[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to run everything in Octane/regexp
        https://bugs.webkit.org/show_bug.cgi?id=154266

        Reviewed by Saam Barati.

        Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
        make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
        DFG backend optimization anyway - if we need this optimization then it should be a
        strength reduction rule over IR. That way, it can be shared by all backends.

        I measured whether removing that optimization had any effect on performance separately
        from measuring the performance of this patch. Removing that optimization did not change
        our score on any benchmarks.

        This patch does have an overall negative effect on the Octane/regexp score. This is
        presumably because tiering up to the FTL has no value to the code in the regexp test. Or
        maybe it's something else. No matter - the overall effect on the Octane score is not
        statistically significant and we don't want this kind of coverage blocked by the fact
        that adding coverage hurts a benchmark.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setIndexingType):
        (JSC::DFG::Node::hasRegexpIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
        (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        * tests/stress/ftl-regexp-exec.js: Added.
        * tests/stress/ftl-regexp-test.js: Added.

2016-02-28  Andreas Kling  <akling@apple.com>

        Make JSFunction.name allocation fully lazy.
        <https://webkit.org/b/154806>

        Reviewed by Saam Barati.

        We were reifying the "name" field on functions lazily, but created the string
        value itself up front. This patch gets rid of the up-front allocation,
        saving us a JSString allocation per function in most cases.

        * builtins/BuiltinExecutables.cpp:
        (JSC::createExecutableInternal):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/Executable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):

2016-02-28  Andreas Kling  <akling@apple.com>

        REGRESSION(r197303): 4 jsc tests failing on bots.

        Unreviewed follow-up fix.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
        can still get called with !m_rareData, in case the type profiler is active but this
        particular code block doesn't have type profiler data. Handle it gracefully.

2016-02-28  Andreas Kling  <akling@apple.com>

        Shrink UnlinkedCodeBlock a bit.
        <https://webkit.org/b/154797>

        Reviewed by Anders Carlsson.

        Move profiler-related members of UnlinkedCodeBlock into its RareData
        structure, saving 40 bytes, and then reorder the other members of
        UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.

        The VM member was removed entirely since UnlinkedCodeBlock is a cell
        and can retrieve its VM through MarkedBlock header lookup.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::vm):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
        (JSC::UnlinkedCodeBlock::vm): Deleted.

2016-02-27  Filip Pizlo  <fpizlo@apple.com>

        FTL should lower its abstract heaps to B3 heap ranges
        https://bugs.webkit.org/show_bug.cgi?id=154782

        Reviewed by Saam Barati.

        The FTL can describe the abstract heaps (points-to sets) that a memory operation will
        affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
        TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
        notion - the HeapRange. That's what this patch fixes.

        B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
        integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
        affects by specifying a heap range: a begin...end pair that says that the operation
        affects all abstract heaps H such that begin <= H < end.

        This peculiar scheme was a deliberate attempt to distill what the abstract heap
        hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:

        - A heap's end is greater than its begin.
        - A heap's begin is greater than or equal to its parent's begin.
        - A heap's end is less than or equal to its parent's end.

        This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
        went for the iterative traversal, which is a splendid algorithm, but it's totally
        unnecessary here since we tightly control the height of the heap hierarchy.

        Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
        generate new ones for field names and constant indices we encounter, we can't actually
        decorate the B3 instructions we create in lowering until all lowering is done. Adding a
        new abstract heap to the hierarchy after ranges were already computed would require
        updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
        patch solves that problem by recording the associations between abstract heaps and their
        intended roles in the generated IR, and then decorating all of the relevant B3 values
        after we compute the ranges of the hierarchy after lowering.

        This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
        speed-up on any benchmark. That's not too surprising. We already have very precise CSE
        in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
        already been getting the big ones even without alias analysis.

        Even without a speed-up, this patch is valuable because it makes it easier to implement
        other optimizations, like store elimination.

        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::changeParent):
        (JSC::FTL::AbstractHeap::compute):
        (JSC::FTL::AbstractHeap::shallowDump):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractHeap::deepDump):
        (JSC::FTL::AbstractHeap::badRangeError):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        (JSC::FTL::IndexedAbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
        (JSC::FTL::AbstractField::dump): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::isInitialized):
        (JSC::FTL::AbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::parent):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::AbstractHeap::range):
        (JSC::FTL::AbstractHeap::offset):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::IndexedAbstractHeap::at):
        (JSC::FTL::IndexedAbstractHeap::operator[]):
        (JSC::FTL::IndexedAbstractHeap::returnInitialized):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
        (JSC::FTL::AbstractHeap::changeParent): Deleted.
        (JSC::FTL::AbstractField::AbstractField): Deleted.
        (JSC::FTL::AbstractField::initialize): Deleted.
        (JSC::FTL::AbstractField::offset): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forArrayType):
        (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        (JSC::FTL::Output::baseIndex):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::address):
        (JSC::FTL::Output::absolute):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::load32):
        (JSC::FTL::Output::load64):
        (JSC::FTL::Output::loadPtr):
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::store32):
        (JSC::FTL::Output::store64):
        (JSC::FTL::Output::storePtr):
        (JSC::FTL::Output::storeDouble):
        (JSC::FTL::Output::ascribeRange):
        (JSC::FTL::Output::nonNegative32):
        (JSC::FTL::Output::load32NonNegative):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::operator!):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::value):

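The range-numbering scheme and the deferred decoration described in the entry above, as an added illustration that is not part of this ChangeLog or of the JavaScriptCore sources. It is written in JavaScript for readability; the class and function names (AbstractHeap, checkRanges, recordAccess, decorateAll, buildSample) and the sample heap hierarchy are invented for the example and do not correspond to FTL's actual heap names or API.

```javascript
// Added example, not JSC code: assign B3-style half-open [begin, end) ranges to a
// tree of abstract heaps with one recursive traversal, check the three invariants
// from the entry, and decorate recorded memory operations only after lowering.

class AbstractHeap {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.begin = -1; // -1 until compute() has run
    this.end = -1;
    if (parent) parent.children.push(this);
  }

  // Each heap reserves one number for itself, then its children take consecutive
  // sub-ranges. This yields: end > begin, begin >= parent.begin, end <= parent.end.
  compute(begin = 0) {
    this.begin = begin;
    let next = begin + 1;
    for (const child of this.children) next = child.compute(next);
    this.end = next;
    return next;
  }

  isInitialized() { return this.begin >= 0; }

  // Two heaps may alias exactly when their ranges overlap.
  overlaps(other) { return this.begin < other.end && other.begin < this.end; }
}

// Walks the tree and returns the first invariant violation as a string, or null.
function checkRanges(heap) {
  if (!heap.isInitialized() || heap.end <= heap.begin)
    return `bad range on ${heap.name}`;
  if (heap.parent && (heap.begin < heap.parent.begin || heap.end > heap.parent.end))
    return `${heap.name} escapes its parent ${heap.parent.name}`;
  for (const child of heap.children) {
    const err = checkRanges(child);
    if (err) return err;
  }
  return null;
}

// A memory operation is recorded against a heap object while "lowering"; the numeric
// range is filled in later, because new heaps can still be created until lowering ends.
function recordAccess(pending, opName, heap) {
  const op = { opName, heap, range: null };
  pending.push(op);
  return op;
}

function decorateAll(root, pending) {
  root.compute(0);
  const err = checkRanges(root);
  if (err) throw new Error(err);
  for (const op of pending) op.range = [op.heap.begin, op.heap.end];
}

function mayAlias(a, b) { return a.heap.overlaps(b.heap); }

// Constructed sample: a root, two scalar fields and an indexed heap whose per-index
// child is only created part-way through lowering (a constant-index access).
function buildSample() {
  const root = new AbstractHeap("root");
  const structureID = new AbstractHeap("JSCell_structureID", root);
  const butterfly = new AbstractHeap("JSObject_butterfly", root);
  const indexed = new AbstractHeap("IndexedInt32Properties", root);
  const pending = [];
  const loadStructure = recordAccess(pending, "load structureID", structureID);
  const storeButterfly = recordAccess(pending, "store butterfly", butterfly);
  const index0 = new AbstractHeap("IndexedInt32Properties[0]", indexed); // appears late
  const storeIndex0 = recordAccess(pending, "store [0]", index0);
  const loadAnyIndex = recordAccess(pending, "load [i]", indexed);
  decorateAll(root, pending); // ranges: structureID [1,2), butterfly [2,3), indexed [3,5), [0] [4,5)
  return { root, pending, loadStructure, storeButterfly, storeIndex0, loadAnyIndex };
}
```

The point of the deferred decorateAll step is the one the entry makes: had structureID and butterfly been numbered before the "[0]" heap was created, inserting it would have shifted every range to its right, so the operations keep a reference to the heap object and receive numbers only once the hierarchy is final.
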
2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
        https://bugs.webkit.org/show_bug.cgi?id=153981

        Reviewed by Saam Barati.

        In the first iteration of the arrow function implementation, we emitted loads and stores of the
        variables 'this', 'arguments', 'super' and 'new.target' whenever an arrow function existed, even
        if those variables were not used in the arrow function. The current patch adds logic that
        prevents emitting those variables if they are not used in the arrow function. During syntax
        analysis the parser stores information about which variables are used in arrow functions inside
        the ordinary function scope, and then passes it to the BytecodeGenerator through UnlinkedCodeBlock.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::usesSuperCall):
        (JSC::ASTBuilder::usesSuperProperty):
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        * parser/Nodes.h:
        (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
        (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
        (JSC::ScopeNode::usesSuperCall):
        (JSC::ScopeNode::usesSuperProperty):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::isArrowFunctionBoundary):
        (JSC::Scope::innerArrowFunctionFeatures):
        (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
        (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
        (JSC::Scope::setInnerArrowFunctionUsesEval):
        (JSC::Scope::setInnerArrowFunctionUsesThis):
        (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
        (JSC::Scope::setInnerArrowFunctionUsesArguments):
        (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsArrowFunction):
        (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser<LexerType>::parse):
        * parser/ParserModes.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
        * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
        * tests/stress/arrowfunction-lexical-bind-newtarget.js:
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:
        * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.

2016-02-28  Saam barati  <sbarati@apple.com>

        ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
        https://bugs.webkit.org/show_bug.cgi?id=154768

        Reviewed by Ryosuke Niwa.

        This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
        http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
        We weren't correctly propagating the result of this operation to the
        out PropertySlot& parameter. This patch fixes that and adds tests.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        I added a missing exception check after object allocation
        because I saw that it was missing while reading the code.

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setUndefined):
        (JSC::PropertyDescriptor::slowGetterSetter):
        (JSC::PropertyDescriptor::getter):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::attributes):
        (JSC::PropertyDescriptor::value):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        * tests/es6.yaml:
        * tests/stress/proxy-get-own-property.js:
        (let.handler.getOwnPropertyDescriptor):
        (set get let.handler.return):
        (set get let.handler.getOwnPropertyDescriptor):
        (set get let):
        (set get let.a):
        (let.b):
        (let.setter):
        (let.getter):

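The observable contract that the entry above is about, as an added example rather than the project's proxy-get-own-property.js test: a Proxy whose getOwnPropertyDescriptor trap is the only source of the property, and which built-in operations are specified to consult [[GetOwnProperty]] (and therefore must see the trap's data or accessor descriptor) versus which go through other internal methods. The handler, the property names "x", "y" and "bad", and the helper names makeProxy and observe are constructed for this example.

```javascript
// Added example, not JSC test code: the trap returns a data descriptor for "x",
// an accessor descriptor for "y", and an invariant-violating descriptor for "bad".
function makeProxy() {
  const target = {}; // empty and extensible, so configurable descriptors are permitted
  const seen = [];   // records every key the trap was asked about
  const handler = {
    getOwnPropertyDescriptor(t, key) {
      seen.push(key);
      if (key === "x")
        return { value: 42, writable: true, enumerable: true, configurable: true };
      if (key === "y")
        return { get() { return 7; }, enumerable: false, configurable: true };
      if (key === "bad")
        return { value: 1, configurable: false }; // not on target: spec requires a TypeError
      return undefined;
    },
  };
  return { proxy: new Proxy(target, handler), seen };
}

// Runs the operations whose result depends on what [[GetOwnProperty]] reports.
function observe(proxy) {
  const x = Object.getOwnPropertyDescriptor(proxy, "x");
  const y = Object.getOwnPropertyDescriptor(proxy, "y");
  let badThrew = false;
  try {
    Object.getOwnPropertyDescriptor(proxy, "bad");
  } catch (e) {
    badThrew = e instanceof TypeError;
  }
  return {
    xValue: x.value,
    xEnumerable: x.enumerable,
    // An accessor descriptor must come back as get/set with no "value" field.
    yIsAccessor: typeof y.get === "function" && !("value" in y),
    yGetterResult: y.get(),
    // Both of these are defined in terms of [[GetOwnProperty]], so they see the trap.
    hasOwnX: Object.prototype.hasOwnProperty.call(proxy, "x"),
    enumerableX: Object.prototype.propertyIsEnumerable.call(proxy, "x"),
    // [[HasProperty]] and [[Get]] have their own traps; with none installed they
    // forward to the empty target, so the trap's "x" is invisible to them.
    inX: "x" in proxy,
    getX: proxy.x,
    badThrew,
  };
}
```

The last two fields are the practical caveat: a handler that only implements getOwnPropertyDescriptor changes what hasOwnProperty and Object.getOwnPropertyDescriptor report without changing `in` or property reads, because each internal method is trapped independently.
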
2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>

        Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
        https://bugs.webkit.org/show_bug.cgi?id=152448

        Reviewed by Darin Adler.

        Add defaultLanguage to the globalObjectMethodTable and use it for the
        default locale in Intl object initializations. Fall back to ICU default
        locale only if the defaultLanguage function is null, or returns an
        empty string.

        * jsc.cpp:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):

2016-02-27  Oliver Hunt  <oliver@apple.com>

        CLoop build fix.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2016-02-26  Oliver Hunt  <oliver@apple.com>

        Remove the on demand executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=154749

        Reviewed by Geoffrey Garen.

        Remove all the DemandExecutable code and executable allocator ifdefs.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.cpp: Removed.
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
        (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
        (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
        (JSC::DemandExecutableAllocator::allocators): Deleted.
        (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
        (JSC::ExecutableAllocator::initializeAllocator): Deleted.
        (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::isValid): Deleted.
        (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
        (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
        (JSC::ExecutableAllocator::allocate): Deleted.
        (JSC::ExecutableAllocator::committedByteCount): Deleted.
        (JSC::ExecutableAllocator::dumpProfile): Deleted.
        (JSC::ExecutableAllocator::getLock): Deleted.
        (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce direct callers of Structure::findStructuresAndMapForMaterialization
        https://bugs.webkit.org/show_bug.cgi?id=154751

        Reviewed by Mark Lam.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        This property name iteration is identical to Structure::forEachPropertyConcurrently.
        Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.

2016-02-26  Mark Lam  <mark.lam@apple.com>

        Function.name and Function.length should be configurable.
        https://bugs.webkit.org/show_bug.cgi?id=154604

        Reviewed by Saam Barati.

        According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
        "Unless otherwise specified, the name property of a built-in Function object,
        if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
        [[Configurable]]: true }."

        Similarly, "the length property of a built-in Function object has the attributes
        { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."

        This patch makes Function.name and Function.length configurable.

        We do this by lazily reifying the JSFunction name and length properties on first
        access.  We track whether each of these properties has been reified using flags
        in the FunctionRareData.  On first access, if not already reified, we will put
        the property into the object with its default value and attributes and set the
        reified flag.  Thereafter, we rely on the base JSObject to handle access to the
        property.

        Also, lots of test results have to be re-baselined because the old Function.length
        has attribute DontDelete, which is in conflict with the ES6 requirement that it
        is configurable.

        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::hasReifiedLength):
        (JSC::FunctionRareData::setHasReifiedLength):
        (JSC::FunctionRareData::hasReifiedName):
        (JSC::FunctionRareData::setHasReifiedName):
        - Flags for tracking whether each property has been reified.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::createBuiltinFunction):
        - Host and builtin functions currently always reify their name and length
          properties.  Currently, for builtins, the default names that are used may
          differ from the executable name.  For now, we'll stay with keeping this
          alternate approach to getting the name and length properties for host and
          builtin functions.
          However, we need their default attribute to be configurable as well.

        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::lengthGetter): Deleted.
        (JSC::JSFunction::nameGetter): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::hasReifiedLength):
        (JSC::JSFunction::hasReifiedName):

        * tests/es6.yaml:
        - 4 new passing tests.

        * tests/mozilla/ecma/Array/15.4.4.3-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-2.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
        * tests/mozilla/ecma/String/15.5.4.10-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-5.js:
        * tests/mozilla/ecma/String/15.5.4.12-1.js:
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        * tests/mozilla/ecma/String/15.5.4.7-2.js:
        * tests/mozilla/ecma/String/15.5.4.8-1.js:
        * tests/mozilla/ecma/String/15.5.4.9-1.js:
        - Rebase expected test results.

        * tests/stress/function-configurable-properties.js: Added.

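What "{ [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }" permits in practice, as an added example that is not the project's function-configurable-properties.js test: the attributes of "name" and "length" on a user function and on a built-in, that plain assignment is still rejected (a TypeError in strict code) while defineProperty and delete succeed, and that after deleting "name" the lookup falls through to Function.prototype.name, which is the empty string. The helper names (describeFunction, assignIsRejected, redefineLength, deleteName, demo) and the sample function are constructed for this example.

```javascript
// Added example, not JSC test code: exercise the ES2015 attributes of Function
// "name" and "length" and the operations that configurable: true enables.
function describeFunction(fn) {
  const pick = (d) => ({
    value: d.value,
    writable: d.writable,
    enumerable: d.enumerable,
    configurable: d.configurable,
  });
  return {
    name: pick(Object.getOwnPropertyDescriptor(fn, "name")),
    length: pick(Object.getOwnPropertyDescriptor(fn, "length")),
  };
}

// Non-writable: assignment throws in strict mode regardless of configurability.
function assignIsRejected(fn) {
  "use strict";
  try {
    fn.length = 123;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Configurable: [[DefineOwnProperty]] may replace the value even though it is not writable.
function redefineLength(fn, newLength) {
  Object.defineProperty(fn, "length", { value: newLength });
  return fn.length;
}

// Configurable: delete succeeds, and the inherited Function.prototype.name ("") shows through.
function deleteName(fn) {
  const deleted = delete fn.name;
  return {
    deleted,
    hasOwn: Object.prototype.hasOwnProperty.call(fn, "name"),
    inherited: fn.name,
  };
}

// Runs every check on a fresh function so the results are independent of call order.
function demo() {
  function sample(a, b) {}
  return {
    user: describeFunction(sample),
    builtin: describeFunction(Array.prototype.map),
    assignRejected: assignIsRejected(sample),
    redefinedLength: redefineLength(sample, 7),
    afterDelete: deleteName(sample),
  };
}
```

The rebaselined Mozilla tests in the entry above are the flip side of the same point: under the old DontDelete attribute the delete in deleteName returned false and the own property stayed in place.
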
2016-02-26  Keith Miller  <keith_miller@apple.com>

        Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
        https://bugs.webkit.org/show_bug.cgi?id=154743

        Reviewed by Mark Lam.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-02-26  Keith Miller  <keith_miller@apple.com>

        Native Typed Array functions should use Symbol.species
        https://bugs.webkit.org/show_bug.cgi?id=154569

        Reviewed by Michael Saboff.

        This patch adds support for Symbol.species in the native Typed Array prototype
        functions. Additionally, now that other types of typed arrays are creatable inside
        the slice we use the JSGenericTypedArrayView::set function, which has been beefed
        up, to put everything into the correct place.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::set):
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        * tests/stress/typedarray-slice.js:
        (subclasses.typedArrays.map):
        (testSpecies):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
        (testSpeciesWithSameBuffer):
        * tests/stress/typedarray-subarray.js: Added.
        (subclasses.typedArrays.map):
        (testSpecies):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):

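The behaviours the entry above describes, as an added example rather than the project's typedarray-slice.js and typedarray-subarray.js tests: a subclass whose default species is itself, a subclass whose species is a different element type (the case where slice must copy element by element into the new array instead of copying bytes), the fallback to the intrinsic constructor when the instance's "constructor" is undefined, and subarray producing a species-constructed view over the same buffer. It also shows one edge case: a species with a wider element type makes subarray fail with a RangeError when the byte offset is not aligned. The class names Tagged and Widened and the helper names sliceSpecies and subarraySpecies are constructed for this example.

```javascript
// Added example, not JSC test code: Symbol.species on typed array prototype methods.
class Tagged extends Uint8Array {}            // inherits species getter: returns Tagged
class Widened extends Uint8Array {            // species of a different element type
  static get [Symbol.species]() { return Float64Array; }
}

function sliceSpecies() {
  const tagged = Tagged.from([1, 2, 3, 4]);
  const widened = Widened.from([1, 2, 3, 4]);
  const a = tagged.slice(1, 3);     // species is Tagged: result is a Tagged
  const b = widened.slice(1, 3);    // species is Float64Array: values copied one by one
  const noCtor = Tagged.from([9, 8]);
  noCtor.constructor = undefined;   // SpeciesConstructor falls back to %Uint8Array%
  const c = noCtor.slice();
  return {
    aIsTagged: a instanceof Tagged,
    bCtor: b.constructor.name,
    bValues: Array.from(b),
    cCtor: c.constructor.name,
    cIsTagged: c instanceof Tagged,
  };
}

function subarraySpecies() {
  const tagged = Tagged.from([10, 20, 30, 40]);
  const view = tagged.subarray(1, 3); // species-constructed, shares tagged.buffer
  view[0] = 99;                        // visible through the original array
  let alignmentError = false;
  try {
    // new Float64Array(buffer, 1, 2): byte offset 1 is not a multiple of 8
    Widened.from([1, 2, 3, 4]).subarray(1, 3);
  } catch (e) {
    alignmentError = e instanceof RangeError;
  }
  return {
    viewIsTagged: view instanceof Tagged,
    sharedBuffer: view.buffer === tagged.buffer,
    taggedAfterWrite: Array.from(tagged),
    alignmentError,
  };
}
```

The alignment failure is worth knowing when overriding species on typed array subclasses: slice allocates a fresh buffer and tolerates any element type, but subarray hands the species constructor the existing buffer and offset, so a species with a larger element size only works when the offset happens to be aligned.
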
2016-02-26  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
        https://bugs.webkit.org/show_bug.cgi?id=154704

        Reviewed by Geoffrey Garen.

        If the Imm is zero, we should still zero the top bits
        to match the definition in AirOpcodes.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        * b3/testb3.cpp:

2016-02-26  Oliver Hunt  <oliver@apple.com>

        Make testRegExp not crash when given an invalid regexp
        https://bugs.webkit.org/show_bug.cgi?id=154732

        Reviewed by Mark Lam.

        * testRegExp.cpp:
        (parseRegExpLine):

2016-02-26  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Add the test for r197155
        https://bugs.webkit.org/show_bug.cgi?id=154715

        Reviewed by Mark Lam.

        Silly me. I forgot the test in the latest patch update.

        * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.

2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Drop unnecessary proved type branch in ToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=154716

        Reviewed by Geoffrey Garen.

        This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
        In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
        This patch removes the remaining JIT32_64 case.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

644 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
645
646         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
647         https://bugs.webkit.org/show_bug.cgi?id=154575
648
649         Reviewed by Filip Pizlo.
650
651         I noticed that imaging-gaussian-blur spends most of its
652         samples in DFG code despite executing most of the loop
653         iterations in FTL.
654
655         On this particular test, the main function is only entered
656         once and have a very heavy loop there. What happens is DFG
657         starts by compiling the full function in FTL. That takes about
658         8 to 10 milliseconds during which the DFG code makes very little
659         progress. The calls to triggerOSREntryNow() try to OSR Enter
660         for a while then finally start compiling something. By the time
661         the function is ready, we have wasted a lot of time in DFG code.
662
663         What this patch does is set a flag when a DFG function is entered.
664         If we try to triggerOSREntryNow() and the flag was never set,
665         we start compiling both the full function and the one for OSR Entry.
666
667         * dfg/DFGJITCode.h:
668         * dfg/DFGJITCompiler.cpp:
669         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
670         (JSC::DFG::JITCompiler::compile):
671         (JSC::DFG::JITCompiler::compileFunction):
672         * dfg/DFGJITCompiler.h:
673         * dfg/DFGOperations.cpp:
674         * dfg/DFGPlan.cpp:
675         (JSC::DFG::Plan::Plan): Deleted.
676         * dfg/DFGPlan.h:
677         * dfg/DFGTierUpCheckInjectionPhase.cpp:
678         (JSC::DFG::TierUpCheckInjectionPhase::run):
679
680 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
681
682         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
683         https://bugs.webkit.org/show_bug.cgi?id=154664
684
685         Reviewed by Saam Barati.
686
687         When doing OSR Enter into a constructor, we lose the information
688         that this may have been set to empty by a previously executed block.
689
690         All the code just assumed the type for a FlushedJS value and thus
691         not an empty value. It was then okay to eliminate the TDZ checks.
692
693         In this patch, the values on root entry now assume they may be empty.
694         As a result, the SetArgument() for "this" has "empty" as possible
695         type and the TDZ checks are no longer eliminated.
696
697         * dfg/DFGInPlaceAbstractState.cpp:
698         (JSC::DFG::InPlaceAbstractState::initialize):
699
700 2016-02-25  Ada Chan  <adachan@apple.com>
701
702         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
703         https://bugs.webkit.org/show_bug.cgi?id=154702
704
705         Reviewed by Dan Bernstein.
706
707         * Configurations/FeatureDefines.xcconfig:
708
709 2016-02-25  Saam barati  <sbarati@apple.com>
710
711         [ES6] for...in iteration doesn't comply with the specification
712         https://bugs.webkit.org/show_bug.cgi?id=154665
713
714         Reviewed by Michael Saboff.
715
716         If you read ForIn/OfHeadEvaluation inside the spec:
717         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
718         It calls EnumerateObjectProperties(obj) to get a set of properties
719         to enumerate over (it models this "set" as en ES6 generator function).
720         EnumerateObjectProperties is defined in section 13.7.5.15:
721         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
722         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
723         properties it sees. We must do the same by modeling the operation as
724         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
725
726         * jit/JITOperations.cpp:
727         * jit/JITOperations.h:
728         * runtime/CommonSlowPaths.cpp:
729         (JSC::SLOW_PATH_DECL):
730         * runtime/JSObject.cpp:
731         (JSC::JSObject::hasProperty):
732         (JSC::JSObject::hasPropertyGeneric):
733         * runtime/JSObject.h:
734         * tests/stress/proxy-get-own-property.js:
735         (assert):
736         (let.handler.getOwnPropertyDescriptor):
737         (i.set assert):
738
739 2016-02-25  Saam barati  <sbarati@apple.com>
740
741         [ES6] Implement Proxy.[[Set]]
742         https://bugs.webkit.org/show_bug.cgi?id=154511
743
744         Reviewed by Filip Pizlo.
745
746         This patch is mostly an implementation of
747         Proxy.[[Set]] with respect to section 9.5.9
748         of the ECMAScript spec.
749         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
750
751         This patch also changes JSObject::putInline and JSObject::putByIndex
752         to be aware that a Proxy in the prototype chain will intercept
753         property accesses.
754
755         * runtime/JSObject.cpp:
756         (JSC::JSObject::putInlineSlow):
757         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
758         * runtime/JSObject.h:
759         * runtime/JSObjectInlines.h:
760         (JSC::JSObject::canPerformFastPutInline):
761         (JSC::JSObject::putInline):
762         * runtime/JSType.h:
763         * runtime/ProxyObject.cpp:
764         (JSC::ProxyObject::getOwnPropertySlotByIndex):
765         (JSC::ProxyObject::performPut):
766         (JSC::ProxyObject::put):
767         (JSC::ProxyObject::putByIndexCommon):
768         (JSC::ProxyObject::putByIndex):
769         (JSC::performProxyCall):
770         (JSC::ProxyObject::getCallData):
771         (JSC::performProxyConstruct):
772         (JSC::ProxyObject::deletePropertyByIndex):
773         (JSC::ProxyObject::visitChildren):
774         * runtime/ProxyObject.h:
775         (JSC::ProxyObject::create):
776         (JSC::ProxyObject::createStructure):
777         (JSC::ProxyObject::target):
778         (JSC::ProxyObject::handler):
779         * tests/es6.yaml:
780         * tests/stress/proxy-set.js: Added.
781         (assert):
782         (throw.new.Error.let.handler.set 45):
783         (throw.new.Error):
784         (let.target.set x):
785         (let.target.get x):
786         (set let):
787
788 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
789
790         [JSC] Remove a useless "Move" in the lowering of Select
791         https://bugs.webkit.org/show_bug.cgi?id=154670
792
793         Reviewed by Geoffrey Garen.
794
795         I left the Move instruction when creating the aliasing form
796         of Select.
797
798         On ARM64, that meant a useless move for any case that can't
799         be coalesced.
800
801         On x86, that meant an extra constraint on child2, making it
802         stupidly hard to alias child1.
803
804         * b3/B3LowerToAir.cpp:
805         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
806
807 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
808
809         Web Inspector: Expose Proxy target and handler internal properties to Inspector
810         https://bugs.webkit.org/show_bug.cgi?id=154663
811
812         Reviewed by Timothy Hatcher.
813
814         * inspector/JSInjectedScriptHost.cpp:
815         (Inspector::JSInjectedScriptHost::getInternalProperties):
816         Expose the ProxyObject's target and handler.
817
818 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
819
820         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
821         https://bugs.webkit.org/show_bug.cgi?id=151688
822
823         Reviewed by Dean Jackson.
824
825         Enables the WEB_ANIMATIONS compiler switch.
826
827         * Configurations/FeatureDefines.xcconfig:
828
829 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
830
831         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
832         https://bugs.webkit.org/show_bug.cgi?id=154651
833
834         Reviewed by Alex Christensen.
835
836         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
837
838 2016-02-24  Commit Queue  <commit-queue@webkit.org>
839
840         Unreviewed, rolling out r197033.
841         https://bugs.webkit.org/show_bug.cgi?id=154649
842
843         "It broke JSC tests when 'this' was loaded from global scope"
844         (Requested by saamyjoon on #webkit).
845
846         Reverted changeset:
847
848         "[ES6] Arrow function syntax. Emit loading&putting this/super
849         only if they are used in arrow function"
850         https://bugs.webkit.org/show_bug.cgi?id=153981
851         http://trac.webkit.org/changeset/197033
852
853 2016-02-24  Saam Barati  <sbarati@apple.com>
854
855         [ES6] Implement Proxy.[[Delete]]
856         https://bugs.webkit.org/show_bug.cgi?id=154607
857
858         Reviewed by Mark Lam.
859
860         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
861         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
862
863         * runtime/ProxyObject.cpp:
864         (JSC::ProxyObject::getConstructData):
865         (JSC::ProxyObject::performDelete):
866         (JSC::ProxyObject::deleteProperty):
867         (JSC::ProxyObject::deletePropertyByIndex):
868         * runtime/ProxyObject.h:
869         * tests/es6.yaml:
870         * tests/stress/proxy-delete.js: Added.
871         (assert):
872         (throw.new.Error.let.handler.get deleteProperty):
873         (throw.new.Error):
874         (assert.let.handler.deleteProperty):
875         (let.handler.deleteProperty):
876
877 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
878
879         Stackmaps have problems with double register constraints
880         https://bugs.webkit.org/show_bug.cgi?id=154643
881
882         Reviewed by Geoffrey Garen.
883
884         This is currently a benign bug. I found it while playing.
885
886         * b3/B3LowerToAir.cpp:
887         (JSC::B3::Air::LowerToAir::fillStackmap):
888         * b3/testb3.cpp:
889         (JSC::B3::testURShiftSelf64):
890         (JSC::B3::testPatchpointDoubleRegs):
891         (JSC::B3::zero):
892         (JSC::B3::run):
893
894 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
895
896         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
897         https://bugs.webkit.org/show_bug.cgi?id=153981
898
899         Reviewed by Saam Barati.
900        
901         In first iteration of implemenation arrow function, we emit load and store variables 'this', 'arguments',
902         'super', 'new.target' in case if arrow function is exist even variables are not used in arrow function. 
903         Current patch added logic that prevent from emiting those varibles if they are not used in arrow function.
904         During syntax analyze parser store information about using variables in arrow function inside of 
905         the ordinary function scope and then put to BytecodeGenerator through UnlinkedCodeBlock
906
907         * bytecode/ExecutableInfo.h:
908         (JSC::ExecutableInfo::ExecutableInfo):
909         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
910         * bytecode/UnlinkedCodeBlock.cpp:
911         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
912         * bytecode/UnlinkedCodeBlock.h:
913         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
914         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
915         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
916         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
917         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
918         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
919         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
920         * bytecode/UnlinkedFunctionExecutable.cpp:
921         (JSC::generateUnlinkedFunctionCodeBlock):
922         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
923         * bytecode/UnlinkedFunctionExecutable.h:
924         * bytecompiler/BytecodeGenerator.cpp:
925         (JSC::BytecodeGenerator::BytecodeGenerator):
926         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
927         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
928         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
929         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
930         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
931         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
932         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
933         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
934         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
935         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
936         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
937         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
938         * bytecompiler/BytecodeGenerator.h:
939         * bytecompiler/NodesCodegen.cpp:
940         (JSC::ThisNode::emitBytecode):
941         (JSC::EvalFunctionCallNode::emitBytecode):
942         (JSC::FunctionCallValueNode::emitBytecode):
943         (JSC::FunctionNode::emitBytecode):
944         * parser/ASTBuilder.h:
945         (JSC::ASTBuilder::createFunctionMetadata):
946         * parser/Nodes.cpp:
947         (JSC::FunctionMetadataNode::FunctionMetadataNode):
948         * parser/Nodes.h:
949         * parser/Parser.cpp:
950         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
951         (JSC::Parser<LexerType>::parseFunctionBody):
952         (JSC::Parser<LexerType>::parseFunctionInfo):
953         (JSC::Parser<LexerType>::parseProperty):
954         (JSC::Parser<LexerType>::parsePrimaryExpression):
955         (JSC::Parser<LexerType>::parseMemberExpression):
956         * parser/Parser.h:
957         (JSC::Scope::Scope):
958         (JSC::Scope::isArrowFunctionBoundary):
959         (JSC::Scope::innerArrowFunctionFeatures):
960         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
961         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
962         (JSC::Scope::setInnerArrowFunctionUseEval):
963         (JSC::Scope::setInnerArrowFunctionUseThis):
964         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
965         (JSC::Scope::setInnerArrowFunctionUseArguments):
966         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
967         (JSC::Scope::collectFreeVariables):
968         (JSC::Scope::mergeInnerArrowFunctionFeatures):
969         (JSC::Scope::fillParametersForSourceProviderCache):
970         (JSC::Scope::restoreFromSourceProviderCache):
971         (JSC::Scope::setIsFunction):
972         (JSC::Scope::setIsArrowFunction):
973         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
974         (JSC::Parser::pushScope):
975         (JSC::Parser::popScopeInternal):
976         * parser/ParserModes.h:
977         * parser/SourceProviderCacheItem.h:
978         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
979         * parser/SyntaxChecker.h:
980         (JSC::SyntaxChecker::createFunctionMetadata):
981         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
982         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
983         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
984         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
985         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
986
987 2016-02-23  Brian Burg  <bburg@apple.com>
988
989         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
990         https://bugs.webkit.org/show_bug.cgi?id=154615
991         <rdar://problem/24804330>
992
993         Reviewed by Timothy Hatcher.
994
995         Some of the generated Objective-C bindings are only relevant to code acting as the
996         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
997         --backend to all generators. Use the setting in a few generators to omit code that's
998         not needed.
999
1000         Also fix a few places where the code emits the wrong Objective-C class prefix.
1001         There is some common non-generated code that must always have the RWIProtocol prefix.
1002
1003         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1004         macros defined in the internal header now need to be used outside of the framework.
1005
1006         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1007         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1008         depending on the target framework.
1009
1010         * inspector/scripts/codegen/generate_objc_header.py:
1011         (ObjCHeaderGenerator.generate_output):
1012         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1013
1014         (ObjCHeaderGenerator._generate_type_interface):
1015         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1016
1017         * inspector/scripts/codegen/generate_objc_internal_header.py:
1018         Use RWIProtocolJSONObjectPrivate.h instead.
1019
1020         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1021         (ObjCProtocolTypesImplementationGenerator.generate_output):
1022         Include the Internal header if it's being generated (only for --backend).
1023
1024         * inspector/scripts/codegen/generator.py:
1025         (Generator.__init__):
1026         (Generator.set_generator_setting):
1027         (Generator):
1028         (Generator.get_generator_setting):
1029         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1030
1031         (Generator.string_for_file_include):
1032         Inspired by the replay input generator, this is a function that uses the proper syntax
1033         for a file include depending on the file's framework and target framework.
1034
1035         * inspector/scripts/codegen/objc_generator.py:
1036         (ObjCGenerator.and):
1037         (ObjCGenerator.and.objc_prefix):
1038         (ObjCGenerator):
1039         (ObjCGenerator.objc_type_for_raw_name):
1040         (ObjCGenerator.objc_class_for_raw_name):
1041         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1042
1043         * inspector/scripts/generate-inspector-protocol-bindings.py:
1044         (generate_from_specification):
1045         Change the generators to use for the frontend. Propagate --frontend and --backend.
1046
1047         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1048         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1049         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1050         * inspector/scripts/tests/expected/enum-values.json-result:
1051         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1052         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1053         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1054         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1055         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1056         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1057         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1058         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1059         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1060         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1061
1062 2016-02-23  Saam barati  <sbarati@apple.com>
1063
1064         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1065         https://bugs.webkit.org/show_bug.cgi?id=154621
1066
1067         Reviewed by Michael Saboff.
1068
1069         * runtime/ArrayPrototype.cpp:
1070         (JSC::arrayProtoFuncConcat):
1071
1072 2016-02-23  Dan Bernstein  <mitz@apple.com>
1073
1074         [Xcode] Linker errors display mangled names, but no longer should
1075         https://bugs.webkit.org/show_bug.cgi?id=154632
1076
1077         Reviewed by Sam Weinig.
1078
1079         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1080
1081 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1082
1083         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1084         https://bugs.webkit.org/show_bug.cgi?id=112323
1085
1086         Reviewed by Chris Dumez.
1087
1088         This feature is controlled by a runtime switch, and defaults off.
1089
1090         * Configurations/FeatureDefines.xcconfig:
1091
1092 2016-02-23  Keith Miller  <keith_miller@apple.com>
1093
1094         JSC stress tests' standalone-pre.js should exit on the first failure by default
1095         https://bugs.webkit.org/show_bug.cgi?id=154565
1096
1097         Reviewed by Mark Lam.
1098
1099         Currently, if a test writer does not call finishJSTest() at the end of
1100         any test using stress/resources/standalone-pre.js then the test can fail
1101         without actually reporting an error to the harness. By default, we
1102         should throw on the first error so, in the event someone does not call
1103         finishJSTest() the harness will still notice the error.
1104
1105         * tests/stress/regress-151324.js:
1106         * tests/stress/resources/standalone-pre.js:
1107         (testFailed):
1108
1109 2016-02-23  Saam barati  <sbarati@apple.com>
1110
1111         Make JSObject::getMethod have fewer branches
1112         https://bugs.webkit.org/show_bug.cgi?id=154603
1113
1114         Reviewed by Mark Lam.
1115
1116         Writing code with fewer branches is almost always better.
1117
1118         * runtime/JSObject.cpp:
1119         (JSC::JSObject::getMethod):
1120
1121 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1122
1123         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1124         https://bugs.webkit.org/show_bug.cgi?id=154592
1125
1126         Reviewed by Saam Barati.
1127
1128         If Foo has a virtual destructor, then:
1129
1130         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1131         subclass of Foo that overrides the destructor, this syntax will not call that override.
1132
1133         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1134         get the subclass's override.
1135
1136         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1137         This caused leaks because this didn't actually call the subclass's override. This fixes the
1138         problem by using this->~Value() instead.
1139
1140         * b3/B3ControlValue.cpp:
1141         (JSC::B3::ControlValue::convertToJump):
1142         (JSC::B3::ControlValue::convertToOops):
1143         * b3/B3Value.cpp:
1144         (JSC::B3::Value::replaceWithIdentity):
1145         (JSC::B3::Value::replaceWithNop):
1146         (JSC::B3::Value::replaceWithPhi):
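
        The two destructor-call forms described in the entry above, as an added illustration (example code written for this ChangeLog, not JavaScriptCore's own; Base and Derived are hypothetical stand-ins for B3::Value and one of its subclasses, and the destroy-then-placement-new pattern mirrors what the replaceWith* methods do):

```cpp
#include <cassert>
#include <new>

// Hypothetical stand-in for B3::Value (not JSC code). The replaceInPlace*
// methods follow the replaceWith* pattern: destroy the object in place,
// then placement-new a fresh Base into the same storage.
struct Base {
    virtual ~Base() = default;

    // Qualified call: this->Base::~Base() is a NON-virtual call. If the
    // object is really a Derived, Derived::~Derived() never runs, so any
    // resources Derived owns are leaked. This is the form the fix removes.
    void replaceInPlaceNonVirtual() {
        this->Base::~Base();
        new (this) Base();
    }

    // Unqualified call: this->~Base() dispatches virtually, so the most
    // derived destructor runs first. This is the form the fix adopts.
    void replaceInPlaceVirtual() {
        this->~Base();
        new (this) Base();
    }
};

// Hypothetical subclass that needs its own destructor to run (stand-in for
// a Value subclass owning extra state).
struct Derived : Base {
    static int destructorCalls;  // counts how often ~Derived actually ran
    ~Derived() override { ++destructorCalls; }
};
int Derived::destructorCalls = 0;

// Builds a Derived in local storage, replaces it in place through a Base*
// using the chosen call form, and reports whether ~Derived ran.
// Returns 0 for the qualified (non-virtual) form, 1 for the virtual form.
int derivedDestructorRuns(bool useVirtualCall) {
    Derived::destructorCalls = 0;
    alignas(Derived) unsigned char storage[sizeof(Derived)];
    Base* object = new (storage) Derived();
    if (useVirtualCall)
        object->replaceInPlaceVirtual();
    else
        object->replaceInPlaceNonVirtual();
    // The storage now holds a plain Base; tear it down normally.
    object->~Base();
    return Derived::destructorCalls;
}

int main() {
    assert(derivedDestructorRuns(false) == 0);  // ~Derived skipped: leak
    assert(derivedDestructorRuns(true) == 1);   // ~Derived ran
    return 0;
}
```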

2016-02-23  Brian Burg  <bburg@apple.com>

        Web Inspector: the protocol generator's Objective-C name prefix should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=154596
        <rdar://problem/24794962>

        Reviewed by Timothy Hatcher.

        In order to support different generated protocol sets that don't have conflicting
        file and type names, allow the Objective-C prefix to be configurable based on the
        target framework. Each name also has the implicit prefix 'Protocol' appended to the
        per-target framework prefix.

        For example, the existing protocol for remote inspection has the prefix 'RWI'
        and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
        and is generated as 'AutomationProtocol'.

        To make this change, convert ObjCGenerator to be a subclass of Generator and use
        the instance method model() to find the target framework and its setting for
        'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
        these instance methods that used to be static methods. This is a large but
        mechanical change to use self instead of ObjCGenerator.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator):
        (ObjCBackendDispatcherHeaderGenerator.__init__):
        (ObjCBackendDispatcherHeaderGenerator.output_filename):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator):
        (ObjCConfigurationImplementationGenerator.__init__):
        (ObjCConfigurationImplementationGenerator.output_filename):
        (ObjCConfigurationImplementationGenerator.generate_output):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator):
        (ObjCConfigurationHeaderGenerator.__init__):
        (ObjCConfigurationHeaderGenerator.output_filename):
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator):
        (ObjCBackendDispatcherImplementationGenerator.__init__):
        (ObjCBackendDispatcherImplementationGenerator.output_filename):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
        (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
        (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        (ObjCConversionHelpersGenerator):
        (ObjCConversionHelpersGenerator.__init__):
        (ObjCConversionHelpersGenerator.output_filename):
        (ObjCConversionHelpersGenerator.generate_output):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator):
        (ObjCFrontendDispatcherImplementationGenerator.__init__):
        (ObjCFrontendDispatcherImplementationGenerator.output_filename):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator):
        (ObjCHeaderGenerator.__init__):
        (ObjCHeaderGenerator.output_filename):
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_forward_declarations):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
        (ObjCHeaderGenerator._generate_type_interface):
        (ObjCHeaderGenerator._generate_init_method_for_required_members):
        (ObjCHeaderGenerator._generate_member_property):
        (ObjCHeaderGenerator._generate_command_protocols):
        (ObjCHeaderGenerator._generate_single_command_protocol):
        (ObjCHeaderGenerator._callback_block_for_command):
        (ObjCHeaderGenerator._generate_event_interfaces):
        (ObjCHeaderGenerator._generate_single_event_interface):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator):
        (ObjCInternalHeaderGenerator.__init__):
        (ObjCInternalHeaderGenerator.output_filename):
        (ObjCInternalHeaderGenerator.generate_output):
        (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator):
        (ObjCProtocolTypesImplementationGenerator.__init__):
        (ObjCProtocolTypesImplementationGenerator.output_filename):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
        (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
        * inspector/scripts/codegen/models.py:
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCTypeCategory.category_for_type):
        (ObjCGenerator):
        (ObjCGenerator.__init__):
        (ObjCGenerator.objc_prefix):
        (ObjCGenerator.objc_name_for_type):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
        (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
        (ObjCGenerator.objc_class_for_type):
        (ObjCGenerator.objc_class_for_array_type):
        (ObjCGenerator.objc_accessor_type_for_member):
        (ObjCGenerator.objc_accessor_type_for_member_internal):
        (ObjCGenerator.objc_type_for_member):
        (ObjCGenerator.objc_type_for_member_internal):
        (ObjCGenerator.objc_type_for_param):
        (ObjCGenerator.objc_type_for_param_internal):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_member):
        (ObjCGenerator.objc_protocol_import_expression_for_parameter):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member):

        Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1287         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1288         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1289         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1290         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1291         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1292         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1293         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1294
1295 2016-02-23  Mark Lam  <mark.lam@apple.com>
1296
1297         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1298         https://bugs.webkit.org/show_bug.cgi?id=154542
1299
1300         Reviewed by Saam Barati.
1301
1302         According to the spec, the constructors of the following types "are not intended
1303         to be called as a function and will throw an exception".  These types are:
1304             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1305             Map - https://tc39.github.io/ecma262/#sec-map-constructor
1306             Set - https://tc39.github.io/ecma262/#sec-set-constructor
1307             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1308             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1309             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1310             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1311             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1312             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1313
1314         This patch does the following:
1315         1. Ensures that these constructors can be called but will throw a TypeError
1316            when called.
1317         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1318            in their implementation to be consistent.
1319         3. Changes the error message to "calling XXX constructor without new is invalid".
1320            This is clearer because the error is likely due to the user forgetting to use
1321            the new operator on these constructors.
1322
1323         * runtime/Error.h:
1324         * runtime/Error.cpp:
1325         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1326         - Added a convenience function to throw the TypeError.
1327
1328         * runtime/JSArrayBufferConstructor.cpp:
1329         (JSC::constructArrayBuffer):
1330         (JSC::callArrayBuffer):
1331         (JSC::JSArrayBufferConstructor::getCallData):
1332         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1333         (JSC::callGenericTypedArrayView):
1334         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1335         * runtime/JSPromiseConstructor.cpp:
1336         (JSC::callPromise):
1337         * runtime/MapConstructor.cpp:
1338         (JSC::callMap):
1339         * runtime/ProxyConstructor.cpp:
1340         (JSC::callProxy):
1341         (JSC::ProxyConstructor::getCallData):
1342         * runtime/SetConstructor.cpp:
1343         (JSC::callSet):
1344         * runtime/WeakMapConstructor.cpp:
1345         (JSC::callWeakMap):
1346         * runtime/WeakSetConstructor.cpp:
1347         (JSC::callWeakSet):
1348
1349         * tests/es6.yaml:
1350         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
1351
1352         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
1353         (test):
1354
1355         * tests/stress/map-constructor.js:
1356         (testCallTypeError):
1357         * tests/stress/promise-cannot-be-called.js:
1358         (shouldThrow):
1359         * tests/stress/proxy-basic.js:
1360         * tests/stress/set-constructor.js:
1361         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
1362         (i.catch):
1363         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
1364         (i.catch):
1365         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
1366         (i.catch):
1367         * tests/stress/weak-map-constructor.js:
1368         (testCallTypeError):
1369         * tests/stress/weak-set-constructor.js:
1370         - Updated error message string.
1371
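Added example (not part of this ChangeLog or of JavaScriptCore): a script-level check of the spec rule the entry above implements. The listed constructors must throw a TypeError when called without `new` but construct normally with it; for contrast it also covers constructors the spec defines as callable (Date, String, Error, ...), which complete when called as functions. The argument lists are constructed here so that `new` succeeds for every entry.

```javascript
// Constructors the entry lists as "not intended to be called as a function",
// paired with constructed arguments that make `new ctor(...args)` succeed.
const REQUIRE_NEW = [
  [Int8Array, [4]], [Uint8Array, [4]], [Float64Array, [2]],
  [Map, []], [Set, []], [WeakMap, []], [WeakSet, []],
  [ArrayBuffer, [8]], [DataView, [new ArrayBuffer(8)]],
  [Promise, [resolve => resolve()]], [Proxy, [{}, {}]],
];

// Constructors the spec defines as callable without `new`.
const CALLABLE = [Object, Array, Function, String, Number, Boolean, Date, Error, RegExp];

// 'type-error' if `ctor(...args)` throws a TypeError, 'other-error' for any
// other exception, 'returns' if the call completes.
function behaviourWithoutNew(ctor, args = []) {
  try {
    ctor(...args);
    return 'returns';
  } catch (e) {
    return e instanceof TypeError ? 'type-error' : 'other-error';
  }
}

// True when `new ctor(...args)` produces an object. (instanceof is avoided on
// purpose: Proxy has no `prototype` property, so `x instanceof Proxy` throws.)
function constructsWithNew(ctor, args = []) {
  try {
    const obj = new ctor(...args);
    return obj !== null && (typeof obj === 'object' || typeof obj === 'function');
  } catch (e) {
    return false;
  }
}

// Returns the names of constructors that violate each rule; all three lists
// are empty on a spec-conformant engine.
function auditConstructors() {
  return {
    callableWithoutNew: REQUIRE_NEW
      .filter(([c, a]) => behaviourWithoutNew(c, a) !== 'type-error')
      .map(([c]) => c.name),
    failWithNew: REQUIRE_NEW
      .filter(([c, a]) => !constructsWithNew(c, a))
      .map(([c]) => c.name),
    notCallable: CALLABLE
      .filter(c => behaviourWithoutNew(c) !== 'returns')
      .map(c => c.name),
  };
}
```

The distinction matters beyond tidiness: a constructor that silently completes when called as a function returns a value the caller did not expect, which is exactly the class of mistake the clearer "without new is invalid" message is meant to catch.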
1372 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
1373
1374         ASan build fix.
1375
1376         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
1377
1378         * inspector/InspectorBackendDispatcher.h:
1379
1380 2016-02-23  Brian Burg  <bburg@apple.com>
1381
1382         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
1383         https://bugs.webkit.org/show_bug.cgi?id=154518
1384         <rdar://problem/24761096>
1385
1386         Reviewed by Timothy Hatcher.
1387
1388         * inspector/InspectorBackendDispatcher.h:
1389         Export all the classes since they are used by WebKit::WebAutomationSession.
1390
1391 2016-02-22  Brian Burg  <bburg@apple.com>
1392
1393         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1394         https://bugs.webkit.org/show_bug.cgi?id=154509
1395         <rdar://problem/24759098>
1396
1397         Reviewed by Timothy Hatcher.
1398
1399         Add a new 'WebKit' framework, which is used to generate protocol code
1400         in WebKit2.
1401
1402         Add --backend and --frontend flags to the main generator script.
1403         These allow a framework to trigger two different sets of generators
1404         so they can be separately generated and compiled.
1405
1406         * inspector/scripts/codegen/models.py:
1407         (Framework.fromString):
1408         (Frameworks): Add new framework.
1409
1410         * inspector/scripts/generate-inspector-protocol-bindings.py:
1411         If neither --backend nor --frontend is specified, assume both are wanted.
1412         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1413
1414         (generate_from_specification):
1415         Generate C++ files for the backend and Objective-C files for the frontend.
1416
1417 2016-02-22  Saam barati  <sbarati@apple.com>
1418
1419         JSGlobalObject doesn't visit ProxyObjectStructure during GC
1420         https://bugs.webkit.org/show_bug.cgi?id=154564
1421
1422         Rubber stamped by Mark Lam.
1423
1424         * runtime/JSGlobalObject.cpp:
1425         (JSC::JSGlobalObject::visitChildren):
1426
1427 2016-02-22  Saam barati  <sbarati@apple.com>
1428
1429         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
1430         https://bugs.webkit.org/show_bug.cgi?id=154548
1431
1432         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
1433
1434         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
1435         an exception. Neither the function nor the call sites of the function took this into
1436         account. This patch audits the call sites of the function to make it work in
1437         the event that an exception is thrown.
1438
1439         * runtime/BooleanConstructor.cpp:
1440         (JSC::constructWithBooleanConstructor):
1441         * runtime/DateConstructor.cpp:
1442         (JSC::constructDate):
1443         * runtime/ErrorConstructor.cpp:
1444         (JSC::Interpreter::constructWithErrorConstructor):
1445         * runtime/FunctionConstructor.cpp:
1446         (JSC::constructFunctionSkippingEvalEnabledCheck):
1447         * runtime/InternalFunction.cpp:
1448         (JSC::InternalFunction::createSubclassStructure):
1449         * runtime/JSArrayBufferConstructor.cpp:
1450         (JSC::constructArrayBuffer):
1451         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1452         (JSC::constructGenericTypedArrayView):
1453         * runtime/JSGlobalObject.h:
1454         (JSC::constructEmptyArray):
1455         (JSC::constructArray):
1456         (JSC::constructArrayNegativeIndexed):
1457         * runtime/JSPromiseConstructor.cpp:
1458         (JSC::constructPromise):
1459         * runtime/MapConstructor.cpp:
1460         (JSC::constructMap):
1461         * runtime/NativeErrorConstructor.cpp:
1462         (JSC::Interpreter::constructWithNativeErrorConstructor):
1463         * runtime/NumberConstructor.cpp:
1464         (JSC::constructWithNumberConstructor):
1465         * runtime/RegExpConstructor.cpp:
1466         (JSC::getRegExpStructure):
1467         (JSC::constructRegExp):
1468         (JSC::constructWithRegExpConstructor):
1469         * runtime/SetConstructor.cpp:
1470         (JSC::constructSet):
1471         * runtime/StringConstructor.cpp:
1472         (JSC::constructWithStringConstructor):
1473         (JSC::StringConstructor::getConstructData):
1474         * runtime/WeakMapConstructor.cpp:
1475         (JSC::constructWeakMap):
1476         * runtime/WeakSetConstructor.cpp:
1477         (JSC::constructWeakSet):
1478         * tests/stress/create-subclass-structure-might-throw.js: Added.
1479         (assert):
1480
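Added example (not part of this ChangeLog or of JavaScriptCore): the hazard the entry above fixes, made observable from script. When a built-in constructor is invoked with a new.target whose `prototype` lookup throws, that exception must propagate; silently falling back to the default prototype would hide the error. A Proxy around a hypothetical `Target` function plays the role of such a new.target, and `Reflect.construct` supplies it to each built-in.

```javascript
// Build a new.target whose [[Get]] of "prototype" throws. A RangeError is used
// so that the propagated exception is distinguishable from a TypeError raised
// by the engine itself.
function makeThrowingNewTarget(message) {
  function Target() {}   // hypothetical; its body never runs, only its identity as new.target matters
  return new Proxy(Target, {
    get(target, key, receiver) {
      if (key === 'prototype') throw new RangeError(message);
      return Reflect.get(target, key, receiver);
    },
  });
}

// Returns { ok: true, proto } when construction succeeds, { ok: false, error } when it throws.
function constructWithNewTarget(ctor, args, newTarget) {
  try {
    const obj = Reflect.construct(ctor, args, newTarget);
    return { ok: true, proto: Object.getPrototypeOf(obj) };
  } catch (error) {
    return { ok: false, error };
  }
}

// Built-ins that read new.target.prototype (GetPrototypeFromConstructor) before
// allocating, paired with constructed arguments that are otherwise valid.
const CONSTRUCTORS = [
  [Boolean, [true]], [Number, [1]], [String, ['s']], [Date, []],
  [Error, ['x']], [RangeError, ['x']], [RegExp, ['a']],
  [Map, []], [Set, []], [WeakMap, []], [WeakSet, []],
  [ArrayBuffer, [8]], [Int8Array, [2]], [Promise, [resolve => resolve()]],
];

// Names of constructors that swallowed or replaced the exception; expected: none.
function constructorsThatSwallow(message = 'prototype lookup failed') {
  const newTarget = makeThrowingNewTarget(message);
  return CONSTRUCTORS
    .filter(([ctor, args]) => {
      const r = constructWithNewTarget(ctor, args, newTarget);
      return r.ok || !(r.error instanceof RangeError) || r.error.message !== message;
    })
    .map(([ctor]) => ctor.name);
}

// Sanity check: a well-behaved new.target yields an object with its prototype.
function subclassPrototypeIsUsed() {
  function Sub() {}
  const r = constructWithNewTarget(Map, [], Sub);
  return r.ok && r.proto === Sub.prototype;
}
```

The same shape applies to any native code that reads a property from a caller-supplied object: the read can run arbitrary script, so the result must be checked for a pending exception before it is used.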
1481 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
1482
1483         Fix build and implement functions to retrieve registers on FreeBSD
1484         https://bugs.webkit.org/show_bug.cgi?id=152258
1485
1486         Reviewed by Michael Catanzaro.
1487
1488         * heap/MachineStackMarker.cpp:
1489         (pthreadSignalHandlerSuspendResume):
1490         struct ucontext is not specified in POSIX and it is not available on
1491         FreeBSD. Replacing it with ucontext_t fixes the build problem.
1492         (JSC::MachineThreads::Thread::Registers::stackPointer):
1493         (JSC::MachineThreads::Thread::Registers::framePointer):
1494         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1495         (JSC::MachineThreads::Thread::Registers::llintPC):
1496         * heap/MachineStackMarker.h:
1497
1498 2016-02-22  Saam barati  <sbarati@apple.com>
1499
1500         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
1501         https://bugs.webkit.org/show_bug.cgi?id=154552
1502
1503         Reviewed by Mark Lam.
1504
1505         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
1506         They return false on a Proxy with internal [[Call]] and [[Construct]]
1507         properties. It seems safest, most forward-looking, and most adherent
1508         to the specification to check getCallData() and getConstructData() to
1509         implement these functions.
1510
1511         * runtime/InternalFunction.cpp:
1512         (JSC::InternalFunction::createSubclassStructure):
1513         * runtime/JSCJSValueInlines.h:
1514         (JSC::JSValue::isFunction):
1515         (JSC::JSValue::isConstructor):
1516
1517 2016-02-22  Keith Miller  <keith_miller@apple.com>
1518
1519         Bound functions should use the prototype of the function being bound
1520         https://bugs.webkit.org/show_bug.cgi?id=154195
1521
1522         Reviewed by Geoffrey Garen.
1523
1524         Per ES6, the result of Function.prototype.bind should have the same
1525         prototype as the function being bound. In order to avoid creating
1526         a new structure each time a function is bound we store the new
1527         structure in our structure map. However, we cannot currently store
1528         structures that have a different GlobalObject than their prototype.
1529         In the rare case that the GlobalObject differs or the prototype of
1530         the bindee is null we create a new structure each time. To further
1531         minimize new structures, as well as making structure lookup faster,
1532         we also store the structure in the RareData of the function we
1533         are binding.
1534
1535         * runtime/FunctionRareData.cpp:
1536         (JSC::FunctionRareData::visitChildren):
1537         * runtime/FunctionRareData.h:
1538         (JSC::FunctionRareData::getBoundFunctionStructure):
1539         (JSC::FunctionRareData::setBoundFunctionStructure):
1540         * runtime/JSBoundFunction.cpp:
1541         (JSC::getBoundFunctionStructure):
1542         (JSC::JSBoundFunction::create):
1543         * tests/es6.yaml:
1544         * tests/stress/bound-function-uses-prototype.js: Added.
1545         (testChangeProto.foo):
1546         (testChangeProto):
1547         (testBuiltins):
1548         * tests/stress/class-subclassing-function.js:
1549
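Added example (not part of this ChangeLog or of JavaScriptCore): a check of the ES6 rule the entry above implements, that a bound function's [[Prototype]] equals the [[Prototype]] of the function being bound, including the subclass and null-prototype cases the entry calls out. `Callable` is a hypothetical Function subclass used only for the test.

```javascript
class Callable extends Function {}   // hypothetical subclass; instances inherit from Callable.prototype

// Bind through Function.prototype directly: a function whose prototype chain
// has been cut to null no longer inherits `.bind` itself.
function bindOf(fn) {
  return Function.prototype.bind.call(fn, null);
}

function boundPrototypeMatches(fn) {
  return Object.getPrototypeOf(bindOf(fn)) === Object.getPrototypeOf(fn);
}

function checkBoundPrototypes() {
  const plain = function () { return 'plain'; };
  const arrow = () => 'arrow';
  const sub = new Callable('return "sub"');         // [[Prototype]] is Callable.prototype
  const nullProto = function () { return 'null'; };
  Object.setPrototypeOf(nullProto, null);           // the rare case: no prototype at all
  return {
    allMatch: [plain, arrow, sub, nullProto].every(boundPrototypeMatches),
    subProto: Object.getPrototypeOf(bindOf(sub)) === Callable.prototype,
    nullProto: Object.getPrototypeOf(bindOf(nullProto)) === null,
    // Binding an already-bound function keeps the inherited prototype.
    rebound: Object.getPrototypeOf(bindOf(bindOf(sub))) === Callable.prototype,
    // The bound function still calls through to the original.
    callsThrough: bindOf(nullProto)() === 'null' && bindOf(sub)() === 'sub',
  };
}
```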
1550 2016-02-22  Keith Miller  <keith_miller@apple.com>
1551
1552         Unreviewed, fix stress test to not print on success.
1553
1554         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
1555         (catch): Deleted.
1556
1557 2016-02-22  Keith Miller  <keith_miller@apple.com>
1558
1559         Use Symbol.species in the builtin TypedArray.prototype functions
1560         https://bugs.webkit.org/show_bug.cgi?id=153384
1561
1562         Reviewed by Geoffrey Garen.
1563
1564         This patch adds the use of species constructors to the TypedArray.prototype map and filter
1565         functions. It also adds a new private function typedArrayGetOriginalConstructor that
1566         returns the TypedArray constructor used to originally create a TypedArray instance.
1567
1568         There are no ES6 tests to update for this patch as species creation for these functions is
1569         not tested in the compatibility table.
1570
1571         * builtins/TypedArrayPrototype.js:
1572         (map):
1573         (filter):
1574         * bytecode/BytecodeIntrinsicRegistry.cpp:
1575         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1576         * bytecode/BytecodeIntrinsicRegistry.h:
1577         * runtime/CommonIdentifiers.h:
1578         * runtime/JSGlobalObject.cpp:
1579         (JSC::JSGlobalObject::init):
1580         (JSC::JSGlobalObject::visitChildren):
1581         * runtime/JSGlobalObject.h:
1582         (JSC::JSGlobalObject::typedArrayConstructor):
1583         * runtime/JSTypedArrayViewPrototype.cpp:
1584         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
1585         * runtime/JSTypedArrayViewPrototype.h:
1586         * tests/stress/typedarray-filter.js:
1587         (subclasses.typedArrays.map):
1588         (prototype.accept):
1589         (testSpecies):
1590         (accept):
1591         (forEach):
1592         (subclasses.forEach):
1593         (testSpeciesRemoveConstructor):
1594         * tests/stress/typedarray-map.js:
1595         (subclasses.typedArrays.map):
1596         (prototype.id):
1597         (testSpecies):
1598         (id):
1599         (forEach):
1600         (subclasses.forEach):
1601         (testSpeciesRemoveConstructor):
1602
1603 2016-02-22  Keith Miller  <keith_miller@apple.com>
1604
1605         Builtins that should not rely on iteration do.
1606         https://bugs.webkit.org/show_bug.cgi?id=154475
1607
1608         Reviewed by Geoffrey Garen.
1609
1610         When changing the behavior of varargs calls to use ES6 iterators the
1611         call builtin function's use of a varargs call was overlooked. The use
1612         of iterators is observable outside the scope of the call function,
1613         thus it must be reimplemented.
1614
1615         * builtins/FunctionPrototype.js:
1616         (call):
1617         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
1618         (test):
1619         (addAll):
1620         (catch):
1621
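Added example (not part of this ChangeLog or of JavaScriptCore): a harness for the property the entry above restores. `Function.prototype.call` and `.apply` must not go through the ES6 iteration protocol, so a replaced `Array.prototype[Symbol.iterator]` must stay unobservable to them, whereas spread syntax legitimately uses it. The counter wrapper and the `sum` function are constructed for the test.

```javascript
// Run `action` while Array.prototype[Symbol.iterator] is wrapped by a counter,
// then restore the original. Returns how often the iterator was requested.
function countArrayIteratorUse(action) {
  const proto = Array.prototype;
  const original = proto[Symbol.iterator];
  let hits = 0;
  Object.defineProperty(proto, Symbol.iterator, {
    value: function () { hits += 1; return original.call(this); },
    writable: true, configurable: true, enumerable: false,
  });
  try {
    action();
  } finally {
    Object.defineProperty(proto, Symbol.iterator, {
      value: original, writable: true, configurable: true, enumerable: false,
    });
  }
  return hits;
}

function sum(a, b) { return a + b; }

// Iterator-request counts for each way of passing two arguments. ES6 requires
// 0 for call/apply/Reflect.apply (they use CreateListFromArrayLike) and 1 for
// spread, which goes through the iteration protocol.
function auditCallPaths() {
  const args = [1, 2];   // constructed argument list
  return {
    call: countArrayIteratorUse(() => sum.call(null, 1, 2)),
    apply: countArrayIteratorUse(() => sum.apply(null, args)),
    reflectApply: countArrayIteratorUse(() => Reflect.apply(sum, null, args)),
    spread: countArrayIteratorUse(() => sum(...args)),
    resultViaApply: sum.apply(null, args),
  };
}
```

This is the kind of check worth keeping in a test suite for any builtin written in script: an accidental dependency on iteration lets user code that patches `Array.prototype[Symbol.iterator]` run inside engine-internal calls.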
1622 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1623
1624         [JSC shell] Don't put empty arguments array to VM.
1625         https://bugs.webkit.org/show_bug.cgi?id=154516
1626
1627         Reviewed by Geoffrey Garen.
1628
1629         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
1630         in jsc as well as in browser.
1631
1632         * jsc.cpp:
1633         (GlobalObject::finishCreation):
1634
1635 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1636
1637         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
1638         https://bugs.webkit.org/show_bug.cgi?id=154450
1639
1640         Reviewed by Alex Christensen.
1641
1642         * CMakeLists.txt:
1643
1644 2016-02-22  Commit Queue  <commit-queue@webkit.org>
1645
1646         Unreviewed, rolling out r196891.
1647         https://bugs.webkit.org/show_bug.cgi?id=154539
1648
1649         it broke Production builds (Requested by brrian on #webkit).
1650
1651         Reverted changeset:
1652
1653         "Web Inspector: add 'Automation' protocol domain and generate
1654         its backend classes separately in WebKit2"
1655         https://bugs.webkit.org/show_bug.cgi?id=154509
1656         http://trac.webkit.org/changeset/196891
1657
1658 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1659
1660         CodeBlock always visits its unlinked code twice
1661         https://bugs.webkit.org/show_bug.cgi?id=154494
1662
1663         Reviewed by Saam Barati.
1664
1665         * bytecode/CodeBlock.cpp:
1666         (JSC::CodeBlock::visitChildren):
1667         The unlinked code is always visited in stronglyVisitStrongReferences.
1668
1669 2016-02-21  Brian Burg  <bburg@apple.com>
1670
1671         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1672         https://bugs.webkit.org/show_bug.cgi?id=154509
1673         <rdar://problem/24759098>
1674
1675         Reviewed by Timothy Hatcher.
1676
1677         Add a new 'WebKit' framework, which is used to generate protocol code
1678         in WebKit2.
1679
1680         Add --backend and --frontend flags to the main generator script.
1681         These allow a framework to trigger two different sets of generators
1682         so they can be separately generated and compiled.
1683
1684         * inspector/scripts/codegen/models.py:
1685         (Framework.fromString):
1686         (Frameworks): Add new framework.
1687
1688         * inspector/scripts/generate-inspector-protocol-bindings.py:
1689         If neither --backend nor --frontend is specified, assume both are wanted.
1690         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1691
1692         (generate_from_specification):
1693         Generate C++ files for the backend and Objective-C files for the frontend.
1694
1695 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1696
1697         Improvements to Intl code
1698         https://bugs.webkit.org/show_bug.cgi?id=154486
1699
1700         Reviewed by Darin Adler.
1701
1702         This patch does several things:
1703         - Use std::unique_ptr to store ICU objects.
1704         - Pass Vector::size() to ICU functions that take a buffer size instead
1705           of Vector::capacity().
1706         - If U_SUCCESS(status) is true, it means there is no error, but there
1707           could be warnings. ICU functions ignore warnings. So, there is no need
1708           to reset status to U_ZERO_ERROR.
1709         - Remove the initialization of the String instance variables of
1710           IntlDateTimeFormat. These values are never read and cause unnecessary
1711           memory allocation.
1712         - Fix coding style.
1713         - Some small optimization.
1714
1715         * runtime/IntlCollator.cpp:
1716         (JSC::IntlCollator::UCollatorDeleter::operator()):
1717         (JSC::IntlCollator::createCollator):
1718         (JSC::IntlCollator::compareStrings):
1719         (JSC::IntlCollator::~IntlCollator): Deleted.
1720         * runtime/IntlCollator.h:
1721         * runtime/IntlDateTimeFormat.cpp:
1722         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
1723         (JSC::defaultTimeZone):
1724         (JSC::canonicalizeTimeZoneName):
1725         (JSC::toDateTimeOptionsAnyDate):
1726         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1727         (JSC::IntlDateTimeFormat::weekdayString):
1728         (JSC::IntlDateTimeFormat::format):
1729         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
1730         (JSC::localeData): Deleted.
1731         * runtime/IntlDateTimeFormat.h:
1732         * runtime/IntlDateTimeFormatConstructor.cpp:
1733         * runtime/IntlNumberFormatConstructor.cpp:
1734         * runtime/IntlObject.cpp:
1735         (JSC::numberingSystemsForLocale):
1736
1737 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1738
1739         Remove arrowfunction test cases that rely on arguments variable in jsc
1740         https://bugs.webkit.org/show_bug.cgi?id=154517
1741
1742         Reviewed by Yusuke Suzuki.
1743
1744         Allow jsc to have the same JavaScript behavior as the browser has.
1745
1746         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1747         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1748
1749 2016-02-21  Brian Burg  <bburg@apple.com>
1750
1751         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
1752         https://bugs.webkit.org/show_bug.cgi?id=154508
1753         <rdar://problem/24759077>
1754
1755         Reviewed by Timothy Hatcher.
1756
1757         In preparation for being able to generate protocol files for WebKit2,
1758         make it possible to not emit generated code that's guarded by
1759         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
1760         backend dispatchers generated outside of JavaScriptCore. We can't just
1761         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
1762         in the configurations where the code is actually used.
1763
1764         Add a new opt-in Framework configuration option that turns on generating
1765         this code. Adjust how the code is generated so that it can be easily excluded.
1766
1767         * inspector/scripts/codegen/cpp_generator_templates.py:
1768         Make a separate template for the declarations that are guarded.
1769         Add an initializer expression so the order of initializers doesn't matter.
1770
1771         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1772         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
1773         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1774         If the declarations are needed, they will be appended to the end of the
1775         declarations list.
1776
1777         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1778         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
1779         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
1780
1781         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
1782         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
1783
1784         Rebaseline affected tests.
1785
1786         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1787         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1788         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1789         * inspector/scripts/tests/expected/enum-values.json-result:
1790         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1791
1792 2016-02-21  Brian Burg  <bburg@apple.com>
1793
1794         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
1795         https://bugs.webkit.org/show_bug.cgi?id=154505
1796         <rdar://problem/24758042>
1797
1798         Reviewed by Timothy Hatcher.
1799
1800         It should be possible to generate code for a framework using some generators
1801         that other frameworks also use. Right now the generator selection code assumes
1802         that use of a generator is mutually exclusive among non-test frameworks.
1803
1804         Make this code explicitly switch on the framework. Reorder generators
1805         alphabetically within each case.
1806
1807         * inspector/scripts/generate-inspector-protocol-bindings.py:
1808         (generate_from_specification):
1809
1810         Rebaseline tests that are affected by generator reorderings.
1811
1812         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1813         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1814         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1815         * inspector/scripts/tests/expected/enum-values.json-result:
1816         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1817         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1818         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1819         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1820         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1821         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1822         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1823         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1824         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1825
1826 2016-02-19  Saam Barati  <sbarati@apple.com>
1827
1828         [ES6] Implement Proxy.[[Construct]]
1829         https://bugs.webkit.org/show_bug.cgi?id=154440
1830
1831         Reviewed by Oliver Hunt.
1832
1833         This patch is mostly an implementation of
1834         Proxy.[[Construct]] with respect to section 9.5.13
1835         of the ECMAScript spec.
1836         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
1837
1838         This patch also changes op_create_this to accept new.target's
1839         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
1840         because we might construct a JSFunction with a new.target being
1841         a Proxy. This will also be needed when we implement Reflect.construct.
1842
1843         * dfg/DFGOperations.cpp:
1844         * dfg/DFGSpeculativeJIT32_64.cpp:
1845         (JSC::DFG::SpeculativeJIT::compile):
1846         * dfg/DFGSpeculativeJIT64.cpp:
1847         (JSC::DFG::SpeculativeJIT::compile):
1848         * jit/JITOpcodes.cpp:
1849         (JSC::JIT::emit_op_create_this):
1850         (JSC::JIT::emitSlow_op_create_this):
1851         * jit/JITOpcodes32_64.cpp:
1852         (JSC::JIT::emit_op_create_this):
1853         (JSC::JIT::emitSlow_op_create_this):
1854         * llint/LLIntData.cpp:
1855         (JSC::LLInt::Data::performAssertions):
1856         * llint/LowLevelInterpreter.asm:
1857         * llint/LowLevelInterpreter32_64.asm:
1858         * llint/LowLevelInterpreter64.asm:
1859         * runtime/CommonSlowPaths.cpp:
1860         (JSC::SLOW_PATH_DECL):
1861         * runtime/ProxyObject.cpp:
1862         (JSC::ProxyObject::finishCreation):
1863         (JSC::ProxyObject::visitChildren):
1864         (JSC::performProxyConstruct):
1865         (JSC::ProxyObject::getConstructData):
1866         * runtime/ProxyObject.h:
1867         * tests/es6.yaml:
1868         * tests/stress/proxy-construct.js: Added.
1869         (assert):
1870         (throw.new.Error.let.target):
1871         (throw.new.Error):
1872         (assert.let.target):
1873         (assert.let.handler.get construct):
1874         (let.target):
1875         (let.handler.construct):
1876         (i.catch):
1877         (assert.let.handler.construct):
1878         (assert.let.construct):
1879         (assert.else.assert.let.target):
1880         (assert.else.assert.let.construct):
1881         (assert.else.assert):
1882         (new.proxy.let.target):
1883         (new.proxy.let.construct):
1884         (new.proxy):
1885
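Added example (not part of this ChangeLog or of JavaScriptCore): the observable behaviour of Proxy [[Construct]] per section 9.5.13 that the new stress test above exercises, plus the related point from the JSValue::isConstructor entry earlier on this page. The construct trap receives the target, the argument list and new.target; a non-object trap result is a TypeError; with no trap, the target is constructed with new.target set to the proxy itself; and a proxy around a non-constructor is not a constructor. `Point` is a constructed sample constructor.

```javascript
function Point(x, y) {
  this.x = x;
  this.y = y;
  Point.lastNewTarget = new.target;   // records what the callee observed as new.target
}

// construct trap: observe its three arguments and forward to the target.
function traceConstruct() {
  const log = [];
  const proxy = new Proxy(Point, {
    construct(target, args, newTarget) {
      log.push({
        targetIsPoint: target === Point,
        args: args.slice(),
        newTargetIsProxy: newTarget === proxy,
      });
      return Reflect.construct(target, args, newTarget);
    },
  });
  const p = new proxy(1, 2);
  return { log, isPoint: p instanceof Point, x: p.x, y: p.y };
}

// 9.5.13 step 12: if the trap result is not an Object, throw a TypeError.
function trapReturningPrimitiveThrowsTypeError() {
  const proxy = new Proxy(Point, { construct() { return 42; } });
  try { new proxy(); return false; } catch (e) { return e instanceof TypeError; }
}

// No trap: target.[[Construct]](args, newTarget) with newTarget = the proxy, so
// the callee sees a new.target that is not a JSFunction, and the prototype is
// read from the proxy (forwarded to Point.prototype).
function newTargetWithoutTrapIsProxy() {
  const proxy = new Proxy(Point, {});
  const p = new proxy(3, 4);
  return Point.lastNewTarget === proxy && Object.getPrototypeOf(p) === Point.prototype;
}

// A proxy only has [[Construct]] if its target does; an arrow function has none.
function proxyOfNonConstructorIsNotConstructor() {
  const proxy = new Proxy(() => 0, {});
  try { new proxy(); return false; } catch (e) { return e instanceof TypeError; }
}
```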
1886 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1887
1888         [INTL] Implement Number Format Functions
1889         https://bugs.webkit.org/show_bug.cgi?id=147605
1890
1891         Reviewed by Darin Adler.
1892
1893         This patch implements Intl.NumberFormat.prototype.format() according
1894         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
1895
1896         * runtime/IntlNumberFormat.cpp:
1897         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1898         (JSC::IntlNumberFormat::initializeNumberFormat):
1899         (JSC::IntlNumberFormat::createNumberFormat):
1900         (JSC::IntlNumberFormat::formatNumber):
1901         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1902         * runtime/IntlNumberFormat.h:
1903         * runtime/IntlNumberFormatPrototype.cpp:
1904         (JSC::IntlNumberFormatFuncFormatNumber):
1905
1906 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
1907
1908         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1909         https://bugs.webkit.org/show_bug.cgi?id=154416
1910
1911         Reviewed by Geoff Garen.
1912
1913         Here's the bug. Suppose you call JSObject::getOwnProperty and -
1914           - PropertyName contains an index,
1915           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1916           - The base of the access (or another object on the prototype chain) shadows that property.
1917
1918         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1919         index, and as such walks up the prototype chain looking for non-index properties before it
1920         tries calling parseIndex.
1921
1922         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1923         would potentially return the property) we may have already skipped over non-overriding
1924         objects that contain the property in index storage.
1925
1926         * runtime/JSObject.h:
1927         (JSC::JSObject::getOwnNonIndexPropertySlot):
1928             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1929               added ASSERT guarding that this method never returns index properties -
1930               if it ever does, this is unsafe for getPropertySlot.
1931         (JSC::JSObject::getOwnPropertySlot):
1932             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1933         (JSC::JSObject::getPropertySlot):
1934             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1935         (JSC::JSObject::getNonIndexPropertySlot):
1936             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1937               in order to avoid repeated calls to parseIndex.
1938         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1939             - this was renamed to getOwnNonIndexPropertySlot.
1940         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1941             - this was folded back in to getPropertySlot.
1942
1943 2016-02-19  Saam Barati  <sbarati@apple.com>
1944
1945         [ES6] Implement Proxy.[[Call]]
1946         https://bugs.webkit.org/show_bug.cgi?id=154425
1947
1948         Reviewed by Mark Lam.
1949
1950         This patch is a straight forward implementation of
1951         Proxy.[[Call]] with respect to section 9.5.12
1952         of the ECMAScript spec.
1953         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1954
1955         * runtime/ProxyObject.cpp:
1956         (JSC::ProxyObject::finishCreation):
1957         (JSC::performProxyGet):
1958         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1959         (JSC::ProxyObject::performHasProperty):
1960         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1961         (JSC::performProxyCall):
1962         (JSC::ProxyObject::getCallData):
1963         (JSC::ProxyObject::visitChildren):
1964         * runtime/ProxyObject.h:
1965         (JSC::ProxyObject::create):
1966         * tests/es6.yaml:
1967         * tests/stress/proxy-call.js: Added.
1968         (assert):
1969         (throw.new.Error.let.target):
1970         (throw.new.Error.let.handler.apply):
1971         (throw.new.Error):
1972         (assert.let.target):
1973         (assert.let.handler.get apply):
1974         (let.target):
1975         (let.handler.apply):
1976         (i.catch):
1977         (assert.let.handler.apply):
1978
1979 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1980
1981         Remove more LLVM related dead code after r196729
1982         https://bugs.webkit.org/show_bug.cgi?id=154387
1983
1984         Reviewed by Filip Pizlo.
1985
1986         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
1987         * Configurations/LLVMForJSC.xcconfig: Removed.
1988         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
1989         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
1990         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
1991         * JavaScriptCore.xcodeproj/project.pbxproj:
1992         * disassembler/X86Disassembler.cpp:
1993
1994 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1995
1996         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
1997         https://bugs.webkit.org/show_bug.cgi?id=154442
1998
1999         Reviewed by Saam Barati.
2000
2001         * runtime/JSString.h:
2002         (JSC::isJSString):
2003
2004 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2005
2006         Remove unused SymbolTable::createNameScopeTable
2007         https://bugs.webkit.org/show_bug.cgi?id=154443
2008
2009         Reviewed by Saam Barati.
2010
2011         * runtime/SymbolTable.h:
2012
2013 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2014
2015         [JSC] Improve the instruction selection of Select
2016         https://bugs.webkit.org/show_bug.cgi?id=154432
2017
2018         Reviewed by Filip Pizlo.
2019
2020         Plenty of code but this patch is pretty dumb:
2021         -On ARM64: use the 3-operand form of CSEL instead of forcing a source
2022          to be aliased to the destination. This gives more freedom to the register
2023          allocator and it is one less Move to process per Select.
2024         -On x86, introduce a fake 3-operand form and use aggressive aliasing
2025          to try to alias both sources to the destination.
2026
2027          If aliasing succeeds on the "elseCase", the condition of the Select
2028          is reverted in the MacroAssembler.
2029
2030          If no aliasing is possible and we end up with 3 registers, the missing
2031          move instruction is generated by the MacroAssembler.
2032
2033          The missing move is generated after testing the values because the destination
2034          can use the same register as one of the test operands.
2035          Experimental testing seems to indicate there is no macro-fusion on CMOV, so
2036          there is no measurable cost to having the move there.
2037
2038         * assembler/MacroAssembler.h:
2039         (JSC::MacroAssembler::isInvertible):
2040         (JSC::MacroAssembler::invert):
2041         * assembler/MacroAssemblerARM64.h:
2042         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2043         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2044         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2045         (JSC::MacroAssemblerARM64::moveConditionally32):
2046         (JSC::MacroAssemblerARM64::moveConditionally64):
2047         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2048         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2049         * assembler/MacroAssemblerX86Common.h:
2050         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2051         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2052         (JSC::MacroAssemblerX86Common::moveConditionally32):
2053         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2054         (JSC::MacroAssemblerX86Common::invert):
2055         (JSC::MacroAssemblerX86Common::isInvertible):
2056         * assembler/MacroAssemblerX86_64.h:
2057         (JSC::MacroAssemblerX86_64::moveConditionally64):
2058         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2059         * b3/B3LowerToAir.cpp:
2060         (JSC::B3::Air::LowerToAir::createSelect):
2061         (JSC::B3::Air::LowerToAir::lower):
2062         * b3/air/AirInstInlines.h:
2063         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2064         * b3/air/AirOpcode.opcodes:
2065
2066 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2067
2068         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2069         https://bugs.webkit.org/show_bug.cgi?id=154430
2070
2071         Reviewed by Saam Barati.
2072
2073         llvm isn't used anymore.
2074
2075         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2076
2077 2016-02-18  Saam Barati  <sbarati@apple.com>
2078
2079         Implement Proxy.[[HasProperty]]
2080         https://bugs.webkit.org/show_bug.cgi?id=154313
2081
2082         Reviewed by Filip Pizlo.
2083
2084         This patch is a straight forward implementation of
2085         Proxy.[[HasProperty]] with respect to section 9.5.7
2086         of the ECMAScript spec.
2087         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2088
2089         * runtime/ProxyObject.cpp:
2090         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2091         (JSC::ProxyObject::performHasProperty):
2092         (JSC::ProxyObject::getOwnPropertySlotCommon):
2093         * runtime/ProxyObject.h:
2094         * tests/es6.yaml:
2095         * tests/stress/proxy-basic.js:
2096         (assert):
2097         (let.handler.has):
2098         * tests/stress/proxy-has-property.js: Added.
2099         (assert):
2100         (throw.new.Error.let.handler.get has):
2101         (throw.new.Error):
2102         (assert.let.handler.has):
2103         (let.handler.has):
2104         (getOwnPropertyDescriptor):
2105         (i.catch):
2106
2107 2016-02-18  Saam Barati  <sbarati@apple.com>
2108
2109         Proxies don't properly handle Symbols as PropertyKeys.
2110         https://bugs.webkit.org/show_bug.cgi?id=154385
2111
2112         Reviewed by Mark Lam and Yusuke Suzuki.
2113
2114         We were converting all PropertyKeys to strings, even when
2115         the PropertyName was a Symbol. In the spec, PropertyKeys are
2116         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2117         Proxy.[[GetOwnProperty]].
2118
2119         * runtime/Completion.cpp:
2120         (JSC::profiledEvaluate):
2121         (JSC::createSymbolForEntryPointModule):
2122         (JSC::identifierToJSValue): Deleted.
2123         * runtime/Identifier.h:
2124         (JSC::parseIndex):
2125         * runtime/IdentifierInlines.h:
2126         (JSC::Identifier::fromString):
2127         (JSC::identifierToJSValue):
2128         (JSC::identifierToSafePublicJSValue):
2129         * runtime/ProxyObject.cpp:
2130         (JSC::performProxyGet):
2131         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2132         * tests/es6.yaml:
2133         * tests/stress/proxy-basic.js:
2134         (let.handler.getOwnPropertyDescriptor):
2135
2136 2016-02-18  Saam Barati  <sbarati@apple.com>
2137
2138         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2139         https://bugs.webkit.org/show_bug.cgi?id=154314
2140
2141         Reviewed by Filip Pizlo.
2142
2143         Part of the implementation was broken because
2144         of how JSObject::getOwnPropertyDescriptor worked.
2145         I've fixed JSObject::getOwnPropertyDescriptor to
2146         be able to handle ProxyObject.
2147
2148         * runtime/JSObject.cpp:
2149         (JSC::JSObject::getOwnPropertyDescriptor):
2150         * runtime/ProxyObject.cpp:
2151         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2152         * tests/stress/proxy-get-own-property.js:
2153         (assert):
2154         (assert.let.handler.get getOwnPropertyDescriptor):
2155
2156 2016-02-18  Saam Barati  <sbarati@apple.com>
2157
2158         Implement Proxy.[[GetOwnProperty]]
2159         https://bugs.webkit.org/show_bug.cgi?id=154314
2160
2161         Reviewed by Filip Pizlo.
2162
2163         This patch implements Proxy.[[GetOwnProperty]].
2164         It's a straight forward implementation as described
2165         in section 9.5.5 of the specification:
2166         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2167
2168         * runtime/FunctionPrototype.cpp:
2169         (JSC::functionProtoFuncBind):
2170         * runtime/JSObject.cpp:
2171         (JSC::validateAndApplyPropertyDescriptor):
2172         (JSC::JSObject::defineOwnNonIndexProperty):
2173         (JSC::JSObject::defineOwnProperty):
2174         (JSC::JSObject::getGenericPropertyNames):
2175         (JSC::JSObject::getMethod):
2176         * runtime/JSObject.h:
2177         (JSC::JSObject::butterflyAddress):
2178         (JSC::makeIdentifier):
2179         * runtime/ProxyObject.cpp:
2180         (JSC::performProxyGet):
2181         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2182         (JSC::ProxyObject::getOwnPropertySlotCommon):
2183         (JSC::ProxyObject::getOwnPropertySlot):
2184         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2185         (JSC::ProxyObject::visitChildren):
2186         * runtime/ProxyObject.h:
2187         * tests/es6.yaml:
2188         * tests/stress/proxy-basic.js:
2189         (let.handler.get null):
2190         * tests/stress/proxy-get-own-property.js: Added.
2191         (assert):
2192         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2193         (throw.new.Error):
2194         (let.handler.getOwnPropertyDescriptor):
2195         (i.catch):
2196         (assert.let.handler.getOwnPropertyDescriptor):
2197
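Added example (editor's illustration, not JavaScriptCore code or any test from the entries above). It exercises from script the four Proxy internal methods implemented in the entries above: [[Call]] through the apply trap, [[HasProperty]] through the has trap, [[GetOwnProperty]] through the getOwnPropertyDescriptor trap, and the rule that a Symbol PropertyKey reaches a trap as a Symbol rather than a string. The invariant checks in the second function follow the ECMAScript sections the entries cite (9.5.5 and 9.5.7). All names (makeLoggingProxy, demoTraps, hidingTrapsThrow, the Symbol "secret") are constructed for this example.

```javascript
// Added example, not JavaScriptCore code. Demonstrates Proxy [[Call]],
// [[HasProperty]] and [[GetOwnProperty]] from script, and that Symbol keys
// arrive at the traps unchanged. Names below are constructed for the example.

const secret = Symbol("secret");

// Wraps `target` in a Proxy whose traps record which trap ran and what kind
// of key it received, then forward to the target via Reflect.
function makeLoggingProxy(target) {
  const log = [];
  const handler = {
    apply(t, thisArg, args) {                 // [[Call]]
      log.push(["apply", args.length]);
      return Reflect.apply(t, thisArg, args);
    },
    has(t, key) {                             // [[HasProperty]]
      log.push(["has", typeof key]);          // "symbol" or "string", never coerced
      return Reflect.has(t, key);
    },
    getOwnPropertyDescriptor(t, key) {        // [[GetOwnProperty]]
      log.push(["getOwnPropertyDescriptor", typeof key]);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  };
  return { proxy: new Proxy(target, handler), log };
}

function demoTraps() {
  function add(a, b) { return a + b; }
  add[secret] = 42;        // symbol-keyed own property
  add.plain = 1;           // string-keyed own property
  const { proxy, log } = makeLoggingProxy(add);

  const callResult = proxy(2, 3);                              // apply trap
  const hasSymbol = secret in proxy;                           // has trap, Symbol key
  const hasString = "plain" in proxy;                          // has trap, string key
  const desc = Object.getOwnPropertyDescriptor(proxy, secret); // getOwnPropertyDescriptor trap

  return { callResult, hasSymbol, hasString, descValue: desc.value, log };
}

// The cited spec sections also impose invariants: a has trap may not hide a
// non-configurable own property of the target, and a getOwnPropertyDescriptor
// trap may not report one as absent. Both must surface as a TypeError rather
// than silently lying to the caller.
function hidingTrapsThrow() {
  const target = {};
  Object.defineProperty(target, "fixed", { value: 1, configurable: false });
  const proxy = new Proxy(target, {
    has() { return false; },
    getOwnPropertyDescriptor() { return undefined; },
  });
  const errors = [];
  try { "fixed" in proxy; } catch (e) { errors.push(e.constructor.name); }
  try { Object.getOwnPropertyDescriptor(proxy, "fixed"); } catch (e) { errors.push(e.constructor.name); }
  return errors;   // ["TypeError", "TypeError"]
}
```

The log from demoTraps shows each operator dispatching to exactly one trap, and the has trap seeing typeof key === "symbol" for the Symbol-keyed lookup, which is the behaviour the "Symbols as PropertyKeys" entry restores.
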
2198 2016-02-18  Andreas Kling  <akling@apple.com>
2199
2200         JSString resolution of substrings should use StringImpl sharing optimization.
2201         <https://webkit.org/b/154068>
2202         <rdar://problem/24629358>
2203
2204         Reviewed by Antti Koivisto.
2205
2206         When resolving a JSString that's actually a substring of another JSString,
2207         use the StringImpl sharing optimization to create a new string pointing into
2208         the parent one, instead of copying out the bytes of the string.
2209
2210         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2211
2212         Another approach to this would be to induce GC far more frequently due to
2213         the added cost of copying out these substrings. It would reduce the risk
2214         of prolonging the life of strings only kept alive by substrings.
2215
2216         This patch chooses to trade that risk for less GC and lower peak memory.
2217
2218         * runtime/JSString.cpp:
2219         (JSC::JSRopeString::resolveRope):
2220
2221 2016-02-18  Chris Dumez  <cdumez@apple.com>
2222
2223         Crash on SES selftest page when loading the page while WebInspector is open
2224         https://bugs.webkit.org/show_bug.cgi?id=154378
2225         <rdar://problem/24713422>
2226
2227         Reviewed by Mark Lam.
2228
2229         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2230         returns early again if it detects that getOwnPropertySlot() returns a
2231         non-own property. This check was removed in r196676 because we assumed that
2232         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2233         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2234         well.
2235
2236         Not having the check would lead to crashes when using the debugger because
2237         we would get a slot with the CustomAccessor attribute but getDirect() would
2238         then fail to return the property (because it is not an own property). We
2239         would then cast the value returned by getDirect() to a CustomGetterSetter*
2240         and dereference it.
2241
2242         * runtime/JSObject.cpp:
2243         (JSC::JSObject::getOwnPropertyDescriptor):
2244
2245 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2246
2247         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2248         for that.
2249
2250         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2251         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2252
2253 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2254
2255         Unreviewed, fix CMake build. This got messed up when rebasing.
2256
2257         * CMakeLists.txt:
2258
2259 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2260
2261         Fix the !ENABLE(DFG_JIT) build after r195865
2262         https://bugs.webkit.org/show_bug.cgi?id=154391
2263
2264         Reviewed by Filip Pizlo.
2265
2266         * runtime/SamplingProfiler.cpp:
2267         (JSC::tryGetBytecodeIndex):
2268
2269 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2270
2271         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2272         https://bugs.webkit.org/show_bug.cgi?id=154383
2273
2274         Reviewed by Saam Barati.
2275
2276         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2277
2278         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2279           backend".
2280
2281         - Removed the reference because I found it to be dead. In some cases it was a dead
2282           comment: it was telling us things about what LLVM did and that's just not relevant
2283           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2284
2285         - Edited the comment in some smart way. There were comments talking about what LLVM did
2286           that were still of interest. In some cases, I added a FIXME to consider changing the
2287           code below the comment on the grounds that it was written in a weird way to placate
2288           LLVM and so we can do it better now.
2289
2290         * CMakeLists.txt:
2291         * JavaScriptCore.xcodeproj/project.pbxproj:
2292         * dfg/DFGArgumentsEliminationPhase.cpp:
2293         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2294         * dfg/DFGPlan.cpp:
2295         (JSC::DFG::Plan::compileInThread):
2296         (JSC::DFG::Plan::compileInThreadImpl):
2297         (JSC::DFG::Plan::compileTimeStats):
2298         * dfg/DFGPutStackSinkingPhase.cpp:
2299         * dfg/DFGSSAConversionPhase.h:
2300         * dfg/DFGStaticExecutionCountEstimationPhase.h:
2301         * dfg/DFGUnificationPhase.cpp:
2302         (JSC::DFG::UnificationPhase::run):
2303         * disassembler/ARM64Disassembler.cpp:
2304         (JSC::tryToDisassemble): Deleted.
2305         * disassembler/X86Disassembler.cpp:
2306         (JSC::tryToDisassemble):
2307         * ftl/FTLAbstractHeap.cpp:
2308         (JSC::FTL::IndexedAbstractHeap::initialize):
2309         * ftl/FTLAbstractHeap.h:
2310         * ftl/FTLFormattedValue.h:
2311         * ftl/FTLJITFinalizer.cpp:
2312         (JSC::FTL::JITFinalizer::finalizeFunction):
2313         * ftl/FTLLink.cpp:
2314         (JSC::FTL::link):
2315         * ftl/FTLLocation.cpp:
2316         (JSC::FTL::Location::restoreInto):
2317         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2318         (JSC::FTL::DFG::ftlUnreachable):
2319         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2320         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2321         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2322         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2323         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2324         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
2325         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
2326         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2327         (JSC::FTL::lowerDFGToB3):
2328         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
2329         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
2330         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
2331         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
2332         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
2333         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
2334         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
2335         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
2336         (JSC::FTL::lowerDFGToLLVM): Deleted.
2337         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
2338         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
2339         * ftl/FTLLowerDFGToLLVM.h: Removed.
2340         * ftl/FTLOSRExitCompiler.cpp:
2341         (JSC::FTL::compileStub):
2342         * ftl/FTLWeight.h:
2343         (JSC::FTL::Weight::frequencyClass):
2344         (JSC::FTL::Weight::inverse):
2345         (JSC::FTL::Weight::scaleToTotal): Deleted.
2346         * ftl/FTLWeightedTarget.h:
2347         (JSC::FTL::rarely):
2348         (JSC::FTL::unsure):
2349         * jit/CallFrameShuffler64.cpp:
2350         (JSC::CallFrameShuffler::emitDisplace):
2351         * jit/RegisterSet.cpp:
2352         (JSC::RegisterSet::ftlCalleeSaveRegisters):
2353         * llvm: Removed.
2354         * llvm/InitializeLLVMLinux.cpp: Removed.
2355         * llvm/InitializeLLVMWin.cpp: Removed.
2356         * llvm/library: Removed.
2357         * llvm/library/LLVMTrapCallback.h: Removed.
2358         * llvm/library/libllvmForJSC.version: Removed.
2359         * runtime/Options.cpp:
2360         (JSC::recomputeDependentOptions):
2361         (JSC::Options::initialize):
2362         * runtime/Options.h:
2363         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
2364         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
2365         * wasm/WASMFunctionParser.cpp:
2366
2367 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2368
2369         [cmake] Build system cleanup
2370         https://bugs.webkit.org/show_bug.cgi?id=154337
2371
2372         Reviewed by Žan Doberšek.
2373
2374         * CMakeLists.txt:
2375
2376 2016-02-17  Mark Lam  <mark.lam@apple.com>
2377
2378         Callers of JSString::value() should check for exceptions thereafter.
2379         https://bugs.webkit.org/show_bug.cgi?id=154346
2380
2381         Reviewed by Geoffrey Garen.
2382
2383         JSString::value() can throw an exception if the JS string is a rope and value()
2384         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2385         able to resolve the rope, it will return a null string (in addition to throwing
2386         the exception).  If a caller does not check for exceptions after calling
2387         JSString::value(), they may eventually use the returned null string and crash the
2388         VM.
2389
2390         The fix is to add all the necessary exception checks, and do the appropriate
2391         handling if needed.
2392
2393         * jsc.cpp:
2394         (functionRun):
2395         (functionLoad):
2396         (functionReadFile):
2397         (functionCheckSyntax):
2398         (functionLoadWebAssembly):
2399         (functionLoadModule):
2400         (functionCheckModuleSyntax):
2401         * runtime/DateConstructor.cpp:
2402         (JSC::dateParse):
2403         (JSC::dateNow):
2404         * runtime/JSGlobalObjectFunctions.cpp:
2405         (JSC::globalFuncEval):
2406         * tools/JSDollarVMPrototype.cpp:
2407         (JSC::functionPrint):
2408
2409 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2410
2411         [JSC] ARM64: Support the immediate format used for bit operations in Air
2412         https://bugs.webkit.org/show_bug.cgi?id=154327
2413
2414         Reviewed by Filip Pizlo.
2415
2416         ARM64 supports a pretty rich form of immediates for bit operations.
2417         There are two formats used to encode repeating patterns and common
2418         input in a dense form.
2419
2420         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
2421         Those represent the valid immediate forms for bit operations.
2422         On x86, any 32-bit value is valid. On ARM64, all the encoding
2423         forms are tried and the immediate is used when possible.
2424
2425         The arg type Imm64 is renamed to BigImm to better represent what
2426         it is: an immediate that does not fit into Imm.
2427
2428         * assembler/ARM64Assembler.h:
2429         (JSC::LogicalImmediate::create32): Deleted.
2430         (JSC::LogicalImmediate::create64): Deleted.
2431         (JSC::LogicalImmediate::value): Deleted.
2432         (JSC::LogicalImmediate::isValid): Deleted.
2433         (JSC::LogicalImmediate::is64bit): Deleted.
2434         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
2435         (JSC::LogicalImmediate::mask): Deleted.
2436         (JSC::LogicalImmediate::partialHSB): Deleted.
2437         (JSC::LogicalImmediate::highestSetBit): Deleted.
2438         (JSC::LogicalImmediate::findBitRange): Deleted.
2439         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
2440         * assembler/AssemblerCommon.h:
2441         (JSC::ARM64LogicalImmediate::create32):
2442         (JSC::ARM64LogicalImmediate::create64):
2443         (JSC::ARM64LogicalImmediate::value):
2444         (JSC::ARM64LogicalImmediate::isValid):
2445         (JSC::ARM64LogicalImmediate::is64bit):
2446         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
2447         (JSC::ARM64LogicalImmediate::mask):
2448         (JSC::ARM64LogicalImmediate::partialHSB):
2449         (JSC::ARM64LogicalImmediate::highestSetBit):
2450         (JSC::ARM64LogicalImmediate::findBitRange):
2451         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
2452         * assembler/MacroAssemblerARM64.h:
2453         (JSC::MacroAssemblerARM64::and64):
2454         (JSC::MacroAssemblerARM64::or64):
2455         (JSC::MacroAssemblerARM64::xor64):
2456         * b3/B3LowerToAir.cpp:
2457         (JSC::B3::Air::LowerToAir::bitImm):
2458         (JSC::B3::Air::LowerToAir::bitImm64):
2459         (JSC::B3::Air::LowerToAir::appendBinOp):
2460         * b3/air/AirArg.cpp:
2461         (JSC::B3::Air::Arg::dump):
2462         (WTF::printInternal):
2463         * b3/air/AirArg.h:
2464         (JSC::B3::Air::Arg::bitImm):
2465         (JSC::B3::Air::Arg::bitImm64):
2466         (JSC::B3::Air::Arg::isBitImm):
2467         (JSC::B3::Air::Arg::isBitImm64):
2468         (JSC::B3::Air::Arg::isSomeImm):
2469         (JSC::B3::Air::Arg::value):
2470         (JSC::B3::Air::Arg::isGP):
2471         (JSC::B3::Air::Arg::isFP):
2472         (JSC::B3::Air::Arg::hasType):
2473         (JSC::B3::Air::Arg::isValidBitImmForm):
2474         (JSC::B3::Air::Arg::isValidBitImm64Form):
2475         (JSC::B3::Air::Arg::isValidForm):
2476         (JSC::B3::Air::Arg::asTrustedImm32):
2477         (JSC::B3::Air::Arg::asTrustedImm64):
2478         * b3/air/AirOpcode.opcodes:
2479         * b3/air/opcode_generator.rb:
2480
2481 2016-02-17  Keith Miller  <keith_miller@apple.com>
2482
2483         Spread operator should be allowed when not the first argument of parameter list
2484         https://bugs.webkit.org/show_bug.cgi?id=152721
2485
2486         Reviewed by Saam Barati.
2487
2488         Spread arguments to functions should now be ES6 compliant. Before we
2489         would only take a spread operator if it was the sole argument to a
2490         function. Additionally, we would not use the Symbol.iterator on the
2491         object to generate the arguments. Instead we would do a loop up to the
2492         length mapping indexed properties to the corresponding argument. We fix
2493         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2494         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2495         old spread semantics). This solution has the downside of requiring the
2496         allocation of another object and copying each element twice but avoids a
2497         large change to the vm calling convention.
2498
2499         * interpreter/Interpreter.cpp:
2500         (JSC::loadVarargs):
2501         * parser/ASTBuilder.h:
2502         (JSC::ASTBuilder::createElementList):
2503         * parser/Parser.cpp:
2504         (JSC::Parser<LexerType>::parseArguments):
2505         (JSC::Parser<LexerType>::parseArgument):
2506         (JSC::Parser<LexerType>::parseMemberExpression):
2507         * parser/Parser.h:
2508         * parser/SyntaxChecker.h:
2509         (JSC::SyntaxChecker::createElementList):
2510         * tests/es6.yaml:
2511         * tests/stress/spread-calling.js: Added.
2512         (testFunction):
2513         (testEmpty):
2514         (makeObject):
2515         (otherIterator.return.next):
2516         (otherIterator):
2517         (totalIter):
2518         (throwingIter.return.next):
2519         (throwingIter):
2520         (i.catch):
2521
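Added example (editor's illustration, not JavaScriptCore code or the spread-calling.js test named above). It shows the two behaviours the entry describes: a spread may sit at any argument position, and each spread consumes the operand's Symbol.iterator instead of walking indexed properties up to length. It also shows that the desugaring foo(...a, b, ...c, d) to foo(...[...a, b, ...c, d]) is observably equivalent, and how an iterator that throws part-way prevents the callee from running at all. The names collect, makeCounter, mixedSpread, desugaredSpread and throwingIterator are constructed for this example.

```javascript
// Added example, not JavaScriptCore code. Spread in any argument position,
// driven by Symbol.iterator rather than length. Names are constructed here.

function collect(...args) { return args; }

// A constructed iterable with no indexed properties and length 0: a
// length-based loop would pass nothing for it, Symbol.iterator yields 0..n-1.
function makeCounter(n) {
  return {
    length: 0,
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < n ? { value: i++, done: false } : { value: undefined, done: true };
        },
      };
    },
  };
}

// Spread interleaved with plain arguments.
function mixedSpread() {
  const a = makeCounter(2);            // yields 0, 1
  const c = [7, 8];
  return collect(...a, "b", ...c, "d"); // [0, 1, "b", 7, 8, "d"]
}

// The AST transformation the entry describes: one array is built from all
// the arguments and then spread as the sole argument.
function desugaredSpread() {
  const a = makeCounter(2);
  const c = [7, 8];
  return collect(...[...a, "b", ...c, "d"]);
}

// An iterator that throws on its second element. The exception propagates
// from the call site and the callee never runs, so the partially collected
// arguments are never observed by it.
function throwingIterator() {
  const bad = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i++ === 1) throw new RangeError("stop");
          return { value: i, done: false };
        },
      };
    },
  };
  let calleeRan = false;
  function witness() { calleeRan = true; }
  try {
    witness(...[1], ...bad);
  } catch (e) {
    return e instanceof RangeError && !calleeRan;
  }
  return false;
}
```

Running mixedSpread and desugaredSpread side by side is the quickest check that the rewrite is semantics-preserving; the cost the entry mentions (one extra array allocation and a second copy of each element) is the only difference.
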
2522 2016-02-17  Brian Burg  <bburg@apple.com>
2523
2524         Remove a wrong cast in RemoteInspector::receivedSetupMessage
2525         https://bugs.webkit.org/show_bug.cgi?id=154361
2526         <rdar://problem/24709281>
2527
2528         Reviewed by Joseph Pecoraro.
2529
2530         * inspector/remote/RemoteInspector.mm:
2531         (Inspector::RemoteInspector::receivedSetupMessage):
2532         Not only is this cast unnecessary (the constructor accepts the base class),
2533         but it is wrong since the target could be an automation target. Remove it.
2534
2535 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2536
2537         Rename FTLB3Blah to FTLBlah
2538         https://bugs.webkit.org/show_bug.cgi?id=154365
2539
2540         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
2541
2542         * CMakeLists.txt:
2543         * JavaScriptCore.xcodeproj/project.pbxproj:
2544         * ftl/FTLB3Compile.cpp: Removed.
2545         * ftl/FTLB3Output.cpp: Removed.
2546         * ftl/FTLB3Output.h: Removed.
2547         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
2548         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
2549         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
2550
2551 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2552
2553         Remove LLVM dependencies from WebKit
2554         https://bugs.webkit.org/show_bug.cgi?id=154323
2555
2556         Reviewed by Antti Koivisto and Benjamin Poulain.
2557
2558         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
2559         LLVM-related code dead, including the disassembler, which was only reachable when you were on
2560         a platform that already had an in-tree disassembler.
2561
2562         * CMakeLists.txt:
2563         * JavaScriptCore.xcodeproj/project.pbxproj:
2564         * dfg/DFGCommon.h:
2565         * dfg/DFGPlan.cpp:
2566         (JSC::DFG::Plan::compileInThread):
2567         (JSC::DFG::Plan::compileInThreadImpl):
2568         (JSC::DFG::Plan::compileTimeStats):
2569         * disassembler/ARM64Disassembler.cpp:
2570         (JSC::tryToDisassemble):
2571         * disassembler/ARMv7Disassembler.cpp:
2572         (JSC::tryToDisassemble):
2573         * disassembler/Disassembler.cpp:
2574         (JSC::disassemble):
2575         (JSC::disassembleAsynchronously):
2576         * disassembler/Disassembler.h:
2577         (JSC::tryToDisassemble):
2578         * disassembler/LLVMDisassembler.cpp: Removed.
2579         * disassembler/LLVMDisassembler.h: Removed.
2580         * disassembler/UDis86Disassembler.cpp:
2581         (JSC::tryToDisassembleWithUDis86):
2582         * disassembler/UDis86Disassembler.h:
2583         (JSC::tryToDisassembleWithUDis86):
2584         * disassembler/X86Disassembler.cpp:
2585         (JSC::tryToDisassemble):
2586         * ftl/FTLAbbreviatedTypes.h:
2587         * ftl/FTLAbbreviations.h: Removed.
2588         * ftl/FTLAbstractHeap.cpp:
2589         (JSC::FTL::AbstractHeap::decorateInstruction):
2590         (JSC::FTL::AbstractHeap::dump):
2591         (JSC::FTL::AbstractField::dump):
2592         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2593         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
2594         (JSC::FTL::IndexedAbstractHeap::baseIndex):
2595         (JSC::FTL::IndexedAbstractHeap::dump):
2596         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
2597         (JSC::FTL::NumberedAbstractHeap::dump):
2598         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
2599         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
2600         * ftl/FTLAbstractHeap.h:
2601         (JSC::FTL::AbstractHeap::AbstractHeap):
2602         (JSC::FTL::AbstractHeap::heapName):
2603         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
2604         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
2605         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
2606         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
2607         * ftl/FTLAbstractHeapRepository.cpp:
2608         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2609         * ftl/FTLAbstractHeapRepository.h:
2610         * ftl/FTLB3Compile.cpp:
2611         * ftl/FTLB3Output.cpp:
2612         (JSC::FTL::Output::Output):
2613         (JSC::FTL::Output::check):
2614         (JSC::FTL::Output::load):
2615         (JSC::FTL::Output::store):
2616         * ftl/FTLB3Output.h:
2617         * ftl/FTLCommonValues.cpp:
2618         (JSC::FTL::CommonValues::CommonValues):
2619         (JSC::FTL::CommonValues::initializeConstants):
2620         * ftl/FTLCommonValues.h:
2621         (JSC::FTL::CommonValues::initialize): Deleted.
2622         * ftl/FTLCompile.cpp: Removed.
2623         * ftl/FTLCompileBinaryOp.cpp: Removed.
2624         * ftl/FTLCompileBinaryOp.h: Removed.
2625         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
2626         * ftl/FTLDWARFDebugLineInfo.h: Removed.
2627         * ftl/FTLDWARFRegister.cpp: Removed.
2628         * ftl/FTLDWARFRegister.h: Removed.
2629         * ftl/FTLDataSection.cpp: Removed.
2630         * ftl/FTLDataSection.h: Removed.
2631         * ftl/FTLExceptionHandlerManager.cpp: Removed.
2632         * ftl/FTLExceptionHandlerManager.h: Removed.
2633         * ftl/FTLExceptionTarget.cpp:
2634         * ftl/FTLExceptionTarget.h:
2635         * ftl/FTLExitThunkGenerator.cpp: Removed.
2636         * ftl/FTLExitThunkGenerator.h: Removed.
2637         * ftl/FTLFail.cpp:
2638         (JSC::FTL::fail):
2639         * ftl/FTLInlineCacheDescriptor.h: Removed.
2640         * ftl/FTLInlineCacheSize.cpp: Removed.
2641         * ftl/FTLInlineCacheSize.h: Removed.
2642         * ftl/FTLIntrinsicRepository.cpp: Removed.
2643         * ftl/FTLIntrinsicRepository.h: Removed.
2644         * ftl/FTLJITCode.cpp:
2645         (JSC::FTL::JITCode::~JITCode):
2646         (JSC::FTL::JITCode::initializeB3Code):
2647         (JSC::FTL::JITCode::initializeB3Byproducts):
2648         (JSC::FTL::JITCode::initializeAddressForCall):
2649         (JSC::FTL::JITCode::contains):
2650         (JSC::FTL::JITCode::ftl):
2651         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2652         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
2653         (JSC::FTL::JITCode::addHandle): Deleted.
2654         (JSC::FTL::JITCode::addDataSection): Deleted.
2655         (JSC::FTL::JITCode::exitThunks): Deleted.
2656         * ftl/FTLJITCode.h:
2657         (JSC::FTL::JITCode::b3Code):
2658         (JSC::FTL::JITCode::handles): Deleted.
2659         (JSC::FTL::JITCode::dataSections): Deleted.
2660         * ftl/FTLJITFinalizer.cpp:
2661         (JSC::FTL::JITFinalizer::codeSize):
2662         (JSC::FTL::JITFinalizer::finalizeFunction):
2663         * ftl/FTLJITFinalizer.h:
2664         * ftl/FTLJSCall.cpp: Removed.
2665         * ftl/FTLJSCall.h: Removed.
2666         * ftl/FTLJSCallBase.cpp: Removed.
2667         * ftl/FTLJSCallBase.h: Removed.
2668         * ftl/FTLJSCallVarargs.cpp: Removed.
2669         * ftl/FTLJSCallVarargs.h: Removed.
2670         * ftl/FTLJSTailCall.cpp: Removed.
2671         * ftl/FTLJSTailCall.h: Removed.
2672         * ftl/FTLLazySlowPath.cpp:
2673         (JSC::FTL::LazySlowPath::LazySlowPath):
2674         (JSC::FTL::LazySlowPath::generate):
2675         * ftl/FTLLazySlowPath.h:
2676         (JSC::FTL::LazySlowPath::createGenerator):
2677         (JSC::FTL::LazySlowPath::patchableJump):
2678         (JSC::FTL::LazySlowPath::done):
2679         (JSC::FTL::LazySlowPath::usedRegisters):
2680         (JSC::FTL::LazySlowPath::callSiteIndex):
2681         (JSC::FTL::LazySlowPath::stub):
2682         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
2683         * ftl/FTLLink.cpp:
2684         (JSC::FTL::link):
2685         * ftl/FTLLocation.cpp:
2686         (JSC::FTL::Location::forValueRep):
2687         (JSC::FTL::Location::dump):
2688         (JSC::FTL::Location::forStackmaps): Deleted.
2689         * ftl/FTLLocation.h:
2690         (JSC::FTL::Location::forRegister):
2691         (JSC::FTL::Location::forIndirect):
2692         (JSC::FTL::Location::forConstant):
2693         (JSC::FTL::Location::kind):
2694         (JSC::FTL::Location::hasReg):
2695         * ftl/FTLLowerDFGToLLVM.cpp:
2696         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
2697         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2698         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
2699         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2700         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
2701         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
2702         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
2703         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2704         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2705         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2706         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2707         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2708         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2709         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2710         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2711         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2712         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2713         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2714         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2715         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2716         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2717         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2718         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2719         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2720         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2721         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
2722         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2723         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2724         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2725         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2726         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2727         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2728         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2729         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2730         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2731         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2732         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2733         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
2734         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2735         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2736         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2737         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2738         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2739         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
2740         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
2741         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
2742         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2743         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
2744         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
2745         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
2746         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
2747         * ftl/FTLOSRExit.cpp:
2748         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2749         (JSC::FTL::OSRExitDescriptor::validateReferences):
2750         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
2751         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2752         (JSC::FTL::OSRExit::OSRExit):
2753         (JSC::FTL::OSRExit::codeLocationForRepatch):
2754         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
2755         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
2756         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
2757         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
2758         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
2759         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
2760         * ftl/FTLOSRExit.h:
2761         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2762         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
2763         * ftl/FTLOSRExitCompilationInfo.h: Removed.
2764         * ftl/FTLOSRExitCompiler.cpp:
2765         (JSC::FTL::compileRecovery):
2766         (JSC::FTL::compileStub):
2767         (JSC::FTL::compileFTLOSRExit):
2768         * ftl/FTLOSRExitHandle.cpp:
2769         * ftl/FTLOSRExitHandle.h:
2770         * ftl/FTLOutput.cpp: Removed.
2771         * ftl/FTLOutput.h: Removed.
2772         * ftl/FTLPatchpointExceptionHandle.cpp:
2773         * ftl/FTLPatchpointExceptionHandle.h:
2774         * ftl/FTLStackMaps.cpp: Removed.
2775         * ftl/FTLStackMaps.h: Removed.
2776         * ftl/FTLState.cpp:
2777         (JSC::FTL::State::State):
2778         (JSC::FTL::State::~State):
2779         (JSC::FTL::State::dumpState): Deleted.
2780         * ftl/FTLState.h:
2781         * ftl/FTLUnwindInfo.cpp: Removed.
2782         * ftl/FTLUnwindInfo.h: Removed.
2783         * ftl/FTLValueRange.cpp:
2784         (JSC::FTL::ValueRange::decorateInstruction):
2785         * ftl/FTLValueRange.h:
2786         (JSC::FTL::ValueRange::ValueRange):
2787         (JSC::FTL::ValueRange::begin):
2788         (JSC::FTL::ValueRange::end):
2789         * ftl/FTLWeight.h:
2790         (JSC::FTL::Weight::value):
2791         (JSC::FTL::Weight::frequencyClass):
2792         (JSC::FTL::Weight::scaleToTotal):
2793         * llvm/InitializeLLVM.cpp: Removed.
2794         * llvm/InitializeLLVM.h: Removed.
2795         * llvm/InitializeLLVMMac.cpp: Removed.
2796         * llvm/InitializeLLVMPOSIX.cpp: Removed.
2797         * llvm/InitializeLLVMPOSIX.h: Removed.
2798         * llvm/LLVMAPI.cpp: Removed.
2799         * llvm/LLVMAPI.h: Removed.
2800         * llvm/LLVMAPIFunctions.h: Removed.
2801         * llvm/LLVMHeaders.h: Removed.
2802         * llvm/library/LLVMAnchor.cpp: Removed.
2803         * llvm/library/LLVMExports.cpp: Removed.
2804         * llvm/library/LLVMOverrides.cpp: Removed.
2805         * llvm/library/config_llvm.h: Removed.
2806
2807 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2808
2809         [JSC] Remove the overflow check on ArithAbs when possible
2810         https://bugs.webkit.org/show_bug.cgi?id=154325
2811
2812         Reviewed by Filip Pizlo.
2813
2814         This patch adds support for ArithMode for ArithAbs.
2815
2816         It is useful for kraken tests where Math.abs() is used
2817         on values for which the range is known.
2818
2819         For example, imaging-gaussian-blur has two Math.abs() with
2820         integers that are always in a small range around zero.
2821         The IntegerRangeOptimizationPhase detects the range correctly
2822         so we can just update the ArithMode depending on the input.
2823
2824         * dfg/DFGFixupPhase.cpp:
2825         (JSC::DFG::FixupPhase::fixupNode):
2826         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2827         * dfg/DFGNode.h:
2828         (JSC::DFG::Node::convertToArithNegate):
2829         (JSC::DFG::Node::hasArithMode):
2830         * dfg/DFGSpeculativeJIT64.cpp:
2831         (JSC::DFG::SpeculativeJIT::compile):
2832         * ftl/FTLLowerDFGToLLVM.cpp:
2833         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
2834         * tests/stress/arith-abs-integer-range-optimization.js: Added.
2835         (negativeRange):
2836         (negativeRangeIncludingZero):
2837         (negativeRangeWithOverflow):
2838         (positiveRange):
2839         (positiveRangeIncludingZero):
2840         (rangeWithoutOverflow):
2841         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
2842         (opaqueAbs):
2843
2844 2016-02-17  Chris Dumez  <cdumez@apple.com>
2845
2846         SES selftest page crashes on nightly r196694
2847         https://bugs.webkit.org/show_bug.cgi?id=154350
2848         <rdar://problem/24704334>
2849
2850         Reviewed by Mark Lam.
2851
2852         SES selftest page crashes after r196001 / r196145 when calling
2853         Object.getOwnPropertyDescriptor(window, "length") after the window
2854         has been reified and "length" has been shadowed by a value property.
2855
2856         It was crashing in JSObject::getOwnPropertyDescriptor() because
2857         we are getting a slot that has attribute "CustomAccessor" but
2858         the property is not a CustomGetterSetter. In this case, since
2859         window.length is [Replaceable] and has been set to a numeric value,
2860         it means that the property is not a CustomGetterSetter. However,
2861         the "CustomAccessor" attribute should have been dropped from the
2862         slot when window.length was shadowed. Therefore, this code path
2863         should not be exercised at all when calling
2864         getOwnPropertyDescriptor().
2865
2866         The issue was that putDirectInternal() was updating the slot
2867         attributes only if the "Accessor" flag has changed, but not
2868         the "customAccessor" flag. This patch fixes the issue.
2869
2870         * runtime/JSObject.h:
2871         (JSC::JSObject::putDirectInternal):
2872
2873 2016-02-17  Saam Barati  <sbarati@apple.com>
2874
2875         Implement Proxy [[Get]]
2876         https://bugs.webkit.org/show_bug.cgi?id=154081
2877
2878         Reviewed by Michael Saboff.
2879
2880         This patch implements ProxyObject and ProxyConstructor. Their
2881         implementations are straightforward and follow the spec.
2882         The largest change in this patch is adding a second parameter
2883         to PropertySlot's constructor that specifies the internal method type of
2884         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to
2885         implement more than one Internal Method in the spec. Because
2886         of this, we need InternalMethodType to give us context about
2887         which Internal Method we're executing. Specifically, Proxy will
2888         call into different handlers based on this information.
2889
2890         InternalMethodType is an enum with the following values:
2891         - Get
2892           This corresponds to [[Get]] internal method in the spec.
2893         - GetOwnProperty
2894           This corresponds to [[GetOwnProperty]] internal method in the spec.
2895         - HasProperty
2896           This corresponds to [[HasProperty]] internal method in the spec.
2897         - VMInquiry
2898           This is basically everything else that isn't one of the above
2899           types. This value also mandates that getOwnPropertySlot does
2900           not perform any user observable effects. I.e., it can't call
2901           a JS function.
2902
2903         The other non-VMInquiry InternalMethodTypes are allowed to perform user
2904         observable effects. I.e., in future patches, ProxyObject will implement
2905         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty,
2906         which will both be defined to call user defined JS functions, which
2907         clearly have the right to perform user observable effects.
2908
2909         This patch implements getOwnPropertySlot of ProxyObject under
2910         InternalMethodType::Get.
2911
2912         * API/JSCallbackObjectFunctions.h:
2913         (JSC::JSCallbackObject<Parent>::put):
2914         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2915         * CMakeLists.txt:
2916         * JavaScriptCore.xcodeproj/project.pbxproj:
2917         * debugger/DebuggerScope.cpp:
2918         (JSC::DebuggerScope::caughtValue):
2919         * interpreter/Interpreter.cpp:
2920         (JSC::Interpreter::execute):
2921         * jit/JITOperations.cpp:
2922         * llint/LLIntSlowPaths.cpp:
2923         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2924         * runtime/ArrayPrototype.cpp:
2925         (JSC::getProperty):
2926         * runtime/CommonIdentifiers.h:
2927         * runtime/JSCJSValueInlines.h:
2928         (JSC::JSValue::get):
2929         * runtime/JSFunction.cpp:
2930         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2931         (JSC::JSFunction::put):
2932         (JSC::JSFunction::defineOwnProperty):
2933         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2934         (JSC::constructGenericTypedArrayViewWithArguments):
2935         * runtime/JSGlobalObject.cpp:
2936         (JSC::JSGlobalObject::init):
2937         (JSC::JSGlobalObject::defineOwnProperty):
2938         * runtime/JSGlobalObject.h:
2939         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2940         (JSC::JSGlobalObject::moduleRecordStructure):
2941         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2942         (JSC::JSGlobalObject::proxyObjectStructure):
2943         (JSC::JSGlobalObject::wasmModuleStructure):
2944         * runtime/JSModuleEnvironment.cpp:
2945         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2946         * runtime/JSModuleNamespaceObject.cpp:
2947         (JSC::callbackGetter):
2948         * runtime/JSONObject.cpp:
2949         (JSC::Stringifier::Holder::appendNextProperty):
2950         (JSC::Walker::walk):
2951         * runtime/JSObject.cpp:
2952         (JSC::JSObject::calculatedClassName):
2953         (JSC::JSObject::putDirectNonIndexAccessor):
2954         (JSC::JSObject::hasProperty):
2955         (JSC::JSObject::deleteProperty):
2956         (JSC::JSObject::hasOwnProperty):
2957         (JSC::JSObject::getOwnPropertyDescriptor):
2958         * runtime/JSObject.h:
2959         (JSC::JSObject::getDirectIndex):
2960         (JSC::JSObject::get):
2961         * runtime/JSScope.cpp:
2962         (JSC::abstractAccess):
2963         * runtime/ObjectConstructor.cpp:
2964         (JSC::toPropertyDescriptor):
2965         * runtime/ObjectPrototype.cpp:
2966         (JSC::objectProtoFuncLookupGetter):
2967         (JSC::objectProtoFuncLookupSetter):
2968         (JSC::objectProtoFuncToString):
2969         * runtime/PropertySlot.h:
2970         (JSC::attributesForStructure):
2971         (JSC::PropertySlot::PropertySlot):
2972         (JSC::PropertySlot::isCacheableGetter):
2973         (JSC::PropertySlot::isCacheableCustom):
2974         (JSC::PropertySlot::internalMethodType):
2975         (JSC::PropertySlot::disableCaching):
2976         (JSC::PropertySlot::getValue):
2977         * runtime/ProxyConstructor.cpp: Added.
2978         (JSC::ProxyConstructor::create):
2979         (JSC::ProxyConstructor::ProxyConstructor):
2980         (JSC::ProxyConstructor::finishCreation):
2981         (JSC::constructProxyObject):
2982         (JSC::ProxyConstructor::getConstructData):
2983         (JSC::ProxyConstructor::getCallData):
2984         * runtime/ProxyConstructor.h: Added.
2985         (JSC::ProxyConstructor::createStructure):
2986         * runtime/ProxyObject.cpp: Added.
2987         (JSC::ProxyObject::ProxyObject):
2988         (JSC::ProxyObject::finishCreation):
2989         (JSC::performProxyGet):
2990         (JSC::ProxyObject::getOwnPropertySlotCommon):
2991         (JSC::ProxyObject::getOwnPropertySlot):
2992         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2993         (JSC::ProxyObject::visitChildren):
2994         * runtime/ProxyObject.h: Added.
2995         (JSC::ProxyObject::create):
2996         (JSC::ProxyObject::createStructure):
2997         (JSC::ProxyObject::target):
2998         (JSC::ProxyObject::handler):
2999         * runtime/ReflectObject.cpp:
3000         (JSC::reflectObjectGet):
3001         * runtime/SamplingProfiler.cpp:
3002         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
3003         * tests/es6.yaml:
3004         * tests/stress/proxy-basic.js: Added.
3005         (assert):
3006         (let.handler.get null):
3007         (get let):
3008         (let.handler.get switch):
3009         (let.handler):
3010         (let.theTarget.get x):
3011         * tests/stress/proxy-in-proto-chain.js: Added.
3012         (assert):
3013         * tests/stress/proxy-of-a-proxy.js: Added.
3014         (assert):
3015         (throw.new.Error.):
3016         * tests/stress/proxy-property-descriptor.js: Added.
3017         (assert):
3018         (set Object):
3019         * wasm/WASMModuleParser.cpp:
3020         (JSC::WASMModuleParser::getImportedValue):
3021
3022 2016-02-17  Mark Lam  <mark.lam@apple.com>
3023
3024         StringPrototype functions should check for exceptions after calling JSString::value().
3025         https://bugs.webkit.org/show_bug.cgi?id=154340
3026
3027         Reviewed by Filip Pizlo.
3028
3029         JSString::value() can throw an exception if the JS string is a rope and value()
3030         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3031         able to resolve the rope, it will return a null string (in addition to throwing
3032         the exception).  If StringPrototype functions do not check for exceptions after
3033         calling JSString::value(), they may eventually use the returned null string and
3034         crash the VM.
3035
3036         The fix is to add all the necessary exception checks, and do the appropriate
3037         handling if needed.
3038
3039         Also, in a few places where an exception is detected and we return JSValue(), I
3040         changed it to return jsUndefined() instead to be consistent with the rest of the
3041         file.
3042
3043         * runtime/StringPrototype.cpp:
3044         (JSC::replaceUsingRegExpSearch):
3045         (JSC::stringProtoFuncMatch):
3046         (JSC::stringProtoFuncSlice):
3047         (JSC::stringProtoFuncSplit):
3048         (JSC::stringProtoFuncLocaleCompare):
3049         (JSC::stringProtoFuncBig):
3050         (JSC::stringProtoFuncSmall):
3051         (JSC::stringProtoFuncBlink):
3052         (JSC::stringProtoFuncBold):
3053         (JSC::stringProtoFuncFixed):
3054         (JSC::stringProtoFuncItalics):
3055         (JSC::stringProtoFuncStrike):
3056         (JSC::stringProtoFuncSub):
3057         (JSC::stringProtoFuncSup):
3058         (JSC::stringProtoFuncFontcolor):
3059         (JSC::stringProtoFuncFontsize):
3060         (JSC::stringProtoFuncAnchor):
3061         (JSC::stringProtoFuncLink):
3062         (JSC::trimString):
3063
3064 2016-02-17  Commit Queue  <commit-queue@webkit.org>
3065
3066         Unreviewed, rolling out r196675.
3067         https://bugs.webkit.org/show_bug.cgi?id=154344
3068
3069         "Causes major slowdowns on deltablue-varargs" (Requested by
3070         keith_miller on #webkit).
3071
3072         Reverted changeset:
3073
3074         "Spread operator should be allowed when not the first argument
3075         of parameter list"
3076         https://bugs.webkit.org/show_bug.cgi?id=152721
3077         http://trac.webkit.org/changeset/196675
3078
3079 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
3080
3081         JSDOMWindow::put should not do the same thing twice
3082         https://bugs.webkit.org/show_bug.cgi?id=154334
3083
3084         Reviewed by Chris Dumez.
3085
3086         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
3087         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
3088         table entries.
3089
3090         * runtime/JSGlobalObject.h:
3091         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
3092             - no longer needed.
3093
3094 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3095
3096         FTL_USES_B3 should be unconditionally true
3097         https://bugs.webkit.org/show_bug.cgi?id=154324
3098
3099         Reviewed by Benjamin Poulain.
3100
3101         * dfg/DFGCommon.h:
3102
3103 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3104
3105         FTL should support CompareEq(String:, String:)
3106         https://bugs.webkit.org/show_bug.cgi?id=154269
3107         rdar://problem/24499921
3108
3109         Reviewed by Benjamin Poulain.
3110
3111         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
3112         think we should land the increased coverage first and fix the issues after, especially since
3113         the regression is so small and doesn't have a statistically significant effect on the overall
3114         score.
3115
3116         * ftl/FTLCapabilities.cpp:
3117         (JSC::FTL::canCompile):
3118         * ftl/FTLLowerDFGToLLVM.cpp:
3119         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
3120         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3121         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
3122         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3123         * tests/stress/ftl-string-equality.js: Added.
3124         * tests/stress/ftl-string-ident-equality.js: Added.
3125         * tests/stress/ftl-string-strict-equality.js: Added.
3126
3127 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3128
3129         FTL should support NewTypedArray
3130         https://bugs.webkit.org/show_bug.cgi?id=154268
3131
3132         Reviewed by Saam Barati.
3133
3134         3% speed-up on pdfjs. This was already covered by many different tests.
3135
3136         Rolling this back in after fixing the butterfly argument.
3137
3138         * ftl/FTLCapabilities.cpp:
3139         (JSC::FTL::canCompile):
3140         * ftl/FTLLowerDFGToLLVM.cpp:
3141         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3142         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3143         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3144         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3145         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3146         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3147         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3148
3149 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3150
3151         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
3152         https://bugs.webkit.org/show_bug.cgi?id=154257
3153
3154         Reviewed by Chris Dumez.
3155
3156         * runtime/Lookup.h:
3157         (JSC::getStaticPropertySlot):
3158         (JSC::getStaticFunctionSlot):
3159         (JSC::getStaticValueSlot):
3160             - this could all do with a little more love.
3161               But enforce the basic precedence:
3162                 (1) regular storage properties always win over static table properties.
3163                 (2) if properties have been reified, don't consult the static tables.
3164                 (3) only if the property is not present on the object & not reified
3165                     should the static hashtable be consulted.
3166
3167 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3168
3169         JSDOMWindow::getOwnPropertySlot should not search proto chain
3170         https://bugs.webkit.org/show_bug.cgi?id=154102
3171
3172         Reviewed by Chris Dumez.
3173
3174         Should only return *own* properties.
3175
3176         * runtime/JSObject.cpp:
3177         (JSC::JSObject::getOwnPropertyDescriptor):
3178             - remove hack/special-case for DOMWindow; we no longer need this.
3179
3180 2016-02-16  Keith Miller  <keith_miller@apple.com>
3181
3182         Spread operator should be allowed when not the first argument of parameter list
3183         https://bugs.webkit.org/show_bug.cgi?id=152721
3184
3185         Reviewed by Saam Barati.
3186
3187         Spread arguments to functions should now be ES6 compliant. Before we
3188         would only take a spread operator if it was the sole argument to a
3189         function. Additionally, we would not use the Symbol.iterator on the
3190         object to generate the arguments. Instead we would do a loop up to the
3191         length mapping indexed properties to the corresponding argument. We fix
3192         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3193         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3194         old spread semantics). This solution has the downside of requiring the
3195         allocation of another object and copying each element twice but avoids a
3196         large change to the vm calling convention.
3197
3198         * interpreter/Interpreter.cpp:
3199         (JSC::loadVarargs):
3200         * parser/ASTBuilder.h:
3201         (JSC::ASTBuilder::createElementList):
3202         * parser/Parser.cpp:
3203         (JSC::Parser<LexerType>::parseArguments):
3204         (JSC::Parser<LexerType>::parseArgument):
3205         (JSC::Parser<LexerType>::parseMemberExpression):
3206         * parser/Parser.h:
3207         * parser/SyntaxChecker.h:
3208         (JSC::SyntaxChecker::createElementList):
3209         * tests/es6.yaml:
3210         * tests/stress/spread-calling.js: Added.
3211         (testFunction):
3212         (testEmpty):
3213         (makeObject):
3214         (otherIterator.return.next):
3215         (otherIterator):
3216         (totalIter):
3217         (throwingIter.return.next):
3218         (throwingIter):
3219         (i.catch):
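
        Added example, not code from the WebKit ChangeLog or JavaScriptCore: it contrasts the two
        spread semantics the entry describes. legacySpreadArgs is a constructed stand-in for the
        old length-based behaviour, and the divergent iterable is constructed so that the two
        semantics give visibly different results; none of the helpers are JSC's own code.

```javascript
// Old behaviour, modelled here: ignore Symbol.iterator, read obj.length and obj[0..length-1].
function legacySpreadArgs(obj) {
  const args = [];
  const length = Number(obj.length) || 0;
  for (let i = 0; i < length; i++) args.push(obj[i]);
  return args;
}

// New behaviour: foo(...a, b, ...c, d) is rewritten to foo(...[...a, b, ...c, d]), so every
// spread goes through array-literal spread, i.e. the Symbol.iterator protocol.
function es6SpreadArgs(iterable) {
  return [...iterable];
}

// Constructed object whose indexed view and iterator disagree, to expose the difference:
// length/indices describe [1, 2], the iterator yields [10, 20, 30].
function makeDivergentIterable() {
  return {
    length: 2, 0: 1, 1: 2,
    *[Symbol.iterator]() { yield 10; yield 20; yield 30; },
  };
}

function collect(...args) { return args; }

// A spread that is not the first argument, the case the entry makes legal.
function mixedCall(a, c) {
  return collect(...a, 'b', ...c, 'd');
}

// The rewritten form the parser produces: same result, at the cost of one extra array
// allocation and a second copy of every element (the downside the entry notes).
function mixedCallRewritten(a, c) {
  return collect(...[...a, 'b', ...c, 'd']);
}

// An error thrown by the iterator surfaces while the argument list is being built,
// before the callee runs (cf. throwingIter in tests/stress/spread-calling.js).
function spreadWithThrowingIterator() {
  let calleeRan = false;
  const callee = (...args) => { calleeRan = true; return args; };
  const throwing = {
    [Symbol.iterator]() { return { next() { throw new Error('iterator failed'); } }; },
  };
  try {
    callee(...[1], ...throwing);
  } catch (e) {
    return { calleeRan, message: e.message };
  }
  return { calleeRan, message: null };
}
```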
3220
3221 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
3222
3223         [JSC] Enable B3 on ARM64
3224         https://bugs.webkit.org/show_bug.cgi?id=154275
3225
3226         Reviewed by Mark Lam.
3227
3228         The port passes more tests than LLVM now; let's use it by default.
3229
3230         * dfg/DFGCommon.h:
3231
3232 2016-02-16  Commit Queue  <commit-queue@webkit.org>
3233
3234         Unreviewed, rolling out r196652.
3235         https://bugs.webkit.org/show_bug.cgi?id=154315
3236
3237         This change caused LayoutTest crashes (Requested by ryanhaddad
3238         on #webkit).
3239
3240         Reverted changeset:
3241
3242         "FTL should support NewTypedArray"
3243         https://bugs.webkit.org/show_bug.cgi?id=154268
3244         http://trac.webkit.org/changeset/196652
3245
3246 2016-02-16  Brian Burg  <bburg@apple.com>
3247
3248         RemoteInspector should forward new automation session requests to its client
3249         https://bugs.webkit.org/show_bug.cgi?id=154260
3250         <rdar://problem/24663313>
3251
3252         Reviewed by Timothy Hatcher.
3253
3254         * inspector/remote/RemoteInspector.h:
3255         * inspector/remote/RemoteInspector.mm:
3256         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3257         (Inspector::RemoteInspector::listingForAutomationTarget):
3258         Use the correct key for the session identifier in the listing. The name()
3259         override for RemoteAutomationTarget is actually the session identifier.
3260
3261         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3262         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
3263
3264 2016-02-16  Saam Barati  <sbarati@apple.com>
3265
3266         SamplingProfiler still fails with ASan enabled
3267         https://bugs.webkit.org/show_bug.cgi?id=154301
3268         <rdar://problem/24679502>
3269
3270         Reviewed by Filip Pizlo.
3271
3272         To fix this issue, I've come up with unsafe versions
3273         of all operations that load memory from the thread's call
3274         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
3275
3276         * interpreter/CallFrame.cpp:
3277         (JSC::CallFrame::callSiteAsRawBits):
3278         (JSC::CallFrame::unsafeCallSiteAsRawBits):
3279         (JSC::CallFrame::callSiteIndex):
3280         (JSC::CallFrame::unsafeCallSiteIndex):
3281         (JSC::CallFrame::stack):
3282         (JSC::CallFrame::callerFrame):
3283         (JSC::CallFrame::unsafeCallerFrame):
3284         (JSC::CallFrame::friendlyFunctionName):
3285         * interpreter/CallFrame.h:
3286         (JSC::ExecState::calleeAsValue):
3287         (JSC::ExecState::callee):
3288         (JSC::ExecState::unsafeCallee):
3289         (JSC::ExecState::codeBlock):
3290         (JSC::ExecState::unsafeCodeBlock):
3291         (JSC::ExecState::scope):
3292         (JSC::ExecState::callerFrame):
3293         (JSC::ExecState::callerFrameOrVMEntryFrame):
3294         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
3295         (JSC::ExecState::callerFrameOffset):
3296         (JSC::ExecState::callerFrameAndPC):
3297         (JSC::ExecState::unsafeCallerFrameAndPC):
3298         * interpreter/Register.h:
3299         (JSC::Register::codeBlock):
3300         (JSC::Register::asanUnsafeCodeBlock):
3301         (JSC::Register::unboxedInt32):
3302         (JSC::Register::tag):
3303         (JSC::Register::unsafeTag):
3304         (JSC::Register::payload):
3305         * interpreter/VMEntryRecord.h:
3306         (JSC::VMEntryRecord::prevTopCallFrame):
3307         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3308         (JSC::VMEntryRecord::prevTopVMEntryFrame):
3309         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
3310         * runtime/SamplingProfiler.cpp:
3311         (JSC::FrameWalker::walk):
3312         (JSC::FrameWalker::advanceToParentFrame):
3313         (JSC::FrameWalker::isAtTop):
3314         (JSC::FrameWalker::resetAtMachineFrame):
3315
2016-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=154268

        Reviewed by Saam Barati.

        3% speed-up on pdfjs. This was already covered by many different tests.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):

2016-02-16  Saam barati  <sbarati@apple.com>

        stress/sampling-profiler-deep-stack.js fails on ARM 32bit
        https://bugs.webkit.org/show_bug.cgi?id=154255
        <rdar://problem/24662996>

        Reviewed by Mark Lam.

        The bug here wasn't in the implementation of the sampling profiler
        itself. Rather, it was a bug in the test. JSC wasn't spending a lot
        of time in a function that the test assumed a lot of time was spent in.
        That's because the DFG was doing a good job at optimizing the function
        at the leaf of the recursion. Because of that, we often wouldn't sample it.
        I fixed this by making the leaf function do more work.

        * tests/stress/sampling-profiler-deep-stack.js:
        (platformSupportsSamplingProfiler.foo):

2016-02-16  Chris Dumez  <cdumez@apple.com>

        [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
        https://bugs.webkit.org/show_bug.cgi?id=154120
        <rdar://problem/24613231>

        Reviewed by Gavin Barraclough.

        Have putEntry() take a thisValue parameter in addition to the base,
        instead of relying on PropertySlot::thisValue() because this did not
        always do the right thing. In particular, when JSDOMWindow::put() was
        called to set a function, it would end up setting the new value on the
        JSDOMWindowShell instead of the actual JSDOMWindow.
        JSDOMWindow::getOwnPropertySlot() would then