[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-02-23  Filip Pizlo  <fpizlo@apple.com>

        B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
        https://bugs.webkit.org/show_bug.cgi?id=154592

        Reviewed by Saam Barati.

        If Foo has a virtual destructor, then:

        foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
        subclass of Foo that overrides the destructor, this syntax will not call that override.

        foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
        get the subclass's override.

        In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
        This caused leaks because this didn't actually call the subclass's override. This fixes the
        problem by using this->~Value() instead.

        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::convertToOops):
        * b3/B3Value.cpp:
        (JSC::B3::Value::replaceWithIdentity):
        (JSC::B3::Value::replaceWithNop):
        (JSC::B3::Value::replaceWithPhi):

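The two call forms the entry above contrasts, shown on a small stand-alone example. This is added illustration, not WebKit or B3 code: `Base`, `Derived`, the `g_openHandles` counter and the placement-new `Slot` storage are all constructed here so the effect of each destructor call can be measured.

```cpp
#include <new>      // placement new
#include <cstddef>

// Constructed instrumentation, not JSC code: counts the "resources" a Derived
// object holds so a caller can see whether its destructor actually ran.
static int g_openHandles = 0;

struct Base {
    virtual ~Base() {}
};

struct Derived : Base {
    Derived() { ++g_openHandles; }            // acquire a resource
    ~Derived() override { --g_openHandles; }  // release it
};

// Storage a Derived is constructed into with placement new, standing in for an
// object that is destroyed in place rather than deleted from the heap.
struct Slot {
    alignas(Derived) unsigned char bytes[sizeof(Derived)];
};

// The buggy form: a qualified name (this->Value::~Value() in the entry) is a
// non-virtual call, so only ~Base runs and Derived's resource is never released.
int openHandlesAfterQualifiedCall() {
    g_openHandles = 0;
    Slot slot;
    Base* obj = new (slot.bytes) Derived;
    obj->Base::~Base();      // non-virtual: ~Derived is skipped
    return g_openHandles;    // 1: the handle leaked
}

// The fixed form: an unqualified pseudo-destructor call (this->~Value()) goes
// through the vtable, so the most-derived destructor runs first.
int openHandlesAfterVirtualCall() {
    g_openHandles = 0;
    Slot slot;
    Base* obj = new (slot.bytes) Derived;
    obj->~Base();            // virtual: ~Derived, then ~Base
    return g_openHandles;    // 0: everything released
}
```

The qualified form compiles without any diagnostic, which is why the leak in the entry went unnoticed: the only signal is the resource count (or, in a real build, a leak detector) after the call.
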
2016-02-23  Brian Burg  <bburg@apple.com>

        Web Inspector: the protocol generator's Objective-C name prefix should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=154596
        <rdar://problem/24794962>

        Reviewed by Timothy Hatcher.

        In order to support different generated protocol sets that don't have conflicting
        file and type names, allow the Objective-C prefix to be configurable based on the
        target framework. Each name also has the implicit prefix 'Protocol' appended to the
        per-target framework prefix.

        For example, the existing protocol for remote inspection has the prefix 'RWI'
        and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
        and is generated as 'AutomationProtocol'.

        To make this change, convert ObjCGenerator to be a subclass of Generator and use
        the instance method model() to find the target framework and its setting for
        'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
        these instance methods that used to be static methods. This is a large but
        mechanical change to use self instead of ObjCGenerator.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator):
        (ObjCBackendDispatcherHeaderGenerator.__init__):
        (ObjCBackendDispatcherHeaderGenerator.output_filename):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator):
        (ObjCConfigurationImplementationGenerator.__init__):
        (ObjCConfigurationImplementationGenerator.output_filename):
        (ObjCConfigurationImplementationGenerator.generate_output):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator):
        (ObjCConfigurationHeaderGenerator.__init__):
        (ObjCConfigurationHeaderGenerator.output_filename):
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator):
        (ObjCBackendDispatcherImplementationGenerator.__init__):
        (ObjCBackendDispatcherImplementationGenerator.output_filename):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
        (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
        (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        (ObjCConversionHelpersGenerator):
        (ObjCConversionHelpersGenerator.__init__):
        (ObjCConversionHelpersGenerator.output_filename):
        (ObjCConversionHelpersGenerator.generate_output):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator):
        (ObjCFrontendDispatcherImplementationGenerator.__init__):
        (ObjCFrontendDispatcherImplementationGenerator.output_filename):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator):
        (ObjCHeaderGenerator.__init__):
        (ObjCHeaderGenerator.output_filename):
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_forward_declarations):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
        (ObjCHeaderGenerator._generate_type_interface):
        (ObjCHeaderGenerator._generate_init_method_for_required_members):
        (ObjCHeaderGenerator._generate_member_property):
        (ObjCHeaderGenerator._generate_command_protocols):
        (ObjCHeaderGenerator._generate_single_command_protocol):
        (ObjCHeaderGenerator._callback_block_for_command):
        (ObjCHeaderGenerator._generate_event_interfaces):
        (ObjCHeaderGenerator._generate_single_event_interface):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator):
        (ObjCInternalHeaderGenerator.__init__):
        (ObjCInternalHeaderGenerator.output_filename):
        (ObjCInternalHeaderGenerator.generate_output):
        (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator):
        (ObjCProtocolTypesImplementationGenerator.__init__):
        (ObjCProtocolTypesImplementationGenerator.output_filename):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
        (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
        * inspector/scripts/codegen/models.py:
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCTypeCategory.category_for_type):
        (ObjCGenerator):
        (ObjCGenerator.__init__):
        (ObjCGenerator.objc_prefix):
        (ObjCGenerator.objc_name_for_type):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
        (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
        (ObjCGenerator.objc_class_for_type):
        (ObjCGenerator.objc_class_for_array_type):
        (ObjCGenerator.objc_accessor_type_for_member):
        (ObjCGenerator.objc_accessor_type_for_member_internal):
        (ObjCGenerator.objc_type_for_member):
        (ObjCGenerator.objc_type_for_member_internal):
        (ObjCGenerator.objc_type_for_param):
        (ObjCGenerator.objc_type_for_param_internal):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_member):
        (ObjCGenerator.objc_protocol_import_expression_for_parameter):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member):

        Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-02-23  Mark Lam  <mark.lam@apple.com>

        Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
        https://bugs.webkit.org/show_bug.cgi?id=154542

        Reviewed by Saam Barati.

        According to the spec, the constructors of the following types "are not intended
        to be called as a function and will throw an exception".  These types are:
            TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
            Map - https://tc39.github.io/ecma262/#sec-map-constructor
            Set - https://tc39.github.io/ecma262/#sec-set-constructor
            WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
            WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
            ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
            DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
            Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
            Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor

        This patch does the following:
        1. Ensures that these constructors can be called but will throw a TypeError
           when called.
        2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
           in their implementation to be consistent.
        3. Changes the error message to "calling XXX constructor without new is invalid".
           This is clearer because the error is likely due to the user forgetting to use
           the new operator on these constructors.

        * runtime/Error.h:
        * runtime/Error.cpp:
        (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
        - Added a convenience function to throw the TypeError.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        (JSC::callArrayBuffer):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::callGenericTypedArrayView):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::callPromise):
        * runtime/MapConstructor.cpp:
        (JSC::callMap):
        * runtime/ProxyConstructor.cpp:
        (JSC::callProxy):
        (JSC::ProxyConstructor::getCallData):
        * runtime/SetConstructor.cpp:
        (JSC::callSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::callWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::callWeakSet):

        * tests/es6.yaml:
        - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.

        * tests/stress/call-non-calleable-constructors-as-function.js: Added.
        (test):

        * tests/stress/map-constructor.js:
        (testCallTypeError):
        * tests/stress/promise-cannot-be-called.js:
        (shouldThrow):
        * tests/stress/proxy-basic.js:
        * tests/stress/set-constructor.js:
        * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
        (i.catch):
        * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
        (i.catch):
        * tests/stress/throw-from-ftl-call-ic-slow-path.js:
        (i.catch):
        * tests/stress/weak-map-constructor.js:
        (testCallTypeError):
        * tests/stress/weak-set-constructor.js:
        - Updated error message string.

2016-02-23  Alexey Proskuryakov  <ap@apple.com>

        ASan build fix.

        Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.

        * inspector/InspectorBackendDispatcher.h:

2016-02-23  Brian Burg  <bburg@apple.com>

        Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
        https://bugs.webkit.org/show_bug.cgi?id=154518
        <rdar://problem/24761096>

        Reviewed by Timothy Hatcher.

        * inspector/InspectorBackendDispatcher.h:
        Export all the classes since they are used by WebKit::WebAutomationSession.

2016-02-22  Brian Burg  <bburg@apple.com>

        Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=154509
        <rdar://problem/24759098>

        Reviewed by Timothy Hatcher.

        Add a new 'WebKit' framework, which is used to generate protocol code
        in WebKit2.

        Add --backend and --frontend flags to the main generator script.
        These allow a framework to trigger two different sets of generators
        so they can be separately generated and compiled.

        * inspector/scripts/codegen/models.py:
        (Framework.fromString):
        (Frameworks): Add new framework.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        If neither --backend nor --frontend is specified, assume both are wanted.
        This matches the behavior for JavaScriptCore and WebInspector frameworks.

        (generate_from_specification):
        Generate C++ files for the backend and Objective-C files for the frontend.

2016-02-22  Saam barati  <sbarati@apple.com>

        JSGlobalObject doesn't visit ProxyObjectStructure during GC
        https://bugs.webkit.org/show_bug.cgi?id=154564

        Rubber stamped by Mark Lam.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):

2016-02-22  Saam barati  <sbarati@apple.com>

        InternalFunction::createSubclassStructure doesn't take into account that get() might throw
        https://bugs.webkit.org/show_bug.cgi?id=154548

        Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.

        InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
        an exception. Neither the function nor the call sites of the function took this into
        account. This patch audits the call sites of the function to make it work in
        the event that an exception is thrown.

        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/RegExpConstructor.cpp:
        (JSC::getRegExpStructure):
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        (JSC::StringConstructor::getConstructData):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tests/stress/create-subclass-structure-might-throw.js: Added.
        (assert):

2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>

        Fix build and implement functions to retrieve registers on FreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=152258

        Reviewed by Michael Catanzaro.

        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        struct ucontext is not specified in POSIX and it is not available on
        FreeBSD. Replacing it with ucontext_t fixes the build problem.
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::Registers::llintPC):
        * heap/MachineStackMarker.h:

2016-02-22  Saam barati  <sbarati@apple.com>

        JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
        https://bugs.webkit.org/show_bug.cgi?id=154552

        Reviewed by Mark Lam.

        ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
        They return false on a Proxy with internal [[Call]] and [[Construct]]
        properties. It seems safest, most forward looking, and most adherent
        to the specification to check getCallData() and getConstructData() to
        implement these functions.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        (JSC::JSValue::isConstructor):

2016-02-22  Keith Miller  <keith_miller@apple.com>

        Bound functions should use the prototype of the function being bound
        https://bugs.webkit.org/show_bug.cgi?id=154195

        Reviewed by Geoffrey Garen.

        Per ES6, the result of Function.prototype.bind should have the same
        prototype as the function being bound. In order to avoid creating
        a new structure each time a function is bound we store the new
        structure in our structure map. However, we cannot currently store
        structures that have a different GlobalObject than their prototype.
        In the rare case that the GlobalObject differs or the prototype of
        the bindee is null we create a new structure each time. To further
        minimize new structures, as well as making structure lookup faster,
        we also store the structure in the RareData of the function we
        are binding.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::visitChildren):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::getBoundFunctionStructure):
        (JSC::FunctionRareData::setBoundFunctionStructure):
        * runtime/JSBoundFunction.cpp:
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        * tests/es6.yaml:
        * tests/stress/bound-function-uses-prototype.js: Added.
        (testChangeProto.foo):
        (testChangeProto):
        (testBuiltins):
        * tests/stress/class-subclassing-function.js:

2016-02-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix stress test to not print on success.

        * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
        (catch): Deleted.

2016-02-22  Keith Miller  <keith_miller@apple.com>

        Use Symbol.species in the builtin TypedArray.prototype functions
        https://bugs.webkit.org/show_bug.cgi?id=153384

        Reviewed by Geoffrey Garen.

        This patch adds the use of species constructors to the TypedArray.prototype map and filter
        functions. It also adds a new private function typedArrayGetOriginalConstructor that
        returns the TypedArray constructor used to originally create a TypedArray instance.

        There are no ES6 tests to update for this patch as species creation for these functions is
        not tested in the compatibility table.

        * builtins/TypedArrayPrototype.js:
        (map):
        (filter):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::typedArrayConstructor):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
        * runtime/JSTypedArrayViewPrototype.h:
        * tests/stress/typedarray-filter.js:
        (subclasses.typedArrays.map):
        (prototype.accept):
        (testSpecies):
        (accept):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
        * tests/stress/typedarray-map.js:
        (subclasses.typedArrays.map):
        (prototype.id):
        (testSpecies):
        (id):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):

2016-02-22  Keith Miller  <keith_miller@apple.com>

        Builtins that should not rely on iteration do.
        https://bugs.webkit.org/show_bug.cgi?id=154475

        Reviewed by Geoffrey Garen.

        When changing the behavior of varargs calls to use ES6 iterators the
        call builtin function's use of a varargs call was overlooked. The use
        of iterators is observable outside the scope of the call function,
        thus it must be reimplemented.

        * builtins/FunctionPrototype.js:
        (call):
        * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
        (test):
        (addAll):
        (catch):

2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>

        [JSC shell] Don't put empty arguments array to VM.
        https://bugs.webkit.org/show_bug.cgi?id=154516

        Reviewed by Geoffrey Garen.

        This allows arrowfunction-lexical-bind-arguments-top-level test to pass
        in jsc as well as in browser.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>

        [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
        https://bugs.webkit.org/show_bug.cgi?id=154450

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2016-02-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196891.
        https://bugs.webkit.org/show_bug.cgi?id=154539

        It broke Production builds (Requested by brrian on #webkit).

        Reverted changeset:

        "Web Inspector: add 'Automation' protocol domain and generate
        its backend classes separately in WebKit2"
        https://bugs.webkit.org/show_bug.cgi?id=154509
        http://trac.webkit.org/changeset/196891

2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        CodeBlock always visits its unlinked code twice
        https://bugs.webkit.org/show_bug.cgi?id=154494

        Reviewed by Saam Barati.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitChildren):
        The unlinked code is always visited in stronglyVisitStrongReferences.

2016-02-21  Brian Burg  <bburg@apple.com>

        Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=154509
        <rdar://problem/24759098>

        Reviewed by Timothy Hatcher.

        Add a new 'WebKit' framework, which is used to generate protocol code
        in WebKit2.

        Add --backend and --frontend flags to the main generator script.
        These allow a framework to trigger two different sets of generators
        so they can be separately generated and compiled.

        * inspector/scripts/codegen/models.py:
        (Framework.fromString):
        (Frameworks): Add new framework.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        If neither --backend nor --frontend is specified, assume both are wanted.
        This matches the behavior for JavaScriptCore and WebInspector frameworks.

        (generate_from_specification):
        Generate C++ files for the backend and Objective-C files for the frontend.

2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Improvements to Intl code
        https://bugs.webkit.org/show_bug.cgi?id=154486

        Reviewed by Darin Adler.

        This patch does several things:
        - Use std::unique_ptr to store ICU objects.
        - Pass Vector::size() to ICU functions that take a buffer size instead
          of Vector::capacity().
        - If U_SUCCESS(status) is true, it means there is no error, but there
          could be warnings. ICU functions ignore warnings. So, there is no need
          to reset status to U_ZERO_ERROR.
        - Remove the initialization of the String instance variables of
          IntlDateTimeFormat. These values are never read and cause unnecessary
          memory allocation.
        - Fix coding style.
        - Some small optimization.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::UCollatorDeleter::operator()):
        (JSC::IntlCollator::createCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::~IntlCollator): Deleted.
        * runtime/IntlCollator.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
        (JSC::localeData): Deleted.
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlObject.cpp:
        (JSC::numberingSystemsForLocale):

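The first three bullets of the Intl entry above (owning a C-library handle through std::unique_ptr with a dedicated deleter, passing size() rather than capacity() as the buffer length, and treating a warning status as success) on one stand-alone example. This is added illustration, not WebKit or ICU code: `FakeHandle`, `fake_open`/`fake_close`/`fake_fill` and `FakeStatus` are a constructed stand-in for a C API; its status convention is modelled on ICU's UErrorCode (zero is no error, negative codes are warnings, positive codes are errors, success means status <= 0) and the pre-flight/retry behaviour of `fake_fill` mimics the buffer-sizing pattern such libraries use.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <vector>

// --- Constructed stand-in for a C-style library (not ICU itself) ---
// Status convention modelled on UErrorCode: 0 = no error, negative = warning,
// positive = error; "success" is status <= 0, so a warning still counts as success.
enum FakeStatus { FAKE_ZERO_ERROR = 0, FAKE_FALLBACK_WARNING = -1, FAKE_BUFFER_OVERFLOW_ERROR = 1 };
static bool fakeSuccess(FakeStatus status) { return status <= FAKE_ZERO_ERROR; }

struct FakeHandle { int id; };
static int g_openHandles = 0;   // instrumentation: handles opened but not yet closed

static FakeHandle* fake_open() { ++g_openHandles; return new FakeHandle{g_openHandles}; }
static void fake_close(FakeHandle* handle) { --g_openHandles; delete handle; }

// Writes up to destCapacity bytes into dest. If the result does not fit, reports
// the length needed and sets an overflow error (the pre-flighting convention);
// otherwise fills the buffer and leaves a warning, which is still a success.
static int fake_fill(FakeHandle*, char* dest, int destCapacity, FakeStatus* status) {
    const int needed = 12;
    if (needed > destCapacity) { *status = FAKE_BUFFER_OVERFLOW_ERROR; return needed; }
    std::memset(dest, 'x', needed);
    *status = FAKE_FALLBACK_WARNING;
    return needed;
}

// --- Owning the handle with unique_ptr and a dedicated deleter ---
struct FakeHandleDeleter { void operator()(FakeHandle* handle) const { fake_close(handle); } };
using FakeHandlePtr = std::unique_ptr<FakeHandle, FakeHandleDeleter>;

// Returns how many handles are still open once the scope ends: 0 if the deleter ran.
int handlesLeakedAfterScope() {
    g_openHandles = 0;
    {
        FakeHandlePtr handle(fake_open());
        // ... handle.get() would be passed to the library here ...
    }
    return g_openHandles;
}

// Pass the number of live elements (size()) as the writable length, never
// capacity(): reserved storage beyond size() holds no constructed elements.
// Returns the number of bytes produced, or -1 on error.
int fillWithSizeNotCapacity(std::vector<char>& buffer) {
    FakeHandlePtr handle(fake_open());
    FakeStatus status = FAKE_ZERO_ERROR;
    int length = fake_fill(handle.get(), buffer.data(), static_cast<int>(buffer.size()), &status);
    if (status == FAKE_BUFFER_OVERFLOW_ERROR) {
        // Pre-flight pattern: grow to the reported length and call again.
        buffer.resize(length);
        status = FAKE_ZERO_ERROR;
        length = fake_fill(handle.get(), buffer.data(), static_cast<int>(buffer.size()), &status);
    }
    // A warning leaves fakeSuccess() true, so status is not reset to zero here.
    return fakeSuccess(status) ? length : -1;
}
```

Had `buffer.capacity()` been passed instead, a vector of size 4 with 64 bytes reserved would let the library write 12 bytes past the live elements without any overflow being reported, which is exactly the silent out-of-bounds write the size()/capacity() bullet is about.
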
617 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
618
619         Remove arrowfunction test cases that rely on arguments variable in jsc
620         https://bugs.webkit.org/show_bug.cgi?id=154517
621
622         Reviewed by Yusuke Suzuki.
623
624         Allow to jsc has the same behavior in javascript as browser has
625
626         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
627         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
628
629 2016-02-21  Brian Burg  <bburg@apple.com>
630
631         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
632         https://bugs.webkit.org/show_bug.cgi?id=154508
633         <rdar://problem/24759077>
634
635         Reviewed by Timothy Hatcher.
636
637         In preparation for being able to generate protocol files for WebKit2,
638         make it possible to not emit generated code that's guarded by
639         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
640         backend dispatchers generated outside of JavaScriptCore. We can't just
641         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
642         in the configurations where the code is actually used.
643
644         Add a new opt-in Framework configuration option that turns on generating
645         this code. Adjust how the code is generated so that it can be easily excluded.
646
647         * inspector/scripts/codegen/cpp_generator_templates.py:
648         Make a separate template for the declarations that are guarded.
649         Add an initializer expression so the order of initializers doesn't matter.
650
651         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
652         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
653         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
654         If the declarations are needed, they will be appended to the end of the
655         declarations list.
656
657         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
658         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
659         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
660
661         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
662         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
663
664         Rebaseline affected tests.
665
666         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
667         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
668         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
669         * inspector/scripts/tests/expected/enum-values.json-result:
670         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
671
672 2016-02-21  Brian Burg  <bburg@apple.com>
673
674         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
675         https://bugs.webkit.org/show_bug.cgi?id=154505
676         <rdar://problem/24758042>
677
678         Reviewed by Timothy Hatcher.
679
680         It should be possible to generate code for a framework using some generators
681         that other frameworks also use. Right now the generator selection code assumes
682         that use of a generator is mutually exclusive among non-test frameworks.
683
684         Make this code explicitly switch on the framework. Reorder generators
685         alphabetically within each case.
686
687         * inspector/scripts/generate-inspector-protocol-bindings.py:
688         (generate_from_specification):
689
690         Rebaseline tests that are affected by generator reorderings.
691
692         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
693         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
694         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
695         * inspector/scripts/tests/expected/enum-values.json-result:
696         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
697         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
698         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
699         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
700         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
701         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
702         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
703         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
704         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
705
706 2016-02-19  Saam Barati  <sbarati@apple.com>
707
708         [ES6] Implement Proxy.[[Construct]]
709         https://bugs.webkit.org/show_bug.cgi?id=154440
710
711         Reviewed by Oliver Hunt.
712
713         This patch is mostly an implementation of
714         Proxy.[[Construct]] with respect to section 9.5.13
715         of the ECMAScript spec.
716         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
717
718         This patch also changes op_create_this to accept new.target values
719         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
720         because we might construct a JSFunction with a new.target being
721         a Proxy. This will also be needed when we implement Reflect.construct.
722
723         * dfg/DFGOperations.cpp:
724         * dfg/DFGSpeculativeJIT32_64.cpp:
725         (JSC::DFG::SpeculativeJIT::compile):
726         * dfg/DFGSpeculativeJIT64.cpp:
727         (JSC::DFG::SpeculativeJIT::compile):
728         * jit/JITOpcodes.cpp:
729         (JSC::JIT::emit_op_create_this):
730         (JSC::JIT::emitSlow_op_create_this):
731         * jit/JITOpcodes32_64.cpp:
732         (JSC::JIT::emit_op_create_this):
733         (JSC::JIT::emitSlow_op_create_this):
734         * llint/LLIntData.cpp:
735         (JSC::LLInt::Data::performAssertions):
736         * llint/LowLevelInterpreter.asm:
737         * llint/LowLevelInterpreter32_64.asm:
738         * llint/LowLevelInterpreter64.asm:
739         * runtime/CommonSlowPaths.cpp:
740         (JSC::SLOW_PATH_DECL):
741         * runtime/ProxyObject.cpp:
742         (JSC::ProxyObject::finishCreation):
743         (JSC::ProxyObject::visitChildren):
744         (JSC::performProxyConstruct):
745         (JSC::ProxyObject::getConstructData):
746         * runtime/ProxyObject.h:
747         * tests/es6.yaml:
748         * tests/stress/proxy-construct.js: Added.
749         (assert):
750         (throw.new.Error.let.target):
751         (throw.new.Error):
752         (assert.let.target):
753         (assert.let.handler.get construct):
754         (let.target):
755         (let.handler.construct):
756         (i.catch):
757         (assert.let.handler.construct):
758         (assert.let.construct):
759         (assert.else.assert.let.target):
760         (assert.else.assert.let.construct):
761         (assert.else.assert):
762         (new.proxy.let.target):
763         (new.proxy.let.construct):
764         (new.proxy):
765
766 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
767
768         [INTL] Implement Number Format Functions
769         https://bugs.webkit.org/show_bug.cgi?id=147605
770
771         Reviewed by Darin Adler.
772
773         This patch implements Intl.NumberFormat.prototype.format() according
774         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
775
776         * runtime/IntlNumberFormat.cpp:
777         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
778         (JSC::IntlNumberFormat::initializeNumberFormat):
779         (JSC::IntlNumberFormat::createNumberFormat):
780         (JSC::IntlNumberFormat::formatNumber):
781         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
782         * runtime/IntlNumberFormat.h:
783         * runtime/IntlNumberFormatPrototype.cpp:
784         (JSC::IntlNumberFormatFuncFormatNumber):
785
786 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
787
788         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
789         https://bugs.webkit.org/show_bug.cgi?id=154416
790
791         Reviewed by Geoff Garen.
792
793         Here's the bug. Suppose you call JSObject::getOwnProperty and -
794           - PropertyName contains an index,
795           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
796           - The base of the access (or another object on the prototype chain) shadows that property.
797
798         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
799         index, and as such walks up the prototype chain looking for non-index properties before it
800         tries calling parseIndex.
801
802         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
803         would potentially return the property) we may have already skipped over non-overriding
804         objects that contain the property in index storage.
805
806         * runtime/JSObject.h:
807         (JSC::JSObject::getOwnNonIndexPropertySlot):
808             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
809               added ASSERT guarding that this method never returns index properties -
810               if it ever does, this is unsafe for getPropertySlot.
811         (JSC::JSObject::getOwnPropertySlot):
812             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
813         (JSC::JSObject::getPropertySlot):
814             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
815         (JSC::JSObject::getNonIndexPropertySlot):
816             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
817               in order to avoid repeated calls to parseIndex.
818         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
819             - this was renamed to getOwnNonIndexPropertySlot.
820         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
821             - this was folded back into getPropertySlot.
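
A simplified model of the lookup ordering described in the entry above, added here as an illustration and not JSC's own code (Object, parseIndex, getPropertySlotBefore, getPropertySlotAfter and lookupShadowedIndex are names constructed for this example). It shows a prototype whose overridden getOwnPropertySlot answers for an index that the base's own index storage should have shadowed, and the check-for-index-on-override that restores the correct order.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <optional>
#include <string>

// Constructed model, not JSC's JSObject. Each object keeps non-index ("named")
// and index storage apart, as JSC does; an object whose getOwnPropertySlot is
// overridden answers through an opaque callback that may recognise any name.
struct Object {
    std::map<std::string, int> named;
    std::map<uint32_t, int> indexed;
    const Object* prototype = nullptr;
    std::function<std::optional<int>(const std::string&)> overriddenGetOwn;
};

// An array index: canonical decimal, no leading zero, below 2^32 - 1.
static std::optional<uint32_t> parseIndex(const std::string& name) {
    if (name.empty() || name.size() > 10 || (name.size() > 1 && name[0] == '0'))
        return std::nullopt;
    uint64_t v = 0;
    for (char c : name) {
        if (c < '0' || c > '9') return std::nullopt;
        v = v * 10 + static_cast<uint64_t>(c - '0');
    }
    if (v >= 0xFFFFFFFFull) return std::nullopt;
    return static_cast<uint32_t>(v);
}

// Complete own lookup: the override if there is one, otherwise the right storage.
static std::optional<int> getOwnPropertySlot(const Object* o, const std::string& name) {
    if (o->overriddenGetOwn) return o->overriddenGetOwn(name);
    if (auto index = parseIndex(name)) {
        auto it = o->indexed.find(*index);
        if (it != o->indexed.end()) return it->second;
        return std::nullopt;
    }
    auto it = o->named.find(name);
    if (it != o->named.end()) return it->second;
    return std::nullopt;
}

// Non-index own lookup only, as the fast path uses for ordinary objects.
static std::optional<int> getOwnNonIndexPropertySlot(const Object* o, const std::string& name) {
    auto it = o->named.find(name);
    if (it != o->named.end()) return it->second;
    return std::nullopt;
}

// Index storage walked from the base upwards.
static std::optional<int> findInIndexStorage(const Object* base, uint32_t index) {
    for (const Object* o = base; o; o = o->prototype) {
        auto it = o->indexed.find(index);
        if (it != o->indexed.end()) return it->second;
    }
    return std::nullopt;
}

// Before the fix: walk the chain looking only at non-index storage, calling
// overrides as they are met, and only afterwards consider that the name may be
// an index. The override can answer for an index before the index storage of
// objects already walked past is ever consulted.
static std::optional<int> getPropertySlotBefore(const Object* base, const std::string& name) {
    for (const Object* o = base; o; o = o->prototype) {
        if (o->overriddenGetOwn) {
            if (auto v = o->overriddenGetOwn(name)) return v;
        } else if (auto v = getOwnNonIndexPropertySlot(o, name)) {
            return v;
        }
    }
    if (auto index = parseIndex(name)) return findInIndexStorage(base, *index);
    return std::nullopt;
}

// After the fix: on meeting an overriding object, first check whether the name
// is an index; if it is, restart from the base with the complete own lookup so
// that index storage closer to the base shadows the override.
static std::optional<int> getPropertySlotAfter(const Object* base, const std::string& name) {
    for (const Object* o = base; o; o = o->prototype) {
        if (o->overriddenGetOwn) {
            if (parseIndex(name)) {
                for (const Object* p = base; p; p = p->prototype)
                    if (auto v = getOwnPropertySlot(p, name)) return v;
                return std::nullopt;
            }
            if (auto v = o->overriddenGetOwn(name)) return v;
        } else if (auto v = getOwnNonIndexPropertySlot(o, name)) {
            return v;
        }
    }
    if (auto index = parseIndex(name)) return findInIndexStorage(base, *index);
    return std::nullopt;
}

// Constructed scenario: the base holds index 0 in its own index storage while its
// prototype overrides getOwnPropertySlot and also claims "0". Returns the value
// found, or -1 when nothing is found.
static int lookupShadowedIndex(bool afterFix) {
    Object proto;
    proto.overriddenGetOwn = [](const std::string& n) -> std::optional<int> {
        if (n == "0") return 42;
        return std::nullopt;
    };
    Object base;
    base.indexed[0] = 7;
    base.prototype = &proto;
    auto v = afterFix ? getPropertySlotAfter(&base, "0") : getPropertySlotBefore(&base, "0");
    return v ? *v : -1;
}
```

lookupShadowedIndex(false) returns the prototype's 42 from the pre-fix walk; lookupShadowedIndex(true) returns the base's own 7, which is what shadowing requires.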
822
823 2016-02-19  Saam Barati  <sbarati@apple.com>
824
825         [ES6] Implement Proxy.[[Call]]
826         https://bugs.webkit.org/show_bug.cgi?id=154425
827
828         Reviewed by Mark Lam.
829
830         This patch is a straightforward implementation of
831         Proxy.[[Call]] with respect to section 9.5.12
832         of the ECMAScript spec.
833         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
834
835         * runtime/ProxyObject.cpp:
836         (JSC::ProxyObject::finishCreation):
837         (JSC::performProxyGet):
838         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
839         (JSC::ProxyObject::performHasProperty):
840         (JSC::ProxyObject::getOwnPropertySlotByIndex):
841         (JSC::performProxyCall):
842         (JSC::ProxyObject::getCallData):
843         (JSC::ProxyObject::visitChildren):
844         * runtime/ProxyObject.h:
845         (JSC::ProxyObject::create):
846         * tests/es6.yaml:
847         * tests/stress/proxy-call.js: Added.
848         (assert):
849         (throw.new.Error.let.target):
850         (throw.new.Error.let.handler.apply):
851         (throw.new.Error):
852         (assert.let.target):
853         (assert.let.handler.get apply):
854         (let.target):
855         (let.handler.apply):
856         (i.catch):
857         (assert.let.handler.apply):
858
859 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
860
861         Remove more LLVM related dead code after r196729
862         https://bugs.webkit.org/show_bug.cgi?id=154387
863
864         Reviewed by Filip Pizlo.
865
866         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
867         * Configurations/LLVMForJSC.xcconfig: Removed.
868         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
869         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
870         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
871         * JavaScriptCore.xcodeproj/project.pbxproj:
872         * disassembler/X86Disassembler.cpp:
873
874 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
875
876         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
877         https://bugs.webkit.org/show_bug.cgi?id=154442
878
879         Reviewed by Saam Barati.
880
881         * runtime/JSString.h:
882         (JSC::isJSString):
883
884 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
885
886         Remove unused SymbolTable::createNameScopeTable
887         https://bugs.webkit.org/show_bug.cgi?id=154443
888
889         Reviewed by Saam Barati.
890
891         * runtime/SymbolTable.h:
892
893 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
894
895         [JSC] Improve the instruction selection of Select
896         https://bugs.webkit.org/show_bug.cgi?id=154432
897
898         Reviewed by Filip Pizlo.
899
900         Plenty of code but this patch is pretty dumb:
901         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
902          to be aliased to the destination. This gives more freedom to the register
903          allocator and it is one less Move to process per Select.
904         -On x86, introduce a fake 3-operand form and use aggressive aliasing
905          to try to alias both sources to the destination.
906
907          If aliasing succeeds on the "elseCase", the condition of the Select
908          is reverted in the MacroAssembler.
909
910          If no aliasing is possible and we end up with 3 registers, the missing
911          move instruction is generated by the MacroAssembler.
912
913          The missing move is generated after testing the values because the destination
914          can use the same register as one of the test operands.
915          Experimental testing seems to indicate there is no macro-fusion on CMOV, so
916          there is no measurable cost to having the move there.
917
918         * assembler/MacroAssembler.h:
919         (JSC::MacroAssembler::isInvertible):
920         (JSC::MacroAssembler::invert):
921         * assembler/MacroAssemblerARM64.h:
922         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
923         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
924         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
925         (JSC::MacroAssemblerARM64::moveConditionally32):
926         (JSC::MacroAssemblerARM64::moveConditionally64):
927         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
928         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
929         * assembler/MacroAssemblerX86Common.h:
930         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
931         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
932         (JSC::MacroAssemblerX86Common::moveConditionally32):
933         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
934         (JSC::MacroAssemblerX86Common::invert):
935         (JSC::MacroAssemblerX86Common::isInvertible):
936         * assembler/MacroAssemblerX86_64.h:
937         (JSC::MacroAssemblerX86_64::moveConditionally64):
938         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
939         * b3/B3LowerToAir.cpp:
940         (JSC::B3::Air::LowerToAir::createSelect):
941         (JSC::B3::Air::LowerToAir::lower):
942         * b3/air/AirInstInlines.h:
943         (JSC::B3::Air::Inst::shouldTryAliasingDef):
944         * b3/air/AirOpcode.opcodes:
945
946 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
947
948         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
949         https://bugs.webkit.org/show_bug.cgi?id=154430
950
951         Reviewed by Saam Barati.
952
953         llvm isn't used anymore.
954
955         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
956
957 2016-02-18  Saam Barati  <sbarati@apple.com>
958
959         Implement Proxy.[[HasProperty]]
960         https://bugs.webkit.org/show_bug.cgi?id=154313
961
962         Reviewed by Filip Pizlo.
963
964         This patch is a straightforward implementation of
965         Proxy.[[HasProperty]] with respect to section 9.5.7
966         of the ECMAScript spec.
967         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
968
969         * runtime/ProxyObject.cpp:
970         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
971         (JSC::ProxyObject::performHasProperty):
972         (JSC::ProxyObject::getOwnPropertySlotCommon):
973         * runtime/ProxyObject.h:
974         * tests/es6.yaml:
975         * tests/stress/proxy-basic.js:
976         (assert):
977         (let.handler.has):
978         * tests/stress/proxy-has-property.js: Added.
979         (assert):
980         (throw.new.Error.let.handler.get has):
981         (throw.new.Error):
982         (assert.let.handler.has):
983         (let.handler.has):
984         (getOwnPropertyDescriptor):
985         (i.catch):
986
987 2016-02-18  Saam Barati  <sbarati@apple.com>
988
989         Proxies don't properly handle Symbols as PropertyKeys.
990         https://bugs.webkit.org/show_bug.cgi?id=154385
991
992         Reviewed by Mark Lam and Yusuke Suzuki.
993
994         We were converting all PropertyKeys to strings, even when
995         the PropertyName was a Symbol. In the spec, PropertyKeys are
996         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
997         Proxy.[[GetOwnProperty]].
998
999         * runtime/Completion.cpp:
1000         (JSC::profiledEvaluate):
1001         (JSC::createSymbolForEntryPointModule):
1002         (JSC::identifierToJSValue): Deleted.
1003         * runtime/Identifier.h:
1004         (JSC::parseIndex):
1005         * runtime/IdentifierInlines.h:
1006         (JSC::Identifier::fromString):
1007         (JSC::identifierToJSValue):
1008         (JSC::identifierToSafePublicJSValue):
1009         * runtime/ProxyObject.cpp:
1010         (JSC::performProxyGet):
1011         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1012         * tests/es6.yaml:
1013         * tests/stress/proxy-basic.js:
1014         (let.handler.getOwnPropertyDescriptor):
1015
1016 2016-02-18  Saam Barati  <sbarati@apple.com>
1017
1018         Follow up fix to Implement Proxy.[[GetOwnProperty]]
1019         https://bugs.webkit.org/show_bug.cgi?id=154314
1020
1021         Reviewed by Filip Pizlo.
1022
1023         Part of the implementation was broken because
1024         of how JSObject::getOwnPropertyDescriptor worked.
1025         I've fixed JSObject::getOwnPropertyDescriptor to
1026         be able to handle ProxyObject.
1027
1028         * runtime/JSObject.cpp:
1029         (JSC::JSObject::getOwnPropertyDescriptor):
1030         * runtime/ProxyObject.cpp:
1031         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1032         * tests/stress/proxy-get-own-property.js:
1033         (assert):
1034         (assert.let.handler.get getOwnPropertyDescriptor):
1035
1036 2016-02-18  Saam Barati  <sbarati@apple.com>
1037
1038         Implement Proxy.[[GetOwnProperty]]
1039         https://bugs.webkit.org/show_bug.cgi?id=154314
1040
1041         Reviewed by Filip Pizlo.
1042
1043         This patch implements Proxy.[[GetOwnProperty]].
1044         It's a straightforward implementation as described
1045         in section 9.5.5 of the specification:
1046         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1047
1048         * runtime/FunctionPrototype.cpp:
1049         (JSC::functionProtoFuncBind):
1050         * runtime/JSObject.cpp:
1051         (JSC::validateAndApplyPropertyDescriptor):
1052         (JSC::JSObject::defineOwnNonIndexProperty):
1053         (JSC::JSObject::defineOwnProperty):
1054         (JSC::JSObject::getGenericPropertyNames):
1055         (JSC::JSObject::getMethod):
1056         * runtime/JSObject.h:
1057         (JSC::JSObject::butterflyAddress):
1058         (JSC::makeIdentifier):
1059         * runtime/ProxyObject.cpp:
1060         (JSC::performProxyGet):
1061         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1062         (JSC::ProxyObject::getOwnPropertySlotCommon):
1063         (JSC::ProxyObject::getOwnPropertySlot):
1064         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1065         (JSC::ProxyObject::visitChildren):
1066         * runtime/ProxyObject.h:
1067         * tests/es6.yaml:
1068         * tests/stress/proxy-basic.js:
1069         (let.handler.get null):
1070         * tests/stress/proxy-get-own-property.js: Added.
1071         (assert):
1072         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
1073         (throw.new.Error):
1074         (let.handler.getOwnPropertyDescriptor):
1075         (i.catch):
1076         (assert.let.handler.getOwnPropertyDescriptor):
1077
1078 2016-02-18  Andreas Kling  <akling@apple.com>
1079
1080         JSString resolution of substrings should use StringImpl sharing optimization.
1081         <https://webkit.org/b/154068>
1082         <rdar://problem/24629358>
1083
1084         Reviewed by Antti Koivisto.
1085
1086         When resolving a JSString that's actually a substring of another JSString,
1087         use the StringImpl sharing optimization to create a new string pointing into
1088         the parent one, instead of copying out the bytes of the string.
1089
1090         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
1091
1092         Another approach to this would be to induce GC far more frequently due to
1093         the added cost of copying out these substrings. It would reduce the risk
1094         of prolonging the life of strings only kept alive by substrings.
1095
1096         This patch chooses to trade that risk for less GC and lower peak memory.
1097
1098         * runtime/JSString.cpp:
1099         (JSC::JSRopeString::resolveRope):
1100
1101 2016-02-18  Chris Dumez  <cdumez@apple.com>
1102
1103         Crash on SES selftest page when loading the page while WebInspector is open
1104         https://bugs.webkit.org/show_bug.cgi?id=154378
1105         <rdar://problem/24713422>
1106
1107         Reviewed by Mark Lam.
1108
1109         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
1110         returns early again if it detects that getOwnPropertySlot() returns a
1111         non-own property. This check was removed in r196676 because we assumed that
1112         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
1113         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
1114         well.
1115
1116         Not having the check would lead to crashes when using the debugger because
1117         we would get a slot with the CustomAccessor attribute but getDirect() would
1118         then fail to return the property (because it is not an own property). We
1119         would then cast the value returned by getDirect() to a CustomGetterSetter*
1120         and dereference it.
1121
1122         * runtime/JSObject.cpp:
1123         (JSC::JSObject::getOwnPropertyDescriptor):
1124
1125 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
1126
1127         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
1128         for that.
1129
1130         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1131         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1132
1133 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
1134
1135         Unreviewed, fix CMake build. This got messed up when rebasing.
1136
1137         * CMakeLists.txt:
1138
1139 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1140
1141         Fix the !ENABLE(DFG_JIT) build after r195865
1142         https://bugs.webkit.org/show_bug.cgi?id=154391
1143
1144         Reviewed by Filip Pizlo.
1145
1146         * runtime/SamplingProfiler.cpp:
1147         (JSC::tryGetBytecodeIndex):
1148
1149 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
1150
1151         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
1152         https://bugs.webkit.org/show_bug.cgi?id=154383
1153
1154         Reviewed by Saam Barati.
1155
1156         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
1157
1158         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
1159           backend".
1160
1161         - Removed the reference because I found it to be dead. In some cases it was a dead
1162           comment: it was telling us things about what LLVM did and that's just not relevant
1163           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
1164
1165         - Edited the comment in some smart way. There were comments talking about what LLVM did
1166           that were still of interest. In some cases, I added a FIXME to consider changing the
1167           code below the comment on the grounds that it was written in a weird way to placate
1168           LLVM and so we can do it better now.
1169
1170         * CMakeLists.txt:
1171         * JavaScriptCore.xcodeproj/project.pbxproj:
1172         * dfg/DFGArgumentsEliminationPhase.cpp:
1173         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1174         * dfg/DFGPlan.cpp:
1175         (JSC::DFG::Plan::compileInThread):
1176         (JSC::DFG::Plan::compileInThreadImpl):
1177         (JSC::DFG::Plan::compileTimeStats):
1178         * dfg/DFGPutStackSinkingPhase.cpp:
1179         * dfg/DFGSSAConversionPhase.h:
1180         * dfg/DFGStaticExecutionCountEstimationPhase.h:
1181         * dfg/DFGUnificationPhase.cpp:
1182         (JSC::DFG::UnificationPhase::run):
1183         * disassembler/ARM64Disassembler.cpp:
1184         (JSC::tryToDisassemble): Deleted.
1185         * disassembler/X86Disassembler.cpp:
1186         (JSC::tryToDisassemble):
1187         * ftl/FTLAbstractHeap.cpp:
1188         (JSC::FTL::IndexedAbstractHeap::initialize):
1189         * ftl/FTLAbstractHeap.h:
1190         * ftl/FTLFormattedValue.h:
1191         * ftl/FTLJITFinalizer.cpp:
1192         (JSC::FTL::JITFinalizer::finalizeFunction):
1193         * ftl/FTLLink.cpp:
1194         (JSC::FTL::link):
1195         * ftl/FTLLocation.cpp:
1196         (JSC::FTL::Location::restoreInto):
1197         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
1198         (JSC::FTL::DFG::ftlUnreachable):
1199         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1200         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
1201         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1202         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1203         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1204         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
1205         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
1206         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1207         (JSC::FTL::lowerDFGToB3):
1208         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
1209         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
1210         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
1211         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
1212         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
1213         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
1214         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
1215         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
1216         (JSC::FTL::lowerDFGToLLVM): Deleted.
1217         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
1218         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
1219         * ftl/FTLLowerDFGToLLVM.h: Removed.
1220         * ftl/FTLOSRExitCompiler.cpp:
1221         (JSC::FTL::compileStub):
1222         * ftl/FTLWeight.h:
1223         (JSC::FTL::Weight::frequencyClass):
1224         (JSC::FTL::Weight::inverse):
1225         (JSC::FTL::Weight::scaleToTotal): Deleted.
1226         * ftl/FTLWeightedTarget.h:
1227         (JSC::FTL::rarely):
1228         (JSC::FTL::unsure):
1229         * jit/CallFrameShuffler64.cpp:
1230         (JSC::CallFrameShuffler::emitDisplace):
1231         * jit/RegisterSet.cpp:
1232         (JSC::RegisterSet::ftlCalleeSaveRegisters):
1233         * llvm: Removed.
1234         * llvm/InitializeLLVMLinux.cpp: Removed.
1235         * llvm/InitializeLLVMWin.cpp: Removed.
1236         * llvm/library: Removed.
1237         * llvm/library/LLVMTrapCallback.h: Removed.
1238         * llvm/library/libllvmForJSC.version: Removed.
1239         * runtime/Options.cpp:
1240         (JSC::recomputeDependentOptions):
1241         (JSC::Options::initialize):
1242         * runtime/Options.h:
1243         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
1244         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
1245         * wasm/WASMFunctionParser.cpp:
1246
1247 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1248
1249         [cmake] Build system cleanup
1250         https://bugs.webkit.org/show_bug.cgi?id=154337
1251
1252         Reviewed by Žan Doberšek.
1253
1254         * CMakeLists.txt:
1255
1256 2016-02-17  Mark Lam  <mark.lam@apple.com>
1257
1258         Callers of JSString::value() should check for exceptions thereafter.
1259         https://bugs.webkit.org/show_bug.cgi?id=154346
1260
1261         Reviewed by Geoffrey Garen.
1262
1263         JSString::value() can throw an exception if the JS string is a rope and value()
1264         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
1265         able to resolve the rope, it will return a null string (in addition to throwing
1266         the exception).  If a caller does not check for exceptions after calling
1267         JSString::value(), they may eventually use the returned null string and crash the
1268         VM.
1269
1270         The fix is to add all the necessary exception checks, and do the appropriate
1271         handling if needed.
1272
1273         * jsc.cpp:
1274         (functionRun):
1275         (functionLoad):
1276         (functionReadFile):
1277         (functionCheckSyntax):
1278         (functionLoadWebAssembly):
1279         (functionLoadModule):
1280         (functionCheckModuleSyntax):
1281         * runtime/DateConstructor.cpp:
1282         (JSC::dateParse):
1283         (JSC::dateNow):
1284         * runtime/JSGlobalObjectFunctions.cpp:
1285         (JSC::globalFuncEval):
1286         * tools/JSDollarVMPrototype.cpp:
1287         (JSC::functionPrint):
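
The failure mode this entry describes, as a constructed C++ model added here and not JSC's code (ExecState, RopeString, wordCountUnchecked, wordCountChecked and runScenario are made up for the example). value() records an exception and returns a null string when the rope cannot be resolved; only the caller that checks for the exception afterwards avoids acting on that string.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed model of the failure mode; none of this is JSC's code. ExecState
// carries the pending exception the way JSC's ExecState does, and memoryBudget
// stands in for the allocator refusing a large rope resolution.
struct ExecState {
    std::optional<std::string> exception;
    size_t memoryBudget;
    bool hadException() const { return exception.has_value(); }
};

// A rope: a string assembled from pieces and flattened only when needed.
struct RopeString {
    std::vector<std::string> pieces;
    std::optional<std::string> flat;   // set once the rope has been resolved

    size_t length() const {
        if (flat) return flat->size();
        size_t n = 0;
        for (const std::string& p : pieces) n += p.size();
        return n;
    }

    // Resolve the rope. On out-of-memory, record the exception on exec and
    // return a null string (modelled as empty), as JSString::value() does.
    std::string value(ExecState& exec) {
        if (!flat) {
            size_t needed = length();
            if (needed > exec.memoryBudget) {
                exec.exception = "OutOfMemoryError";
                return std::string();   // null string: not valid for use
            }
            std::string joined;
            joined.reserve(needed);
            for (const std::string& p : pieces) joined += p;
            exec.memoryBudget -= needed;
            flat = std::move(joined);
        }
        return *flat;
    }
};

static size_t countWords(const std::string& text) {
    size_t words = 0;
    bool inWord = false;
    for (char c : text) {
        bool space = (c == ' ');
        if (!space && !inWord) ++words;
        inWord = !space;
    }
    return words;
}

// Caller without the check: a failed resolution looks like an empty string and
// the caller carries on with a bogus answer. With JSC's real String the null
// string has no backing impl, so the same use would dereference null.
static std::optional<size_t> wordCountUnchecked(ExecState& exec, RopeString& s) {
    std::string text = s.value(exec);
    return countWords(text);
}

// Caller with the check the entry adds: stop as soon as value() has thrown so
// that the exception propagates instead of the null string being used.
static std::optional<size_t> wordCountChecked(ExecState& exec, RopeString& s) {
    std::string text = s.value(exec);
    if (exec.hadException())
        return std::nullopt;
    return countWords(text);
}

struct Outcome {
    bool hadException;
    std::optional<size_t> result;
};

// Constructed scenario: a three-piece rope (17 bytes) resolved under the given budget.
static Outcome runScenario(bool useCheckedCaller, size_t memoryBudget) {
    ExecState exec{std::nullopt, memoryBudget};
    RopeString rope;
    rope.pieces = {"lorem ", "ipsum ", "dolor"};
    std::optional<size_t> r = useCheckedCaller ? wordCountChecked(exec, rope)
                                               : wordCountUnchecked(exec, rope);
    return Outcome{exec.hadException(), r};
}
```

With a sufficient budget both callers return 3 words. With a budget of 4 bytes the unchecked caller reports 0 words while an exception is pending, which is the silent misuse the entry warns about; the checked caller returns no result and lets the exception propagate.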
1288
1289 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
1290
1291         [JSC] ARM64: Support the immediate format used for bit operations in Air
1292         https://bugs.webkit.org/show_bug.cgi?id=154327
1293
1294         Reviewed by Filip Pizlo.
1295
1296         ARM64 supports a pretty rich form of immediates for bit operations.
1297         There are two formats used to encode repeating patterns and common
1298         input in a dense form.
1299
1300         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
1301         Those represent the valid immediate forms for bit operations.
1302         On x86, any 32-bit value is valid. On ARM64, all the encoding
1303         forms are tried and the immediate is used when possible.
1304
1305         The arg type Imm64 is renamed to BigImm to better represent what
1306         it is: an immediate that does not fit into Imm.
1307
1308         * assembler/ARM64Assembler.h:
1309         (JSC::LogicalImmediate::create32): Deleted.
1310         (JSC::LogicalImmediate::create64): Deleted.
1311         (JSC::LogicalImmediate::value): Deleted.
1312         (JSC::LogicalImmediate::isValid): Deleted.
1313         (JSC::LogicalImmediate::is64bit): Deleted.
1314         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
1315         (JSC::LogicalImmediate::mask): Deleted.
1316         (JSC::LogicalImmediate::partialHSB): Deleted.
1317         (JSC::LogicalImmediate::highestSetBit): Deleted.
1318         (JSC::LogicalImmediate::findBitRange): Deleted.
1319         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
1320         * assembler/AssemblerCommon.h:
1321         (JSC::ARM64LogicalImmediate::create32):
1322         (JSC::ARM64LogicalImmediate::create64):
1323         (JSC::ARM64LogicalImmediate::value):
1324         (JSC::ARM64LogicalImmediate::isValid):
1325         (JSC::ARM64LogicalImmediate::is64bit):
1326         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
1327         (JSC::ARM64LogicalImmediate::mask):
1328         (JSC::ARM64LogicalImmediate::partialHSB):
1329         (JSC::ARM64LogicalImmediate::highestSetBit):
1330         (JSC::ARM64LogicalImmediate::findBitRange):
1331         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
1332         * assembler/MacroAssemblerARM64.h:
1333         (JSC::MacroAssemblerARM64::and64):
1334         (JSC::MacroAssemblerARM64::or64):
1335         (JSC::MacroAssemblerARM64::xor64):
1336         * b3/B3LowerToAir.cpp:
1337         (JSC::B3::Air::LowerToAir::bitImm):
1338         (JSC::B3::Air::LowerToAir::bitImm64):
1339         (JSC::B3::Air::LowerToAir::appendBinOp):
1340         * b3/air/AirArg.cpp:
1341         (JSC::B3::Air::Arg::dump):
1342         (WTF::printInternal):
1343         * b3/air/AirArg.h:
1344         (JSC::B3::Air::Arg::bitImm):
1345         (JSC::B3::Air::Arg::bitImm64):
1346         (JSC::B3::Air::Arg::isBitImm):
1347         (JSC::B3::Air::Arg::isBitImm64):
1348         (JSC::B3::Air::Arg::isSomeImm):
1349         (JSC::B3::Air::Arg::value):
1350         (JSC::B3::Air::Arg::isGP):
1351         (JSC::B3::Air::Arg::isFP):
1352         (JSC::B3::Air::Arg::hasType):
1353         (JSC::B3::Air::Arg::isValidBitImmForm):
1354         (JSC::B3::Air::Arg::isValidBitImm64Form):
1355         (JSC::B3::Air::Arg::isValidForm):
1356         (JSC::B3::Air::Arg::asTrustedImm32):
1357         (JSC::B3::Air::Arg::asTrustedImm64):
1358         * b3/air/AirOpcode.opcodes:
1359         * b3/air/opcode_generator.rb:
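
As an added example (not JSC's own ARM64LogicalImmediate code), the check below decides whether a 32-bit constant qualifies as a BitImm32 operand: on x86 every value does, on ARM64 only values with a logical-immediate encoding. The ARM64 rule is assumed from the architecture reference rather than taken from this page: the value must repeat with a period of 2, 4, 8, 16 or 32 bits, and the repeating element must be a single run of ones, possibly wrapping around, that is neither all zeros nor all ones.

```javascript
// Added example, not the JSC implementation: validity check for an Air BitImm32
// operand, i.e. whether a 32-bit constant can be folded into an ARM64 logical
// (and/or/xor) instruction as an immediate. The rule is an assumption taken from
// the ARM architecture reference for logical immediates.

// Rotate a 32-bit value right by r bits (result kept unsigned).
function rotr32(x, r) {
  r &= 31;
  return r === 0 ? x >>> 0 : ((x >>> r) | (x << (32 - r))) >>> 0;
}

// True when y is a non-empty, non-wrapping run of consecutive one bits.
function isContiguousRun(y) {
  if (y === 0) return false;
  const lowest = (y & -y) >>> 0;  // lowest set bit
  const t = y + lowest;           // adding it clears the run iff the ones are contiguous,
  return (t & (t - 1)) === 0;     // leaving zero or a single higher bit (a power of two)
}

// True when `value` is encodable as an ARM64 logical immediate.
function isLogicalImmediate32(value) {
  const x = value >>> 0;
  if (x === 0 || x === 0xFFFFFFFF) return false;   // neither all-zeros nor all-ones encode
  for (const size of [2, 4, 8, 16, 32]) {
    if (rotr32(x, size) !== x) continue;            // x must repeat with this period
    const mask = size === 32 ? 0xFFFFFFFF : (1 << size) - 1;
    const elem = (x & mask) >>> 0;                  // the repeating element
    if (elem === 0 || elem === mask) continue;
    // A rotated run of ones means either the ones or the zeros are contiguous.
    if (isContiguousRun(elem) || isContiguousRun((elem ^ mask) >>> 0)) return true;
  }
  return false;
}

// The BitImm32 rule the entry describes: any 32-bit value on x86, only
// encodable logical immediates on ARM64. `arch` is a constructed parameter.
function isValidBitImm32(value, arch) {
  if (arch === "x86") return true;
  if (arch === "arm64") return isLogicalImmediate32(value);
  throw new Error("unknown architecture: " + arch);
}
```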
1360
1361 2016-02-17  Keith Miller  <keith_miller@apple.com>
1362
1363         Spread operator should be allowed when not the first argument of parameter list
1364         https://bugs.webkit.org/show_bug.cgi?id=152721
1365
1366         Reviewed by Saam Barati.
1367
1368         Spread arguments to functions should now be ES6 compliant. Before we
1369         would only take a spread operator if it was the sole argument to a
1370         function. Additionally, we would not use the Symbol.iterator on the
1371         object to generate the arguments. Instead we would do a loop up to the
1372         length mapping indexed properties to the corresponding argument. We fix
1373         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
1374         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
1375         old spread semantics). This solution has the downside of requiring the
1376         allocation of another object and copying each element twice but avoids a
1377         large change to the vm calling convention.
1378
1379         * interpreter/Interpreter.cpp:
1380         (JSC::loadVarargs):
1381         * parser/ASTBuilder.h:
1382         (JSC::ASTBuilder::createElementList):
1383         * parser/Parser.cpp:
1384         (JSC::Parser<LexerType>::parseArguments):
1385         (JSC::Parser<LexerType>::parseArgument):
1386         (JSC::Parser<LexerType>::parseMemberExpression):
1387         * parser/Parser.h:
1388         * parser/SyntaxChecker.h:
1389         (JSC::SyntaxChecker::createElementList):
1390         * tests/es6.yaml:
1391         * tests/stress/spread-calling.js: Added.
1392         (testFunction):
1393         (testEmpty):
1394         (makeObject):
1395         (otherIterator.return.next):
1396         (otherIterator):
1397         (totalIter):
1398         (throwingIter.return.next):
1399         (throwingIter):
1400         (i.catch):
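
The two spread semantics this entry contrasts, as an added example that is not part of the JSC change: the old length-plus-indexed-properties loop versus ES6 iteration via Symbol.iterator, and the foo(...a, b, ...c, d) to foo(...[...a, b, ...c, d]) rewrite with the outer spread on the old path. The sample object and helper names are constructed for the example.

```javascript
// Added example, not JSC code: models the two spread semantics the entry contrasts.

// Old JSC behaviour: loop up to `length`, reading indexed properties; Symbol.iterator is ignored.
function spreadOldStyle(obj) {
  const out = [];
  const len = obj.length >>> 0;
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 behaviour: consume the object's Symbol.iterator (here via an array literal spread).
function spreadES6(obj) {
  return [...obj];
}

// One element of an argument list: either a plain value or a `...value` spread.
function spreadArg(value) { return { spread: true, value }; }
function plainArg(value) { return { spread: false, value }; }

// The rewrite from the entry: foo(...a, b, ...c, d) becomes foo(...[...a, b, ...c, d]).
// Step 1 builds the array literal [...a, b, ...c, d] with ES6 (iterator) semantics.
function buildArgumentArray(pieces) {
  const args = [];
  for (const p of pieces) {
    if (p.spread) args.push(...spreadES6(p.value));
    else args.push(p.value);
  }
  return args;
}

// Step 2 applies the outer spread using the old length-based path, which is safe
// because its operand is the freshly built array from step 1. This is also the cost
// the entry mentions: every element is copied into `arr` and then again into the call.
function callWithSpread(fn, pieces) {
  const arr = buildArgumentArray(pieces);
  return fn(...spreadOldStyle(arr));
}

// Constructed sample: an array-like whose iterator yields different values than its
// indexed properties, so the two semantics are observably different.
const sample = {
  length: 2,
  0: "idx0",
  1: "idx1",
  *[Symbol.iterator]() { yield "iter0"; yield "iter1"; yield "iter2"; },
};

// Constructed sample: an iterator that throws mid-way. With ES6 semantics the
// error propagates out of the call instead of being ignored.
const throwingIterable = {
  *[Symbol.iterator]() { yield 1; throw new Error("iterator failed"); },
};

// Returns true when spreading `pieces` into `fn` throws.
function spreadThrows(fn, pieces) {
  try { callWithSpread(fn, pieces); return false; } catch (e) { return true; }
}
```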
1401
1402 2016-02-17  Brian Burg  <bburg@apple.com>
1403
1404         Remove a wrong cast in RemoteInspector::receivedSetupMessage
1405         https://bugs.webkit.org/show_bug.cgi?id=154361
1406         <rdar://problem/24709281>
1407
1408         Reviewed by Joseph Pecoraro.
1409
1410         * inspector/remote/RemoteInspector.mm:
1411         (Inspector::RemoteInspector::receivedSetupMessage):
1412         Not only is this cast unnecessary (the constructor accepts the base class),
1413         but it is wrong since the target could be an automation target. Remove it.
1414
1415 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
1416
1417         Rename FTLB3Blah to FTLBlah
1418         https://bugs.webkit.org/show_bug.cgi?id=154365
1419
1420         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
1421
1422         * CMakeLists.txt:
1423         * JavaScriptCore.xcodeproj/project.pbxproj:
1424         * ftl/FTLB3Compile.cpp: Removed.
1425         * ftl/FTLB3Output.cpp: Removed.
1426         * ftl/FTLB3Output.h: Removed.
1427         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
1428         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
1429         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
1430
1431 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
1432
1433         Remove LLVM dependencies from WebKit
1434         https://bugs.webkit.org/show_bug.cgi?id=154323
1435
1436         Reviewed by Antti Koivisto and Benjamin Poulain.
1437
1438         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
1439         LLVM-related code dead, including the disassembler, which was only reachable when you were on
1440         a platform that already had an in-tree disassembler.
1441
1442         * CMakeLists.txt:
1443         * JavaScriptCore.xcodeproj/project.pbxproj:
1444         * dfg/DFGCommon.h:
1445         * dfg/DFGPlan.cpp:
1446         (JSC::DFG::Plan::compileInThread):
1447         (JSC::DFG::Plan::compileInThreadImpl):
1448         (JSC::DFG::Plan::compileTimeStats):
1449         * disassembler/ARM64Disassembler.cpp:
1450         (JSC::tryToDisassemble):
1451         * disassembler/ARMv7Disassembler.cpp:
1452         (JSC::tryToDisassemble):
1453         * disassembler/Disassembler.cpp:
1454         (JSC::disassemble):
1455         (JSC::disassembleAsynchronously):
1456         * disassembler/Disassembler.h:
1457         (JSC::tryToDisassemble):
1458         * disassembler/LLVMDisassembler.cpp: Removed.
1459         * disassembler/LLVMDisassembler.h: Removed.
1460         * disassembler/UDis86Disassembler.cpp:
1461         (JSC::tryToDisassembleWithUDis86):
1462         * disassembler/UDis86Disassembler.h:
1463         (JSC::tryToDisassembleWithUDis86):
1464         * disassembler/X86Disassembler.cpp:
1465         (JSC::tryToDisassemble):
1466         * ftl/FTLAbbreviatedTypes.h:
1467         * ftl/FTLAbbreviations.h: Removed.
1468         * ftl/FTLAbstractHeap.cpp:
1469         (JSC::FTL::AbstractHeap::decorateInstruction):
1470         (JSC::FTL::AbstractHeap::dump):
1471         (JSC::FTL::AbstractField::dump):
1472         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
1473         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
1474         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1475         (JSC::FTL::IndexedAbstractHeap::dump):
1476         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
1477         (JSC::FTL::NumberedAbstractHeap::dump):
1478         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
1479         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
1480         * ftl/FTLAbstractHeap.h:
1481         (JSC::FTL::AbstractHeap::AbstractHeap):
1482         (JSC::FTL::AbstractHeap::heapName):
1483         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
1484         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
1485         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
1486         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
1487         * ftl/FTLAbstractHeapRepository.cpp:
1488         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1489         * ftl/FTLAbstractHeapRepository.h:
1490         * ftl/FTLB3Compile.cpp:
1491         * ftl/FTLB3Output.cpp:
1492         (JSC::FTL::Output::Output):
1493         (JSC::FTL::Output::check):
1494         (JSC::FTL::Output::load):
1495         (JSC::FTL::Output::store):
1496         * ftl/FTLB3Output.h:
1497         * ftl/FTLCommonValues.cpp:
1498         (JSC::FTL::CommonValues::CommonValues):
1499         (JSC::FTL::CommonValues::initializeConstants):
1500         * ftl/FTLCommonValues.h:
1501         (JSC::FTL::CommonValues::initialize): Deleted.
1502         * ftl/FTLCompile.cpp: Removed.
1503         * ftl/FTLCompileBinaryOp.cpp: Removed.
1504         * ftl/FTLCompileBinaryOp.h: Removed.
1505         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
1506         * ftl/FTLDWARFDebugLineInfo.h: Removed.
1507         * ftl/FTLDWARFRegister.cpp: Removed.
1508         * ftl/FTLDWARFRegister.h: Removed.
1509         * ftl/FTLDataSection.cpp: Removed.
1510         * ftl/FTLDataSection.h: Removed.
1511         * ftl/FTLExceptionHandlerManager.cpp: Removed.
1512         * ftl/FTLExceptionHandlerManager.h: Removed.
1513         * ftl/FTLExceptionTarget.cpp:
1514         * ftl/FTLExceptionTarget.h:
1515         * ftl/FTLExitThunkGenerator.cpp: Removed.
1516         * ftl/FTLExitThunkGenerator.h: Removed.
1517         * ftl/FTLFail.cpp:
1518         (JSC::FTL::fail):
1519         * ftl/FTLInlineCacheDescriptor.h: Removed.
1520         * ftl/FTLInlineCacheSize.cpp: Removed.
1521         * ftl/FTLInlineCacheSize.h: Removed.
1522         * ftl/FTLIntrinsicRepository.cpp: Removed.
1523         * ftl/FTLIntrinsicRepository.h: Removed.
1524         * ftl/FTLJITCode.cpp:
1525         (JSC::FTL::JITCode::~JITCode):
1526         (JSC::FTL::JITCode::initializeB3Code):
1527         (JSC::FTL::JITCode::initializeB3Byproducts):
1528         (JSC::FTL::JITCode::initializeAddressForCall):
1529         (JSC::FTL::JITCode::contains):
1530         (JSC::FTL::JITCode::ftl):
1531         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1532         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
1533         (JSC::FTL::JITCode::addHandle): Deleted.
1534         (JSC::FTL::JITCode::addDataSection): Deleted.
1535         (JSC::FTL::JITCode::exitThunks): Deleted.
1536         * ftl/FTLJITCode.h:
1537         (JSC::FTL::JITCode::b3Code):
1538         (JSC::FTL::JITCode::handles): Deleted.
1539         (JSC::FTL::JITCode::dataSections): Deleted.
1540         * ftl/FTLJITFinalizer.cpp:
1541         (JSC::FTL::JITFinalizer::codeSize):
1542         (JSC::FTL::JITFinalizer::finalizeFunction):
1543         * ftl/FTLJITFinalizer.h:
1544         * ftl/FTLJSCall.cpp: Removed.
1545         * ftl/FTLJSCall.h: Removed.
1546         * ftl/FTLJSCallBase.cpp: Removed.
1547         * ftl/FTLJSCallBase.h: Removed.
1548         * ftl/FTLJSCallVarargs.cpp: Removed.
1549         * ftl/FTLJSCallVarargs.h: Removed.
1550         * ftl/FTLJSTailCall.cpp: Removed.
1551         * ftl/FTLJSTailCall.h: Removed.
1552         * ftl/FTLLazySlowPath.cpp:
1553         (JSC::FTL::LazySlowPath::LazySlowPath):
1554         (JSC::FTL::LazySlowPath::generate):
1555         * ftl/FTLLazySlowPath.h:
1556         (JSC::FTL::LazySlowPath::createGenerator):
1557         (JSC::FTL::LazySlowPath::patchableJump):
1558         (JSC::FTL::LazySlowPath::done):
1559         (JSC::FTL::LazySlowPath::usedRegisters):
1560         (JSC::FTL::LazySlowPath::callSiteIndex):
1561         (JSC::FTL::LazySlowPath::stub):
1562         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
1563         * ftl/FTLLink.cpp:
1564         (JSC::FTL::link):
1565         * ftl/FTLLocation.cpp:
1566         (JSC::FTL::Location::forValueRep):
1567         (JSC::FTL::Location::dump):
1568         (JSC::FTL::Location::forStackmaps): Deleted.
1569         * ftl/FTLLocation.h:
1570         (JSC::FTL::Location::forRegister):
1571         (JSC::FTL::Location::forIndirect):
1572         (JSC::FTL::Location::forConstant):
1573         (JSC::FTL::Location::kind):
1574         (JSC::FTL::Location::hasReg):
1575         * ftl/FTLLowerDFGToLLVM.cpp:
1576         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
1577         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1578         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
1579         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1580         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
1581         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
1582         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
1583         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1584         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
1585         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1586         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1587         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1588         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
1589         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
1590         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
1591         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
1592         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
1593         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
1594         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
1595         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1596         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
1597         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
1598         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1599         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1600         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1601         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
1602         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
1603         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
1604         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
1605         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1606         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
1607         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
1608         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1609         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1610         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1611         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
1612         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1613         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
1614         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1615         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
1616         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1617         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1618         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
1619         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
1620         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
1621         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
1622         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
1623         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
1624         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
1625         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
1626         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
1627         * ftl/FTLOSRExit.cpp:
1628         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
1629         (JSC::FTL::OSRExitDescriptor::validateReferences):
1630         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1631         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1632         (JSC::FTL::OSRExit::OSRExit):
1633         (JSC::FTL::OSRExit::codeLocationForRepatch):
1634         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
1635         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
1636         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
1637         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
1638         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
1639         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
1640         * ftl/FTLOSRExit.h:
1641         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1642         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
1643         * ftl/FTLOSRExitCompilationInfo.h: Removed.
1644         * ftl/FTLOSRExitCompiler.cpp:
1645         (JSC::FTL::compileRecovery):
1646         (JSC::FTL::compileStub):
1647         (JSC::FTL::compileFTLOSRExit):
1648         * ftl/FTLOSRExitHandle.cpp:
1649         * ftl/FTLOSRExitHandle.h:
1650         * ftl/FTLOutput.cpp: Removed.
1651         * ftl/FTLOutput.h: Removed.
1652         * ftl/FTLPatchpointExceptionHandle.cpp:
1653         * ftl/FTLPatchpointExceptionHandle.h:
1654         * ftl/FTLStackMaps.cpp: Removed.
1655         * ftl/FTLStackMaps.h: Removed.
1656         * ftl/FTLState.cpp:
1657         (JSC::FTL::State::State):
1658         (JSC::FTL::State::~State):
1659         (JSC::FTL::State::dumpState): Deleted.
1660         * ftl/FTLState.h:
1661         * ftl/FTLUnwindInfo.cpp: Removed.
1662         * ftl/FTLUnwindInfo.h: Removed.
1663         * ftl/FTLValueRange.cpp:
1664         (JSC::FTL::ValueRange::decorateInstruction):
1665         * ftl/FTLValueRange.h:
1666         (JSC::FTL::ValueRange::ValueRange):
1667         (JSC::FTL::ValueRange::begin):
1668         (JSC::FTL::ValueRange::end):
1669         * ftl/FTLWeight.h:
1670         (JSC::FTL::Weight::value):
1671         (JSC::FTL::Weight::frequencyClass):
1672         (JSC::FTL::Weight::scaleToTotal):
1673         * llvm/InitializeLLVM.cpp: Removed.
1674         * llvm/InitializeLLVM.h: Removed.
1675         * llvm/InitializeLLVMMac.cpp: Removed.
1676         * llvm/InitializeLLVMPOSIX.cpp: Removed.
1677         * llvm/InitializeLLVMPOSIX.h: Removed.
1678         * llvm/LLVMAPI.cpp: Removed.
1679         * llvm/LLVMAPI.h: Removed.
1680         * llvm/LLVMAPIFunctions.h: Removed.
1681         * llvm/LLVMHeaders.h: Removed.
1682         * llvm/library/LLVMAnchor.cpp: Removed.
1683         * llvm/library/LLVMExports.cpp: Removed.
1684         * llvm/library/LLVMOverrides.cpp: Removed.
1685         * llvm/library/config_llvm.h: Removed.
1686
1687 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
1688
1689         [JSC] Remove the overflow check on ArithAbs when possible
1690         https://bugs.webkit.org/show_bug.cgi?id=154325
1691
1692         Reviewed by Filip Pizlo.
1693
1694         This patch adds support for ArithMode for ArithAbs.
1695
1696         It is useful for kraken tests where Math.abs() is used
1697         on values for which the range is known.
1698
1699         For example, imaging-gaussian-blur has two Math.abs() with
1700         integers that are always in a small range around zero.
1701         The IntegerRangeOptimizationPhase detects the range correctly
1702         so we can just update the ArithMode depending on the input.
1703
1704         * dfg/DFGFixupPhase.cpp:
1705         (JSC::DFG::FixupPhase::fixupNode):
1706         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1707         * dfg/DFGNode.h:
1708         (JSC::DFG::Node::convertToArithNegate):
1709         (JSC::DFG::Node::hasArithMode):
1710         * dfg/DFGSpeculativeJIT64.cpp:
1711         (JSC::DFG::SpeculativeJIT::compile):
1712         * ftl/FTLLowerDFGToLLVM.cpp:
1713         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
1714         * tests/stress/arith-abs-integer-range-optimization.js: Added.
1715         (negativeRange):
1716         (negativeRangeIncludingZero):
1717         (negativeRangeWithOverflow):
1718         (positiveRange):
1719         (positiveRangeIncludingZero):
1720         (rangeWithoutOverflow):
1721         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
1722         (opaqueAbs):
1723
1724 2016-02-17  Chris Dumez  <cdumez@apple.com>
1725
1726         SES selftest page crashes on nightly r196694
1727         https://bugs.webkit.org/show_bug.cgi?id=154350
1728         <rdar://problem/24704334>
1729
1730         Reviewed by Mark Lam.
1731
1732         SES selftest page crashes after r196001 / r196145 when calling
1733         Object.getOwnPropertyDescriptor(window, "length") after the window
1734         has been reified and "length" has been shadowed by a value property.
1735
1736         It was crashing in JSObject::getOwnPropertyDescriptor() because
1737         we are getting a slot that has attribute "CustomAccessor" but
1738         the property is not a CustomGetterSetter. In this case, since
1739         window.length is [Replaceable] and has been set to a numeric value,
1740         it means that the property is not a CustomGetterSetter. However,
1741         the "CustomAccessor" attribute should have been dropped from the
1742         slot when window.length was shadowed. Therefore, this code path
1743         should not be exercised at all when calling
1744         getOwnPropertyDescriptor().
1745
1746         The issue was that putDirectInternal() was updating the slot
1747         attributes only if the "Accessor" flag has changed, but not
1748         the "customAccessor" flag. This patch fixes the issue.
1749
1750         * runtime/JSObject.h:
1751         (JSC::JSObject::putDirectInternal):
1752
1753 2016-02-17  Saam Barati  <sbarati@apple.com>
1754
1755         Implement Proxy [[Get]]
1756         https://bugs.webkit.org/show_bug.cgi?id=154081
1757
1758         Reviewed by Michael Saboff.
1759
1760         This patch implements ProxyObject and ProxyConstructor. Their
1761         implementations are straight forward and follow the spec.
1762         The largest change in this patch is adding a second parameter
1763         to PropertySlot's constructor that specifies the internal method type of
1764         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to
1765         implement more than one Internal Method in the spec. Because
1766         of this, we need InternalMethodType to give us context about
1767         which Internal Method we're executing. Specifically, Proxy will
1768         call into different handlers based on this information.
1769
1770         InternalMethodType is an enum with the following values:
1771         - Get
1772           This corresponds to [[Get]] internal method in the spec.
1773         - GetOwnProperty
1774           This corresponds to [[GetOwnProperty]] internal method in the spec.
1775         - HasProperty
1776           This corresponds to [[HasProperty]] internal method in the spec.
1777         - VMInquiry
1778           This is basically everything else that isn't one of the above
1779           types. This value also mandates that getOwnPropertySlot does
1780           not perform any user observable effects. I.e., it can't call
1781           a JS function.
1782
1783         The other non-VMInquiry InternalMethodTypes are allowed to perform user
1784         observable effects. I.e., in future patches, ProxyObject will implement
1785         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty,
1786         which will both be defined to call user defined JS functions, which
1787         clearly have the right to perform user observable effects.
1788
1789         This patch implements getOwnPropertySlot of ProxyObject under
1790         InternalMethodType::Get.
1791
1792         * API/JSCallbackObjectFunctions.h:
1793         (JSC::JSCallbackObject<Parent>::put):
1794         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1795         * CMakeLists.txt:
1796         * JavaScriptCore.xcodeproj/project.pbxproj:
1797         * debugger/DebuggerScope.cpp:
1798         (JSC::DebuggerScope::caughtValue):
1799         * interpreter/Interpreter.cpp:
1800         (JSC::Interpreter::execute):
1801         * jit/JITOperations.cpp:
1802         * llint/LLIntSlowPaths.cpp:
1803         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1804         * runtime/ArrayPrototype.cpp:
1805         (JSC::getProperty):
1806         * runtime/CommonIdentifiers.h:
1807         * runtime/JSCJSValueInlines.h:
1808         (JSC::JSValue::get):
1809         * runtime/JSFunction.cpp:
1810         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1811         (JSC::JSFunction::put):
1812         (JSC::JSFunction::defineOwnProperty):
1813         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1814         (JSC::constructGenericTypedArrayViewWithArguments):
1815         * runtime/JSGlobalObject.cpp:
1816         (JSC::JSGlobalObject::init):
1817         (JSC::JSGlobalObject::defineOwnProperty):
1818         * runtime/JSGlobalObject.h:
1819         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
1820         (JSC::JSGlobalObject::moduleRecordStructure):
1821         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
1822         (JSC::JSGlobalObject::proxyObjectStructure):
1823         (JSC::JSGlobalObject::wasmModuleStructure):
1824         * runtime/JSModuleEnvironment.cpp:
1825         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1826         * runtime/JSModuleNamespaceObject.cpp:
1827         (JSC::callbackGetter):
1828         * runtime/JSONObject.cpp:
1829         (JSC::Stringifier::Holder::appendNextProperty):
1830         (JSC::Walker::walk):
1831         * runtime/JSObject.cpp:
1832         (JSC::JSObject::calculatedClassName):
1833         (JSC::JSObject::putDirectNonIndexAccessor):
1834         (JSC::JSObject::hasProperty):
1835         (JSC::JSObject::deleteProperty):
1836         (JSC::JSObject::hasOwnProperty):
1837         (JSC::JSObject::getOwnPropertyDescriptor):
1838         * runtime/JSObject.h:
1839         (JSC::JSObject::getDirectIndex):
1840         (JSC::JSObject::get):
1841         * runtime/JSScope.cpp:
1842         (JSC::abstractAccess):
1843         * runtime/ObjectConstructor.cpp:
1844         (JSC::toPropertyDescriptor):
1845         * runtime/ObjectPrototype.cpp:
1846         (JSC::objectProtoFuncLookupGetter):
1847         (JSC::objectProtoFuncLookupSetter):
1848         (JSC::objectProtoFuncToString):
1849         * runtime/PropertySlot.h:
1850         (JSC::attributesForStructure):
1851         (JSC::PropertySlot::PropertySlot):
1852         (JSC::PropertySlot::isCacheableGetter):
1853         (JSC::PropertySlot::isCacheableCustom):
1854         (JSC::PropertySlot::internalMethodType):
1855         (JSC::PropertySlot::disableCaching):
1856         (JSC::PropertySlot::getValue):
1857         * runtime/ProxyConstructor.cpp: Added.
1858         (JSC::ProxyConstructor::create):
1859         (JSC::ProxyConstructor::ProxyConstructor):
1860         (JSC::ProxyConstructor::finishCreation):
1861         (JSC::constructProxyObject):
1862         (JSC::ProxyConstructor::getConstructData):
1863         (JSC::ProxyConstructor::getCallData):
1864         * runtime/ProxyConstructor.h: Added.
1865         (JSC::ProxyConstructor::createStructure):
1866         * runtime/ProxyObject.cpp: Added.
1867         (JSC::ProxyObject::ProxyObject):
1868         (JSC::ProxyObject::finishCreation):
1869         (JSC::performProxyGet):
1870         (JSC::ProxyObject::getOwnPropertySlotCommon):
1871         (JSC::ProxyObject::getOwnPropertySlot):
1872         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1873         (JSC::ProxyObject::visitChildren):
1874         * runtime/ProxyObject.h: Added.
1875         (JSC::ProxyObject::create):
1876         (JSC::ProxyObject::createStructure):
1877         (JSC::ProxyObject::target):
1878         (JSC::ProxyObject::handler):
1879         * runtime/ReflectObject.cpp:
1880         (JSC::reflectObjectGet):
1881         * runtime/SamplingProfiler.cpp:
1882         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
1883         * tests/es6.yaml:
1884         * tests/stress/proxy-basic.js: Added.
1885         (assert):
1886         (let.handler.get null):
1887         (get let):
1888         (let.handler.get switch):
1889         (let.handler):
1890         (let.theTarget.get x):
1891         * tests/stress/proxy-in-proto-chain.js: Added.
1892         (assert):
1893         * tests/stress/proxy-of-a-proxy.js: Added.
1894         (assert):
1895         (throw.new.Error.):
1896         * tests/stress/proxy-property-descriptor.js: Added.
1897         (assert):
1898         (set Object):
1899         * wasm/WASMModuleParser.cpp:
1900         (JSC::WASMModuleParser::getImportedValue):
1901
1902 2016-02-17  Mark Lam  <mark.lam@apple.com>
1903
1904         StringPrototype functions should check for exceptions after calling JSString::value().
1905         https://bugs.webkit.org/show_bug.cgi?id=154340
1906
1907         Reviewed by Filip Pizlo.
1908
1909         JSString::value() can throw an exception if the JS string is a rope and value()
1910         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
1911         able to resolve the rope, it will return a null string (in addition to throwing
1912         the exception).  If StringPrototype functions do not check for exceptions after
1913         calling JSString::value(), they may eventually use the returned null string and
1914         crash the VM.
1915
1916         The fix is to add all the necessary exception checks, and do the appropriate
1917         handling if needed.
1918
1919         Also, in a few places where we return JSValue() when an exception is detected, I
1920         changed it to return jsUndefined() instead to be consistent with the rest of the
1921         file.
1922
1923         * runtime/StringPrototype.cpp:
1924         (JSC::replaceUsingRegExpSearch):
1925         (JSC::stringProtoFuncMatch):
1926         (JSC::stringProtoFuncSlice):
1927         (JSC::stringProtoFuncSplit):
1928         (JSC::stringProtoFuncLocaleCompare):
1929         (JSC::stringProtoFuncBig):
1930         (JSC::stringProtoFuncSmall):
1931         (JSC::stringProtoFuncBlink):
1932         (JSC::stringProtoFuncBold):
1933         (JSC::stringProtoFuncFixed):
1934         (JSC::stringProtoFuncItalics):
1935         (JSC::stringProtoFuncStrike):
1936         (JSC::stringProtoFuncSub):
1937         (JSC::stringProtoFuncSup):
1938         (JSC::stringProtoFuncFontcolor):
1939         (JSC::stringProtoFuncFontsize):
1940         (JSC::stringProtoFuncAnchor):
1941         (JSC::stringProtoFuncLink):
1942         (JSC::trimString):
1943
1944 2016-02-17  Commit Queue  <commit-queue@webkit.org>
1945
1946         Unreviewed, rolling out r196675.
1947         https://bugs.webkit.org/show_bug.cgi?id=154344
1948
1949         "Causes major slowdowns on deltablue-varargs" (Requested by
1950         keith_miller on #webkit).
1951
1952         Reverted changeset:
1953
1954         "Spread operator should be allowed when not the first argument
1955         of parameter list"
1956         https://bugs.webkit.org/show_bug.cgi?id=152721
1957         http://trac.webkit.org/changeset/196675
1958
1959 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
1960
1961         JSDOMWindow::put should not do the same thing twice
1962         https://bugs.webkit.org/show_bug.cgi?id=154334
1963
1964         Reviewed by Chris Dumez.
1965
1966         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
1967         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
1968         table entries.
1969
1970         * runtime/JSGlobalObject.h:
1971         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
1972             - no longer needed.
1973
1974 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
1975
1976         FTL_USES_B3 should be unconditionally true
1977         https://bugs.webkit.org/show_bug.cgi?id=154324
1978
1979         Reviewed by Benjamin Poulain.
1980
1981         * dfg/DFGCommon.h:
1982
1983 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
1984
1985         FTL should support CompareEq(String:, String:)
1986         https://bugs.webkit.org/show_bug.cgi?id=154269
1987         rdar://problem/24499921
1988
1989         Reviewed by Benjamin Poulain.
1990
1991         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
1992         think we should land the increased coverage first and fix the issues after, especially since
1993         the regression is so small and doesn't have a statistically significant effect on the overall
1994         score.
1995
1996         * ftl/FTLCapabilities.cpp:
1997         (JSC::FTL::canCompile):
1998         * ftl/FTLLowerDFGToLLVM.cpp:
1999         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
2000         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
2001         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2002         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2003         * tests/stress/ftl-string-equality.js: Added.
2004         * tests/stress/ftl-string-ident-equality.js: Added.
2005         * tests/stress/ftl-string-strict-equality.js: Added.
2006
2007 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2008
2009         FTL should support NewTypedArray
2010         https://bugs.webkit.org/show_bug.cgi?id=154268
2011
2012         Reviewed by Saam Barati.
2013
2014         3% speed-up on pdfjs. This was already covered by many different tests.
2015
2016         Rolling this back in after fixing the butterfly argument.
2017
2018         * ftl/FTLCapabilities.cpp:
2019         (JSC::FTL::canCompile):
2020         * ftl/FTLLowerDFGToLLVM.cpp:
2021         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2022         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2023         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
2024         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
2025         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
2026         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
2027         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2028
2029 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
2030
2031         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
2032         https://bugs.webkit.org/show_bug.cgi?id=154257
2033
2034         Reviewed by Chris Dumez.
2035
2036         * runtime/Lookup.h:
2037         (JSC::getStaticPropertySlot):
2038         (JSC::getStaticFunctionSlot):
2039         (JSC::getStaticValueSlot):
2040             - this could all do with a little more love.
2041               But enforce the basic precedence:
2042                 (1) regular storage properties always win over static table properties.
2043                 (2) if properties have been reified, don't consult the static tables.
2044                 (3) only if the property is not present on the object & not reified
2045                     should the static hashtable be consulted.
2046
2047 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
2048
2049         JSDOMWindow::getOwnPropertySlot should not search proto chain
2050         https://bugs.webkit.org/show_bug.cgi?id=154102
2051
2052         Reviewed by Chris Dumez.
2053
2054         Should only return *own* properties.
2055
2056         * runtime/JSObject.cpp:
2057         (JSC::JSObject::getOwnPropertyDescriptor):
2058             - remove hack/special-case for DOMWindow; we no longer need this.
2059
2060 2016-02-16  Keith Miller  <keith_miller@apple.com>
2061
2062         Spread operator should be allowed when not the first argument of parameter list
2063         https://bugs.webkit.org/show_bug.cgi?id=152721
2064
2065         Reviewed by Saam Barati.
2066
2067         Spread arguments to functions should now be ES6 compliant. Before we
2068         would only take a spread operator if it was the sole argument to a
2069         function. Additionally, we would not use the Symbol.iterator on the
2070         object to generate the arguments. Instead we would do a loop up to the
2071         length mapping indexed properties to the corresponding argument. We fix
2072         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2073         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2074         old spread semantics). This solution has the downside of requiring the
2075         allocation of another object and copying each element twice but avoids a
2076         large change to the vm calling convention.
2077
2078         * interpreter/Interpreter.cpp:
2079         (JSC::loadVarargs):
2080         * parser/ASTBuilder.h:
2081         (JSC::ASTBuilder::createElementList):
2082         * parser/Parser.cpp:
2083         (JSC::Parser<LexerType>::parseArguments):
2084         (JSC::Parser<LexerType>::parseArgument):
2085         (JSC::Parser<LexerType>::parseMemberExpression):
2086         * parser/Parser.h:
2087         * parser/SyntaxChecker.h:
2088         (JSC::SyntaxChecker::createElementList):
2089         * tests/es6.yaml:
2090         * tests/stress/spread-calling.js: Added.
2091         (testFunction):
2092         (testEmpty):
2093         (makeObject):
2094         (otherIterator.return.next):
2095         (otherIterator):
2096         (totalIter):
2097         (throwingIter.return.next):
2098         (throwingIter):
2099         (i.catch):
2100
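The entry above contrasts the old JSC spread behaviour (walk indexed properties up to `length`) with the ES6 behaviour (drive `Symbol.iterator`) and describes the rewrite of `foo(...a, b, ...c, d)` into `foo(...[...a, b, ...c, d])`. The following is an added example written for this page, not JSC code: `legacySpreadArgs`, `es6SpreadArgs` and `buildArgumentArray` are hypothetical models of the two semantics and of the argument-array rewrite, and the `tricky` object is constructed input whose iterator deliberately disagrees with its indexed properties so the difference is visible.

```javascript
// Added example, not JSC code. Models the two spread-argument semantics named in
// the ChangeLog entry above and the array-based rewrite of a mixed argument list.

// Hypothetical model of the old behaviour: read 0..length-1 as indexed
// properties and ignore any Symbol.iterator the object defines.
function legacySpreadArgs(obj) {
  const out = [];
  const len = obj.length >>> 0; // array-like length, ToUint32
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 behaviour: for-of invokes obj[Symbol.iterator]() and drains it.
function es6SpreadArgs(obj) {
  const out = [];
  for (const v of obj) out.push(v);
  return out;
}

// Model of the AST rewrite foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]):
// first build one flat argument array (each spread element resolved through the
// object's iterator), which is then applied as a single spread. `parts` is a
// hypothetical representation of the argument list: {spread: bool, value}.
function buildArgumentArray(parts) {
  const args = [];
  for (const p of parts) {
    if (p.spread) args.push(...es6SpreadArgs(p.value));
    else args.push(p.value);
  }
  return args;
}

// Constructed input: an array-like whose iterator yields three values that differ
// from its two indexed properties, so the two semantics visibly disagree.
const tricky = {
  length: 2,
  0: "idx0",
  1: "idx1",
  [Symbol.iterator]() {
    let n = 0;
    return {
      next: () =>
        n < 3 ? { value: `iter${n++}`, done: false } : { value: undefined, done: true },
    };
  },
};

function countArgs(...args) {
  return args.length;
}

// Returns the results of both semantics plus the rewritten mixed call, so they
// can be compared against what native spread does in the running engine.
function demo() {
  const parts = [
    { spread: true, value: tricky },
    { spread: false, value: "b" },
    { spread: true, value: [7, 8] },
    { spread: false, value: "d" },
  ];
  return {
    legacy: legacySpreadArgs(tricky),
    es6: es6SpreadArgs(tricky),
    rewritten: buildArgumentArray(parts),
    nativeArity: countArgs(...tricky, "b", ...[7, 8], "d"),
  };
}
```

Running `demo()` in any ES6 engine shows the legacy walk yielding the two indexed values while the iterator-driven path yields three, and the rewritten argument array matching the arity the engine's own native spread produces for the same mixed call.
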
2101 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
2102
2103         [JSC] Enable B3 on ARM64
2104         https://bugs.webkit.org/show_bug.cgi?id=154275
2105
2106         Reviewed by Mark Lam.
2107
2108         The port passes more tests than LLVM now, let's use it by default.
2109
2110         * dfg/DFGCommon.h:
2111
2112 2016-02-16  Commit Queue  <commit-queue@webkit.org>
2113
2114         Unreviewed, rolling out r196652.
2115         https://bugs.webkit.org/show_bug.cgi?id=154315
2116
2117         This change caused LayoutTest crashes (Requested by ryanhaddad
2118         on #webkit).
2119
2120         Reverted changeset:
2121
2122         "FTL should support NewTypedArray"
2123         https://bugs.webkit.org/show_bug.cgi?id=154268
2124         http://trac.webkit.org/changeset/196652
2125
2126 2016-02-16  Brian Burg  <bburg@apple.com>
2127
2128         RemoteInspector should forward new automation session requests to its client
2129         https://bugs.webkit.org/show_bug.cgi?id=154260
2130         <rdar://problem/24663313>
2131
2132         Reviewed by Timothy Hatcher.
2133
2134         * inspector/remote/RemoteInspector.h:
2135         * inspector/remote/RemoteInspector.mm:
2136         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2137         (Inspector::RemoteInspector::listingForAutomationTarget):
2138         Use the correct key for the session identifier in the listing. The name()
2139         override for RemoteAutomationTarget is actually the session identifier.
2140
2141         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2142         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
2143
2144 2016-02-16  Saam barati  <sbarati@apple.com>
2145
2146         SamplingProfiler still fails with ASan enabled
2147         https://bugs.webkit.org/show_bug.cgi?id=154301
2148         <rdar://problem/24679502>
2149
2150         Reviewed by Filip Pizlo.
2151
2152         To fix this issue, I've come up with unsafe versions
2153         of all operations that load memory from the thread's call
2154         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
2155
2156         * interpreter/CallFrame.cpp:
2157         (JSC::CallFrame::callSiteAsRawBits):
2158         (JSC::CallFrame::unsafeCallSiteAsRawBits):
2159         (JSC::CallFrame::callSiteIndex):
2160         (JSC::CallFrame::unsafeCallSiteIndex):
2161         (JSC::CallFrame::stack):
2162         (JSC::CallFrame::callerFrame):
2163         (JSC::CallFrame::unsafeCallerFrame):
2164         (JSC::CallFrame::friendlyFunctionName):
2165         * interpreter/CallFrame.h:
2166         (JSC::ExecState::calleeAsValue):
2167         (JSC::ExecState::callee):
2168         (JSC::ExecState::unsafeCallee):
2169         (JSC::ExecState::codeBlock):
2170         (JSC::ExecState::unsafeCodeBlock):
2171         (JSC::ExecState::scope):
2172         (JSC::ExecState::callerFrame):
2173         (JSC::ExecState::callerFrameOrVMEntryFrame):
2174         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
2175         (JSC::ExecState::callerFrameOffset):
2176         (JSC::ExecState::callerFrameAndPC):
2177         (JSC::ExecState::unsafeCallerFrameAndPC):
2178         * interpreter/Register.h:
2179         (JSC::Register::codeBlock):
2180         (JSC::Register::asanUnsafeCodeBlock):
2181         (JSC::Register::unboxedInt32):
2182         (JSC::Register::tag):
2183         (JSC::Register::unsafeTag):
2184         (JSC::Register::payload):
2185         * interpreter/VMEntryRecord.h:
2186         (JSC::VMEntryRecord::prevTopCallFrame):
2187         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2188         (JSC::VMEntryRecord::prevTopVMEntryFrame):
2189         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
2190         * runtime/SamplingProfiler.cpp:
2191         (JSC::FrameWalker::walk):
2192         (JSC::FrameWalker::advanceToParentFrame):
2193         (JSC::FrameWalker::isAtTop):
2194         (JSC::FrameWalker::resetAtMachineFrame):
2195
2196 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2197
2198         FTL should support NewTypedArray
2199         https://bugs.webkit.org/show_bug.cgi?id=154268
2200
2201         Reviewed by Saam Barati.
2202
2203         3% speed-up on pdfjs. This was already covered by many different tests.
2204
2205         * ftl/FTLCapabilities.cpp:
2206         (JSC::FTL::canCompile):
2207         * ftl/FTLLowerDFGToLLVM.cpp:
2208         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2209         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2210         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
2211         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
2212         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
2213         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
2214         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2215
2216 2016-02-16  Saam barati  <sbarati@apple.com>
2217
2218         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
2219         https://bugs.webkit.org/show_bug.cgi?id=154255
2220         <rdar://problem/24662996>
2221
2222         Reviewed by Mark Lam.
2223
2224         The bug here wasn't in the implementation of the sampling profiler 
2225         itself. Rather, it was a bug in the test. JSC wasn't spending a lot
2226         of time in a function that the test assumed a lot of time was spent in.
2227         That's because the DFG was doing a good job at optimizing the function
2228         at the leaf of the recursion. Because of that, we often wouldn't sample it.
2229         I fixed this by making the leaf function do more work.
2230
2231         * tests/stress/sampling-profiler-deep-stack.js:
2232         (platformSupportsSamplingProfiler.foo):
2233
2234 2016-02-16  Chris Dumez  <cdumez@apple.com>
2235
2236         [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
2237         https://bugs.webkit.org/show_bug.cgi?id=154120
2238         <rdar://problem/24613231>
2239
2240         Reviewed by Gavin Barraclough.
2241
2242         Have putEntry() take a thisValue parameter in addition to the base,
2243         instead of relying on PropertySlot::thisValue() because this did not
2244         always do the right thing. In particular, when JSDOMWindow::put() was
2245         called to set a function, it would end up setting the new value on the
2246         JSDOMWindowShell instead of the actual JSDOMWindow.
2247         JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
2248         Therefore the following would fail:
2249         $ window.open = "test"
2250         $ console.log(window.open) // prints the native function instead of "test"
2251
2252         * runtime/JSObject.cpp:
2253         (JSC::JSObject::putInlineSlow):
2254         * runtime/Lookup.h:
2255         (JSC::putEntry):
2256         (JSC::lookupPut):
2257
2258 2016-02-16  Keith Miller  <keith_miller@apple.com>
2259
2260         ClonedArguments should not materialize its special properties unless they are being changed or deleted
2261         https://bugs.webkit.org/show_bug.cgi?id=154128
2262
2263         Reviewed by Filip Pizlo.
2264
2265         Before we would materialize ClonedArguments whenever they were being accessed.
2266         However this would cause the IC to miss every time as the structure for
2267         the arguments object would change as we went to IC it. Thus on the next
2268         function call we would miss the cache since the new arguments object
2269         would not have materialized the value.
2270
2271         * runtime/ClonedArguments.cpp:
2272         (JSC::ClonedArguments::getOwnPropertySlot):
2273         * tests/stress/cloned-arguments-modification.js: Added.
2274         (foo):
2275
2276 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2277
2278         FTL should support StringFromCharCode
2279         https://bugs.webkit.org/show_bug.cgi?id=154267
2280         rdar://problem/24192536
2281
2282         Reviewed by Mark Lam.
2283
2284         * dfg/DFGFixupPhase.cpp:
2285         (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
2286         * ftl/FTLCapabilities.cpp:
2287         (JSC::FTL::canCompile):
2288         * ftl/FTLLowerDFGToLLVM.cpp:
2289         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2290         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
2291         * tests/stress/string-from-char-code-slow.js: Added.
2292
2293 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
2294
2295         [JSC] BranchAdd can override arguments of its stackmap
2296         https://bugs.webkit.org/show_bug.cgi?id=154274
2297
2298         Reviewed by Filip Pizlo.
2299
2300         With the 3 operands BranchAdd added in r196513, we can run into
2301         a register allocation such that the destination register is also
2302         used by a value in the stack map.
2303
2304         It used to be that BranchAdd was a 2 operand instruction.
2305         In that form, the destination is also one of the sources and
2306         can be recovered through Sub. There is no conflict between
2307         destination and the stackmap.
2308
2309         After r196513, the destination has its own value. It is uncommon
2310         on x86 because of the aggressive aliasing but that can happen.
2311         On ARM, that's a standard form since there is no need for aliasing.
2312
2313         Since the arguments of the stackmap are of type EarlyUse,
2314         they appeared as not interfering with the destination. When the register
2315         allocator gives the same register to the destination and something in
2316         the stack map, the result of BranchAdd destroys the value kept alive
2317         for the stackmap.
2318
2319         In this patch, I introduce a concept very similar to ForceLateUse
2320         to keep the argument of the stackmap live in CheckAdd. The new
2321         role is "ForceLateUseUnlessRecoverable".
2322
2323         In this mode, anything that is not also an input argument becomes
2324         LateUse. As such, it interferes with the destination of CheckAdd.
2325         The arguments are recovered by the slow path of CheckAdd. They
2326         remain Early use.
2327
2328         This new mode ensures that the destination can be aliased to the source
2329         when that's useful, while making sure it is not aliased with another
2330         value that needs to be live on exit.
2331
2332         * b3/B3CheckSpecial.cpp:
2333         (JSC::B3::CheckSpecial::forEachArg):
2334         * b3/B3LowerToAir.cpp:
2335         (JSC::B3::Air::LowerToAir::lower):
2336         * b3/B3PatchpointSpecial.cpp:
2337         (JSC::B3::PatchpointSpecial::forEachArg):
2338         * b3/B3StackmapSpecial.cpp:
2339         (JSC::B3::StackmapSpecial::forEachArgImpl):
2340         (WTF::printInternal):
2341         * b3/B3StackmapSpecial.h:
2342         * b3/B3StackmapValue.h:
2343
2344 2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>
2345
2346         Web Inspector: Web Workers have no access to console for debugging
2347         https://bugs.webkit.org/show_bug.cgi?id=26237
2348
2349         Reviewed by Timothy Hatcher.
2350
2351         * inspector/ConsoleMessage.h:
2352         Add accessor for MessageLevel.
2353
2354 2016-02-15  Mark Lam  <mark.lam@apple.com>
2355
2356         [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.
2357         https://bugs.webkit.org/show_bug.cgi?id=151514
2358
2359         Reviewed by Filip Pizlo.
2360
2361         The issue turns out to be trivial: on ARMv7 (and traditional ARM too), arithmetic
2362         shift right (ASR) and logical shift right (LSR) take an immediate shift amount
2363         from 1-32.  See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjacbgca.html.
2364         An immediate shift amount of 0 is interpreted as a shift of 32 bits.
2365
2366         Meanwhile, our macro assembler is expecting the immediate shift value to be
2367         between 0-31.  As a result, a shift amount of 0 is being wrongly encoded with 0
2368         bits which means shift right by 32 bits.
2369
2370         The fix is to check if the shift amount is 0, and if so, emit a move.  Else,
2371         emit the right shift as usual.
2372
2373         This issue does not affect left shifts, as the immediate shift amount for left
2374         shifts is between 0-31 as our macro assembler expects.
2375
2376         * assembler/MacroAssemblerARM.h:
2377         (JSC::MacroAssemblerARM::rshift32):
2378         (JSC::MacroAssemblerARM::urshift32):
2379         (JSC::MacroAssemblerARM::sub32):
2380         * assembler/MacroAssemblerARMv7.h:
2381         (JSC::MacroAssemblerARMv7::rshift32):
2382         (JSC::MacroAssemblerARMv7::urshift32):
2383
2384         * tests/stress/op_rshift.js:
2385         * tests/stress/op_urshift.js:
2386         - Un-skip these tests.  They should always pass now.
2387
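The entry above describes an encoding quirk: for ASR and LSR the immediate field covers 1-32 and a field value of 0 means a shift by 32, while the macro assembler assumed 0-31, so a JavaScript shift by 0 came out as a shift by 32. The fix emits a move for amount 0. The block below is an added example written for this page, not JSC's macro assembler code: `armAsrImmediate` and `armLsrImmediate` are hypothetical models of the hardware semantics, `buggyRshift32`/`buggyUrshift32` model the old emitter and `fixedRshift32`/`fixedUrshift32` the repaired one, and `mismatches` sweeps a constructed set of int32 values to show where each diverges from what ECMAScript requires.

```javascript
// Added example, not JSC code. Models the ARM immediate-shift quirk described in
// the ChangeLog entry above using ordinary 32-bit JavaScript integer arithmetic.

// Hypothetical model of the hardware: an ASR/LSR immediate field of 0 means
// "shift by 32", so an arithmetic shift leaves only the sign and a logical
// shift leaves zero. Fields 1..31 behave as ordinary shifts.
function armAsrImmediate(value, field) {
  const x = value | 0;
  if (field === 0) return x < 0 ? -1 : 0; // field 0 => shift right by 32
  return x >> field;
}
function armLsrImmediate(value, field) {
  const x = value >>> 0;
  if (field === 0) return 0; // field 0 => shift right by 32
  return x >>> field;
}

// Old emitter (model): the 0..31 shift count JS wants goes straight into the
// immediate field, so a count of 0 is encoded as a 32-bit shift.
function buggyRshift32(value, amount) {
  return armAsrImmediate(value, amount & 31);
}
function buggyUrshift32(value, amount) {
  return armLsrImmediate(value, amount & 31);
}

// Fixed emitter (model): a count of 0 becomes a move of the source value;
// any other count is encoded as before.
function fixedRshift32(value, amount) {
  const a = amount & 31;
  if (a === 0) return value | 0; // emit mov instead of a shift
  return armAsrImmediate(value, a);
}
function fixedUrshift32(value, amount) {
  const a = amount & 31;
  if (a === 0) return value >>> 0; // emit mov instead of a shift
  return armLsrImmediate(value, a);
}

// Reference semantics: ECMAScript masks the shift count to 5 bits, so a count
// of 0 (or 32) is the identity on the int32/uint32 value.
function jsRshift(value, amount) {
  return value >> amount;
}
function jsUrshift(value, amount) {
  return value >>> amount;
}

// Sweep constructed sample values over every shift count and report each
// (op, value, amount) where the given emitter disagrees with JS semantics.
function mismatches(emitRshift, emitUrshift) {
  const samples = [0, 1, -1, -8, 0x7fffffff, -0x80000000, 0xdeadbeef | 0];
  const bad = [];
  for (const v of samples) {
    for (let amt = 0; amt < 32; amt++) {
      if (emitRshift(v, amt) !== jsRshift(v, amt)) bad.push(["rshift", v, amt]);
      if (emitUrshift(v, amt) !== jsUrshift(v, amt)) bad.push(["urshift", v, amt]);
    }
  }
  return bad;
}
```

Every mismatch reported for the buggy emitter has a shift count of 0, which is exactly the case the entry identifies; left shifts are not modelled because, as the entry notes, their immediate range already matches the assembler's 0-31 assumption.
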
2388 2016-02-15  Filip Pizlo  <fpizlo@apple.com>
2389
2390         Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr
2391         https://bugs.webkit.org/show_bug.cgi?id=154244
2392         rdar://problem/24290670
2393
2394         Reviewed by Michael Saboff.
2395
2396         * parser/ASTBuilder.h:
2397         (JSC::ASTBuilder::appendToCommaExpr): Catch the bug sooner in debug.
2398         * parser/Parser.cpp:
2399         (JSC::Parser<LexerType>::parseVariableDeclarationList): Fix the bug.
2400         * tests/stress/for-let-comma.js: Added. This used to crash in debug and release.
2401
2402 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
2403
2404         [JSC] Improve the interface of Inst::shouldTryAliasingDef()
2405         https://bugs.webkit.org/show_bug.cgi?id=154227
2406
2407         Reviewed by Andreas Kling.
2408
2409         Using Optional<> instead of a bool+reference looks cleaner
2410         at the call sites.
2411
2412         * b3/B3CheckSpecial.cpp:
2413         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
2414         * b3/B3CheckSpecial.h:
2415         * b3/air/AirCustom.h:
2416         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2417         * b3/air/AirInst.h:
2418         * b3/air/AirInstInlines.h:
2419         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2420         * b3/air/AirIteratedRegisterCoalescing.cpp:
2421         * b3/air/AirSpecial.cpp:
2422         (JSC::B3::Air::Special::shouldTryAliasingDef):
2423         * b3/air/AirSpecial.h:
2424
2425 2016-02-14  Brian Burg  <bburg@apple.com>
2426
2427         WKAutomationDelegate's requestAutomationSession should take a suggested session identifier
2428         https://bugs.webkit.org/show_bug.cgi?id=154012
2429         <rdar://problem/24557697>
2430
2431         Reviewed by Darin Adler.
2432
2433         Add a string parameter to the client method for requesting a new session.
2434
2435         * inspector/remote/RemoteInspector.h:
2436
2437 2016-02-13  Timothy Hatcher  <timothy@apple.com>
2438
2439         Fix WebAssembly bug URL in the feature list.
2440
2441         * features.json:
2442
2443 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2444
2445         Change the last RefPtr::get() to release() in String.prototype.normalize
2446         https://bugs.webkit.org/show_bug.cgi?id=154211
2447
2448         Reviewed by Ryosuke Niwa.
2449
2450         Change the last RefPtr::get() to release() in String.prototype.normalize.
2451
2452         * runtime/StringPrototype.cpp:
2453         (JSC::normalize):
2454
2455 2016-02-12  Saam barati  <sbarati@apple.com>
2456
2457         [ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration
2458         https://bugs.webkit.org/show_bug.cgi?id=154143
2459
2460         Reviewed by Benjamin Poulain.
2461
2462         We were raising syntax errors on the following type of programs when
2463         we shouldn't have been.
2464         ```
2465         (function foo() { const foo = 20; });
2466         ```
2467
2468         * parser/Parser.cpp:
2469         (JSC::Parser<LexerType>::parseFunctionInfo):
2470         * parser/Parser.h:
2471         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
2472         (JSC::Scope::declareCallee):
2473         (JSC::Scope::declareVariable):
2474         (JSC::Scope::hasDeclaredVariable):
2475         (JSC::Scope::hasLexicallyDeclaredVariable):
2476         (JSC::Scope::hasDeclaredParameter):
2477         (JSC::Scope::declareWrite):
2478         (JSC::Scope::getCapturedVars):
2479
2480 2016-02-12  Benjamin Poulain  <bpoulain@apple.com>
2481
2482         [JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64
2483         https://bugs.webkit.org/show_bug.cgi?id=154208
2484
2485         Reviewed by Filip Pizlo.
2486
2487         When lowering:
2488             @1 = Load32(@x)
2489             @2 = SExt8(@1)
2490
2491         LowerToAir would see there is a form of SignExtend8To32 (an alias for Load8S)
2492         and use that.
2493
2494         There are two problems with that:
2495         1) If we have an Addr, it went through legalizeMemoryOffsets() for a 32-bit
2496            load. If used on another kind of load, there is no guarantee the addressing
2497            is still valid.
2498         2) If we have an Index, it is computed for the 32-bit MemoryValue.
2499            The computed index is not valid for the 8-bit load.
2500
2501         (2) could be fixed by changing LowerToAir to use the current instruction width
2502         instead of the B3ValueWidth but that's a bit tricky. We should just embrace
2503         that one of our targets is a Load-Store architecture.
2504
2505         In this patch, I just disabled the faulty forms on ARM64. We still need those operations
2506         to be fast, this will be addressed in: https://bugs.webkit.org/show_bug.cgi?id=154207
2507
2508         I also strengthened the m_allowScratchRegister assertion. The instructions that do not
2509         invalidate the temporary did not run the assertion, making this harder to debug.
2510
2511         * assembler/MacroAssemblerARM64.h:
2512         (JSC::MacroAssemblerARM64::load8):
2513         (JSC::MacroAssemblerARM64::store64):
2514         (JSC::MacroAssemblerARM64::store32):
2515         (JSC::MacroAssemblerARM64::loadDouble):
2516         (JSC::MacroAssemblerARM64::storeDouble):
2517         (JSC::MacroAssemblerARM64::branch32):
2518         (JSC::MacroAssemblerARM64::branch64):
2519         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
2520         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
2521         (JSC::MacroAssemblerARM64::dataMemoryTempRegister):
2522         (JSC::MacroAssemblerARM64::cachedMemoryTempRegister):
2523         (JSC::MacroAssemblerARM64::load):
2524         (JSC::MacroAssemblerARM64::store):
2525         * b3/air/AirOpcode.opcodes:
2526
2527 2016-02-12  Michael Saboff  <msaboff@apple.com>
2528
2529         offlineasm: Emit Dwarf2 file and location directives to allow for debugging .asm files
2530         https://bugs.webkit.org/show_bug.cgi?id=152703
2531
2532         Reviewed by Mark Lam.
2533
2534         Added support to output Dwarf2 .file and .loc assembler directives to provide the debugging
2535         information needed to correlate the offline assembler generated code with the source lines 
2536         in the .asm files.
2537
2538         Changed the tracking of file data to include a file index that was provided to the .file
2539         directive.  That index is used when emitting the .loc directives.
2540
2541         * offlineasm/arm.rb:
2542         * offlineasm/arm64.rb:
2543         * offlineasm/asm.rb:
2544         * offlineasm/backends.rb:
2545         * offlineasm/config.rb:
2546         * offlineasm/parser.rb:
2547         * offlineasm/x86.rb:
2548
2549 2016-02-12  Saam barati  <sbarati@apple.com>
2550
2551         The parser doesn't properly protect against global variable references in builtins
2552         https://bugs.webkit.org/show_bug.cgi?id=154144
2553
2554         Reviewed by Geoffrey Garen.
2555
2556         This patch fixes our global variable reference detection
2557         algorithm that was broken. After fixing the algorithm, I
2558         detected many places where we were incorrectly using global
2559         variables. I've fixed all those.
2560
2561         * builtins/BuiltinExecutables.cpp:
2562         (JSC::createExecutableInternal):
2563         * builtins/NumberPrototype.js:
2564         (toLocaleString):
2565         * builtins/PromiseConstructor.js:
2566         (race):
2567         (reject):
2568         (resolve):
2569         * parser/Nodes.cpp:
2570         (JSC::ProgramNode::ProgramNode):
2571         (JSC::ModuleProgramNode::ModuleProgramNode):
2572         (JSC::ProgramNode::setClosedVariables): Deleted.
2573         * parser/Nodes.h:
2574         (JSC::ScopeNode::setClosedVariables): Deleted.
2575         (JSC::ProgramNode::closedVariables): Deleted.
2576         * parser/Parser.cpp:
2577         (JSC::Parser<LexerType>::parseInner):
2578         (JSC::Parser<LexerType>::didFinishParsing):
2579         * parser/Parser.h:
2580         (JSC::Scope::setIsLexicalScope):
2581         (JSC::Scope::isLexicalScope):
2582         (JSC::Scope::closedVariableCandidates):
2583         (JSC::Scope::declaredVariables):
2584         (JSC::Scope::lexicalVariables):
2585         (JSC::Scope::finalizeLexicalEnvironment):
2586         (JSC::Parser::positionBeforeLastNewline):
2587         (JSC::Parser::locationBeforeLastToken):
2588         (JSC::Parser::isFunctionMetadataNode):
2589         (JSC::parse):
2590         (JSC::Parser::closedVariables): Deleted.
2591
2592 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
2593
2594         JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
2595         https://bugs.webkit.org/show_bug.cgi?id=154201
2596         rdar://problem/24291387
2597
2598         Reviewed by Saam Barati.
2599
2600         I decided against adding a test for this, because it runs for a very long time.
2601
2602         * runtime/JSObject.cpp:
2603         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
2604         * runtime/StringPrototype.cpp:
2605         (JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
2606             hit the above bug, then it would probably manifest as a spin or as swapping.
2607
2608 2016-02-12  Jonathan Davis  <jond@apple.com>
2609
2610         Add WebAssembly to the status page
2611         https://bugs.webkit.org/show_bug.cgi?id=154199
2612
2613         Reviewed by Timothy Hatcher.
2614
2615         * features.json:
2616
2617 2016-02-12  Brian Burg  <bburg@apple.com>
2618
2619         Web Inspector: disambiguate the various identifier and connection types in RemoteInspector
2620         https://bugs.webkit.org/show_bug.cgi?id=154130
2621
2622         Reviewed by Joseph Pecoraro.
2623
2624         There are multiple identifier types:
2625             - connection identifier, a string UUID for a remote debugger process.
2626             - session identifier, a string UUID for a remote driver/debugger instance.
2627             - page/target identifier, a number unique within a single process.
2628
2629         There are multiple connection types:
2630             - RemoteInspectorXPCConnection, a connection from RemoteInspectorXPCConnectionor to a relay.
2631             - RemoteConnectionToTarget, a class that bridges to targets' dispatch queues.
2632
2633         Use consistent variable and getter names so that these don't get confused and
2634         so that the code is easier to read. This is especially an improvement when working
2635         with multiple target types or connection types within the same function.
2636
2637         * inspector/remote/RemoteConnectionToTarget.h:
2638         * inspector/remote/RemoteConnectionToTarget.mm:
2639         Remove the member for m_identifier since we can ask the target for its target identifier
2640         or use a default value via WTF::Optional. There's no reason to cache the value.
2641
2642         (Inspector::RemoteTargetHandleRunSourceWithInfo):
2643         (Inspector::RemoteConnectionToTarget::targetIdentifier):
2644         (Inspector::RemoteConnectionToTarget::destination):
2645         (Inspector::RemoteConnectionToTarget::setup):
2646         (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
2647         Bail out if the target pointer was somehow cleared and we can't get a useful target identifier.
2648
2649         (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): Deleted.
2650         * inspector/remote/RemoteControllableTarget.h:
2651         * inspector/remote/RemoteInspectionTarget.cpp:
2652         (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection):
2653         (Inspector::RemoteInspectionTarget::unpauseForInitializedInspector):
2654         * inspector/remote/RemoteInspector.h:
2655         * inspector/remote/RemoteInspector.mm:
2656         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
2657         (Inspector::RemoteInspector::registerTarget):
2658         (Inspector::RemoteInspector::unregisterTarget):
2659         (Inspector::RemoteInspector::updateTarget):
2660         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
2661         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2662         (Inspector::RemoteInspector::sendMessageToRemote):
2663         (Inspector::RemoteInspector::setupFailed):
2664         (Inspector::RemoteInspector::setupCompleted):
2665         (Inspector::RemoteInspector::stopInternal):
2666         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2667         (Inspector::RemoteInspector::xpcConnectionFailed):
2668         (Inspector::RemoteInspector::listingForInspectionTarget):
2669         (Inspector::RemoteInspector::listingForAutomationTarget):
2670         (Inspector::RemoteInspector::pushListingsNow):
2671         (Inspector::RemoteInspector::pushListingsSoon):
2672         (Inspector::RemoteInspector::updateHasActiveDebugSession):
2673         (Inspector::RemoteInspector::receivedSetupMessage):
2674         (Inspector::RemoteInspector::receivedDataMessage):
2675         (Inspector::RemoteInspector::receivedDidCloseMessage):
2676         (Inspector::RemoteInspector::receivedIndicateMessage):
2677         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2678         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2679         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2680         (Inspector::RemoteInspector::nextAvailableIdentifier): Deleted.
2681         * inspector/remote/RemoteInspectorConstants.h:
2682
2683 2016-02-12  Benjamin Poulain  <benjamin@webkit.org>
2684
2685         [JSC] On x86, improve the selection of which value is selected for the UseDef part of commutative operations
2686         https://bugs.webkit.org/show_bug.cgi?id=154151
2687
2688         Reviewed by Filip Pizlo.
2689
2690         Previously, when an instruction destroys an argument with
2691         a UseDef use, we would try to pick a good target for the UseDef
2692         while doing instruction selection.
2693
2694         For example:
2695             @x = Add(@1, @2)
2696
2697         can be lowered to:
2698             Move @1 Tmp3
2699             Add @2 Tmp3
2700         or
2701             Move @2 Tmp3
2702             Add @1 Tmp3
2703
2704         The choice of which value ends up copied is done by preferRightForResult()
2705         at lowering time.
2706
2707         There are two common problems with the code we generate:
2708         1) It is based on UseCount. If a value is at its last use,
2709            it is a good target for coalescing even with a use-count > 1.
2710         2) When both values are at their last use, the best choice
2711            depends on the register pressure of each. We don't have that information
2712            until we do register allocation.
2713
2714         This patch implements a simple idea to minimize how many of those Moves are needed.
2715         Each commutative operation gets a 3 op variant. The register allocator then attempts
2716         to alias *both* of them to the destination.
2717         Since our aliasing is conservative, it removes as many copies as possible without causing
2718         spilling.
2719
2720         There was an unexpected cool improvement too. If you have:
2721             Move Tmp1, Tmp2
2722             BranchAdd32 Tmp3, Tmp2
2723         we would previously restore Tmp2 by subtracting Tmp3 from the result.
2724         We can now just use Tmp1. That removes quite a few Sub from the slow paths.
2725
2726         The problem is that this simple idea uncovered a bunch of issues that had to be fixed too.
2727         I detail them inline below.
2728
2729         * assembler/MacroAssemblerARM64.h:
2730         (JSC::MacroAssemblerARM64::and64):
2731         * assembler/MacroAssemblerX86Common.h:
2732         Most additions are adding an Address version of the 3 operand opcodes.
2733         The reason for this is to allow the complex addressing forms of instructions
2734         when spilling.
2735
2736         (JSC::MacroAssemblerX86Common::and32):
2737         (JSC::MacroAssemblerX86Common::mul32):
2738         (JSC::MacroAssemblerX86Common::or32):
2739         (JSC::MacroAssemblerX86Common::xor32):
2740         (JSC::MacroAssemblerX86Common::moveDouble):
2741         This was an unexpected discovery: removing tons of Move32 made floating-point heavy
2742         code much slower.
2743
2744         It turns out the MoveDouble we were using has partial register dependencies.
2745
2746         The x86 optimization manual, Chapter 3, section 3.4.1.13 lists the move instructions executed
2747         directly on the frontend. That's what we use now.
2748
2749         (JSC::MacroAssemblerX86Common::addDouble):
2750         (JSC::MacroAssemblerX86Common::addFloat):
2751         (JSC::MacroAssemblerX86Common::mulDouble):
2752         (JSC::MacroAssemblerX86Common::mulFloat):
2753         (JSC::MacroAssemblerX86Common::andDouble):
2754         (JSC::MacroAssemblerX86Common::andFloat):
2755         (JSC::MacroAssemblerX86Common::xorDouble):
2756         (JSC::MacroAssemblerX86Common::xorFloat):
2757         If the destination is not aliased, the version taking an address
2758         uses LoadFloat/LoadDouble instead of direct addressing.
2759
2760         That is because this:
2761             Move Tmp1, Tmp2
2762             Op [Tmp3], Tmp2
2763         is slower than
2764             Move [Tmp3] Tmp2
2765             Op Tmp1, Tmp2
2766         (sometimes significantly).
2767
2768         I am not exactly sure why.
2769
2770         (JSC::MacroAssemblerX86Common::branchAdd32):
2771         * assembler/MacroAssemblerX86_64.h:
2772         (JSC::MacroAssemblerX86_64::and64):
2773         * assembler/MacroAssemblerARM64.h:
2774         (JSC::MacroAssemblerARM64::and64):
2775         * assembler/MacroAssemblerX86Common.h:
2776         (JSC::MacroAssemblerX86Common::and32):
2777         (JSC::MacroAssemblerX86Common::mul32):
2778         (JSC::MacroAssemblerX86Common::or32):
2779         (JSC::MacroAssemblerX86Common::xor32):
2780         (JSC::MacroAssemblerX86Common::moveDouble):
2781         (JSC::MacroAssemblerX86Common::addDouble):
2782         (JSC::MacroAssemblerX86Common::addFloat):
2783         (JSC::MacroAssemblerX86Common::mulDouble):
2784         (JSC::MacroAssemblerX86Common::mulFloat):
2785         (JSC::MacroAssemblerX86Common::andDouble):
2786         (JSC::MacroAssemblerX86Common::andFloat):
2787         (JSC::MacroAssemblerX86Common::xorDouble):
2788         (JSC::MacroAssemblerX86Common::xorFloat):
2789         (JSC::MacroAssemblerX86Common::branchAdd32):
2790         * assembler/MacroAssemblerX86_64.h:
2791         (JSC::MacroAssemblerX86_64::and64):
2792         (JSC::MacroAssemblerX86_64::mul64):
2793         (JSC::MacroAssemblerX86_64::xor64):
2794         (JSC::MacroAssemblerX86_64::branchAdd64):
2795         * assembler/X86Assembler.h:
2796         (JSC::X86Assembler::movapd_rr):
2797         (JSC::X86Assembler::movaps_rr):
2798         * b3/B3CheckSpecial.cpp:
2799         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
2800         (JSC::B3::CheckSpecial::generate):
2801         * b3/B3CheckSpecial.h:
2802         * b3/B3LowerToAir.cpp:
2803         (JSC::B3::Air::LowerToAir::lower):
2804         * b3/air/AirCustom.h:
2805         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2806         * b3/air/AirInst.h:
2807         * b3/air/AirInstInlines.h:
2808         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2809         * b3/air/AirIteratedRegisterCoalescing.cpp:
2810         Aliasing the operands is done the same way as any coalescing.
2811
2812         There were problems with considering all those coalescings
2813         as equivalent for the result.
2814
2815         Moves are mostly generated for Upsilon-Phis. Getting rid of
2816         those tends to give better loops.
2817
2818         Sometimes, blocks have only Phis and a Jump. Coalescing
2819         those moves gets rid of the block entirely.
2820
2821         Where it got interesting was that something like:
2822             Move Tmp1, Tmp2
2823             Op Tmp3, Tmp2
2824         was significantly better than:
2825             Op Tmp1, Tmp3
2826             Move Tmp1, Tmp4
2827         even in the same basic block.
2828
2829         To get back to the same performance, I had to prioritize
2830         regular Move operations over argument coalescing.
2831
2832         Another argument for doing this is that the alias has a shorter
2833         life in the hardware because the operation itself gets a new
2834         virtual register from the bank.
2835
2836         * b3/air/AirOpcode.opcodes:
2837         * b3/air/AirSpecial.cpp:
2838         (JSC::B3::Air::Special::shouldTryAliasingDef):
2839         * b3/air/AirSpecial.h:
2840         * b3/testb3.cpp:
2841         (JSC::B3::testCheckAddArgumentAliasing64):
2842         (JSC::B3::testCheckAddArgumentAliasing32):
2843         (JSC::B3::testCheckAddSelfOverflow64):
2844         (JSC::B3::testCheckAddSelfOverflow32):
2845         (JSC::B3::testCheckMulArgumentAliasing64):
2846         (JSC::B3::testCheckMulArgumentAliasing32):
2847         (JSC::B3::run):
2848
2849         * dfg/DFGOSRExitCompilerCommon.cpp:
2850         (JSC::DFG::reifyInlinedCallFrames):
2851         * jit/AssemblyHelpers.h:
2852         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
2853         This ruined my week.
2854
2855         When regenerating the frame of an inlined function that
2856         was called through a tail call, we were ignoring r13 for some reason.
2857
2858         Since this patch makes it more likely to increase the degree
2859         of each Tmp, the number of registers used increased and r13 was more
2860         commonly used.
2861
2862         When getting out of OSRExit, we would have that value trashed :(
2863
2864         The fix is simply to restore it like the other two Baseline callee saved
2865         registers.
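
        The UseDef target choice discussed in the entry above, as an added example that is
        not WebKit or JavaScriptCore code: a toy two-address lowering in JavaScript that
        compares the use-count heuristic the entry describes with a last-use (liveness)
        heuristic and counts the Moves each one emits. The @1, @2, ... value names, the
        program shape and the two chooser functions are all assumptions made for the
        example; the real Air opcodes and preferRightForResult() are not reproduced.

```javascript
// Added example, not JavaScriptCore code. A commutative op Add(a, b) is
// lowered to x86-style "Add src, dst", where dst must alias one operand.
// If the clobbered operand is dead after this instruction we overwrite it
// in place; otherwise we must first Move it into a fresh register.

// program: list of { op, dst, args }; 'Arg' defines a value with no inputs.
// Value names such as '@1' are hypothetical, mirroring the entry's notation.
function lowerToTwoAddress(program, choose) {
  const usePositions = new Map(); // value -> instruction indices that use it
  program.forEach((inst, i) => inst.args.forEach((v) => {
    if (!usePositions.has(v)) usePositions.set(v, []);
    usePositions.get(v).push(i);
  }));
  const asm = [];
  let moves = 0;
  program.forEach((inst, i) => {
    if (inst.op === 'Arg') return;
    const info = (v) => ({
      name: v,
      useCount: usePositions.get(v).length,
      lastUse: usePositions.get(v)[usePositions.get(v).length - 1] === i,
    });
    const [a, b] = inst.args.map(info);
    const target = choose(a, b);          // operand whose register becomes dst
    const other = target === a ? b : a;
    if (target.lastUse) {
      // target dies here, so its register can simply be renamed to dst
      asm.push(`${inst.op} ${other.name}, ${target.name}   ; reuse as ${inst.dst}`);
    } else {
      moves++;
      asm.push(`Move ${target.name}, ${inst.dst}`);
      asm.push(`${inst.op} ${other.name}, ${inst.dst}`);
    }
  });
  return { asm, moves };
}

// Heuristic 1 (the use-count based choice the entry calls out): only a
// use-count of one looks attractive; otherwise fall back to the left operand.
const byUseCount = (a, b) => (b.useCount === 1 && a.useCount !== 1 ? b : a);
// Heuristic 2: prefer an operand at its last use, whatever its use-count.
const byLastUse = (a, b) => (b.lastUse && !a.lastUse ? b : a);

// Constructed input. @2 is used twice and its second use is at @4, where @1
// is still live: use-count alone cannot see that @2 is about to die there.
const sampleProgram = [
  { op: 'Arg', dst: '@1', args: [] },
  { op: 'Arg', dst: '@2', args: [] },
  { op: 'Add', dst: '@3', args: ['@1', '@2'] },
  { op: 'Add', dst: '@4', args: ['@1', '@2'] },
  { op: 'Add', dst: '@5', args: ['@1', '@3'] },
];

function compareHeuristics() {
  return {
    useCountMoves: lowerToTwoAddress(sampleProgram, byUseCount).moves, // 2
    lastUseMoves: lowerToTwoAddress(sampleProgram, byLastUse).moves,   // 1
  };
}
```

        The first Add needs a Move under both heuristics because neither operand is dead
        yet; the difference is the second Add, where the use-count rule still copies @1
        although @2 could have been clobbered for free. The patch sidesteps the choice
        entirely by letting the register allocator try to alias both operands.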
2866
2867 2016-02-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2868
2869         [ES6] Implement @@search
2870         https://bugs.webkit.org/show_bug.cgi?id=143889
2871
2872         Reviewed by Darin Adler.
2873
2874         Implement RegExp.prototype[@@search].
2875         In ES6, String.prototype.search delegates the actual matching to it
2876         instead of executing RegExp matching inside the String.prototype.search method itself.
2877         By customizing @@search method, we can change the behavior of String.prototype.search for
2878         derived / customized RegExp object.
2879
2880         * CMakeLists.txt:
2881         * DerivedSources.make:
2882         * builtins/BuiltinNames.h:
2883         (JSC::BuiltinNames::BuiltinNames): Deleted.
2884         * builtins/BuiltinUtils.h:
2885         * builtins/StringPrototype.js:
2886         (search):
2887         * bytecode/BytecodeIntrinsicRegistry.cpp:
2888         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2889         * bytecode/BytecodeIntrinsicRegistry.h:
2890         * runtime/CommonIdentifiers.h:
2891         * runtime/JSGlobalObject.cpp:
2892         (JSC::JSGlobalObject::init):
2893         * runtime/RegExpPrototype.cpp:
2894         (JSC::RegExpPrototype::finishCreation):
2895         (JSC::regExpProtoFuncSearch):
2896         * runtime/RegExpPrototype.h:
2897         (JSC::RegExpPrototype::create):
2898         * runtime/StringPrototype.cpp:
2899         (JSC::StringPrototype::getOwnPropertySlot):
2900         (JSC::StringPrototype::finishCreation): Deleted.
2901         (JSC::stringProtoFuncSearch): Deleted.
2902         * runtime/StringPrototype.h:
2903         * tests/es6.yaml:
2904         * tests/stress/regexp-search.js: Added.
2905         (shouldBe):
2906         (shouldThrow):
2907         (errorKey.toString):
2908         (primitive.of.primitives.shouldThrow):
2909         (testRegExpSearch):
2910         (testSearch):
2911         (testBoth):
2912         (alwaysUnmatch):
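
        The delegation described in the entry above, as an added example that is not
        JavaScriptCore code: a RegExp subclass and a plain object that each supply their
        own @@search, run through String.prototype.search. The NeverMatch and atSign
        names are assumptions made for the example; the engine's regexp-search.js test is
        not reproduced.

```javascript
// Added example, not JavaScriptCore code: String.prototype.search delegates
// to the argument's @@search method (RegExp.prototype[Symbol.search] for a
// plain RegExp), so overriding @@search on a RegExp subclass, or supplying
// any object that has one, changes what "str".search(x) returns.

// RegExp subclass whose @@search counts calls and always reports "no match"
// (same idea as the alwaysUnmatch helper named in the entry's test file).
class NeverMatch extends RegExp {
  constructor(source, flags) { super(source, flags); this.calls = 0; }
  [Symbol.search](str) { this.calls++; return -1; }
}

// Any object with a @@search method is accepted; it need not be a RegExp.
const atSign = { [Symbol.search](str) { return str.indexOf('@'); } };

function searchDemo() {
  const re = new NeverMatch('a');
  const plainHit = 'banana'.search(/a/);                // 1, built-in @@search
  const overridden = 'banana'.search(re);               // -1, subclass wins
  const viaObject = 'user@example.test'.search(atSign); // 4
  // A non-RegExp argument without @@search is wrapped: new RegExp('[0-9]').
  const coerced = 'x1y'.search('[0-9]');                // 1
  // The built-in @@search saves and restores lastIndex around the match, so
  // a global regexp's lastIndex is untouched and the search starts at 0.
  const g = /a/g;
  g.lastIndex = 5;
  const globalIdx = 'banana'.search(g);                 // 1
  const lastIndexAfter = g.lastIndex;                   // still 5
  return { plainHit, overridden, calls: re.calls, viaObject, coerced, globalIdx, lastIndexAfter };
}
```

        The lastIndex case is the part that is easy to get wrong when reimplementing
        @@search: the spec requires the previous lastIndex to be restored after the
        match, which is why 'banana'.search(g) finds the first 'a' even though g was
        positioned past it.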
2913
2914 2016-02-12  Keith Miller  <keith_miller@apple.com>
2915
2916         AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself
2917         https://bugs.webkit.org/show_bug.cgi?id=154146
2918
2919         Reviewed by Filip Pizlo.
2920
2921         Consider the following: there is some CodeBlock, C, that is watching some object, O, with a
2922         structure, S, for replacements. Also, suppose that C has no references anymore and is due to
2923         be GCed. Now, when some new property is added to O, S will create a new structure S' and
2924         fire its transition watchpoints. Since C is watching S for replacements it will attempt to
2925         have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs
2926         to allocate RareData on S'. This allocation may cause a GC, which frees C while still
2927         executing its watchpoint handler. The solution to this is to defer GC while running
2928         AdaptiveInferredPropertyValueWatchpointBase handlers.
2929
2930         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2931         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2932
2933 2016-02-12  Gavin Barraclough  <barraclough@apple.com>
2934
2935         Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot
2936         https://bugs.webkit.org/show_bug.cgi?id=154156
2937
2938         Reviewed by Chris Dumez.
2939
2940         * runtime/CommonIdentifiers.h:
2941             - added new property names, needed by jsDOMWindowGetOwnPropertySlotDisallowAccess.
2942
2943 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2944
2945         Update ICU header files to version 52
2946         https://bugs.webkit.org/show_bug.cgi?id=154160
2947
2948         Reviewed by Alex Christensen.
2949
2950         Update ICU header files to version 52 to allow the use of newer APIs.
2951
2952         * icu/unicode/localpointer.h:
2953         * icu/unicode/platform.h:
2954         * icu/unicode/ptypes.h:
2955         * icu/unicode/putil.h:
2956         * icu/unicode/ucal.h:
2957         * icu/unicode/uchar.h:
2958         * icu/unicode/ucnv.h:
2959         * icu/unicode/ucol.h:
2960         * icu/unicode/uconfig.h:
2961         * icu/unicode/udat.h:
2962         * icu/unicode/udatpg.h:
2963         * icu/unicode/udisplaycontext.h: Added.
2964         * icu/unicode/uenum.h:
2965         * icu/unicode/uformattable.h: Added.
2966         * icu/unicode/uiter.h:
2967         * icu/unicode/uloc.h:
2968         * icu/unicode/umachine.h:
2969         * icu/unicode/unorm2.h:
2970         * icu/unicode/unum.h:
2971         * icu/unicode/urename.h:
2972         * icu/unicode/uscript.h:
2973         * icu/unicode/uset.h:
2974         * icu/unicode/ustring.h:
2975         * icu/unicode/utf.h:
2976         * icu/unicode/utf16.h:
2977         * icu/unicode/utf8.h:
2978         * icu/unicode/utf_old.h:
2979         * icu/unicode/utypes.h:
2980         * icu/unicode/uvernum.h:
2981         * icu/unicode/uversion.h:
2982
2983 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
2984
2985         Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the possibility of a descriptor that doesn't have a value
2986         https://bugs.webkit.org/show_bug.cgi?id=154175
2987         rdar://problem/24291497
2988
2989         Reviewed by Geoffrey Garen.
2990
2991         * runtime/JSObject.cpp:
2992         (JSC::JSObject::defineOwnIndexedProperty): Fix the bug.
2993         * runtime/SparseArrayValueMap.cpp:
2994         (JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
2995         (JSC::SparseArrayValueMap::putDirect):
2996         * tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.
2997
2998 2016-02-11  Brian Burg  <bburg@apple.com>
2999
3000         Web Inspector: RemoteInspector's listings should include whether an AutomationTarget is paired
3001         https://bugs.webkit.org/show_bug.cgi?id=154077
3002         <rdar://problem/24589133>
3003
3004         Reviewed by Joseph Pecoraro.
3005
3006         Instead of not generating a listing for the target when it is occupied,
3007         generate the listing with a 'paired' flag. The old flag was redundant
3008         because a _WKAutomationDelegate will not create a session if it doesn't
3009         support automation or it already has an active session.
3010
3011         * inspector/remote/RemoteAutomationTarget.cpp:
3012         (Inspector::RemoteAutomationTarget::setIsPaired):
3013         (Inspector::RemoteAutomationTarget::setAutomationAllowed): Deleted.
3014         * inspector/remote/RemoteAutomationTarget.h:
3015         Return false for remoteControlAllowed() if the target is already paired.
3016         This function is used by RemoteInspector to deny incoming connections.
3017
3018         * inspector/remote/RemoteInspector.mm:
3019         (Inspector::RemoteInspector::listingForAutomationTarget):
3020         * inspector/remote/RemoteInspectorConstants.h:
3021
3022 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3023
3024         DFG::ByteCodeParser needs to null check the result of presenceLike()
3025         https://bugs.webkit.org/show_bug.cgi?id=154135
3026         rdar://problem/24291586
3027
3028         Reviewed by Geoffrey Garen.
3029
3030         ByteCodeParser::presenceLike() could return a null object property condition if it detects a
3031         contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
3032         bail from using a property condition when that happens.
3033
3034         * bytecode/ObjectPropertyCondition.h:
3035         (JSC::ObjectPropertyCondition::equivalence):
3036         (JSC::ObjectPropertyCondition::operator bool):
3037         (JSC::ObjectPropertyCondition::object):
3038         (JSC::ObjectPropertyCondition::condition):
3039         (JSC::ObjectPropertyCondition::operator!): Deleted.
3040         * bytecode/PropertyCondition.h:
3041         (JSC::PropertyCondition::equivalence):
3042         (JSC::PropertyCondition::operator bool):
3043         (JSC::PropertyCondition::kind):
3044         (JSC::PropertyCondition::uid):
3045         (JSC::PropertyCondition::operator!): Deleted.
3046         * dfg/DFGByteCodeParser.cpp:
3047         (JSC::DFG::ByteCodeParser::check):
3048         (JSC::DFG::ByteCodeParser::load):
3049
3050 2016-02-11  Benjamin Poulain  <benjamin@webkit.org>
3051
3052         [JSC] SqrtFloat and CeilFloat also suffer from partial register stalls
3053         https://bugs.webkit.org/show_bug.cgi?id=154131
3054
3055         Reviewed by Filip Pizlo.
3056
3057         Looks like I forgot to update this when adding Float support.
3058         Credit to Filip for finding this issue.
3059
3060         * b3/air/AirFixPartialRegisterStalls.cpp:
3061
3062 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3063
3064         Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized()
3065         https://bugs.webkit.org/show_bug.cgi?id=154126
3066
3067         Reviewed by Saam Barati.
3068
3069         * runtime/ArrayPrototype.cpp:
3070         (JSC::arrayProtoFuncSplice):
3071
3072 2016-02-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3073
3074         [INTL] Implement Intl.NumberFormat.prototype.resolvedOptions ()
3075         https://bugs.webkit.org/show_bug.cgi?id=147602
3076
3077         Reviewed by Darin Adler.
3078
3079         This patch implements Intl.NumberFormat.prototype.resolvedOptions() according
3080         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
3081
3082         * runtime/IntlDateTimeFormat.cpp:
3083         (JSC::localeData):
3084         * runtime/IntlNumberFormat.cpp:
3085         (JSC::localeData):
3086         (JSC::computeCurrencySortKey):
3087         (JSC::extractCurrencySortKey):
3088         (JSC::computeCurrencyDigits):
3089         (JSC::IntlNumberFormat::initializeNumberFormat):
3090         (JSC::IntlNumberFormat::styleString):
3091         (JSC::IntlNumberFormat::currencyDisplayString):
3092         (JSC::IntlNumberFormat::resolvedOptions):
3093         (JSC::IntlNumberFormat::setBoundFormat):
3094         * runtime/IntlNumberFormat.h:
3095         * runtime/IntlNumberFormatConstructor.cpp:
3096         (JSC::constructIntlNumberFormat):
3097         (JSC::callIntlNumberFormat):
3098         * runtime/IntlNumberFormatPrototype.cpp:
3099         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3100         * runtime/IntlObject.cpp:
3101         (JSC::intlNumberOption):
3102         (JSC::numberingSystemsForLocale):
3103         (JSC::getNumberingSystemsForLocale): Deleted.
3104         * runtime/IntlObject.h:
3105
3106 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3107
3108         MacroAssemblerX86 should be happy with shift(cx, cx)
3109         https://bugs.webkit.org/show_bug.cgi?id=154124
3110
3111         Reviewed by Saam Barati.
3112
3113         Prior to this change the assembler asserted that shift_amount and dest cannot be the same.
3114         That's a good assertion for when shift_amount is not in cx. But if it's in cx already then
3115         it's OK for them to be the same. Air will sometimes do shift(cx, cx) if you do "x << x" and
3116         the coalescing got particularly clever.
3117
3118         * assembler/MacroAssemblerX86Common.h:
3119         (JSC::MacroAssemblerX86Common::lshift32):
3120         (JSC::MacroAssemblerX86Common::rshift32):
3121         (JSC::MacroAssemblerX86Common::urshift32):
3122         * assembler/MacroAssemblerX86_64.h:
3123         (JSC::MacroAssemblerX86_64::lshift64):
3124         (JSC::MacroAssemblerX86_64::rshift64):
3125         (JSC::MacroAssemblerX86_64::urshift64):
3126         * b3/testb3.cpp:
3127         (JSC::B3::testLShiftSelf32):
3128         (JSC::B3::testRShiftSelf32):
3129         (JSC::B3::testURShiftSelf32):
3130         (JSC::B3::testLShiftSelf64):
3131         (JSC::B3::testRShiftSelf64):
3132         (JSC::B3::testURShiftSelf64):
3133         (JSC::B3::run):
3134
3135 2016-02-11  Saam barati  <sbarati@apple.com>
3136
3137         The sampling profiler's stack walker methods should be marked with SUPPRESS_ASAN
3138         https://bugs.webkit.org/show_bug.cgi?id=154123
3139
3140         Reviewed by Mark Lam.
3141
3142         The entire premise of the sampling profiler is to load from
3143         another thread's memory. We should SUPPRESS_ASAN on the
3144         methods that do this.
3145
3146         * runtime/SamplingProfiler.cpp:
3147         (JSC::FrameWalker::FrameWalker):
3148         (JSC::FrameWalker::walk):
3149         (JSC::FrameWalker::advanceToParentFrame):
3150         (JSC::FrameWalker::isAtTop):
3151         (JSC::FrameWalker::resetAtMachineFrame):
3152
3153 2016-02-11  Csaba Osztrogonác  <ossy@webkit.org>
3154
3155         Unreviewed typo fix after r190063.
3156
3157         * dfg/DFGSpeculativeJIT.cpp: Removed property svn:executable.
3158         * dfg/DFGSpeculativeJIT.h: Removed property svn:executable.
3159         * jit/JIT.h: Removed property svn:executable.
3160         * jit/JITInlines.h: Removed property svn:executable.
3161         * jit/JITOpcodes.cpp: Removed property svn:executable.
3162
3173 2016-02-10  Keith Miller  <keith_miller@apple.com>
3174
3175         Symbol.species accessors on builtin constructors should be configurable
3176         https://bugs.webkit.org/show_bug.cgi?id=154097
3177
3178         Reviewed by Benjamin Poulain.
3179
3180         We did not have the Symbol.species accessors on our builtin constructors
3181         marked as configurable. This does not accurately follow the ES6 spec as
3182         the ES6 spec states that all default accessors on builtins should be
3183         configurable. This means that we need an additional watchpoint on
3184         ArrayConstructor to make sure that no user re-configures Symbol.species.
3185
3186         * runtime/ArrayConstructor.cpp:
3187         (JSC::ArrayConstructor::finishCreation):
3188         * runtime/ArrayPrototype.cpp:
3189         (JSC::speciesConstructArray):
3190         (JSC::ArrayPrototype::setConstructor):
3191         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3192         * runtime/ArrayPrototype.h:
3193         (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
3194         (JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
3195         * runtime/JSArrayBufferConstructor.cpp:
3196         (JSC::JSArrayBufferConstructor::finishCreation):
3197         * runtime/JSPromiseConstructor.cpp:
3198         (JSC::JSPromiseConstructor::finishCreation):
3199         * runtime/JSTypedArrayViewConstructor.cpp:
3200         (JSC::JSTypedArrayViewConstructor::finishCreation):
3201         * runtime/MapConstructor.cpp:
3202         (JSC::MapConstructor::finishCreation):
3203         * runtime/RegExpConstructor.cpp:
3204         (JSC::RegExpConstructor::finishCreation):
3205         * runtime/SetConstructor.cpp:
3206         (JSC::SetConstructor::finishCreation):
3207         * tests/stress/array-species-config-array-constructor.js: Added.
3208         (A):
3209         * tests/stress/symbol-species.js:
3210         (testSymbolSpeciesOnConstructor):
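
        The configurable @@species accessors discussed in the entry above, as an added
        example that is not JavaScriptCore code: it inspects the descriptors on the
        built-in constructors the entry lists, shows a subclass choosing its own species,
        and temporarily redefines Array[Symbol.species] on the real Array constructor
        (the global mutation the new ArrayConstructor watchpoint has to detect). The
        Tagged class and the helper names are assumptions made for the example.

```javascript
// Added example, not JavaScriptCore code: ES6 defines every built-in
// @@species as an accessor with [[Configurable]]: true, and ArraySpeciesCreate
// consults Array[Symbol.species] when map/filter/slice build their result.

function speciesDescriptor(Ctor) {
  const d = Object.getOwnPropertyDescriptor(Ctor, Symbol.species);
  return { isAccessor: typeof d.get === 'function', configurable: d.configurable, enumerable: d.enumerable };
}

// The constructors touched by the entry (TypedArray is %TypedArray%, the
// prototype of the concrete typed array constructors).
const speciesConstructors = [Array, ArrayBuffer, Map, Promise, RegExp, Set, Object.getPrototypeOf(Uint8Array)];

function allBuiltinSpeciesConfigurable() {
  return speciesConstructors.every((C) => {
    const d = speciesDescriptor(C);
    return d.isAccessor && d.configurable && !d.enumerable;
  });
}

// A subclass whose species is the plain Array: map() on a Tagged instance
// therefore returns a plain Array, not another Tagged.
class Tagged extends Array {
  static get [Symbol.species]() { return Array; }
}

function subclassSpeciesDemo() {
  const t = Tagged.from([1, 2, 3]);
  const mapped = t.map((x) => x * 2);
  return { inputIsTagged: t instanceof Tagged, resultIsTagged: mapped instanceof Tagged, result: Array.from(mapped) };
}

// Redefine Array[Symbol.species] itself, counting how often filter() reads
// it, and restore the original accessor in finally so global state is clean.
function redefineGlobalSpecies() {
  const original = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  let reads = 0;
  try {
    Object.defineProperty(Array, Symbol.species, {
      configurable: true,
      get() { reads++; return Array; },
    });
    const result = [1, 2, 3].filter((x) => x > 1); // ArraySpeciesCreate reads species once
    return { reads, result };
  } finally {
    Object.defineProperty(Array, Symbol.species, original);
  }
}
```

        Because the accessor is configurable, an engine cannot bake "Array[Symbol.species]
        is the default" into compiled code without watching for exactly the defineProperty
        call in redefineGlobalSpecies; that is the watchpoint the entry adds.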
3211
3212 2016-02-10  Benjamin Poulain  <benjamin@webkit.org>
3213
3214         [JSC] The destination of Sqrt should be Def, not UseDef
3215         https://bugs.webkit.org/show_bug.cgi?id=154086
3216
3217         Reviewed by Geoffrey Garen.
3218
3219         An unfortunate copy-paste: the destination of SqrtDouble and SqrtFloat
3220         was defined as UseDef. As a result, the argument would be interfering
3221         with everything defined prior.
3222
3223         * b3/air/AirOpcode.opcodes:
3224
3225 2016-02-10  Chris Dumez  <cdumez@apple.com>
3226
3227         [Web IDL] interface objects should be Function objects
3228         https://bugs.webkit.org/show_bug.cgi?id=154038
3229         <rdar://problem/24569358>
3230
3231         Reviewed by Geoffrey Garen.
3232
3233         Update functionProtoFuncToString() to handle JSObjects that
3234         have the TypeOfShouldCallGetCallData flag and are callable,
3235         as these behave like functions and use ClassInfo::className()
3236         as function name in this case.
3237
3238         * runtime/FunctionPrototype.cpp:
3239         (JSC::functionProtoFuncToString):
3240
3241 2016-02-10  Chris Dumez  <cdumez@apple.com>
3242
3243         Attributes on the Window instance should be configurable unless [Unforgeable]
3244         https://bugs.webkit.org/show_bug.cgi?id=153920
3245         <rdar://problem/24563211>
3246
3247         Reviewed by Darin Adler.
3248
3249         Marking the Window instance attributes as configurable would cause
3250         getOwnPropertyDescriptor() to report them as configurable, as
3251         expected. However, trying to delete them would actually lead to
3252         unexpected behavior because:
3253         - We did not reify custom accessor properties (most of the Window
3254           properties are custom accessors) upon deletion.
3255         - For non-reified static properties marked as configurable,
3256           JSObject::deleteProperty() would attempt to call the property
3257           setter with undefined. As a result, calling delete window.name
3258           would cause window.name to become the string "undefined" instead
3259           of the undefined value.
3260
3261         * runtime/JSObject.cpp:
3262         (JSC::getClassPropertyNames):
3263         Now that we reify ALL properties, we only need to check the property table
3264         if we have not reified. As a result, I dropped the 'didReify' parameter for
3265         this function and instead only call this function if we have not yet reified.
3266
3267         (JSC::JSObject::putInlineSlow):
3268         Only call putEntry() if we have not reified: Drop the
3269         '|| !(entry->attributes() & BuiltinOrFunctionOrAccessor)'
3270         check as such properties now get reified as well.
3271
3272         (JSC::JSObject::deleteProperty):
3273         - Call reifyAllStaticProperties() instead of reifyStaticFunctionsForDelete()
3274           so that we now reify all properties upon deletion, including the custom
3275           accessors. reifyStaticFunctionsForDelete() is now removed and the same
3276           reification function is now used by: deletion, getOwnPropertyDescriptor()
3277           and eager reification of the prototype objects in the bindings.
3278         - Drop code that falls back to calling the static property setter with
3279           undefined if we cannot find the property in the property storage. As
3280           we now reify ALL properties, the code removing the property from the
3281           property storage should succeed, provided that the property actually
3282           exists.
3283
3284         (JSC::JSObject::getOwnNonIndexPropertyNames):
3285         Only call getClassPropertyNames() if we have not reified. We should no longer
3286         check the static property table after reifying now that we reify all
3287         properties.
3288
3289         (JSC::JSObject::reifyAllStaticProperties):
3290         Merge with reifyStaticFunctionsForDelete(). The only behavior change is the
3291         flattening to an uncacheable dictionary, like reifyStaticFunctionsForDelete()
3292         used to do.
3293
3294         * runtime/JSObject.h:
3295
3296 2016-02-10  Commit Queue  <commit-queue@webkit.org>
3297
3298         Unreviewed, rolling out r196251.
3299         https://bugs.webkit.org/show_bug.cgi?id=154078
3300
3301         Large regression on Dromaeo needs explanation (Requested by
3302         kling on #webkit).
3303
3304         Reverted changeset:
3305
3306         "Visiting a WeakBlock should report bytes visited, since we
3307         reported them allocated."
3308         https://bugs.webkit.org/show_bug.cgi?id=153978
3309         http://trac.webkit.org/changeset/196251
3310
3311 2016-02-10  Csaba Osztrogonác  <ossy@webkit.org>
3312
3313         REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux
3314         https://bugs.webkit.org/show_bug.cgi?id=154064
3315
3316         Reviewed by Mark Lam.
3317
3318         * bytecode/PolymorphicAccess.cpp:
3319         (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
3320         * dfg/DFGSpeculativeJIT.h: Fixed the comment.
3321         * jit/CCallHelpers.h:
3322         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
3323         * wasm/WASMFunctionCompiler.h: Fixed the comment.
3324
3325 2016-02-09  Keith Miller  <keith_miller@apple.com>
3326
3327         calling methods off super in a class constructor should check for TDZ
3328         https://bugs.webkit.org/show_bug.cgi?id=154060
3329
3330         Reviewed by Ryosuke Niwa.
3331
3332         In a class constructor we need to check for TDZ when calling a method
3333         off the super class. This is because, for super method calls, we use
3334         the derived class's newly constructed object as the super method's
3335         this value.
3336
3337         * bytecompiler/NodesCodegen.cpp:
3338         (JSC::FunctionCallDotNode::emitBytecode):
3339         * tests/stress/super-method-calls-check-tdz.js: Added.
3340         (Base):
3341         (Derived):
3342         (test):
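
        The TDZ check described in the entry above, as an added example that is not
        JavaScriptCore code: a derived class that calls a super method before super()
        and one that calls it after, constructed through a small helper that reports
        the outcome. The Base, CallsSuperTooEarly, CallsSuperInOrder and tryConstruct
        names are assumptions made for the example; the engine's stress test is not
        reproduced.

```javascript
// Added example, not JavaScriptCore code: in a derived-class constructor
// `this` is in the temporal dead zone until super() returns. A super.method()
// call uses `this` as the receiver, so evaluating it before super() must
// throw a ReferenceError rather than hand the method a dead binding.

class Base {
  constructor() { this.initialised = true; }
  whoAmI() { return this; }
}

class CallsSuperTooEarly extends Base {
  constructor() {
    super.whoAmI(); // receiver is `this`, still in the TDZ: ReferenceError
    super();
  }
}

class CallsSuperInOrder extends Base {
  constructor() {
    super();
    this.viaSuper = super.whoAmI(); // fine: `this` now exists
  }
}

// Construct and report either the instance or the thrown error's class name.
function tryConstruct(Ctor) {
  try {
    return { ok: true, value: new Ctor() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

        The receiver passed to whoAmI() in the in-order case is the derived instance
        itself, which is exactly why the early call cannot be allowed: there is no object
        to pass yet.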
3343
3344 2016-02-09  Filip Pizlo  <fpizlo@apple.com>
3345
3346         Don't crash if we fail to parse a builtin
3347         https://bugs.webkit.org/show_bug.cgi?id=154047
3348         rdar://problem/24300617
3349
3350         Reviewed by Mark Lam.
3351
3352         Crashing probably seemed like a good idea at the time, but we could get here in case of a
3353         near stack overflow, so that the parser bails because of recursion.
3354
3355         * parser/Parser.h:
3356         (JSC::parse):
3357
3358 2016-02-07  Gavin Barraclough  <barraclough@apple.com>
3359
3360         GetValueFunc/PutValueFunc should not take both slotBase and thisValue
3361         https://bugs.webkit.org/show_bug.cgi?id=154009
3362
3363         Reviewed by Geoff Garen.
3364
3365         In JavaScript there are two types of properties - regular value properties, and accessor properties.
3366         One difference between these is how they are reflected by getOwnPropertyDescriptor, and another is
3367         what object they operate on in the case of a prototype access. If you access a value property of a
3368         prototype object it returns a value pertinent to the prototype, but in the case of a prototype object
3369         returning an accessor, then the accessor function is applied to the base object of the access.
3370
3371         JSC supports special 'custom' properties implemented as a c++ callback, and these custom properties
3372         can be used to implement either value- or accessor-like behavior. getOwnPropertyDescriptor behavior
3373         is selected via the Custo