Web Inspector: API View of Native DOM APIs looks poor (TypeErrors for native getters)
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: API View of Native DOM APIs looks poor (TypeErrors for native getters)
4         https://bugs.webkit.org/show_bug.cgi?id=158334
5         <rdar://problem/26615366>
6
7         Reviewed by Timothy Hatcher.
8
9         * inspector/InjectedScriptSource.js:
10         (InjectedScript.prototype._getProperties):
11         (InjectedScript.prototype._propertyDescriptors):
12         Do not create fake value property descriptors for native accessors
13         unless requested. This means, getProperties for a native prototype
14         should return accessors for native accessors just like it does
15         for normal non-native accessors (getters/setters).
16
17         (InjectedScript.prototype.getProperties):
18         Do not produce fake value accessors for native accessors.
19
20         (InjectedScript.prototype.getDisplayableProperties):
21         (InjectedScript.RemoteObject.prototype._generatePreview):
22         Do produce fake value accessors for native accessors.
23
24 2016-06-29  Saam Barati  <sbarati@apple.com>
25
26         JSGlobalLexicalEnvironment needs a toThis implementation
27         https://bugs.webkit.org/show_bug.cgi?id=159285
28
29         Reviewed by Mark Lam.
30
31         This was a huge oversight of my original implementation. It gave users
32         of the language direct access to the JSGlobalLexicalEnvironment object.
33
34         * runtime/JSGlobalLexicalEnvironment.cpp:
35         (JSC::JSGlobalLexicalEnvironment::isConstVariable):
36         (JSC::JSGlobalLexicalEnvironment::toThis):
37         * runtime/JSGlobalLexicalEnvironment.h:
38         (JSC::JSGlobalLexicalEnvironment::isEmpty):
39         * tests/stress/global-lexical-environment-to-this.js: Added.
40         (assert):
41         (let.f):
42         (let.fStrict):
43
44 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
45
46         Web Inspector: Wrong function name next to scope
47         https://bugs.webkit.org/show_bug.cgi?id=158210
48         <rdar://problem/26543093>
49
50         Reviewed by Brian Burg.
51
52         * CMakeLists.txt:
53         * JavaScriptCore.xcodeproj/project.pbxproj:
54         Add DebuggerLocation. A helper for describing a unique location.
55
56         * bytecode/CodeBlock.cpp:
57         (JSC::CodeBlock::setConstantRegisters):
58         When compiled with debug info, add a SymbolTable rare data pointer
59         back to the CodeBlock. This will be used later to get JSScope debug
60         info if Web Inspector pauses.
61
62         * runtime/SymbolTable.h:
63         * runtime/SymbolTable.cpp:
64         (JSC::SymbolTable::cloneScopePart):
65         (JSC::SymbolTable::prepareForTypeProfiling):
66         (JSC::SymbolTable::uniqueIDForVariable):
67         (JSC::SymbolTable::uniqueIDForOffset):
68         (JSC::SymbolTable::globalTypeSetForOffset):
69         (JSC::SymbolTable::globalTypeSetForVariable):
70         Rename rareData and include a CodeBlock pointer.
71
72         (JSC::SymbolTable::rareDataCodeBlock):
73         (JSC::SymbolTable::setRareDataCodeBlock):
74         Setter and getter for the rare data. It should only be set once.
75
76         (JSC::SymbolTable::visitChildren):
77         Visit the rare data code block if we have one.
78
79         * debugger/DebuggerLocation.cpp: Added.
80         (JSC::DebuggerLocation::DebuggerLocation):
81         * debugger/DebuggerLocation.h: Added.
82         (JSC::DebuggerLocation::DebuggerLocation):
83         Construction from a ScriptExecutable.
84
85         * runtime/JSScope.cpp:
86         (JSC::JSScope::symbolTable):
87         * runtime/JSScope.h:
88         * debugger/DebuggerScope.h:
89         * debugger/DebuggerScope.cpp:
90         (JSC::DebuggerScope::name):
91         (JSC::DebuggerScope::location):
92         Name and location for a scope. This uses:
93         JSScope -> SymbolTable -> CodeBlock -> Executable
94
95         * inspector/protocol/Debugger.json:
96         * inspector/InjectedScriptSource.js:
97         (InjectedScript.CallFrameProxy.prototype._wrapScopeChain):
98         (InjectedScript.CallFrameProxy._createScopeJson):
99         * inspector/JSJavaScriptCallFrame.cpp:
100         (Inspector::valueForScopeType):
101         (Inspector::valueForScopeLocation):
102         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
103         (Inspector::JSJavaScriptCallFrame::scopeType): Deleted.
104         * inspector/JSJavaScriptCallFrame.h:
105         * inspector/JSJavaScriptCallFramePrototype.cpp:
106         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
107         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
108         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): Deleted.
109         Simplify this code to build the objects we will send across the protocol
110         to describe a Scope.
111
112 2016-06-29  Saam Barati  <sbarati@apple.com>
113
114         We don't emit TDZ checks for call_eval
115         https://bugs.webkit.org/show_bug.cgi?id=159277
116         <rdar://problem/27018801>
117
118         Reviewed by Benjamin Poulain.
119
120         This is a problem if you're trying to call a TDZ variable
121         that is named 'eval'.
122
123         * bytecompiler/NodesCodegen.cpp:
124         (JSC::EvalFunctionCallNode::emitBytecode):
125         * tests/stress/variable-named-eval-under-tdz.js: Added.
126         (shouldThrowTDZ):
127         (test):
128         (test.foo):
129         (throw.new.Error):
130
131 2016-06-29  Mark Lam  <mark.lam@apple.com>
132
133         Add support for collecting cumulative LLINT stats via a JSC_llintStatsFile option.
134         https://bugs.webkit.org/show_bug.cgi?id=159274
135
136         Reviewed by Keith Miller.
137
138         * jsc.cpp:
139         (main):
140         * llint/LLIntData.cpp:
141         (JSC::LLInt::initialize):
142         (JSC::LLInt::Data::finalizeStats):
143         (JSC::LLInt::compareStats):
144         (JSC::LLInt::Data::dumpStats):
145         (JSC::LLInt::Data::ensureStats):
146         (JSC::LLInt::Data::loadStats):
147         (JSC::LLInt::Data::resetStats):
148         (JSC::LLInt::Data::saveStats):
149         * llint/LLIntData.h:
150         (JSC::LLInt::Data::opcodeStats):
151         * runtime/Options.cpp:
152         (JSC::Options::isAvailable):
153         (JSC::recomputeDependentOptions):
154         (JSC::Options::initialize):
155         * runtime/Options.h:
156
157 2016-06-29  Saam Barati  <sbarati@apple.com>
158
159         Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs
160         https://bugs.webkit.org/show_bug.cgi?id=159267
161
162         Reviewed by Mark Lam.
163
164         We were parsing something without checking if it had a syntax error.
165         This is wrong for many reasons, but it could actually cause a crash
166         in a debug build if you parsed particular programs.
167
168         * parser/Parser.cpp:
169         (JSC::Parser<LexerType>::parseVariableDeclarationList):
170
171 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
172
173         Web Inspector: Show Shadow Root type in DOM Tree
174         https://bugs.webkit.org/show_bug.cgi?id=159236
175         <rdar://problem/27068521>
176
177         Reviewed by Timothy Hatcher.
178
179         * inspector/protocol/DOM.json:
180         Include optional shadowRootType property for DOMNodes.
181
182 2016-06-29  Commit Queue  <commit-queue@webkit.org>
183
184         Unreviewed, rolling out r202627.
185         https://bugs.webkit.org/show_bug.cgi?id=159266
186
187         patch is broken on arm (Requested by keith_miller on #webkit).
188
189         Reverted changeset:
190
191         "LLInt should support other types of prototype GetById
192         caching."
193         https://bugs.webkit.org/show_bug.cgi?id=158083
194         http://trac.webkit.org/changeset/202627
195
196 2016-06-29  Benjamin Poulain  <bpoulain@apple.com>
197
198         [JSC] Fix small issues of TypedArray prototype
199         https://bugs.webkit.org/show_bug.cgi?id=159248
200
201         Reviewed by Saam Barati.
202
203         First, TypedArray's toString and Array's toString
204         should be the same function.
205         I moved the function to GlobalObject and each array type
206         gets it as needed.
207
208         Then TypedArray length was supposed to be configurable.
209         I removed the "DontDelete" flag accordingly.
210
211         * runtime/ArrayPrototype.cpp:
212         (JSC::ArrayPrototype::finishCreation):
213         * runtime/JSGlobalObject.cpp:
214         (JSC::JSGlobalObject::init):
215         (JSC::JSGlobalObject::visitChildren):
216         * runtime/JSGlobalObject.h:
217         (JSC::JSGlobalObject::arrayProtoToStringFunction):
218         * runtime/JSTypedArrayViewPrototype.cpp:
219         (JSC::JSTypedArrayViewPrototype::finishCreation):
220
221 2016-06-29  Caio Lima  <ticaiolima@gmail.com>
222
223         LLInt should support other types of prototype GetById caching.
224         https://bugs.webkit.org/show_bug.cgi?id=158083
225
226         Recently, we started supporting prototype load caching for get_by_id
227         in the LLInt. This patch is expanding the caching strategy to enable
228         caching of the prototype accessor and custom accessors.
229
230         Similarly to the get_by_id_proto_load bytecode, we are adding new
231         bytecodes called get_by_id_proto_accessor, which uses the calculated
232         offset of an object to call a getter function, and get_by_id_proto_custom,
233         which stores the pointer to the custom function and calls it directly
234         from LowLevelInterpreter.
235
236         Reviewed by Keith Miller.
237
238         * bytecode/BytecodeList.json:
239         * bytecode/BytecodeUseDef.h:
240         (JSC::computeUsesForBytecodeOffset):
241         (JSC::computeDefsForBytecodeOffset):
242         * bytecode/CodeBlock.cpp:
243         (JSC::CodeBlock::printGetByIdOp):
244         (JSC::CodeBlock::dumpBytecode):
245         (JSC::CodeBlock::finalizeLLIntInlineCaches):
246         * bytecode/GetByIdStatus.cpp:
247         (JSC::GetByIdStatus::computeFromLLInt):
248         * dfg/DFGByteCodeParser.cpp:
249         (JSC::DFG::ByteCodeParser::parseBlock):
250         * dfg/DFGCapabilities.cpp:
251         (JSC::DFG::capabilityLevel):
252         * jit/JIT.cpp:
253         (JSC::JIT::privateCompileMainPass):
254         (JSC::JIT::privateCompileSlowCases):
255         * llint/LLIntSlowPaths.cpp:
256         (JSC::LLInt::setupGetByIdPrototypeCache):
257         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
258         * llint/LLIntSlowPaths.h:
259         * llint/LowLevelInterpreter32_64.asm:
260         * llint/LowLevelInterpreter64.asm:
261
262 2016-06-28  Commit Queue  <commit-queue@webkit.org>
263
264         Unreviewed, rolling out r202580.
265         https://bugs.webkit.org/show_bug.cgi?id=159245
266
267         Caused all WKTR tests to fail on GuardMalloc and Production
268         only for unknown reasons, investigating offline. (Requested by
269         brrian on #webkit).
270
271         Reverted changeset:
272
273         "RunLoop::Timer should use constructor templates instead of
274         class templates"
275         https://bugs.webkit.org/show_bug.cgi?id=159153
276         http://trac.webkit.org/changeset/202580
277
278 2016-06-28  Keith Miller  <keith_miller@apple.com>
279
280         We should not crash when there is a finally inside a for-in loop
281         https://bugs.webkit.org/show_bug.cgi?id=159243
282         <rdar://problem/27018910>
283
284         Reviewed by Benjamin Poulain.
285
286         Previously we would swap the m_forInContext with an empty vector
287         then attempt to shrink the size of m_forInContext by the amount
288         we expected. This meant that if there was more than one ForInContext
289         on the stack and we wanted to pop exactly one off we would crash.
290         This patch makes ForInContexts RefCounted so they can be duplicated
291         into other vectors. It also has ForInContexts copy the entire stack
292         rather than do the swap that we did before. This makes ForInContexts
293         work the same as the other contexts.
294
295         * bytecompiler/BytecodeGenerator.cpp:
296         (JSC::BytecodeGenerator::emitComplexPopScopes):
297         (JSC::BytecodeGenerator::pushIndexedForInScope):
298         (JSC::BytecodeGenerator::pushStructureForInScope):
299         * bytecompiler/BytecodeGenerator.h:
300         * tests/stress/finally-for-in.js: Added.
301         (repeat):
302         (createSimple):
303
304 2016-06-28  Saam Barati  <sbarati@apple.com>
305
306         Assertion failure or crash when accessing let-variable in TDZ with eval with a function in it that returns let variable
307         https://bugs.webkit.org/show_bug.cgi?id=158796
308         <rdar://problem/26984659>
309
310         Reviewed by Michael Saboff.
311
312         There was a bug where some functions inside of an eval were
313         omitting a necessary TDZ check. This obviously leads to bad
314         things because a variable under TDZ is the null pointer.
315         The eval's bytecode was generated with the correct TDZ set, but 
316         it created all its functions before pushing that TDZ set onto
317         the stack. That's a mistake. Those functions need to be created with
318         that TDZ set. The solution is simple, the TDZ set that the eval
319         is created with needs to be pushed onto the TDZ stack before
320         the eval creates any functions.
321
322         * bytecompiler/BytecodeGenerator.cpp:
323         (JSC::BytecodeGenerator::BytecodeGenerator):
324         * tests/stress/variable-under-tdz-eval-tricky.js: Added.
325         (assert):
326         (throw.new.Error):
327         (assert.try.underTDZ):
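
The two TDZ entries above (bug 159277, a call through a `let` binding named `eval`, and bug 158796, a function created by a direct eval that captures a variable still in its TDZ) describe engine-side bytecode fixes. The following is an added example, not code from the WebKit ChangeLog or its stress tests: it reproduces both shapes in plain ECMAScript so the expected language-level behaviour (a ReferenceError, never a read of the uninitialized slot) can be checked in any ES2015+ engine. All function names in it are this example's own.

```javascript
// Added example, not code from the WebKit ChangeLog or its stress tests.
// Works in Node.js or any ES2015+ engine; helper names are this example's own.

// True when fn throws the ReferenceError that a temporal-dead-zone (TDZ)
// read must produce; false if it returns or throws anything else.
function throwsTDZ(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof ReferenceError;
  }
  return false;
}

// Bug 159277 shape: a direct call to an identifier named eval whose binding is
// a let that is still in its TDZ. The body is built with new Function so it is
// sloppy-mode code, where "eval" is a legal binding name, regardless of whether
// this file itself runs as a strict-mode module.
const callEvalUnderTDZ = new Function(`
  eval("1 + 1");   // the callee is the local binding below, not global eval
  let eval = function () { return "local eval"; };
  return eval();
`);

// Same shape, but the local is initialized first: the call is then an
// ordinary call of the local function and never reaches real eval.
const callEvalAfterInit = new Function(`
  let eval = function () { return "local eval"; };
  return eval("1 + 1");
`);

// Bug 158796 shape: a direct eval creates a function that closes over a
// variable still in its TDZ. Calling that function before the let executes
// must throw; after the let executes it reads the initialized value.
function evalClosureTDZProbe() {
  const readLater = eval("(function () { return captured; })");
  const threwBefore = throwsTDZ(readLater);
  let captured = 42;
  return { threwBefore, valueAfter: readLater() };
}

// Stand-alone run: prints the three results.
console.log({
  callEvalUnderTDZ: throwsTDZ(callEvalUnderTDZ),   // true
  callEvalAfterInit: callEvalAfterInit(),          // "local eval"
  closureProbe: evalClosureTDZProbe(),             // { threwBefore: true, valueAfter: 42 }
});
```

Both probes are the kind of regression check a fuzzing or engine-hardening harness keeps around: a TDZ check that is skipped turns a ReferenceError into a read of an engine-internal sentinel, which is why the entry above calls the omission "bad things".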
328
329 2016-06-28  Michael Saboff  <msaboff@apple.com>
330
331         REGRESSION (r200946): Improper backtracking from last alternative in sticky patterns
332         https://bugs.webkit.org/show_bug.cgi?id=159233
333
334         Reviewed by Mark Lam.
335
336         Jump to fail exit code when the last alternative of a sticky pattern fails.
337
338         * yarr/YarrJIT.cpp:
339         (JSC::Yarr::YarrGenerator::backtrack):
340
341 2016-06-28  Saam Barati  <sbarati@apple.com>
342
343         some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
344         https://bugs.webkit.org/show_bug.cgi?id=159198
345         <rdar://problem/26302360>
346
347         Reviewed by Filip Pizlo.
348
349         Firing a watchpoint may cause a GC to happen. This GC could destroy various
350         Watchpoints themselves while they're in the process of firing. It's not safe
351         for most Watchpoints to be destructed while they're in the middle of firing.
352         This GC could also destroy the WatchpointSet itself, and it's not in a safe
353         state to be destroyed. WatchpointSet::fireAllWatchpoints now defers gc for a
354         while. This prevents a GC from destructing any Watchpoints while they're
355         in the process of firing. This bug was being hit by the stress GC bots
356         because we would destruct a particular Watchpoint while it was firing,
357         and then we would access its field after it had already been destroyed.
358         This was causing all kinds of weird symptoms. Also, this was easier to
359         catch when running with guard malloc because the first access after
360         destruction would lead to a crash.
361
362         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
363         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
364         * bytecode/CodeBlock.cpp:
365         (JSC::CodeBlock::finishCreation):
366         * bytecode/VariableWriteFireDetail.cpp:
367         (JSC::VariableWriteFireDetail::dump):
368         (JSC::VariableWriteFireDetail::touch):
369         * bytecode/VariableWriteFireDetail.h:
370         * bytecode/Watchpoint.cpp:
371         (JSC::WatchpointSet::add):
372         (JSC::WatchpointSet::fireAllSlow):
373         (JSC::WatchpointSet::fireAllWatchpoints):
374         (JSC::InlineWatchpointSet::add):
375         (JSC::InlineWatchpointSet::fireAll):
376         (JSC::InlineWatchpointSet::inflateSlow):
377         * bytecode/Watchpoint.h:
378         (JSC::WatchpointSet::startWatching):
379         (JSC::WatchpointSet::fireAll):
380         (JSC::WatchpointSet::touch):
381         (JSC::WatchpointSet::invalidate):
382         (JSC::WatchpointSet::isBeingWatched):
383         (JSC::WatchpointSet::offsetOfState):
384         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
385         (JSC::InlineWatchpointSet::startWatching):
386         (JSC::InlineWatchpointSet::fireAll):
387         (JSC::InlineWatchpointSet::invalidate):
388         (JSC::InlineWatchpointSet::touch):
389         * bytecompiler/BytecodeGenerator.cpp:
390         (JSC::BytecodeGenerator::BytecodeGenerator):
391         * dfg/DFGOperations.cpp:
392         * interpreter/Interpreter.cpp:
393         (JSC::Interpreter::execute):
394         * jit/JITOperations.cpp:
395         * jsc.cpp:
396         (WTF::Masquerader::create):
397         * llint/LLIntSlowPaths.cpp:
398         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
399         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
400         (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
401         * runtime/FunctionRareData.cpp:
402         (JSC::FunctionRareData::clear):
403         * runtime/InferredType.cpp:
404         (JSC::InferredType::willStoreValueSlow):
405         (JSC::InferredType::makeTopSlow):
406         (JSC::InferredType::set):
407         (JSC::InferredType::removeStructure):
408         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
409         * runtime/InferredValue.cpp:
410         (JSC::InferredValue::notifyWriteSlow):
411         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
412         * runtime/InferredValue.h:
413         (JSC::InferredValue::notifyWrite):
414         (JSC::InferredValue::invalidate):
415         * runtime/JSGlobalObject.cpp:
416         (JSC::JSGlobalObject::haveABadTime):
417         * runtime/JSSymbolTableObject.h:
418         (JSC::symbolTablePutTouchWatchpointSet):
419         (JSC::symbolTablePutInvalidateWatchpointSet):
420         * runtime/Structure.cpp:
421         (JSC::Structure::didCachePropertyReplacement):
422         (JSC::Structure::startWatchingInternalProperties):
423         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
424         (JSC::DeferredStructureTransitionWatchpointFire::add):
425         (JSC::Structure::didTransitionFromThisStructure):
426         (JSC::Structure::prototypeForLookup):
427         * runtime/StructureInlines.h:
428         (JSC::Structure::didReplaceProperty):
429         (JSC::Structure::propertyReplacementWatchpointSet):
430         * runtime/SymbolTable.h:
431         (JSC::SymbolTableEntry::isDontEnum):
432         (JSC::SymbolTableEntry::disableWatching):
433         * runtime/VM.cpp:
434         (JSC::VM::addImpureProperty):
435         (JSC::enableProfilerWithRespectToCount):
436
437 2016-06-28  Filip Pizlo  <fpizlo@apple.com>
438
439         JSRopeString should use release asserts, not debug asserts, about substring bounds
440         https://bugs.webkit.org/show_bug.cgi?id=159227
441
442         Reviewed by Saam Barati.
443         
444         According to my experiments this change costs nothing.  That's not surprising since the
445         most common way to construct a rope these days is inlined into the JIT, which does its own
446         safety checks.  This makes us crash sooner rather than corrupting memory.
447
448         * runtime/JSString.h:
449
450 2016-06-28  Brian Burg  <bburg@apple.com>
451
452         RunLoop::Timer should use constructor templates instead of class templates
453         https://bugs.webkit.org/show_bug.cgi?id=159153
454
455         Reviewed by Alex Christensen.
456
457         Remove the RunLoop::Timer class template argument, and pass its constructor
458         a reference to `this` instead of a pointer to `this`.
459
460         * inspector/agents/InspectorHeapAgent.cpp:
461         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
462
463 2016-06-28  Joseph Pecoraro  <pecoraro@apple.com>
464
465         Web Inspector: selectElement.options shows unexpected entries in console (named indexes beyond collection length)
466         https://bugs.webkit.org/show_bug.cgi?id=159192
467
468         Reviewed by Timothy Hatcher.
469
470         * inspector/InjectedScriptSource.js:
471         (InjectedScript.prototype.arrayIndexPropertyNames):
472         Start with an empty array because we just push valid indexes.
473
474         (InjectedScript.prototype._propertyDescriptors):
475         Avoid the >100 length requirement, and always treat the
476         array-like objects the same. The frontend currently
477         doesn't show named indexes for arrays anyways, so they
478         would have been unused.
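
Two Inspector entries in this log (bug 158334 at the top, where invoking native getters with the prototype as receiver produced TypeErrors, and bug 159192 just above, where array-index names were collected for an array-like) describe changes to InjectedScriptSource.js. The following is an added example, not the InjectedScript code itself: it shows, in plain ECMAScript, why a descriptor walk must report native accessors as accessors instead of calling them, and how index names are collected by pushing only valid indexes. `Map.prototype.size` stands in for a native DOM getter, the sample collection is constructed, and all function names are this example's own.

```javascript
// Added example, not code from InjectedScriptSource.js. Map.prototype.size is
// used as a stand-in for a native DOM getter; all names here are this example's own.

// Describe the own properties of obj without invoking any getter. A native
// getter called with the prototype itself as receiver throws a TypeError,
// which is exactly what an "API view" of a native prototype must avoid.
function describeOwnProperties(obj) {
  const out = [];
  for (const name of Reflect.ownKeys(obj)) {
    if (typeof name === 'symbol') continue;            // keep the report printable
    const d = Object.getOwnPropertyDescriptor(obj, name);
    if ('get' in d || 'set' in d) {
      out.push({
        name,
        kind: 'accessor',
        hasGetter: typeof d.get === 'function',
        hasSetter: typeof d.set === 'function',
      });
    } else {
      out.push({ name, kind: 'value', type: typeof d.value });
    }
  }
  return out;
}

// The naive alternative: read the property, which runs the getter with obj as
// receiver. On a real instance that works; on the prototype it throws.
function naiveGetterValue(obj, name) {
  try {
    return { ok: true, value: obj[name] };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Index property names for an array-like of the given length, built by
// starting empty and pushing only valid indexes.
function arrayIndexPropertyNames(length) {
  const names = [];
  for (let i = 0; i < length; i++) names.push(String(i));
  return names;
}

// Split the own property names of an array-like into real indexes (below
// length) and everything else, so an integer-looking name past the length is
// not reported as a collection entry.
function splitArrayLikeKeys(obj) {
  const length = Number(obj.length) || 0;
  const indexSet = new Set(arrayIndexPropertyNames(length));
  const indexes = [];
  const extras = [];
  for (const name of Object.getOwnPropertyNames(obj)) {
    if (name === 'length') continue;
    (indexSet.has(name) ? indexes : extras).push(name);
  }
  return { indexes, extras };
}

// Constructed sample standing in for an options-like collection: two real
// entries, one integer-looking name past the length, and one named entry.
const sampleCollection = { 0: 'first', 1: 'second', 7: 'stray', length: 2, byName: 'first' };

// Stand-alone run.
console.log(describeOwnProperties(Map.prototype).filter(p => p.name === 'size'));
console.log(naiveGetterValue(Map.prototype, 'size'));      // { ok: false, error: 'TypeError' }
console.log(naiveGetterValue(new Map([[1, 2]]), 'size'));  // { ok: true, value: 1 }
console.log(splitArrayLikeKeys(sampleCollection));         // indexes ['0','1'], extras ['7','byName']
```

The design point is the same one the two entries make: a property listing for a prototype should be computed from descriptors alone, and the only property names treated as collection entries are the integers in `[0, length)`.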
479
480 2016-06-28  Per Arne Vollan  <pvollan@apple.com>
481
482         [Win] Skip failing INTL test.
483         https://bugs.webkit.org/show_bug.cgi?id=159141
484
485         Reviewed by Brent Fulgham.
486
487         INTL is not enabled on Windows.
488
489         * tests/stress/intl-constructors-with-proxy.js:
490         (shouldBe):
491
492 2016-06-28  Joonghun Park  <jh718.park@samsung.com>
493
494         [JSC] Fix build break since r202502 - 2
495         https://bugs.webkit.org/show_bug.cgi?id=159194
496
497         Reviewed by Gyuyoung Kim.
498
499         Fix for the error message below:
500         error: control reaches end of non-void function [-Werror=return-type]
501
502         * b3/B3TypeMap.h: add #pragma GCC diagnostic ignored "-Wreturn-type".
503
504 2016-06-28  Joonghun Park  <jh718.park@samsung.com>
505
506         [JSC] Fix build break since r202502
507         https://bugs.webkit.org/show_bug.cgi?id=159194
508
509         Reviewed by Alex Christensen.
510
511         Fix for the error message below:
512         error: control reaches end of non-void function [-Werror=return-type]
513
514         * b3/B3TypeMap.h:
515         (JSC::B3::TypeMap::at): add missing ASSERT_NOT_REACHED().
516
517 2016-06-27  Keith Miller  <keith_miller@apple.com>
518
519         Fix bad assert in StructureRareData::setObjectToStringValue
520         https://bugs.webkit.org/show_bug.cgi?id=159171
521         <rdar://problem/26987355>
522
523         Reviewed by Mark Lam.
524
525         We should not have expected that generateConditionsForPrototypePropertyHit would succeed.
526         There are many reasons it might fail including that there is a proxy somewhere on the
527         prototype chain of the object.
528
529         * runtime/StructureRareData.cpp:
530         (JSC::StructureRareData::setObjectToStringValue):
531         * tests/stress/object-toString-with-proxy.js: Added.
532         (get target):
533
534 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
535
536         Crashing at an unreachable code trap in FTL should give more information
537         https://bugs.webkit.org/show_bug.cgi?id=159177
538
539         Reviewed by Saam Barati.
540         
541         This stuffs information into registers so that we have some chance of seeing what happened
542         by looking at the register dumps.
543
544         * assembler/AbortReason.h:
545         * ftl/FTLLowerDFGToB3.cpp:
546         (JSC::FTL::DFG::ftlUnreachable):
547         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
548         (JSC::FTL::DFG::LowerDFGToB3::crash):
549
550 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
551
552         Clean up resetting reachability in B3/Air
553         https://bugs.webkit.org/show_bug.cgi?id=159170
554
555         Reviewed by Geoffrey Garen.
556         
557         When I fixed bug 159165, I took the brute force approach. I still used the
558         B3::resetReachability() method, and changed the callback to record the set of deleted values
559         instead of deleting them eagerly. But this means tracking the set of deleted values, even
560         though resetReachability() already internally tracks the set of deleted blocks. You can find
561         out if a value is deleted by asking if its owning block was deleted.
562         
563         So, this change refactors B3::resetReachability() into a new helper called
564         B3::recomputePredecessors(). This new helper skips the block deletion step, and lets the
565         client delete blocks. This lets Air delete blocks the same way that it did before, and it
566         lets B3 use the isBlockDead() method (which is a glorified proxy for
567         block->predecessors().isEmpty()) to track which values are deleted. This allows B3 to turn
568         Upsilons that point to dead Phis into Nops before deleting the blocks.
569         
570         This shouldn't affect performance or anything real. It just makes the code cleaner.
571
572         * b3/B3BasicBlockUtils.h:
573         (JSC::B3::updatePredecessorsAfter):
574         (JSC::B3::recomputePredecessors):
575         (JSC::B3::isBlockDead):
576         (JSC::B3::resetReachability): Deleted.
577         * b3/B3Procedure.cpp:
578         (JSC::B3::Procedure::resetReachability):
579         (JSC::B3::Procedure::invalidateCFG):
580         * b3/air/AirCode.cpp:
581         (JSC::B3::Air::Code::resetReachability):
582         (JSC::B3::Air::Code::dump):
583
584 2016-06-27  Brian Burg  <bburg@apple.com>
585
586         Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
587         https://bugs.webkit.org/show_bug.cgi?id=159075
588         <rdar://problem/26094341>
589
590         Reviewed by Filip Pizlo.
591
592         This change caused JSC stress tests to all hit an assertion in RunLoop.
593         We should use RunLoop::current() to create the RunLoop::Timer since JSC-only
594         clients like testapi and jsc don't ever call initializeMainRunLoop().
595
596         * inspector/agents/InspectorHeapAgent.cpp:
597         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
598
599 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
600
601         B3::Procedure::resetReachability() can create dangling references from Upsilons to Phis
602         https://bugs.webkit.org/show_bug.cgi?id=159165
603
604         Reviewed by Mark Lam.
605         
606         You can delete an unreachable block that has a Phi but some prior block may still have an
607         Upsilon pointing to that Phi. This can happen if the Upsilon precedes a Check that always
608         exits or it can happen if we remove some successor of a block and this block had an Upsilon
609         for one of the removed successors. These things are valid IR even if they are not canonical.
610         Our policy for not-canonical-but-valid IR is that the compiler should still emit valid code
611         in the end.
612         
613         The solution is to have Procedure::resetReachability() turn those Upsilons into Nops.
614
615         * b3/B3Procedure.cpp:
616         (JSC::B3::Procedure::resetReachability): Fix the bug.
617         * b3/B3Validate.h:
618         * b3/testb3.cpp:
619         (JSC::B3::testResetReachabilityDanglingReference): Add a test. This always crashes prior to this change.
620         * dfg/DFGGraph.cpp:
621         (JSC::DFG::Graph::killUnreachableBlocks): Add a FIXME about a possible similar bug.
622
623 2016-06-27  Keith Miller  <keith_miller@apple.com>
624
625         Add comment to Module feature in features.json
626         https://bugs.webkit.org/show_bug.cgi?id=159159
627
628         Reviewed by Saam Barati.
629
630         * features.json:
631
632 2016-06-27  Keith Miller  <keith_miller@apple.com>
633
634         Update features.json for ES6 completed features.
635         https://bugs.webkit.org/show_bug.cgi?id=159152
636
637         Reviewed by Mark Lam.
638
639         * features.json:
640
641 2016-06-25  Filip Pizlo  <fpizlo@apple.com>
642
643         B3 should not use Nops when deleting unreachable code
644         https://bugs.webkit.org/show_bug.cgi?id=159120
645         <rdar://problem/26500743>
646
647         Reviewed by Michael Saboff.
648         
649         Prior to this change, transformations that obviated the need for some value could choose
650         from these ways to kill it:
651         
652         - replaceWithIdentity() if we're replacing with another value.
653         - replaceWithNop() if the type is Void or if we know that we'll fix any users of this
654           value.
655         - deleteValue() if the code is unreachable.
656         
657         The bug here is that reduceStrength() was being clever about how to get rid of a value.
658         reduceStrength() may find a Check that must always exit. The goal is to remove any code
659         dominated by the Check. But it would be awkward to eagerly delete all of the blocks
660         dominated by this one. So this code took a much simpler approach: it would
661         replaceWithNop() for all of the values in this block after the Check and it would replace
662         the terminal with Oops.
663         
664         But this corrupts the IR in a subtle way: some of those values may have been non-Void but
665         now they are Nops so they are Void. reduceStrength() will not yet realize that the blocks
666         dominated by the one with the Check are unreachable, so it will run all sorts of
667         optimizations on those blocks. This could have probably manifested as many different kinds
668         of badness, but the way I found out about this issue was through a crash in
669         IntRange::top(Type) when inlined into ReduceStrength::rangeFor(). We'd die in a switch
670         statement over a child's type.
671         
672         We could fix this by making rangeFor() tolerate Void. But I think that this would be
673         dangerous. There could easily be other places in reduceStrength() that assume that a value's
674         children are non-Void. So, this change fixes the Check optimization and adds mechanisms to
675         prevent other optimizations from breaking the children-are-not-Void rule.
676         
677         This introduces two high-level changes:
678         
679         - It's no longer legal to replaceWithNop() if the value is not Void. This change alone
680           would cause reduceStrength() to instacrash in its Check optimization. Almost all other
681           uses of replaceWithNop() were already following this rule, so they were fine. One other
682           place was using replaceWithNop() on non-Void values after arranging for them to no
683           longer have any parents. That was changed to call replaceWithNopIgnoringType(), which
684           doesn't have any type assertions.
685         
686         - For reduceStrength() there is a new Value::replaceWithBottom() method that works with
687           Void or non-Void and behaves like you would want replaceWithNop() to behave: if you know
688           that the code is unreachable then it produces something that is guaranteed to be deleted
689           by later optimizations, and if it's not unreachable, then it's guaranteed to be compiled
690           to something harmless and cheap. This means replacing the value with an identity that
691           points to a bottom constant (the 0 for whatever type we have), or just replacing it with
692           Nop if it's Void.
693         
694         This also adds a test case for the reason why we do this: we may have two blocks, where
695         the first block unconditionally exits while dominating the second block. The second block
696         references values in the part of the first block that is unreachable. In trunk, this test
697         would assert in ReduceStrength::rangeFor() because the CheckAdd in the second block would
698         reference a Nop in the first block.
699         
700         This fixes a high volume crash in ReduceStrength::rangeFor(). This crash was very
701         confusing. Even though we were crashing at a RELEASE_ASSERT_NOT_REACHED() in a switch
702         statement in IntRange::top(Type), clang was merging that trap with the trap it used for
703         Vector OOB. The top of the stack in crash dumps looked like:
704         
705             JSC::B3::(anonymous namespace)::ReduceStrength::rangeFor(JSC::B3::Value*, unsigned int) + 4477 (Vector.h:655)
706         
707         Where Vector.h:655 is:
708         
709             OverflowHandler::overflowed();
710
711         But this crash was not at Vector.h:655. It was at B3ReduceStrength.cpp:121. The two lines
712         are both traps, so they got merged despite differences in debug info. This bug would have
713         been so much easier to fix if I had the right line number.
714
715         * b3/B3BottomProvider.h: Added. This is a utility for creating bottom values.
716         (JSC::B3::BottomProvider::BottomProvider):
717         (JSC::B3::BottomProvider::operator()):
718         * b3/B3InsertionSet.cpp: Optimized adding bottom values a bit. We will no longer create pointless duplicates.
719         (JSC::B3::InsertionSet::insertBottom):
720         (JSC::B3::InsertionSet::execute):
721         (JSC::B3::InsertionSet::bottomForType):
722         * b3/B3InsertionSet.h:
723         * b3/B3MoveConstants.cpp: Use replaceWithNopIgnoringType() because we *know* that we can replaceWithNop even for non-Void.
724         * b3/B3Procedure.h:
725         * b3/B3ReduceStrength.cpp: Use replaceWithBottom().
726         * b3/B3ReduceStrength.h:
727         * b3/B3TypeMap.h: I figured if I wrote type-casing code like this once then I'd never want to write it again.
728         * b3/B3Value.cpp:
729         (JSC::B3::Value::replaceWithIdentity):
730         (JSC::B3::Value::replaceWithNop):
731         (JSC::B3::Value::replaceWithNopIgnoringType):
732         * b3/B3Value.h:
733         * b3/B3ValueInlines.h:
734         (JSC::B3::Value::replaceWithBottom): This is the new method of killing unreachable code.
735         (JSC::B3::Value::as):
736         * b3/testb3.cpp: Add new tests!
737         (JSC::B3::testLateRegister):
738         (JSC::B3::testReduceStrengthCheckBottomUseInAnotherBlock):
739         (JSC::B3::zero):
740         (JSC::B3::run):
741
742 2016-06-27  Joseph Pecoraro  <pecoraro@apple.com>
743
744         REGRESSION: Web Inspector: Text search broken in resources with <CR>
745         https://bugs.webkit.org/show_bug.cgi?id=159110
746         <rdar://problem/27008485>
747
748         Reviewed by Brian Burg.
749
750         * inspector/ContentSearchUtilities.cpp:
751         (Inspector::ContentSearchUtilities::lineEndings):
752         The frontend moved to only treat newlines as line endings in
753         the TextEditor. The backend however was looking for many
754         different types of line endings (\r\n, \r, \n). This caused
755         the line endings to ultimately differ between the frontend
756         and the backend, so the frontend couldn't find the lines that
757         the backend was claiming search results were on. Change the
758         backend to only look for \n line endings.
759
760 2016-06-27  Brian Burg  <bburg@apple.com>
761
762         Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
763         https://bugs.webkit.org/show_bug.cgi?id=159075
764         <rdar://problem/26094341>
765
766         Reviewed by Timothy Hatcher.
767
768         Move the asynchronous work to a task class that can be cancelled when the
769         heap agent is reset, disabled or destroyed.
770
771         * inspector/agents/InspectorHeapAgent.cpp:
772         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
773         (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection):
774         (Inspector::SendGarbageCollectionEventsTask::reset):
775         (Inspector::SendGarbageCollectionEventsTask::timerFired):
776         Added. This holds onto GarbageCollectionData that needs to be sent asynchronously.
777         It uses the RunLoop variant of Timer and can queue multiple collections to be sent.
778         The data vector is guarded with a lock so that garbageCollected() can safely add
779         collection data from a non-main thread while the main thread sends out events.
780
781         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
782         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
783         (Inspector::InspectorHeapAgent::disable):
784         Reset the task when disabling or tearing down the agent so the timer doesn't fire after destruction.
785
786         (Inspector::InspectorHeapAgent::didGarbageCollect):
787         Add the collection data to the task, which will dispatch an event for it asynchronously.
788
789         * inspector/agents/InspectorHeapAgent.h:
790
791 2016-06-27  Michael Saboff  <msaboff@apple.com>
792
793         ES6 Change: Unify handling of RegExp CharacterClassEscapes \w and \W and Word Asserts \b and \B
794         https://bugs.webkit.org/show_bug.cgi?id=158505
795
796         Reviewed by Geoffrey Garen.
797
798         This change makes it so that the CharacterClassEscape \w matches the inverse of
799         \W and vice versa for unicode, ignore-case RegExps.
800
801         Before this change, both /\w/ui and /\W/ui RegExps would match the characters
802         k, K, s, S, \u017f (Latin Small Letter Long S) and \u212a (Kelvin Sign).
803         This was due to how the ES6 standard defined matching of character classes
804         specifically that the abstract operation "Canonicalize()" is called for the
805         character to be matched AND for the characters in the character class we are
806         matching against.  This change is to make \W always be the inverse of \w.
807         It is still the case that the characters that match against \w changes
808         depending on a regular expression's flags.
809
810         The only real changes occur for regular expressions with both the unicode and
811         ignore case flags set.  Updated the character class generator to make 
812         nonwordUnicodeIgnoreCaseChar not include k, K, s, S, \u017f and \u212a.
813         Changed BytecodePattern.wordcharCharacterClass to use the correct
814         word character class for the flags.  Simplified character class setup
815         in the pattern to use m_pattern.wordUnicodeIgnoreCaseCharCharacterClass and
816         invert as appropriate when unicode and ignore case are both set.
817
818         * create_regex_tables:
819         * yarr/YarrInterpreter.h:
820         (JSC::Yarr::BytecodePattern::BytecodePattern):
821         * yarr/YarrPattern.cpp:
822         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
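
The partition property the entry above restores, as an added JavaScript example that is not YARR or WebKit code: it runs the engine it executes in against the six characters the entry names and reports whether \w and \W still overlap or leave a gap for any flag combination. The constant and function names (PROBLEM_CHARS, FLAG_SETS, charsMatchedByBothWordClasses and the others) are this example's own.

```javascript
// Added example, not WebKit code. It checks the invariant the ChangeLog entry
// above restores in YARR: for any flag combination, \W must match exactly the
// characters \w does not, so the two classes partition the input.
// The characters the entry names: k, K, s, S, U+017F (Latin small letter long s)
// and U+212A (Kelvin sign). Under /ui the last two case-fold to s and k.
const PROBLEM_CHARS = ['k', 'K', 's', 'S', '\u017f', '\u212a'];

// Every flag combination worth checking; the entry says only 'ui' changes.
const FLAG_SETS = ['', 'i', 'u', 'ui'];

// Characters in `chars` matched by BOTH /\w/ and /\W/ under `flags`.
// Before the fix this returned all six for flags 'ui'; a correct engine
// returns [] for every flag set.
function charsMatchedByBothWordClasses(chars, flags) {
  const word = new RegExp('\\w', flags);
  const nonWord = new RegExp('\\W', flags);
  return chars.filter((c) => word.test(c) && nonWord.test(c));
}

// Characters in `chars` matched by NEITHER class, the other way a partition breaks.
function charsMatchedByNeitherWordClass(chars, flags) {
  const word = new RegExp('\\w', flags);
  const nonWord = new RegExp('\\W', flags);
  return chars.filter((c) => !word.test(c) && !nonWord.test(c));
}

// True when \w and \W partition `chars` under every flag set in FLAG_SETS.
function wordClassesPartition(chars) {
  return FLAG_SETS.every((flags) =>
    charsMatchedByBothWordClasses(chars, flags).length === 0 &&
    charsMatchedByNeitherWordClass(chars, flags).length === 0);
}

// The set of word characters legitimately depends on the flags, as the entry
// says: these are the characters /\w/ui matches that /\w/i does not.
function extraWordCharsUnderUnicodeIgnoreCase(chars) {
  return chars.filter((c) => /\w/ui.test(c) && !/\w/i.test(c));
}

// The word assertions \b and \B are defined from the same class, so for a
// one-character string \b matches exactly when \w matches that character.
// Returns true when the running engine honours that for every character.
function boundaryAgreesWithWordClass(chars, flags) {
  const word = new RegExp('\\w', flags);
  const boundary = new RegExp('\\b', flags);
  return chars.every((c) => word.test(c) === boundary.test(c));
}

for (const flags of FLAG_SETS) {
  console.log(`flags '${flags}': matched by both =`,
    charsMatchedByBothWordClasses(PROBLEM_CHARS, flags),
    'matched by neither =', charsMatchedByNeitherWordClass(PROBLEM_CHARS, flags));
}
console.log('extra word chars under /ui:', extraWordCharsUnderUnicodeIgnoreCase(PROBLEM_CHARS));
```

Running this on an engine with the pre-fix behaviour prints all six characters under "matched by both" for flags 'ui'; on a conforming engine both lists are empty for every flag set, while the extra-word-chars list still contains U+017F and U+212A, which is the flag-dependence the entry says is intentional.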
823
824 2016-06-25  Keith Miller  <keith_miller@apple.com>
825
826         DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly
827         https://bugs.webkit.org/show_bug.cgi?id=159117
828         <rdar://problem/26996781>
829
830         Reviewed by Saam Barati.
831
832         DFGByteCodeParsing always assumed there would be an argument to the Object constructor.
833         This is clearly not always the case and we should be able to handle it.
834
835         * dfg/DFGByteCodeParser.cpp:
836         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
837         * tests/stress/indirect-call-object-constructor-with-no-arguments.js: Added.
838         (let.foo.Object.test):
839
840 2016-06-24  Filip Pizlo  <fpizlo@apple.com>
841
842         B3 should die sooner if a Value has the wrong number of children
843         https://bugs.webkit.org/show_bug.cgi?id=159108
844
845         Reviewed by Mark Lam.
846         
847         I've been looking at a bug (rdar://problem/26500743) that's about a Vector OOB crash in
848         ReduceStrength::rangeFor(). The only Vector accesses are to Value::m_children, and all of
849         the accesses in rangeFor() are for child(0) or child(1) of binary arithmetic opcodes.
850         Clearly those should never go out-of-bounds.
851         
852         Maybe we have horrible memory corruption. Or maybe some path creates a Value with the
853         wrong number of children, and that path is not tested by any of our tests. This patch adds
854         release assertions that will catch the latter.
855         
856         I've tested this a lot. It's not a regression on our benchmarks.
857
858         * b3/B3Opcode.h:
859         * b3/B3Value.cpp:
860         (JSC::B3::Value::dumpMeta):
861         (JSC::B3::Value::typeFor):
862         (JSC::B3::Value::badOpcode):
863         (JSC::B3::Value::checkOpcode): Deleted.
864         * b3/B3Value.h:
865
866 2016-06-24  Mark Lam  <mark.lam@apple.com>
867
868         [JSC] Error prototypes are called on remote scripts.
869         https://bugs.webkit.org/show_bug.cgi?id=52192
870
871         Reviewed by Keith Miller.
872
873         Added a sanitizedToString() to the Error instance object so that it can be used
874         to get an error string without invoking getters and proxies.
875
876         * runtime/ErrorInstance.cpp:
877         (JSC::ErrorInstance::finishCreation):
878         (JSC::ErrorInstance::sanitizedToString):
879         * runtime/ErrorInstance.h:
880         (JSC::ErrorInstance::createStructure):
881         (JSC::ErrorInstance::runtimeTypeForCause):
882         (JSC::ErrorInstance::clearRuntimeTypeForCause):
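
How getter-invoking error stringification differs from a sanitized one, as an added JavaScript example that is not WebKit's ErrorInstance::sanitizedToString: makeErrorWithGetter, lookupDataProperty, sanitizedErrorString and compareStringification are this example's own names. It models the observable property the entry describes, producing an error string without running script-defined getters; unlike the engine-side method it cannot sidestep Proxy traps, because every JS-level reflection call goes through the proxy.

```javascript
// Added example, not WebKit code. Error.prototype.toString reads `name` and
// `message` with ordinary [[Get]], so a script-defined accessor on the error
// object runs whenever the error is stringified. The sanitized formatter below
// reads only data properties, so no getter runs. (A Proxy in the prototype
// chain would still trap these reflection calls; only the engine, as in the
// entry above, can read the instance without going through it.)

// Constructed input: an Error whose own `message` is an accessor that logs
// every read. The getter stands in for arbitrary script the page controls.
function makeErrorWithGetter(log) {
  const err = new Error('benign');
  Object.defineProperty(err, 'message', {
    get() { log.push('message getter ran'); return 'attacker-controlled text'; },
    configurable: true,
  });
  return err;
}

// Walks the prototype chain with getOwnPropertyDescriptor, which never invokes
// a getter. Returns the first data property's value, or `fallback` when the
// property is missing or is an accessor where it is first found.
function lookupDataProperty(obj, key, fallback) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, key);
    if (desc !== undefined) return 'value' in desc ? desc.value : fallback;
  }
  return fallback;
}

// Same output shape as Error.prototype.toString ("name: message", with either
// side dropped when empty) but built without running any script on `err`.
// Non-string values are replaced rather than coerced, since coercion would
// call toString/valueOf on them.
function sanitizedErrorString(err) {
  const rawName = lookupDataProperty(err, 'name', 'Error');
  const rawMessage = lookupDataProperty(err, 'message', '');
  const name = typeof rawName === 'string' ? rawName : 'Error';
  const message = typeof rawMessage === 'string' ? rawMessage : '';
  if (name === '') return message;
  if (message === '') return name;
  return `${name}: ${message}`;
}

// Side by side: String(err) goes through Error.prototype.toString and runs the
// getter; the sanitized formatter does not.
function compareStringification() {
  const log = [];
  const err = makeErrorWithGetter(log);
  const sanitized = sanitizedErrorString(err);
  const gettersRunBySanitized = log.length;
  const native = String(err);
  return {
    sanitized,
    native,
    gettersRunBySanitized,
    gettersRunByNative: log.length - gettersRunBySanitized,
  };
}

console.log(compareStringification());
```

The sanitized string for the constructed error is just "Error": the accessor on `message` is skipped entirely, whereas String(err) returns the attacker-controlled text and leaves a getter invocation in the log.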
883
884 2016-06-24  Commit Queue  <commit-queue@webkit.org>
885
886         Unreviewed, rolling out r202443.
887         https://bugs.webkit.org/show_bug.cgi?id=159105
888
889         Introduced memory corruption crashes (Requested by ap on
890         #webkit).
891
892         Reverted changeset:
893
894         "Web Inspector: CRASH in backend at
895         Inspector::HeapFrontendDispatcher::garbageCollected + 552 when
896         closing frontend/inspected page"
897         https://bugs.webkit.org/show_bug.cgi?id=159075
898         http://trac.webkit.org/changeset/202443
899
900 2016-06-24  Brian Burg  <bburg@apple.com>
901
902         Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
903         https://bugs.webkit.org/show_bug.cgi?id=159075
904         <rdar://problem/26094341>
905
906         Reviewed by Joseph Pecoraro.
907
908         Move the asynchronous work to a task class that can be cancelled when the
909         heap agent is reset, disabled or destroyed.
910
911         * inspector/agents/InspectorHeapAgent.cpp:
912         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
913         (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection):
914         (Inspector::SendGarbageCollectionEventsTask::reset):
915         (Inspector::SendGarbageCollectionEventsTask::timerFired):
916         Added. This holds onto GarbageCollection objects that need to be sent asynchronously.
917         It uses the RunLoop variant of Timer and can queue multiple pending objects to be sent.
918
919         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
920         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
921         (Inspector::InspectorHeapAgent::disable):
922         Reset the task when disabling or tearing down the agent so the timer doesn't fire after destruction.
923
924         (Inspector::InspectorHeapAgent::didGarbageCollect):
925         Send the object to the task to be dispatched asynchronously.
926
927         * inspector/agents/InspectorHeapAgent.h:
928
929 2016-06-24  Commit Queue  <commit-queue@webkit.org>
930
931         Unreviewed, rolling out r202413.
932         https://bugs.webkit.org/show_bug.cgi?id=159097
933
934         Broke many JSC tests (Requested by ap on #webkit).
935
936         Reverted changeset:
937
938         "[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber
939         accept non number values"
940         https://bugs.webkit.org/show_bug.cgi?id=154022
941         http://trac.webkit.org/changeset/202413
942
943 2016-06-23  Benjamin Poulain  <bpoulain@apple.com>
944
945         OOM Assertion failure in Array.prototype.toString
946         https://bugs.webkit.org/show_bug.cgi?id=158793
947
948         Reviewed by Saam Barati.
949
950         JSString::create() taking a StringImpl was using a signed integer
951         for the length of the string.
952         The problem is StringImpl uses an unsigned integer. When a large string
953         was passed to JSString, the signed integer would be negative and crash
954         JSString.
955
956         * runtime/JSString.h:
957         (JSC::JSString::create):
958
959 2016-06-23  Joseph Pecoraro  <pecoraro@apple.com> and Yusuke Suzuki  <utatane.tea@gmail.com>
960
961         [JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
962         https://bugs.webkit.org/show_bug.cgi?id=154022
963
964         Reviewed by Filip Pizlo.
965
966         We aim at optimizing @toInteger operation.
967         While it still has an unoptimized part[1], this patch should be a first step.
968
969         We introduce the @toNumber builtin intrinsic operation.
970         This converts the given value to the JS number by emitting op_to_number bytecode.
971         Previously @toInteger called C++ @Number constructor for that purpose.
972
973         And in DFG, op_to_number is converted to DFG ToNumber node.
974         During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
975         we just fall back to calling the C++ function.
976
977         To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
978         to ToNumber DFG nodes. This conversion is useful because `Number(value)` is used to convert a value to a number in JS.
979
980         Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
981         But emitting ToNumber is useful, because in the case of `Number(value)`, considering `value` may not be a number is reasonable.
982
983         By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.
984
985         The ToNumber DFG node has value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
986         This value profiling is provided from either NumberConstructor's call operation or op_to_number.
987
988         The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
989         And ASMBench/n-body.c also shows stable ~2% progression.
990
991         [1]: https://bugs.webkit.org/show_bug.cgi?id=153738
992
993         * CMakeLists.txt:
994         * DerivedSources.make:
995         * JavaScriptCore.xcodeproj/project.pbxproj:
996         * builtins/BuiltinNames.h:
997         * builtins/GlobalObject.js:
998         (globalPrivate.isFinite):
999         (globalPrivate.isNaN):
1000         (globalPrivate.toInteger): Deleted.
1001         (globalPrivate.toLength): Deleted.
1002         (globalPrivate.isDictionary): Deleted.
1003         (globalPrivate.speciesGetter): Deleted.
1004         (globalPrivate.speciesConstructor): Deleted.
1005         * builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.
1006         (globalPrivate.toInteger):
1007         (globalPrivate.toLength):
1008         (globalPrivate.isDictionary):
1009         (globalPrivate.speciesGetter):
1010         (globalPrivate.speciesConstructor):
1011         * builtins/NumberConstructor.js: Added.
1012         (isFinite):
1013         (isNaN):
1014         * bytecode/BytecodeIntrinsicRegistry.cpp:
1015         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1016         * bytecode/BytecodeIntrinsicRegistry.h:
1017         * bytecode/BytecodeList.json:
1018         * bytecode/CodeBlock.cpp:
1019         (JSC::CodeBlock::dumpBytecode):
1020         (JSC::CodeBlock::finishCreation):
1021         * bytecompiler/BytecodeGenerator.cpp:
1022         (JSC::BytecodeGenerator::emitUnaryOp):
1023         (JSC::BytecodeGenerator::emitUnaryOpProfiled):
1024         * bytecompiler/BytecodeGenerator.h:
1025         (JSC::BytecodeGenerator::emitToNumber):
1026         * bytecompiler/NodesCodegen.cpp:
1027         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
1028         (JSC::UnaryPlusNode::emitBytecode):
1029         * dfg/DFGAbstractInterpreterInlines.h:
1030         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1031         * dfg/DFGByteCodeParser.cpp:
1032         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1033         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1034         (JSC::DFG::ByteCodeParser::parseBlock):
1035         We use `getPrediction()` to retrieve the heap prediction from the to_number bytecode.
1036         According to the benchmark results, choosing `getPredictionWithoutOSRExit()` causes performance regression (1.5%) in kraken stanford-crypto-aes.
1037
1038         * dfg/DFGClobberize.h:
1039         (JSC::DFG::clobberize):
1040         * dfg/DFGConstantFoldingPhase.cpp:
1041         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1042         * dfg/DFGDoesGC.cpp:
1043         (JSC::DFG::doesGC):
1044         * dfg/DFGFixupPhase.cpp:
1045         (JSC::DFG::FixupPhase::fixupNode):
1046         (JSC::DFG::FixupPhase::fixupToNumber):
1047         * dfg/DFGNode.h:
1048         (JSC::DFG::Node::hasHeapPrediction):
1049         * dfg/DFGNodeType.h:
1050         * dfg/DFGOperations.cpp:
1051         * dfg/DFGOperations.h:
1052         * dfg/DFGPredictionPropagationPhase.cpp:
1053         Always rely on the heap prediction.
1054
1055         * dfg/DFGSafeToExecute.h:
1056         (JSC::DFG::safeToExecute):
1057         * dfg/DFGSpeculativeJIT32_64.cpp:
1058         (JSC::DFG::SpeculativeJIT::compile):
1059         As in the 64bit version, we carefully manage register reuse. The largest difference between 32bit and 64bit is that
1060         `branchIfNotNumber()` requires a temporary register. We should not use the result registers for that since
1061         they may reuse the argument registers, which would break the argument registers before using them to call the operation.
1062         Currently, we allocate an additional temporary register for that scratch register.
1063
1064         * dfg/DFGSpeculativeJIT64.cpp:
1065         (JSC::DFG::SpeculativeJIT::compile):
1066         Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
1067         This is a similar technique to the one used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
1068         we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
1069         the spills to call the operation. An example of the actually emitted code is the following.
1070
1071         76:<!2:loc11>     ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48)  predicting DoubleimpurenanTopEmpty
1072             0x7f986d5fe693: test %rax, %r14
1073             0x7f986d5fe696: jz 0x7f986d5fe6a1
1074             0x7f986d5fe69c: jmp 0x7f986d5fe6d1
1075             0x7f986d5fe6a1: mov %rax, %rsi
1076             0x7f986d5fe6a4: mov %rbp, %rdi
1077             0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
1078             0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
1079             0x7f986d5fe6b8: call *%r11
1080             0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
1081             0x7f986d5fe6c5: mov (%r11), %r11
1082             0x7f986d5fe6c8: test %r11, %r11
1083             0x7f986d5fe6cb: jnz 0x7f986d5fe88c
1084
1085         It effectively removes the unnecessary spill to call the operation!
1086
1087         * ftl/FTLCapabilities.cpp:
1088         (JSC::FTL::canCompile):
1089         * ftl/FTLLowerDFGToB3.cpp:
1090         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1091         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
1092         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1093         * jit/AssemblyHelpers.h:
1094         (JSC::AssemblyHelpers::branchIfNumber):
1095         (JSC::AssemblyHelpers::branchIfNotNumber):
1096         * jit/JITOpcodes.cpp:
1097         (JSC::JIT::emit_op_to_number):
1098         * jit/JITOpcodes32_64.cpp:
1099         (JSC::JIT::emit_op_to_number):
1100         * llint/LowLevelInterpreter32_64.asm:
1101         * llint/LowLevelInterpreter64.asm:
1102         * parser/Nodes.h:
1103         (JSC::UnaryOpNode::opcodeID):
1104         * runtime/CommonSlowPaths.cpp:
1105         (JSC::SLOW_PATH_DECL):
1106         * runtime/JSGlobalObject.cpp:
1107         (JSC::JSGlobalObject::init):
1108         * runtime/JSGlobalObjectFunctions.cpp:
1109         (JSC::globalFuncIsNaN): Deleted.
1110         (JSC::globalFuncIsFinite): Deleted.
1111         * runtime/JSGlobalObjectFunctions.h:
1112         * runtime/MathCommon.h:
1113         (JSC::maxSafeInteger):
1114         (JSC::minSafeInteger):
1115         * runtime/NumberConstructor.cpp:
1116         (JSC::NumberConstructor::finishCreation):
1117         (JSC::numberConstructorFuncIsFinite): Deleted.
1118         (JSC::numberConstructorFuncIsNaN): Deleted.
1119         * runtime/NumberConstructor.h:
1120         * tests/stress/Number-isNaN-basics.js: Added.
1121         (numberIsNaNOnInteger):
1122         (testNumberIsNaNOnIntegers):
1123         (verifyNumberIsNaNOnIntegerWithOtherTypes):
1124         (numberIsNaNOnDouble):
1125         (testNumberIsNaNOnDoubles):
1126         (verifyNumberIsNaNOnDoublesWithOtherTypes):
1127         (numberIsNaNNoArguments):
1128         (numberIsNaNTooManyArguments):
1129         (testNumberIsNaNOnConstants):
1130         (numberIsNaNStructTransition):
1131         (Number.isNaN):
1132         * tests/stress/global-is-finite.js: Added.
1133         (shouldBe):
1134         * tests/stress/global-is-nan.js: Added.
1135         (shouldBe):
1136         * tests/stress/global-isNaN-basics.js: Added.
1137         (isNaNOnInteger):
1138         (testIsNaNOnIntegers):
1139         (verifyIsNaNOnIntegerWithOtherTypes):
1140         (isNaNOnDouble):
1141         (testIsNaNOnDoubles):
1142         (verifyIsNaNOnDoublesWithOtherTypes):
1143         (verifyIsNaNOnCoercedTypes):
1144         (isNaNNoArguments):
1145         (isNaNTooManyArguments):
1146         (testIsNaNOnConstants):
1147         (isNaNTypeCoercionSideEffects):
1148         (i.value.isNaNTypeCoercionSideEffects.valueOf):
1149         (isNaNStructTransition):
1150         (isNaN):
1151         * tests/stress/number-is-finite.js: Added.
1152         (shouldBe):
1153         (test2):
1154         (test3):
1155         * tests/stress/number-is-nan.js: Added.
1156         (shouldBe):
1157         (test2):
1158         (test3):
1159         * tests/stress/to-number-basics.js: Added.
1160         (shouldBe):
1161         * tests/stress/to-number-convert-identity-without-execution.js: Added.
1162         (shouldBe):
1163         (object.valueOf):
1164         (valueOf):
1165         * tests/stress/to-number-int52.js: Added.
1166         (shouldBe):
1167         (object.valueOf):
1168         * tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.
1169         (shouldBe):
1170         (object.valueOf):
1171         (valueOf):
1172         * tests/stress/to-number-intrinsic-int52.js: Added.
1173         (shouldBe):
1174         (object.valueOf):
1175         * tests/stress/to-number-intrinsic-object-without-execution.js: Added.
1176         (shouldBe):
1177         (object.valueOf):
1178         * tests/stress/to-number-intrinsic-value-profiling.js: Added.
1179         (shouldBe):
1180         (object.valueOf):
1181         * tests/stress/to-number-object-without-execution.js: Added.
1182         (shouldBe):
1183         (object.valueOf):
1184         * tests/stress/to-number-object.js: Added.
1185         (shouldBe):
1186         (test12):
1187         (object1.valueOf):
1188         (test2):
1189         (test22):
1190         (object2.valueOf):
1191         (test3):
1192         (test32):
1193         (object3.valueOf):
1194         * tests/stress/to-number-value-profiling.js: Added.
1195         (shouldBe):
1196         (object.valueOf):
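
The ToNumber conversion that the new @toNumber intrinsic and the Number(value) path perform, together with the coercion side effects that the to-number-object and isNaNTypeCoercionSideEffects tests listed above are about, as an added JavaScript example that is not JSC's builtin or test code: toPrimitive, toNumber and coercionCounts are this example's own names, and the string-to-number step is delegated to the engine's Number().

```javascript
// Added example, not JSC code: a user-land model of the ES ToNumber abstract
// operation, the conversion the @toNumber intrinsic and Number(value) perform.
// The part that matters for the entry's tests is ToPrimitive: converting an
// object runs script (Symbol.toPrimitive, valueOf, toString), which is why the
// DFG may only turn ToNumber into an Identity when the input is already a Number.

// ToPrimitive(input, hint) per ES2015 7.1.1. Non-objects are returned as-is.
function toPrimitive(input, hint = 'default') {
  const isObject = input !== null && (typeof input === 'object' || typeof input === 'function');
  if (!isObject) return input;
  const exotic = input[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const result = exotic.call(input, hint);
    if (result !== null && (typeof result === 'object' || typeof result === 'function')) {
      throw new TypeError('Symbol.toPrimitive returned an object');
    }
    return result;
  }
  // OrdinaryToPrimitive: hint "number" tries valueOf before toString.
  const order = hint === 'string' ? ['toString', 'valueOf'] : ['valueOf', 'toString'];
  for (const name of order) {
    const method = input[name];
    if (typeof method === 'function') {
      const result = method.call(input);
      if (result === null || (typeof result !== 'object' && typeof result !== 'function')) {
        return result;
      }
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// ToNumber(argument) per ES2015 7.1.3. Note that Number(1n) returns 1 because
// the Number constructor uses ToNumeric, but ToNumber itself rejects BigInt.
function toNumber(value) {
  switch (typeof value) {
    case 'undefined': return NaN;
    case 'boolean': return value ? 1 : 0;
    case 'number': return value;
    case 'string': return Number(value); // StringToNumber grammar, delegated to the engine
    case 'symbol': throw new TypeError('Cannot convert a Symbol value to a number');
    case 'bigint': throw new TypeError('Cannot convert a BigInt value to a number');
    default:
      if (value === null) return 0;
      return toNumber(toPrimitive(value, 'number'));
  }
}

// Why the entry's tests check side effects: the global isNaN coerces its
// argument (running valueOf), while Number.isNaN never converts and so never
// runs script. Returns how many times the constructed valueOf ran for each.
function coercionCounts() {
  let valueOfCalls = 0;
  const obj = { valueOf() { valueOfCalls += 1; return NaN; } }; // constructed input
  const globalResult = isNaN(obj);
  const callsFromGlobal = valueOfCalls;
  const staticResult = Number.isNaN(obj);
  return {
    globalResult,
    staticResult,
    callsFromGlobal,
    callsFromStatic: valueOfCalls - callsFromGlobal,
  };
}

console.log(toNumber({ valueOf() { return 42; } }), toNumber([5]), toNumber('0x10'));
console.log(coercionCounts());
```

For objects the model calls the same methods in the same order as Number(value), so the two agree on every input except BigInt; the coercionCounts result (one valueOf call from isNaN, none from Number.isNaN) is the observable difference the rewritten builtins must preserve.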
1197
1198 2016-06-23  Saam Barati  <sbarati@apple.com>
1199
1200         DFGSpeculativeJIT's m_slowPathLambdas should restore the current node field and DFG OSR entry functions should use DeferGCForAWhile instead of DeferGC
1201         https://bugs.webkit.org/show_bug.cgi?id=159064
1202         <rdar://problem/26599119>
1203
1204         Reviewed by Filip Pizlo.
1205
1206         The DFG has a list of m_slowPathLambdas that are code generators it emits
1207         amongst its slow paths. These lambdas, however, did not update the m_currentNode field.
1208         This caused us to use whatever Node happened to be used as the currentNode at the time
1209         we call the slowPathLambda. This means the wrong CallSiteIndex was stored into the call
1210         frame when we made a call. This may lead to a crash if the CallSiteIndex corresponds to
1211         the wrong CodeOrigin. For example, the wrong CodeOrigin could have an InlineCallFrame with
1212         a calleeRecovery that will not be in sync with the current stack state. Trying
1213         to recover that callee will often lead to a crash. The solution is to update
1214         m_currentNode to the DFG::Node* it corresponds to when emitting these slowPathLambdas.
1215
1216         I found this bug because we were inside this bad state when calling an operation
1217         that happened to have a DeferGC. When this DeferGC actually GCed, it would
1218         take a StackTrace, which would lead to a crash because we were updating
1219         ShadowChicken with vm.topCallFrame. It just so happened that the CallSiteIndex
1220         in the call frame in this program corresponded to an InlineCallFrame with a calleeRecovery.
1221         However, this CallSiteIndex didn't correspond to the actual state of execution
1222         of the program. I'm adding new options to make reproducing DeferGC related
1223         bugs easier by making DeferGC force a GC according to some probability. To
1224         always have DeferGC force a GC, you can set that probability to 1.
1225
1226         There is a second bug that I discovered after solving the above bug. We were
1227         using DeferGC instead of DeferGCForAWhile in the OSR entry related functions
1228         in the DFG. This would cause us to take a stack trace when the call frame was
1229         in an inconsistent state. For example, the operation would call FTL::prepareOSREntry,
1230         which would replace the DFG CodeBlock in the call frame with the FTL CodeBlock.
1231         However, we wouldn't update the CallSiteIndex to correspond to an FTL CallSiteIndex.
1232         This would lead to a crash when taking a stack trace. The solution is to prevent
1233         stack traces from being taken when the program is in this state by using
1234         DeferGCForAWhile instead of DeferGC.
1235
1236         * dfg/DFGOperations.cpp:
1237         * dfg/DFGSpeculativeJIT.cpp:
1238         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1239         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1240         * dfg/DFGSpeculativeJIT.h:
1241         * heap/Heap.h:
1242         * heap/HeapInlines.h:
1243         (JSC::Heap::collectIfNecessaryOrDefer):
1244         (JSC::Heap::collectAccordingToDeferGCProbability):
1245         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1246         (JSC::Heap::markListSet):
1247         * runtime/Options.cpp:
1248         (JSC::recomputeDependentOptions):
1249         (JSC::Options::initialize):
1250         * runtime/Options.h:
1251         * tests/stress/slow-path-generator-updating-current-node-dfg.js: Added.
1252         (foo):
1253         (bar):
1254
1255 2016-06-23  Filip Pizlo  <fpizlo@apple.com>
1256
1257         Failing baseline JIT compilation of a code block and then trying to compile it from OSR from DFG/FTL will corrupt the CodeBlock
1258         https://bugs.webkit.org/show_bug.cgi?id=158806
1259
1260         Reviewed by Saam Barati.
1261         
1262         If we try to compile a CodeBlock that we already tried compiling in the past then we need
1263         to clean up the data structures that were partly filled in by the failed compile. That
1264         causes some races, since the DFG may be trying to parse those data structures while we are
1265         clearing them. This patch introduces such a clean-up (CodeBlock::resetJITData()) and fixes
1266         the races.
1267
1268         * bytecode/CodeBlock.cpp:
1269         (JSC::CodeBlock::dumpBytecode):
1270         (JSC::CodeBlock::getStubInfoMap):
1271         (JSC::CodeBlock::getCallLinkInfoMap):
1272         (JSC::CodeBlock::getByValInfoMap):
1273         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
1274         (JSC::CodeBlock::resetJITData):
1275         (JSC::CodeBlock::visitOSRExitTargets):
1276         (JSC::CodeBlock::setSteppingMode):
1277         (JSC::CodeBlock::addRareCaseProfile):
1278         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
1279         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
1280         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1281         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
1282         (JSC::CodeBlock::couldTakeSpecialFastCase):
1283         (JSC::CodeBlock::ensureResultProfile):
1284         * bytecode/CodeBlock.h:
1285         (JSC::CodeBlock::getFromAllValueProfiles):
1286         (JSC::CodeBlock::numberOfRareCaseProfiles):
1287         (JSC::CodeBlock::numberOfResultProfiles):
1288         (JSC::CodeBlock::numberOfArrayProfiles):
1289         (JSC::CodeBlock::arrayProfiles):
1290         (JSC::CodeBlock::addRareCaseProfile): Deleted.
1291         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
1292         (JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
1293         * dfg/DFGByteCodeParser.cpp:
1294         (JSC::DFG::ByteCodeParser::makeSafe):
1295         * dfg/DFGGraph.cpp:
1296         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1297         * jit/JIT.cpp:
1298         (JSC::JIT::link):
1299         * jit/JITWorklist.cpp:
1300         (JSC::JITWorklist::compileNow):
1301
1302 2016-06-23  Joseph Pecoraro  <pecoraro@apple.com>
1303
1304         Web Inspector: Memory Timeline sometimes shows impossible value for bmalloc size (underflowed)
1305         https://bugs.webkit.org/show_bug.cgi?id=158110
1306         <rdar://problem/26498584>
1307
1308         Reviewed by Andreas Kling.
1309
1310         * heap/Heap.cpp:
1311         (JSC::Heap::willStartCollection):
1312         (JSC::Heap::didFinishCollection):
1313         * heap/Heap.h:
1314         (JSC::Heap::externalMemorySize):
1315         * heap/HeapInlines.h:
1316         (JSC::Heap::reportExternalMemoryVisited):
1317         Keep count of external memory we visit.
1318
1319         * heap/SlotVisitor.h:
1320         * heap/SlotVisitorInlines.h:
1321         (JSC::SlotVisitor::reportExternalMemoryVisited):
1322         Report external memory visited like we do extra memory, since
1323         it will be some subset of extra memory that is external.
1324
1325 2016-06-23  Joseph Pecoraro  <pecoraro@apple.com>
1326
1327         Web Inspector: Snapshots should be cleared at some point
1328         https://bugs.webkit.org/show_bug.cgi?id=157907
1329         <rdar://problem/26373610>
1330
1331         Reviewed by Timothy Hatcher.
1332
1333         * heap/HeapSnapshotBuilder.h:
1334         * heap/HeapSnapshotBuilder.cpp:
1335         (JSC::HeapSnapshotBuilder::resetNextAvailableObjectIdentifier):
1336         Provide a way to reset the object identifier counter.
1337
1338         * inspector/agents/InspectorHeapAgent.h:
1339         * inspector/agents/InspectorHeapAgent.cpp:
1340         (Inspector::InspectorHeapAgent::clearHeapSnapshots):
1341         Make clearHeapSnapshots protected, so it can be called from a
1342         PageHeapAgent on page navigations.
1343
1344 2016-06-22  Saam barati  <sbarati@apple.com>
1345
1346         TypeProfiler and TypeProfilerLog don't play nicely with the concurrent JIT
1347         https://bugs.webkit.org/show_bug.cgi?id=159037
1348         <rdar://problem/26935349>
1349
1350         Reviewed by Benjamin Poulain.
1351
1352         The primary focus of this patch is to make the concurrent
1353         baseline JIT work with the type profiler. We were clearing
1354         the type profiler log on the background baseline compiler
1355         thread which led to bad things happening. This patch fixes
1356         this by processing the log before we launch the compile on
1357         a background thread.
1358
1359         Secondly, I audited the type profiler code inside the DFG,
1360         and found that we were doing some racy things. I haven't
1361         seen any crashes because of these things, but it is possible
1362         that they exist. We were grabbing a RefPtr to a TypeSet,
1363         even though TypeSet was RefCounted and not ThreadSafeRefCounted.
1364         This patch makes TypeSet ThreadSafeRefCounted. We were
1365         also copying a StructureSet while the execution thread could
1366         be augmenting the StructureSet. This patch puts changes to
1367         TypeSet's StructureSet behind a ConcurrentJITLock.
1368
1369         I've also added two more large running tests that run with the
1370         type profiler enabled. These are here just to catch any major bugs
1371         in the type profiler implementation.
1372
1373         * jit/JIT.cpp:
1374         (JSC::JIT::compileWithoutLinking):
1375         (JSC::JIT::privateCompile):
1376         (JSC::JIT::privateCompileExceptionHandlers):
1377         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1378         (JSC::JIT::frameRegisterCountFor):
1379         * jit/JIT.h:
1380         (JSC::JIT::compile):
1381         * jit/JITWorklist.cpp:
1382         (JSC::JITWorklist::Plan::Plan):
1383         (JSC::JITWorklist::Plan::compileInThread):
1384         * runtime/TypeSet.cpp:
1385         (JSC::TypeSet::addTypeInformation):
1386         (JSC::TypeSet::invalidateCache):
1387         * runtime/TypeSet.h:
1388         (JSC::TypeSet::create):
1389         (JSC::TypeSet::isEmpty):
1390         (JSC::TypeSet::seenTypes):
1391         (JSC::TypeSet::structureSet):
1392         * tests/typeProfiler/deltablue-for-of.js: Added.
1393         * tests/typeProfiler/getter-richards.js: Added.
1394
1395 2016-06-22  Keith Miller  <keith_miller@apple.com>
1396
1397         We should have a DFG intrinsic that checks if a value is a TypedArrayView
1398         https://bugs.webkit.org/show_bug.cgi?id=159048
1399
1400         Reviewed by Saam Barati.
1401
1402         This patch adds a new DFG Intrinsic that checks if a value is a TypedArrayView.
1403         The intrinsic, IsTypedArrayView, works in the same way that the other Is<insert-type>
1404         DFG nodes work. Additionally, a new builtin function isTypedArrayView has been added.
1405         These changes are needed to fix regressions in %TypedArray%.prototype.subarray.
1406
1407         * builtins/BuiltinNames.h:
1408         * dfg/DFGAbstractInterpreterInlines.h:
1409         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1410         * dfg/DFGByteCodeParser.cpp:
1411         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1412         * dfg/DFGClobberize.h:
1413         (JSC::DFG::clobberize):
1414         * dfg/DFGDoesGC.cpp:
1415         (JSC::DFG::doesGC):
1416         * dfg/DFGFixupPhase.cpp:
1417         (JSC::DFG::FixupPhase::fixupNode):
1418         * dfg/DFGNodeType.h:
1419         * dfg/DFGPredictionPropagationPhase.cpp:
1420         * dfg/DFGSafeToExecute.h:
1421         (JSC::DFG::safeToExecute):
1422         * dfg/DFGSpeculativeJIT.cpp:
1423         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
1424         * dfg/DFGSpeculativeJIT.h:
1425         * dfg/DFGSpeculativeJIT32_64.cpp:
1426         (JSC::DFG::SpeculativeJIT::compile):
1427         * dfg/DFGSpeculativeJIT64.cpp:
1428         (JSC::DFG::SpeculativeJIT::compile):
1429         * ftl/FTLCapabilities.cpp:
1430         (JSC::FTL::canCompile):
1431         * ftl/FTLLowerDFGToB3.cpp:
1432         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1433         (JSC::FTL::DFG::LowerDFGToB3::compileIsTypedArrayView):
1434         (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
1435         * runtime/Intrinsic.h:
1436         * runtime/JSGlobalObject.cpp:
1437         (JSC::JSGlobalObject::init):
1438         * runtime/JSTypedArrayViewPrototype.cpp:
1439         (JSC::typedArrayViewPrivateFuncIsTypedArrayView):
1440         * runtime/JSTypedArrayViewPrototype.h:
1441         * tests/stress/istypedarrayview-intrinsic.js: Added.
1442         (makeFn):
1443         (typedArrays.forEach):
1444         (let.test):
1445         (test):
1446
1447 2016-06-21  Anders Carlsson  <andersca@apple.com>
1448
1449         Fix build.
1450
1451         * Configurations/FeatureDefines.xcconfig:
1452
1453 2016-06-21  Geoffrey Garen  <ggaren@apple.com>
1454
1455         Options::useImmortalObjects is not safe for conservative GC
1456         https://bugs.webkit.org/show_bug.cgi?id=158999
1457
1458         Reviewed by Geoffrey Garen.
1459
1460         useImmortalObjects set the mark bit to keep an object from being
1461         reallocated. This had the negative side-effect of convincing the
1462         conservative marker that the object was a valid and live cell, which
1463         would cause us to visit garbage.
1464
1465         * heap/Heap.cpp:
1466         (JSC::Heap::didFinishCollection):
1467         (JSC::Heap::resumeCompilerThreads):
1468         (JSC::Heap::setFullActivityCallback):
1469         (JSC::Heap::markDeadObjects): Deleted.
1470         * heap/Heap.h: Don't set the mark bit on a dead object. That's a bug in
1471         a conservative GC.
1472
1473         * heap/MarkedAllocator.cpp:
1474         (JSC::MarkedAllocator::retire): New helper.
1475
1476         (JSC::MarkedAllocator::reset): Automatically retire old blocks when
1477         we're doing the immortal objects thing. This has the effect of
1478         preserving memory for debugging because we never recycle a previously
1479         allocated block.
1480
1481 2016-06-21  Anders Carlsson  <andersca@apple.com>
1482
1483         Begin moving the Apple Pay code to the open source repository
1484         https://bugs.webkit.org/show_bug.cgi?id=158998
1485
1486         Reviewed by Tim Horton.
1487
1488         * Configurations/FeatureDefines.xcconfig:
1489         Add ENABLE_APPLE_PAY.
1490
1491 2016-06-21  Saam Barati  <sbarati@apple.com>
1492
1493         CodeBlock::shrinkToFit is racy
1494         https://bugs.webkit.org/show_bug.cgi?id=158994
1495         <rdar://problem/26920212>
1496
1497         Reviewed by Filip Pizlo.
1498
1499         To see why this is racy, consider the following scenario:
1500         - CodeBlock A is link()ing its baseline compile.
1501         - CodeBlock B is inlining A, and asks A for a result profile in DFGBytecodeParser.
1502         - The race occurs when the link() step of the baseline compile calls shrinkToFit
1503           on its m_resultProfiles field without grabbing a lock. This leads to a bad
1504           time because the DFG compile will be reading from that vector as it's getting
1505           changed by the baseline link() method.
1506
1507         This race has always existed, though the move to a concurrent baseline
1508         JIT has made it more likely to occur. The solution is to have CodeBlock::shrinkToFit
1509         grab its lock before shrinking the vector.
1510
1511         * bytecode/CodeBlock.cpp:
1512         (JSC::CodeBlock::shrinkToFit):
1513
1514 2016-06-21  David Kilzer  <ddkilzer@apple.com>
1515
1516         Migrate testair & testb3 settings from Xcode project to ToolExecutable.xcconfig
1517         <https://webkit.org/b/158989>
1518
1519         Reviewed by Andy Estes.
1520
1521         * Configurations/ToolExecutable.xcconfig:
1522         (CODE_SIGN_ENTITLEMENTS_ios_testair): Add from Xcode project.
1523         * JavaScriptCore.xcodeproj/project.pbxproj:
1524         (CODE_SIGN_ENTITLEMENTS_ios_testair): Move to
1525         ToolExecutable.xcconfig.
1526         (PRODUCT_NAME): Remove.  This variable is already set for both
1527         testair and testb3 since those build configurations use
1528         ToolExecutable.xcconfig as a base.
1529
1530 2016-06-21  Saam Barati  <sbarati@apple.com>
1531
1532         LLInt doesn't throw stack exception overflow from parent frame
1533         https://bugs.webkit.org/show_bug.cgi?id=158962
1534         <rdar://problem/26902188>
1535
1536         Reviewed by Filip Pizlo.
1537
1538         All JIT tiers will throw stack overflow exceptions from the parent frame.
1539         The LLInt, on the other hand, did not use to. I've changed the LLInt to be
1540         consistent with the JITs. The reason I found this bug is because we had a
1541         test that would give different results depending on if the function was compiled
1542         in the baseline or the LLInt. Since Filip recently landed the concurrent baseline
1543         JIT patch, this otherwise deterministic test became dependent on it being compiled
1544         in the LLInt or one of the JIT tiers. I've added a new test that is deterministic
1545         because it runs the test with --useJIT=false.
1546
1547         * llint/LLIntSlowPaths.cpp:
1548         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1549         * tests/stress/llint-stack-overflow-location.js: Added.
1550         (stackTraceDescription):
1551         (foo):
1552         (catch):
1553
1554 2016-06-21  David Kilzer  <ddkilzer@apple.com>
1555
1556         CODE_SIGN_ENTITLEMENTS should be applied to iOS Simulator builds
1557         <https://webkit.org/b/158990>
1558         <rdar://problem/26906273>
1559
1560         Reviewed by Dan Bernstein.
1561
1562         * Configurations/JSC.xcconfig:
1563         (CODE_SIGN_ENTITLEMENTS): Change [sdk=iphoneos*] to
1564         [sdk=iphone*] to apply setting to iOS Simulator as well.
1565         * Configurations/ToolExecutable.xcconfig:
1566         (CODE_SIGN_ENTITLEMENTS): Ditto.
1567
1568 2016-06-21  Keith Miller  <keith_miller@apple.com>
1569
1570         It should be easy to add a private global helper function for builtins
1571         https://bugs.webkit.org/show_bug.cgi?id=158893
1572
1573         Reviewed by Mark Lam.
1574
1575         This patch does two things. First it moves all the builtin names
1576         out of CommonIdentifiers and into BuiltinNames. This means that
1577         adding a new function to the Builtins does not require rebuilding
1578         all of JavaScriptCore. This patch also adds a new decorator to our
1579         builtins @privateGlobal that will automatically put the function
1580         on the global object. The name of the property will be the same as
1581         the private name of the function.
1582
1583         This patch also removes the JSArrayIterator.h/.cpp files
1584         as they no longer appear to be used in any real way. Finally,
1585         the builtins tests have been rebaselined. It appears this has
1586         not been done for a while so the expected files contain other
1587         changes.
1588
1589         * CMakeLists.txt:
1590         * JavaScriptCore.xcodeproj/project.pbxproj:
1591         * Scripts/builtins/builtins_generate_combined_header.py:
1592         (BuiltinsCombinedHeaderGenerator.generate_output):
1593         (generate_section_for_code_name_macro):
1594         (generate_section_for_global_private_code_name_macro):
1595         * Scripts/builtins/builtins_model.py:
1596         (BuiltinFunction.__init__):
1597         (BuiltinFunction.fromString):
1598         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1599         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1600         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1601         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1602         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1603         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1604         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1605         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1606         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1607         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1608         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1609         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1610         * builtins/ArrayIteratorPrototype.js:
1611         * builtins/ArrayPrototype.js:
1612         * builtins/BuiltinNames.h:
1613         * builtins/GeneratorPrototype.js:
1614         * builtins/GlobalObject.js:
1615         * builtins/PromiseOperations.js:
1616         * builtins/RegExpPrototype.js:
1617         * builtins/StringPrototype.js:
1618         * bytecode/BytecodeIntrinsicRegistry.cpp:
1619         * bytecompiler/BytecodeGenerator.cpp:
1620         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1621         (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
1622         (JSC::BytecodeGenerator::emitGetTemplateObject):
1623         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1624         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1625         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1626         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1627         (JSC::BytecodeGenerator::emitGeneratorStateChange):
1628         * bytecompiler/NodesCodegen.cpp:
1629         (JSC::emitHomeObjectForCallee):
1630         (JSC::emitPutHomeObject):
1631         (JSC::FunctionNode::emitBytecode):
1632         * dfg/DFGOperations.cpp:
1633         * inspector/JSInjectedScriptHost.cpp:
1634         (Inspector::JSInjectedScriptHost::subtype):
1635         (Inspector::JSInjectedScriptHost::getInternalProperties): Deleted.
1636         * parser/Lexer.cpp:
1637         (JSC::Lexer<LChar>::parseIdentifier):
1638         (JSC::Lexer<UChar>::parseIdentifier):
1639         * parser/Nodes.h:
1640         * parser/Parser.cpp:
1641         (JSC::Parser<LexerType>::createGeneratorParameters):
1642         (JSC::Parser<LexerType>::parseExportDeclaration):
1643         * runtime/ArrayIteratorPrototype.cpp:
1644         * runtime/ArrayIteratorPrototype.h:
1645         * runtime/ArrayPrototype.cpp:
1646         * runtime/CommonIdentifiers.cpp:
1647         (JSC::CommonIdentifiers::CommonIdentifiers): Deleted.
1648         * runtime/CommonIdentifiers.h:
1649         * runtime/CommonSlowPaths.cpp:
1650         (JSC::SLOW_PATH_DECL):
1651         * runtime/IntlDateTimeFormat.cpp:
1652         * runtime/IntlDateTimeFormatPrototype.cpp:
1653         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1654         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1655         * runtime/IntlNumberFormatPrototype.cpp:
1656         (JSC::IntlNumberFormatPrototypeGetterFormat):
1657         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1658         * runtime/IntlObjectInlines.h:
1659         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1660         * runtime/JSArrayIterator.cpp: Removed.
1661         (JSC::JSArrayIterator::finishCreation): Deleted.
1662         (JSC::JSArrayIterator::kind): Deleted.
1663         (JSC::JSArrayIterator::iteratedValue): Deleted.
1664         * runtime/JSArrayIterator.h: Removed.
1665         (JSC::JSArrayIterator::createStructure): Deleted.
1666         (JSC::JSArrayIterator::create): Deleted.
1667         (JSC::JSArrayIterator::JSArrayIterator): Deleted.
1668         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1669         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1670         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1671         * runtime/JSGlobalObject.cpp:
1672         (JSC::JSGlobalObject::init):
1673         * runtime/JSInternalPromise.cpp:
1674         * runtime/JSInternalPromiseDeferred.cpp:
1675         (JSC::JSInternalPromiseDeferred::create):
1676         * runtime/JSPromise.cpp:
1677         (JSC::JSPromise::finishCreation):
1678         (JSC::JSPromise::result):
1679         * runtime/JSPromiseDeferred.cpp:
1680         (JSC::JSPromiseDeferred::create):
1681         * runtime/JSStringIterator.cpp:
1682         (JSC::JSStringIterator::finishCreation):
1683         (JSC::JSStringIterator::iteratedValue):
1684         (JSC::JSStringIterator::clone):
1685         * runtime/MapPrototype.cpp:
1686         (JSC::MapPrototype::finishCreation):
1687         * runtime/ObjectConstructor.cpp:
1688         (JSC::ObjectConstructor::finishCreation):
1689         * runtime/ReflectObject.cpp:
1690         (JSC::ReflectObject::finishCreation):
1691         * runtime/StringPrototype.cpp:
1692         (JSC::StringPrototype::finishCreation):
1693         * runtime/TypedArrayInlines.h:
1694
1695 2016-06-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1696
1697         [JSC] Use bytecode intrinsic to expose Module's loading status to builtin JS
1698         https://bugs.webkit.org/show_bug.cgi?id=158871
1699
1700         Reviewed by Sam Weinig.
1701
1702         Now JSC has a bytecode intrinsic system. Use it instead of exposing status values through the loader's properties.
1703
1704         * builtins/ModuleLoaderObject.js:
1705         (newRegistryEntry):
1706         (fulfillFetch):
1707         (fulfillTranslate):
1708         (commitInstantiated):
1709         (requestFetch):
1710         (requestTranslate):
1711         (requestInstantiate):
1712         (requestResolveDependencies.):
1713         (requestResolveDependencies):
1714         (requestLink):
1715         (link):
1716         (provide):
1717         * bytecode/BytecodeIntrinsicRegistry.cpp:
1718         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1719         * bytecode/BytecodeIntrinsicRegistry.h:
1720         * runtime/ModuleLoaderObject.cpp:
1721         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1722
1723 2016-06-20  Commit Queue  <commit-queue@webkit.org>
1724
1725         Unreviewed, rolling out r202248.
1726         https://bugs.webkit.org/show_bug.cgi?id=158960
1727
1728         breaks builds on the simulator (Requested by keith_mi_ on
1729         #webkit).
1730
1731         Reverted changeset:
1732
1733         "It should be easy to add a private global helper function for
1734         builtins"
1735         https://bugs.webkit.org/show_bug.cgi?id=158893
1736         http://trac.webkit.org/changeset/202248
1737
1738 2016-06-20  Keith Miller  <keith_miller@apple.com>
1739
1740         It should be easy to add a private global helper function for builtins
1741         https://bugs.webkit.org/show_bug.cgi?id=158893
1742
1743         Reviewed by Mark Lam.
1744
1745         This patch does two things. First it moves all the builtin names
1746         out of CommonIdentifiers and into BuiltinNames. This means that
1747         adding a new function to the Builtins does not require rebuilding
1748         all of JavaScriptCore. This patch also adds a new decorator to our
1749         builtins @privateGlobal that will automatically put the function
1750         on the global object. The name of the property will be the same as
1751         the private name of the function.
1752
1753         This patch also removes the JSArrayIterator.h/.cpp files
1754         as they no longer appear to be used in any real way. Finally,
1755         the builtins tests have been rebaselined. It appears this has
1756         not been done for a while so the expected files contain other
1757         changes.
1758
1759         * CMakeLists.txt:
1760         * JavaScriptCore.xcodeproj/project.pbxproj:
1761         * Scripts/builtins/builtins_generate_combined_header.py:
1762         (BuiltinsCombinedHeaderGenerator.generate_output):
1763         (generate_section_for_code_name_macro):
1764         (generate_section_for_global_private_code_name_macro):
1765         * Scripts/builtins/builtins_model.py:
1766         (BuiltinFunction.__init__):
1767         (BuiltinFunction.fromString):
1768         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1769         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1770         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1771         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1772         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1773         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1774         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1775         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1776         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1777         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1778         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1779         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1780         * builtins/ArrayIteratorPrototype.js:
1781         * builtins/ArrayPrototype.js:
1782         * builtins/BuiltinNames.h:
1783         * builtins/GeneratorPrototype.js:
1784         * builtins/GlobalObject.js:
1785         * builtins/PromiseOperations.js:
1786         * builtins/RegExpPrototype.js:
1787         * builtins/StringPrototype.js:
1788         * bytecode/BytecodeIntrinsicRegistry.cpp:
1789         * bytecompiler/BytecodeGenerator.cpp:
1790         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1791         (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
1792         (JSC::BytecodeGenerator::emitGetTemplateObject):
1793         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1794         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1795         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1796         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1797         (JSC::BytecodeGenerator::emitGeneratorStateChange):
1798         * bytecompiler/NodesCodegen.cpp:
1799         (JSC::emitHomeObjectForCallee):
1800         (JSC::emitPutHomeObject):
1801         (JSC::FunctionNode::emitBytecode):
1802         * dfg/DFGOperations.cpp:
1803         * inspector/JSInjectedScriptHost.cpp:
1804         (Inspector::JSInjectedScriptHost::subtype):
1805         (Inspector::JSInjectedScriptHost::getInternalProperties): Deleted.
1806         * parser/Lexer.cpp:
1807         (JSC::Lexer<LChar>::parseIdentifier):
1808         (JSC::Lexer<UChar>::parseIdentifier):
1809         * parser/Nodes.h:
1810         * parser/Parser.cpp:
1811         (JSC::Parser<LexerType>::createGeneratorParameters):
1812         (JSC::Parser<LexerType>::parseExportDeclaration):
1813         * runtime/ArrayIteratorPrototype.cpp:
1814         * runtime/ArrayIteratorPrototype.h:
1815         * runtime/ArrayPrototype.cpp:
1816         * runtime/CommonIdentifiers.cpp:
1817         (JSC::CommonIdentifiers::CommonIdentifiers): Deleted.
1818         * runtime/CommonIdentifiers.h:
1819         * runtime/CommonSlowPaths.cpp:
1820         (JSC::SLOW_PATH_DECL):
1821         * runtime/IntlDateTimeFormat.cpp:
1822         * runtime/IntlDateTimeFormatPrototype.cpp:
1823         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1824         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1825         * runtime/IntlNumberFormatPrototype.cpp:
1826         (JSC::IntlNumberFormatPrototypeGetterFormat):
1827         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1828         * runtime/IntlObjectInlines.h:
1829         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1830         * runtime/JSArrayIterator.cpp: Removed.
1831         (JSC::JSArrayIterator::finishCreation): Deleted.
1832         (JSC::JSArrayIterator::kind): Deleted.
1833         (JSC::JSArrayIterator::iteratedValue): Deleted.
1834         * runtime/JSArrayIterator.h: Removed.
1835         (JSC::JSArrayIterator::createStructure): Deleted.
1836         (JSC::JSArrayIterator::create): Deleted.
1837         (JSC::JSArrayIterator::JSArrayIterator): Deleted.
1838         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1839         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1840         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1841         * runtime/JSGlobalObject.cpp:
1842         (JSC::JSGlobalObject::init):
1843         * runtime/JSInternalPromise.cpp:
1844         * runtime/JSInternalPromiseDeferred.cpp:
1845         (JSC::JSInternalPromiseDeferred::create):
1846         * runtime/JSPromise.cpp:
1847         (JSC::JSPromise::finishCreation):
1848         (JSC::JSPromise::result):
1849         * runtime/JSPromiseDeferred.cpp:
1850         (JSC::JSPromiseDeferred::create):
1851         * runtime/JSStringIterator.cpp:
1852         (JSC::JSStringIterator::finishCreation):
1853         (JSC::JSStringIterator::iteratedValue):
1854         (JSC::JSStringIterator::clone):
1855         * runtime/MapPrototype.cpp:
1856         (JSC::MapPrototype::finishCreation):
1857         * runtime/ObjectConstructor.cpp:
1858         (JSC::ObjectConstructor::finishCreation):
1859         * runtime/ReflectObject.cpp:
1860         (JSC::ReflectObject::finishCreation):
1861         * runtime/StringPrototype.cpp:
1862         (JSC::StringPrototype::finishCreation):
1863         * runtime/TypedArrayInlines.h:
1864
1865 2016-06-20  Filip Pizlo  <fpizlo@apple.com>
1866
1867         LLInt64 Float64 get_by_val doesn't purify NaN
1868         https://bugs.webkit.org/show_bug.cgi?id=158956
1869
1870         Reviewed by Michael Saboff.
1871
1872         * llint/LowLevelInterpreter64.asm: Fix the bug.
1873         * tests/stress/float64-array-nan-inlined.js: Make this test also run in LLInt-only mode to catch this bug.
1874
1875 2016-06-20  Keith Rollin  <krollin@apple.com>
1876
1877         Remove RefPtr::release() and change calls sites to use WTFMove()
1878         https://bugs.webkit.org/show_bug.cgi?id=158369
1879
1880         Reviewed by Chris Dumez.
1881
1882         RefPtr::release() releases its managed pointer awkwardly. It's more
1883         direct and clearer to use WTFMove to transfer ownership of the managed
1884         pointer.
1885
1886         As part of this cleanup, also change a lot of explicit data types to
1887         'auto'.
1888
1889         * API/JSObjectRef.cpp:
1890         (JSClassCreate):
1891         * API/JSScriptRef.cpp:
1892         * API/JSValueRef.cpp:
1893         (JSValueToStringCopy):
1894         * bytecompiler/StaticPropertyAnalyzer.h:
1895         (JSC::StaticPropertyAnalyzer::newObject):
1896         (JSC::StaticPropertyAnalyzer::mov):
1897         * debugger/DebuggerCallFrame.cpp:
1898         (JSC::DebuggerCallFrame::invalidate):
1899         * dfg/DFGJITCompiler.cpp:
1900         (JSC::DFG::JITCompiler::compile):
1901         (JSC::DFG::JITCompiler::compileFunction):
1902         * inspector/InspectorValues.cpp:
1903         (Inspector::InspectorValue::parseJSON):
1904         * inspector/agents/InspectorAgent.cpp:
1905         (Inspector::InspectorAgent::activateExtraDomain):
1906         (Inspector::InspectorAgent::activateExtraDomains):
1907         * inspector/agents/InspectorDebuggerAgent.cpp:
1908         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
1909         * inspector/remote/RemoteInspector.mm:
1910         (Inspector::RemoteInspector::receivedSetupMessage):
1911         * jit/Repatch.cpp:
1912         (JSC::linkPolymorphicCall):
1913         * runtime/GenericTypedArrayViewInlines.h:
1914         (JSC::GenericTypedArrayView<Adaptor>::create):
1915         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
1916         * runtime/JSArrayBufferConstructor.cpp:
1917         (JSC::constructArrayBuffer):
1918         * runtime/PropertyNameArray.h:
1919         (JSC::PropertyNameArray::releaseData):
1920         * runtime/Structure.cpp:
1921         (JSC::Structure::toStructureShape):
1922         * runtime/TypeSet.cpp:
1923         (JSC::StructureShape::merge):
1924         * tools/FunctionOverrides.cpp:
1925         (JSC::initializeOverrideInfo):
1926
1927 2016-06-20  Joseph Pecoraro  <pecoraro@apple.com>
1928
1929         Web Inspector: console.profile should use the new Sampling Profiler
1930         https://bugs.webkit.org/show_bug.cgi?id=153499
1931         <rdar://problem/24352431>
1932
1933         Reviewed by Timothy Hatcher.
1934
1935         Currently console.profile/profileEnd behave slightly differently
1936         between JSContext and Web inspection. Unifying will be part of:
1937         <https://webkit.org/b/158753> Generalize the concept of Instruments on the backend
1938
1939         Both JSContext and Web inspection keep track of active
1940         profiles started and stopped via console.profile/profileEnd.
1941
1942         JSContext inspection sends its programmatic start/stop
1943         via the ScriptProfiler domain.
1944
1945         Web inspection sends its programmatic start/stop
1946         via the Timeline domain, and also will start/stop the backend
1947         list of Instruments.
1948
1949         The functional difference between these is that for JSContext
1950         inspection, console.profile only starts/stops the ScriptProfiler
1951         domain, and does not auto-start other instruments. This isn't really
1952         a problem right now given the instruments available for JSContext
1953         inspection; but it will be nice to unify as we add more instruments.
1954         Also, JSContext inspection won't have "Profile (name)" records in
1955         its Events view, since those are currently generated only by the
1956         Web's Timeline domain.
1957
1958         * inspector/protocol/ScriptProfiler.json:
1959         * inspector/protocol/Timeline.json:
1960         Events to inform the frontend of programmatic start/stop.
1961
1962         * debugger/Debugger.h:
1963         * inspector/agents/InspectorDebuggerAgent.cpp:
1964         (Inspector::InspectorDebuggerAgent::breakpointsActive):
1965         (Inspector::InspectorDebuggerAgent::isPaused):
1966         * inspector/agents/InspectorDebuggerAgent.h:
1967         Expose breakpoints active state, since programmatic recording
1968         will temporarily disable breakpoints if needed.
1969
1970         * inspector/JSGlobalObjectConsoleClient.cpp:
1971         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
1972         (Inspector::JSGlobalObjectConsoleClient::profile):
1973         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1974         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
1975         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
1976         * inspector/JSGlobalObjectConsoleClient.h:
1977         * inspector/JSGlobalObjectInspectorController.cpp:
1978         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1979         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1980         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted):
1981         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped):
1982         * inspector/agents/InspectorScriptProfilerAgent.h:
1983         JSContext implementation of console.profile/profileEnd.
1984
1985 2016-06-19  Saam Barati  <sbarati@apple.com>
1986
1987         We should be able to generate more types of ICs inline
1988         https://bugs.webkit.org/show_bug.cgi?id=158719
1989         <rdar://problem/26825641>
1990
1991         Reviewed by Filip Pizlo.
1992
1993         This patch changes how we emit code for *byId ICs inline.
1994         We no longer keep data labels to patch structure checks, etc.
1995         Instead, we just regenerate the entire IC into a designated
1996         region of code that the Baseline/DFG/FTL JIT will emit inline.
1997         This makes it much simpler to patch inline ICs. All that's
1998         needed to patch an inline IC is to memcpy the code from
1999         a macro assembler inline using LinkBuffer. This architecture
2000         will be easy to extend into other forms of ICs, such as one
2001         for add, in the future.
2002
2003         To support this change, I've reworked the fields inside
2004         StructureStubInfo. It now has one field that is the CodeLocationLabel 
2005         of the start of the inline IC. Then it has a few ints that track deltas
2006         to other locations in the IC such as the slow path start, slow path call, the
2007         IC's 'done' location. We used to perform math on these ints in a bunch of different
2008         places. I've consolidated that math into methods inside StructureStubInfo.
2009
2010         To generate inline ICs, I've implemented a new class called InlineAccess.
2011         InlineAccess is stateless: it just has a bunch of static methods for
2012         generating code into the inline region specified by StructureStubInfo.
2013         Repatch will now decide when it wants to generate such an inline
2014         IC, and it will ask InlineAccess to do so.
2015
2016         I've implemented three types of inline ICs to begin with (extending
2017         this in the future should be easy):
2018         - Self property loads (both inline and out of line offsets).
2019         - Self property replace (both inline and out of line offsets).
2020         - Array length on specific array types.
2021         (An easy extension would be to implement JSString length.)
2022
2023         To know how much inline space to reserve, I've implemented a
2024         method that stubs out the various inline cache shapes and 
2025         dumps their size. This is used to determine how much space
2026         to save inline. When InlineAccess ends up generating more
2027         code than can fit inline, we will fall back to generating
2028         code with PolymorphicAccess instead.
2029
2030         To make generating code into already allocated executable memory
2031         efficient, I've made AssemblerData have 128 bytes of inline storage.
2032         This saves us a malloc when splatting code into the inline region.
2033
2034         This patch also tidies up LinkBuffer's API for generating
2035         into already allocated executable memory. Now, when generating
2036         code that has less size than the already allocated space, LinkBuffer
2037         will fill the extra space with nops. Also, if branch compaction shrinks
2038         the code, LinkBuffer will add a nop sled at the end of the shrunken
2039         code to take up the entire allocated size.
2040
2041         This looks like it could be a 1% Octane progression.
2042
2043         * CMakeLists.txt:
2044         * JavaScriptCore.xcodeproj/project.pbxproj:
2045         * assembler/ARM64Assembler.h:
2046         (JSC::ARM64Assembler::nop):
2047         (JSC::ARM64Assembler::fillNops):
2048         * assembler/ARMv7Assembler.h:
2049         (JSC::ARMv7Assembler::nopw):
2050         (JSC::ARMv7Assembler::nopPseudo16):
2051         (JSC::ARMv7Assembler::nopPseudo32):
2052         (JSC::ARMv7Assembler::fillNops):
2053         (JSC::ARMv7Assembler::dmbSY):
2054         * assembler/AbstractMacroAssembler.h:
2055         (JSC::AbstractMacroAssembler::addLinkTask):
2056         (JSC::AbstractMacroAssembler::emitNops):
2057         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2058         * assembler/AssemblerBuffer.h:
2059         (JSC::AssemblerData::AssemblerData):
2060         (JSC::AssemblerData::operator=):
2061         (JSC::AssemblerData::~AssemblerData):
2062         (JSC::AssemblerData::buffer):
2063         (JSC::AssemblerData::grow):
2064         (JSC::AssemblerData::isInlineBuffer):
2065         (JSC::AssemblerBuffer::AssemblerBuffer):
2066         (JSC::AssemblerBuffer::ensureSpace):
2067         (JSC::AssemblerBuffer::codeSize):
2068         (JSC::AssemblerBuffer::setCodeSize):
2069         (JSC::AssemblerBuffer::label):
2070         (JSC::AssemblerBuffer::debugOffset):
2071         (JSC::AssemblerBuffer::releaseAssemblerData):
2072         * assembler/LinkBuffer.cpp:
2073         (JSC::LinkBuffer::copyCompactAndLinkCode):
2074         (JSC::LinkBuffer::linkCode):
2075         (JSC::LinkBuffer::allocate):
2076         (JSC::LinkBuffer::performFinalization):
2077         (JSC::LinkBuffer::shrink): Deleted.
2078         * assembler/LinkBuffer.h:
2079         (JSC::LinkBuffer::LinkBuffer):
2080         (JSC::LinkBuffer::debugAddress):
2081         (JSC::LinkBuffer::size):
2082         (JSC::LinkBuffer::wasAlreadyDisassembled):
2083         (JSC::LinkBuffer::didAlreadyDisassemble):
2084         (JSC::LinkBuffer::applyOffset):
2085         (JSC::LinkBuffer::code):
2086         * assembler/MacroAssemblerARM64.h:
2087         (JSC::MacroAssemblerARM64::patchableBranch32):
2088         (JSC::MacroAssemblerARM64::patchableBranch64):
2089         * assembler/MacroAssemblerARMv7.h:
2090         (JSC::MacroAssemblerARMv7::patchableBranch32):
2091         (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
2092         * assembler/X86Assembler.h:
2093         (JSC::X86Assembler::nop):
2094         (JSC::X86Assembler::fillNops):
2095         * bytecode/CodeBlock.cpp:
2096         (JSC::CodeBlock::printGetByIdCacheStatus):
2097         * bytecode/InlineAccess.cpp: Added.
2098         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2099         (JSC::linkCodeInline):
2100         (JSC::InlineAccess::generateSelfPropertyAccess):
2101         (JSC::getScratchRegister):
2102         (JSC::hasFreeRegister):
2103         (JSC::InlineAccess::canGenerateSelfPropertyReplace):
2104         (JSC::InlineAccess::generateSelfPropertyReplace):
2105         (JSC::InlineAccess::isCacheableArrayLength):
2106         (JSC::InlineAccess::generateArrayLength):
2107         (JSC::InlineAccess::rewireStubAsJump):
2108         * bytecode/InlineAccess.h: Added.
2109         (JSC::InlineAccess::sizeForPropertyAccess):
2110         (JSC::InlineAccess::sizeForPropertyReplace):
2111         (JSC::InlineAccess::sizeForLengthAccess):
2112         * bytecode/PolymorphicAccess.cpp:
2113         (JSC::PolymorphicAccess::regenerate):
2114         * bytecode/StructureStubInfo.cpp:
2115         (JSC::StructureStubInfo::initGetByIdSelf):
2116         (JSC::StructureStubInfo::initArrayLength):
2117         (JSC::StructureStubInfo::initPutByIdReplace):
2118         (JSC::StructureStubInfo::deref):
2119         (JSC::StructureStubInfo::aboutToDie):
2120         (JSC::StructureStubInfo::propagateTransitions):
2121         (JSC::StructureStubInfo::containsPC):
2122         * bytecode/StructureStubInfo.h:
2123         (JSC::StructureStubInfo::considerCaching):
2124         (JSC::StructureStubInfo::slowPathCallLocation):
2125         (JSC::StructureStubInfo::doneLocation):
2126         (JSC::StructureStubInfo::slowPathStartLocation):
2127         (JSC::StructureStubInfo::patchableJumpForIn):
2128         (JSC::StructureStubInfo::valueRegs):
2129         * dfg/DFGJITCompiler.cpp:
2130         (JSC::DFG::JITCompiler::link):
2131         * dfg/DFGOSRExitCompilerCommon.cpp:
2132         (JSC::DFG::reifyInlinedCallFrames):
2133         * dfg/DFGSpeculativeJIT32_64.cpp:
2134         (JSC::DFG::SpeculativeJIT::cachedGetById):
2135         * dfg/DFGSpeculativeJIT64.cpp:
2136         (JSC::DFG::SpeculativeJIT::cachedGetById):
2137         * ftl/FTLLowerDFGToB3.cpp:
2138         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2139         (JSC::FTL::DFG::LowerDFGToB3::getById):
2140         * jit/JITInlineCacheGenerator.cpp:
2141         (JSC::JITByIdGenerator::finalize):
2142         (JSC::JITByIdGenerator::generateFastCommon):
2143         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2144         (JSC::JITGetByIdGenerator::generateFastPath):
2145         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2146         (JSC::JITPutByIdGenerator::generateFastPath):
2147         (JSC::JITPutByIdGenerator::slowPathFunction):
2148         (JSC::JITByIdGenerator::generateFastPathChecks): Deleted.
2149         * jit/JITInlineCacheGenerator.h:
2150         (JSC::JITByIdGenerator::reportSlowPathCall):
2151         (JSC::JITByIdGenerator::slowPathBegin):
2152         (JSC::JITByIdGenerator::slowPathJump):
2153         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2154         * jit/JITPropertyAccess.cpp:
2155         (JSC::JIT::emitGetByValWithCachedId):
2156         (JSC::JIT::emit_op_try_get_by_id):
2157         (JSC::JIT::emit_op_get_by_id):
2158         * jit/JITPropertyAccess32_64.cpp:
2159         (JSC::JIT::emitGetByValWithCachedId):
2160         (JSC::JIT::emit_op_try_get_by_id):
2161         (JSC::JIT::emit_op_get_by_id):
2162         * jit/Repatch.cpp:
2163         (JSC::repatchCall):
2164         (JSC::tryCacheGetByID):
2165         (JSC::repatchGetByID):
2166         (JSC::appropriateGenericPutByIdFunction):
2167         (JSC::tryCachePutByID):
2168         (JSC::repatchPutByID):
2169         (JSC::tryRepatchIn):
2170         (JSC::repatchIn):
2171         (JSC::linkSlowFor):
2172         (JSC::resetGetByID):
2173         (JSC::resetPutByID):
2174         (JSC::resetIn):
2175         (JSC::repatchByIdSelfAccess): Deleted.
2176         (JSC::resetGetByIDCheckAndLoad): Deleted.
2177         (JSC::resetPutByIDCheckAndLoad): Deleted.
2178         (JSC::replaceWithJump): Deleted.
2179
2180 2016-06-19  Filip Pizlo  <fpizlo@apple.com>
2181
2182         REGRESSION(concurrent baseline JIT): Kraken/ai-astar runs 20% slower
2183         https://bugs.webkit.org/show_bug.cgi?id=158906
2184
2185         Reviewed by Benjamin Poulain.
2186         
2187         The concurrent baseline JIT was a 2-3% progression on JSBench, possibly a 1% progression
2188         on PLT3, but a 2-5% regression on Kraken. This patch fixes the Kraken regression without
2189         affecting the other tests.
2190         
2191         The problem is that Kraken/ai-astar's initialization code had a ginormous piece of init
2192         code that took about 16ms to compile in baseline. There's no good way to avoid letting it
2193         tier-up into baseline since it has a compute loop. The time it takes to run this code is
2194         never measured. The concurrent baseline JIT caused us to schedule the compilation of this
2195         huge code rather than doing it eagerly. This meant that after initialization was done and
2196         we started actually running real stuff, all of the real stuff's compiles would be convoyed
2197         behind this super-expensive baseline compile. Note that DFG and FTL compiles convoy behind
2198         baseline compiles, since you can't schedule a DFG compile for a code block until that code
2199         block is in baseline.
2200         
2201         This uses the simplest fix: if we are thinking about scheduling some compile and the
2202         thread is busy, do the compile on the main thread instead. This doesn't completely
2203         eliminate the ai-astar regression (we still have a 4% regression on that test) but it now
2204         results in concurrent baseline JIT being an overall progression on Kraken as a whole (1%
2205         on my machine). This is because concurrent baseline appears to help on other tests.
2206
2207         In the future, we could fix this even better by allowing the JITWorklist to spawn more
2208         threads or by being smarter about baseline compilation. I think it's nasty that if a giant
2209         piece of initialization code ends in a compute loop, we compile all of the code instead of
2210         just the loop. It's also gross that a constant-like object creation expression will result
2211         in so much code. It would result in less code if we allowed ourselves to do a bit more
2212         static reasoning about object literals.
2213         
2214         But for now, I think that this is a great way to recover the Kraken regression while still
2215         keeping the other progressions from concurrent baseline.
2216
2217         * jit/JITWorklist.cpp:
2218         (JSC::JITWorklist::Plan::Plan):
2219         (JSC::JITWorklist::Plan::compileInThread):
2220         (JSC::JITWorklist::Plan::finalize):
2221         (JSC::JITWorklist::Plan::codeBlock):
2222         (JSC::JITWorklist::Plan::isFinishedCompiling):
2223         (JSC::JITWorklist::Plan::compileNow):
2224         (JSC::JITWorklist::JITWorklist):
2225         (JSC::JITWorklist::compileLater):
2226         (JSC::JITWorklist::compileNow):
2227         (JSC::JITWorklist::runThread):
2228         (JSC::JITWorklist::Plan::isFinalized): Deleted.
2229         * jit/JITWorklist.h:
2230
2231 2016-06-17  Commit Queue  <commit-queue@webkit.org>
2232
2233         Unreviewed, rolling out r202152.
2234         https://bugs.webkit.org/show_bug.cgi?id=158897
2235
2236         The new test is very unstable, timing out frequently
2237         (Requested by ap on #webkit).
2238
2239         Reverted changeset:
2240
2241         "Web Inspector: console.profile should use the new Sampling
2242         Profiler"
2243         https://bugs.webkit.org/show_bug.cgi?id=153499
2244         http://trac.webkit.org/changeset/202152
2245
2246 2016-06-14  Filip Pizlo  <fpizlo@apple.com>
2247
2248         Baseline JIT should be concurrent
2249         https://bugs.webkit.org/show_bug.cgi?id=158755
2250
2251         Reviewed by Geoffrey Garen.
2252         
2253         This makes the baseline JIT concurrent. We want it to be concurrent because it takes up
2254         about 1% of PLT3 and 10% of JSBench (though the JSBench number might be down from recent
2255         optimizations).
2256         
2257         The idea is really simple: I separated the compile and link phases of JIT::privateCompile(),
2258         and arranged to call the compile phase from another thread. This doesn't reuse the old
2259         DFG::Worklist code, because that code does things we don't need (like compilation plan
2260         cancellation to allow GC to interleave with compilations) and is structured in a way that
2261         would have required more changes to the baseline JIT. Also, I think that code uses the wrong
2262         API, and as a result, clients of that API have a bad time. For example, it's never clear who
2263         has the responsibility of setting the JIT thresholds and the DFG::Worklist goes to great
2264         lengths to try to help its client set those things correctly, but since it doesn't set them
2265         directly, the client then has to have additional complex logic to combine what it learned
2266         from the Worklist and what it knows to set the thresholds. This patch takes a simpler
2267         approach: the JITWorklist takes complete control over scheduling compilations. It's like a
2268         combination of DFG::Worklist and operationOptimize().
2269         
2270         Because the baseline JIT runs quickly, we can take some shortcuts. The JITWorklist requires
2271         that all of its plans complete before a GC begins. This ensures that we don't have to worry
2272         about interactions between the concurrent baseline JIT and the GC.
2273         
2274         I needed to do a bunch of minor changes to the JIT to handle the races that emerged. For
2275         example, I needed to do things to opcodes that read profiling both in the main path code
2276         generator and the slow path one. One trick I used was to create a copy of the instruction
2277         stream and provide that for anyone interested in the original value of the profiles. Most
2278         code still uses the CodeBlock's instruction stream because it may emit JIT code that points
2279         at the stream.
2280         
2281         This also fixes a LLInt bug in prototype caching. This bug was revealed by this change
2282         because more of our LayoutTests now run in LLInt.
2283         
2284         This looks like it might be a ~1% Octane speed-up (on command line) and a ~0.7% PLT3
2285         speed-up. This also looks like a ~2% JSBench speed-up.
2286
2287         * CMakeLists.txt:
2288         * JavaScriptCore.xcodeproj/project.pbxproj:
2289         * debugger/Debugger.cpp:
2290         (JSC::Debugger::setSteppingMode):
2291         (JSC::Debugger::toggleBreakpoint):
2292         (JSC::Debugger::clearBreakpoints):
2293         (JSC::Debugger::clearDebuggerRequests):
2294         * dfg/DFGOSRExitPreparation.cpp:
2295         (JSC::DFG::prepareCodeOriginForOSRExit):
2296         * heap/Heap.cpp:
2297         (JSC::Heap::didFinishIterating):
2298         (JSC::Heap::completeAllJITPlans):
2299         (JSC::Heap::deleteAllCodeBlocks):
2300         (JSC::Heap::collectImpl):
2301         (JSC::Heap::completeAllDFGPlans): Deleted.
2302         * heap/Heap.h:
2303         * heap/HeapInlines.h:
2304         (JSC::Heap::forEachCodeBlock):
2305         * jit/JIT.cpp:
2306         (JSC::JIT::emitNotifyWrite):
2307         (JSC::JIT::privateCompileMainPass):
2308         (JSC::JIT::privateCompileSlowCases):
2309         (JSC::JIT::compileWithoutLinking):
2310         (JSC::JIT::link):
2311         (JSC::JIT::privateCompile):
2312         (JSC::JIT::privateCompileExceptionHandlers):
2313         * jit/JIT.h:
2314         (JSC::JIT::compile):
2315         (JSC::JIT::getSlowCase):
2316         (JSC::JIT::linkSlowCase):
2317         (JSC::JIT::linkDummySlowCase):
2318         * jit/JITInlines.h:
2319         (JSC::JIT::emitTagBool):
2320         (JSC::JIT::originalInstruction):
2321         * jit/JITPropertyAccess32_64.cpp:
2322         (JSC::JIT::emitSlow_op_put_to_scope):
2323         * jit/JITPropertyAccess.cpp:
2324         (JSC::JIT::emitSlow_op_put_by_val):
2325         (JSC::JIT::emit_op_resolve_scope):
2326         (JSC::JIT::emitSlow_op_resolve_scope):
2327         (JSC::JIT::emit_op_get_from_scope):
2328         (JSC::JIT::emitSlow_op_get_from_scope):
2329         (JSC::JIT::emit_op_put_to_scope):
2330         (JSC::JIT::emitSlow_op_put_to_scope):
2331         * jit/JITWorklist.cpp: Added.
2332         (JSC::JITWorklist::Plan::Plan):
2333         (JSC::JITWorklist::Plan::compileInThread):
2334         (JSC::JITWorklist::Plan::finalize):
2335         (JSC::JITWorklist::Plan::codeBlock):
2336         (JSC::JITWorklist::Plan::vm):
2337         (JSC::JITWorklist::Plan::isFinishedCompiling):
2338         (JSC::JITWorklist::Plan::isFinalized):
2339         (JSC::JITWorklist::JITWorklist):
2340         (JSC::JITWorklist::~JITWorklist):
2341         (JSC::JITWorklist::completeAllForVM):
2342         (JSC::JITWorklist::poll):
2343         (JSC::JITWorklist::compileLater):
2344         (JSC::JITWorklist::compileNow):
2345         (JSC::JITWorklist::runThread):
2346         (JSC::JITWorklist::finalizePlans):
2347         (JSC::JITWorklist::instance):
2348         * jit/JITWorklist.h: Added.
2349         * llint/LLIntSlowPaths.cpp:
2350         (JSC::LLInt::jitCompileAndSetHeuristics):
2351         * runtime/CommonSlowPaths.cpp:
2352         (JSC::SLOW_PATH_DECL):
2353         * runtime/CommonSlowPaths.h:
2354         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2355         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2356         * runtime/VM.cpp:
2357         (JSC::VM::~VM):
2358
2359 2016-06-16  Joseph Pecoraro  <pecoraro@apple.com>
2360
2361         Web Inspector: console.profile should use the new Sampling Profiler
2362         https://bugs.webkit.org/show_bug.cgi?id=153499
2363         <rdar://problem/24352431>
2364
2365         Reviewed by Timothy Hatcher.
2366
2367         Currently console.profile/profileEnd behave slightly differently
2368         between JSContext and Web inspection. Unifying will be part of:
2369         <https://webkit.org/b/158753> Generalize the concept of Instruments on the backend
2370
2371         Both JSContext and Web inspection keep track of active
2372         profiles started and stopped via console.profile/profileEnd.
2373
2374         JSContext inspection sends its programmatic start/stop
2375         via the ScriptProfiler domain.
2376
2377         Web inspection sends its programmatic start/stop
2378         via the Timeline domain, and will also start/stop the backend
2379         list of Instruments.
2380
2381         The functional difference between these is that for JSContext
2382         inspection, console.profile only starts/stops the ScriptProfiler
2383         domain, and does not auto-start other instruments. This isn't really
2384         a problem right now given the instruments available for JSContext
2385         inspection; but it will be nice to unify as we add more instruments.
2386         Also, JSContext inspection won't have "Profile (name)" records in
2387         its Events view, since those are currently generated only by the
2388         Web's Timeline domain.
2389
2390         * inspector/protocol/ScriptProfiler.json:
2391         * inspector/protocol/Timeline.json:
2392         Events to inform the frontend of programmatic start/stop.
2393
2394         * debugger/Debugger.h:
2395         * inspector/agents/InspectorDebuggerAgent.cpp:
2396         (Inspector::InspectorDebuggerAgent::breakpointsActive):
2397         (Inspector::InspectorDebuggerAgent::isPaused):
2398         * inspector/agents/InspectorDebuggerAgent.h:
2399         Expose breakpoints active state, since programmatic recording
2400         will temporarily disable breakpoints if needed.
2401
2402         * inspector/JSGlobalObjectConsoleClient.cpp:
2403         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
2404         (Inspector::JSGlobalObjectConsoleClient::profile):
2405         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
2406         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2407         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2408         * inspector/JSGlobalObjectConsoleClient.h:
2409         * inspector/JSGlobalObjectInspectorController.cpp:
2410         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2411         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2412         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted):
2413         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped):
2414         * inspector/agents/InspectorScriptProfilerAgent.h:
2415         JSContext implementation of console.profile/profileEnd.
2416
2417 2016-06-16  Filip Pizlo  <fpizlo@apple.com>
2418
2419         Kraken/stanford-crypto-pbkdf2.js sometimes crashes with an OSR assertion in FTL
2420         https://bugs.webkit.org/show_bug.cgi?id=158850
2421
2422         Reviewed by Keith Miller.
2423         
2424         Bytecode liveness was incorrectly claiming that all tail-deleted locals are live! That's
2425         crazy! We never noticed this because extending OSR liveness is usually not a showstopper and
2426         until recently we didn't have a lot of tail-call test cases to play with. Well, we do now,
2427         thanks to the increasing reliance on tail calls in our builtins.
2428
2429         * dfg/DFGGraph.cpp:
2430         (JSC::DFG::Graph::localsLiveInBytecode): Fix the bug and add some optional tracing. Also restructure the code so that we don't break to return true, since that's counterintuitive.
2431         * ftl/FTLLowerDFGToB3.cpp:
2432         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): Make this assertion print more useful information.
2433
2434 2016-06-16  Mark Lam  <mark.lam@apple.com>
2435
2436         Add collecting of LLINT slow path stats.
2437         https://bugs.webkit.org/show_bug.cgi?id=158829
2438
2439         Reviewed by Keith Miller.
2440
2441         * llint/LLIntData.cpp:
2442         (JSC::LLInt::Data::dumpStats):
2443         * llint/LLIntData.h:
2444         * llint/LLIntSlowPaths.cpp:
2445         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2446         * llint/LLIntSlowPaths.h:
2447         * llint/LowLevelInterpreter.asm:
2448         * llint/LowLevelInterpreter32_64.asm:
2449         * llint/LowLevelInterpreter64.asm:
2450
2451 2016-06-15  Keith Miller  <keith_miller@apple.com>
2452
2453         Add support for Symbol.isConcatSpreadable (round 2)
2454         https://bugs.webkit.org/show_bug.cgi?id=158769
2455
2456         Reviewed by Mark Lam.
2457
2458         This patch adds support for Symbol.isConcatSpreadable. In order to
2459         do so, it was necessary to move the Array.prototype.concat function
2460         to JS. A number of different optimizations were needed to make
2461         the move to a builtin performant. First, this patch adds a
2462         new Bytecode intrinsic, isJSArray, that checks if the value is a
2463         JSArray object. Specifically, isJSArray checks that the array
2464         object is a normal instance of JSArray and not a RuntimeArray or
2465         Array.prototype. isJSArray can also be converted into a constant
2466         by the DFG if we are able to prove that the incoming value is
2467         already a JSArray.
2468
2469         In order to further improve the performance we also now cover more
2470         indexing types in our fast path memcpy code. Before we would only
2471         memcpy Arrays if they had the same indexing type and did not have
2472         Array storage or were undecided. Now the memcpy code covers the
2473         following additional three cases:
2474
2475         1) One array is undecided and the other does not have array storage
2476
2477         2) One array is Int32 and the other is contiguous (we map this
2478         into a contiguous array).
2479
2480         3) The this value is an array and the first argument is a non-array
2481         that does not have Symbol.isConcatSpreadable set.
2482
2483         This patch also adds a new fast path for concat with more than one
2484         array argument by using memcpy to append values onto the result
2485         array. This works roughly the same as the two array fast path
2486         using the same methodology to decide if we can memcpy the other
2487         butterfly into the result butterfly.
2488
2489         * JavaScriptCore.xcodeproj/project.pbxproj:
2490         * builtins/ArrayPrototype.js:
2491         (concatSlowPath):
2492         (concat):
2493         * bytecode/BytecodeIntrinsicRegistry.cpp:
2494         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2495         * bytecode/BytecodeIntrinsicRegistry.h:
2496         * bytecode/BytecodeList.json:
2497         * bytecode/BytecodeUseDef.h:
2498         (JSC::computeUsesForBytecodeOffset):
2499         (JSC::computeDefsForBytecodeOffset):
2500         * bytecode/CodeBlock.cpp:
2501         (JSC::CodeBlock::dumpBytecode):
2502         * bytecompiler/BytecodeGenerator.h:
2503         (JSC::BytecodeGenerator::emitIsJSArray):
2504         * bytecompiler/NodesCodegen.cpp:
2505         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
2506         * dfg/DFGAbstractInterpreterInlines.h:
2507         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2508         * dfg/DFGByteCodeParser.cpp:
2509         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2510         (JSC::DFG::ByteCodeParser::parseBlock):
2511         * dfg/DFGCapabilities.cpp:
2512         (JSC::DFG::capabilityLevel):
2513         * dfg/DFGClobberize.h:
2514         (JSC::DFG::clobberize):
2515         * dfg/DFGDoesGC.cpp:
2516         (JSC::DFG::doesGC):
2517         * dfg/DFGFixupPhase.cpp:
2518         (JSC::DFG::FixupPhase::fixupNode):
2519         * dfg/DFGNodeType.h:
2520         * dfg/DFGOperations.cpp:
2521         * dfg/DFGOperations.h:
2522         * dfg/DFGPredictionPropagationPhase.cpp:
2523         * dfg/DFGSafeToExecute.h:
2524         (JSC::DFG::safeToExecute):
2525         * dfg/DFGSpeculativeJIT.cpp:
2526         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2527         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
2528         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
2529         * dfg/DFGSpeculativeJIT.h:
2530         (JSC::DFG::SpeculativeJIT::callOperation):
2531         * dfg/DFGSpeculativeJIT32_64.cpp:
2532         (JSC::DFG::SpeculativeJIT::compile):
2533         * dfg/DFGSpeculativeJIT64.cpp:
2534         (JSC::DFG::SpeculativeJIT::compile):
2535         * ftl/FTLCapabilities.cpp:
2536         (JSC::FTL::canCompile):
2537         * ftl/FTLLowerDFGToB3.cpp:
2538         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2539         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
2540         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
2541         (JSC::FTL::DFG::LowerDFGToB3::isArray):
2542         * jit/JIT.cpp:
2543         (JSC::JIT::privateCompileMainPass):
2544         * jit/JIT.h:
2545         * jit/JITOpcodes.cpp:
2546         (JSC::JIT::emit_op_is_jsarray):
2547         * jit/JITOpcodes32_64.cpp:
2548         (JSC::JIT::emit_op_is_jsarray):
2549         * jit/JITOperations.h:
2550         * llint/LLIntData.cpp:
2551         (JSC::LLInt::Data::performAssertions):
2552         * llint/LowLevelInterpreter.asm:
2553         * llint/LowLevelInterpreter32_64.asm:
2554         * llint/LowLevelInterpreter64.asm:
2555         * runtime/ArrayConstructor.h:
2556         (JSC::isArrayConstructor):
2557         * runtime/ArrayPrototype.cpp:
2558         (JSC::ArrayPrototype::finishCreation):
2559         (JSC::speciesWatchpointsValid):
2560         (JSC::speciesConstructArray):
2561         (JSC::moveElements):
2562         (JSC::concatAppendOne):
2563         (JSC::arrayProtoFuncConcat): Deleted.
2564         * runtime/ArrayPrototype.h:
2565         * runtime/CommonIdentifiers.h:
2566         * runtime/CommonSlowPaths.cpp:
2567         (JSC::SLOW_PATH_DECL):
2568         * runtime/IndexingType.h:
2569         (JSC::indexingTypeForValue):
2570         * runtime/JSArray.cpp:
2571         (JSC::JSArray::appendMemcpy):
2572         (JSC::JSArray::fastConcatWith): Deleted.
2573         * runtime/JSArray.h:
2574         (JSC::JSArray::createStructure):
2575         (JSC::isJSArray):
2576         (JSC::JSArray::fastConcatType): Deleted.
2577         * runtime/JSArrayInlines.h: Added.
2578         (JSC::JSArray::mergeIndexingTypeForCopying):
2579         (JSC::JSArray::canFastCopy):
2580         * runtime/JSGlobalObject.cpp:
2581         (JSC::JSGlobalObject::init):
2582         * runtime/JSObject.cpp:
2583         (JSC::JSObject::convertUndecidedForValue):
2584         * runtime/JSType.h:
2585         * runtime/ObjectConstructor.h:
2586         (JSC::constructObject):
2587         * tests/es6.yaml:
2588         * tests/stress/array-concat-spread-object.js: Added.
2589         (arrayEq):
2590         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
2591         (arrayEq):
2592         * tests/stress/array-concat-spread-proxy.js: Added.
2593         (arrayEq):
2594         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
2595         (arrayEq):
2596         * tests/stress/array-species-config-array-constructor.js:
2597
2598 2016-06-15  Mark Lam  <mark.lam@apple.com>
2599
2600         Assertion failure when returning incomplete property descriptor from proxy trap.
2601         https://bugs.webkit.org/show_bug.cgi?id=157078
2602
2603         Reviewed by Saam Barati.
2604
2605         If the proxy returns a descriptor that expects a value but does not specify one,
2606         we should use undefined for the value.
2607
2608         * runtime/ProxyObject.cpp:
2609         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2610         * tests/stress/proxy-returning-incomplete-property-descriptor.js: Added.
2611         (truthiness):
2612         (compare):
2613         (shouldBe):
2614         (test):
2615         (get test):
2616
2617 2016-06-15  Keith Miller  <keith_miller@apple.com>
2618
2619         Unreviewed, fix typo in test and move tests to the correct files.
2620
2621         * tests/stress/multi-get-by-offset-proto-or-unset.js:
2622         * tests/stress/multi-get-by-offset-proto-self-or-unset.js:
2623
2624 2016-06-15  Keith Miller  <keith_miller@apple.com>
2625
2626         DFGByteCodeParser should be able to infer the value of unset properties in MultiGetByOffset
2627         https://bugs.webkit.org/show_bug.cgi?id=158802
2628
2629         Reviewed by Filip Pizlo.
2630
2631         This patch adds support for unset properties in MultiGetByOffset. Since MultiGetByOffset
2632         already supports constant values this patch just adds a constant case where the fetched
2633         value is undefined. Fortunately (or unfortunately) we don't support object allocation
2634         sinking for constant cases of MultiGetByOffset, which means we don't need to adjust any
2635         in that phase.
2636
2637         * dfg/DFGByteCodeParser.cpp:
2638         (JSC::DFG::ByteCodeParser::planLoad):
2639         (JSC::DFG::ByteCodeParser::handleGetById):
2640         * dfg/DFGMultiGetByOffsetData.h:
2641         * tests/stress/multi-get-by-offset-proto-or-unset.js: Added.
2642         (foo):
2643         * tests/stress/multi-get-by-offset-proto-self-or-unset.js: Added.
2644         (foo):
2645         * tests/stress/multi-get-by-offset-self-or-unset.js: Added.
2646         (foo):
2647
2648 2016-06-15  Chris Dumez  <cdumez@apple.com>
2649
2650         Unreviewed GCC build fix after r202098.
2651
2652         * bytecode/CodeBlock.cpp:
2653         (JSC::CodeBlock::thresholdForJIT):
2654
2655 2016-06-14  Geoffrey Garen  <ggaren@apple.com>
2656
2657         compilation policy should adapt to past behavior
2658         https://bugs.webkit.org/show_bug.cgi?id=158759
2659
2660         Reviewed by Saam Barati.
2661
2662         This looks like a ~9% speedup on JSBench.
2663
2664         * bytecode/CodeBlock.cpp:
2665         (JSC::CodeBlock::~CodeBlock): Record when a CodeBlock dies without ever
2666         making it to DFG.
2667
2668         (JSC::CodeBlock::thresholdForJIT): CodeBlocks that make it to DFG should
2669         compile sooner; CodeBlocks that don't should compile later. The goal is
2670         to use past behavior, in addition to execution counts, to determine
2671         whether compilation is profitable.
2672
2673         (JSC::CodeBlock::jitAfterWarmUp):
2674         (JSC::CodeBlock::jitSoon): Apply the thresholdForJIT rule.
2675
2676         * bytecode/CodeBlock.h: Moved some code into the .cpp file so I could
2677         change stuff without recompiling.
2678         (JSC::CodeBlock::jitAfterWarmUp): Deleted.
2679         (JSC::CodeBlock::jitSoon): Deleted.
2680
2681         * bytecode/UnlinkedCodeBlock.cpp:
2682         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2683         * bytecode/UnlinkedCodeBlock.h:
2684         (JSC::UnlinkedCodeBlock::didOptimize):
2685         (JSC::UnlinkedCodeBlock::setDidOptimize): Added a piece of data to track
2686         whether we made it to DFG.
2687
2688         * jit/JITOperations.cpp: Record when we make it to DFG.
2689
2690 2016-06-15  Konstantin Tokarev  <annulen@yandex.ru>
2691
2692         Only Mac port needs ObjC API for JSC.
2693         https://bugs.webkit.org/show_bug.cgi?id=158780
2694
2695         Reviewed by Philippe Normand.
2696
2697         * API/JSBase.h: Removed !defined(BUILDING_GTK__)
2698
2699 2016-06-15  Keith Miller  <keith_miller@apple.com>
2700
2701         DFGByteCodeParser should be able to infer a property is unset from the Baseline inline cache.
2702         https://bugs.webkit.org/show_bug.cgi?id=158774
2703
2704         Reviewed by Filip Pizlo.
2705
2706         This patch allows the DFGByteCodeParser to speculatively convert a property access into a
2707         constant if that access was always a miss in the Baseline inline cache. This patch does
2708         not add support for MultiGetByOffset and unset properties. That functionality will come
2709         in a future patch.
2710
2711         * bytecode/ComplexGetStatus.cpp:
2712         (JSC::ComplexGetStatus::computeFor):
2713         * bytecode/GetByIdStatus.cpp:
2714         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2715         * bytecode/GetByIdVariant.h:
2716         (JSC::GetByIdVariant::isPropertyUnset):
2717         * bytecode/PutByIdVariant.h:
2718         (JSC::PutByIdVariant::isPropertyUnset):
2719         * dfg/DFGByteCodeParser.cpp:
2720         (JSC::DFG::ByteCodeParser::load):
2721         (JSC::DFG::ByteCodeParser::handleGetById):
2722         * tests/stress/undefined-access-then-self-change.js: Added.
2723         (foo):
2724
2725 2016-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2726
2727         [JSC] Move calling convention flags to WTF
2728         https://bugs.webkit.org/show_bug.cgi?id=158661
2729
2730         Reviewed by Keith Miller.
2731
2732         Due to some calling convention flags and JIT_OPERATION flags, MathCommon.h includes MacroAssemblerCodeRef and JITOperations.h.
2733         But MacroAssembler and JIT part should not be necessary for the MathCommon component.
2734         As with other calling convention flags like JSC_HOST_CALL, these flags should be in WTF.
2735
2736         * assembler/MacroAssemblerCodeRef.h:
2737         * jit/JITOperations.h:
2738         Add wtf/Platform.h inclusion driven by the Windows port build failure.
2739
2740         * runtime/MathCommon.h:
2741
2742 2016-06-15  Romain Bellessort  <romain.bellessort@crf.canon.fr>
2743
2744         Enabling Shadow DOM for all platforms
2745         https://bugs.webkit.org/show_bug.cgi?id=158738
2746
2747         Reviewed by Ryosuke Niwa.
2748
2749         Removed Shadow DOM from options (enabled by default)
2750
2751         * Configurations/FeatureDefines.xcconfig:
2752
2753 2016-06-14  Caio Lima  <ticaiolima@gmail.com>
2754
2755         The parser doesn't properly parse "super" when default parameter is an
2756         arrow function.
2757         https://bugs.webkit.org/show_bug.cgi?id=157872
2758
2759         Reviewed by Saam Barati.
2760
2761         The "super" member or "super()" could not be used when default parameter is an
2762         arrow function, resulting in a syntax error. It happened because the
2763         "closestOrdinaryFunctionScope" was not being initialized properly
2764         before "parseFunctionParameters" step and the condition
2765         "functionSuperBinding == SuperBinding::NotNeeded" or
2766         "functionConstructorKind != ConstructorKind::Derived" on
2767         "Parser<LexerType>::parseMemberExpression" step were being true
2768         resulting in SyntaxError.
2769
2770         * parser/Parser.cpp: 
2771         (JSC::Parser<LexerType>::parseFunctionInfo): setting
2772         "functionScope->setExpectedSuperBinding(expectedSuperBinding)" and
2773         "functionScope->setConstructorKind(constructorKind)" before
2774         "parseFunctionParameters" step.
2775
2776 2016-06-14  Joseph Pecoraro  <pecoraro@apple.com>
2777
2778         Web Inspector: Rename Timeline.setAutoCaptureInstruments to Timeline.setInstruments
2779         https://bugs.webkit.org/show_bug.cgi?id=158762
2780
2781         Reviewed by Timothy Hatcher.
2782
2783         Rename the protocol methods since the backend may use the instruments
2784         for purposes other than auto-capture, such as programmatic capture
2785         via console.profile.
2786
2787         * inspector/protocol/Timeline.json:
2788
2789 2016-06-14  David Kilzer  <ddkilzer@apple.com>
2790
2791         Document the native format of JSChar type
2792         <http://webkit.org/b/156137>
2793
2794         Reviewed by Darin Adler.
2795
2796         * API/JSStringRef.h:
2797         (typedef JSChar): Update documentation.
2798
2799 2016-06-14  Keith Miller  <keith_miller@apple.com>
2800
2801         The Array species constructor watchpoints should be created the first time they are needed rather than on creation
2802         https://bugs.webkit.org/show_bug.cgi?id=158754
2803
2804         Reviewed by Benjamin Poulain.
2805
2806         We use adaptive watchpoints for some Array prototype functions to
2807         ensure that the user has not overridden the value of the
2808         Array.prototype.constructor or Array[Symbol.species]. This patch
2809         changes when the Array species constructor watchpoints are
2810         initialized. Before, those watchpoints would be created when the
2811         global object is initialized. This had the advantage that it did
2812         not require validating the constructor and Symbol.species
2813         properties. On the other hand, it also meant that if the user were
2814         to reconfigure properties of Array.prototype, which would cause the
2815         structure of the property to become an uncachable dictionary,
2816         prior to running code, the watchpoints would be
2817         invalidated. It turns out that JSBench amazon, for instance, does
2818         reconfigure some of Array.prototype's properties. This patch
2819         initializes the watchpoints the first time they are needed. Since
2820         we only initialize once we also flatten the structure of Array and
2821         Array.prototype.
2822
2823         * runtime/ArrayPrototype.cpp:
2824         (JSC::speciesConstructArray):
2825         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):
2826         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2827         (JSC::ArrayPrototype::setConstructor): Deleted.
2828         * runtime/ArrayPrototype.h:
2829         (JSC::ArrayPrototype::speciesWatchpointStatus):
2830         (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties): Deleted.
2831         * runtime/JSGlobalObject.cpp:
2832         (JSC::JSGlobalObject::init):
2833         * runtime/JSGlobalObject.h:
2834         (JSC::JSGlobalObject::speciesGetterSetter):
2835         (JSC::JSGlobalObject::arrayConstructor):
2836         * tests/stress/array-symbol-species-lazy-watchpoints.js: Added.
2837         (test):
2838         (arrayEq):
2839         (A):
2840
2841 2016-06-14  Keith Miller  <keith_miller@apple.com>
2842
2843         REGRESSION(202002-202014): 845 32-bit JSC Stress Test failures
2844         https://bugs.webkit.org/show_bug.cgi?id=158737
2845
2846         Reviewed by Filip Pizlo.
2847
2848         When the this child and arguments child for the varargs nodes were switched, I missed one
2849         case in the 32-bit build.
2850
2851         * dfg/DFGSpeculativeJIT32_64.cpp:
2852         (JSC::DFG::SpeculativeJIT::emitCall):
2853
2854 2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>
2855
2856         setUpStaticFunctionSlot does not handle Builtin|Accessor properties
2857         https://bugs.webkit.org/show_bug.cgi?id=158637
2858
2859         Reviewed by Geoff Garen.
2860
2861         setUpStaticFunctionSlot contains a duplicate copy of the body of the function reifyStaticProperty
2862         - however it is missing handling for Accessor type under Builtin functions.
2863         Fix the bug by de-duplicating - setUpStaticFunctionSlot should just call reifyStaticProperty.
2864
2865         * runtime/Lookup.cpp:
2866         (JSC::setUpStaticFunctionSlot):
2867             - should just call reifyStaticProperty.
2868         * runtime/Lookup.h:
2869         (JSC::lookupPut):
2870         (JSC::reifyStaticProperty):
2871             - changed reifyStaticProperty to take PropertyName.
2872
2873 2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>
2874
2875         JSBoundSlotBaseFunction no longer binds slot base
2876         https://bugs.webkit.org/show_bug.cgi?id=157978
2877
2878         Reviewed by Geoff Garen.
2879
2880         This class is basically currently named after a bug. We should never have
2881         been binding functions to slot bases - this was not ever correct behavior.
2882         This was fixed earlier in the year, but there is still some cruft including
2883         the class name to clean up.
2884
2885             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction
2886             - removed m_boundSlotBase - don't retain the original slot base
2887               (we were not really using it anyway).
2888             - ASSERT customGetterSetter->getter/setter are non-null, rather than checking.
2889             - Store the PropertyName such that we can pass this to the getter
2890               (we're currently reperforming the String->Identifier conversion every time).
2891             - Removed JSFunction::lookUpOrCreateNativeExecutable - this is just overhead,
2892               and not used consistently.
2893
2894         * CMakeLists.txt:
2895         * JavaScriptCore.xcodeproj/project.pbxproj:
2896         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
2897         * runtime/JSBoundSlotBaseFunction.h: Removed.
2898             - JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction
2899         * runtime/JSCustomGetterSetterFunction.cpp: Copied from Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp.
2900         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
2901             - made a static function on JSCustomGetterSetterFunction such that accessor
2902               to member properties could be made private. Call variant of callCustomSetter
2903               that does not require slotBase, ASSERT getter/setter present, pass stored
2904               PropertyName to getter.
2905         (JSC::JSCustomGetterSetterFunction::JSCustomGetterSetterFunction):
2906             - renamed, store propertyName.
2907         (JSC::JSCustomGetterSetterFunction::create):
2908             - use same function name to Executable as is being passed to Function::finishCreation.
2909         (JSC::JSCustomGetterSetterFunction::visitChildren):
2910         (JSC::JSCustomGetterSetterFunction::finishCreation):
2911             - removed m_boundSlotBase.
2912         * runtime/JSCustomGetterSetterFunction.h: Copied from Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.h.
2913         (JSC::JSCustomGetterSetterFunction::customGetterSetter):
2914         (JSC::JSCustomGetterSetterFunction::isSetter):
2915             - made private.
2916         (JSC::JSCustomGetterSetterFunction::propertyName):
2917             - new accessor.
2918         (JSC::JSBoundSlotBaseFunction::boundSlotBase): Deleted.
2919             - removed.
2920         * runtime/JSFunction.cpp:
2921         (JSC::JSFunction::create):
2922         (JSC::JSFunction::lookUpOrCreateNativeExecutable): Deleted.
2923             - removed lookUpOrCreateNativeExecutable. This inconsistently used wrapper was providing no value, only bloat.
2924         * runtime/JSFunction.h:
2925         * runtime/JSGlobalObject.cpp:
2926         (JSC::JSGlobalObject::init):
2927         (JSC::JSGlobalObject::visitChildren):
2928             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
2929         * runtime/JSGlobalObject.h:
2930         (JSC::JSGlobalObject::customGetterSetterFunctionStructure):
2931         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
2932             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
2933         * runtime/JSNativeStdFunction.cpp:
2934         (JSC::JSNativeStdFunction::create):
2935             - removed lookUpOrCreateNativeExecutable.
2936         * runtime/JSObject.cpp:
2937         (JSC::getCustomGetterSetterFunctionForGetterSetter):
2938         (JSC::JSObject::getOwnPropertyDescriptor):
2939         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
2940             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
2941         * runtime/VM.h:
2942             - renamed JSBoundSlotBaseFunction -> JSCustomGetterSetterFunction, etc.
2943
2944 2016-06-13  Saam Barati  <sbarati@apple.com>
2945
2946         The sampling profiler should further protect itself against certain forms of sampling bias that arise due to the sampling interval being in sync with some other system process
2947         https://bugs.webkit.org/show_bug.cgi?id=158678
2948
2949         Reviewed by Benjamin Poulain.
2950
2951         I first became aware of this problem when I read this paper:
2952         http://plv.colorado.edu/papers/mytkowicz-pldi10.pdf
2953
2954         To provide background for this change, I'll quote a paragraph
2955         from section 6.2:
2956         "One statistically sound method for collecting random samples is to collect a
2957         sample at every t + r milliseconds, where t is the desired sampling interval
2958         and r is a random number between −t and t. One might think that sampling every
2959         t seconds is enough (i.e., drop the r component) but it is not: specifically,
2960         if a profiler samples every t seconds, the sampling rate would be synchronized
2961         with any program or system activity that occurs at regular time intervals [17].
2962         For example, if the thread scheduler switches between threads every 10ms and our
2963         sampling interval was also 10ms, then we may always take samples immediately after
2964         a thread switch. Because performance is often different immediately after a thread
2965         switch than at other points (e.g., due to cache and TLB warm-up effects) we would
2966         get biased data. The random component, r, guards against such situations."
2967
2968         * runtime/SamplingProfiler.cpp:
2969         (JSC::SamplingProfiler::timerLoop):
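        The randomized t + r sampling interval quoted above, shown in an added simulation (my example, not the code in JSC::SamplingProfiler::timerLoop): a fixed 10ms interval lands every sample at the same phase of a 10ms periodic event, while the jittered interval spreads samples across the whole cycle. The 10ms period, the 1us lower clamp and the seeded RNG are assumptions of the example.

```cpp
// Added example, not JSC code: simulates the sampling-bias argument from the
// paper quoted in the ChangeLog entry above.
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>
#include <vector>

// Desired sampling interval t and the period of some regular system activity
// (e.g. a scheduler tick), both in microseconds. Constructed values: the
// interesting case is the two being equal.
static constexpr int64_t kIntervalUs = 10000;
static constexpr int64_t kSchedulerPeriodUs = 10000;

// Naive policy: always sleep exactly t before the next sample.
int64_t fixedInterval(int64_t t, std::mt19937& /*rng*/)
{
    return t;
}

// Policy from the paper: sleep t + r with r drawn uniformly from [-t, t].
// Clamped to at least 1us so the sampler can never spin without sleeping
// (the clamp is my addition, not part of the quoted method).
int64_t jitteredInterval(int64_t t, std::mt19937& rng)
{
    std::uniform_int_distribution<int64_t> r(-t, t);
    int64_t interval = t + r(rng);
    return interval < 1 ? 1 : interval;
}

// Take `count` samples under `policy` and return, for each sample, how long
// after the most recent periodic event it fired (its phase in the cycle).
std::vector<int64_t> samplePhases(int64_t (*policy)(int64_t, std::mt19937&),
                                  size_t count, uint32_t seed)
{
    std::mt19937 rng(seed); // seeded so the simulation is reproducible
    std::vector<int64_t> phases;
    int64_t now = 0;
    for (size_t i = 0; i < count; ++i) {
        now += policy(kIntervalUs, rng);
        phases.push_back(now % kSchedulerPeriodUs);
    }
    return phases;
}

// Number of distinct phases observed. A result of 1 means every sample hit the
// same point in the scheduler cycle: the biased data the entry guards against.
size_t distinctPhases(const std::vector<int64_t>& phases)
{
    return std::set<int64_t>(phases.begin(), phases.end()).size();
}

int main()
{
    const size_t samples = 1000;
    std::printf("fixed interval:    %zu distinct phases\n",
                distinctPhases(samplePhases(fixedInterval, samples, 42)));
    std::printf("jittered interval: %zu distinct phases\n",
                distinctPhases(samplePhases(jitteredInterval, samples, 42)));
    return 0;
}
```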
2970
2971 2016-06-13  Oliver Hunt  <oliver@apple.com>
2972
2973         DFG Validation fails when performing a concatenation with only a single entry
2974         https://bugs.webkit.org/show_bug.cgi?id=158699
2975
2976         Reviewed by Saam Barati.
2977
2978         Fairly simple short circuiting of a single replacement template string
2979         without any padding to be planted as a simple to string rather than
2980         op_strcat.
2981
2982         * bytecompiler/NodesCodegen.cpp:
2983         (JSC::TemplateLiteralNode::emitBytecode):
2984         * tests/stress/template-literal.js:
2985         (testSingleNode):
2986
2987 2016-06-13  Filip Pizlo  <fpizlo@apple.com>
2988
2989         FTL::Output methods should be out-of-line whenever possible
2990         https://bugs.webkit.org/show_bug.cgi?id=158704
2991
2992         Reviewed by Benjamin Poulain.
2993         
2994         These methods turn into a non-trivial amount of code because of the template-based B3 API.
2995         Inlining them didn't achieve any performance advantages for the FTL, but it did make the
2996         code larger. This outlines most methods in FTL::Output. It makes FTL::LowerDFGToB3 smaller
2997         and it doesn't change performance.
2998
2999         * ftl/FTLOutput.cpp:
3000         (JSC::FTL::Output::appendTo):
3001         (JSC::FTL::Output::framePointer):
3002         (JSC::FTL::Output::lockedStackSlot):
3003         (JSC::FTL::Output::constBool):
3004         (JSC::FTL::Output::constInt32):
3005         (JSC::FTL::Output::constInt64):
3006         (JSC::FTL::Output::constDouble):
3007         (JSC::FTL::Output::phi):
3008         (JSC::FTL::Output::add):
3009         (JSC::FTL::Output::sub):
3010         (JSC::FTL::Output::mul):
3011         (JSC::FTL::Output::div):
3012         (JSC::FTL::Output::chillDiv):
3013         (JSC::FTL::Output::mod):
3014         (JSC::FTL::Output::chillMod):
3015         (JSC::FTL::Output::neg):
3016         (JSC::FTL::Output::doubleAdd):
3017         (JSC::FTL::Output::doubleSub):
3018         (JSC::FTL::Output::doubleMul):
3019         (JSC::FTL::Output::doubleDiv):
3020         (JSC::FTL::Output::doubleMod):
3021         (JSC::FTL::Output::bitAnd):
3022         (JSC::FTL::Output::bitOr):
3023         (JSC::FTL::Output::bitXor):
3024         (JSC::FTL::Output::shl):
3025         (JSC::FTL::Output::aShr):
3026         (JSC::FTL::Output::lShr):
3027         (JSC::FTL::Output::bitNot):
3028         (JSC::FTL::Output::logicalNot):
3029         (JSC::FTL::Output::ctlz32):
3030         (JSC::FTL::Output::doubleAbs):
3031         (JSC::FTL::Output::doubleCeil):
3032         (JSC::FTL::Output::doubleFloor):
3033         (JSC::FTL::Output::doubleTrunc):
3034         (JSC::FTL::Output::doubleSin):
3035         (JSC::FTL::Output::doubleCos):
3036         (JSC::FTL::Output::doublePow):
3037         (JSC::FTL::Output::doublePowi):
3038         (JSC::FTL::Output::doubleSqrt):
3039         (JSC::FTL::Output::doubleLog):
3040         (JSC::FTL::Output::hasSensibleDoubleToInt):
3041         (JSC::FTL::Output::doubleToUInt):
3042         (JSC::FTL::Output::signExt32To64):
3043         (JSC::FTL::Output::zeroExt):
3044         (JSC::FTL::Output::intToDouble):
3045         (JSC::FTL::Output::unsignedToDouble):
3046         (JSC::FTL::Output::castToInt32):
3047         (JSC::FTL::Output::doubleToFloat):
3048         (JSC::FTL::Output::floatToDouble):
3049         (JSC::FTL::Output::load):
3050         (JSC::FTL::Output::load8SignExt32):
3051         (JSC::FTL::Output::baseIndex):
3052         (JSC::FTL::Output::equal):
3053         (JSC::FTL::Output::notEqual):
3054         (JSC::FTL::Output::above):
3055         (JSC::FTL::Output::aboveOrEqual):
3056         (JSC::FTL::Output::below):
3057         (JSC::FTL::Output::belowOrEqual):
3058         (JSC::FTL::Output::greaterThan):
3059         (JSC::FTL::Output::greaterThanOrEqual):
3060         (JSC::FTL::Output::lessThan):
3061         (JSC::FTL::Output::lessThanOrEqual):
3062         (JSC::FTL::Output::doubleEqual):
3063         (JSC::FTL::Output::doubleEqualOrUnordered):
3064         (JSC::FTL::Output::doubleNotEqualOrUnordered):
3065         (JSC::FTL::Output::doubleLessThan):
3066         (JSC::FTL::Output::doubleLessThanOrEqual):
3067         (JSC::FTL::Output::doubleGreaterThan):
3068         (JSC::FTL::Output::doubleGreaterThanOrEqual):
3069         (JSC::FTL::Output::doubleNotEqualAndOrdered):
3070         (JSC::FTL::Output::doubleLessThanOrUnordered):
3071         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
3072         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
3073         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
3074         (JSC::FTL::Output::isZero32):
3075         (JSC::FTL::Output::notZero32):
3076         (JSC::FTL::Output::isZero64):
3077         (JSC::FTL::Output::notZero64):
3078         (JSC::FTL::Output::select):
3079         (JSC::FTL::Output::jump):
3080         (JSC::FTL::Output::branch):
3081         (JSC::FTL::Output::check):
3082         (JSC::FTL::Output::ret):
3083         (JSC::FTL::Output::unreachable):
3084         (JSC::FTL::Output::speculate):
3085         (JSC::FTL::Output::speculateAdd):
3086         (JSC::FTL::Output::speculateSub):
3087         (JSC::FTL::Output::speculateMul):
3088         (JSC::FTL::Output::patchpoint):
3089         (JSC::FTL::Output::trap):
3090         (JSC::FTL::Output::anchor):
3091         (JSC::FTL::Output::bitCast):
3092         (JSC::FTL::Output::fround):
3093         * ftl/FTLOutput.h:
3094         (JSC::FTL::Output::setOrigin):
3095         (JSC::FTL::Output::origin):
3096         (JSC::FTL::Output::constIntPtr):
3097         (JSC::FTL::Output::doubleNeg):
3098         (JSC::FTL::Output::zeroExtPtr):
3099         (JSC::FTL::Output::load32NonNegative):
3100         (JSC::FTL::Output::isNull):
3101         (JSC::FTL::Output::notNull):
3102         (JSC::FTL::Output::testIsZeroPtr):
3103         (JSC::FTL::Output::testNonZeroPtr):
3104         (JSC::FTL::Output::call):
3105         (JSC::FTL::Output::operation):
3106         (JSC::FTL::Output::branch):
3107         (JSC::FTL::Output::switchInstruction):
3108         (JSC::FTL::Output::addIncomingToPhi):
3109         (JSC::FTL::Output::framePointer): Deleted.
3110         (JSC::FTL::Output::constBool): Deleted.
3111         (JSC::FTL::Output::constInt32): Deleted.
3112         (JSC::FTL::Output::constInt64): Deleted.
3113         (JSC::FTL::Output::constDouble): Deleted.
3114         (JSC::FTL::Output::phi): Deleted.
3115         (JSC::FTL::Output::add): Deleted.
3116         (JSC::FTL::Output::sub): Deleted.
3117         (JSC::FTL::Output::mul): Deleted.
3118         (JSC::FTL::Output::div): Deleted.
3119         (JSC::FTL::Output::chillDiv): Deleted.
3120         (JSC::FTL::Output::mod): Deleted.
3121         (JSC::FTL::Output::chillMod): Deleted.
3122         (JSC::FTL::Output::doubleAdd): Deleted.
3123         (JSC::FTL::Output::doubleSub): Deleted.
3124         (JSC::FTL::Output::doubleMul): Deleted.
3125         (JSC::FTL::Output::doubleDiv): Deleted.
3126         (JSC::FTL::Output::doubleMod): Deleted.
3127         (JSC::FTL::Output::bitAnd): Deleted.
3128         (JSC::FTL::Output::bitOr): Deleted.
3129         (JSC::FTL::Output::bitXor): Deleted.
3130         (JSC::FTL::Output::shl): Deleted.
3131         (JSC::FTL::Output::aShr): Deleted.
3132         (JSC::FTL::Output::lShr): Deleted.
3133         (JSC::FTL::Output::ctlz32): Deleted.
3134         (JSC::FTL::Output::addWithOverflow32): Deleted.
3135         (JSC::FTL::Output::subWithOverflow32): Deleted.
3136         (JSC::FTL::Output::mulWithOverflow32): Deleted.
3137         (JSC::FTL::Output::addWithOverflow64): Deleted.
3138         (JSC::FTL::Output::subWithOverflow64): Deleted.
3139         (JSC::FTL::Output::mulWithOverflow64): Deleted.
3140         (JSC::FTL::Output::doubleAbs): Deleted.
3141         (JSC::FTL::Output::doubleCeil): Deleted.
3142         (JSC::FTL::Output::doubleFloor): Deleted.
3143         (JSC::FTL::Output::doubleSin): Deleted.
3144         (JSC::FTL::Output::doubleCos): Deleted.
3145         (JSC::FTL::Output::doublePow): Deleted.
3146         (JSC::FTL::Output::doubleSqrt): Deleted.
3147         (JSC::FTL::Output::doubleLog): Deleted.
3148         (JSC::FTL::Output::signExt32To64): Deleted.
3149         (JSC::FTL::Output::zeroExt): Deleted.
3150         (JSC::FTL::Output::intToDouble): Deleted.
3151         (JSC::FTL::Output::castToInt32): Deleted.
3152         (JSC::FTL::Output::doubleToFloat): Deleted.
3153         (JSC::FTL::Output::floatToDouble): Deleted.
3154         (JSC::FTL::Output::equal): Deleted.
3155         (JSC::FTL::Output::notEqual): Deleted.
3156         (JSC::FTL::Output::above): Deleted.
3157         (JSC::FTL::Output::aboveOrEqual): Deleted.
3158         (JSC::FTL::Output::below): Deleted.
3159         (JSC::FTL::Output::belowOrEqual): Deleted.
3160         (JSC::FTL::Output::greaterThan): Deleted.
3161         (JSC::FTL::Output::greaterThanOrEqual): Deleted.
3162         (JSC::FTL::Output::lessThan): Deleted.
3163         (JSC::FTL::Output::lessThanOrEqual): Deleted.
3164         (JSC::FTL::Output::doubleEqual): Deleted.
3165         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
3166         (JSC::FTL::Output::doubleNotEqualOrUnordered): Deleted.
3167         (JSC::FTL::Output::doubleLessThan): Deleted.
3168         (JSC::FTL::Output::doubleLessThanOrEqual): Deleted.
3169         (JSC::FTL::Output::doubleGreaterThan): Deleted.
3170         (JSC::FTL::Output::doubleGreaterThanOrEqual): Deleted.
3171         (JSC::FTL::Output::doubleNotEqualAndOrdered): Deleted.
3172         (JSC::FTL::Output::doubleLessThanOrUnordered): Deleted.
3173         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered): Deleted.
3174         (JSC::FTL::Output::doubleGreaterThanOrUnordered): Deleted.
3175         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered): Deleted.
3176         (JSC::FTL::Output::isZero32): Deleted.
3177         (JSC::FTL::Output::notZero32): Deleted.
3178         (JSC::FTL::Output::isZero64): Deleted.
3179         (JSC::FTL::Output::notZero64): Deleted.
3180         (JSC::FTL::Output::select): Deleted.
3181         (JSC::FTL::Output::extractValue): Deleted.
3182         (JSC::FTL::Output::jump): Deleted.
3183         (JSC::FTL::Output::ret): Deleted.
3184         (JSC::FTL::Output::unreachable): Deleted.
3185         (JSC::FTL::Output::speculate): Deleted.
3186         (JSC::FTL::Output::speculateAdd): Deleted.
3187         (JSC::FTL::Output::speculateSub): Deleted.
3188         (JSC::FTL::Output::speculateMul): Deleted.
3189         (JSC::FTL::Output::patchpoint): Deleted.
3190         (JSC::FTL::Output::trap): Deleted.
3191         (JSC::FTL::Output::anchor): Deleted.
3192         (JSC::FTL::Output::bitCast): Deleted.
3193         (JSC::FTL::Output::fround): Deleted.
3194
3195 2016-06-13  Keith Miller  <keith_miller@apple.com>
3196
3197         Unreviewed, Cloop build fix.
3198
3199         * bytecode/BytecodeList.json:
3200
3201 2016-06-12  Keith Miller  <keith_miller@apple.com>
3202
3203         Add new builtin opcode tailCallForwardArguments
3204         https://bugs.webkit.org/show_bug.cgi?id=158666
3205
3206         Reviewed by Filip Pizlo.
3207
3208         We should support the ability to have a builtin forward its
3209         arguments to a helper without allocating an arguments object. This
3210         patch adds a new bytecode intrinsic @tailCallForwardArguments that
3211         takes two values. The first is the target of the call and the
3212         second is the new this value. This opcode will tail call to the
3213         passed function without triggering an allocation of an arguments
3214         object for the caller function.
3215
3216         In the LLInt and Baseline this function acts the same way a normal
3217         tail call does.  The bytecode will allocate a new stack frame
3218         copying all the arguments of the caller function into the new
3219         frame, along with the new this. Then when the actual call happens
3220         the new frame is copied over the caller frame. While this is not
3221         necessary, it allows the target function to have more arguments
3222         than the caller function via arity fixup.
3223
3224         Once we get to the DFG we reuse existing DFG Nodes for forwarding
3225         arguments, although there were some minor changes. This patch
3226         swaps the meaning of the second and third children for each DFG
3227         varargs node, exchanging the arguments and this child,
3228         respectively. It also makes the arguments child for each varargs
3229         node, as well as the ForwardVarargs node, optional. If the optional
3230         child is missing, then the forwarding node assumes that the arguments
3231         for the node's inlineCallFrame should be used instead. Finally,
3232         when inlining the target of an inlined
3233         op_tail_call_forward_arguments we make sure the arguments of the
3234         forwarding function are marked as non-unboxable since this would
3235         normally be done by the caller's create arguments object node,
3236         which does not exist in this case.
3237
3238         * bytecode/BytecodeIntrinsicRegistry.h:
3239         * bytecode/BytecodeList.json:
3240         * bytecode/BytecodeUseDef.h:
3241         (JSC::computeUsesForBytecodeOffset):
3242         (JSC::computeDefsForBytecodeOffset):
3243         * bytecode/CallLinkInfo.h:
3244         (JSC::CallLinkInfo::callTypeFor):
3245         * bytecode/CodeBlock.cpp:
3246         (JSC::CodeBlock::dumpBytecode):
3247         (JSC::CodeBlock::finishCreation):
3248         * bytecompiler/BytecodeGenerator.cpp:
3249         (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
3250         (JSC::BytecodeGenerator::emitCallVarargs):
3251         * bytecompiler/BytecodeGenerator.h:
3252         * bytecompiler/NodesCodegen.cpp:
3253         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tailCallForwardArguments):
3254         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
3255         * dfg/DFGArgumentsEliminationPhase.cpp:
3256         * dfg/DFGByteCodeParser.cpp:
3257         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3258         (JSC::DFG::ByteCodeParser::handleCall):
3259         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3260         (JSC::DFG::ByteCodeParser::handleInlining):
3261         (JSC::DFG::ByteCodeParser::parseBlock):
3262         * dfg/DFGCapabilities.cpp:
3263         (JSC::DFG::capabilityLevel):
3264         * dfg/DFGFixupPhase.cpp:
3265         (JSC::DFG::FixupPhase::fixupNode):
3266         * dfg/DFGNode.h:
3267         (JSC::DFG::Node::hasArgumentsChild):
3268         (JSC::DFG::Node::argumentsChild):
3269         * dfg/DFGPreciseLocalClobberize.h:
3270         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3271         * dfg/DFGPredictionPropagationPhase.cpp:
3272         * dfg/DFGSpeculativeJIT.cpp:
3273         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3274         * dfg/DFGSpeculativeJIT32_64.cpp:
3275         (JSC::DFG::SpeculativeJIT::emitCall):
3276         * dfg/DFGSpeculativeJIT64.cpp:
3277         (JSC::DFG::SpeculativeJIT::emitCall):
3278         * dfg/DFGVarargsForwardingPhase.cpp:
3279         * ftl/FTLLowerDFGToB3.cpp:
3280         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3281         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3282         * interpreter/Interpreter.cpp:
3283         (JSC::sizeFrameForForwardArguments):
3284         (JSC::setupForwardArgumentsFrame):
3285         (JSC::setupForwardArgumentsFrameAndSetThis):
3286         * interpreter/Interpreter.h:
3287         * jit/JIT.cpp:
3288         (JSC::JIT::privateCompileMainPass):
3289         (JSC::JIT::privateCompileSlowCases):
3290         * jit/JIT.h:
3291         * jit/JITCall.cpp:
3292         (JSC::JIT::compileSetupVarargsFrame):
3293         (JSC::JIT::compileOpCall):
3294         (JSC::JIT::compileOpCallSlowCase):
3295         (JSC::JIT::emit_op_tail_call_forward_arguments):
3296         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
3297         * jit/JITCall32_64.cpp:
3298         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
3299         (JSC::JIT::emit_op_tail_call_forward_arguments):
3300         (JSC::JIT::compileSetupVarargsFrame):
3301         (JSC::JIT::compileOpCall):
3302         * jit/JITOperations.cpp:
3303         * jit/JITOperations.h:
3304         * llint/LLIntSlowPaths.cpp:
3305         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3306         (JSC::LLInt::varargsSetup):
3307         * llint/LLIntSlowPaths.h:
3308         * llint/LowLevelInterpreter.asm:
3309         * tests/stress/tailCallForwardArguments.js: Added.
3310         (putFuncToPrivateName.createBuiltin):
3311         (putFuncToPrivateName):
3312         (createTailCallForwardingFuncWith):
3313         (baz):
3314         (baz2):