WebKit-https.git / Source / JavaScriptCore / ChangeLog @ 7bf9b8e9631e8e5b051afe7a481e38c31f3aaa3d
2015-10-22  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at JavaScriptCore:JSC::ExecState::bytecodeOffset + 174
        https://bugs.webkit.org/show_bug.cgi?id=150434

        Reviewed by Mark Lam.

        Pass the current frame instead of the caller frame to operationVMHandleException when processing an
        exception in one of the native thunks.

        * jit/JITExceptions.cpp:
        (JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2015-10-21  Brian Burg  <bburg@apple.com>

        Restructure generate-js-bindings script to be modular and testable
        https://bugs.webkit.org/show_bug.cgi?id=149929

        Reviewed by Alex Christensen.

        This is a new code generator, based on the replay inputs code generator and
        the inspector protocol code generator, which produces various files for JS
        builtins.

        Relative to the generator it replaces, this one consolidates two scripts in
        JavaScriptCore and WebCore into a single script with multiple files. Parsed
        information about the builtins file is stored in backend-independent model
        objects. Each output file has its own code generator that uses the model to
        produce resulting code. Generators are additionally parameterized by the target
        framework (to choose correct macros and includes) and output mode (one
        header/implementation file per builtin or per framework).

        It includes a few simple tests of the generator's functionality. These result-
        based tests will become increasingly more important as we start to add support
        for builtins annotations such as @optional, @internal, etc. to the code generator.

        Some of these complexities, such as having two output modes, will be removed in
        subsequent patches. This patch is intended to exactly replace the existing
        functionality with a unified script that makes additional cleanups straightforward.

        Additional cleanup and consolidation between inspector code generator scripts
        and this script will be pursued in followup patches.

        New tests:

        Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js
        Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js
        Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js
        Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js
        Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js
        Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js
        Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js
        Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js
        Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js
        Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js


        * CMakeLists.txt:

            Copy the scripts that are used by other targets to a staging directory inside
            ${DERIVED_SOURCES_DIR}/ForwardingHeaders/JavaScriptCore/Scripts.
            Define JavaScriptCore_SCRIPTS_DIR to point here so that the add_custom_command
            and shared file lists are identical between JavaScriptCore and WebCore. The staged
            scripts are a dependency of the main JavaScriptCore target so that they are
            always staged, even if JavaScriptCore itself does not use a particular script.

            The output files additionally depend on all builtin generator script files
            and input files that are combined into the single header/implementation file.

        * DerivedSources.make:

            Define JavaScriptCore_SCRIPTS_DIR explicitly so the rule for code generation and
            shared file lists are identical between JavaScriptCore and WebCore.

            The output files additionally depend on all builtin generator script files
            and input files that are combined into the single header/implementation file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

            Mark the new builtins generator files as private headers so we can use them from
            WebCore.

        * Scripts/UpdateContents.py: Renamed from Source/JavaScriptCore/UpdateContents.py.
        * Scripts/builtins/__init__.py: Added.
        * Scripts/builtins/builtins.py: Added.
        * Scripts/builtins/builtins_generator.py: Added. This file contains the base generator.
        (WK_lcfirst):
        (WK_ucfirst):
        (BuiltinsGenerator):
        (BuiltinsGenerator.__init__):
        (BuiltinsGenerator.model):
        (BuiltinsGenerator.generate_license):
        (BuiltinsGenerator.generate_includes_from_entries):
        (BuiltinsGenerator.generate_output):
        (BuiltinsGenerator.output_filename):
        (BuiltinsGenerator.mangledNameForFunction):
        (BuiltinsGenerator.mangledNameForFunction.toCamel):
        (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
        * Scripts/builtins/builtins_model.py: Added. This file contains builtins model objects.
        (ParseException):
        (Framework):
        (Framework.__init__):
        (Framework.setting):
        (Framework.fromString):
        (Frameworks):
        (BuiltinObject):
        (BuiltinObject.__init__):
        (BuiltinFunction):
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        (BuiltinFunction.__str__):
        (BuiltinsCollection):
        (BuiltinsCollection.__init__):
        (BuiltinsCollection.parse_builtins_file):
        (BuiltinsCollection.copyrights):
        (BuiltinsCollection.all_functions):
        (BuiltinsCollection._parse_copyright_lines):
        (BuiltinsCollection._parse_functions):
        * Scripts/builtins/builtins_templates.py: Added.
        (BuiltinsGeneratorTemplates):
        * Scripts/builtins/builtins_generate_combined_header.py: Added.
        (BuiltinsCombinedHeaderGenerator):
        (BuiltinsCombinedHeaderGenerator.__init__):
        (BuiltinsCombinedHeaderGenerator.output_filename):
        (BuiltinsCombinedHeaderGenerator.generate_output):
        (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
        (FunctionExecutable):
        (VM):
        (ConstructAbility):
        (generate_section_for_object):
        (generate_externs_for_object):
        (generate_macros_for_object):
        (generate_defines_for_object):
        (generate_section_for_code_table_macro):
        (generate_section_for_code_name_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py: Added.
        (BuiltinsCombinedImplementationGenerator):
        (BuiltinsCombinedImplementationGenerator.__init__):
        (BuiltinsCombinedImplementationGenerator.output_filename):
        (BuiltinsCombinedImplementationGenerator.generate_output):
        (BuiltinsCombinedImplementationGenerator.generate_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py: Added.
        (BuiltinsSeparateHeaderGenerator):
        (BuiltinsSeparateHeaderGenerator.__init__):
        (BuiltinsSeparateHeaderGenerator.output_filename):
        (BuiltinsSeparateHeaderGenerator.macro_prefix):
        (BuiltinsSeparateHeaderGenerator.generate_output):
        (BuiltinsSeparateHeaderGenerator.generate_forward_declarations):
        (FunctionExecutable):
        (generate_header_includes):
        (generate_section_for_object):
        (generate_externs_for_object):
        (generate_macros_for_object):
        (generate_defines_for_object):
        (generate_section_for_code_table_macro):
        (generate_section_for_code_name_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py: Added.
        (BuiltinsSeparateImplementationGenerator):
        (BuiltinsSeparateImplementationGenerator.__init__):
        (BuiltinsSeparateImplementationGenerator.output_filename):
        (BuiltinsSeparateImplementationGenerator.macro_prefix):
        (BuiltinsSeparateImplementationGenerator.generate_output):
        (BuiltinsSeparateImplementationGenerator.generate_header_includes):
        * Scripts/builtins/builtins_generate_separate_wrapper.py: Added.
        (BuiltinsSeparateWrapperGenerator):
        (BuiltinsSeparateWrapperGenerator.__init__):
        (BuiltinsSeparateWrapperGenerator.output_filename):
        (BuiltinsSeparateWrapperGenerator.macro_prefix):
        (BuiltinsSeparateWrapperGenerator.generate_output):
        (BuiltinsSeparateWrapperGenerator.generate_header_includes):
        * Scripts/generate-js-builtins.py: Added.

            Parse command line options, decide which generators and output modes to use.

        (generate_bindings_for_builtins_files):
        * Scripts/lazywriter.py: Copied from the inspector protocol generator.
        (LazyFileWriter):
        (LazyFileWriter.__init__):
        (LazyFileWriter.write):
        (LazyFileWriter.close):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js: Added.
        * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Added.
        * Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: Added.
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Added.
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Added.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * create_hash_table:

            Update the generated builtin macro names.

        * generate-js-builtins: Removed.

2015-10-21  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove FTL Native Inlining, it is dead code
        https://bugs.webkit.org/show_bug.cgi?id=150429

        Reviewed by Filip Pizlo.

        The code is not used and it is in the way of other changes.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::getFirstInstruction): Deleted.
        (JSC::FTL::getNextInstruction): Deleted.
        (JSC::FTL::getFirstBasicBlock): Deleted.
        (JSC::FTL::getNextBasicBlock): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize): Deleted.
        * runtime/Options.h:

2015-10-21  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove two useless temporaries from the PutByOffset codegen
        https://bugs.webkit.org/show_bug.cgi?id=150421

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        Looks like they were added by accident in r160796.

2015-10-21  Filip Pizlo  <fpizlo@apple.com>

        Factor out the graph node worklists from DFG into WTF
        https://bugs.webkit.org/show_bug.cgi?id=150411

        Reviewed by Geoffrey Garen.

        Rewrite the DFGBlockWorklist.h file as a bunch of typedefs and aliases for things in
        wtf/GraphNodeWorklist.h. Most users won't notice, except that some small things got
        renamed. For example PreOrder becomes VisitOrder::Pre and item.block becomes item.node.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBlockWorklist.cpp: Removed.
        * dfg/DFGBlockWorklist.h:
        (JSC::DFG::BlockWorklist::notEmpty): Deleted.
        (JSC::DFG::BlockWith::BlockWith): Deleted.
        (JSC::DFG::BlockWith::operator bool): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::forcePush): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::push): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::notEmpty): Deleted.
        (JSC::DFG::ExtendedBlockWorklist::pop): Deleted.
        (JSC::DFG::BlockWithOrder::BlockWithOrder): Deleted.
        (JSC::DFG::BlockWithOrder::operator bool): Deleted.
        (JSC::DFG::PostOrderBlockWorklist::push): Deleted.
        (JSC::DFG::PostOrderBlockWorklist::notEmpty): Deleted.
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::blocksInPostOrder):
        * dfg/DFGPrePostNumbering.cpp:
        (JSC::DFG::PrePostNumbering::compute):

2015-10-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Intl.Collator.prototype.resolvedOptions()
        https://bugs.webkit.org/show_bug.cgi?id=147601

        Reviewed by Benjamin Poulain.

        This patch implements Intl.Collator.prototype.resolvedOptions() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
        It also implements the abstract operations InitializeCollator, ResolveLocale,
        LookupMatcher, and BestFitMatcher.

        * runtime/CommonIdentifiers.h:
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::usage):
        (JSC::IntlCollator::setUsage):
        (JSC::IntlCollator::locale):
        (JSC::IntlCollator::setLocale):
        (JSC::IntlCollator::collation):
        (JSC::IntlCollator::setCollation):
        (JSC::IntlCollator::numeric):
        (JSC::IntlCollator::setNumeric):
        (JSC::IntlCollator::sensitivity):
        (JSC::IntlCollator::setSensitivity):
        (JSC::IntlCollator::ignorePunctuation):
        (JSC::IntlCollator::setIgnorePunctuation):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::initializeCollator):
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::getIntlBooleanOption):
        (JSC::getIntlStringOption):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        (JSC::lookupSupportedLocales):
        * runtime/IntlObject.h:

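The LookupMatcher and BestAvailableLocale abstract operations that the entry above implements (together with the Unicode-extension stripping they rely on), written out in plain JavaScript as an added example. This is not JavaScriptCore's C++ code; it follows the ECMA-402 algorithm text. The `defaultLocale` argument stands in for the DefaultLocale abstract operation and the `AVAILABLE` list is a constructed sample, both assumptions of this example; ResolveLocale's handling of relevantExtensionKeys and BestFitMatcher are not shown.

```javascript
// Added example, not JavaScriptCore code: the ECMA-402 LookupMatcher and
// BestAvailableLocale abstract operations in plain JavaScript.

// A Unicode locale extension sequence: the "u" singleton and the subtags that
// follow it, up to the next singleton (a one-character subtag cannot match
// {2,8}, so "-x-private" or "-t-..." ends the sequence).
const UNICODE_LOCALE_EXTENSION = /-u(-[a-z0-9]{2,8})+/i;

// Split a BCP 47 tag into the tag without its "u" extension, the extension
// itself ('' when there is none) and the index where the extension started.
function removeUnicodeLocaleExtension(locale) {
  const m = UNICODE_LOCALE_EXTENSION.exec(locale);
  if (!m) return { locale, extension: '', extensionIndex: -1 };
  return {
    locale: locale.slice(0, m.index) + locale.slice(m.index + m[0].length),
    extension: m[0],
    extensionIndex: m.index,
  };
}

// BestAvailableLocale: drop subtags from the right until a supported tag is
// found; never leave a dangling singleton such as "en-x".
function bestAvailableLocale(availableLocales, locale) {
  let candidate = locale;
  for (;;) {
    if (availableLocales.indexOf(candidate) !== -1) return candidate;
    let pos = candidate.lastIndexOf('-');
    if (pos === -1) return undefined;
    if (pos >= 2 && candidate[pos - 2] === '-') pos -= 2;
    candidate = candidate.slice(0, pos);
  }
}

// LookupMatcher: the first requested locale with a supported prefix wins and
// carries its "u" extension along; otherwise fall back to the default.
// `defaultLocale` stands in for the DefaultLocale abstract operation (an
// assumption of this example; the real value comes from the host).
function lookupMatcher(availableLocales, requestedLocales, defaultLocale) {
  for (let k = 0; k < requestedLocales.length; k++) {
    const stripped = removeUnicodeLocaleExtension(requestedLocales[k]);
    const availableLocale = bestAvailableLocale(availableLocales, stripped.locale);
    if (availableLocale !== undefined) {
      const result = { locale: availableLocale };
      if (stripped.extension) {
        result.extension = stripped.extension;
        result.extensionIndex = stripped.extensionIndex;
      }
      return result;
    }
  }
  return { locale: defaultLocale };
}

// Constructed sample: a collator that ships data for these four locales.
const AVAILABLE = ['en', 'en-US', 'de', 'zh-Hant'];

function sampleMatch() {
  // "fr-FR" has no supported prefix; "de-DE-u-co-phonebk" reduces to "de"
  // and keeps its collation extension for ResolveLocale to apply later.
  return lookupMatcher(AVAILABLE, ['fr-FR', 'de-DE-u-co-phonebk'], 'en');
}
```

The singleton rule in `bestAvailableLocale` is the part most often got wrong when people hand-roll this: truncating "en-x-foo" at the last hyphen would yield "en-x", which is never a valid tag, so the spec steps back over the singleton in one go.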
2015-10-21  Saam barati  <sbarati@apple.com>

        C calls in PolymorphicAccess shouldn't assume that the top of the stack looks like a JSC JIT frame and enable *ByIdFlush in FTL
        https://bugs.webkit.org/show_bug.cgi?id=125711

        Reviewed by Filip Pizlo.

        This patch ensures that anytime we need to make a C call inside
        PolymorphicAccess, we ensure there is enough space on the stack to do so.

        This patch also enables GetByIdFlush/PutByIdFlush inside the FTL.
        Because PolymorphicAccess now spills the necessary registers
        before making a JS/C call, any registers that LLVM reports as
        being in use for the patchpoint will be spilled before making
        a call by PolymorphicAccess.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):
        (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
        (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
        (JSC::RegisterSet::registersToNotSaveForJSCall):
        (JSC::RegisterSet::registersToNotSaveForCCall):
        (JSC::RegisterSet::allGPRs):
        (JSC::RegisterSet::registersToNotSaveForCall): Deleted.
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        These methods now take an extra parameter indicating if they
        should create space for a C call at the top of the stack if
        there are any reused registers to spill.

        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::usedRegisters):

2015-10-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Array previews with Symbol objects have too few preview values
        https://bugs.webkit.org/show_bug.cgi?id=150404

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        We should be continuing inside this loop not returning.

2015-10-21  Filip Pizlo  <fpizlo@apple.com>

        Failures in PutStackSinkingPhase should be less severe
        https://bugs.webkit.org/show_bug.cgi?id=150400

        Reviewed by Geoffrey Garen.

        Make the PutStackSinkingPhase abort instead of asserting. To test that it's OK to not have
        PutStackSinkingPhase run, this adds a test mode where we run without PutStackSinkingPhase.

        * dfg/DFGPlan.cpp: Make it possible to not run PutStackSinkingPhase for tests.
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPutStackSinkingPhase.cpp: PutStackSinkingPhase should abort instead of asserting, except when validation is enabled.
        * runtime/Options.h: Add an option for disabling PutStackSinkingPhase.

2015-10-21  Saam barati  <sbarati@apple.com>

        The FTL should place the CallSiteIndex on the call frame for JS calls when it fills in the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=150104

        Reviewed by Filip Pizlo.

        We lower JS Calls to patchpoints in LLVM. LLVM may decide to duplicate
        these patchpoints (or remove them). We eagerly store the CallSiteIndex on the
        call frame when lowering DFG to LLVM. But, because the patchpoint we lower to may
        be duplicated, we really don't know the unique CallSiteIndex until we've
        actually seen the resulting patchpoints after LLVM has completed its transformations.
        To solve this, we now store the unique CallSiteIndex on the call frame header
        when generating code to fill into the patchpoint.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        * ftl/FTLJSCall.h:
        (JSC::FTL::JSCall::stackmapID):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::JSCallBase):
        (JSC::FTL::JSCallBase::emit):
        (JSC::FTL::JSCallBase::link):
        * ftl/FTLJSCallBase.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        (JSC::FTL::JSCallVarargs::node):
        (JSC::FTL::JSCallVarargs::stackmapID):
        * ftl/FTLJSTailCall.cpp:
        (JSC::FTL::JSTailCall::JSTailCall):
        (JSC::FTL::m_instructionOffset):
        (JSC::FTL::JSTailCall::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
        (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):

2015-10-21  Geoffrey Garen  <ggaren@apple.com>

        Date creation should share a little code
        https://bugs.webkit.org/show_bug.cgi?id=150399

        Reviewed by Filip Pizlo.

        I want to fix a bug in this code, but I don't want to fix it in two
        different places. (See https://bugs.webkit.org/show_bug.cgi?id=150386.)

        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::milliseconds): Factored out a shared helper function. If you look
        closely, you'll see that one copy of this code previously checked isfinite
        while the other checked isnan. isnan returning nan was obviously a no-op,
        so I removed it. isfinite, it turns out, is also a no-op -- but less
        obviously so, so I kept it for now.

        (JSC::constructDate):
        (JSC::dateUTC): Use the helper function.

2015-10-21  Guillaume Emont  <guijemont@igalia.com>

        llint: align stack pointer on mips too

        [MIPS] LLInt: align stack pointer on MIPS too
        https://bugs.webkit.org/show_bug.cgi?id=150380

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter32_64.asm:

2015-10-20  Mark Lam  <mark.lam@apple.com>

        YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
        https://bugs.webkit.org/show_bug.cgi?id=150372

        Reviewed by Geoffrey Garen.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
        (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2015-10-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r191175): OSR Exit from an inlined tail callee trashes callee save registers
        https://bugs.webkit.org/show_bug.cgi?id=150336

        Reviewed by Mark Lam.

        During OSR exit, we need to restore and transform the active stack into what the baseline
        JIT expects.  Inlined call frames become true call frames.  When we reify an inlined call
        frame and it is a tail call which we will be continuing from, we need to restore the tag
        constant callee save registers with what was saved by the outermost caller.

        Re-enabled tail calls and restored tests for tail calls.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames): Select whether or not we use the callee save tag register
        contents or what was saved by the inlining caller when populating an inlined callee's
        callee save registers.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveCalleeSavesFor): This function no longer needs a stack offset.
        (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): New helper.
        * runtime/Options.h: Turned tail calls back on.
        * tests/es6.yaml:
        * tests/stress/dfg-tail-calls.js:
        (nonInlinedTailCall.callee):
        * tests/stress/mutual-tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-in-inline-cache.js:
        (tail):
        * tests/stress/tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-recognize.js:
        (callerMustBeRun):
        * tests/stress/tail-call-varargs-no-stack-overflow.js:
        (shouldThrow):

2015-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
        https://bugs.webkit.org/show_bug.cgi?id=150096

        Reviewed by Geoffrey Garen.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
        (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
        (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
        * inspector/ContentSearchUtilities.h:
        No longer need to search script content.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        Carry over the sourceURL and sourceMappingURL from the SourceProvider.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        No longer do content searching.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setCode):
        (JSC::Lexer<T>::skipWhitespace):
        (JSC::Lexer<T>::parseCommentDirective):
        (JSC::Lexer<T>::parseCommentDirectiveValue):
        (JSC::Lexer<T>::consume):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURL):
        (JSC::Lexer::sourceMappingURL):
        (JSC::Lexer::sourceProvider): Deleted.
        Give lexer the ability to detect script comment directives.
        This just consumes characters in single line comments and
        ultimately sets the sourceURL or sourceMappingURL found.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::url):
        (JSC::SourceProvider::sourceURL):
        (JSC::SourceProvider::sourceMappingURL):
        (JSC::SourceProvider::setSourceURL):
        (JSC::SourceProvider::setSourceMappingURL):
        After parsing a script, update the Source Provider with the
        value of directives that may have been found in the script.

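The directive scanning the entry above moves into the lexer, shown as an added example in plain JavaScript rather than JavaScriptCore's C++ lexer (this is not the project's own code). It walks the source, skips string literals and block comments so a directive inside them is not honoured, and records the last `sourceURL` and `sourceMappingURL` seen in single-line comments, which is the "ultimately sets the sourceURL or sourceMappingURL found" behaviour described above. The whitespace tolerated around `#`/`@` and after `=`, and the sample script, are assumptions of this example; regular-expression literals are not tokenised, which is a simplification.

```javascript
// Added example, not JavaScriptCore code: find sourceURL / sourceMappingURL
// comment directives the way a lexer would, i.e. only inside single-line
// comments, never inside string literals or block comments.

// Directive grammar assumed here: "//" then "#" (or the legacy "@"), optional
// blanks, the directive name, "=", optional blanks, then the value up to the
// first whitespace or the end of the line.
const DIRECTIVE = /^[#@][ \t]*(sourceURL|sourceMappingURL)=[ \t]*(\S+)/;

function parseCommentDirectives(source) {
  const found = { sourceURL: null, sourceMappingURL: null };
  const n = source.length;
  let i = 0;

  while (i < n) {
    const c = source[i];
    const next = source[i + 1];

    if (c === '/' && next === '/') {
      // Single-line comment: runs to the line terminator.
      let end = i + 2;
      while (end < n && source[end] !== '\n' && source[end] !== '\r') end++;
      const m = DIRECTIVE.exec(source.slice(i + 2, end));
      if (m) found[m[1]] = m[2]; // a later directive overrides an earlier one
      i = end;
    } else if (c === '/' && next === '*') {
      // Block comment: directives are not recognised here.
      const close = source.indexOf('*/', i + 2);
      i = close === -1 ? n : close + 2;
    } else if (c === '"' || c === "'" || c === '`') {
      // String or template literal: skip it so "//# sourceURL=" inside a
      // string is not mistaken for a directive. Backslash escapes are honoured.
      i++;
      while (i < n && source[i] !== c) {
        if (source[i] === '\\') i++;
        i++;
      }
      i++;
    } else {
      // Simplification: regular-expression literals are not tokenised, so a
      // regex body containing "//" would be read as a comment start.
      i++;
    }
  }
  return found;
}

// Constructed sample script: the first two candidate directives must be
// ignored, the legacy "//@" form is accepted, and the last sourceURL wins.
const SAMPLE = [
  "var s = '//# sourceURL=inside-string.js';",
  "/* //# sourceURL=inside-block-comment.js */",
  "//@ sourceURL=legacy.js",
  "//# sourceURL=app.js",
  "//# sourceMappingURL=app.js.map",
  "console.log(s);",
].join('\n');

function sampleDirectives() {
  return parseCommentDirectives(SAMPLE);
}
```

Worth keeping in mind when consuming these values downstream: they come straight from the script text, so whatever a script declares as its sourceURL is what the Inspector will show as that script's name. Treat it as a label chosen by the script author, not as evidence of where the code was loaded from.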
2015-10-20  Saam barati  <sbarati@apple.com>

        GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
        https://bugs.webkit.org/show_bug.cgi?id=150351

        Reviewed by Mark Lam.

        We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
        Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
        notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
        that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
        exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
        replaces its m_stubRoutine.

        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
        (JSC::createJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
        * jit/GCAwareJITStubRoutine.h:

597 >>>>>>> .r191351
2015-10-20  Tim Horton  <timothy_horton@apple.com>

        Try to fix the build by disabling MAC_GESTURE_EVENTS on 10.9 and 10.10

        * Configurations/FeatureDefines.xcconfig:

2015-10-20  Xabier Rodriguez Calvar  <calvaris@igalia.com>

        [Streams API] Rework some readable stream internals that can be common to writable streams
        https://bugs.webkit.org/show_bug.cgi?id=150133

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Added RangeError also as native functions.

2015-10-20  Yoav Weiss  <yoav@yoav.ws>

        Rename the PICTURE_SIZES flag to CURRENTSRC
        https://bugs.webkit.org/show_bug.cgi?id=150275

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

624 2015-10-19  Saam barati  <sbarati@apple.com>
625
626         FTL should generate a unique OSR exit for each duplicated OSR exit stackmap intrinsic.
627         https://bugs.webkit.org/show_bug.cgi?id=149970
628
629         Reviewed by Filip Pizlo.
630
631         When we lower DFG to LLVM, we generate a stackmap intrnsic for OSR 
632         exits. We also recorded the OSR exit inside FTL::JITCode during lowering.
633         This stackmap intrinsic may be duplicated or even removed by LLVM.
634         When the stackmap intrinsic is duplicated, we used to generate just
635         a single OSR exit data structure. Then, when we compiled an OSR exit, we 
636         would look for the first record in the record list that had the same stackmap ID
637         as what the OSR exit data structure had. We did this even when the OSR exit
638         stackmap intrinsic was duplicated. This would lead us to grab the wrong FTL::StackMaps::Record.
639
640         Now, each OSR exit knows exactly which FTL::StackMaps::Record it corresponds to.
641         We accomplish this by having an OSRExitDescriptor that is recorded during
642         lowering. Each descriptor may be referenced by zero, one, or more OSRExits.
643         Now, no more than one stackmap intrinsic corresponds to the same index inside 
644         JITCode's OSRExit Vector. Also, each OSRExit jump now jumps to a code location.
645
646         * ftl/FTLCompile.cpp:
647         (JSC::FTL::mmAllocateDataSection):
648         * ftl/FTLJITCode.cpp:
649         (JSC::FTL::JITCode::validateReferences):
650         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
651         * ftl/FTLJITCode.h:
652         * ftl/FTLJITFinalizer.cpp:
653         (JSC::FTL::JITFinalizer::finalizeFunction):
654         * ftl/FTLLowerDFGToLLVM.cpp:
655         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
656         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
657         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
658         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
659         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
660         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
661         * ftl/FTLOSRExit.cpp:
662         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
663         (JSC::FTL::OSRExitDescriptor::validateReferences):
664         (JSC::FTL::OSRExit::OSRExit):
665         (JSC::FTL::OSRExit::codeLocationForRepatch):
666         (JSC::FTL::OSRExit::validateReferences): Deleted.
667         * ftl/FTLOSRExit.h:
668         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
669         * ftl/FTLOSRExitCompilationInfo.h:
670         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
671         * ftl/FTLOSRExitCompiler.cpp:
672         (JSC::FTL::compileStub):
673         (JSC::FTL::compileFTLOSRExit):
674         * ftl/FTLStackMaps.cpp:
675         (JSC::FTL::StackMaps::computeRecordMap):
676         * ftl/FTLStackMaps.h:
677
678 2015-10-16  Brian Burg  <bburg@apple.com>
679
680         Unify handling of JavaScriptCore scripts that are used in WebCore
681         https://bugs.webkit.org/show_bug.cgi?id=150245
682
683         Reviewed by Alex Christensen.
684
685         Move all standalone JavaScriptCore scripts that are used by WebCore into the
686         JavaScriptCore/Scripts directory. Use JavaScriptCore_SCRIPTS_DIR to refer
687         to the path for these scripts.
688
689         * DerivedSources.make:
690
691             Define and use JavaScriptCore_SCRIPTS_DIR.
692
693         * JavaScriptCore.xcodeproj/project.pbxproj:
694
695             Make a new group in the Xcode project and clean up references.
696
697         * PlatformWin.cmake:
698
699             For Windows, copy these scripts over to ForwardingHeaders/Scripts since they
700             cannot be used directly from JAVASCRIPTCORE_DIR in AppleWin builds. Do the same
701             thing for both Windows variants to be consistent about it.
702
703         * Scripts/cssmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/cssmin.py.
704         * Scripts/generate-combined-inspector-json.py: Renamed from Source/JavaScriptCore/inspector/scripts/generate-combined-inspector-json.py.
705         * Scripts/generate-js-builtins: Renamed from Source/JavaScriptCore/generate-js-builtins.
706         * Scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/JavaScriptCore/inspector/scripts/inline-and-minify-stylesheets-and-scripts.py.
707         * Scripts/jsmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/jsmin.py.
708         * Scripts/xxd.pl: Renamed from Source/JavaScriptCore/inspector/scripts/xxd.pl.
709
710 2015-10-19  Tim Horton  <timothy_horton@apple.com>
711
712         Try to fix the iOS build
713
714         * Configurations/FeatureDefines.xcconfig:
715
716 2015-10-17  Keith Miller  <keith_miller@apple.com>
717
718         Add regression tests for TypedArray.prototype functions' error messages.
719         https://bugs.webkit.org/show_bug.cgi?id=150288
720
721         Reviewed by Darin Adler.
722
723         Fix a typo in the text passed by the TypedArray.prototype.filter type error message.
724         Add tests that check the actual error message text for all the TypedArray.prototype
725         functions that throw.
726
727         * builtins/TypedArray.prototype.js:
728         (filter):
729         * tests/stress/typedarray-every.js:
730         * tests/stress/typedarray-filter.js:
731         * tests/stress/typedarray-find.js:
732         * tests/stress/typedarray-findIndex.js:
733         * tests/stress/typedarray-forEach.js:
734         * tests/stress/typedarray-map.js:
735         * tests/stress/typedarray-reduce.js:
736         * tests/stress/typedarray-reduceRight.js:
737         * tests/stress/typedarray-some.js:
738
739 2015-10-19  Tim Horton  <timothy_horton@apple.com>
740
741         Add magnify and rotate gesture event support for Mac
742         https://bugs.webkit.org/show_bug.cgi?id=150179
743         <rdar://problem/8036240>
744
745         Reviewed by Darin Adler.
746
747         * Configurations/FeatureDefines.xcconfig:
748         New feature flag.
749
750 2015-10-19  Csaba Osztrogonác  <ossy@webkit.org>
751
752         Fix the ENABLE(WEBASSEMBLY) build after r190827
753         https://bugs.webkit.org/show_bug.cgi?id=150330
754
755         Reviewed by Geoffrey Garen.
756
757         * bytecode/CodeBlock.cpp:
758         (JSC::CodeBlock::CodeBlock): Removed the duplicated VM argument.
759         * bytecode/CodeBlock.h:
760         (JSC::WebAssemblyCodeBlock::create): Added new parameters to finishCreation() calls.
761         (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Change VM parameter to pointer to match *CodeBlock classes.
762         * runtime/Executable.cpp:
763         (JSC::WebAssemblyExecutable::prepareForExecution): Removed extra ")" and pass pointer as it is expected.
764
765 2015-10-19  Mark Lam  <mark.lam@apple.com>
766
767         DoubleRep fails to convert SpecBoolean values.
768         https://bugs.webkit.org/show_bug.cgi?id=150313
769
770         Reviewed by Geoffrey Garen.
771
772         This was uncovered by the op_sub stress test on 32-bit builds.  On 32-bit builds,
773         DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1.
774         On 64-bit, the same issue exists but is masked by another bug in DoubleRep where
775         boolean values will always erroneously trigger a BadType OSR exit.
776
777         The erroneous conversion of 'true' to 'NaN' is because the 'true' case in
778         compileDoubleRep() is missing a jump to the "done" destination.  Instead, it
779         falls through to the "isUndefined" case where it produces a NaN.
780
781         The 64-bit erroneous BadType OSR exit is due to the boolean type check being
782         implemented incorrectly.  It was checking if any bits other than bit 0 were set.
783         However, boolean JS values always have TagBitBool (the 3rd bit) set.  Hence, the
784         check will always fail if we have a boolean value.
785
786         This patch fixes both of these issues.
787
788         No new test is needed because these issues are already covered by scenarios in
789         the op_sub.js stress test.  This patch also fixes the op_sub.js test to throw an
790         exception if any failures are encountered (as expected by the stress test
791         harness).  This patch also re-worked the test code to provide more accurate
792         descriptions of each test scenario for error reporting.
793
794         * dfg/DFGSpeculativeJIT.cpp:
795         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
796
797         * tests/stress/op_sub.js:
798         (generateScenarios):
799         (func):
800         (initializeTestCases):
801         (runTest):
802         (stringify): Deleted.
803
804 2015-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>
805
806         Drop !newTarget check since it always becomes true
807         https://bugs.webkit.org/show_bug.cgi?id=150308
808
809         Reviewed by Geoffrey Garen.
810
811         In the context of calling a constructor, `newTarget` should not become JSEmpty.
812         So `!newTarget` always becomes true. This patch drops this unnecessary check.
813         And to ensure the implementation of the constructor is only called under
814         the context of calling it as a constructor, we change these functions to
815         static and only use them for constructor implementations of InternalFunction.
816
817         * runtime/IntlCollatorConstructor.cpp:
818         (JSC::constructIntlCollator):
819         (JSC::callIntlCollator):
820         * runtime/IntlCollatorConstructor.h:
821         * runtime/IntlDateTimeFormatConstructor.cpp:
822         (JSC::constructIntlDateTimeFormat):
823         (JSC::callIntlDateTimeFormat):
824         * runtime/IntlDateTimeFormatConstructor.h:
825         * runtime/IntlNumberFormatConstructor.cpp:
826         (JSC::constructIntlNumberFormat):
827         (JSC::callIntlNumberFormat):
828         * runtime/IntlNumberFormatConstructor.h:
829         * runtime/JSPromiseConstructor.cpp:
830         (JSC::constructPromise):
831
832 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
833
834         Promise constructor should throw when not called with "new"
835         https://bugs.webkit.org/show_bug.cgi?id=149380
836
837         Reviewed by Darin Adler.
838
839         Implement handling of new.target in the Promise constructor, and
840         prohibit calling the Promise constructor without "new".
841
842         * runtime/JSPromiseConstructor.cpp:
843         (JSC::constructPromise):
844         (JSC::callPromise):
845         (JSC::JSPromiseConstructor::getCallData):
846         * tests/es6.yaml:
847         * tests/stress/promise-cannot-be-called.js: Added.
848         (shouldBe):
849         (shouldThrow):
850         (Deferred):
851         (super):
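
        The behaviour described by the two Promise-related entries above (constructor must
        be called with "new"; new.target decides the resulting object's prototype), as an
        added example that is not part of the WebKit change or its test file. The
        `LoggedPromise` subclass and the `Deferred` function are hypothetical, written here
        only to exercise the new.target rules from user-level JavaScript.

```javascript
// Added example (not WebKit code): observable Promise constructor semantics.

// Calling the Promise constructor without `new`: the spec requires a TypeError,
// which is what the ChangeLog entry "Promise constructor should throw when not
// called with 'new'" implements. Returns the thrown error, or null if none.
function callWithoutNew() {
  try {
    Promise(function (resolve) { resolve(1); });
    return null;
  } catch (e) {
    return e;
  }
}

// Hypothetical subclass: `super(...)` runs Promise's constructor with
// new.target === LoggedPromise, so the instance inherits from LoggedPromise
// and `then` produces LoggedPromise instances via the species protocol.
class LoggedPromise extends Promise {
  constructor(executor) {
    super((resolve, reject) => executor(resolve, reject));
  }
}

function subclassInfo() {
  const p = new LoggedPromise((resolve) => resolve(42));
  const chained = p.then((v) => v + 1);
  return {
    isSubclass: p instanceof LoggedPromise,
    isPromise: p instanceof Promise,
    chainedIsSubclass: chained instanceof LoggedPromise,
  };
}

// Reflect.construct chooses new.target explicitly: the executor runs with
// Promise's own logic, but the prototype is taken from the supplied target.
function constructWithExplicitTarget() {
  const p = Reflect.construct(Promise, [(resolve) => resolve(0)], LoggedPromise);
  return Object.getPrototypeOf(p) === LoggedPromise.prototype;
}

// Hypothetical user-level constructor enforcing the same "construct only" rule
// that InternalFunction constructors get natively: new.target is undefined
// for a plain call, so reject it before touching any state.
function Deferred(executor) {
  if (new.target === undefined) {
    throw new TypeError("Deferred must be called with new");
  }
  this.promise = new Promise(executor);
}

function deferredWithoutNew() {
  try {
    Deferred(function () {});
    return null;
  } catch (e) {
    return e;
  }
}

function deferredWithNew() {
  const d = new Deferred((resolve) => resolve("ok"));
  return d.promise instanceof Promise;
}
```

        The Reflect.construct case is the one worth remembering when reviewing native
        constructors: new.target is not necessarily the function being invoked, so the
        prototype lookup must go through new.target rather than the callee.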
852
853 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
854
855         [ES6] Handle asynchronous tests in tests/es6
856         https://bugs.webkit.org/show_bug.cgi?id=150293
857
858         Reviewed by Darin Adler.
859
860         Since JSC can handle microtasks, some of the ES6 Promise tests can be executed under the JSC shell.
861         Some of them still fail because they use setTimeout, which invokes macrotasks with an explicit delay.
862
863         * tests/es6.yaml:
864         * tests/es6/Promise_Promise.all.js:
865         (test.asyncTestPassed):
866         (test):
867         * tests/es6/Promise_Promise.all_generic_iterables.js:
868         (test.asyncTestPassed):
869         (test):
870         * tests/es6/Promise_Promise.race.js:
871         (test.asyncTestPassed):
872         (test):
873         * tests/es6/Promise_Promise.race_generic_iterables.js:
874         (test.asyncTestPassed):
875         (test):
876         * tests/es6/Promise_basic_functionality.js:
877         (test.asyncTestPassed):
878         (test):
879         * tests/es6/Promise_is_subclassable_Promise.all.js:
880         (test.asyncTestPassed):
881         (test):
882         * tests/es6/Promise_is_subclassable_Promise.race.js:
883         (test.asyncTestPassed):
884         (test):
885         * tests/es6/Promise_is_subclassable_basic_functionality.js:
886         (test.asyncTestPassed):
887         (test):
888
889 2015-10-18  Sungmann Cho  <sungmann.cho@navercorp.com>
890
891         [Win] Fix the Windows builds.
892         https://bugs.webkit.org/show_bug.cgi?id=150300
893
894         Reviewed by Darin Adler.
895
896         Add missing files to JavaScriptCore.vcxproj.
897
898         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
899         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
900
901 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
902
903         Fix some generational heap growth pathologies
904         https://bugs.webkit.org/show_bug.cgi?id=150270
905
906         Reviewed by Andreas Kling.
907
908         When doing generational copying, we would pretend that the size of old space was increased
909         just by the amount of bytes we copied. In reality, it would be increased by the number of
910         bytes used by the copied blocks we created. This is a larger number, and in some simple
911         pathological programs, the difference can be huge.
912
913         Fixing this bug was relatively easy, and the only really meaningful change here is in
914         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
915         add some debugging code and I had to refactor some stuff so that it made more sense.
916
917         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
918         release builds to decide how much heap we are using at the end of collection. But I added a
919         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
920         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
921
922         Relanding with build fix.
923
924         * CMakeLists.txt:
925         * JavaScriptCore.xcodeproj/project.pbxproj:
926         * heap/CopiedBlock.cpp: Added.
927         (JSC::CopiedBlock::createNoZeroFill):
928         (JSC::CopiedBlock::destroy):
929         (JSC::CopiedBlock::create):
930         (JSC::CopiedBlock::zeroFillWilderness):
931         (JSC::CopiedBlock::CopiedBlock):
932         * heap/CopiedBlock.h:
933         (JSC::CopiedBlock::didSurviveGC):
934         (JSC::CopiedBlock::createNoZeroFill): Deleted.
935         (JSC::CopiedBlock::destroy): Deleted.
936         (JSC::CopiedBlock::create): Deleted.
937         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
938         (JSC::CopiedBlock::CopiedBlock): Deleted.
939         * heap/CopiedSpaceInlines.h:
940         (JSC::CopiedSpace::startedCopying):
941         * heap/Heap.cpp:
942         (JSC::Heap::updateObjectCounts):
943         (JSC::Heap::resetVisitors):
944         (JSC::Heap::capacity):
945         (JSC::Heap::protectedGlobalObjectCount):
946         (JSC::Heap::collectImpl):
947         (JSC::Heap::willStartCollection):
948         (JSC::Heap::updateAllocationLimits):
949         (JSC::Heap::didFinishCollection):
950         (JSC::Heap::sizeAfterCollect): Deleted.
951         * heap/Heap.h:
952         * heap/HeapInlines.h:
953         (JSC::Heap::shouldCollect):
954         (JSC::Heap::isBusy):
955         (JSC::Heap::collectIfNecessaryOrDefer):
956         * heap/MarkedBlock.cpp:
957         (JSC::MarkedBlock::create):
958         (JSC::MarkedBlock::destroy):
959
960 2015-10-17  Commit Queue  <commit-queue@webkit.org>
961
962         Unreviewed, rolling out r191240.
963         https://bugs.webkit.org/show_bug.cgi?id=150281
964
965         Broke 32-bit builds (Requested by smfr on #webkit).
966
967         Reverted changeset:
968
969         "Fix some generational heap growth pathologies"
970         https://bugs.webkit.org/show_bug.cgi?id=150270
971         http://trac.webkit.org/changeset/191240
972
973 2015-10-17  Sungmann Cho  <sungmann.cho@navercorp.com>
974
975         [Win] Fix the Windows build.
976         https://bugs.webkit.org/show_bug.cgi?id=150278
977
978         Reviewed by Brent Fulgham.
979
980         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
981         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
982
983 2015-10-17  Mark Lam  <mark.lam@apple.com>
984
985         Fixed typos from r191224.
986
987         Not reviewed.
988
989         * jit/JITSubGenerator.h:
990         (JSC::JITSubGenerator::generateFastPath):
991
992 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
993
994         Fix some generational heap growth pathologies
995         https://bugs.webkit.org/show_bug.cgi?id=150270
996
997         Reviewed by Andreas Kling.
998
999         When doing generational copying, we would pretend that the size of old space was increased
1000         just by the amount of bytes we copied. In reality, it would be increased by the number of
1001         bytes used by the copied blocks we created. This is a larger number, and in some simple
1002         pathological programs, the difference can be huge.
1003
1004         Fixing this bug was relatively easy, and the only really meaningful change here is in
1005         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
1006         add some debugging code and I had to refactor some stuff so that it made more sense.
1007
1008         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
1009         release builds to decide how much heap we are using at the end of collection. But I added a
1010         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
1011         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
1012
1013         * CMakeLists.txt:
1014         * JavaScriptCore.xcodeproj/project.pbxproj:
1015         * heap/CopiedBlock.cpp: Added.
1016         (JSC::CopiedBlock::createNoZeroFill):
1017         (JSC::CopiedBlock::destroy):
1018         (JSC::CopiedBlock::create):
1019         (JSC::CopiedBlock::zeroFillWilderness):
1020         (JSC::CopiedBlock::CopiedBlock):
1021         * heap/CopiedBlock.h:
1022         (JSC::CopiedBlock::didSurviveGC):
1023         (JSC::CopiedBlock::createNoZeroFill): Deleted.
1024         (JSC::CopiedBlock::destroy): Deleted.
1025         (JSC::CopiedBlock::create): Deleted.
1026         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
1027         (JSC::CopiedBlock::CopiedBlock): Deleted.
1028         * heap/CopiedSpaceInlines.h:
1029         (JSC::CopiedSpace::startedCopying):
1030         * heap/Heap.cpp:
1031         (JSC::Heap::updateObjectCounts):
1032         (JSC::Heap::resetVisitors):
1033         (JSC::Heap::capacity):
1034         (JSC::Heap::protectedGlobalObjectCount):
1035         (JSC::Heap::collectImpl):
1036         (JSC::Heap::willStartCollection):
1037         (JSC::Heap::updateAllocationLimits):
1038         (JSC::Heap::didFinishCollection):
1039         (JSC::Heap::sizeAfterCollect): Deleted.
1040         * heap/Heap.h:
1041         * heap/HeapInlines.h:
1042         (JSC::Heap::shouldCollect):
1043         (JSC::Heap::isBusy):
1044         (JSC::Heap::collectIfNecessaryOrDefer):
1045         * heap/MarkedBlock.cpp:
1046         (JSC::MarkedBlock::create):
1047         (JSC::MarkedBlock::destroy):
1048
1049 2015-10-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1050
1051         [ES6] Implement String.prototype.normalize
1052         https://bugs.webkit.org/show_bug.cgi?id=150094
1053
1054         Reviewed by Geoffrey Garen.
1055
1056         This patch implements String.prototype.normalize leveraging ICU.
1057         It provides the ability to apply {NFC, NFD, NFKC, NFKD} normalization to a given string.
1058
1059         * runtime/StringPrototype.cpp:
1060         (JSC::StringPrototype::finishCreation):
1061         (JSC::normalize):
1062         (JSC::stringProtoFuncNormalize):
1063         * tests/es6.yaml:
1064         * tests/stress/string-normalize.js: Added.
1065         (unicode):
1066         (shouldBe):
1067         (shouldThrow):
1068         (normalizeTest):
1069
1070 2015-10-16  Geoffrey Garen  <ggaren@apple.com>
1071
1072         Update JavaScriptCore API docs
1073         https://bugs.webkit.org/show_bug.cgi?id=150262
1074
1075         Reviewed by Mark Lam.
1076
1077         Apply some edits for clarity. These came out of a docs review.
1078
1079         * API/JSContext.h:
1080         * API/JSExport.h:
1081         * API/JSManagedValue.h:
1082         * API/JSValue.h:
1083
1084 2015-10-16  Keith Miller  <keith_miller@apple.com>
1085
1086         Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter.
1087
1088         * builtins/TypedArray.prototype.js:
1089         (forEach):
1090         (filter):
1091
1092 2015-10-16  Mark Lam  <mark.lam@apple.com>
1093
1094         Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG.
1095         https://bugs.webkit.org/show_bug.cgi?id=150038
1096
1097         Reviewed by Geoffrey Garen.
1098
1099         * bytecode/SpeculatedType.h:
1100         (JSC::isUntypedSpeculationForArithmetic): Added
1101         - Also fixed some comments.
1102         
1103         * dfg/DFGAbstractInterpreterInlines.h:
1104         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1105
1106         * dfg/DFGAbstractValue.cpp:
1107         (JSC::DFG::AbstractValue::resultType):
1108         * dfg/DFGAbstractValue.h:
1109         - Added function to compute the ResultType of an operand from its SpeculatedType.
1110
1111         * dfg/DFGFixupPhase.cpp:
1112         (JSC::DFG::FixupPhase::fixupNode):
1113         - Fix up ArithSub to speculate its operands to be numbers.  But if an OSR exit
1114           due to a BadType was seen at this node, we'll fix it up to expect UntypedUse
1115           operands.  This gives the generated code a chance to run fast if it only
1116           receives numeric operands.
1117
1118         * dfg/DFGNode.h:
1119         (JSC::DFG::Node::shouldSpeculateUntypedForArithmetic):
1120
1121         * dfg/DFGOperations.cpp:
1122         * dfg/DFGOperations.h:
1123         - Add the C++ runtime function to implement op_sub when we really encounter the
1124           hard types in the operands.
1125
1126         * dfg/DFGSpeculativeJIT.cpp:
1127         (JSC::DFG::SpeculativeJIT::compileArithSub):
1128         - Added support for UntypedUse operands using the JITSubGenerator.
1129
1130         * dfg/DFGSpeculativeJIT.h:
1131         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1132         (JSC::DFG::SpeculativeJIT::pickCanTrample):
1133         (JSC::DFG::SpeculativeJIT::callOperation):
1134
1135         * ftl/FTLCapabilities.cpp:
1136         (JSC::FTL::canCompile):
1137         - Just refuse to FTL compile functions with UntypedUse op_sub operands for now.
1138
1139         * jit/AssemblyHelpers.h:
1140         (JSC::AssemblyHelpers::boxDouble):
1141         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
1142         (JSC::AssemblyHelpers::unboxDouble):
1143         (JSC::AssemblyHelpers::boxBooleanPayload):
1144         * jit/JITArithmetic.cpp:
1145         (JSC::JIT::emit_op_sub):
1146
1147         * jit/JITSubGenerator.h:
1148         (JSC::JITSubGenerator::generateFastPath):
1149         (JSC::JITSubGenerator::endJumpList):
1150         - Added some asserts to document the contract that this generator expects in
1151           terms of its incoming registers.
1152
1153           Also fixed the generated code to not be destructive with regards to incoming
1154           registers.  The DFG expects this.
1155
1156           Also added an endJumpList so that we don't have to jump twice for the fast
1157           path where both operands are ints.
1158
1159         * parser/ResultType.h:
1160         (JSC::ResultType::ResultType):
1161         - Make the internal Type bits and the constructor private.  Clients should only
1162           create ResultType values using one of the provided factory methods.
1163
1164         * tests/stress/op_sub.js: Added.
1165         (o1.valueOf):
1166         (stringify):
1167         (generateScenarios):
1168         (printScenarios):
1169         (testCases.func):
1170         (func):
1171         (initializeTestCases):
1172         (runTest):
1173         - test op_sub results by comparing one LLINT result against the output of
1174           multiple LLINT and JIT runs.  This test assumes that we'll at least get the
1175           right result some of the time (if not all the time), and confirms that the
1176           various engines produce consistent results for all the various value pairs
1177           being tested.
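
        The differential testing idea described in the op_sub entry above, and the boolean
        conversions from the "DoubleRep fails to convert SpecBoolean values" entry earlier
        on this page, as one added example. It is not the WebKit op_sub.js test and does not
        reproduce the JSC bugs on another engine; it shows the shape of the harness: a
        warm loop drives the same function through the interpreter and JIT tiers, and every
        later result is compared with the first. The operand list is constructed for this
        example.

```javascript
// Added example (not WebKit's op_sub.js): tier-differential check of subtraction.

// The operation under test. Keeping it in its own function is what lets the
// engine tier it up independently of the harness.
function sub(a, b) { return a - b; }

// Constructed operand set: ints, doubles, booleans, null/undefined, strings and
// an object with valueOf, so typed fast paths and untyped slow paths both run.
const OPERANDS = [
  0, 1, -1, 2147483647, 0.5, -0.0, NaN,
  true, false, null, undefined, "3", "x",
  { valueOf() { return 7; } },
];

// Object.is distinguishes -0 from 0 and treats NaN as equal to itself, which is
// what a result-consistency check needs (=== would miss a -0/0 flip).
function sameValue(x, y) { return Object.is(x, y); }

// Run every operand pair once to get a baseline (interpreter result), then
// keep re-running so the JIT tiers kick in, recording any divergence.
function runDifferential(iterations) {
  const pairs = [];
  for (const a of OPERANDS) for (const b of OPERANDS) pairs.push([a, b]);
  const baseline = pairs.map(([a, b]) => sub(a, b));
  const mismatches = [];
  for (let i = 0; i < iterations; i++) {
    for (let k = 0; k < pairs.length; k++) {
      const [a, b] = pairs[k];
      const r = sub(a, b);
      if (!sameValue(r, baseline[k])) {
        mismatches.push({ iteration: i, a, b, expected: baseline[k], got: r });
      }
    }
  }
  return { cases: pairs.length, mismatches };
}

// The conversions the DoubleRep fix is about: a boolean operand must convert
// to 1.0 or 0.0, never to NaN, regardless of which tier executes the code.
function booleanSubtractions() {
  return {
    trueMinusInt: sub(true, 1),       // 0
    falseMinusHalf: sub(false, 0.5),  // -0.5
    trueMinusTrue: sub(true, true),   // 0
  };
}
```

        In the real harness the failure mode matters as much as the result: the entry notes
        that the test was changed to throw on any mismatch, because a stress-test runner
        only sees an exception, not printed output.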
1178
1179 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
1180
1181         CopyBarrier must be avoided for slow TypedArrays
1182         https://bugs.webkit.org/show_bug.cgi?id=150217
1183         rdar://problem/23128791
1184
1185         Reviewed by Michael Saboff.
1186
1187         Change how we access array buffer views so that we don't fire the barrier slow path, and
1188         don't mask off the spaceBits, if the view is not FastTypedArray. That's because in that case
1189         m_vector could be misaligned and so have meaningful non-space data in the spaceBits. Also in
1190         that case, m_vector does not point into copied space.
1191
1192         * dfg/DFGSpeculativeJIT.cpp:
1193         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1194         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1195         * ftl/FTLLowerDFGToLLVM.cpp:
1196         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
1197         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
1198         (JSC::FTL::DFG::LowerDFGToLLVM::isInToSpace):
1199         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
1200         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
1201         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
1202         (JSC::FTL::DFG::LowerDFGToLLVM::isFastTypedArray):
1203         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
1204         * heap/CopyBarrier.h:
1205         (JSC::CopyBarrierBase::getWithoutBarrier):
1206         (JSC::CopyBarrierBase::getPredicated):
1207         (JSC::CopyBarrierBase::get):
1208         (JSC::CopyBarrierBase::copyState):
1209         (JSC::CopyBarrier::get):
1210         (JSC::CopyBarrier::getPredicated):
1211         (JSC::CopyBarrier::set):
1212         * heap/Heap.cpp:
1213         (JSC::Heap::copyBarrier):
1214         * jit/AssemblyHelpers.cpp:
1215         (JSC::AssemblyHelpers::branchIfNotType):
1216         (JSC::AssemblyHelpers::branchIfFastTypedArray):
1217         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
1218         (JSC::AssemblyHelpers::loadTypedArrayVector):
1219         (JSC::AssemblyHelpers::purifyNaN):
1220         * jit/AssemblyHelpers.h:
1221         (JSC::AssemblyHelpers::branchStructure):
1222         (JSC::AssemblyHelpers::branchIfToSpace):
1223         (JSC::AssemblyHelpers::branchIfNotToSpace):
1224         (JSC::AssemblyHelpers::removeSpaceBits):
1225         (JSC::AssemblyHelpers::addressForByteOffset):
1226         * jit/JITPropertyAccess.cpp:
1227         (JSC::JIT::emitIntTypedArrayGetByVal):
1228         (JSC::JIT::emitFloatTypedArrayGetByVal):
1229         (JSC::JIT::emitIntTypedArrayPutByVal):
1230         (JSC::JIT::emitFloatTypedArrayPutByVal):
1231         * runtime/JSArrayBufferView.h:
1232         (JSC::JSArrayBufferView::vector):
1233         (JSC::JSArrayBufferView::length):
1234         * runtime/JSArrayBufferViewInlines.h:
1235         (JSC::JSArrayBufferView::byteOffset):
1236         * runtime/JSGenericTypedArrayView.h:
1237         (JSC::JSGenericTypedArrayView::typedVector):
1238         * runtime/JSGenericTypedArrayViewInlines.h:
1239         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
1240         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1241         * tests/stress/misaligned-int8-view-byte-offset.js: Added.
1242         * tests/stress/misaligned-int8-view-read.js: Added.
1243         * tests/stress/misaligned-int8-view-write.js: Added.
1244
1245 2015-10-16  Keith Miller  <keith_miller@apple.com>
1246
1247         Unreviewed. Build fix for 191215.
1248
1249         * jit/IntrinsicEmitter.cpp:
1250
1251 2015-10-16  Keith Miller  <keith@Keiths-MacBook-Pro-5.local>
1252
1253         Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties.
1254         https://bugs.webkit.org/show_bug.cgi?id=149687
1255
1256         Reviewed by Geoffrey Garen.
1257
1258         Add the ability to create intrinsic getters in both the inline cache and the DFG/FTL. When the
1259         getter fetched by a GetById has an intrinsic we know about we add a new intrinsic access case.
1260         Once we get to the DFG, we observe that the access case was an intrinsic and add an appropriate
1261         GetByIdVariant. We then parse the intrinsic into an appropriate DFG node.
1262
1263         The first intrinsics are the new TypedArray prototype getters length, byteLength, and byteOffset.
1264
1265         * CMakeLists.txt:
1266         * JavaScriptCore.xcodeproj/project.pbxproj:
1267         * bytecode/GetByIdStatus.cpp:
1268         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1269         (JSC::GetByIdStatus::computeFor):
1270         * bytecode/GetByIdVariant.cpp:
1271         (JSC::GetByIdVariant::GetByIdVariant):
1272         (JSC::GetByIdVariant::operator=):
1273         (JSC::GetByIdVariant::canMergeIntrinsicStructures):
1274         (JSC::GetByIdVariant::attemptToMerge):
1275         (JSC::GetByIdVariant::dumpInContext):
1276         * bytecode/GetByIdVariant.h:
1277         (JSC::GetByIdVariant::intrinsicFunction):
1278         (JSC::GetByIdVariant::intrinsic):
1279         (JSC::GetByIdVariant::callLinkStatus): Deleted.
1280         * bytecode/PolymorphicAccess.cpp:
1281         (JSC::AccessGenerationState::addWatchpoint):
1282         (JSC::AccessGenerationState::restoreScratch):
1283         (JSC::AccessGenerationState::succeed):
1284         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
1285         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1286         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1287         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
1288         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
1289         (JSC::AccessGenerationState::originalExceptionHandler):
1290         (JSC::AccessGenerationState::originalCallSiteIndex):
1291         (JSC::AccessCase::getIntrinsic):
1292         (JSC::AccessCase::clone):
1293         (JSC::AccessCase::visitWeak):
1294         (JSC::AccessCase::generate):
1295         (WTF::printInternal):
1296         (JSC::AccessCase::AccessCase): Deleted.
1297         (JSC::AccessCase::get): Deleted.
1298         (JSC::AccessCase::replace): Deleted.
1299         (JSC::AccessCase::transition): Deleted.
1300         * bytecode/PolymorphicAccess.h:
1301         (JSC::AccessCase::isGet):
1302         (JSC::AccessCase::isPut):
1303         (JSC::AccessCase::isIn):
1304         (JSC::AccessCase::intrinsicFunction):
1305         (JSC::AccessCase::intrinsic):
1306         (JSC::AccessGenerationState::AccessGenerationState):
1307         (JSC::AccessGenerationState::liveRegistersForCall):
1308         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
1309         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
1310         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
1311         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
1312         * bytecode/PutByIdVariant.h:
1313         (JSC::PutByIdVariant::intrinsic):
1314         * dfg/DFGAbstractInterpreterInlines.h:
1315         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1316         * dfg/DFGArrayMode.cpp:
1317         (JSC::DFG::ArrayMode::alreadyChecked):
1318         (JSC::DFG::arrayTypeToString):
1319         (JSC::DFG::toTypedArrayType):
1320         (JSC::DFG::refineTypedArrayType):
1321         (JSC::DFG::permitsBoundsCheckLowering):
1322         * dfg/DFGArrayMode.h:
1323         (JSC::DFG::ArrayMode::supportsLength):
1324         (JSC::DFG::ArrayMode::isSomeTypedArrayView):
1325         * dfg/DFGByteCodeParser.cpp:
1326         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1327         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1328         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1329         (JSC::DFG::ByteCodeParser::load):
1330         (JSC::DFG::ByteCodeParser::handleGetById):
1331         (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
1332         (JSC::DFG::ByteCodeParser::store): Deleted.
1333         * dfg/DFGClobberize.h:
1334         (JSC::DFG::clobberize):
1335         * dfg/DFGFixupPhase.cpp:
1336         (JSC::DFG::FixupPhase::fixupNode):
1337         (JSC::DFG::FixupPhase::convertToGetArrayLength): Deleted.
1338         (JSC::DFG::FixupPhase::prependGetArrayLength): Deleted.
1339         (JSC::DFG::FixupPhase::fixupChecksInBlock): Deleted.
1340         * dfg/DFGGraph.cpp:
1341         (JSC::DFG::Graph::tryGetFoldableView):
1342         * dfg/DFGPredictionPropagationPhase.cpp:
1343         (JSC::DFG::PredictionPropagationPhase::propagate):
1344         * dfg/DFGSpeculativeJIT.cpp:
1345         (JSC::DFG::SpeculativeJIT::checkArray):
1346         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1347         * ftl/FTLCapabilities.cpp:
1348         (JSC::FTL::canCompile):
1349         * ftl/FTLLowerDFGToLLVM.cpp:
1350         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetArrayLength):
1351         * jit/IntrinsicEmitter.cpp: Added.
1352         (JSC::AccessCase::canEmitIntrinsicGetter):
1353         (JSC::AccessCase::emitIntrinsicGetter):
1354         * jit/Repatch.cpp:
1355         (JSC::tryCacheGetByID):
1356         * runtime/Intrinsic.h:
1357         * runtime/JSArrayBufferView.cpp:
1358         (JSC::JSArrayBufferView::put):
1359         (JSC::JSArrayBufferView::defineOwnProperty):
1360         (JSC::JSArrayBufferView::deleteProperty):
1361         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1362         (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
1363         (JSC::JSArrayBufferView::finalize): Deleted.
1364         * runtime/JSDataView.cpp:
1365         (JSC::JSDataView::getOwnPropertySlot):
1366         (JSC::JSDataView::put):
1367         (JSC::JSDataView::defineOwnProperty):
1368         (JSC::JSDataView::deleteProperty):
1369         (JSC::JSDataView::getOwnNonIndexPropertyNames):
1370         * runtime/JSDataView.h:
1371         * runtime/JSFunction.h:
1372         * runtime/JSFunctionInlines.h:
1373         (JSC::JSFunction::intrinsic):
1374         * runtime/JSGenericTypedArrayView.h:
1375         * runtime/JSGenericTypedArrayViewInlines.h:
1376         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1377         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1378         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1379         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): Deleted.
1380         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
1381         * runtime/JSObject.cpp:
1382         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1383         * runtime/JSObject.h:
1384         * runtime/JSTypedArrayViewPrototype.cpp:
1385         (JSC::JSTypedArrayViewPrototype::finishCreation):
1386         * tests/stress/typedarray-add-property-to-base-object.js: Added.
1387         (body.foo):
1388         (body):
1389         * tests/stress/typedarray-bad-getter.js: Added.
1390         (body.foo):
1391         (body.get Bar):
1392         (body):
1393         * tests/stress/typedarray-getter-on-self.js: Added.
1394         (body.foo):
1395         (body.bar):
1396         (body.baz):
1397         (body.get for):
1398         (body):
1399         * tests/stress/typedarray-intrinsic-getters-change-prototype.js: Added.
1400         (body.foo):
1401         (body.bar):
1402         (body.baz):
1403         (body):
1404
1405 2015-10-16  Keith Miller  <keith_miller@apple.com>
1406
1407         Fix some issues with TypedArrays
1408         https://bugs.webkit.org/show_bug.cgi?id=150216
1409
1410         Reviewed by Geoffrey Garen.
1411
1412         This fixes a couple of issues:
1413         1) The DFG had a separate case for creating new TypedArrays in the DFG when the first argument is an object.
1414            Since the code for creating a TypedArray in the DFG is almost the same as the code in Baseline/LLInt,
1415            the two cases have been merged.
1416         2) If the length property on an object was unset then the construction could crash.
1417         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
1418            length of the source object when the source object is a TypedArray.
1419         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
1420            Instead of checking for having a bad time, we should have checked that the Indexing type did not allow for
1421            indexed accessors.
1422
1423         * dfg/DFGOperations.cpp:
1424         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1425         (JSC::constructGenericTypedArrayViewWithArguments):
1426         (JSC::constructGenericTypedArrayView):
1427         (JSC::constructGenericTypedArrayViewWithFirstArgument): Deleted.
1428
1429 2015-10-16  Anders Carlsson  <andersca@apple.com>
1430
1431         Fix Windows build.
1432
1433         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1434         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1435
1436 2015-10-16  Michael Saboff  <msaboff@apple.com>
1437
1438         REGRESSION (r191175): Still crashing when clicking back button on netflix.com
1439         https://bugs.webkit.org/show_bug.cgi?id=150251
1440
1441         Rubber stamped by Filip Pizlo.
1442
1443         Turning off Tail Calls and disabling tests until the crash is fixed.
1444
1445         * runtime/Options.h:
1446         * tests/es6.yaml:
1447         * tests/stress/dfg-tail-calls.js:
1448         (nonInlinedTailCall.callee):
1449         * tests/stress/mutual-tail-call-no-stack-overflow.js:
1450         (shouldThrow):
1451         * tests/stress/tail-call-in-inline-cache.js:
1452         (tail):
1453         * tests/stress/tail-call-no-stack-overflow.js:
1454         (shouldThrow):
1455         * tests/stress/tail-call-recognize.js:
1456         (callerMustBeRun):
1457         * tests/stress/tail-call-varargs-no-stack-overflow.js:
1458         (shouldThrow):
1459
1460 2015-10-16  Mark Lam  <mark.lam@apple.com>
1461
1462         Add MacroAssembler::callProbe() for supporting lambda JIT probes.
1463         https://bugs.webkit.org/show_bug.cgi?id=150186
1464
1465         Reviewed by Geoffrey Garen.
1466
1467         With callProbe(), we can now make probes that are lambdas.  For example, we can
1468         now conveniently add probes like so:
1469
1470             // When you know exactly which register you want to inspect:
1471             jit.callProbe([] (MacroAssembler::ProbeContext* context) {
1472                 intptr_t value = reinterpret_cast<intptr_t>(context->cpu.eax);
1473                 dataLogF("eax %p\n", context->cpu.eax); // Inspect the register.
1474                 ASSERT(value > 10); // Add test code for debugging.
1475             });
1476
1477             // When you want to inspect whichever register the JIT allocated:
1478             auto reg = op1.gpr();
1479             jit.callProbe([reg] (MacroAssembler::ProbeContext* context) {
1480                 intptr_t value = reinterpret_cast<intptr_t>(context->gpr(reg));
1481                 dataLogF("reg %s: %ld\n", context->gprName(reg), value);
1482                 ASSERT(value > 10);
1483             });
1484
1485         callProbe() is only meant to be used for debugging sessions.  It is not
1486         appropriate to use it in permanent code (even for debug builds).
1487         This is because:
1488         1. The probe mechanism saves and restores all (and I really mean "all")
1489            registers, and is inherently slow.
1490         2. callProbe() currently works by allocating (via new) a std::function to
1491            guarantee that it is persisted for the duration that the JIT generated code is
1492            live.  We don't currently ever delete it, i.e. it leaks a bit of memory each
1493            time the JIT generates code that contains such a lambda probe.
1494
1495         These limitations are acceptable for a debugging session (assuming you're not
1496         debugging a memory leak), but not for deployment code.  If there's a need, we can
1497         plug that leak in another patch.
1498
1499         * assembler/AbstractMacroAssembler.h:
1500         (JSC::AbstractMacroAssembler::CPUState::fpr):
1501         - Removed an unnecessary empty line.
1502         (JSC::AbstractMacroAssembler::ProbeContext::gpr):
1503         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
1504         (JSC::AbstractMacroAssembler::ProbeContext::gprName):
1505         (JSC::AbstractMacroAssembler::ProbeContext::fprName):
1506         - Added some convenience functions that will make using the probe mechanism
1507           easier.
1508
1509         * assembler/MacroAssembler.cpp:
1510         (JSC::StdFunctionData::StdFunctionData):
1511         (JSC::stdFunctionCallback):
1512         (JSC::MacroAssembler::callProbe):
1513         * assembler/MacroAssembler.h:
1514
1515 2015-10-16  Andreas Kling  <akling@apple.com>
1516
1517         Remove unused StructureRareData::m_cachedGenericPropertyNameEnumerator.
1518         <https://webkit.org/b/150244>
1519
1520         Reviewed by Geoffrey Garen.
1521
1522         Remove an unused field from StructureRareData.
1523
1524         * runtime/StructureRareData.cpp:
1525         (JSC::StructureRareData::visitChildren): Deleted.
1526         * runtime/StructureRareData.h:
1527
1528 2015-10-16  Keith Miller  <keith_miller@apple.com>
1529
1530         Unreviewed, rolling out r191190.
1531
1532         Patch needs some design changes.
1533
1534         Reverted changeset:
1535
1536         "Fix some issues with TypedArrays"
1537         https://bugs.webkit.org/show_bug.cgi?id=150216
1538         http://trac.webkit.org/changeset/191190
1539
1540 2015-10-16  Mark Lam  <mark.lam@apple.com>
1541
1542         Move all the probe trampolines into their respective MacroAssembler files.
1543         https://bugs.webkit.org/show_bug.cgi?id=150239
1544
1545         Reviewed by Saam Barati.
1546
1547         This patch does not introduce any behavior changes.  It only moves the
1548         ctiMasmProbeTrampoline implementations from the respective JITStubs<CPU>.h
1549         files to the corresponding MacroAssembler<CPU>.cpp files.
1550
1551         I also had to make some minor changes to get the code to build after this move:
1552         1. Added #include <wtf/InlineASM.h> in the MacroAssembler<CPU>.cpp files
1553            because the ctiMasmProbeTrampoline is an inline assembly blob.
1554         2. In the moved code, convert MacroAssembler:: qualifiers to the CPU specific
1555            MacroAssembler equivalent.  The referenced entities were always defined in
1556            the CPU specific MacroAssembler anyway, and indirectly referenced through
1557            the generic MacroAssembler.
1558
1559         With this, we can get rid of all the JITStubs<CPU>.cpp files.  There is one
1560         exception: JITStubsMSVC64.asm.  However, that one is unrelated to the probe
1561         mechanism.  So, I'll leave it as is.
1562
1563         We can also remove JITStubs.cpp and JITStubs.h which are now empty except for
1564         some stale unused code.
1565
1566         This patch has been build tested for x86, x86_64, armv7, and arm64.
1567
1568         * CMakeLists.txt:
1569         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1570         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1571         * JavaScriptCore.xcodeproj/project.pbxproj:
1572         * assembler/MacroAssemblerARM.cpp:
1573         (JSC::MacroAssemblerARM::probe):
1574         * assembler/MacroAssemblerARM64.cpp:
1575         (JSC::arm64ProbeTrampoline):
1576         (JSC::MacroAssemblerARM64::probe):
1577         * assembler/MacroAssemblerARMv7.cpp:
1578         (JSC::MacroAssemblerARMv7::probe):
1579         * assembler/MacroAssemblerX86Common.cpp:
1580         * bytecode/CodeBlock.cpp:
1581         * ftl/FTLCompile.cpp:
1582         * ftl/FTLLink.cpp:
1583         * jit/JITArithmetic.cpp:
1584         * jit/JITArithmetic32_64.cpp:
1585         * jit/JITCode.h:
1586         * jit/JITExceptions.cpp:
1587         * jit/JITStubs.cpp: Removed.
1588         * jit/JITStubs.h: Removed.
1589         * jit/JITStubsARM.h: Removed.
1590         * jit/JITStubsARM64.h: Removed.
1591         * jit/JITStubsARMv7.h: Removed.
1592         * jit/JITStubsX86.h: Removed.
1593         * jit/JITStubsX86Common.h: Removed.
1594         * jit/JITStubsX86_64.h: Removed.
1595         * jit/JSInterfaceJIT.h:
1596         * llint/LLIntOffsetsExtractor.cpp:
1597         * runtime/CommonSlowPaths.cpp:
1598
1599 2015-10-16  Keith Miller  <keith_miller@apple.com>
1600
1601         Fix some issues with TypedArrays
1602         https://bugs.webkit.org/show_bug.cgi?id=150216
1603
1604         Reviewed by Michael Saboff.
1605
1606         This fixes a couple of issues:
1607         1) The DFG had a separate case for creating new TypedArrays in the DFG when the first argument is an object.
1608            Since the code for creating a TypedArray in the DFG is almost the same as the code in Baseline/LLInt,
1609            the two cases have been merged.
1610         2) If the length property on an object was unset then the construction could crash.
1611         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
1612            length of the source object when the source object is a TypedArray.
1613         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
1614            Instead of checking for having a bad time, we should have checked that the Indexing type did not allow for
1615            indexed accessors.
1616
1617         * dfg/DFGOperations.cpp:
1618         (JSC::DFG::newTypedArrayWithOneArgument): Deleted.
1619         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1620         (JSC::constructGenericTypedArrayViewFromIterator):
1621         (JSC::constructGenericTypedArrayViewWithFirstArgument):
1622         (JSC::constructGenericTypedArrayView):
1623         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1624         (JSC::genericTypedArrayViewProtoFuncSet):
1625         * tests/stress/typedarray-construct-iterator.js: Added.
1626         (iterator.return.next):
1627         (iterator):
1628         (body):
1629
1630 2015-10-15  Michael Saboff  <msaboff@apple.com>
1631
1632         REGRESSION (r190289): Repro crash clicking back button on netflix.com
1633         https://bugs.webkit.org/show_bug.cgi?id=150220
1634
1635         Reviewed by Geoffrey Garen.
1636
1637         Since constructors check for a valid new "this" object and return it, we can't make
1638         a tail call to another function from within a constructor.
1639
1640         Re-enabled the tail calls and the related tail call tests.
1641
1642         Did some other miscellaneous clean up in the tail call code as part of the debugging.
1643
1644         * bytecompiler/BytecodeGenerator.cpp:
1645         (JSC::BytecodeGenerator::BytecodeGenerator):
1646         * ftl/FTLLowerDFGToLLVM.cpp:
1647         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
1648         * interpreter/Interpreter.h:
1649         (JSC::calleeFrameForVarargs):
1650         * runtime/Options.h:
1651         * tests/es6.yaml:
1652         * tests/stress/dfg-tail-calls.js:
1653         (nonInlinedTailCall.callee):
1654         * tests/stress/mutual-tail-call-no-stack-overflow.js:
1655         (shouldThrow):
1656         * tests/stress/tail-call-in-inline-cache.js:
1657         (tail):
1658         * tests/stress/tail-call-no-stack-overflow.js:
1659         (shouldThrow):
1660         * tests/stress/tail-call-recognize.js:
1661         (callerMustBeRun):
1662         * tests/stress/tail-call-varargs-no-stack-overflow.js:
1663         (shouldThrow):
1664
1665 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1666
1667         Unreviewed. Attempted EFL build fix 2 after r191159.
1668
1669         * PlatformEfl.cmake:
1670
1671 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1672
1673         Unreviewed. Attempted EFL build fix after r191159.
1674
1675         * PlatformEfl.cmake:
1676
1677 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1678
1679         Unreviewed. Build fix after r191160.
1680
1681         * inspector/agents/InspectorHeapAgent.cpp:
1682         (Inspector::InspectorHeapAgent::didGarbageCollect):
1683
1684 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1685
1686         Unreviewed. Revert part of r191159 which caused ASSERTs.
1687
1688         A review comment suggested using WeakPtr. It is not suitable
1689         here and causes ASSERTs across threads. Will address separately.
1690
1691         * inspector/agents/InspectorHeapAgent.h:
1692         * inspector/agents/InspectorHeapAgent.cpp:
1693         (Inspector::InspectorHeapAgent::didGarbageCollect):
1694         (Inspector::InspectorHeapAgent::InspectorHeapAgent): Deleted.
1695
1696 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1697
1698         Web Inspector: Include Garbage Collection Event in Timeline
1699         https://bugs.webkit.org/show_bug.cgi?id=142510
1700
1701         Reviewed by Geoffrey Garen and Brian Burg.
1702
1703         * CMakeLists.txt:
1704         * DerivedSources.make:
1705         * JavaScriptCore.xcodeproj/project.pbxproj:
1706         Include new files in the build.
1707
1708         * heap/HeapObserver.h:
1709         (JSC::HeapObserver::~HeapObserver):
1710         * heap/Heap.cpp:
1711         (JSC::Heap::willStartCollection):
1712         (JSC::Heap::didFinishCollection):
1713         * heap/Heap.h:
1714         (JSC::Heap::addObserver):
1715         (JSC::Heap::removeObserver):
1716         Allow observers on heap to add hooks for starting / ending garbage collection.
1717
1718         * inspector/InspectorEnvironment.h:
1719         * inspector/JSGlobalObjectInspectorController.cpp:
1720         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1721         (Inspector::JSGlobalObjectInspectorController::vm):
1722         * inspector/JSGlobalObjectInspectorController.h:
1723         Access the VM through the InspectorEnvironment as it won't change.
1724
1725         * inspector/agents/InspectorHeapAgent.cpp: Added.
1726         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1727         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
1728         (Inspector::InspectorHeapAgent::didCreateFrontendAndBackend):
1729         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
1730         (Inspector::InspectorHeapAgent::enable):
1731         (Inspector::InspectorHeapAgent::disable):
1732         (Inspector::InspectorHeapAgent::gc):
1733         (Inspector::protocolTypeForHeapOperation):
1734         (Inspector::InspectorHeapAgent::willGarbageCollect):
1735         (Inspector::InspectorHeapAgent::didGarbageCollect):
1736         * inspector/agents/InspectorHeapAgent.h: Added.
1737         * inspector/protocol/Heap.json: Added.
1738         New domain and agent to handle tasks related to the JavaScriptCore heap.
1739
1740 2015-10-15  Commit Queue  <commit-queue@webkit.org>
1741
1742         Unreviewed, rolling out r191135.
1743         https://bugs.webkit.org/show_bug.cgi?id=150197
1744
1745         This patch causes 50+ LayoutTest crashes related to the
1746         inspector (Requested by ryanhaddad on #webkit).
1747
1748         Reverted changeset:
1749
1750         "Web Inspector: JavaScriptCore should parse sourceURL and
1751         sourceMappingURL directives"
1752         https://bugs.webkit.org/show_bug.cgi?id=150096
1753         http://trac.webkit.org/changeset/191135
1754
1755 2015-10-15  Geoffrey Garen  <ggaren@apple.com>
1756
1757         Unreviewed, rolling out r191003.
1758         https://bugs.webkit.org/show_bug.cgi?id=150042
1759
1760         We're seeing some crashes in GC beneath speculationFromCell. Maybe this
1761         patch caused them?
1762
1763         Reverted changeset:
1764
1765         CodeBlock write barriers should be precise
1766         https://bugs.webkit.org/show_bug.cgi?id=150042
1767         http://trac.webkit.org/changeset/191003
1768
1769 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1770
1771         Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
1772         https://bugs.webkit.org/show_bug.cgi?id=150096
1773
1774         Reviewed by Geoffrey Garen.
1775
1776         * inspector/ContentSearchUtilities.cpp:
1777         (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
1778         (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
1779         (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
1780         * inspector/ContentSearchUtilities.h:
1781         No longer need to search script content.
1782
1783         * inspector/ScriptDebugServer.cpp:
1784         (Inspector::ScriptDebugServer::dispatchDidParseSource):
1785         Carry over the sourceURL and sourceMappingURL from the SourceProvider.
1786
1787         * inspector/agents/InspectorDebuggerAgent.cpp:
1788         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
1789         (Inspector::InspectorDebuggerAgent::didParseSource):
1790         No longer do content searching.
1791
1792         * parser/Lexer.cpp:
1793         (JSC::Lexer<T>::setCode):
1794         (JSC::Lexer<T>::skipWhitespace):
1795         (JSC::Lexer<T>::parseCommentDirective):
1796         (JSC::Lexer<T>::parseCommentDirectiveValue):
1797         (JSC::Lexer<T>::consume):
1798         (JSC::Lexer<T>::lex):
1799         * parser/Lexer.h:
1800         (JSC::Lexer::sourceURL):
1801         (JSC::Lexer::sourceMappingURL):
1802         (JSC::Lexer::sourceProvider): Deleted.
1803         Give lexer the ability to detect script comment directives.
1804         This just consumes characters in single line comments and
1805         ultimately sets the sourceURL or sourceMappingURL found.
1806
1807         * parser/Parser.h:
1808         (JSC::Parser<LexerType>::parse):
1809         * parser/SourceProvider.h:
1810         (JSC::SourceProvider::url):
1811         (JSC::SourceProvider::sourceURL):
1812         (JSC::SourceProvider::sourceMappingURL):
1813         (JSC::SourceProvider::setSourceURL):
1814         (JSC::SourceProvider::setSourceMappingURL):
1815         After parsing a script, update the Source Provider with the
1816         value of directives that may have been found in the script.
1817
1818 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
1819
1820         InferredTypeTable should ref its keys
1821         https://bugs.webkit.org/show_bug.cgi?id=150138
1822         rdar://problem/23080555
1823
1824         Reviewed by Michael Saboff.
1825
1826         InferredTypeTable was incorrectly using key hash traits that caused the underlying HashTable to
1827         store keys as UniquedStringImpl* rather than RefPtr<UniquedStringImpl>, even though the HashMap's
1828         nominal key type was RefPtr<UniquedStringImpl>. This arose because I copy-pasted the HashMap type
1829         instantiation from other places and then made random changes to adapt it to my needs, rather than
1830         actually thinking about what I was doing. The solution is to remove the key hash traits argument,
1831         since all it accomplishes is to produce this bug.
1832
1833         The way this bug manifested is probably best described in http://webkit.org/b/150008. After a while
1834         the InferredTypeTable would have dangling references to its strings, if some recompilation or other
1835         thing caused us to drop all other references to those strings. InferredTypeTable is particularly
1836         susceptible to this because it is designed to know about a superset of the property names that its
1837         client Structures know about. The debug assert would then happen when we rehashed the
1838         InferredTypeTable's HashMap, because we'd try to get the hashes of strings that were already
1839         deleted. AFAICT, we didn't have release crashes arising from those strings' memory being returned
1840         to the OS - but it's totally possible that this could have happened. So, we definitely should treat
1841         this bug as more than just a debug issue.
1842
1843         Interestingly, we could have also solved this problem by changing the hash function to use PtrHash.
1844         In all other ways, it's OK for InferredTypeTable to hold dangling references, since it uses the
1845         address of the UniquedStringImpl as a way to name an abstract heap. It's fine if the name of an
1846         abstract heap is a bogus memory address, and it's also fine if that name referred to an entirely
1847         different UniquedStringImpl at some point in the past. That's a nice benefit of any data structure
1848         that keys by abstract heap - if two of them get unified then it's no big deal. I've filed another
1849         bug, http://webkit.org/b/150137 about changing all of our UniquedStringImpl* hashing to use
1850         PtrHash.
1851
1852         * runtime/Identifier.h: Add a comment about http://webkit.org/b/150137.
1853         * runtime/InferredTypeTable.h: Fix the bug.
1854         * tests/stress/inferred-type-table-stale-identifiers.js: Added. I couldn't get this to cause a crash before my change, but it's an interesting test nonetheless.
1855
1856 2015-10-15  Mark Lam  <mark.lam@apple.com>
1857
1858         Add MASM_PROBE support for ARM64.
1859         https://bugs.webkit.org/show_bug.cgi?id=150128
1860
1861         Reviewed by Michael Saboff.
1862
1863         * JavaScriptCore.xcodeproj/project.pbxproj:
1864         * assembler/ARM64Assembler.h:
1865         - Convert the ARM64 registers enum list into a macro list so that we can use
1866           it elsewhere e.g. to declare fields in the probe CPUState.
1867           Also de-tabbed the contents of the ARM64Registers namespace since the enum
1868           list change touches almost all of it anyway. This reduces the number of
1869           complaints from the style checker.
1870
1871         * assembler/AbstractMacroAssembler.h:
1872         (JSC::AbstractMacroAssembler::CPUState::registerName):
1873         (JSC::AbstractMacroAssembler::CPUState::registerValue):
1874         - Change CPUState methods to allow for register IDs that do not map to one of
1875           its fields. This is needed because ARM64's registers include aliases for some
1876           register names. The CPUState will not allocate separate storage for the
1877           aliases.
1878
1879         * assembler/MacroAssemblerARM64.cpp: Added.
1880         (JSC::arm64ProbeTrampoline):
1881         - Unlike the probe mechanism for other CPUs, the ARM64 implementation does not
1882           allow the probe function to modify the sp and pc registers.  We insert this
1883           wrapper function between ctiMasmProbeTrampoline() and the user's probe function
1884           so that we can check if the user tried to modify sp and pc.  If so, we will
1885           print an error message so that we can alert the user that we don't support
1886           that on ARM64.
1887
1888           See the comment in ctiMasmProbeTrampoline() in JITStubsARM64.h for details
1889           on why we cannot support sp and pc modifications by the probe function.
1890
1891         (JSC::MacroAssemblerARM64::probe):
1892
1893         * assembler/MacroAssemblerARM64.h:
1894         (JSC::MacroAssemblerARM64::repatchCall):
1895         (JSC::MacroAssemblerARM64::makeBranch):
1896         * jit/JITStubs.cpp:
1897         * jit/JITStubsARM64.h: Added.
1898
1899 2015-10-15  Mark Lam  <mark.lam@apple.com>
1900
1901         Fix some typos in comments.
1902         https://bugs.webkit.org/show_bug.cgi?id=150181
1903
1904         Rubber stamped by Michael Saboff.
1905
1906         * jit/JITStubsARM.h:
1907         * jit/JITStubsARMv7.h:
1908
1909 2015-10-15  Mark Lam  <mark.lam@apple.com>
1910
1911         Refactoring: give the MASM probe CPUState methods shorter names.
1912         https://bugs.webkit.org/show_bug.cgi?id=150177
1913
1914         Reviewed by Michael Saboff.
1915
1916         The existing names are longer than they need to be.  Renaming them as follows:
1917             For GPR, registerName ==> gprName
1918             For GPR, registerValue ==> gpr
1919             For FPR, registerName ==> fprName
1920             For FPR, registerValue ==> fpr
1921
1922         * assembler/AbstractMacroAssembler.h:
1923         (JSC::AbstractMacroAssembler::CPUState::gprName):
1924         (JSC::AbstractMacroAssembler::CPUState::fprName):
1925         (JSC::AbstractMacroAssembler::CPUState::gpr):
1926         (JSC::AbstractMacroAssembler::CPUState::fpr):
1927         (JSC::AbstractMacroAssembler::CPUState::registerName): Deleted.
1928         (JSC::AbstractMacroAssembler::CPUState::registerValue): Deleted.
1929
1930         * assembler/MacroAssemblerPrinter.cpp:
1931         (JSC::printRegister):
1932         (JSC::printMemory):
1933         - Updated to use the new names.
1934
1935 2015-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1936
1937         [ES6] Class expression should have lexical environment that has itself as an immutable binding
1938         https://bugs.webkit.org/show_bug.cgi?id=150089
1939
1940         Reviewed by Geoffrey Garen.
1941
1942         According to the ES6 spec, a class expression has its own lexical environment that holds itself
1943         as an immutable binding [1] (section 14.5.14, steps 2, 3, 4, 23).
1944
1945         As a result, even if the binding declared in the outer scope is overridden, methods inside the
1946         class expression can refer to its class by the class name.
1947
1948         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
1949
1950         * bytecompiler/NodesCodegen.cpp:
1951         (JSC::ClassExprNode::emitBytecode):
1952         * parser/ASTBuilder.h:
1953         (JSC::ASTBuilder::createClassExpr):
1954         * parser/NodeConstructors.h:
1955         (JSC::ClassExprNode::ClassExprNode):
1956         * parser/Nodes.h:
1957         * parser/Parser.cpp:
1958         (JSC::Parser<LexerType>::parseClass):
1959         * parser/SyntaxChecker.h:
1960         (JSC::SyntaxChecker::createClassExpr):
1961         * tests/es6.yaml:
1962         * tests/stress/class-expression-generates-environment.js: Added.
1963         (shouldBe):
1964         (shouldThrow):
1965         (prototype.method):
1966         (staticMethod):
1967         (A.prototype.method):
1968         (A.staticMethod):
1969         (A):
1970         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
1971         (shouldThrow):
1972         (shouldThrow.A):
1973
1974 2015-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1975
1976         [ES6] Class method should not declare any variables to upper scope.
1977         https://bugs.webkit.org/show_bug.cgi?id=150115
1978
1979         Reviewed by Geoffrey Garen.
1980
1981         In the current implementation, class methods attempt to declare variables in an upper scope with their method names.
1982         But this is not the specified behavior in the ES6 spec.
1983
1984         And as a result, previously, we attempted to declare variables with invalid identifiers.
1985         For example, `class A { 1() { } }` attempts to declare a variable with the name `1`.
1986         This (declaring variables with incorrect names) is not allowed in the lexical environment.
1987         And it fires assertions in https://bugs.webkit.org/show_bug.cgi?id=150089.
1988
1989         * parser/Parser.cpp:
1990         (JSC::Parser<LexerType>::parseClass): Deleted.
1991         * tests/stress/class-method-does-not-declare-variable-to-upper-scope.js: Added.
1992         (shouldBe):
1993         (A.prototype.method):
1994         (A.staticMethod):
1995         (A):
1996
1997 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1998
1999         REGRESSION: Web Inspector hangs for many seconds when trying to reload page
2000         https://bugs.webkit.org/show_bug.cgi?id=150065
2001
2002         Reviewed by Mark Lam.
2003
2004         When debugging Web Pages, the same Debugger (PageScriptDebugServer) is
2005         attached to each of the different JSGlobalObjects on the page. This could
2006         mean multiple frames or isolated scripting contexts. Therefore we should
2007         only need to send sourceParsed events to the frontend for scripts within
2008         this new JSGlobalObject, not any JSGlobalObject that has this debugger.
2009
2010         * debugger/Debugger.cpp:
2011         (JSC::Debugger::attach):
2012         Only send sourceParsed events for Scripts in this JSGlobalObject.
2013
2014 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
2015
2016         Remove unimplemented methods in CopiedSpace
2017         https://bugs.webkit.org/show_bug.cgi?id=150143
2018
2019         Reviewed by Andreas Kling.
2020
2021         * heap/CopiedSpace.h:
2022
2023 2015-10-14  Brent Fulgham  <bfulgham@apple.com>
2024
2025         [Win] Enforce launcher/library naming scheme
2026         https://bugs.webkit.org/show_bug.cgi?id=150124
2027
2028         Reviewed by Alex Christensen.
2029
2030         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Look for
2031         {name}Lib.dll instead of {name}.dll.
2032         (wWinMain):
2033         * shell/PlatformWin.cmake: Add 'Lib' suffix to DLLs.
2034
2035 2015-10-14  Keith Miller  <keith_miller@apple.com>
2036
2037         ES6 Fix TypedArray constructors.
2038         https://bugs.webkit.org/show_bug.cgi?id=149975
2039
2040         Reviewed by Geoffrey Garen.
2041
2042         The ES6 spec requires that any object argument passed to a TypedArray constructor that is not a TypedArray
2043         and has an iterator should use the iterator to construct the TypedArray. To avoid performance regressions related
2044         to iterating we check if the iterator attached to the object points to the generic array iterator and length is a value.
2045         If so, we do not use the iterator since there should be no observable difference. Another interesting note is
2046         that the ES6 spec has the of and from functions on a shared constructor between all the TypedArray constructors.
2047         When the TypedArray is constructed the expectation is to crawl the prototype chain of the this value
2048         passed to the function. If the function finds a known TypedArray constructor (Int32Array, Float64Array,...) then
2049         it creates a TypedArray of that type. This is implemented by adding a private function (@allocateTypedArray) to each
2050         of the constructors that can be called in order to construct the array. By using the private functions the JIT should
2051         hopefully be able to optimize this to a direct call.
2052
2053         * CMakeLists.txt:
2054         * JavaScriptCore.xcodeproj/project.pbxproj:
2055         * builtins/TypedArrayConstructor.js: Added.
2056         (of):
2057         (from):
2058         (allocateInt8Array):
2059         (allocateInt16Array):
2060         (allocateInt32Array):
2061         (allocateUint32Array):
2062         (allocateUint16Array):
2063         (allocateUint8Array):
2064         (allocateUint8ClampedArray):
2065         (allocateFloat32Array):
2066         (allocateFloat64Array):
2067         * runtime/CommonIdentifiers.h:
2068         * runtime/JSDataView.cpp:
2069         (JSC::JSDataView::setIndex):
2070         * runtime/JSDataView.h:
2071         * runtime/JSGenericTypedArrayView.h:
2072         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
2073         * runtime/JSGenericTypedArrayViewConstructor.h:
2074         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2075         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2076         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::create):
2077         (JSC::constructGenericTypedArrayViewFromIterator):
2078         (JSC::constructGenericTypedArrayView):
2079         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2080         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2081         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2082         * runtime/JSGlobalObject.cpp:
2083         (JSC::JSGlobalObject::init):
2084         * runtime/JSTypedArrayViewConstructor.cpp: Added.
2085         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
2086         (JSC::JSTypedArrayViewConstructor::finishCreation):
2087         (JSC::JSTypedArrayViewConstructor::create):
2088         (JSC::JSTypedArrayViewConstructor::createStructure):
2089         (JSC::constructTypedArrayView):
2090         (JSC::JSTypedArrayViewConstructor::getConstructData):
2091         (JSC::JSTypedArrayViewConstructor::getCallData):
2092         * runtime/JSTypedArrayViewConstructor.h: Copied from Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructor.h.
2093         * runtime/JSTypedArrayViewPrototype.cpp:
2094         (JSC::JSTypedArrayViewPrototype::create):
2095         * tests/es6.yaml:
2096         * tests/stress/resources/typedarray-constructor-helper-functions.js: Added.
2097         (forEachTypedArray):
2098         (hasSameValues):
2099         (foo):
2100         (testConstructorFunction):
2101         (testConstructor):
2102         * tests/stress/typedarray-constructor.js: Added.
2103         (A):
2104         (iterator.return.next):
2105         (iterator):
2106         (obj.valueOf):
2107         (iterator2.return.next):
2108         (iterator2):
2109         * tests/stress/typedarray-from.js: Added.
2110         (even):
2111         (isBigEnoughAndException):
2112         * tests/stress/typedarray-of.js: Added.
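
The following is an added example, not code from the WebKit ChangeLog or the JSC test suite. It exercises the ES6 TypedArray constructor behaviour the entry above describes (iterator-driven construction, the unobservable array fast path, `from`/`of` living on the shared constructor, and ToNumber coercion of elements); the subclass name `Floats` and the sample inputs are constructed for the example.

```javascript
// Added example: ES6 TypedArray constructor semantics as described in the
// ChangeLog entry above. Not code from WebKit/JSC; all inputs are constructed.

// A non-TypedArray object that has an iterator is consumed through that
// iterator, even though it also carries a `length` and indexed properties.
function constructFromCustomIterator() {
  const source = { length: 2, 0: 100, 1: 200 };
  source[Symbol.iterator] = function* () { yield 1; yield 2; yield 3; };
  const view = new Int32Array(source);
  return Array.from(view);                 // [1, 2, 3], not [100, 200]
}

// The fast path for plain arrays (generic array iterator + numeric length)
// must be unobservable: an array and an equivalent array-like give the same
// contents.
function arrayAndArrayLikeAgree() {
  const fromArray = new Uint8Array([5, 6, 7]);
  const fromArrayLike = new Uint8Array({ length: 3, 0: 5, 1: 6, 2: 7 });
  return Array.from(fromArray).join() === Array.from(fromArrayLike).join();
}

// `from` and `of` are defined once on the shared %TypedArray% constructor,
// so every concrete constructor inherits the very same function objects.
function fromIsSharedAcrossConstructors() {
  return Int8Array.from === Float64Array.from
      && Int8Array.of === Uint8ClampedArray.of
      && Object.getPrototypeOf(Int8Array) === Object.getPrototypeOf(Float64Array);
}

// `from`/`of` pick the element type from the `this` value's prototype chain:
// a subclass of Float64Array (constructed here for the example) yields a
// Float64Array-typed result, and `from` applies the optional map function.
function fromAndOfUseThisPrototypeChain() {
  class Floats extends Float64Array {}
  const viaFrom = Floats.from([1.5, 2.5], x => x * 2);   // [3, 5]
  const viaOf = Floats.of(1, 2, 3);
  return viaFrom instanceof Float64Array && viaFrom[1] === 5
      && viaOf instanceof Float64Array && viaOf.length === 3;
}

// Elements pulled from the iterator go through ToNumber (valueOf, string
// parsing, boolean conversion) before being stored.
function elementsAreCoercedWithToNumber() {
  const obj = { valueOf() { return 42; } };
  const view = new Uint16Array([obj, "7", true]);
  return view[0] === 42 && view[1] === 7 && view[2] === 1;
}
```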
2113
2114 2015-10-14  Mark Lam  <mark.lam@apple.com>
2115
2116         Rename some JSC option names to be more uniform.
2117         https://bugs.webkit.org/show_bug.cgi?id=150127
2118
2119         Reviewed by Geoffrey Garen.
2120
2121         Renaming JSC_enableXXX options to JSC_useXXX, and JSC_showXXX options to JSC_dumpXXX.
2122         Also renaming a few other miscellaneous options to abide by this scheme.
2123
2124         Also renaming some functions to match the option names where relevant.
2125
2126         * API/tests/ExecutionTimeLimitTest.cpp:
2127         (testExecutionTimeLimit):
2128         * assembler/AbstractMacroAssembler.h:
2129         (JSC::optimizeForARMv7IDIVSupported):
2130         (JSC::optimizeForARM64):
2131         (JSC::optimizeForX86):
2132         * assembler/LinkBuffer.cpp:
2133         (JSC::shouldDumpDisassemblyFor):
2134         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
2135         (JSC::shouldShowDisassemblyFor): Deleted.
2136         * assembler/LinkBuffer.h:
2137         * bytecode/CodeBlock.cpp:
2138         (JSC::CodeBlock::jettison):
2139         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2140         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2141         * bytecompiler/BytecodeGenerator.cpp:
2142         (JSC::BytecodeGenerator::BytecodeGenerator):
2143         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2144         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
2145         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2146         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2147         * dfg/DFGByteCodeParser.cpp:
2148         (JSC::DFG::ByteCodeParser::handleInlining):
2149         (JSC::DFG::ByteCodeParser::handleGetById):
2150         (JSC::DFG::ByteCodeParser::handlePutById):
2151         (JSC::DFG::ByteCodeParser::parse):
2152         * dfg/DFGCommon.h:
2153         (JSC::DFG::leastUpperBound):
2154         (JSC::DFG::shouldDumpDisassembly):
2155         (JSC::DFG::shouldShowDisassembly): Deleted.
2156         * dfg/DFGDriver.cpp:
2157         (JSC::DFG::compileImpl):
2158         * dfg/DFGJITCompiler.cpp:
2159         (JSC::DFG::JITCompiler::JITCompiler):
2160         (JSC::DFG::JITCompiler::disassemble):
2161         * dfg/DFGJumpReplacement.cpp:
2162         (JSC::DFG::JumpReplacement::fire):
2163         * dfg/DFGOSREntry.cpp:
2164         (JSC::DFG::prepareOSREntry):
2165         * dfg/DFGOSRExitCompiler.cpp:
2166         * dfg/DFGOSRExitFuzz.h:
2167         (JSC::DFG::doOSRExitFuzzing):
2168         * dfg/DFGPlan.cpp:
2169         (JSC::DFG::Plan::compileInThreadImpl):
2170         * dfg/DFGSpeculativeJIT.cpp:
2171         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2172         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2173         (JSC::DFG::TierUpCheckInjectionPhase::run):
2174         * ftl/FTLCompile.cpp:
2175         (JSC::FTL::mmAllocateDataSection):
2176         * ftl/FTLJITCode.cpp:
2177         (JSC::FTL::JITCode::~JITCode):
2178         * ftl/FTLLowerDFGToLLVM.cpp:
2179         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2180         * ftl/FTLOSRExitCompiler.cpp:
2181         (JSC::FTL::compileStub):
2182         (JSC::FTL::compileFTLOSRExit):
2183         * ftl/FTLState.h:
2184         (JSC::FTL::verboseCompilationEnabled):
2185         (JSC::FTL::shouldDumpDisassembly):
2186         (JSC::FTL::shouldShowDisassembly): Deleted.
2187         * heap/Heap.cpp:
2188         (JSC::Heap::addToRememberedSet):
2189         (JSC::Heap::didFinishCollection):
2190         (JSC::Heap::shouldDoFullCollection):
2191         * heap/Heap.h:
2192         (JSC::Heap::isDeferred):
2193         (JSC::Heap::structureIDTable):
2194         * heap/HeapStatistics.cpp:
2195         (JSC::StorageStatistics::storageCapacity):
2196         (JSC::HeapStatistics::dumpObjectStatistics):
2197         (JSC::HeapStatistics::showObjectStatistics): Deleted.
2198         * heap/HeapStatistics.h:
2199         * interpreter/StackVisitor.cpp:
2200         (JSC::StackVisitor::Frame::createArguments):
2201         * jit/AssemblyHelpers.cpp:
2202         (JSC::AssemblyHelpers::callExceptionFuzz):
2203         * jit/ExecutableAllocationFuzz.cpp:
2204         (JSC::doExecutableAllocationFuzzing):
2205         * jit/ExecutableAllocationFuzz.h:
2206         (JSC::doExecutableAllocationFuzzingIfEnabled):
2207         * jit/JIT.cpp:
2208         (JSC::JIT::privateCompile):
2209         * jit/JITCode.cpp:
2210         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef):
2211         * jit/PolymorphicCallStubRoutine.cpp:
2212         (JSC::PolymorphicCallNode::unlink):
2213         (JSC::PolymorphicCallNode::clearCallLinkInfo):
2214         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2215         * jit/Repatch.cpp:
2216         (JSC::linkFor):
2217         (JSC::unlinkFor):
2218         (JSC::linkVirtualFor):
2219         * jsc.cpp:
2220         (functionEnableExceptionFuzz):
2221         (jscmain):
2222         * llvm/InitializeLLVM.cpp:
2223         (JSC::initializeLLVMImpl):
2224         * runtime/ExceptionFuzz.cpp:
2225         (JSC::doExceptionFuzzing):
2226         * runtime/ExceptionFuzz.h:
2227         (JSC::doExceptionFuzzingIfEnabled):
2228         * runtime/JSGlobalObject.cpp:
2229         (JSC::JSGlobalObject::init):
2230         * runtime/Options.cpp:
2231         (JSC::recomputeDependentOptions):
2232         (JSC::Options::initialize):
2233         (JSC::Options::dumpOptionsIfNeeded):
2234         (JSC::Options::setOption):
2235         (JSC::Options::dumpAllOptions):
2236         (JSC::Options::dumpAllOptionsInALine):
2237         (JSC::Options::dumpOption):
2238         * runtime/Options.h:
2239         * runtime/VM.cpp:
2240         (JSC::VM::VM):
2241         * runtime/VM.h:
2242         (JSC::VM::exceptionFuzzingBuffer):
2243         * runtime/WriteBarrierInlines.h:
2244         (JSC::WriteBarrierBase<T>::set):
2245         (JSC::WriteBarrierBase<Unknown>::set):
2246         * tests/executableAllocationFuzz.yaml:
2247         * tests/stress/arrowfunction-typeof.js:
2248         * tests/stress/disable-function-dot-arguments.js:
2249         (foo):
2250         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js:
2251         (sqrtOnInteger):
2252         * tests/stress/regress-148564.js:
2253
2254 2015-10-14  Mark Lam  <mark.lam@apple.com>
2255
2256         Speculative build fix: the CallSiteIndex constructor is explicit and requires a uint32_t.
2257
2258         Not Reviewed.
2259
2260         * bytecode/CodeBlock.cpp:
2261         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2262
2263 2015-10-14  Commit Queue  <commit-queue@webkit.org>
2264
2265         Unreviewed, rolling out r191030.
2266         https://bugs.webkit.org/show_bug.cgi?id=150116
2267
2268         caused js/class-syntax-method-names.html to crash on debug
2269         builds (Requested by alexchristensen_ on #webkit).
2270
2271         Reverted changeset:
2272
2273         "[ES6] Class expression should have lexical environment that
2274         has itself as an immutable binding"
2275         https://bugs.webkit.org/show_bug.cgi?id=150089
2276         http://trac.webkit.org/changeset/191030
2277
2278 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2279
2280         [ES6] Class expression should have lexical environment that has itself as an immutable binding
2281         https://bugs.webkit.org/show_bug.cgi?id=150089
2282
2283         Reviewed by Geoffrey Garen.
2284
2285         According to the ES6 spec, a class expression has its own lexical environment that holds itself
2286         as an immutable binding[1] (section 14.5.14 steps 2, 3, 4, 23).
2287
2288         As a result, even if the binding declared in the outer scope is overridden, methods inside
2289         the class expression can refer to their class by the class name.
2290
2291         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
2292
2293         * bytecompiler/NodesCodegen.cpp:
2294         (JSC::ClassExprNode::emitBytecode):
2295         * parser/ASTBuilder.h:
2296         (JSC::ASTBuilder::createClassExpr):
2297         * parser/NodeConstructors.h:
2298         (JSC::ClassExprNode::ClassExprNode):
2299         * parser/Nodes.h:
2300         * parser/Parser.cpp:
2301         (JSC::Parser<LexerType>::parseClass):
2302         * parser/SyntaxChecker.h:
2303         (JSC::SyntaxChecker::createClassExpr):
2304         * tests/es6.yaml:
2305         * tests/stress/class-expression-generates-environment.js: Added.
2306         (shouldBe):
2307         (shouldThrow):
2308         (prototype.method):
2309         (staticMethod):
2310         (A.prototype.method):
2311         (A.staticMethod):
2312         (A):
2313         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
2314         (shouldThrow):
2315         (shouldThrow.A):
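
The following is an added example, not code from the WebKit ChangeLog or the JSC stress tests. It exercises the three ES6 class behaviours described in this entry, in its re-landed copy earlier in the log, and in the "Class method should not declare any variables to upper scope" entry: the class expression's inner immutable self-binding, the TDZ of the class name in the heritage clause, and methods not leaking into the enclosing scope. Class and method names are constructed for the example.

```javascript
// Added example: ES6 class scoping semantics covered by the ChangeLog entries
// above. Not code from WebKit/JSC; the classes below are constructed inputs.

// A class expression binds its own name in an inner scope, so its methods keep
// seeing the class even after the outer binding has been overwritten.
function classExpressionKeepsInnerBinding() {
  let A = class A {
    method() { return A; }                 // resolves to the inner binding
    static staticMethod() { return A; }
  };
  const Original = A;
  A = null;                                // clobber only the outer `let A`
  return new Original().method() === Original
      && Original.staticMethod() === Original;
}

// The inner binding is immutable. Class bodies are strict code, so assigning
// to it throws a TypeError instead of silently doing nothing.
function innerBindingIsImmutable() {
  const A = class A {
    static tryReassign() { A = null; }     // TypeError: assignment to constant
  };
  try {
    A.tryReassign();
    return false;
  } catch (e) {
    return e instanceof TypeError && A.name === "A";
  }
}

// While the heritage clause is evaluated the class name is already in scope
// but uninitialized (TDZ), so `extends A` inside `class A` must throw a
// ReferenceError rather than resolve to anything in the outer scope.
function classNameIsTdzInHeritage() {
  try {
    const A = class A extends A {};
    return false;
  } catch (e) {
    return e instanceof ReferenceError;
  }
}

// Methods become properties of the prototype or of the constructor only; they
// never declare variables in the enclosing scope. A numeric method name such
// as `1` could not be a variable name at all, which is what tripped the
// assertion in the fixed bug.
function methodsDoNotLeakIntoUpperScope() {
  class A {
    method() { return "instance"; }
    static staticMethod() { return "static"; }
    1() { return "numeric"; }
  }
  return typeof method === "undefined"
      && typeof staticMethod === "undefined"
      && new A().method() === "instance"
      && A.staticMethod() === "static"
      && new A()[1]() === "numeric";
}
```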
2316
2317 2015-10-13  Saam barati  <sbarati@apple.com>
2318
2319         We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table
2320         https://bugs.webkit.org/show_bug.cgi?id=150016
2321
2322         Reviewed by Geoffrey Garen.
2323
2324         There was a bug where we created a GCAwareJITStubRoutineWithExceptionHandler
2325         for inline caches that were custom setters/getters (but not JS getters/setters).
2326         This is wrong; we only create GCAwareJITStubRoutineWithExceptionHandler when we have
2327         an inline cache with a JS getter/setter call which causes the inline cache to add itself
2328         to the CodeBlock's exception handling table. The problem was that we created
2329         a GCAwareJITStubRoutineWithExceptionHandler that tried to remove itself from
2330         the exception handler table only to find out that it didn't have an entry in the table.
2331
2332         * bytecode/PolymorphicAccess.cpp:
2333         (JSC::PolymorphicAccess::regenerate):
2334
2335 2015-10-13  Joseph Pecoraro  <pecoraro@apple.com>
2336
2337         Simplify WeakBlock visit and reap phases
2338         https://bugs.webkit.org/show_bug.cgi?id=150045
2339
2340         Reviewed by Geoffrey Garen.
2341
2342         WeakBlock visiting and reaping both happen after MarkedBlock marking.
2343         All the MarkedBlocks we encounter should be either Marked or Retired.
2344
2345         * heap/MarkedBlock.h:
2346         (JSC::MarkedBlock::isMarkedOrRetired):
2347         * heap/WeakBlock.cpp:
2348         (JSC::WeakBlock::visit):
2349         (JSC::WeakBlock::reap):
2350         * heap/WeakBlock.h:
2351
2352 2015-10-12  Geoffrey Garen  <ggaren@apple.com>
2353
2354         CodeBlock write barriers should be precise
2355         https://bugs.webkit.org/show_bug.cgi?id=150042
2356
2357         Reviewed by Saam Barati.
2358
2359         CodeBlock performs lots of unnecessary write barriers. This wastes
2360         performance and makes the code a bit harder to follow, and it might mask
2361         important bugs. Now is a good time to unmask important bugs.
2362
2363         * bytecode/CodeBlock.h:
2364         (JSC::CodeBlockSet::mark): Don't write barrier all CodeBlocks on the
2365         stack. Only CodeBlocks that do value profiling need write barriers, and
2366         they do those themselves.
2367
2368         In steady state, when most of our CodeBlocks are old and FTL-compiled,
2369         and we're doing eden GC's, we should almost never visit a CodeBlock.
2370
2371         * dfg/DFGOSRExitCompilerCommon.cpp:
2372         (JSC::DFG::osrWriteBarrier):
2373         (JSC::DFG::adjustAndJumpToTarget): Don't write barrier all inlined
2374         CodeBlocks on exit. That's not necessary. Instead, write barrier the
2375         CodeBlock(s) we will exit to, along with the one we will write a value
2376         profile to.
2377
2378 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2379
2380         REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com
2381         https://bugs.webkit.org/show_bug.cgi?id=149965
2382
2383         Reviewed by Geoffrey Garen.
2384
2385         Edge filtering for CheckIdent ensures that a given value is either Symbol or StringIdent.
2386         However, this filtering is not applied to CheckIdent when propagating a constant value in
2387         the constant folding phase. As a result, it is not guaranteed that a constant value
2388         propagated in constant folding is Symbol or StringIdent.
2389
2390         * dfg/DFGConstantFoldingPhase.cpp:
2391         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2392
2393 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2394
2395         Unreviewed, register symbol structure to fix Debug build
2396         https://bugs.webkit.org/show_bug.cgi?id=149622
2397
2398         Since InferredTypes for String or Symbol claim that they don't have any structure,
2399         `registerInferredType` does not register the structure for Symbol.
2400         We take a similar approach to String to fix this issue: registering the Symbol structure
2401         explicitly in DFGStructureRegistrationPhase. This is because:
2402
2403         1. InferredType::structure is only allowed for ObjectWithStructure / ObjectWithStructureOrOther.
2404            It looks clear to me that only ObjectWithStructure has a structure.
2405         2. Symbol is a primitive value similar to String. So handling its structure in a similar way to String is nice.
2406
2407         * dfg/DFGStructureRegistrationPhase.cpp:
2408         (JSC::DFG::StructureRegistrationPhase::run):
2409
2410 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2411
2412         Iterator loops over key twice after delete
2413         https://bugs.webkit.org/show_bug.cgi?id=149811
2414
2415         Reviewed by Geoffrey Garen.
2416
2417         When an object is in dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration `getPropertyNames`.
2418         The result vector contains indexed property names. But in this case, `publicLength()` may not be 0.
2419         So without explicitly disabling the indexed names enumeration phase, JSPropertyNameEnumerator produces indexed property names twice:
2420         once in the indexed name enumeration phase, and again in the generic property name enumeration phase.
2421         This patch disables indexed names enumeration by setting `indexedLength` to 0 when collecting names through generic property name enumeration.
2422
2423         * runtime/JSPropertyNameEnumerator.h:
2424         (JSC::propertyNameEnumerator):
2425         * tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added.
2426         (shouldBe):
2427         (col2.of.Reflect.enumerate):
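
The following is an added regression-style check, not code from the WebKit ChangeLog or the JSC stress test it lists. It exercises the bug described above through for-in (which in JSC is served by the same JSPropertyNameEnumerator): after a delete pushes an object into dictionary mode, every remaining key, indexed ones included, must be enumerated exactly once. The sample object is constructed for the example.

```javascript
// Added example: enumeration after `delete` must not repeat indexed keys.
// Not code from WebKit/JSC; the object below is a constructed input.

// Count how often for-in yields each key of `object`.
function enumerateKeysOnce(object) {
  const seen = new Map();
  for (const key in object)
    seen.set(key, (seen.get(key) || 0) + 1);
  return seen;
}

// Deleting a property moves the object to dictionary mode in JSC, which is the
// state in which the fixed bug enumerated indexed keys twice. A correct engine
// yields "0", "1", "2", "y" once each (integer keys first, then string keys
// in insertion order).
function indexedKeysAreNotEnumeratedTwice() {
  const object = { 0: "a", 1: "b", 2: "c", x: 1, y: 2 };
  delete object.x;
  const counts = enumerateKeysOnce(object);
  const eachOnce = [...counts.values()].every(n => n === 1);
  return eachOnce && [...counts.keys()].join() === "0,1,2,y";
}
```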
2428
2429 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2430
2431         Introduce Symbol type for property type inference
2432         https://bugs.webkit.org/show_bug.cgi?id=149622
2433
2434         Reviewed by Geoffrey Garen.
2435
2436         This patch introduces Symbol type into property type inference.
2437         One of the use cases of ES6 Symbol is as an enum value. In this case,
2438         we may hold different symbols as the same property of the same structure.
2439         Current property type inference does not support Symbol type, so in the
2440         above case, the property will be inferred as Top type.
2441
2442         * bytecode/PutByIdFlags.h:
2443         * dfg/DFGAbstractValue.cpp:
2444         (JSC::DFG::AbstractValue::set):
2445         * dfg/DFGInferredTypeCheck.cpp:
2446         (JSC::DFG::insertInferredTypeCheck):
2447         * ftl/FTLLowerDFGToLLVM.cpp:
2448         (JSC::FTL::DFG::LowerDFGToLLVM::checkInferredType):
2449         * jit/AssemblyHelpers.cpp:
2450         (JSC::AssemblyHelpers::branchIfNotType):
2451         * llint/LLIntData.cpp:
2452         (JSC::LLInt::Data::performAssertions):
2453         * llint/LowLevelInterpreter.asm:
2454         * llint/LowLevelInterpreter32_64.asm:
2455         * llint/LowLevelInterpreter64.asm:
2456         * runtime/InferredType.cpp:
2457         (JSC::InferredType::kindForFlags):
2458         (JSC::InferredType::Descriptor::forValue):
2459         (JSC::InferredType::Descriptor::putByIdFlags):
2460         (JSC::InferredType::Descriptor::merge):
2461         (WTF::printInternal):
2462         * runtime/InferredType.h:
2463         * tests/stress/prop-type-symbol-then-object.js: Added.
2464         (foo):
2465         (bar):
2466         (toString):
2467         * tests/stress/prop-type-symbol-then-string.js: Added.
2468         (foo):
2469         (bar):
2470
2471 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2472
2473         Web Inspector: Rebaseline Inspector generator tests and make better use of RWIProtocol constant
2474         https://bugs.webkit.org/show_bug.cgi?id=150044
2475
2476         Reviewed by Brian Burg.
2477
2478         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2479         (ObjCConfigurationHeaderGenerator.generate_output):
2480         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
2481         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2482         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
2483         * inspector/scripts/codegen/generate_objc_header.py:
2484         (ObjCHeaderGenerator.generate_output):
2485         * inspector/scripts/codegen/generate_objc_internal_header.py:
2486         (ObjCInternalHeaderGenerator.generate_output):
2487         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2488         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2489         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2490         * inspector/scripts/tests/expected/enum-values.json-result:
2491         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2492         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2493         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2494         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2495         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2496         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2497         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2498         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2499         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2500
2501 2015-10-12  Myles C. Maxfield  <mmaxfield@apple.com>
2502
2503         Unreviewed build fix
2504
2505         * runtime/JSObject.cpp:
2506         (JSC::JSObject::reallocateAndShrinkButterfly):
2507
2508 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
2509
2510         GC should have a Baker barrier for concurrent copying
2511         https://bugs.webkit.org/show_bug.cgi?id=149852
2512
2513         Reviewed by Geoffrey Garen.
2514
2515         This adds a Baker-style read barrier [1] to copied space accesses. This barrier incurs some
2516         overhead (0%-2% depending on benchmark suite), but what it buys is the ability to make the GC copy
2517         phase concurrent.
2518
2519         The barrier relies on copied space pointers having two "space bits" in the low pointer bits. The
2520         space bits indicate whether the backing store is being copied right now or not, and if it is being
2521         copied, what stage of copying it's in. Two barrier variants are supported:
2522
2523         Read only barrier: if you load a backing store and immediately load from it without doing anything
2524         else, you can just mask off the bits. In the worst case, you'll get the old backing store while
2525         some copying thread is already allocating and populating the new version of the backing store. But
2526         in that case, forwarding to the new backing store will not enable you to load a more up-to-date
2527         value from the backing store. So, just masking the bits is enough. The read-only barrier is only
2528         used in ICs where we know that we are only reading, and opportunistically within the DFG and FTL
2529         thanks to the CopyBarrierOptimizationPhase. We never explicitly emit a read-only barrier in those
2530         compilers; instead the phase will turn a GetButterfly into GetButterflyReadOnly if it proves that a
2531         bunch of requirements are met.
2532
2533         Normal barrier: if the space bits are non-zero, call a slow path. The slow path will either do
2534         nothing (if the copy phase hasn't started yet), or it will copy the backing store and update the
2535         pointer (if the copy phase hasn't gotten around to copying this particular backing store), or it
2536         will wait for the copying thread to finish (if some thread is copying this backing store right
2537         now), or it will do nothing (if by the time we called into the slow path the backing store was
2538         already copied). This is just like Baker's CAR/CDR barrier, but with a lock thrown in to handle
2539         concurrent execution.
2540
2541         This is a 1% slow-down on SunSpider, a 1.5% slow-down on Octane, a 1.5% slow-down on Kraken, and a
2542         0% slow-down on AsmBench. Note that the Octane slow-down is excluding the SplayLatency benchmark.
2543         That benchmark will eventually speed up a lot once we finish doing all of this stuff. Probably, the
2544         JetStream splay-latency will see an even larger speed-up, since our version of the latency tests does
2545         a better job of punishing bad worst-case behavior.
2546
2547         [1] http://dspace.mit.edu/bitstream/handle/1721.1/41976/AI_WP_139.pdf, look for the CAR and CDR
2548         procedures on page 9.
2549
2550         * CMakeLists.txt:
2551         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2552         * JavaScriptCore.xcodeproj/project.pbxproj:
2553         * bytecode/PolymorphicAccess.cpp:
2554         (JSC::AccessCase::generate):
2555         * dfg/DFGAbstractInterpreterInlines.h:
2556         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2557         * dfg/DFGArgumentsEliminationPhase.cpp:
2558         * dfg/DFGClobberize.h:
2559         (JSC::DFG::clobberize):
2560         * dfg/DFGCopyBarrierOptimizationPhase.cpp: Added.
2561         (JSC::DFG::performCopyBarrierOptimization):
2562         * dfg/DFGCopyBarrierOptimizationPhase.h: Added.
2563         * dfg/DFGDoesGC.cpp:
2564         (JSC::DFG::doesGC):
2565         * dfg/DFGFixupPhase.cpp:
2566         (JSC::DFG::FixupPhase::fixupNode):
2567         * dfg/DFGHeapLocation.cpp:
2568         (WTF::printInternal):
2569         * dfg/DFGHeapLocation.h:
2570         * dfg/DFGLICMPhase.cpp:
2571         (JSC::DFG::LICMPhase::run):
2572         * dfg/DFGNodeType.h:
2573         * dfg/DFGOperations.cpp:
2574         * dfg/DFGOperations.h:
2575         * dfg/DFGPlan.cpp:
2576         (JSC::DFG::Plan::compileInThreadImpl):
2577         * dfg/DFGPredictionPropagationPhase.cpp:
2578         (JSC::DFG::PredictionPropagationPhase::propagate):
2579         * dfg/DFGSafeToExecute.h:
2580         (JSC::DFG::safeToExecute):
2581         * dfg/DFGSpeculativeJIT.cpp:
2582         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2583         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2584         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2585         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2586         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
2587         * dfg/DFGSpeculativeJIT.h:
2588         * dfg/DFGSpeculativeJIT32_64.cpp:
2589         (JSC::DFG::SpeculativeJIT::compile):
2590         * dfg/DFGSpeculativeJIT64.cpp:
2591         (JSC::DFG::SpeculativeJIT::compile):
2592         * dfg/DFGTypeCheckHoistingPhase.cpp:
2593         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2594         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2595         * ftl/FTLCapabilities.cpp:
2596         (JSC::FTL::canCompile):
2597         * ftl/FTLLowerDFGToLLVM.cpp:
2598         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2599         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2600         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterflyReadOnly):
2601         (JSC::FTL::DFG::LowerDFGToLLVM::compileConstantStoragePointer):
2602         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2603         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
2604         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
2605         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
2606         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
2607         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
2608         (JSC::FTL::DFG::LowerDFGToLLVM::storageForTransition):
2609         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2610         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2611         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
2612         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
2613         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
2614         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
2615         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
2616         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
2617         * ftl/FTLOperations.cpp:
2618         (JSC::FTL::operationNewObjectWithButterfly):
2619         (JSC::FTL::operationPopulateObjectInOSR):
2620         * ftl/FTLOutput.h:
2621         (JSC::FTL::Output::testNonZero32):
2622         (JSC::FTL::Output::testIsZero64):
2623         (JSC::FTL::Output::testNonZero64):
2624         (JSC::FTL::Output::testIsZeroPtr):
2625         (JSC::FTL::Output::testNonZeroPtr):
2626         (JSC::FTL::Output::select):
2627         (JSC::FTL::Output::extractValue):
2628         * heap/CopyBarrier.h: Copied from Source/JavaScriptCore/heap/CopyWriteBarrier.h.
2629         (JSC::CopyBarrierBase::CopyBarrierBase):
2630         (JSC::CopyBarrierBase::operator!):
2631         (JSC::CopyBarrierBase::operator bool):
2632         (JSC::CopyBarrierBase::getWithoutBarrier):
2633         (JSC::CopyBarrierBase::get):
2634         (JSC::CopyBarrierBase::copyState):
2635         (JSC::CopyBarrierBase::setCopyState):
2636         (JSC::CopyBarrierBase::clear):
2637         (JSC::CopyBarrierBase::set):
2638         (JSC::CopyBarrierBase::setWithoutBarrier):
2639         (JSC::CopyBarrierBase::weakCASWithoutBarrier):
2640         (JSC::CopyBarrier::CopyBarrier):
2641         (JSC::CopyBarrier::getWithoutBarrier):
2642         (JSC::CopyBarrier::get):
2643         (JSC::CopyBarrier::set):
2644         (JSC::CopyBarrier::setWithoutBarrier):
2645         (JSC::CopyBarrier::weakCASWithoutBarrier):
2646         (JSC::CopyWriteBarrier::CopyWriteBarrier): Deleted.
2647         (JSC::CopyWriteBarrier::operator!): Deleted.
2648         (JSC::CopyWriteBarrier::operator bool): Deleted.
2649         (JSC::CopyWriteBarrier::get): Deleted.
2650         (JSC::CopyWriteBarrier::operator*): Deleted.
2651         (JSC::CopyWriteBarrier::operator->): Deleted.
2652         (JSC::CopyWriteBarrier::set): Deleted.
2653         (JSC::CopyWriteBarrier::setWithoutWriteBarrier): Deleted.
2654         (JSC::CopyWriteBarrier::clear): Deleted.
2655         * heap/CopyVisitorInlines.h:
2656         (JSC::CopyVisitor::checkIfShouldCopy):
2657         * heap/CopyWriteBarrier.h: Removed.
2658         * heap/Heap.cpp:
2659         (JSC::Heap::addToRememberedSet):
2660         (JSC::Heap::copyBarrier):
2661         (JSC::Heap::collectAndSweep):
2662         * heap/Heap.h:
2663         (JSC::Heap::writeBarrierBuffer):
2664         * heap/HeapInlines.h:
2665         * jit/AssemblyHelpers.h:
2666         (JSC::AssemblyHelpers::branchStructure):
2667         (JSC::AssemblyHelpers::branchIfNotToSpace):
2668         (JSC::AssemblyHelpers::removeSpaceBits):
2669         (JSC::AssemblyHelpers::addressForByteOffset):
2670         * jit/JIT.cpp:
2671         (JSC::JIT::privateCompileMainPass):
2672         (JSC::JIT::privateCompileSlowCases):
2673         * jit/JITOpcodes.cpp:
2674         (JSC::JIT::emitSlow_op_has_indexed_property):
2675         (JSC::JIT::emit_op_get_direct_pname):
2676         (JSC::JIT::emitSlow_op_get_direct_pname):
2677         * jit/JITOpcodes32_64.cpp:
2678         (JSC::JIT::emit_op_get_direct_pname):
2679         (JSC::JIT::emitSlow_op_get_direct_pname):
2680         * jit/JITPropertyAccess.cpp:
2681         (JSC::JIT::emitDoubleLoad):
2682         (JSC::JIT::emitContiguousLoad):
2683         (JSC::JIT::emitArrayStorageLoad):
2684         (JSC::JIT::emitSlow_op_get_by_val):
2685         (JSC::JIT::emitGenericContiguousPutByVal):
2686         (JSC::JIT::emitArrayStoragePutByVal):
2687         (JSC::JIT::emitSlow_op_put_by_val):
2688         (JSC::JIT::emit_op_get_from_scope):
2689         (JSC::JIT::emitSlow_op_get_from_scope):
2690         (JSC::JIT::emit_op_put_to_scope):
2691         (JSC::JIT::emitSlow_op_put_to_scope):
2692         (JSC::JIT::emitIntTypedArrayGetByVal):
2693         (JSC::JIT::emitFloatTypedArrayGetByVal):
2694         (JSC::JIT::emitIntTypedArrayPutByVal):
2695         (JSC::JIT::emitFloatTypedArrayPutByVal):
2696         * llint/LowLevelInterpreter.asm:
2697         * llint/LowLevelInterpreter64.asm:
2698         * runtime/DirectArguments.cpp:
2699         (JSC::DirectArguments::visitChildren):
2700         (JSC::DirectArguments::copyBackingStore):
2701         (JSC::DirectArguments::overrideThings):
2702         (JSC::DirectArguments::overrideThingsIfNecessary):
2703         (JSC::DirectArguments::overrideArgument):
2704         (JSC::DirectArguments::copyToArguments):
2705         * runtime/DirectArguments.h:
2706         (JSC::DirectArguments::canAccessIndexQuickly):
2707         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
2708         * runtime/JSArray.cpp:
2709         (JSC::JSArray::setLength):
2710         (JSC::JSArray::pop):
2711         (JSC::JSArray::push):
2712         (JSC::JSArray::fastSlice):
2713         (JSC::JSArray::fastConcatWith):
2714         (JSC::JSArray::shiftCountWithArrayStorage):
2715         (JSC::JSArray::shiftCountWithAnyIndexingType):
2716         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2717         (JSC::JSArray::fillArgList):
2718         (JSC::JSArray::copyToArguments):
2719         * runtime/JSArrayBufferView.cpp:
2720         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2721         (JSC::JSArrayBufferView::JSArrayBufferView):
2722         (JSC::JSArrayBufferView::finishCreation):
2723         (JSC::JSArrayBufferView::finalize):
2724         * runtime/JSArrayBufferView.h:
2725         (JSC::JSArrayBufferView::vector):
2726         (JSC::JSArrayBufferView::length):
2727         * runtime/JSArrayBufferViewInlines.h:
2728         (JSC::JSArrayBufferView::neuter):
2729         (JSC::JSArrayBufferView::byteOffset):
2730         * runtime/JSGenericTypedArrayView.h:
2731         (JSC::JSGenericTypedArrayView::typedVector):
2732         * runtime/JSGenericTypedArrayViewInlines.h:
2733         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2734         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
2735         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2736         * runtime/JSMap.h:
2737         (JSC::JSMap::JSMap):
2738         * runtime/JSObject.cpp:
2739         (JSC::JSObject::copyButterfly):
2740         (JSC::JSObject::visitChildren):
2741         (JSC::JSObject::copyBackingStore):
2742         (JSC::JSObject::getOwnPropertySlotByIndex):
2743         (JSC::JSObject::putByIndex):
2744         (JSC::JSObject::enterDictionaryIndexingMode):
2745         (JSC::JSObject::createInitialIndexedStorage):
2746         (JSC::JSObject::createArrayStorage):
2747         (JSC::JSObject::convertUndecidedToInt32):
2748         (JSC::JSObject::convertUndecidedToDouble):
2749         (JSC::JSObject::convertUndecidedToContiguous):
2750         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2751         (JSC::JSObject::convertUndecidedToArrayStorage):
2752         (JSC::JSObject::convertInt32ToDouble):
2753         (JSC::JSObject::convertInt32ToContiguous):
2754         (JSC::JSObject::convertInt32ToArrayStorage):
2755         (JSC::JSObject::convertDoubleToContiguous):
2756         (JSC::JSObject::convertDoubleToArrayStorage):
2757         (JSC::JSObject::convertContiguousToArrayStorage):
2758         (JSC::JSObject::setIndexQuicklyToUndecided):
2759         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2760         (JSC::JSObject::deletePropertyByIndex):
2761         (JSC::JSObject::getOwnPropertyNames):
2762         (JSC::JSObject::putIndexedDescriptor):
2763         (JSC::JSObject::defineOwnIndexedProperty):
2764         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2765         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2766         (JSC::JSObject::getNewVectorLength):
2767         (JSC::JSObject::ensureLengthSlow):
2768         (JSC::JSObject::reallocateAndShrinkButterfly):
2769         (JSC::JSObject::growOutOfLineStorage):
2770         (JSC::JSObject::getOwnPropertyDescriptor):
2771         (JSC::JSObject::getEnumerableLength):
2772         * runtime/JSObject.h:
2773         (JSC::JSObject::getArrayLength):
2774         (JSC::JSObject::getVectorLength):
2775         (JSC::JSObject::canGetIndexQuickly):
2776         (JSC::JSObject::getIndexQuickly):
2777         (JSC::JSObject::tryGetIndexQuickly):
2778         (JSC::JSObject::canSetIndexQuickly):
2779         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2780         (JSC::JSObject::setIndexQuickly):
2781         (JSC::JSObject::initializeIndex):
2782         (JSC::JSObject::hasSparseMap):
2783         (JSC::JSObject::inSparseIndexingMode):
2784         (JSC::JSObject::inlineStorage):
2785         (JSC::JSObject::butterfly):
2786         (JSC::JSObject::outOfLineStorage):
2787         (JSC::JSObject::locationForOffset):
2788         (JSC::JSObject::ensureInt32):
2789         (JSC::JSObject::ensureDouble):
2790         (JSC::JSObject::ensureContiguous):
2791         (JSC::JSObject::ensureArrayStorage):
2792         (JSC::JSObject::arrayStorage):
2793         (JSC::JSObject::arrayStorageOrNull):
2794         (JSC::JSObject::ensureLength):
2795         (JSC::JSObject::putDirectWithoutTransition):
2796         * runtime/JSSet.h:
2797         (JSC::JSSet::JSSet):
2798         * runtime/MapData.h:
2799         (JSC::JSIterator>::MapDataImpl):
2800         (JSC::JSIterator>::IteratorData::next):
2801         (JSC::JSIterator>::IteratorData::refreshCursor):
2802         * runtime/MapDataInlines.h:
2803         (JSC::JSIterator>::clear):
2804         (JSC::JSIterator>::find):
2805         (JSC::JSIterator>::add):
2806         (JSC::JSIterator>::remove):
2807         (JSC::JSIterator>::replaceAndPackBackingStore):
2808         (JSC::JSIterator>::replaceBackingStore):
2809         (JSC::JSIterator>::ensureSpaceForAppend):
2810         (JSC::JSIterator>::visitChildren):
2811         (JSC::JSIterator>::copyBackingStore):
2812         * runtime/Options.h:
2813
2814 2015-10-12  Saam barati  <sbarati@apple.com>
2815
2816         Update JSC features.json
2817         https://bugs.webkit.org/show_bug.cgi?id=150043
2818
2819         Reviewed by Mark Lam.
2820
2821         There were a lot of things implemented that weren't in
2822         the list. We should be better about updating the list
2823         as we land patches for new ES6 features.
2824
2825         * features.json:
2826
2827 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2828
2829         Cleanup Heap.h and some related headers
2830         https://bugs.webkit.org/show_bug.cgi?id=149981
2831
2832         Reviewed by Geoffrey Garen.
2833
2834         * heap/Heap.h:
2835         - Some functions did not need export.
2836         - threadDupStrings never had an implementation.
2837
2838         * heap/ConservativeRoots.cpp:
2839         * heap/ConservativeRoots.h:
2840         * heap/Heap.cpp:
2841         * heap/ListableHandler.h:
2842         * heap/WeakReferenceHarvester.h:
2843         * jit/Repatch.cpp:
2844         * runtime/JSONObject.h:
2845         * runtime/VM.h:
2846         - Stale forward declarations / includes.
2847
2848 2015-10-12  Saam barati  <sbarati@apple.com>
2849
2850         Each *ById inline cache in the FTL must have its own CallSiteIndex
2851         https://bugs.webkit.org/show_bug.cgi?id=150039
2852
2853         Reviewed by Geoffrey Garen and Filip Pizlo.
2854
2855         When lowering to LLVM, we create a patchpoint intrinsic for each
2856         *ById in DFG IR. LLVM may choose to duplicate these patchpoints.
2857         Therefore, we want each resulting inline cache to have a unique
2858         CallSiteIndex because each inline cache will have its own set of 
2859         used registers. This change is necessary when we implement try/catch 
2860         in the FTL because an inline cache will ask for the set of used 
2861         registers it will need to restore in the event of an exception 
2862         being thrown. It asks for this set of registers by giving JITCode
2863         a CallSiteIndex. Because each corresponding inline cache that results
2864         from a duplicated patchpoint may all ask for this set of registers, 
2865         we must assign each inline cache a unique CallSiteIndex.
2866
2867         * bytecode/CodeBlock.cpp:
2868         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2869         * dfg/DFGCommonData.cpp:
2870         (JSC::DFG::CommonData::addCodeOrigin):
2871         (JSC::DFG::CommonData::addUniqueCallSiteIndex):
2872         (JSC::DFG::CommonData::addCodeOriginUnconditionally): Deleted.
2873         * dfg/DFGCommonData.h:
2874         * ftl/FTLCompile.cpp:
2875         (JSC::FTL::mmAllocateDataSection):
2876         * ftl/FTLInlineCacheDescriptor.h:
2877         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2878         (JSC::FTL::InlineCacheDescriptor::stackmapID):
2879         (JSC::FTL::InlineCacheDescriptor::codeOrigin):
2880         (JSC::FTL::InlineCacheDescriptor::uid):
2881         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
2882         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
2883         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2884         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2885         (JSC::FTL::InlineCacheDescriptor::callSiteIndex): Deleted.
2886         * ftl/FTLLowerDFGToLLVM.cpp:
2887         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2888         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2889         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2890         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2891
2892 2015-10-12  Andreas Kling  <akling@apple.com>
2893
2894         "A + B" with strings shouldn't copy if A or B is empty.
2895         <https://webkit.org/b/150034>
2896
2897         Reviewed by Anders Carlsson.
2898
2899         * runtime/JSStringBuilder.h:
2900         (JSC::jsMakeNontrivialString):
2901         * runtime/Lookup.cpp:
2902         (JSC::reifyStaticAccessor):
2903         * runtime/ObjectPrototype.cpp:
2904         (JSC::objectProtoFuncToString):
2905
2906 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2907
2908         VisitedValueCount GC Counter misses parallel SlotVisitors
2909         https://bugs.webkit.org/show_bug.cgi?id=149980
2910
2911         Reviewed by Geoffrey Garen.
2912
2913         * heap/Heap.cpp:
2914         (JSC::Heap::updateObjectCounts):
2915         Include threaded slot visitor's object counts in the debugging value.
2916
2917 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2918
2919         Unreviewed, fix non-FTL build for real.
2920
2921         * ftl/FTLLazySlowPath.h:
2922
2923 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2924
2925         Unreviewed, clarify a comment. The example code had a bug.
2926
2927         * ftl/FTLLowerDFGToLLVM.cpp:
2928
2929 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2930
2931         Unreviewed, fix no-FTL build.
2932
2933         * ftl/FTLLazySlowPath.cpp:
2934
2935 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
2936
2937         webkit-gtk 2.3.3 fails to build on OS X - Conflicting type "Fixed"
2938         https://bugs.webkit.org/show_bug.cgi?id=126433
2939
2940         Reviewed by Philippe Normand.
2941
2942         Don't include CoreFoundation.h when building the GTK port.
2943
2944         * Source/JavaScriptCore/API/WebKitAvailability.h: Add !defined(BUILDING_GTK__) to defined(__APPLE__).
2945
2946 2015-10-10  Filip Pizlo  <fpizlo@apple.com>
2947
2948         FTL should generate code to call slow paths lazily
2949         https://bugs.webkit.org/show_bug.cgi?id=149936
2950
2951         Reviewed by Saam Barati.
2952
2953         We often have complex slow paths in FTL-generated code. Those slow paths may never run. Even
2954         if they do run, they don't need stellar performance. So, it doesn't make sense to have LLVM
2955         worry about compiling such slow path code.
2956
2957         This patch enables us to use our own MacroAssembler for compiling the slow path inside FTL
2958         code. It does this by using a crazy lambda thingy (see FTLLowerDFGToLLVM.cpp's lazySlowPath()
2959         and its documentation). The result is quite natural to use.
2960
2961         Even for straight slow path calls via something like vmCall(), the lazySlowPath offers the
2962         benefit that the call marshalling and the exception checking are not expressed using LLVM IR
2963         and do not require LLVM to think about it. It also has the benefit that we never generate the
2964         code if it never runs. That's great, since function calls usually involve ~10 instructions
2965         total (move arguments to argument registers, make the call, check exception, etc.).
2966
2967         This patch adds the lazy slow path abstraction and uses it for some slow paths in the FTL.
2968         The code we generate with lazy slow paths is worse than the code that LLVM would have
2969         generated. Therefore, a lazy slow path only makes sense when we have strong evidence that
2970         the slow path will execute infrequently relative to the fast path. This completely precludes
2971         the use of lazy slow paths for out-of-line Nodes that unconditionally call a C++ function.
2972         It also precludes their use for the GetByVal out-of-bounds handler, since when we generate
2973         a GetByVal with an out-of-bounds handler it means that we only know that the out-of-bounds
2974         case executed at least once. So, for all we know, it may actually be the common case. So,
2975         this patch just deployed the lazy slow path for GC slow paths and masquerades-as-undefined
2976         slow paths. It makes sense for GC slow paths because those have a statistical guarantee of
2977         slow path frequency - probably bounded at less than 1/10. It makes sense for masquerades-as-
2978         undefined because we can say quite confidently that this is an uncommon scenario on the
2979         modern Web.
2980
2981         Something that's always been challenging about abstractions involving the MacroAssembler is
2982         that linking is a separate phase, and there is no way for someone who is just given access to
2983         the MacroAssembler& to emit code that requires linking, since linking happens once we have
2984         emitted all code and we are creating the LinkBuffer. Moreover, the FTL requires that the
2985         final parts of linking happen on the main thread. This patch ran into this issue, and solved
2986         it comprehensively, by introducing MacroAssembler::addLinkTask(). This takes a lambda and
2987         runs it at the bitter end of linking - when performFinalization() is called. This ensures that
2988         the task added by addLinkTask() runs on the main thread. This patch doesn't replace all of
2989         the previously existing idioms for dealing with this issue; we can do that later.
2990
2991         This shows small speed-ups on a bunch of things. No big win on any benchmark aggregate. But
2992         mainly this is done for https://bugs.webkit.org/show_bug.cgi?id=149852, where we found that
2993         outlining the slow path in this way was a significant speed boost.
2994
2995         * CMakeLists.txt:
2996         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2997         * JavaScriptCore.xcodeproj/project.pbxproj:
2998         * assembler/AbstractMacroAssembler.h:
2999         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
3000         (JSC::AbstractMacroAssembler::addLinkTask):
3001         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
3002         * assembler/LinkBuffer.cpp:
3003         (JSC::LinkBuffer::linkCode):
3004         (JSC::LinkBuffer::allocate):
3005         (JSC::LinkBuffer::performFinalization):
3006         * assembler/LinkBuffer.h:
3007         (JSC::LinkBuffer::wasAlreadyDisassembled):
3008         (JSC::LinkBuffer::didAlreadyDisassemble):
3009         (JSC::LinkBuffer::vm):
3010         (JSC::LinkBuffer::executableOffsetFor):
3011         * bytecode/CodeOrigin.h:
3012         (JSC::CodeOrigin::CodeOrigin):
3013         (JSC::CodeOrigin::isSet):
3014         (JSC::CodeOrigin::operator bool):
3015         (JSC::CodeOrigin::isHashTableDeletedValue):
3016         (JSC::CodeOrigin::operator!): Deleted.
3017         * ftl/FTLCompile.cpp:
3018         (JSC::FTL::mmAllocateDataSection):
3019         * ftl/FTLInlineCacheDescriptor.h:
3020         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
3021         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
3022         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
3023         * ftl/FTLJITCode.h:
3024         * ftl/FTLJITFinalizer.cpp:
3025         (JSC::FTL::JITFinalizer::finalizeFunction):
3026         * ftl/FTLJITFinalizer.h:
3027         * ftl/FTLLazySlowPath.cpp: Added.
3028         (JSC::FTL::LazySlowPath::LazySlowPath):
3029         (JSC::FTL::LazySlowPath::~LazySlowPath):
3030         (JSC::FTL::LazySlowPath::generate):
3031         * ftl/FTLLazySlowPath.h: Added.
3032         (JSC::FTL::LazySlowPath::createGenerator):
3033         (JSC::FTL::LazySlowPath::patchpoint):
3034         (JSC::FTL::LazySlowPath::usedRegisters):
3035         (JSC::FTL::LazySlowPath::callSiteIndex):
3036         (JSC::FTL::LazySlowPath::stub):
3037         * ftl/FTLLazySlowPathCall.h: Added.
3038         (JSC::FTL::createLazyCallGenerator):
3039         * ftl/FTLLowerDFGToLLVM.cpp:
3040         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
3041         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
3042         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
3043         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3044         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3045         (JSC::FTL::DFG::LowerDFGToLLVM::compileNotifyWrite):
3046         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsObjectOrNull):
3047         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsFunction):
3048         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3049         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject):
3050         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
3051         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
3052         (JSC::FTL::DFG::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
3053         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3054         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
3055         (JSC::FTL::DFG::LowerDFGToLLVM::buildTypeOf):
3056         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
3057         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3058         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
3059         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
3060         * ftl/FTLOperations.cpp:
3061         (JSC::FTL::operationMaterializeObjectInOSR):
3062         (JSC::FTL::compileFTLLazySlowPath):
3063         * ftl/FTLOperations.h:
3064         * ftl/FTLSlowPathCall.cpp:
3065         (JSC::FTL::SlowPathCallContext::SlowPathCallContext):
3066         (JSC::FTL::SlowPathCallContext::~SlowPathCallContext):
3067         (JSC::FTL::SlowPathCallContext::keyWithTarget):
3068         (JSC::FTL::SlowPathCallContext::makeCall):
3069         (JSC::FTL::callSiteIndexForCodeOrigin):
3070         (JSC::FTL::storeCodeOrigin): Deleted.
3071         (JSC::FTL::callOperation): Deleted.
3072         * ftl/FTLSlowPathCall.h:
3073         (JSC::FTL::callOperation):
3074         * ftl/FTLState.h:
3075         * ftl/FTLThunks.cpp:
3076         (JSC::FTL::genericGenerationThunkGenerator):
3077         (JSC::FTL::osrExitGenerationThunkGenerator):
3078         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3079         (JSC::FTL::registerClobberCheck):
3080         * ftl/FTLThunks.h:
3081         * interpreter/CallFrame.h:
3082         (JSC::CallSiteIndex::CallSiteIndex):
3083         (JSC::CallSiteIndex::operator bool):
3084         (JSC::CallSiteIndex::bits):
3085         * jit/CCallHelpers.h:
3086         (JSC::CCallHelpers::setupArgument):
3087         (JSC::CCallHelpers::setupArgumentsWithExecState):
3088         * jit/JITOperations.cpp:
3089
3090 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
3091
3092         webkit-gtk-2.3.4 fails to link JavaScriptCore, missing symbols add_history and readline
3093         https://bugs.webkit.org/show_bug.cgi?id=127059
3094
3095         Reviewed by Philippe Normand.
3096
3097         * shell/CMakeLists.txt: Link JSC with -ledit on Mac OSX.
3098
3099 2015-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3100
3101         ES6 classes: When a class extends B, super() invokes B.prototype.constructor() instead of B()
3102         https://bugs.webkit.org/show_bug.cgi?id=149001
3103
3104         Reviewed by Saam Barati.
3105
3106         This patch matches the `super()` call in the constructor to the latest spec.
3107         Before this patch, when calling `super()`, it loads `callee.[[HomeObject]].__proto__.constructor`
3108         as a super constructor. But after this patch, it loads `callee.__proto__` as a super constructor.
3109         This behavior corresponds to section 12.3.5.2 [1].
3110
3111         [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-getsuperconstructor
3112
3113         * bytecompiler/NodesCodegen.cpp:
3114         (JSC::SuperNode::emitBytecode):
3115         * tests/stress/super-call-does-not-look-up-constructor.js: Added.
3116         (shouldBe):
3117         (B):
3118         (C):
3119         (B.prototype):
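
The super() lookup described in the entry above, as an added example in plain JavaScript (not the patch's own code or its stress test): per GetSuperConstructor, super() follows the [[Prototype]] of the active constructor rather than B.prototype.constructor, so the two can be made to disagree. The classes B, C, D and the function Fake are constructed for this illustration.

```javascript
// Added example, not part of the WebKit patch or its test file.
// ES2015 12.3.5.2 GetSuperConstructor: super() calls Object.getPrototypeOf(C),
// the [[Prototype]] of the active function, not B.prototype.constructor.
// The entry above says pre-patch JSC consulted the latter; this shows the gap.

class B {
  constructor() { this.builtBy = 'B'; }
}

class C extends B {
  constructor() { super(); }
}

// Tamper with the property the old lookup consulted. A spec-conforming
// engine ignores it because super() never reads B.prototype.constructor.
B.prototype.constructor = function Fake() { this.builtBy = 'Fake'; };

function superTargetViaPrototypeChain() {
  return new C().builtBy;          // 'B', not 'Fake'
}

// The constructor's own prototype chain is what super() follows: rewiring
// C's [[Prototype]] changes which constructor super() reaches, even though
// C.prototype still inherits from B.prototype.
function D() { this.builtBy = 'D'; }
D.prototype = Object.create(B.prototype);

function superTargetAfterSetPrototypeOf() {
  Object.setPrototypeOf(C, D);
  try {
    return new C().builtBy;        // 'D'
  } finally {
    Object.setPrototypeOf(C, B);   // restore the original chain
  }
}
```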
3120
3121 2015-10-10  Andreas Kling  <akling@apple.com>
3122
3123         Reduce pointless malloc traffic in CodeBlock construction.
3124         <https://webkit.org/b/149999>
3125
3126         Reviewed by Antti Koivisto.
3127
3128         Create the RefCountedArray<Instruction> for CodeBlock's m_instructions directly
3129         instead of first creating a Vector<Instruction> and then creating a RefCountedArray
3130         from that. None of the Vector functionality is needed here anyway.
3131
3132         * bytecode/CodeBlock.cpp:
3133         (JSC::CodeBlock::finishCreation):
3134         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3135         * bytecode/CodeBlock.h:
3136
3137 2015-10-10  Dan Bernstein  <mitz@apple.com>
3138
3139         [iOS] Remove unnecessary iOS version checks
3140         https://bugs.webkit.org/show_bug.cgi?id=150002
3141
3142         Reviewed by Alexey Proskuryakov.
3143
3144         * llvm/library/LLVMExports.cpp:
3145         (initializeAndGetJSCLLVMAPI):
3146
3147 2015-10-10  Dan Bernstein  <mitz@apple.com>
3148
3149         [iOS] Remove project support for iOS 8
3150         https://bugs.webkit.org/show_bug.cgi?id=149993
3151
3152         Reviewed by Alexey Proskuryakov.
3153
3154         * Configurations/Base.xcconfig:
3155         * Configurations/JSC.xcconfig:
3156         * Configurations/JavaScriptCore.xcconfig:
3157         * Configurations/LLVMForJSC.xcconfig:
3158         * Configurations/ToolExecutable.xcconfig:
3159
3160 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
3161
3162         Modernize and cleanup an NSNumber constant
3163         https://bugs.webkit.org/show_bug.cgi?id=149962
3164
3165         Reviewed by Andreas Kling.
3166
3167         * API/JSVirtualMachine.mm:
3168         (-[JSVirtualMachine addExternalRememberedObject:]):
3169
3170 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
3171
3172         No need to keep setting needsVisit flag in SmallStrings
3173         https://bugs.webkit.org/show_bug.cgi?id=149961
3174
3175         Reviewed by Andreas Kling.
3176
3177         SmallStrings are all initialized at once privately before the VM
3178         enables Garbage Collection. There is no need to keep updating
3179         this flag, as it couldn't have changed.
3180
3181         * runtime/SmallStrings.cpp:
3182         (JSC::SmallStrings::createEmptyString):
3183         (JSC::SmallStrings::createSingleCharacterString):
3184         (JSC::SmallStrings::initialize):
3185         * runtime/SmallStrings.h:
3186
3187 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
3188
3189         Unreviewed, rolling back in r190694
3190         https://bugs.webkit.org/show_bug.cgi?id=149727
3191
3192         This time for double sure?
3193
3194         The cause of the crash was an incorrect write barrier.
3195
3196         OSR exit was barriering the baseline codeblock for the top of the stack
3197         twice, missing the baseline codeblock for the bottom of the stack.
3198
3199         Restored changesets:
3200
3201         "CodeBlock should be a GC object"
3202         https://bugs.webkit.org/show_bug.cgi?id=149727
3203         http://trac.webkit.org/changeset/r190694
3204
3205 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
3206
3207         Remove unused RecursiveAllocationScope
3208         https://bugs.webkit.org/show_bug.cgi?id=149967
3209
3210         Reviewed by Csaba Osztrogonác.
3211
3212         RecursiveAllocationScope has been unused since r163691.
3213
3214         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3215         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3216         * JavaScriptCore.xcodeproj/project.pbxproj:
3217         * heap/Heap.cpp:
3218         * heap/Heap.h:
3219         * heap/RecursiveAllocationScope.h: Removed.
3220         * runtime/VM.h:
3221
3222 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
3223
3224         Unreviewed, rolling out r190694
3225         https://bugs.webkit.org/show_bug.cgi?id=148560
3226
3227         Crashes seen on PLT bots and facebook.com.
3228
3229         Reverted changesets:
3230
3231         "CodeBlock should be a GC object"
3232         https://bugs.webkit.org/show_bug.cgi?id=149727
3233         http://trac.webkit.org/changeset/190694
3234
3235 2015-10-09  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
3236
3237         Automate WebCore JS builtins generation and build system
3238         https://bugs.webkit.org/show_bug.cgi?id=149751
3239
3240         Reviewed by Darin Adler.
3241
3242         * generate-js-builtins: updating the part related to WebCore JS binding.
3243
3244 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
3245
3246         DFG SSA should remove unreachable code
3247         https://bugs.webkit.org/show_bug.cgi?id=149931
3248
3249         Reviewed by Geoffrey Garen.
3250
3251         Rolled back in with a call to m_state.reset(), which fixes the debug asserts.
3252
3253         * dfg/DFGConstantFoldingPhase.cpp:
3254         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
3255         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
3256         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
3257
3258 2015-10-08  Daniel Bates  <dabates@apple.com>
3259
3260         Add LLVM binaries for iOS 9 device
3261         https://bugs.webkit.org/show_bug.cgi?id=149913
3262
3263         Reviewed by Filip Pizlo.
3264
3265         Look for locally built/binary dropped LLVM headers and libraries when building for iOS device
3266         in WebKitBuild/usr/local.
3267
3268         Currently Mac and iOS look for the locally built/binary dropped LLVM in different directories:
3269         WebKitBuild/usr/local and /usr/local/LLVMForJavaScriptCore, respectively. This difference is
3270         due to dependencies with the Apple internal build system. We should look to resolve the
3271         Apple internal dependencies and standardize on one location for both platforms.
3272
3273         * Configurations/Base.xcconfig:
3274
3275 2015-10-08  Commit Queue  <commit-queue@webkit.org>
3276
3277         Unreviewed, rolling out r190749.
3278         https://bugs.webkit.org/show_bug.cgi?id=149938
3279
3280         Caused 50+ layout test failures
3281         https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK1%20(Tests)/r190749%20(213)/results.html
3282         (Requested by litherum1 on #webkit).
3283
3284         Reverted changeset:
3285
3286         "DFG SSA should remove unreachable code"
3287         https://bugs.webkit.org/show_bug.cgi?id=149931
3288         http://trac.webkit.org/changeset/190749
3289
3290 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
3291
3292         DFG SSA should remove unreachable code
3293         https://bugs.webkit.org/show_bug.cgi?id=149931
3294
3295         Reviewed by Geoffrey Garen.
3296
3297         * dfg/DFGConstantFoldingPhase.cpp:
3298         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
3299         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
3300         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
3301
3302 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3303
3304         Unreviewed build fix. Missing forward declaration.
3305
3306         * heap/Heap.h:
3307
3308 2015-10-08  Saam barati  <sbarati@apple.com>
3309
3310         Unreviewed Cloop build fix after bug: https://bugs.webkit.org/show_bug.cgi?id=149601
3311
3312         * bytecode/CodeBlock.cpp:
3313         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
3314         * jit/JITCode.cpp:
3315         (JSC::NativeJITCode::addressForCall):
3316         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3317         * jit/JITCode.h:
3318
3319 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3320
3321         Clean up Marked classes
3322         https://bugs.webkit.org/show_bug.cgi?id=149853
3323
3324         Reviewed by Darin Adler.
3325
3326         * heap/Heap.h:
3327         Move include here where it is really needed.
3328
3329         * heap/HeapStatistics.cpp:
3330         * heap/HeapStatistics.h:
3331         Simplify includes.
3332
3333         * heap/MarkedAllocator.h:
3334         Add missing copyright header.
3335
3336         * heap/MarkedBlock.cpp:
3337         * heap/MarkedBlock.h:
3338         (JSC::MarkedBlock::needsSweeping):
3339         Remove unused constants. Add some static asserts. Add some `const`-ness.
3340
3341         * heap/MarkedSpace.h:
3342         (JSC::MarkedSpace::isIterating):
3343         Update comments to better reflect actual values.
3344         Remove unimplemented method (moved to Heap).
3345
3346         * heap/MarkedSpace.cpp:
3347         (JSC::Free::Free):
3348         (JSC::Free::operator()):
3349         (JSC::Free::returnValue): Deleted.
3350         (JSC::FreeOrShrink::FreeOrShrink):
3351         (JSC::FreeOrShrink::operator()):
3352         (JSC::MarkedSpace::~MarkedSpace):
3353         (JSC::MarkedSpace::shrink):
3354         Replace conditional Functor that was not using return value
3355         with simplified targeted VoidFunctors.
3356
3357         (JSC::Shrink::operator()): Deleted.
3358         Remove unused functor.
3359
3360         * heap/WeakBlock.cpp:
3361         * heap/WeakBlock.h:
3362         * runtime/Options.cpp:
3363         Remove dead code.
3364
3365 2015-10-08  Saam barati  <sbarati@apple.com>
3366
3367         We should be able to inline getter/setter calls inside an inline cache even when the SpillRegistersMode is NeedsToSpill
3368         https://bugs.webkit.org/show_bug.cgi?id=149601
3369
3370         Reviewed by Filip Pizlo.
3371
3372         Before, if we had a PolymorphicAccess and a StructureStubInfo
3373         with a NeedToSpill spillMode, we wouldn't generate getter/setter
3374         calls. This patch changes it such that we will generate the
3375         getter/setter call and do the necessary register spilling/filling
3376         around the getter/setter call to preserve any "usedRegisters".
3377
3378         This has an interesting story with how it relates to exception handling
3379         inside the DFG. Because the GetById variants are considered a throwing call
3380         site, we must make sure that we properly restore the registers spilled to the stack
3381         in case of an exception being thrown inside the getter/setter call. We do
3382         this by having the inline cache register itself as a new exception handling
3383         call site. When the inline cache "catches" the exception (i.e., genericUnwind
3384         will jump to this code), it will restore the registers it spilled that are
3385         live inside the original catch handler, and then jump to the original catch
3386         handler. We make sure to only generate this makeshift catch handler when we
3387         actually need to do any cleanup. If we determine that we don't need to restore
3388         any registers, we don't bother generating this makeshift catch handler.
3389
3390         * bytecode/CodeBlock.cpp:
3391         (JSC::CodeBlock::~CodeBlock):
3392         (JSC::CodeBlock::handlerForIndex):
3393         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
3394         (JSC::CodeBlock::removeExceptionHandlerForCallSite):
3395         (JSC::CodeBlock::lineNumberForBytecodeOffset):
3396         * bytecode/CodeBlock.h:
3397         (JSC::CodeBlock::appendExceptionHandler):
3398         * bytecode/PolymorphicAccess.cpp:
3399         (JSC::AccessGenerationState::AccessGenerationState):
3400         (JSC::AccessGenerationState::restoreScratch):
3401         (JSC::AccessGenerationState::succeed):
3402         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3403         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3404         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
3405         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
3406         (JSC::AccessGenerationState::liveRegistersForCall):
3407         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
3408         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
3409         (JSC::AccessGenerationState::originalExceptionHandler):
3410         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
3411         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3412         (JSC::AccessGenerationState::originalCallSiteIndex):
3413         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3414         (JSC::AccessCase::AccessCase):
3415         (JSC::AccessCase::generate):
3416         (JSC::PolymorphicAccess::regenerateWithCases):
3417         (JSC::PolymorphicAccess::regenerate):
3418         (JSC::PolymorphicAccess::aboutToDie):
3419         * bytecode/PolymorphicAccess.h:
3420         (JSC::AccessCase::doesCalls):
3421         (JSC::AccessCase::isGetter):
3422         (JSC::AccessCase::callLinkInfo):
3423         * bytecode/StructureStubInfo.cpp:
3424         (JSC::StructureStubInfo::deref):
3425         (JSC::StructureStubInfo::aboutToDie):
3426         (JSC::StructureStubInfo::addAccessCase):
3427         * bytecode/StructureStubInfo.h:
3428         * bytecode/ValueRecovery.h:
3429         (JSC::ValueRecovery::isInJSValueRegs):
3430         (JSC::ValueRecovery::fpr):
3431         * dfg/DFGCommonData.cpp:
3432         (JSC::DFG::CommonData::addCodeOrigin):
3433         (JSC::DFG::CommonData::addCodeOriginUnconditionally):
3434         (JSC::DFG::CommonData::lastCallSite):
3435         (JSC::DFG::CommonData::removeCallSiteIndex):
3436         (JSC::DFG::CommonData::shrinkToFit):
3437         * dfg/DFGCommonData.h:
3438         * dfg/DFGJITCode.cpp:
3439         (JSC::DFG::JITCode::reconstruct):
3440         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3441         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
3442         * dfg/DFGJITCode.h:
3443         (JSC::DFG::JITCode::osrEntryBlock):
3444         (JSC::DFG::JITCode::setOSREntryBlock):
3445         * dfg/DFGJITCompiler.cpp:
3446         (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
3447         * dfg/DFGOSRExit.cpp:
3448         (JSC::DFG::OSRExit::OSRExit):
3449         * dfg/DFGOSRExit.h:
3450         * dfg/DFGSpeculativeJIT.cpp:
3451         (JSC::DFG::SpeculativeJIT::compileIn):
3452         * dfg/DFGSpeculativeJIT32_64.cpp:
3453         (JSC::DFG::SpeculativeJIT::cachedGetById):
3454         (JSC::DFG::SpeculativeJIT::cachedPutById):
3455         * dfg/DFGSpeculativeJIT64.cpp:
3456         (JSC::DFG::SpeculativeJIT::cachedGetById):
3457         (JSC::DFG::SpeculativeJIT::cachedPutById):
3458         * ftl/FTLCompile.cpp:
3459         (JSC::FTL::mmAllocateDataSection):
3460         * ftl/FTLJITCode.cpp:
3461         (JSC::FTL::JITCode::validateReferences):
3462         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3463         * ftl/FTLJITCode.h:
3464         (JSC::FTL::JITCode::handles):
3465         (JSC::FTL::JITCode::dataSections):
3466         * jit/GCAwareJITStubRoutine.cpp:
3467         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3468         (JSC::GCAwareJITStubRoutine::~GCAwareJITStubRoutine):
3469         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
3470         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal):
3471         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3472         (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
3473         (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler):
3474         (JSC::createJITStubRoutine):
3475         * jit/GCAwareJITStubRoutine.h:
3476         * jit/JITCode.cpp:
3477         (JSC::NativeJITCode::addressForCall):
3478         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3479         * jit/JITCode.h:
3480         * jit/JITInlineCacheGenerator.cpp:
3481         (JSC::JITByIdGenerator::JITByIdGenerator):
3482         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3483         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3484         * jit/JITInlineCacheGenerator.h:
3485         (JSC::JITByIdGenerator::reportSlowPathCall):
3486         * jit/JITPropertyAccess.cpp:
3487         (JSC::JIT::emitGetByValWithCachedId):
3488         (JSC::JIT::emitPutByValWithCachedId):
3489         (JSC::JIT::emit_op_get_by_id):
3490         (JSC::JIT::emit_op_put_by_id):
3491         * jit/JITPropertyAccess32_64.cpp:
3492         (JSC::JIT::emitGetByValWithCachedId):
3493         (JSC::JIT::emitPutByValWithCachedId):
3494         (JSC::JIT::emit_op_get_by_id):
3495         (JSC::JIT::emit_op_put_by_id):
3496         * jit/JITStubRoutine.h:
3497         (JSC::JITStubRoutine::createSelfManagedRoutine):
3498         (JSC::JITStubRoutine::aboutToDie):
3499         * jit/RegisterSet.cpp:
3500         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
3501         (JSC::RegisterSet::registersToNotSaveForCall):
3502         (JSC::RegisterSet::allGPRs):
3503         * jit/RegisterSet.h:
3504         (JSC::RegisterSet::set):
3505         (JSC::RegisterSet::clear):
3506         * jit/ScratchRegisterAllocator.cpp:
3507         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
3508         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
3509         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3510         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3511         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
3512         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3513         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3514         (JSC::ScratchRegisterAllocator::preserveRegistersToStackForCall):
3515         (JSC::ScratchRegisterAllocator::restoreRegistersFromStackForCall):
3516         * jit/ScratchRegisterAllocator.h:
3517         (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
3518         (JSC::ScratchRegisterAllocator::usedRegisters):
3519         * jsc.cpp:
3520         (WTF::CustomGetter::CustomGetter):
3521         (WTF::CustomGetter::createStructure):
3522         (WTF::CustomGetter::create):
3523         (WTF::CustomGetter::getOwnPropertySlot):
3524         (WTF::CustomGetter::customGetter):
3525         (WTF::Element::handleOwner):
3526         (GlobalObject::finishCreation):
3527         (functionCreateImpureGetter):
3528         (functionCreateCustomGetterObject):
3529         (functionSetImpureGetterDelegate):
3530         * tests/stress/try-catch-custom-getter-as-get-by-id.js: Added.
3531         (assert):
3532         (bar):
3533         (foo):
3534         * tests/stress/try-catch-getter-as-get-by-id-register-restoration.js: Added.
3535         (assert):
3536         (o1.get f):
3537         (bar):
3538         (foo):
3539         * tests/stress/try-catch-getter-as-get-by-id.js: Added.
3540         (assert):
3541         (o1.get f):
3542         (bar):
3543         (foo):
3544         * tests/stress/try-catch-setter-as-put-by-id.js: Added.
3545         (assert):
3546         (o1.set f):
3547         (bar):
3548         (foo):
3549         * tests/stress/try-catch-stub-routine-replaced.js: Added.
3550         (assert):
3551         (arr):
3552         (hello):
3553         (foo):
3554         (objChain.get f):
3555         (fakeOut.get f):
3556         (o.get f):
3557
3558 2015-10-08  Commit Queue  <commit-queue@webkit.org>
3559
3560         Unreviewed, rolling out r190716.
3561         https://bugs.webkit.org/show_bug.cgi?id=149924
3562
3563         broke mac build from time to time (Requested by youenn on
3564         #webkit).
3565
3566         Reverted changeset:
3567
3568         "Automate WebCore JS builtins generation and build system"
3569         https://bugs.webkit.org/show_bug.cgi?id=149751
3570         http://trac.webkit.org/changeset/190716
3571
3572 2015-10-08  Csaba Osztrogonác  <ossy@webkit.org>
3573
3574         Fix the WASM build on Linux
3575         https://bugs.webkit.org/show_bug.cgi?id=149919
3576
3577         Reviewed by Mark Lam.
3578
3579         * inspector/ScriptCallStackFactory.cpp:
3580         * wasm/JSWASMModule.cpp:
3581         * wasm/WASMFunctionCompiler.h:
3582         (JSC::sizeOfMemoryType):
3583         * wasm/WASMFunctionLLVMIRGenerator.h:
3584
3585 2015-10-08  Csaba Osztrogonác  <ossy@webkit.org>
3586
3587         Unreviewed CLOOP buildfix after r190718.
3588
3589         * jit/Repatch.h:
3590         (JSC::resetGetByID): Deleted.
3591         (JSC::resetPutByID): Deleted.
3592         (JSC::resetIn): Deleted.
3593
3594 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3595
3596         Remove references to removed class RepatchBuffer
3597         https://bugs.webkit.org/show_bug.cgi?id=149909
3598
3599         Reviewed by Csaba Osztrogonác.
3600
3601         * assembler/AbstractMacroAssembler.h:
3602         * assembler/MacroAssemblerARM.h:
3603         * assembler/MacroAssemblerARM64.h:
3604         * assembler/MacroAssemblerARMv7.h:
3605         * assembler/MacroAssemblerMIPS.h:
3606         * assembler/MacroAssemblerSH4.h:
3607         * assembler/MacroAssemblerX86.h:
3608         * assembler/MacroAssemblerX86_64.h:
3609         * jit/JITStubRoutine.h:
3610         * jit/Repatch.h:
3611
3612 2015-10-08  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
3613
3614         Automate WebCore JS builtins generation and build system
3615         https://bugs.webkit.org/show_bug.cgi?id=149751
3616
3617         Reviewed by Darin Adler.
3618
3619         * generate-js-builtins: updating the part related to WebCore JS binding.
3620
3621 2015-10-07  Joseph Pecoraro  <pecoraro@apple.com>
3622
3623         Clean up Copied classes
3624         https://bugs.webkit.org/show_bug.cgi?id=149863
3625
3626         Reviewed by Saam Barati.
3627
3628         * heap/CopiedAllocator.h:
3629         (JSC::CopiedAllocator::isValid):
3630         * heap/CopiedBlock.h:
3631         * heap/CopiedBlockInlines.h:
3632         * heap/CopiedSpace.cpp:
3633         * heap/CopiedSpace.h:
3634         (JSC::CopiedSpace::isInCopyPhase):
3635         (JSC::CopiedSpace::shouldDoCopyPhase):
3636         * heap/CopiedSpaceInlines.h:
3637         * heap/CopyToken.h:
3638         * heap/CopyVisitor.cpp:
3639         * heap/CopyVisitor.h:
3640         * heap/CopyVisitorInlines.h:
3641         * heap/CopyWorkList.h:
3642         * heap/HandleBlock.h:
3643         * heap/HandleSet.h:
3644         * heap/HeapHelperPool.cpp:
3645         * heap/HeapHelperPool.h:
3646
3647 2015-10-07  Mark Lam  <mark.lam@apple.com>
3648
3649         [Follow up 2] Disable tail calls because it is breaking some sites.
3650         https://bugs.webkit.org/show_bug.cgi?id=149900
3651
3652         Rubber stamped by Saam Barati.
3653
3654         Also need to suppress JSC tail call tests.
3655
3656         * tests/es6.yaml:
3657         * tests/stress/dfg-tail-calls.js:
3658         (nonInlinedTailCall.callee):
3659         * tests/stress/mutual-tail-call-no-stack-overflow.js:
3660         (shouldThrow):
3661         * tests/stress/tail-call-in-inline-cache.js:
3662         (tail):
3663         * tests/stress/tail-call-no-stack-overflow.js:
3664         (shouldThrow):
3665         * tests/stress/tail-call-recognize.js:
3666         (callerMustBeRun):
3667         * tests/stress/tail-call-varargs-no-stack-overflow.js:
3668         (shouldThrow):
3669
3670 2015-10-07  Geoffrey Garen  <ggaren@apple.com>
3671
3672         Unreviewed, rolling back in r190450
3673         https://bugs.webkit.org/show_bug.cgi?id=149727
3674
3675         This time for sure?
3676
3677         The cause of the leak was an invalidated compilation.
3678
3679         There was vestigial manual memory management code that eagerly removed
3680         a CodeBlock from the set of CodeBlocks if compilation was invalidated.
3681         That's not cool since we rely on the set of CodeBlocks when we run
3682         destructors.
3683
3684         The fix is to remove the vestigial code.
3685
3686         I ran the leaks, correctness, and performance tests locally and did not
3687         see any problems.
3688
3689         Restored changesets:
3690
3691         "CodeBlock should be a GC object"
3692         https://bugs.webkit.org/show_bug.cgi?id=149727
3693         http://trac.webkit.org/changeset/190450
3694
3695 2015-10-07  Mark Lam  <mark.lam@apple.com>
3696
3697         Disable tail calls because it is breaking some sites.
3698         https://bugs.webkit.org/show_bug.cgi?id=149900
3699
3700         Reviewed by Saam Barati.
3701
3702         This is until we fix whatever the breakage is.
3703
3704         * runtime/Options.h:
3705
3706 2015-10-07  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3707
3708         Add an LLVM IR generator for WebAssembly
3709         https://bugs.webkit.org/show_bug.cgi?id=149486
3710
3711         Reviewed by Mark Lam.
3712
3713         This patch adds initial support for an LLVM IR generator in WebAssembly
3714         (polyfill-prototype-1 format). All the methods will be implemented in
3715         subsequent patches.
3716
3717         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3718         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3719         * JavaScriptCore.xcodeproj/project.pbxproj:
3720         * wasm/WASMFunctionLLVMIRGenerator.h: Added.
3721         (JSC::WASMFunctionLLVMIRGenerator::MemoryAddress::MemoryAddress):
3722         (JSC::WASMFunctionLLVMIRGenerator::startFunction):
3723         (JSC::WASMFunctionLLVMIRGenerator::endFunction):
3724         (JSC::WASMFunctionLLVMIRGenerator::buildSetLocal):
3725         (JSC::WASMFunctionLLVMIRGenerator::buildSetGlobal):
3726         (JSC::WASMFunctionLLVMIRGenerator::buildReturn):
3727         (JSC::WASMFunctionLLVMIRGenerator::buildImmediateI32):
3728         (JSC::WASMFunctionLLVMIRGenerator::buildImmediateF32):
3729         (JSC::WASMFunctionLLVMIRGenerator::buildImmediateF64):
3730         (JSC::WASMFunctionLLVMIRGenerator::buildGetLocal):
3731         (JSC::WASMFunctionLLVMIRGenerator::buildGetGlobal):
3732         (JSC::WASMFunctionLLVMIRGenerator::buildConvertType):
3733         (JSC::WASMFunctionLLVMIRGenerator::buildLoad):
3734         (JSC::WASMFunctionLLVMIRGenerator::buildStore):
3735         (JSC::WASMFunctionLLVMIRGenerator::buildUnaryI32):
3736         (JSC::WASMFunctionLLVMIRGenerator::buildUnaryF32):
3737         (JSC::WASMFunctionLLVMIRGenerator::buildUnaryF64):
3738         (JSC::WASMFunctionLLVMIRGenerator::buildBinaryI32):
3739         (JSC::WASMFunctionLLVMIRGenerator::buildBinaryF32):
3740         (JSC::WASMFunctionLLVMIRGenerator::buildBinaryF64):
3741         (JSC::WASMFunctionLLVMIRGenerator::buildRelationalI32):
3742         (JSC::WASMFunctionLLVMIRGenerator::buildRelationalF32):
3743         (JSC::WASMFunctionLLVMIRGenerator::buildRelationalF64):
3744         (JSC::WASMFunctionLLVMIRGenerator::buildMinOrMaxI32):
3745         (JSC::WASMFunctionLLVMIRGenerator::buildMinOrMaxF64):
3746         (JSC::WASMFunctionLLVMIRGenerator::buildCallInternal):
3747         (JSC::WASMFunctionLLVMIRGenerator::buildCallIndirect):
3748         (JSC::WASMFunctionLLVMIRGenerator::buildCallImport):
3749         (JSC::WASMFunctionLLVMIRGenerator::appendExpressionList):
3750         (JSC::WASMFunctionLLVMIRGenerator::discard):
3751         (JSC::WASMFunctionLLVMIRGenerator::linkTarget):
3752         (JSC::WASMFunctionLLVMIRGenerator::jumpToTarget):
3753         (JSC::WASMFunctionLLVMIRGenerator::jumpToTargetIf):
3754         (JSC::WASMFunctionLLVMIRGenerator::startLoop):
3755         (JSC::WASMFunctionLLVMIRGenerator::endLoop):
3756         (JSC::WASMFunctionLLVMIRGenerator::startSwitch):
3757         (JSC::WASMFunctionLLVMIRGenerator::endSwitch):
3758         (JSC::WASMFunctionLLVMIRGenerator::startLabel):
3759         (JSC::WASMFunctionLLVMIRGenerator::endLabel):
3760         (JSC::WASMFunctionLLVMIRGenerator::breakTarget):
3761         (JSC::WASMFunctionLLVMIRGenerator::continueTarget):
3762         (JSC::WASMFunctionLLVMIRGenerator::breakLabelTarget):
3763         (JSC::WASMFunctionLLVMIRGenerator::continueLabelTarget):
3764         (JSC::WASMFunctionLLVMIRGenerator::buildSwitch):
3765         * wasm/WASMFunctionParser.cpp:
3766
3767 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3768
3769         Get rid of LLInt inline/out-of-line storage helpers, they are unused
3770         https://bugs.webkit.org/show_bug.cgi?id=149892
3771
3772         Reviewed by Mark Lam.
3773
3774         Just killing dead code.
3775
3776         * llint/LowLevelInterpreter.asm:
3777
3778 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3779
3780         Don't setOutOfBounds in JIT code for PutByVal, since the C++ slow path already does it
3781         https://bugs.webkit.org/show_bug.cgi?id=149885
3782
3783         Reviewed by Geoffrey Garen.
3784
3785         This simplifies the slow path code, which will make it easier to put read barriers on all of
3786         the butterflies.
3787
3788         * jit/JITOperations.cpp:
3789         (JSC::getByVal):
3790         * jit/JITPropertyAccess.cpp:
3791         (JSC::JIT::emitSlow_op_put_by_val):
3792
3793 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3794
3795         Get rid of JIT::compilePutDirectOffset
3796         https://bugs.webkit.org/show_bug.cgi?id=149884
3797
3798         Reviewed by Andreas Kling.
3799
3800         I'm finding more dead code.
3801
3802         * jit/JIT.h:
3803         * jit/JITPropertyAccess.cpp:
3804         (JSC::JIT::emitSlow_op_put_by_id):
3805         (JSC::JIT::emitVarInjectionCheck):
3806         (JSC::JIT::compilePutDirectOffset): Deleted.
3807
3808 2015-10-07  Joseph Pecoraro  <pecoraro@apple.com>
3809
3810         Heap::isWriteBarrierEnabled is unused
3811         https://bugs.webkit.org/show_bug.cgi?id=149881
3812
3813         Reviewed by Geoffrey Garen.
3814
3815         * heap/Heap.h:
3816         * heap/HeapInlines.h:
3817         (JSC::Heap::isWriteBarrierEnabled): Deleted.
3818
3819 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3820
3821         JIT::emitGetGlobalProperty/emitPutGlobalProperty are only called from one place
3822         https://bugs.webkit.org/show_bug.cgi?id=149879
3823
3824         Reviewed by Saam Barati.
3825
3826         To simplify my work to insert barriers on loads of the butterfly, I want to reduce the amount
3827         of abstraction we have around code that loads the butterfly.
3828
3829         * jit/JIT.h:
3830         * jit/JITPropertyAccess.cpp:
3831         (JSC::JIT::emitLoadWithStructureCheck):
3832         (JSC::JIT::emitGetVarFromPointer):
3833         (JSC::JIT::emit_op_get_from_scope):
3834         (JSC::JIT::emitSlow_op_get_from_scope):
3835         (JSC::JIT::emitPutGlobalVariable):
3836         (JSC::JIT::emit_op_put_to_scope):
3837         (JSC::JIT::emitGetGlobalProperty): Deleted.
3838         (JSC::JIT::emitPutGlobalProperty): Deleted.
3839         * jit/JITPropertyAccess32_64.cpp:
3840         (JSC::JIT::emitLoadWithStructureCheck):
3841         (JSC::JIT::emitGetVarFromPointer):
3842         (JSC::JIT::emit_op_get_from_scope):
3843         (JSC::JIT::emitSlow_op_get_from_scope):
3844         (JSC::JIT::emitPutGlobalVariable):
3845         (JSC::JIT::emit_op_put_to_scope):
3846         (JSC::JIT::emitGetGlobalProperty): Deleted.
3847         (JSC::JIT::emitPutGlobalProperty): Deleted.
3848
3849 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3850
3851         JIT::compileGetDirectOffset is useless
3852         https://bugs.webkit.org/show_bug.cgi?id=149878
3853
3854         Reviewed by Mark Lam.
3855
3856         Two of the overloads of this method were never called. The other was called only from one
3857         place, in a manner that rendered most of its code dead. This change removes the dead code and
3858         folds the method into its one caller.
3859
3860         * jit/JIT.h:
3861         * jit/JITPropertyAccess.cpp:
3862         (JSC::JIT::emitSlow_op_get_by_val):
3863         (JSC::JIT::emit_op_put_by_val):
3864         (JSC::JIT::compilePutDirectOffset):
3865         (JSC::JIT::emitVarInjectionCheck):
3866         (JSC::JIT::emitGetGlobalProperty):
3867         (JSC::JIT::emitGetVarFromPointer):
3868         (JSC::JIT::compileGetDirectOffset): Deleted.
3869         * jit/JITPropertyAccess32_64.cpp:
3870         (JSC::JIT::compilePutDirectOffset):
3871         (JSC::JIT::emitVarInjectionCheck):
3872         (JSC::JIT::emitGetGlobalProperty):
3873         (JSC::JIT::emitGetVarFromPointer):
3874         (JSC::JIT::compileGetDirectOffset): Deleted.
3875
3876 2015-10-06  Filip Pizlo  <fpizlo@apple.com>
3877
3878         Inline caches should handle out-of-line offsets out-of-line
3879         https://bugs.webkit.org/show_bug.cgi?id=149869
3880
3881         Reviewed by Saam Barati.
3882
3883         If we want to have a concurrent copying GC, then we need a read barrier on copied space
3884         pointers. That makes the convertible load portion of the get_by_id/put_by_id inline caches
3885         rather challenging. Currently we have a load instruction that we can turn into an add
3886         instruction - the add case is when we have an inline offset, and the load case is when we
3887         have an out-of-line offset and we need to load a copied space pointer. But if the load from
3888         copied space requires a barrier, then there is no easy way to convert that back to the inline
3889         case.
3890
3891         This patch removes the convertible load. The inline path of get_by_id/put_by_id only handles
3892         the inline offsets. Out-of-line offsets are now handled using out-of-line stubs.
3893
3894         * bytecode/StructureStubInfo.h:
3895         * ftl/FTLInlineCacheSize.cpp:
3896         (JSC::FTL::sizeOfGetById):
3897         (JSC::FTL::sizeOfPutById):
3898         * jit/JITInlineCacheGenerator.cpp:
3899         (JSC::JITByIdGenerator::finalize):
3900         (JSC::JITByIdGenerator::generateFastPathChecks):
3901         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3902         (JSC::JITGetByIdGenerator::generateFastPath):
3903         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3904         (JSC::JITPutByIdGenerator::generateFastPath):
3905         * jit/JITInlineCacheGenerator.h:
3906         * jit/Repatch.cpp:
3907         (JSC::repatchByIdSelfAccess):
3908         (JSC::tryCacheGetByID):
3909         (JSC::tryCachePutByID):
3910         * runtime/JSObject.h:
3911         (JSC::JSObject::butterflyTotalSize):
3912         (JSC::indexRelativeToBase):
3913         (JSC::offsetRelativeToBase):
3914         (JSC::maxOffsetRelativeToBase):
3915         (JSC::makeIdentifier):
3916         (JSC::offsetRelativeToPatchedStorage): Deleted.
3917         (JSC::maxOffsetRelativeToPatchedStorage): Deleted.
3918
3919 2015-10-07  Commit Queue  <commit-queue@webkit.org>
3920
3921         Unreviewed, rolling out r190664.
3922         https://bugs.webkit.org/show_bug.cgi?id=149877
3923
3924         mac build is sometimes broken due to missing generated header
3925         file (Requested by youenn on #webkit).
3926
3927         Reverted changeset:
3928
3929