.
3153         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
3154         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
3155         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
3156         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Reflects partially the built-in
3157         generator change.
3158
3159 2016-07-18  Keith Miller  <keith_miller@apple.com>
3160
3161         Fix bad assertions in genericTypedArrayViewPrivateFuncSubarrayCreate
3162         https://bugs.webkit.org/show_bug.cgi?id=159882
3163         <rdar://problem/27327111>
3164
3165         Reviewed by Mark Lam.
3166
3167         According to the spec, toInteger can return values we don't consider ints,
3168         such as -0 and +/-Infinity. This broke some assertions in
3169         genericTypedArrayViewPrivateFuncSubarrayCreate.
3170
3171         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3172         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3173         * tests/stress/typedarray-subarray.js:
3174
3175 2016-07-16  Filip Pizlo  <fpizlo@apple.com>
3176
3177         DFG CSE is broken for MultiGetByOffset
3178         https://bugs.webkit.org/show_bug.cgi?id=159858
3179
3180         Reviewed by Saam Barati.
3181         
3182         This disables CSE for MultiGetByOffset. I opened bug 159859 for the long-term fix, which
3183         would teach CSE (and other passes also) how to decay a removed MultiGetByOffset to a
3184         CheckStructure. Since we currently just decay MultiGetByOffset to Check, we forget the
3185         structure checks. So, if we CSE a MultiGetByOffset that checks for one set of structures with
3186         a heap access on the same property and base that checks for different structures, then we
3187         will forget some structure checks that we had previously. It's unsound to forget checks in
3188         DFG IR.
3189         
3190         This bug mostly manifested as a high-volume crash at Unreachable in FTL, because we'd prove
3191         that the code after the MultiGetByOffset was unreachable due to the structure checks and then
3192         CSE would remove everything but the Unreachable.
3193
3194         * dfg/DFGClobberize.h:
3195         (JSC::DFG::clobberize): Remove the def() for MultiGetByOffset to disable CSE for this node for now.
3196         * tests/stress/cse-multi-get-by-offset-remove-checks.js: Added. This used to fail with FTL enabled.
3197         (Cons1):
3198         (Cons2):
3199         (Cons3):
3200         (foo):
3201         (bar):
3202
3203 2016-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3204
3205         [JSC] Enable test262 module tests
3206         https://bugs.webkit.org/show_bug.cgi?id=159854
3207
3208         Reviewed by Saam Barati.
3209
3210         This patch enables test262 module tests. Before this patch, the module tests in test262 did not work correctly.
3211         This patch fixes the following 2 things.
3212
3213         1. Test harness
3214
3215             Before this patch, there is only one global switch "-m" in jsc shell. So we cannot load the test262 test harness before evaluating the module tests.
3216             This patch adds a new option, "--module-file=". It is similar to "--strict-file=". When we specify the file with "--module-file=", it is evaluated as
3217             a module, while the other files are evaluated by following the JSC's default manner. This option allows us to load the test harness files into the
3218             global context before loading the module tests.
3219
3220         2. Module's asynchronous errors
3221
3222             Before this patch, errors raised during module evaluation were not handled the same way as those in the usual synchronous files. In synchronous execution, we have
3223             the "--exception=" option to pass the expected exception to the JSC shell. But this option did not work for module evaluation.
3224             This patch correctly handles this expected exception in the module evaluation promise's fulfill and reject handlers.
3225
3226         And we fix the YAML file. Now the recorded :fail and :normal are the correct test results for the module tests.
3227
3228         * jsc.cpp:
3229         (Script::Script):
3230         (checkUncaughtException):
3231         (runWithScripts):
3232         (printUsageStatement):
3233         (CommandLine::parseArguments):
3234         (dumpException): Deleted.
3235         * tests/test262.yaml:
3236
3237 2016-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3238
3239         [JSC] Mask TrustedImm32 to 8bit in MacroAssembler for 8bit operations
3240         https://bugs.webkit.org/show_bug.cgi?id=159334
3241
3242         Reviewed by Filip Pizlo.
3243
3244         Previously, in 8bit operations (like add8, compare8, test8, branch8, branchTest8 etc.),
3245         we required that the given TrustedImm32 be in the 8bit range. While this is easy to achieve
3246         in manual MacroAssembler calls, in Air we don't guarantee that the higher bits
3247         of the 8bit argument are cleared. So the current assertions are invalid.
3248
3249         This patch relaxes the above restriction. By removing this assertion,
3250         8bit operations can take arbitrary 32bit imms, and only the lower 8 bits are effective when
3251         emitting the code in these methods.
3252
3253         * assembler/MacroAssembler.h:
3254         (JSC::MacroAssembler::branchTest8):
3255         * assembler/MacroAssemblerARM.h:
3256         (JSC::MacroAssemblerARM::store8):
3257         (JSC::MacroAssemblerARM::branch8):
3258         (JSC::MacroAssemblerARM::branchTest8):
3259         (JSC::MacroAssemblerARM::compare8):
3260         (JSC::MacroAssemblerARM::test8):
3261         * assembler/MacroAssemblerARM64.h:
3262         (JSC::MacroAssemblerARM64::store8):
3263         (JSC::MacroAssemblerARM64::branch8):
3264         (JSC::MacroAssemblerARM64::branchTest8):
3265         (JSC::MacroAssemblerARM64::compare8):
3266         (JSC::MacroAssemblerARM64::test8):
3267         * assembler/MacroAssemblerARMv7.h:
3268         (JSC::MacroAssemblerARMv7::store8):
3269         (JSC::MacroAssemblerARMv7::branch8):
3270         (JSC::MacroAssemblerARMv7::branchTest8):
3271         (JSC::MacroAssemblerARMv7::compare8):
3272         (JSC::MacroAssemblerARMv7::test8):
3273         * assembler/MacroAssemblerMIPS.h:
3274         (JSC::MacroAssemblerMIPS::store8):
3275         (JSC::MacroAssemblerMIPS::branch8):
3276         (JSC::MacroAssemblerMIPS::compare8):
3277         (JSC::MacroAssemblerMIPS::branchTest8):
3278         (JSC::MacroAssemblerMIPS::test8):
3279         * assembler/MacroAssemblerSH4.h:
3280         (JSC::MacroAssemblerSH4::store8):
3281         (JSC::MacroAssemblerSH4::branchTest8):
3282         (JSC::MacroAssemblerSH4::branch8):
3283         (JSC::MacroAssemblerSH4::compare8):
3284         (JSC::MacroAssemblerSH4::test8):
3285         * assembler/MacroAssemblerX86.h:
3286         (JSC::MacroAssemblerX86::store8):
3287         (JSC::MacroAssemblerX86::branch8):
3288         (JSC::MacroAssemblerX86::branchTest8):
3289         * assembler/MacroAssemblerX86Common.h:
3290         (JSC::MacroAssemblerX86Common::add8):
3291         (JSC::MacroAssemblerX86Common::store8):
3292         (JSC::MacroAssemblerX86Common::branch8):
3293         (JSC::MacroAssemblerX86Common::branchTest8):
3294         (JSC::MacroAssemblerX86Common::compare8):
3295         (JSC::MacroAssemblerX86Common::test8):
3296         * assembler/MacroAssemblerX86_64.h:
3297         (JSC::MacroAssemblerX86_64::store8):
3298         (JSC::MacroAssemblerX86_64::branch8):
3299         (JSC::MacroAssemblerX86_64::branchTest8):
3300
3301 2016-07-16  Chris Dumez  <cdumez@apple.com>
3302
3303         Unreviewed, rolling out r203318.
3304
3305         Regressed most JS Benchmarks on MacBook Air by ~2% (7% on
3306         SunSpider)
3307
3308         Reverted changeset:
3309
3310         "[JSC] Change some parameters based on a random search"
3311         https://bugs.webkit.org/show_bug.cgi?id=158514
3312         http://trac.webkit.org/changeset/203318
3313
3314 2016-07-15  Benjamin Poulain  <bpoulain@apple.com>
3315
3316         [JSC] Convert the remaining createOutOfMemoryError()+throwException() into throwOutOfMemoryError()
3317         https://bugs.webkit.org/show_bug.cgi?id=159665
3318
3319         Reviewed by Saam Barati.
3320
3321         * API/JSTypedArray.cpp:
3322         (createTypedArray):
3323         * runtime/Error.cpp:
3324         (JSC::createOutOfMemoryError):
3325         * runtime/Error.h:
3326         * runtime/ExceptionHelpers.cpp:
3327         (JSC::throwOutOfMemoryError):
3328         * runtime/JSArrayBufferConstructor.cpp:
3329         (JSC::constructArrayBuffer):
3330         * runtime/JSArrayBufferPrototype.cpp:
3331         (JSC::arrayBufferProtoFuncSlice):
3332         * runtime/JSGenericTypedArrayViewInlines.h:
3333         (JSC::JSGenericTypedArrayView<Adaptor>::create):
3334         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
3335
3336 2016-07-15  Benjamin Poulain  <bpoulain@apple.com>
3337
3338         [JSC] Change some parameters based on a random search
3339         https://bugs.webkit.org/show_bug.cgi?id=158514
3340
3341         Reviewed by Saam Barati.
3342
3343         * bytecode/CodeBlock.cpp:
3344         (JSC::CodeBlock::optimizationThresholdScalingFactor):
3345         * runtime/Options.h:
3346
3347 2016-07-15  Mark Lam  <mark.lam@apple.com>
3348
3349         Assertion failures and crashes with missing TDZ checks for catch-node bindings.
3350         https://bugs.webkit.org/show_bug.cgi?id=158797
3351
3352         Reviewed by Saam Barati.
3353
3354         * bytecompiler/BytecodeGenerator.cpp:
3355         (JSC::BytecodeGenerator::emitPushCatchScope):
3356         (JSC::BytecodeGenerator::emitPopCatchScope):
3357         * tests/stress/catch-clause-should-be-under-tdz1.js: Added.
3358         * tests/stress/catch-clause-should-be-under-tdz2.js: Added.
3359         * tests/stress/catch-clause-should-be-under-tdz3.js: Added.
3360         * tests/stress/catch-clause-should-be-under-tdz4.js: Added.
3361         * tests/stress/catch-clause-should-be-under-tdz5.js: Added.
3362
3363 2016-07-15  Geoffrey Garen  <ggaren@apple.com>
3364
3365         Added a makeRef<T> helper
3366         https://bugs.webkit.org/show_bug.cgi?id=159835
3367
3368         Reviewed by Andreas Kling.
3369
3370         Anders told me to!
3371
3372         * inspector/InjectedScriptHost.cpp:
3373         (Inspector::InjectedScriptHost::wrapper):
3374
3375 2016-07-15  Mark Lam  <mark.lam@apple.com>
3376
3377         FunctionOverride's parseClause() needs to keep the CString instance in scope while its data is being used.
3378         https://bugs.webkit.org/show_bug.cgi?id=159828
3379
3380         Reviewed by Saam Barati.
3381
3382         Otherwise, we'll have a use after free.  This issue was caught when running an
3383         ASan debug build of testapi.
3384
3385         * tools/FunctionOverrides.cpp:
3386         (JSC::parseClause):
3387
3388 2016-07-15  Keith Miller  <keith_miller@apple.com>
3389
3390         %TypedArray%.prototype.indexOf is coercing non-integers or non-floats to numbers wrongly
3391         https://bugs.webkit.org/show_bug.cgi?id=159400
3392
3393         Reviewed by Geoffrey Garen.
3394
3395         This patch fixes coercion of non-numbers in indexOf/lastIndexOf.
3396         Additionally, this patch fixes an issue with includes where it
3397         would not check that the buffer remained non-neutered after
3398         calling the toInteger() function. Lastly, some extra release
3399         asserts have been added in some places to inform us of any issues
3400         in the future.
3401
3402         Additionally, this patch changes bool toNativeFromDouble to
3403         Optional<Type> toNativeFromDoubleWithoutCoercion. This makes it a
3404         little clearer what the function does and also removes the return
3405         argument. The only behavior change is that the function no longer
3406         coerces non-numbers into numbers. That behavior was unused (maybe
3407         unintended), however.
3408
3409         * runtime/JSGenericTypedArrayView.h:
3410         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
3411         (JSC::JSGenericTypedArrayView::sort):
3412         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
3413         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3414         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
3415         (JSC::genericTypedArrayViewProtoFuncIncludes):
3416         (JSC::genericTypedArrayViewProtoFuncIndexOf):
3417         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3418         * runtime/ToNativeFromValue.h:
3419         (JSC::toNativeFromValueWithoutCoercion):
3420         (JSC::toNativeFromValue): Deleted.
3421         * runtime/TypedArrayAdaptors.h:
3422         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
3423         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
3424         (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
3425         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
3426         (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
3427         (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
3428         (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
3429         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32): Deleted.
3430         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32): Deleted.
3431         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble): Deleted.
3432         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32): Deleted.
3433         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble): Deleted.
3434         (JSC::Uint8ClampedAdaptor::toNativeFromInt32): Deleted.
3435         (JSC::Uint8ClampedAdaptor::toNativeFromDouble): Deleted.
3436         * tests/stress/resources/typedarray-test-helper-functions.js:
3437         * tests/stress/typedarray-functions-with-neutered.js:
3438         (callWithArgs):
3439         * tests/stress/typedarray-includes.js: Added.
3440         * tests/stress/typedarray-indexOf.js:
3441         * tests/stress/typedarray-lastIndexOf.js:
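
        The search-element semantics described above, as an added example (this is illustrative code,
        not part of JSC or its test suite): the %TypedArray% indexOf/lastIndexOf/includes methods compare
        the search element against Number elements without coercing it, so a string or an object never
        matches and its valueOf is never invoked. Only the fromIndex argument is coerced via ToInteger,
        which is exactly the point at which user code can run (and, in the bug above, detach the buffer).

```javascript
// Added example (not JSC code): observe coercion behaviour of typed-array searches.
function typedArraySearchBehaviour() {
  const ta = new Int32Array([10, 20, 30]);
  let valueOfCalls = 0;
  // An object that would compare equal to 20 if it were coerced.
  const tricky = { valueOf() { valueOfCalls += 1; return 20; } };

  const results = {
    stringNeverMatches: ta.indexOf('20'),       // -1: no ToNumber on the search element
    objectNeverMatches: ta.indexOf(tricky),     // -1
    includesObject: ta.includes(tricky),        // false
    lastIndexOfObject: ta.lastIndexOf(tricky),  // -1
    numberMatches: ta.indexOf(20),              // 1
  };
  // No user code ran while searching: valueOf was never called.
  results.valueOfCallsOnSearchElement = valueOfCalls; // 0

  // fromIndex *is* coerced (ToInteger), so user code runs here exactly once.
  const fromIndex = { valueOf() { valueOfCalls += 1; return 1; } };
  results.fromIndexMatch = ta.indexOf(20, fromIndex);  // 1
  results.valueOfCallsAfterFromIndex = valueOfCalls;   // 1
  return results;
}
```

        The practical consequence for engine code: anything computed before coercing fromIndex (the
        buffer pointer, the length) must be re-validated afterwards, which is the neutered-buffer check
        the patch adds to includes.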
3442
3443 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
3444
3445         Add new functions to ARMAssembler after r202214
3446         https://bugs.webkit.org/show_bug.cgi?id=159713
3447
3448         Reviewed by Saam Barati.
3449
3450         * assembler/ARMAssembler.h:
3451         (JSC::ARMAssembler::fillNops):
3452         * assembler/MacroAssemblerARM.h:
3453         (JSC::MacroAssemblerARM::patchableBranch32):
3454         (JSC::MacroAssemblerARM::internalCompare32):
3455
3456 2016-07-15  Mark Lam  <mark.lam@apple.com>
3457
3458         Stack overflow error for deeply nested classes.
3459         https://bugs.webkit.org/show_bug.cgi?id=157086
3460
3461         Reviewed by Geoffrey Garen.
3462
3463         Changed the StructureStubClearingWatchpoint destructor to iteratively destruct
3464         its chain of next StructureStubClearingWatchpoints instead of recursively doing
3465         so.
3466
3467         The added deep-StructureStubClearingWatchpoint-destructor-recursion.js test
3468         produces a crash before the fix is applied, but takes about 14 minutes to run.
3469         Hence, it is skipped.
3470
3471         * bytecode/StructureStubClearingWatchpoint.cpp:
3472         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
3473         * tests/stress/deep-StructureStubClearingWatchpoint-destructor-recursion.js: Added.
3474
3475 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
3476
3477         Fix expectations in test262.yaml
3478         https://bugs.webkit.org/show_bug.cgi?id=159810
3479
3480         Reviewed by Keith Miller.
3481
3482         * tests/test262.yaml:
3483
3484 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
3485
3486         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
3487         https://bugs.webkit.org/show_bug.cgi?id=159759
3488
3489         Reviewed by Saam Barati.
3490
3491         * jit/Repatch.cpp:
3492         (JSC::forceICFailure):
3493
3494 2016-07-14  Keith Miller  <keith_miller@apple.com>
3495
3496         Add Test262 test files and yaml
3497
3498         Rubber Stamped by Benjamin Poulain.
3499
3500         This patch adds all the test262 test files and the yaml that drives
3501         run-jsc-stress-tests.
3502
3503         * tests/test262.yaml: Added. Yaml file to drive the test262 test suite with our driver.
3504         * tests/test262/LICENSE: Added. License for the test262 test suite.
3505         * tests/test262/harness/: Added. Harness directory for the test262 tests.
3506         * tests/test262/test/: Added. Directory with all the actual test files.
3507
3508 2016-07-14  Joseph Pecoraro  <pecoraro@apple.com>
3509
3510         Return the correct value from Heap::externalMemorySize
3511         https://bugs.webkit.org/show_bug.cgi?id=159797
3512         <rdar://problem/27362446>
3513
3514         Reviewed by Timothy Hatcher.
3515
3516         * heap/Heap.h:
3517         (JSC::Heap::externalMemorySize):
3518         We should have been returning m_externalMemorySize which is a subset
3519         of m_extraMemorySize. In practice the difference can be small. A major
3520         difference in "extra memory size" may be from deprecated memory size
3521         and array buffer sizes.
3522
3523 2016-07-14  Saam Barati  <sbarati@apple.com>
3524
3525         It should be a syntax error to have a 'use strict' directive inside a function that has a non-simple parameter list
3526         https://bugs.webkit.org/show_bug.cgi?id=159790
3527         <rdar://problem/27171636>
3528
3529         Reviewed by Geoffrey Garen.
3530
3531         It is a syntax error for a function's parameter list to be non-simple
3532         and for the function to also contain a 'use strict' directive.
3533
3534         See section 14.2.1 of the spec:
3535         https://tc39.github.io/ecma262/#sec-arrow-function-definitions-static-semantics-early-errors
3536
3537         * parser/Parser.cpp:
3538         (JSC::Parser<LexerType>::parseSourceElements):
3539         (JSC::Parser<LexerType>::parseFormalParameters):
3540         * parser/Parser.h:
3541         (JSC::Scope::Scope):
3542         (JSC::Scope::strictMode):
3543         (JSC::Scope::isValidStrictMode):
3544         (JSC::Scope::shadowsArguments):
3545         (JSC::Scope::setHasNonSimpleParameterList):
3546         (JSC::Scope::hasNonSimpleParameterList):
3547         (JSC::Scope::copyCapturedVariablesToVector):
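
        The early error described above, as an added example (illustrative code, not part of JSC or
        its tests): compiling sources with new Function() exercises the same static semantics without
        running anything, and shows that the restriction applies to ordinary functions, not only arrow
        functions. The parameter strings and the helper names below are the example's own.

```javascript
// Added example (not JSC code): probe the "use strict" + non-simple parameter
// list early error. new Function() parses the source and throws SyntaxError on
// an early error, so nothing is executed.
function compilesAsFunction(params, body) {
  try {
    new Function(params, body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is unexpected
  }
}

function strictDirectiveResults() {
  const strictBody = '"use strict"; return typeof this;';
  return {
    simpleParams: compilesAsFunction('a, b', strictBody),           // true: allowed
    defaultParam: compilesAsFunction('a = 1', strictBody),          // false: early error
    destructuring: compilesAsFunction('{a}', strictBody),           // false: early error
    restParam: compilesAsFunction('...rest', strictBody),           // false: early error
    nonStrictDefault: compilesAsFunction('a = 1', 'return a;'),     // true: no directive
  };
}
```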
3548
3549 2016-07-14  Geoffrey Garen  <ggaren@apple.com>
3550
3551         ASSERTION FAILED: : this != replacement()
3552         https://bugs.webkit.org/show_bug.cgi?id=159779
3553
3554         Reviewed by Michael Saboff.
3555
3556         * bytecode/CodeBlock.cpp:
3557         (JSC::CodeBlock::jettison): If we jettison during GC, and our owner
3558         is dead, we choose not to replace ourselves. (See
3559         https://bugs.webkit.org/show_bug.cgi?id=159588.) So, it's possible to
3560         invalidate and still be our owner's CodeBlock. Relax our ASSERT to allow
3561         for this.
3562
3563 2016-07-14  Mark Lam  <mark.lam@apple.com>
3564
3565         JSONObject Walker::walk must save array length before processing array elements.
3566         https://bugs.webkit.org/show_bug.cgi?id=153485
3567
3568         Reviewed by Darin Adler and Michael Saboff.
3569
3570         According to https://tc39.github.io/ecma262/#sec-internalizejsonproperty,
3571         JSON.parse() should cache the length of an array and use the cached length when
3572         iterating array elements (see section 24.3.1.1 2.b.iii).
3573
3574         * runtime/JSONObject.cpp:
3575         (JSC::Walker::walk):
3576         * tests/stress/JSON-parse-should-cache-array-lengths.js: Added.
3577         (toString):
3578         (shouldBe):
3579         (test):
3580         (test2):
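
        The cached-length rule from InternalizeJSONProperty, as an added example (illustrative code,
        not JSC's test): a reviver that appends to the array it is walking does not get called for the
        appended elements, because the length was read once before the loop. The helper name and the
        '[1,2]' input are the example's own.

```javascript
// Added example (not JSC code): show that JSON.parse's reviver walk uses the
// array length captured before iterating (ECMA-262 InternalizeJSONProperty).
function walkWithGrowingReviver(text) {
  const visited = [];
  const result = JSON.parse(text, function (key, value) {
    // `this` is the holder being walked. On its first element, grow it.
    if (Array.isArray(this) && key === '0') {
      this.push('appended-1', 'appended-2');
    }
    visited.push(key);
    return value;
  });
  return {
    visited,                                                   // keys the reviver saw
    finalLength: Array.isArray(result) ? result.length : null, // after the pushes
  };
}
```

        For '[1,2]' the reviver sees keys '0', '1' and finally '' (the root holder), never '2' or '3',
        even though the returned array has length 4. An implementation that re-read the length each
        iteration would loop over the newly appended elements as well.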
3581
3582 2016-07-14  Julien Brianceau  <jbriance@cisco.com>
3583
3584         [mips] Handle properly unaligned halfword load
3585         https://bugs.webkit.org/show_bug.cgi?id=153226
3586
3587         Reviewed by Michael Catanzaro.
3588
3589         Waiting for the kernel to silently fix-up unaligned accesses is
3590         not efficient, so let's provide an implementation of load16Unaligned
3591         in mips macro assembler.
3592
3593         Performance improvement seen with SunSpider's regexp-dna test.
3594
3595         * assembler/MacroAssemblerMIPS.h:
3596         (JSC::MacroAssemblerMIPS::load16Unaligned):
3597         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
3598
3599 2016-07-14  Youenn Fablet  <youenn@apple.com>
3600
3601         DOM value iterable interfaces should use Array prototype methods
3602         https://bugs.webkit.org/show_bug.cgi?id=159296
3603
3604         Reviewed by Chris Dumez and Mark Lam.
3605
3606         * JavaScriptCore.xcodeproj/project.pbxproj: Marking some header files as private so that they can be included in
3607         WebCore.
3608         * runtime/ArrayPrototype.cpp:
3609         (JSC::ArrayPrototype::finishCreation): copying iterable methods (entries, forEach, keys and values) to private slots.
3610
3611 2016-07-13  Csaba Osztrogonác  <ossy@webkit.org>
3612
3613         Fix the magic numbers for ARM traditional in InlineAccess.h
3614         https://bugs.webkit.org/show_bug.cgi?id=159708
3615
3616         Reviewed by Saam Barati.
3617
3618         * bytecode/InlineAccess.h:
3619         (JSC::InlineAccess::sizeForPropertyAccess):
3620         (JSC::InlineAccess::sizeForPropertyReplace):
3621         (JSC::InlineAccess::sizeForLengthAccess):
3622
3623 2016-07-13  Michael Saboff  <msaboff@apple.com>
3624
3625         YARR uses mixture of int and unsigned values to index into subject string
3626         https://bugs.webkit.org/show_bug.cgi?id=159744
3627
3628         Reviewed by Benjamin Poulain.
3629
3630         In most cases, we refer to characters in subject strings using a negative index from the number of
3631         "checked" characters in a subject string.  The required length is compared against the actual length
3632         and then we use that required length as the checked amount.  For example, when matching the string of
3633         4 digits in the RegExp /abc \d{4}/, we know that need 8 characters in the subject string.  We refer
3634         to the digits part of the expression from an already checked index of 8 and use negative offsets of
3635         -4 through -1.  In many cases we used a signed int for the negative offsets.  There are other cases
3636         where we used unsigned values as the amount of negative offset to use when accessing subject characters.
3637
3638         Changed all occurrences of character offsets to unsigned or Checked Arithmetic unsigned values.  Note
3639         that the pre-existing Checked class is used in other places to check for under/overflow with arithmetic
3640         operations.  Those unsigned offsets are always the number of characters before (negative) from the
3641         current checked character offset.  Also added some asserts for cases where arithmetic is not protected
3642         by other checks or with Checked<> wrapped values.
3643
3644         In the case of the JIT, subject characters are accessed using base with scaled index and offset
3645         addressing.  The MacroAssembler provides this addressing using the BaseIndex struct.  The offset for
3646         this struct is a 32 bit signed quantity.  Since we only care about negative offsets, we really only
3647         have 31 bits.  Changed the generation of a BaseOffset address to handle the case when the offset and
3648         scaled combination will exceed the 31 bits of negative offset.  This is done by moving the base value
3649         into a temp register and biasing the temp base and offset to smaller values so that we can emit
3650         instructions that can reference characters without exceeding the 31 bits of negative offset.
3651
3652         To abstract the character address generation, put the base with scaled index and offset into
3653         one function and used that function everywhere the YARR JIT wants to access subject characters.
3654         Also consolidated a few cases where we were generating inline what readCharacter() does.  Usually
3655         this was due to using a different index register.
3656
3657         Added a new regression test.
3658
3659         * tests/stress/regress-159744.js: Added regression test.
3660         (testRegExp):
3661         * yarr/YarrInterpreter.cpp:
3662         (JSC::Yarr::Interpreter::recordParenthesesMatch):
3663         (JSC::Yarr::Interpreter::resetMatches):
3664         (JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
3665         (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
3666         (JSC::Yarr::ByteCompiler::closeBodyAlternative):
3667         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3668         (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
3669         (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
3670         (JSC::Yarr::ByteCompiler::emitDisjunction):
3671         * yarr/YarrInterpreter.h:
3672         (JSC::Yarr::ByteTerm::ByteTerm):
3673         (JSC::Yarr::ByteTerm::BOL):
3674         (JSC::Yarr::ByteTerm::UncheckInput):
3675         (JSC::Yarr::ByteTerm::EOL):
3676         (JSC::Yarr::ByteTerm::WordBoundary):
3677         (JSC::Yarr::ByteTerm::BackReference):
3678         * yarr/YarrJIT.cpp:
3679         (JSC::Yarr::YarrGenerator::notAtEndOfInput):
3680         (JSC::Yarr::YarrGenerator::negativeOffsetIndexedAddress):
3681         (JSC::Yarr::YarrGenerator::readCharacter):
3682         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
3683         (JSC::Yarr::YarrGenerator::storeToFrame):
3684         (JSC::Yarr::YarrGenerator::generateAssertionBOL):
3685         (JSC::Yarr::YarrGenerator::backtrackAssertionBOL):
3686         (JSC::Yarr::YarrGenerator::generateAssertionEOL):
3687         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
3688         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
3689         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
3690         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
3691         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
3692         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
3693         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
3694         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
3695         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3696         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3697         (JSC::Yarr::YarrGenerator::generate):
3698         (JSC::Yarr::YarrGenerator::backtrack):
3699         (JSC::Yarr::YarrGenerator::YarrGenerator):
3700         * yarr/YarrPattern.h:
3701         (JSC::Yarr::PatternTerm::PatternTerm):
3702
3703 2016-07-13  Keith Miller  <keith_miller@apple.com>
3704
3705         Crashes with detached ArrayBuffers
3706         https://bugs.webkit.org/show_bug.cgi?id=157088
3707         <rdar://problem/27327362>
3708
3709         Reviewed by Filip Pizlo.
3710
3711         TypedArray.prototype.fill was incorrect because it should perform
3712         ToNumber coercion each time it tries to store the
3713         object. Currently, we only perform the coercion once at the
3714         beginning of the loop. If we find that we need to improve the
3715         performance of this function, we can add a faster C++ path back
3716         that only handles the primitive case.
3717
3718         This patch also moves the isNeutered() checks from put and
3719         putByIndex into setIndex. This fixes an issue where setIndex might
3720         store to a no longer valid offset.
3721
3722         * builtins/TypedArrayPrototype.js:
3723         (globalPrivate.typedArrayClampArgumentToStartOrEnd):
3724         (fill):
3725         * runtime/JSGenericTypedArrayView.h:
3726         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3727         (JSC::JSGenericTypedArrayView::setIndex):
3728         (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
3729         * runtime/JSGenericTypedArrayViewInlines.h:
3730         (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
3731         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
3732         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3733         (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
3734         * runtime/JSTypedArrayViewPrototype.cpp:
3735         (JSC::JSTypedArrayViewPrototype::finishCreation):
3736         (JSC::typedArrayViewProtoFuncFill): Deleted.
3737         * tests/stress/typedarray-fill.js:
3738         * tests/stress/typedarray-functions-with-neutered.js:
3739         (defaultForArg):
3740         (test2):
3741         (checkArgumentsForType): Deleted.
3742         (checkArguments): Deleted.
3743
3744 2016-07-13  Michael Saboff  <msaboff@apple.com>
3745
3746         Some bad unicode regex escapes aren't flagged as errors
3747         https://bugs.webkit.org/show_bug.cgi?id=158080
3748
3749         Reviewed by Saam Barati.
3750
3751         If we have a partial unicode escape, eg /\u{1/u or /\u12|abc/u, we
3752         didn't check for the closing '}' and processed the unicode escape with
3753         the hex value provided.  
3754
3755         Added a check that we properly terminated a \u{} unicode escape.
3756         If we fail that check and there isn't a prior error, we record that we
3757         have an invalid unicode escape.  The next existing line in the code will
3758         terminate parsing and bubble up the error.
3759
3760         * yarr/YarrParser.h:
3761         (JSC::Yarr::Parser::parseEscape):
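
        The malformed escapes from the entry above, as an added example (illustrative code, not JSC's
        test): with the 'u' flag, \u{...} must be closed and \uXXXX needs exactly four hex digits, so
        both of the bug's patterns must be rejected. The helper name and the sample table are the
        example's own.

```javascript
// Added example (not JSC code): report whether a pattern compiles with and
// without the unicode flag, treating SyntaxError as the expected rejection.
function unicodeEscapeStatus(source) {
  const status = {};
  for (const flags of ['', 'u']) {
    try {
      new RegExp(source, flags);
      status[flags || 'none'] = 'ok';
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
      status[flags || 'none'] = 'SyntaxError';
    }
  }
  return status;
}

// Constructed samples; the first two are the patterns named in the bug.
const samples = {
  unterminatedBrace: '\\u{1',     // /\u{1/u
  tooFewHexDigits: '\\u12|abc',   // /\u12|abc/u
  wellFormedBrace: '\\u{1F600}',  // /\u{1F600}/u
  wellFormedFour: '\\u0041',      // /\u0041/u
};
```

        Without the 'u' flag the same text is parsed under the Annex B grammar, where \u followed by
        fewer than four hex digits is just the letter u, so /\u12|abc/ compiles and matches "u12".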
3762
3763 2016-07-13  Chris Dumez  <cdumez@apple.com>
3764
3765         Unreviewed, rolling out r203199.
3766
3767         Broke the build
3768
3769         Reverted changeset:
3770
3771         "Crashes with detached ArrayBuffers"
3772         https://bugs.webkit.org/show_bug.cgi?id=157088
3773         http://trac.webkit.org/changeset/203199
3774
3775 2016-07-13  Keith Miller  <keith_miller@apple.com>
3776
3777         Crashes with detached ArrayBuffers
3778         https://bugs.webkit.org/show_bug.cgi?id=157088
3779         <rdar://problem/27327362>
3780
3781         Reviewed by Filip Pizlo.
3782
3783         TypedArray.prototype.fill was incorrect because it should perform
3784         ToNumber coercion each time it tries to store the
3785         object. Currently, we only perform the coercion once at the
3786         beginning of the loop. If we find that we need to improve the
3787         performance of this function, we can add a faster C++ path back
3788         that only handles the primitive case.
3789
3790         This patch also moves the isNeutered() checks from put and
3791         putByIndex into setIndex. This fixes an issue where setIndex might
3792         store to a no longer valid offset.
3793
3794         * builtins/TypedArrayPrototype.js:
3795         (globalPrivate.typedArrayClampArgumentToStartOrEnd):
3796         (fill):
3797         * runtime/JSGenericTypedArrayView.h:
3798         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3799         (JSC::JSGenericTypedArrayView::setIndex):
3800         (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
3801         * runtime/JSGenericTypedArrayViewInlines.h:
3802         (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
3803         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
3804         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3805         (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
3806         * runtime/JSTypedArrayViewPrototype.cpp:
3807         (JSC::JSTypedArrayViewPrototype::finishCreation):
3808         (JSC::typedArrayVi