[DFG] Should not fixup AnyIntUse in 32_64
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Should not fixup AnyIntUse in 32_64
        https://bugs.webkit.org/show_bug.cgi?id=161029

        Reviewed by Saam Barati.

        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
        If the 32bit DFG sees the TypeAnyInt, it should fall back to the NumberUse case.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, rolling out r204697
        https://bugs.webkit.org/show_bug.cgi?id=161029

        32bit is OK. DFGSpeculativeJIT64.cpp shortcut also needs some care.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Should not fixup AnyIntUse in 32_64
        https://bugs.webkit.org/show_bug.cgi?id=161029

        Reviewed by Saam Barati.

        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
        If the 32bit DFG sees the TypeAnyInt, it should fall back to the NumberUse case.

        And this patch also fixes the case that the type set only contains TypeNumber. Previously,
        we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
        passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-08-20  Brian Burg  <bburg@apple.com>

        Remote Inspector: some methods don't need to be marked virtual anymore
        https://bugs.webkit.org/show_bug.cgi?id=161033

        Reviewed by Darin Adler.

        This probably happened when this code was last refactored and moved around.

        * inspector/remote/RemoteConnectionToTarget.h:

2016-08-19  Sam Weinig  <sam@webkit.org>

        Location.ancestorOrigins should return a FrozenArray<USVString>
        https://bugs.webkit.org/show_bug.cgi?id=161018

        Reviewed by Ryosuke Niwa and Chris Dumez.

        * runtime/ObjectConstructor.h:
        (JSC::objectConstructorFreeze):
        Export objectConstructorFreeze so it can be used to freeze DOM FrozenArrays.

2016-08-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ArithSqrt should work with any argument type
        https://bugs.webkit.org/show_bug.cgi?id=160954

        Reviewed by Saam Barati.

        Previously, ArithSqrt would always OSR Exit if the argument
        is not typed Integer, Double, or Boolean.
        Since we can't recover by generalizing to those, we continuously
        OSR Exit and recompile the same code over and over again.

        This patch introduces a fallback to handle the remaining types.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        * dfg/DFGMayExit.cpp:
        This is somewhat unrelated. While discussing the design of this
        with Filip, we decided not to use ToNumber+ArithSqrt despite
        the guarantee that ToNumber does not OSR Exit.
        Since it does not OSR Exit, we should say so in mayExitImpl().

        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Make custom Error properties (line, column, sourceURL) configurable and writable
        https://bugs.webkit.org/show_bug.cgi?id=160984
        <rdar://problem/27905979>

        Reviewed by Saam Barati.

        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::addErrorInfo):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Remove empty files and empty namespace blocks
        https://bugs.webkit.org/show_bug.cgi?id=160990

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ValueProfile.cpp: Removed.
        * runtime/WatchdogMac.cpp: Removed.
        * runtime/WatchdogNone.cpp: Removed.

        * runtime/StringIteratorPrototype.cpp:
        Remove empty namespace block.

        * runtime/JSDestructibleObject.h:
        Drive-by add missing copyright.

2016-08-19  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=160995

        Avoid setting unknown compile option on source file.

        Reviewed by Anders Carlsson.

        * CMakeLists.txt:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        ScopedArguments is using the wrong owner object for a write barrier.
        https://bugs.webkit.org/show_bug.cgi?id=160976
        <rdar://problem/27328506>

        Reviewed by Keith Miller.

        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::setIndexQuickly):

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Add LLINT probe() macro for X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=160968

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter.asm:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Remove unused SlotVisitor::append() variant.
        https://bugs.webkit.org/show_bug.cgi?id=160961

        Reviewed by Saam Barati.

        * heap/SlotVisitor.h:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::get):
        (JSC::SlotVisitor::append): Deleted.

2016-08-18  Saam Barati  <sbarati@apple.com>

        Make @Array(size) a bytecode intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=160867

        Reviewed by Mark Lam.

        There were a few places in the code where we were emitting `@Array(size)`
        or `new @Array(size)`. Since we have a bytecode operation that already
        represents this, called new_array_with_size, it's faster to just make a
        bytecode intrinsic for this operation. This patch does that and
        the intrinsic is called `@newArrayWithSize`. This might be around a
        1% speedup on ES6 sample bench, but it's within the noise. This is just
        a good bytecode operation to have because it's common enough to
        create arrays and it's good to make that fast in all tiers.

        * builtins/ArrayConstructor.js:
        (of):
        (from):
        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (sort.stringSort):
        (sort):
        (concatSlowPath):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize):

2016-08-18  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>

        [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
        https://bugs.webkit.org/show_bug.cgi?id=156096

        Reviewed by Dean Jackson.

        Adds:
        - Animatable interface and implementation of getAnimations in Element.
        - Interface and implementation for Document getAnimations method.
        - AnimationEffect interface and class stub.
        - KeyframeEffect interface and constructor implementation.
        - 'Animation' interface, constructor and query methods for effect and timeline.
        - Remove runtime condition on Web animation interfaces (compile time flag is specified).

        * runtime/CommonIdentifiers.h:

2016-08-17  Keith Miller  <keith_miller@apple.com>

        Add WASM support for i64 simple opcodes.
        https://bugs.webkit.org/show_bug.cgi?id=160928

        Reviewed by Michael Saboff.

        This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::unaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-17  JF Bastien  <jfbastien@apple.com>

        We allow assignments to const variables when in a for-in/for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=156673

        Reviewed by Filip Pizlo.

        for-in and for-of weren't checking whether iteration variables from
        parent scopes were const. Assigning to such variables should
        throw, but used not to.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
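
The behaviour this entry restores can be checked from script, independently of the engine internals. The following is an added example, not code from the WebKit ChangeLog or from JavaScriptCore: it builds a for-in and a for-of loop whose iteration variable is a `const` (or, for comparison, a `let`) binding declared in an enclosing scope, and reports whether the loop header's assignment throws the TypeError the language requires. The helper names `runLoopAgainstBinding` and `constBindingsAreProtected` are this example's own.

```javascript
// Added example (not WebKit/JSC code): checks the behaviour bug 156673 restores.
// A for-in / for-of loop that assigns to a `const` binding declared in an
// enclosing scope must throw a TypeError on its first iteration, exactly as a
// plain `target = value` assignment would; a `let` binding is updated normally.

function runLoopAgainstBinding(declaration, kind) {
  // `declaration` is "const" or "let"; `kind` is "of" or "in".
  // The loop lives in a nested function so the binding comes from a parent scope,
  // which is the case the bug report describes.
  const subject = kind === "of" ? '["a", "b"]' : '{ a: 1, b: 2 }';
  const source = `
    ${declaration} target = "initial";
    function iterate() {
      let iterations = 0;
      for (target ${kind} ${subject}) {
        iterations += 1;
      }
      return iterations;
    }
    const iterations = iterate();
    return { target, iterations };
  `;
  try {
    const result = new Function(source)();
    return { threw: false, ...result };
  } catch (error) {
    return { threw: true, error: error.constructor.name };
  }
}

function constBindingsAreProtected() {
  // True only if both loop forms refuse to write through a const binding
  // while still iterating normally over a let binding.
  return ["of", "in"].every((kind) => {
    const viaConst = runLoopAgainstBinding("const", kind);
    const viaLet = runLoopAgainstBinding("let", kind);
    return viaConst.threw && viaConst.error === "TypeError"
      && !viaLet.threw && viaLet.iterations === 2 && viaLet.target === "b";
  });
}
```

On an engine with the fix, `constBindingsAreProtected()` returns true; on a build with the bug the const loops run to completion and the function returns false.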

2016-08-17  Geoffrey Garen  <ggaren@apple.com>

        Fixed a potential bug in MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=160948
        <rdar://problem/27889416>

        Reviewed by Oliver Hunt.

        I haven't been able to produce an observable test case after some trying.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
        this out from existing code for clarity, but the behavior is the same.

        (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.

        (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
        path. This is faster than the old linear scan, and I think it might
        avoid cases the old scan could miss.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::append): Account for the case where someone
        has called clear() or removeLast().

        (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
        clearer to test the buffers directly instead of inferring what they
        might be based on capacity.

2016-08-17  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in the DFG backend's GetById emitter.
        https://bugs.webkit.org/show_bug.cgi?id=160925
        <rdar://problem/27248961>

        Reviewed by Filip Pizlo.

        The DFG backend's GetById assertion that the node's prediction not be SpecNone
        is just plain wrong.  It assumes that we can never have a GetById node without a
        type prediction, but this is not true.  The following test case proves otherwise:

            function foo() {
                "use strict";
                return --arguments["callee"];
            }

        Will remove the assertion.  Nothing else needs to change as the DFG is working
        correctly without the assertion.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-08-16  Mark Lam  <mark.lam@apple.com>

        Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
        https://bugs.webkit.org/show_bug.cgi?id=160917

        Reviewed by Filip Pizlo.

        If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
        RELEASE_ASSERT failure:

            $ JSC_useImmortalObjects=true jsc
            >>> gc()
            Trace/BPT trap: 5

        This is because Heap::collectAllGarbage() is doing an explicit sweep of the
        MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
        make objects immortal by retiring their blocks.  As a result, there is a mismatch
        in expectancy.

        The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2016-08-16  Keith Miller  <keith_miller@apple.com>

        Add WASM I32 simple operators.
        https://bugs.webkit.org/show_bug.cgi?id=160914

        Reviewed by Benjamin Poulain.

        This patch adds support for the i32 simple binary operators.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::binaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Conversion to sequence<T> is broken for iterable objects
        https://bugs.webkit.org/show_bug.cgi?id=160801

        Reviewed by Darin Adler.

        Export functions used to iterate over iterable objects.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
        https://bugs.webkit.org/show_bug.cgi?id=160881

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        We were trying to set the result of the Identity node to the same
        value as the source of the Identity.
        That is pretty messed up.

2016-08-15  Saam Barati  <sbarati@apple.com>

        Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
        https://bugs.webkit.org/show_bug.cgi?id=160750
        <rdar://problem/27793469>

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2016-08-15  Saam Barati  <sbarati@apple.com>

        Array.prototype.map builtin should go on the fast path when constructor===@Array
        https://bugs.webkit.org/show_bug.cgi?id=160836

        Reviewed by Keith Miller.

        In the FTL, we were not compiling the result array in Array.prototype.map
        efficiently when the result array should use the Array constructor
        (which is the common case). We used to compile it as:
        x: JSConstant(Array)
        y: Construct(@x, ...)
        instead of
        y: NewArrayWithSize(...)

        This patch changes the builtin to go down the fast path when certain
        conditions are met. Often, the check to go down the fast path will
        be constant folded because we always create a normal array from the
        Array constructor.

        This is around a 5% speedup on ES6 Sample Bench.

        I also made similar changes for Array.prototype.filter
        and Array.prototype.concat on its slow path.

        * builtins/ArrayPrototype.js:

2016-08-15  Mark Lam  <mark.lam@apple.com>

        Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
        https://bugs.webkit.org/show_bug.cgi?id=160832
        <rdar://problem/27577556>

        Reviewed by Geoffrey Garen.

        Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
        access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
        result, we'll crash with null pointer dereferences.

        We can fix this by introducing a JSString::equal() method that will do the
        equality comparison, but is aware of the potential failures to resolve ropes.
        JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
        instead of accessing the underlying StringImpl directly.

        Also added some exception checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase):
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::equal):

2016-08-15  Keith Miller  <keith_miller@apple.com>

        Implement WASM Parser and B3 IR generator
        https://bugs.webkit.org/show_bug.cgi?id=160681

        Reviewed by Benjamin Poulain.

        This patch adds the skeleton for a WebAssembly pipeline. The
        pipeline is designed in order to make it easy to have as much of
        the compilation process threaded as possible. The flow of the
        pipeline roughly goes as follows:

        1) Create a WASMPlan with the VM and a Vector of the
        assembly. Currently the plan will process all the work
        synchronously, however, in the future this can be offloaded to
        other threads.

        2) The plan will run the WASMModuleParser, which collates all the
        information needed to compile each module function
        independently. Since we are still in the early phases, the only
        information is the starting and ending byte of the function's
        body. The module parser, however, still scans both and
        semi-validates the type and the function sections.

        3) Each function is decoded and compiled. In the future this
        should also include an opcode validation phase. The
        WASMFunctionParser is templatized so that a validator should be
        able to use most of the same code the B3 IR generator does.

        4) When the plan has finished it will fill a Vector of
        B3::Compilation objects that correspond to the respective function
        in the WASM module.


        The current testing plan for the modules is to inline the
        binary generated by the spec's OCaml prototype. The inlined binary
        is passed to a WASMPlan then invoked to check the result of the
        function. In the future we should add a more robust testing
        infrastructure.


        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        (invoke):
        (runWASMTests):
        (main):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::globalVariableTypes):
        * wasm/WASMB3IRGenerator.cpp: Added.
        (JSC::WASM::B3IRGenerator::B3IRGenerator):
        (JSC::WASM::B3IRGenerator::addLocal):
        (JSC::WASM::B3IRGenerator::binaryOp):
        (JSC::WASM::B3IRGenerator::addConstant):
        (JSC::WASM::B3IRGenerator::addBlock):
        (JSC::WASM::B3IRGenerator::endBlock):
        (JSC::WASM::B3IRGenerator::addReturn):
        (JSC::WASM::B3IRGenerator::unify):
        (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
        (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
        (JSC::WASM::B3IRGenerator::stackForControlLevel):
        (JSC::WASM::B3IRGenerator::blockForControlLevel):
        (JSC::WASM::parseAndCompile):
        * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h: Added.
        (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
        (JSC::WASM::WASMFunctionParser<Context>::parse):
        (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASM::WASMModuleParser::parse):
        (JSC::WASM::WASMModuleParser::parseFunctionTypes):
        (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
        (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
        * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMModuleParser::WASMModuleParser):
        (JSC::WASM::WASMModuleParser::functionInformation):
        * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMParser.h: Added.
        (JSC::WASM::WASMParser::parseVarUInt32):
        (JSC::WASM::WASMParser::WASMParser):
        (JSC::WASM::WASMParser::consumeCharacter):
        (JSC::WASM::WASMParser::consumeString):
        (JSC::WASM::WASMParser::parseUInt32):
        (JSC::WASM::WASMParser::parseUInt7):
        (JSC::WASM::WASMParser::parseVarUInt1):
        (JSC::WASM::WASMParser::parseValueType):
        * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::Plan::Plan):
        * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::lookup):
        * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::validateOrder):
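
The module parser above reads its counts and indices with a varuint32 decoder (parseVarUInt32). Because that routine runs on untrusted bytes before anything is validated, the checks it makes decide whether a malformed module is rejected cleanly or read out of bounds. The following is an added example, not JSC's WASMParser: a bounds-checked LEB128 varuint32 decoder in JavaScript over a `Uint8Array`, plus a small vector reader that uses it. The function names, the result-object shape and the sample bytes are this example's own constructions.

```javascript
// Added example (not JSC's WASMParser): a bounds-checked LEB128 varuint32
// decoder of the kind a parseVarUInt32 routine needs. It rejects input that
// is truncated, that uses more than the five bytes a 32-bit value can occupy,
// or whose fifth byte carries payload bits above bit 31.

function parseVarUInt32(bytes, offset = 0) {
  let value = 0;
  let index = offset;
  for (let byteNumber = 0; byteNumber < 5; byteNumber += 1) {
    if (index >= bytes.length) {
      return { ok: false, reason: "truncated", next: index };
    }
    const byte = bytes[index];
    index += 1;
    const payload = byte & 0x7f;
    // Byte 5 holds bits 28..34; a well-formed u32 leaves bits 32..34 clear.
    if (byteNumber === 4 && (payload & 0x70) !== 0) {
      return { ok: false, reason: "overflow", next: index };
    }
    // `>>> 0` keeps the accumulator an unsigned 32-bit number.
    value = (value | (payload << (7 * byteNumber))) >>> 0;
    if ((byte & 0x80) === 0) {
      return { ok: true, value, next: index };
    }
  }
  // Continuation bit still set after five bytes: the encoding is too long.
  return { ok: false, reason: "overflow", next: index };
}

// Reads a varuint32 count followed by that many varuint32 entries, the shape
// of a section's "vector" field. The first decode failure is returned as-is,
// so a bogus count can never drive reads past the end of the buffer.
function parseVarUInt32Vector(bytes, offset = 0) {
  const count = parseVarUInt32(bytes, offset);
  if (!count.ok) return count;
  const values = [];
  let cursor = count.next;
  for (let i = 0; i < count.value; i += 1) {
    const item = parseVarUInt32(bytes, cursor);
    if (!item.ok) return item;
    values.push(item.value);
    cursor = item.next;
  }
  return { ok: true, values, next: cursor };
}

// Constructed sample: count 3, then 624485, 127 and 0xFFFFFFFF.
const sampleVector = Uint8Array.of(0x03, 0xe5, 0x8e, 0x26, 0x7f, 0xff, 0xff, 0xff, 0xff, 0x0f);
```

`parseVarUInt32Vector(sampleVector)` yields `[624485, 127, 4294967295]` and a `next` of 10; feeding it `Uint8Array.of(0xff, 0xff, 0xff, 0xff, 0x1f)` or a lone `0x80` byte returns an `overflow` or `truncated` result instead of a value.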

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3 Neg opcode should support float
        https://bugs.webkit.org/show_bug.cgi?id=160795

        Reviewed by Geoffrey Garen.

        This is required to implement WASM f32.neg opcode.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::negateFloat):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testNegDouble):
        (JSC::B3::testNegFloat):
        (JSC::B3::testNegFloatWithUselessDoubleConversion):
        (JSC::B3::run):

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Use #pragma once in inspector headers
        https://bugs.webkit.org/show_bug.cgi?id=160861

        Reviewed by Mark Lam.

        * inspector/*.h:

2016-08-15  Daniel Bates  <dabates@apple.com>

        Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
        private frameworks and libraries
        https://bugs.webkit.org/show_bug.cgi?id=155931
        <rdar://problem/25807989>

        Reviewed by Dan Bernstein.

        Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
        where X is the major version of the active iOS SDK.

        * Configurations/Base.xcconfig:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce includes of Debugger.h
        https://bugs.webkit.org/show_bug.cgi?id=160827

        Reviewed by Mark Lam.

        * API/JSTypedArray.cpp:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLJITCode.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/SamplingProfiler.cpp:
        * runtime/SamplingProfiler.h:
        * runtime/VMEntryScope.cpp:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused includes of wtf headers
        https://bugs.webkit.org/show_bug.cgi?id=160839

        Reviewed by Alex Christensen.

        * Lots of files.

2016-08-13  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=160803

        Reviewed by Brent Fulgham.

        Initialize local variables.

        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):

2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>

        Remove always true JSC::Debugger::needPauseHandling virtual method
        https://bugs.webkit.org/show_bug.cgi?id=160822

        Reviewed by Mark Lam.

        All subclasses return true for this method. Just remove the method.

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * inspector/ScriptDebugServer.h:

2016-08-12  Saam Barati  <sbarati@apple.com>

        Inline store loop for CopyRest in DFG and FTL for certain array modes
        https://bugs.webkit.org/show_bug.cgi?id=159612

        Reviewed by Filip Pizlo.

        This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
        The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
        This allows the bytecode to be in control of what type of indexingType the array is allocated
        with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
        This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
        JIT will fast allocate the array and its storage, and we will do a memmove from the rest
        region of arguments into the array's storage.

        I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
        on micro benchmarks that just test rest creation speed.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitRestParameter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
        (JSC::DFG::Graph::compilation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::numberOfArgumentsToSkip):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileGetRestLength):
        (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::addressOfArgumentsStart):
        (JSC::ExecState::argument):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_argument_count):
        (JSC::JIT::emit_op_create_rest):
        (JSC::JIT::emit_op_copy_rest): Deleted.
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>

        Add a helper class for enumerating elements in an iterable object
        https://bugs.webkit.org/show_bug.cgi?id=160800

        Reviewed by Benjamin Poulain.

        Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
        and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.

        Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.

        * runtime/IteratorOperations.cpp:
        (JSC::iteratorForIterable): Added.
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable): Added.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
775
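Added example for the entry above (not JavaScriptCore's own runtime/IteratorOperations code): a JavaScript model of what an iteratorForIterable / forEachInIterable pair has to do under the ECMAScript iteration protocol, including the IteratorClose step that a constructor such as Map relies on when it rejects a bad entry mid-iteration. All function names and sample inputs below are constructed for illustration.

```javascript
// Added example, not JavaScriptCore's own runtime/IteratorOperations code: a
// JavaScript model of iteratorForIterable / forEachInIterable following the
// ECMAScript iteration protocol (GetIterator, IteratorStep, IteratorValue,
// IteratorClose on abrupt completion). Names and sample inputs are constructed.

// GetIterator: look up @@iterator, call it, and insist on an object result.
function iteratorForIterable(iterable) {
  const method = iterable == null ? undefined : iterable[Symbol.iterator];
  if (typeof method !== "function") {
    throw new TypeError("object is not iterable");
  }
  const iterator = method.call(iterable);
  if (iterator === null || (typeof iterator !== "object" && typeof iterator !== "function")) {
    throw new TypeError("result of the Symbol.iterator method is not an object");
  }
  return iterator;
}

// IteratorClose for a throw completion: call return() if present, but the
// original exception always wins over anything return() does or throws.
function closeIteratorAfterThrow(iterator) {
  try {
    const ret = iterator.return;
    if (ret !== undefined && ret !== null) ret.call(iterator);
  } catch (_) {
    // suppressed: the pending exception from the callback is what propagates
  }
}

// forEachInIterable: drive the iterator, hand each value to callback, and
// close the iterator if callback throws so it can release resources.
function forEachInIterable(iterable, callback) {
  const iterator = iteratorForIterable(iterable);
  const next = iterator.next; // cached once, like the Iterator Record's [[NextMethod]]
  for (;;) {
    const result = next.call(iterator);
    if (result === null || typeof result !== "object") {
      throw new TypeError("iterator result is not an object");
    }
    if (result.done) return;
    try {
      callback(result.value);
    } catch (e) {
      closeIteratorAfterThrow(iterator);
      throw e;
    }
  }
}

// The way a Map-style constructor consumes the helper: every iterated item must
// be an "entry object" (something with [0] and [1]); otherwise throw, closing
// the source iterator on the way out.
function collectEntries(iterable) {
  const entries = [];
  forEachInIterable(iterable, (item) => {
    if (item === null || typeof item !== "object") {
      throw new TypeError("Iterator value " + String(item) + " is not an entry object");
    }
    entries.push([item[0], item[1]]);
  });
  return entries;
}

// Constructed iterable that records whether return() was invoked, so the
// IteratorClose path is observable.
function makeTrackingIterable(items) {
  const state = { closed: false, yielded: 0 };
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i < items.length) { state.yielded++; return { value: items[i++], done: false }; }
          return { value: undefined, done: true };
        },
        return() { state.closed = true; return {}; },
      };
    },
  };
  return { iterable, state };
}

function demo() {
  const ok = collectEntries(new Map([["a", 1], ["b", 2]]));
  const { iterable, state } = makeTrackingIterable([["a", 1], "not-an-entry", ["c", 3]]);
  let errorName = null;
  try { collectEntries(iterable); } catch (e) { errorName = e.name; }
  // ok is [["a",1],["b",2]]; the bad iterable is closed after yielding 2 items.
  return { ok, closed: state.closed, yielded: state.yielded, errorName };
}
```

The point worth checking in any such helper is the close-on-throw path: an iterator backed by a resource (a file, a stream, a generator holding locks) only gets its return() call if the loop catches the callback's exception, closes, and rethrows, and any error raised by return() itself must not mask the original one.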
776 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
777
778         Remove unused includes of RefCountedLeakCounter.h
779         https://bugs.webkit.org/show_bug.cgi?id=160817
780
781         Reviewed by Mark Lam.
782
783         * parser/Nodes.cpp:
784         * runtime/Structure.cpp:
785
786 2016-08-12  Pranjal Jumde  <pjumde@apple.com>
787
788         ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
789         https://bugs.webkit.org/show_bug.cgi?id=160535
790         <rdar://problem/27328151>
791         
792         Reviewed by Saam Barati.
793
794         lineNumber from the savePoint was not being restored before calling next(), causing a discrepancy in the offset and line for the token.
795
796         * parser/Parser.h:
797         (JSC::Parser::restoreLexerState):
798
799 2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>
800
801         [ES2016] Implement Object.entries
802         https://bugs.webkit.org/show_bug.cgi?id=160412
803
804         Reviewed by Saam Barati.
805
806         This patch adds an entries function to Object that returns a list of
807         key+value pairs. The patch follows the
808         spec: https://tc39.github.io/ecma262/#sec-object.entries
809
810         * builtins/ObjectConstructor.js:
811         (globalPrivate.enumerableOwnProperties):
812         (entries):
813         * runtime/ObjectConstructor.cpp:
814
815 2016-08-11  Mark Lam  <mark.lam@apple.com>
816
817         OverridesHasInstance should not branch across register allocations.
818         https://bugs.webkit.org/show_bug.cgi?id=160792
819         <rdar://problem/27361778>
820
821         Reviewed by Benjamin Poulain.
822
823         The OverrideHasInstance node has a branch test that is emitted conditionally.
824         It also has a bug where it allocated a register after this branch, which is not
825         allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
826         From the ChangeLog for r145931:
827
828         "This [assertion that register allocations are not branched around] protects
829         against the case where an allocation could have spilled register contents to free
830         up a register and that spill only occurs on one path of many through the code.
831         A subsequent fill of the spilled register may load garbage."
832
833         Because the branch isn't always emitted, this bug has gone unnoticed until now.
834         This patch fixes this issue by pre-allocating the registers before emitting the
835         branch in OverrideHasInstance.
836
837         Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
838         is doing it right.
839
840         * dfg/DFGSpeculativeJIT64.cpp:
841         (JSC::DFG::SpeculativeJIT::compile):
842
843 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
844
845         [JSC] Make B3 Return opcode work without arguments
846         https://bugs.webkit.org/show_bug.cgi?id=160787
847
848         Reviewed by Keith Miller.
849
850         We need a way to create functions that do not return values.
851
852         * assembler/MacroAssembler.h:
853         (JSC::MacroAssembler::retVoid):
854         * b3/B3BasicBlock.cpp:
855         (JSC::B3::BasicBlock::appendNewControlValue):
856         * b3/B3LowerToAir.cpp:
857         (JSC::B3::Air::LowerToAir::lower):
858         * b3/B3Validate.cpp:
859         * b3/B3Value.h:
860         * b3/air/AirOpcode.opcodes:
861         * b3/testb3.cpp:
862         (JSC::B3::testReturnVoid):
863         (JSC::B3::run):
864
865 2016-08-11  Mark Lam  <mark.lam@apple.com>
866
867         Gardening: fix gcc builds after r204387. 
868
869         Not reviewed.
870
871         Apparently, gcc is not sophisticated enough to realize that the end of the
872         function is unreachable, and is wrongly complaining about "control reaches end of
873         non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
874         statement at the end of MarkedBlock::sweepHelper() to appease gcc.
875
876         * heap/MarkedBlock.cpp:
877         (JSC::MarkedBlock::sweepHelper):
878
879 2016-08-11  Alex Christensen  <achristensen@webkit.org>
880
881         Use StringBuilder::appendLiteral when possible don't append result of makeString
882         https://bugs.webkit.org/show_bug.cgi?id=160772
883
884         Reviewed by Sam Weinig.
885
886         * API/tests/ExecutionTimeLimitTest.cpp:
887         (testExecutionTimeLimit):
888         * API/tests/PingPongStackOverflowTest.cpp:
889         (PingPongStackOverflowObject_hasInstance):
890         * bytecompiler/NodesCodegen.cpp:
891         (JSC::ArrayPatternNode::toString):
892         (JSC::RestParameterNode::toString):
893         * runtime/ErrorInstance.cpp:
894         (JSC::ErrorInstance::sanitizedToString):
895         * runtime/Options.cpp:
896         (JSC::Options::dumpOption):
897
898 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
899
900         [JSC] Revert most of r203808
901         https://bugs.webkit.org/show_bug.cgi?id=160784
902
903         Reviewed by Geoffrey Garen.
904
905         Switching to fastMalloc() caused regressions on Jetstream and Octane
906         on MacBook Air. I was able to get back some of it in the following
907         patches but the tests that never go to FTL are still regressed.
908
909         This patch reverts r203808 except for the node index.
910         Nodes are allocated with the custom allocator like before but they are
911         now also kept in a table, addressed by the node index.
912
913         * CMakeLists.txt:
914         * JavaScriptCore.xcodeproj/project.pbxproj:
915         * b3/B3SparseCollection.h:
916         (JSC::B3::SparseCollection::packIndices): Deleted.
917         * dfg/DFGAllocator.h: Added.
918         (JSC::DFG::Allocator::Region::size):
919         (JSC::DFG::Allocator::Region::headerSize):
920         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
921         (JSC::DFG::Allocator::Region::data):
922         (JSC::DFG::Allocator::Region::isInThisRegion):
923         (JSC::DFG::Allocator::Region::regionFor):
924         (JSC::DFG::Allocator<T>::Allocator):
925         (JSC::DFG::Allocator<T>::~Allocator):
926         (JSC::DFG::Allocator<T>::allocate):
927         (JSC::DFG::Allocator<T>::free):
928         (JSC::DFG::Allocator<T>::freeAll):
929         (JSC::DFG::Allocator<T>::reset):
930         (JSC::DFG::Allocator<T>::indexOf):
931         (JSC::DFG::Allocator<T>::allocatorOf):
932         (JSC::DFG::Allocator<T>::bumpAllocate):
933         (JSC::DFG::Allocator<T>::freeListAllocate):
934         (JSC::DFG::Allocator<T>::allocateSlow):
935         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
936         (JSC::DFG::Allocator<T>::startBumpingIn):
937         * dfg/DFGDriver.cpp:
938         (JSC::DFG::compileImpl):
939         * dfg/DFGGraph.cpp:
940         (JSC::DFG::Graph::Graph):
941         (JSC::DFG::Graph::~Graph):
942         (JSC::DFG::Graph::addNodeToMapByIndex):
943         (JSC::DFG::Graph::deleteNode):
944         (JSC::DFG::Graph::packNodeIndices):
945         * dfg/DFGGraph.h:
946         (JSC::DFG::Graph::addNode):
947         (JSC::DFG::Graph::maxNodeCount):
948         (JSC::DFG::Graph::nodeAt):
949         * dfg/DFGLongLivedState.cpp: Added.
950         (JSC::DFG::LongLivedState::LongLivedState):
951         (JSC::DFG::LongLivedState::~LongLivedState):
952         (JSC::DFG::LongLivedState::shrinkToFit):
953         * dfg/DFGLongLivedState.h: Added.
954         * dfg/DFGNode.h:
955         * dfg/DFGNodeAllocator.h: Added.
956         (operator new ):
957         * dfg/DFGPlan.cpp:
958         (JSC::DFG::Plan::compileInThread):
959         (JSC::DFG::Plan::compileInThreadImpl):
960         * dfg/DFGPlan.h:
961         * dfg/DFGWorklist.cpp:
962         (JSC::DFG::Worklist::runThread):
963         * runtime/VM.cpp:
964         (JSC::VM::VM):
965         * runtime/VM.h:
966
967 2016-08-11  Mark Lam  <mark.lam@apple.com>
968
969         The jsc shell's Element host constructor should throw if it fails to construct an object.
970         https://bugs.webkit.org/show_bug.cgi?id=160773
971         <rdar://problem/27328608>
972
973         Reviewed by Saam Barati.
974
975         The Element object is a test object provided in the jsc shell for testing use only.
976         JavaScriptCore expects host constructors to either throw an error or return a
977         constructed object.  Element has a host constructor that did not obey this contract.
978         As a result, the following statement will fail a RELEASE_ASSERT:
979
980             new (Element.bind())
981
982         This is now fixed.
983
984         * jsc.cpp:
985         (functionCreateElement):
986
987 2016-08-11  Mark Lam  <mark.lam@apple.com>
988
989         Disallow synchronous sweeping for eden GCs.
990         https://bugs.webkit.org/show_bug.cgi?id=160716
991
992         Reviewed by Geoffrey Garen.
993
994         * heap/Heap.cpp:
995         (JSC::Heap::collectAllGarbage):
996         (JSC::Heap::collectAndSweep): Deleted.
997         * heap/Heap.h:
998         (JSC::Heap::collectAllGarbage): Deleted.
999         - No need for a separate collectAndSweep() anymore since we only call it for
1000           FullCollections.
1001         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
1002           IncrementalSweeper can bail earlier when it runs later.
1003
1004         * heap/MarkedBlock.cpp:
1005         (JSC::MarkedBlock::sweepHelper):
1006         - Removed the unreachable return statement.
1007
1008         * heap/MarkedBlock.h:
1009         - Document what "Retired" means.
1010
1011         * tools/JSDollarVMPrototype.cpp:
1012         (JSC::JSDollarVMPrototype::edenGC):
1013
1014 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
1015
1016         [Win] Warning fix.
1017         https://bugs.webkit.org/show_bug.cgi?id=160734
1018
1019         Reviewed by Sam Weinig.
1020
1021         Add static cast from int to uint32_t.
1022
1023         * bytecode/ArithProfile.h:
1024
1025 2016-08-10  Michael Saboff  <msaboff@apple.com>
1026
1027         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
1028         https://bugs.webkit.org/show_bug.cgi?id=160749
1029
1030         Reviewed by Filip Pizlo.
1031
1032         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
1033         emitPutByValWithCachedId() without linking the exception checks created by the
1034         code emitted.  This manifested itself in various ways depending on the processor.
1035         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
1036         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
1037         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
1038         an absolute address of 0.
1039
1040         Now we save the exception handler address for the original generated function and
1041         link the exception cases for these by-val stubs to this handler.
1042
1043         * bytecode/ByValInfo.h:
1044         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
1045         link to.
1046
1047         * jit/JIT.cpp:
1048         (JSC::JIT::link): Compute the linked exception handler address and pass it to
1049         the ByValInfo constructor.
1050         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
1051         exception handler if we have any by-val handlers.
1052
1053         * jit/JIT.h:
1054         Added a label for the exception handler.  We'll link this later for the
1055         by value handlers.
1056
1057         * jit/JITPropertyAccess.cpp:
1058         (JSC::JIT::privateCompileGetByValWithCachedId):
1059         (JSC::JIT::privateCompilePutByValWithCachedId):
1060         Link exception branches to the exception handler for the main function.
1061
1062 2016-08-10  Mark Lam  <mark.lam@apple.com>
1063
1064         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
1065         https://bugs.webkit.org/show_bug.cgi?id=160755
1066         <rdar://problem/27488507>
1067
1068         Reviewed by Filip Pizlo.
1069
1070         If the DFG sees that an inlined function will result in an OSR exit every time,
1071         it will treat all downstream blocks as dead.  However, it still needs to keep
1072         locals that are alive in the bytecode alive for the compiled function so that
1073         those locals are properly written to the stack by the OSR exit ramp.
1074
1075         The existing code neglected to do this.  This patch remedies this issue.
1076
1077         * dfg/DFGByteCodeParser.cpp:
1078         (JSC::DFG::ByteCodeParser::flushDirect):
1079         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
1080         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
1081         (JSC::DFG::ByteCodeParser::flushForTerminal):
1082
1083 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
1084
1085         [ES2016] Implement Object.values
1086         https://bugs.webkit.org/show_bug.cgi?id=160410
1087
1088         Reviewed by Saam Barati, Yusuke Suzuki.
1089
1090         This patch adds a values function to Object that returns a list of
1091         the object's own values. The patch follows the
1092         spec: http://tc39.github.io/ecma262/#sec-object.values
1093
1094         The patch also adds generic builtin intrinsic constants,
1095         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue,
1096         that are used in EnumerableOwnProperties to set the kind of operation
1097         and replace the private IterationKind enums in the following iterators:
1098         ArrayIterator, MapIterator, and SetIterator.
1099
1100         * JavaScriptCore.xcodeproj/project.pbxproj:
1101         * builtins/ObjectConstructor.js:
1102         (globalPrivate.enumerableOwnProperties):
1103         (values):
1104         * bytecode/BytecodeIntrinsicRegistry.cpp:
1105         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1106         * bytecode/BytecodeIntrinsicRegistry.h:
1107         * inspector/JSInjectedScriptHost.cpp:
1108         (Inspector::JSInjectedScriptHost::getInternalProperties):
1109         * runtime/ArrayIteratorPrototype.h:
1110         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
1111         * runtime/JSMapIterator.h:
1112         (JSC::JSMapIterator::create):
1113         (JSC::JSMapIterator::next):
1114         (JSC::JSMapIterator::kind):
1115         (JSC::JSMapIterator::JSMapIterator):
1116         * runtime/JSSetIterator.h:
1117         (JSC::JSSetIterator::create):
1118         (JSC::JSSetIterator::next):
1119         (JSC::JSSetIterator::kind):
1120         (JSC::JSSetIterator::JSSetIterator):
1121         * runtime/MapPrototype.cpp:
1122         (JSC::mapProtoFuncValues):
1123         (JSC::mapProtoFuncEntries):
1124         (JSC::mapProtoFuncKeys):
1125         (JSC::privateFuncMapIterator):
1126         * runtime/ObjectConstructor.cpp:
1127         * runtime/SetPrototype.cpp:
1128         (JSC::setProtoFuncValues):
1129         (JSC::setProtoFuncEntries):
1130         (JSC::privateFuncSetIterator):
1131
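Added example covering both the Object.values entry above and the Object.entries entry earlier in this log (not the project's builtins/ObjectConstructor.js): a JavaScript model of the EnumerableOwnProperties(O, kind) abstract operation parameterised by the three iteration kinds. The constant names mirror the @IterationKind* intrinsics the entry mentions; everything else, including the sample objects, is constructed here.

```javascript
// Added example, not JavaScriptCore's builtins/ObjectConstructor.js: a model of
// EnumerableOwnProperties(O, kind) with the three iteration kinds that back
// Object.keys / Object.values / Object.entries. Constant names follow the
// @IterationKind* intrinsics named in the log entry; values are arbitrary.
const IterationKindKey = 0;
const IterationKindValue = 1;
const IterationKindKeyValue = 2;

function enumerableOwnProperties(object, kind) {
  // ToObject(O): null and undefined are rejected, primitives are boxed.
  if (object === null || object === undefined) {
    throw new TypeError("Object.entries/values called on null or undefined");
  }
  const obj = Object(object);
  const results = [];
  // [[OwnPropertyKeys]] restricted to strings: integer-like keys ascending,
  // then string keys in insertion order. Symbol keys are never included.
  const keys = Object.getOwnPropertyNames(obj);
  for (const key of keys) {
    // The descriptor is read immediately before use for every key: a getter
    // run for an earlier key may have deleted this one or made it
    // non-enumerable, and the spec observes that change.
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined || !desc.enumerable) continue;
    if (kind === IterationKindKey) {
      results.push(key);
      continue;
    }
    const value = obj[key]; // Get(O, key): may invoke a getter with side effects
    if (kind === IterationKindValue) results.push(value);
    else results.push([key, value]);
  }
  return results;
}

function objectKeysOnly(o) { return enumerableOwnProperties(o, IterationKindKey); }
function objectValues(o) { return enumerableOwnProperties(o, IterationKindValue); }
function objectEntries(o) { return enumerableOwnProperties(o, IterationKindKeyValue); }

// Constructed sample: a getter on "a" deletes its sibling "b" while the
// enumeration is in progress, so "b" must not appear in the result.
function freshGetterObject() {
  return {
    get a() { delete this.b; return 1; },
    b: 2,
    c: 3,
  };
}

// Constructed sample mixing integer-like keys, string keys and a symbol key,
// to show ordering and symbol exclusion.
function mixedKeyObject() {
  return { b: 1, 2: "two", a: 3, 1: "one", [Symbol("s")]: 4 };
}

// objectEntries(freshGetterObject()) -> [["a",1],["c",3]]
// objectValues(mixedKeyObject())     -> ["one","two",1,3]
// objectValues("ab")                 -> ["a","b"]  (boxed string, "length" is non-enumerable)
```

The re-check of the descriptor inside the loop is the part that matters when the enumerated object is untrusted: a getter can mutate the object while it is being enumerated, and a one-pass "collect keys, then collect values" implementation would report stale or vanished properties. The model's output matches the built-in Object.entries / Object.values on the same inputs.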
1132 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1133
1134         [JSC] Speed up SparseCollection & related maps
1135         https://bugs.webkit.org/show_bug.cgi?id=160733
1136
1137         Reviewed by Saam Barati.
1138
1139         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
1140         This is unfortunate.
1141
1142         The first improvement is to build the new unique_ptr in the empty slot
1143         instead of moving a new value into it.
1144
1145         Previously, the code would load the previous value, test if it is null
1146         then invoke the destructor and finally fastFree(). The initial test
1147         obviously fails so that's a whole bunch of code that is never executed.
1148
1149         With the new code, we just have a store.
1150
1151         I also removed the bounds checking on our maps based on node index.
1152         Those bounds checks are never eliminated by clang because the index
1153         is always loaded from memory instead of being computed.
1154         There are unfortunately too many nodes processed and the bounds checks
1155         get costly.
1156
1157         * b3/B3SparseCollection.h:
1158         (JSC::B3::SparseCollection::add):
1159         * dfg/DFGGraph.h:
1160         (JSC::DFG::Graph::abstractValuesCache):
1161         * dfg/DFGInPlaceAbstractState.h:
1162
1163 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1164
1165         [JSC] Remove some useless code I left when rewriting CSE's large maps
1166         https://bugs.webkit.org/show_bug.cgi?id=160720
1167
1168         Reviewed by Michael Saboff.
1169
1170         * dfg/DFGCSEPhase.cpp:
1171         The maps m_worldMap && m_sideStateMap are useless. They come from the previous
1172         iteration that had weaker constraints.
1173
1174         Also move m_heapMap after m_fallbackStackMap since that is the order
1175         in which they are used in the algorithm.
1176
1177 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1178
1179         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
1180         https://bugs.webkit.org/show_bug.cgi?id=160708
1181
1182         Reviewed by Mark Lam.
1183
1184         * dfg/DFGAbstractInterpreter.h:
1185         * dfg/DFGAbstractInterpreterInlines.h:
1186         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
1187
1188 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
1189
1190         Sort the feature flags in the FEATURE_DEFINES lines
1191         https://bugs.webkit.org/show_bug.cgi?id=160742
1192
1193         Reviewed by Anders Carlsson.
1194
1195         * Configurations/FeatureDefines.xcconfig:
1196
1197 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1198
1199         [ES6] Add ModuleLoaderPrototype and move methods to it
1200         https://bugs.webkit.org/show_bug.cgi?id=160633
1201
1202         Reviewed by Saam Barati.
1203
1204         In the future, we need to add the ability (for users) to create new Loader objects.
1205         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
1206         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
1207
1208         No behavior change.
1209
1210         * CMakeLists.txt:
1211         * DerivedSources.make:
1212         * JavaScriptCore.xcodeproj/project.pbxproj:
1213         * builtins/ModuleLoaderObject.js:
1214         (setStateToMax): Deleted.
1215         (newRegistryEntry): Deleted.
1216         (ensureRegistered): Deleted.
1217         (forceFulfillPromise): Deleted.
1218         (fulfillFetch): Deleted.
1219         (fulfillTranslate): Deleted.
1220         (fulfillInstantiate): Deleted.
1221         (commitInstantiated): Deleted.
1222         (instantiation): Deleted.
1223         (requestFetch): Deleted.
1224         (requestTranslate): Deleted.
1225         (requestInstantiate): Deleted.
1226         (requestResolveDependencies.): Deleted.
1227         (requestResolveDependencies): Deleted.
1228         (requestInstantiateAll): Deleted.
1229         (requestLink): Deleted.
1230         (requestReady): Deleted.
1231         (link): Deleted.
1232         (moduleEvaluation): Deleted.
1233         (provide): Deleted.
1234         (loadAndEvaluateModule): Deleted.
1235         (loadModule): Deleted.
1236         (linkAndEvaluateModule): Deleted.
1237         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1238         (setStateToMax):
1239         (newRegistryEntry):
1240         (ensureRegistered):
1241         (forceFulfillPromise):
1242         (fulfillFetch):
1243         (fulfillTranslate):
1244         (fulfillInstantiate):
1245         (commitInstantiated):
1246         (instantiation):
1247         (requestFetch):
1248         (requestTranslate):
1249         (requestInstantiate):
1250         (requestResolveDependencies.):
1251         (requestResolveDependencies):
1252         (requestInstantiateAll):
1253         (requestLink):
1254         (requestReady):
1255         (link):
1256         (moduleEvaluation):
1257         (provide):
1258         (loadAndEvaluateModule):
1259         (loadModule):
1260         (linkAndEvaluateModule):
1261         * bytecode/BytecodeIntrinsicRegistry.cpp:
1262         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1263         * jsc.cpp:
1264         (GlobalObject::moduleLoaderResolve):
1265         (GlobalObject::moduleLoaderFetch):
1266         * runtime/Completion.cpp:
1267         (JSC::loadAndEvaluateModule):
1268         (JSC::loadModule):
1269         * runtime/JSGlobalObject.cpp:
1270         (JSC::JSGlobalObject::init):
1271         (JSC::JSGlobalObject::visitChildren):
1272         * runtime/JSGlobalObject.h:
1273         (JSC::JSGlobalObject::moduleLoader):
1274         (JSC::JSGlobalObject::moduleLoaderStructure):
1275         * runtime/JSModuleLoader.cpp: Added.
1276         (JSC::JSModuleLoader::JSModuleLoader):
1277         (JSC::JSModuleLoader::finishCreation):
1278         (JSC::printableModuleKey):
1279         (JSC::JSModuleLoader::provide):
1280         (JSC::JSModuleLoader::loadAndEvaluateModule):
1281         (JSC::JSModuleLoader::loadModule):
1282         (JSC::JSModuleLoader::linkAndEvaluateModule):
1283         (JSC::JSModuleLoader::resolve):
1284         (JSC::JSModuleLoader::fetch):
1285         (JSC::JSModuleLoader::translate):
1286         (JSC::JSModuleLoader::instantiate):
1287         (JSC::JSModuleLoader::evaluate):
1288         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1289         (JSC::JSModuleLoader::create):
1290         (JSC::JSModuleLoader::createStructure):
1291         * runtime/JSModuleRecord.h:
1292         * runtime/ModuleLoaderObject.cpp: Removed.
1293         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1294         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1295         (JSC::printableModuleKey): Deleted.
1296         (JSC::ModuleLoaderObject::provide): Deleted.
1297         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1298         (JSC::ModuleLoaderObject::loadModule): Deleted.
1299         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1300         (JSC::ModuleLoaderObject::resolve): Deleted.
1301         (JSC::ModuleLoaderObject::fetch): Deleted.
1302         (JSC::ModuleLoaderObject::translate): Deleted.
1303         (JSC::ModuleLoaderObject::instantiate): Deleted.
1304         (JSC::ModuleLoaderObject::evaluate): Deleted.
1305         (JSC::moduleLoaderObjectParseModule): Deleted.
1306         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1307         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1308         (JSC::moduleLoaderObjectResolve): Deleted.
1309         (JSC::moduleLoaderObjectFetch): Deleted.
1310         (JSC::moduleLoaderObjectTranslate): Deleted.
1311         (JSC::moduleLoaderObjectInstantiate): Deleted.
1312         (JSC::moduleLoaderObjectEvaluate): Deleted.
1313         * runtime/ModuleLoaderObject.h:
1314         (JSC::ModuleLoaderObject::create): Deleted.
1315         (JSC::ModuleLoaderObject::createStructure): Deleted.
1316         * runtime/ModuleLoaderPrototype.cpp: Added.
1317         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1318         (JSC::moduleLoaderPrototypeParseModule):
1319         (JSC::moduleLoaderPrototypeRequestedModules):
1320         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1321         (JSC::moduleLoaderPrototypeResolve):
1322         (JSC::moduleLoaderPrototypeFetch):
1323         (JSC::moduleLoaderPrototypeTranslate):
1324         (JSC::moduleLoaderPrototypeInstantiate):
1325         (JSC::moduleLoaderPrototypeEvaluate):
1326         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1327         (JSC::ModuleLoaderPrototype::create):
1328         (JSC::ModuleLoaderPrototype::createStructure):
1329
1330 2016-08-09  Saam Barati  <sbarati@apple.com>
1331
1332         JSBoundFunction should lazily generate its name string
1333         https://bugs.webkit.org/show_bug.cgi?id=160678
1334         <rdar://problem/27043194>
1335
1336         Reviewed by Mark Lam.
1337
1338         We were eagerly allocating the BoundFunction's 'name' string
1339         by prepending the "bound " prefix. This patch makes the 'name'
1340         string creation lazy like we do with ordinary JSFunctions.
1341
1342         This is a 25% speedup on the microbenchmark I added that measures
1343         bound function creation speed. Hopefully this also helps us recover
1344         from a 1% Speedometer regression that was introduced in the original
1345         bound function "bound " prefixing patch.
1346
1347         * runtime/JSBoundFunction.cpp:
1348         (JSC::JSBoundFunction::create):
1349         (JSC::JSBoundFunction::JSBoundFunction):
1350         (JSC::JSBoundFunction::finishCreation):
1351         * runtime/JSBoundFunction.h:
1352         * runtime/JSFunction.cpp:
1353         (JSC::JSFunction::finishCreation):
1354         (JSC::JSFunction::getOwnPropertySlot):
1355         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1356         (JSC::JSFunction::put):
1357         (JSC::JSFunction::deleteProperty):
1358         (JSC::JSFunction::defineOwnProperty):
1359         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1360         (JSC::JSFunction::reifyBoundNameIfNeeded):
1361         * runtime/JSFunction.h:
1362
1363 2016-08-09  George Ruan  <gruan@apple.com>
1364
1365         Implement functionality of media capture on iOS
1366         https://bugs.webkit.org/show_bug.cgi?id=158945
1367         <rdar://problem/26893343>
1368
1369         Reviewed by Tim Horton.
1370
1371         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1372         for iOS.
1373
1374 2016-08-09  Saam Barati  <sbarati@apple.com>
1375
1376         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1377         https://bugs.webkit.org/show_bug.cgi?id=160671
1378         <rdar://problem/27756112>
1379
1380         Reviewed by Mark Lam.
1381
1382         There was a bug in our captured variable analysis when a function has a default
1383         parameter expression that is a function that captures something from the parent scope.
1384         The bug was that we were relying on the SourceProviderCache to succeed for the
1385         analysis to work. This is obviously wrong. I've fixed this to work regardless
1386         of getting a cache hit. To prevent future bugs that rely on the success of the
1387         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1388
1389         * parser/Parser.cpp:
1390         (JSC::Parser<LexerType>::parseFunctionInfo):
1391         * parser/Parser.h:
1392         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1393         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1394         (JSC::Scope::collectFreeVariables):
1395         * runtime/Options.h:
1396
1397 2016-08-08  Mark Lam  <mark.lam@apple.com>
1398
1399         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1400         https://bugs.webkit.org/show_bug.cgi?id=160666
1401
1402         Reviewed by Keith Miller.
1403
1404         This assertion is benign.  JSFinalObject::visitChildren() calls
1405         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1406         later passes it to visitor.appendValuesHidden() with a previously computed
1407         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1408         However, before we get there, JSObject::inlineStorage() will be asserting
1409         hasInlineStorage() and this assertion will fail when storageSize is 0.
1410
1411         We can fix this assertion failure by simply adding a storageSize check before
1412         calling hasInlineStorage() and visitor.appendValuesHidden().
1413
1414         * runtime/JSObject.cpp:
1415         (JSC::JSFinalObject::visitChildren):
1416
1417 2016-08-08  Brian Burg  <bburg@apple.com>
1418
1419         Web Inspector: clean up prefixing of Automation protocol generated files
1420         https://bugs.webkit.org/show_bug.cgi?id=160635
1421         <rdar://problem/27735327>
1422
1423         Reviewed by Timothy Hatcher.
1424
1425         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1426
1427         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1428         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1429
1430         * inspector/scripts/codegen/cpp_generator.py:
1431         (CppGenerator.protocol_name):
1432         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1433         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1434         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1435         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1436         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1437
1438         * inspector/scripts/codegen/models.py:
1439         * inspector/scripts/codegen/objc_generator.py:
1440         (ObjCGenerator.protocol_name):
1441
1442         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1443         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1444         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1445         * inspector/scripts/tests/expected/enum-values.json-result:
1446         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1447         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1448         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1449         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1450         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1451         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1452         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1453         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1454         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1455         Rebaseline test results.
1456
1457 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1458
1459         [ES6] Module namespace object should not allow unset IC
1460         https://bugs.webkit.org/show_bug.cgi?id=160553
1461
1462         Reviewed by Saam Barati.
1463
1464         Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
1465         the structure. We should disable inline caching onto the namespace object. Once it is needed, we should
1466         create the special caching for namespace object like the following: it should be similar to monomorphic IC,
1467         but it caches the object itself instead of the structure. It checks the object itself (and in DFG, it should be
1468         CheckCell) and loads the value from the target module environment directly[1].
1469
1470         And this patch also sets setIsTaintedByProxy for the module namespace object to notify the caller that
1471         this object has an impure ::getOwnPropertySlot. This function is now renamed to setIsTaintedByOpaqueObject.
1472
1473         We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
1474         for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So, in order not to throw any
1475         errors for the ::HasProperty case, we used slot.setCustom to delay the observable operation.
1476         But this hack lacks support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
1477         However, the previous implementation does not throw an error since the delayed observable part (the custom function part) is
1478         skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
1479         in test262.
1480
1481         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1482
1483         * jit/JITOperations.cpp:
1484         * runtime/ArrayPrototype.cpp:
1485         (JSC::getProperty):
1486         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1487         (JSC::constructGenericTypedArrayViewWithArguments):
1488         * runtime/JSModuleNamespaceObject.cpp:
1489         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1490         (JSC::callbackGetter): Deleted.
1491         * runtime/JSModuleNamespaceObject.h:
1492         * runtime/PropertySlot.cpp:
1493         (JSC::PropertySlot::getPureResult):
1494         * runtime/PropertySlot.h:
1495         (JSC::PropertySlot::PropertySlot):
1496         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1497         (JSC::PropertySlot::isTaintedByOpaqueObject):
1498         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1499         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1500         * runtime/ProxyObject.cpp:
1501         (JSC::ProxyObject::getOwnPropertySlotCommon):
1502
1503 2016-08-05  Keith Miller  <keith_miller@apple.com>
1504
1505         Add LEBDecoder and tests
1506         https://bugs.webkit.org/show_bug.cgi?id=160625
1507
1508         Reviewed by Benjamin Poulain.
1509
1510         Adds a new target testWASM that is currently used to test the LEB decoder.
1511         In the future, if we add more support for WASM we will put more tests
1512         here.
1513
1514         * JavaScriptCore.xcodeproj/project.pbxproj:
1515         * testWASM.cpp: Added.
1516         (CommandLine::CommandLine):
1517         (printUsageStatement):
1518         (CommandLine::parseArguments):
1519         (runLEBTests):
1520         (main):
1521
1522 2016-08-05  Keith Miller  <keith_miller@apple.com>
1523
1524         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1525         https://bugs.webkit.org/show_bug.cgi?id=160620
1526
1527         Reviewed by Filip Pizlo.
1528
1529         * dfg/DFGSpeculativeJIT32_64.cpp:
1530         (JSC::DFG::SpeculativeJIT::compile):
1531
1532 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1533
1534         [JSC] Remove the first LocalCSE
1535         https://bugs.webkit.org/show_bug.cgi?id=160615
1536
1537         Reviewed by Saam Barati.
1538
1539         LocalCSE is the most expensive phase in DFG (excluding FTL).
1540
1541         The combination of two LocalCSEs does not seem to pay for its cost.
1542         Doing a single LocalCSE after ConstantFolding and StrengthReduction
1543         is always a win on my machine.
1544
1545         * dfg/DFGCleanUpPhase.cpp:
1546         (JSC::DFG::CleanUpPhase::run):
1547         * dfg/DFGPlan.cpp:
1548         (JSC::DFG::Plan::compileInThreadImpl):
1549
1550 2016-08-05  Saam Barati  <sbarati@apple.com>
1551
1552         various math operations don't properly check for an exception after calling toNumber() on the lhs
1553         https://bugs.webkit.org/show_bug.cgi?id=160154
1554
1555         Reviewed by Mark Lam.
1556
1557         We must check for an exception after calling toNumber() on the lhs
1558         because this can throw an exception. If we called toNumber() on
1559         the rhs without first checking for an exception after the toNumber()
1560         on the lhs, this can lead us to execute effectful code or deviate
1561         from the standard in subtle ways. I fixed this bug in various places
1562         by always checking for an exception after calling toNumber() on the
1563         lhs for the various bit and arithmetic operations.
1564
1565         This patch also found a commutativity bug inside DFGStrengthReduction.
1566         We could end up commuting the lhs and rhs of, say, an "|" expression
1567         even when the lhs/rhs may not be numbers. This is wrong because
1568         executing toNumber() on the lhs/rhs has strict ordering guarantees
1569         by the specification and is observable by user programs.
1570
1571         * dfg/DFGOperations.cpp:
1572         * dfg/DFGStrengthReductionPhase.cpp:
1573         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1574         * jit/JITOperations.cpp:
1575         * runtime/CommonSlowPaths.cpp:
1576         (JSC::SLOW_PATH_DECL):
1577         * runtime/Operations.cpp:
1578         (JSC::jsAddSlowCase):
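
        The ordering rule described in the entry above, as an added example that is not part of the
        ChangeLog or of JavaScriptCore itself: it makes ToNumber() on the lhs and rhs observable from
        script via valueOf(), checks that an exception from the lhs stops evaluation before the rhs is
        converted, and shows why swapping the operands of "|" is observable when they may not be numbers.
        Operand values (6 and 3) and the operator table are constructed for the example.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// Build an operand whose ToNumber() conversion is visible: valueOf() logs its
// name and optionally throws, which is exactly what a user program can observe.
function makeOperand(name, value, log, shouldThrow = false) {
  return {
    valueOf() {
      log.push(name);
      if (shouldThrow) throw new Error(`${name} threw in valueOf`);
      return value;
    },
  };
}

// The kinds of binary operators the entry covers (bitwise and arithmetic).
const OPS = {
  or:  (a, b) => a | b,
  and: (a, b) => a & b,
  xor: (a, b) => a ^ b,
  shl: (a, b) => a << b,
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
};

// Evaluate OPS[opName](lhs, rhs) with lhs = 6 and rhs = 3 (constructed values) and
// return the result or the error message, plus the order of operand conversions.
function evaluateWithTrace(opName, { lhsThrows = false, rhsThrows = false } = {}) {
  const log = [];
  const lhs = makeOperand("lhs", 6, log, lhsThrows);
  const rhs = makeOperand("rhs", 3, log, rhsThrows);
  try {
    return { value: OPS[opName](lhs, rhs), order: log };
  } catch (e) {
    return { error: e.message, order: log };
  }
}

// Check the two properties the patch enforces for every operator:
//  1. the lhs is converted before the rhs;
//  2. when the lhs conversion throws, the rhs conversion never runs, so no
//     effectful rhs code executes after the exception.
function checkConversionOrder() {
  const report = {};
  for (const opName of Object.keys(OPS)) {
    const normal = evaluateWithTrace(opName);
    const lhsFails = evaluateWithTrace(opName, { lhsThrows: true });
    report[opName] = {
      lhsBeforeRhs: normal.order.join(",") === "lhs,rhs",
      rhsSkippedOnLhsThrow: lhsFails.error !== undefined && !lhsFails.order.includes("rhs"),
    };
  }
  return report;
}

// Why StrengthReduction may not commute operands unless both are known numbers:
// for "|" the numeric result of the swapped expression is identical, but the
// conversion order (and therefore which side effect or exception comes first) is not.
function commutationIsObservable(opName) {
  const log1 = [];
  const original = OPS[opName](makeOperand("lhs", 6, log1), makeOperand("rhs", 3, log1));
  const log2 = [];
  const swapped = OPS[opName](makeOperand("rhs", 3, log2), makeOperand("lhs", 6, log2));
  return { sameValue: original === swapped, sameOrder: log1.join(",") === log2.join(",") };
}

console.log(JSON.stringify(checkConversionOrder()));
console.log(JSON.stringify(commutationIsObservable("or")));
```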
1579
1580 2016-08-05  Michael Saboff  <msaboff@apple.com>
1581
1582         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1583         https://bugs.webkit.org/show_bug.cgi?id=160614
1584
1585         Reviewed by Keith Miller.
1586
1587         In compilePutByValForIntTypedArray() we were calling out to the slow path
1588         operationToInt32() and then returning back to the middle of code to finish
1589         the processing of writing the value to the array.  When we make the slow
1590         path call, we trash any temporary registers that have been allocated.
1591         In general, slow path calls should finish the operation in progress and
1592         continue processing at the beginning of the next node.
1593
1594         This was discovered while working on the register argument changes, when
1595         we SpeculateStrictInt32Operand on the value child node.  That child node's
1596         value was live in a register with a spill format of DataFormatJSInt32.  In that
1597         case we allocate a new temporary register and copy just the lower 32 bits from
1598         the child register to the new temp register.  That temp register gets trashed
1599         when we make the operationToInt32() slow path call.
1600
1601         I spent some time trying to devise a test with the current code base and wasn't
1602         successful.  This case is tested with the register argument changes in progress.
1603
1604         * dfg/DFGSpeculativeJIT.cpp:
1605         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1606
1607 2016-08-05  Saam Barati  <sbarati@apple.com>
1608
1609         Assertion failure when accessing TDZ variable in catch through eval
1610         https://bugs.webkit.org/show_bug.cgi?id=160554
1611
1612         Reviewed by Mark Lam and Keith Miller.
1613
1614         When we were calculating the variables under TDZ from a JSScope,
1615         the algorithm was not taking into account that a catch scope
1616         has variables under TDZ.
1617
1618         * runtime/JSScope.cpp:
1619         (JSC::JSScope::collectVariablesUnderTDZ):
1620
1621 2016-08-05  Keith Miller  <keith_miller@apple.com>
1622
1623         Delete out of date WASM code.
1624         https://bugs.webkit.org/show_bug.cgi?id=160603
1625
1626         Reviewed by Saam Barati.
1627
1628         This patch removes a bunch of the wasm files that we are unlikely to use
1629         with the newer wasm spec. If we end up needing any of the deleted code
1630         later we can restore it at that time.
1631
1632         * CMakeLists.txt:
1633         * JavaScriptCore.xcodeproj/project.pbxproj:
1634         * jit/JITOperations.cpp:
1635         * jsc.cpp:
1636         (GlobalObject::finishCreation): Deleted.
1637         (functionLoadWebAssembly): Deleted.
1638         * llint/LLIntSlowPaths.cpp:
1639         (JSC::LLInt::setUpCall): Deleted.
1640         * runtime/Executable.cpp:
1641         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1642         * runtime/JSGlobalObject.cpp:
1643         (JSC::JSGlobalObject::init): Deleted.
1644         (JSC::JSGlobalObject::visitChildren): Deleted.
1645         * runtime/JSGlobalObject.h:
1646         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1647         * wasm/WASMConstants.h: Removed.
1648         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1649         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1650         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1651         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1652         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1653         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1654         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1655         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1656         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1657         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1658         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1659         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1660         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1661         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1662         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1663         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1664         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1665         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1666         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1667         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1668         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1669         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1670         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1671         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1672         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1673         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1674         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1675         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1676         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1677         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1678         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1679         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1680         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1681         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1682         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1683         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1684         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1685         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1686         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1687         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1688         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1689         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1690         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1691         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1692         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1693         * wasm/WASMFunctionCompiler.h: Removed.
1694         (JSC::operationConvertJSValueToInt32): Deleted.
1695         (JSC::operationConvertJSValueToDouble): Deleted.
1696         (JSC::operationDiv): Deleted.
1697         (JSC::operationMod): Deleted.
1698         (JSC::operationUnsignedDiv): Deleted.
1699         (JSC::operationUnsignedMod): Deleted.
1700         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1701         (JSC::sizeOfMemoryType): Deleted.
1702         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1703         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1704         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1705         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1706         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1707         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1708         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1709         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1710         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1711         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1712         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1713         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1714         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1715         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1716         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1717         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1718         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1719         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1720         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1721         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1722         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1723         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1724         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1725         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1726         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1727         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1728         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1729         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1730         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1731         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1732         (JSC::WASMFunctionCompiler::discard): Deleted.
1733         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1734         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1735         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1736         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1737         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1738         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1739         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1740         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1741         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1742         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1743         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1744         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1745         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1746         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1747         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1748         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1749         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1750         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1751         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1752         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1753         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1754         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1755         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1756         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1757         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1758         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1759         * wasm/WASMFunctionParser.cpp: Removed.
1760         (JSC::nameOfType): Deleted.
1761         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1762         (JSC::WASMFunctionParser::compile): Deleted.
1763         (JSC::WASMFunctionParser::parseFunction): Deleted.
1764         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1765         (JSC::WASMFunctionParser::parseStatement): Deleted.
1766         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1767         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1768         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1769         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1770         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1771         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1772         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1773         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1774         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1775         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1776         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1777         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1778         (JSC::WASMFunctionParser::parseExpression): Deleted.
1779         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1780         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1781         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1782         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1783         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1784         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1785         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1786         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1787         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1788         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1789         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1790         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1791         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1792         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1793         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1794         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1795         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1796         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1797         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1798         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1799         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1800         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1801         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1802         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1803         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1804         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1805         (JSC::WASMFunctionParser::parseLoad): Deleted.
1806         (JSC::WASMFunctionParser::parseStore): Deleted.
1807         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1808         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1809         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1810         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1811         (JSC::WASMFunctionParser::parseConditional): Deleted.
1812         (JSC::WASMFunctionParser::parseComma): Deleted.
1813         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1814         * wasm/WASMFunctionParser.h: Removed.
1815         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1816         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1817         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1818         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1819         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1820         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1821         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1822         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1823         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1824         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1825         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1826         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1827         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1828         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1829         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1830         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1831         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1832         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1833         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1834         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1835         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1836         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1837         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1838         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1839         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1840         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1841         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1842         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1843         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1844         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1845         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1846         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1847         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1848         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1849         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1850         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1851         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1852         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1853         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1854         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1855         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1856         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1857         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1858         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1859         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1860         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1861         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1862         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1863         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1864         * wasm/WASMModuleParser.cpp: Removed.
1865         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1866         (JSC::WASMModuleParser::parse): Deleted.
1867         (JSC::WASMModuleParser::parseModule): Deleted.
1868         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1869         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1870         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1871         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1872         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1873         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1874         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1875         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1876         (JSC::WASMModuleParser::parseExportSection): Deleted.
1877         (JSC::WASMModuleParser::getImportedValue): Deleted.
1878         (JSC::parseWebAssembly): Deleted.
1879         * wasm/WASMModuleParser.h: Removed.
1880         * wasm/WASMReader.cpp: Removed.
1881         (JSC::WASMReader::readUInt32): Deleted.
1882         (JSC::WASMReader::readFloat): Deleted.
1883         (JSC::WASMReader::readDouble): Deleted.
1884         (JSC::WASMReader::readCompactInt32): Deleted.
1885         (JSC::WASMReader::readCompactUInt32): Deleted.
1886         (JSC::WASMReader::readString): Deleted.
1887         (JSC::WASMReader::readType): Deleted.
1888         (JSC::WASMReader::readExpressionType): Deleted.
1889         (JSC::WASMReader::readExportFormat): Deleted.
1890         (JSC::WASMReader::readByte): Deleted.
1891         (JSC::WASMReader::readOpStatement): Deleted.
1892         (JSC::WASMReader::readOpExpressionI32): Deleted.
1893         (JSC::WASMReader::readOpExpressionF32): Deleted.
1894         (JSC::WASMReader::readOpExpressionF64): Deleted.
1895         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1896         (JSC::WASMReader::readVariableTypes): Deleted.
1897         (JSC::WASMReader::readOp): Deleted.
1898         (JSC::WASMReader::readSwitchCase): Deleted.
1899         * wasm/WASMReader.h: Removed.
1900         (JSC::WASMReader::WASMReader): Deleted.
1901         (JSC::WASMReader::offset): Deleted.
1902         (JSC::WASMReader::setOffset): Deleted.
1903
1904 2016-08-05  Keith Miller  <keith_miller@apple.com>
1905
1906         Fix 32-bit OverridesHasInstance in the DFG.
1907         https://bugs.webkit.org/show_bug.cgi?id=160600
1908
1909         Reviewed by Mark Lam.
1910
1911         In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
1912         do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
1913         was a constant late in compilation. That fix was omitted from the 32-bit version,
1914         causing the new test to fail.
1915
1916         * dfg/DFGSpeculativeJIT32_64.cpp:
1917         (JSC::DFG::SpeculativeJIT::compile):
1918
1919 2016-08-04  Saam Barati  <sbarati@apple.com>
1920
1921         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1922         https://bugs.webkit.org/show_bug.cgi?id=151241
1923
1924         Reviewed by Benjamin Poulain.
1925
1926         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
1927         We can now jettison a CodeBlock when it has been alive for a long time
1928         and is only pointed to by its owner executable. I haven't been able to get this
1929         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
1930         were causing this before. I've also added some stress options for this feature that
1931         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
1932         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
1933         and then the Executable would do some other allocations, causing a GC, immediately causing
1934         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before.
1935         However, it's unlikely given that the previous timing metrics require at least 5 seconds between
1936         compiling and jettisoning.
1937
1938         This patch also enables the stress options for various modes
1939         of JSC stress tests.
1940
1941         * bytecode/CodeBlock.cpp:
1942         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1943         (JSC::timeToLive):
1944         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1945         * interpreter/CallFrame.h:
1946         (JSC::ExecState::callee):
1947         (JSC::ExecState::unsafeCallee):
1948         (JSC::ExecState::codeBlock):
1949         (JSC::ExecState::addressOfCodeBlock):
1950         (JSC::ExecState::unsafeCodeBlock):
1951         (JSC::ExecState::scope):
1952         * interpreter/Interpreter.cpp:
1953         (JSC::Interpreter::execute):
1954         (JSC::Interpreter::executeCall):
1955         (JSC::Interpreter::executeConstruct):
1956         (JSC::Interpreter::prepareForRepeatCall):
1957         * jit/JITOperations.cpp:
1958         * llint/LLIntSlowPaths.cpp:
1959         (JSC::LLInt::setUpCall):
1960         * runtime/Executable.cpp:
1961         (JSC::ScriptExecutable::installCode):
1962         (JSC::setupJIT):
1963         (JSC::ScriptExecutable::prepareForExecutionImpl):
1964         * runtime/Executable.h:
1965         (JSC::ScriptExecutable::prepareForExecution):
1966         * runtime/Options.h:
1967
1968 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1969
1970         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1971         https://bugs.webkit.org/show_bug.cgi?id=160549
1972
1973         Reviewed by Saam Barati.
1974
1975         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1976
1977         * runtime/JSModuleNamespaceObject.cpp:
1978         (JSC::JSModuleNamespaceObject::finishCreation):
1979
1980 2016-08-04  Keith Miller  <keith_miller@apple.com>
1981
1982         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1983         https://bugs.webkit.org/show_bug.cgi?id=160562
1984         <rdar://problem/27704825>
1985
1986         Reviewed by Mark Lam.
1987
1988         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1989         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1990         associated with the assumption that this could not happen.
1991
1992         * dfg/DFGSpeculativeJIT64.cpp:
1993         (JSC::DFG::SpeculativeJIT::compile):
1994         * ftl/FTLLowerDFGToB3.cpp:
1995         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1996
1997 2016-08-04  Keith Miller  <keith_miller@apple.com>
1998
1999         Remove unused intrinsic member of NativeExecutable
2000         https://bugs.webkit.org/show_bug.cgi?id=160560
2001
2002         Reviewed by Saam Barati.
2003
2004         NativeExecutable has an Intrinsic member. It appears that this member is never
2005         used. Instead we use the Intrinsic member of NativeExecutable's super class,
2006         ExecutableBase.
2007
2008         * runtime/Executable.h:
2009
2010 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
2011
2012         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
2013         https://bugs.webkit.org/show_bug.cgi?id=160539
2014
2015         Reviewed by Mark Lam.
2016
2017         This patch does small improvements to our handling
2018         of value propagation to the successors.
2019
2020         One key insight is that using HashMap to map Nodes
2021         to Values in valuesAtTail is too inefficient at the scale
2022         we use it. Instead, I reuse our existing mapping
2023         from every Node to its value, abstracted by forNode().
2024
2025         Since we are not going to use the mapping after endBasicBlock()
2026         I can replace whatever we had there. The next beginBasicBlock()
2027         will setup the new value as needed.
2028
2029         In endBasicBlock(), valuesAtTail is now a vector of all values live
2030         at tail. For each node, I merge the previous live at tail with
2031         the new value, then replace the value in the mapping.
2032         Liveness Analysis guarantees we won't have duplicates there, which
2033         makes the replacement sound.
2034
2035         Next, when propagating, I take the vector of values live at head
2036         and use the global node->value mapping to find its new abstract value.
2037         Again, Liveness Analysis guarantees I won't find a value live at head
2038         that was not replaced by the merging at tail of the predecessor.
2039
2040         All our live lists have become vectors instead of HashTables.
2041         The mapping from Node to Value is always done by array indexing.
2042         Same big-O, much smaller constant.
2043
2044         * dfg/DFGAtTailAbstractState.cpp:
2045         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2046         (JSC::DFG::AtTailAbstractState::createValueForNode):
2047         (JSC::DFG::AtTailAbstractState::forNode):
2048         * dfg/DFGAtTailAbstractState.h:
2049         I did not look much into this state, I just made it equivalent
2050         to the previous mapping.
2051
2052         * dfg/DFGBasicBlock.h:
2053         * dfg/DFGCFAPhase.cpp:
2054         (JSC::DFG::CFAPhase::performBlockCFA):
2055         * dfg/DFGGraph.cpp:
2056         (JSC::DFG::Graph::dump):
2057         * dfg/DFGInPlaceAbstractState.cpp:
2058         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2059
2060         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2061         AbstractValue is big enough that we really don't want to copy it twice.
2062
2063         (JSC::DFG::InPlaceAbstractState::merge):
2064         (JSC::DFG::setLiveValues): Deleted.
2065         * dfg/DFGInPlaceAbstractState.h:
2066
2067         * dfg/DFGPhiChildren.h:
2068         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
2069
2070 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2071
2072         [ES7] Update features.json for exponentiation expression
2073         https://bugs.webkit.org/show_bug.cgi?id=160541
2074
2075         Reviewed by Mark Lam.
2076
2077         * features.json:
2078
2079 2016-08-03  Chris Dumez  <cdumez@apple.com>
2080
2081         Drop DocumentType.internalSubset attribute
2082         https://bugs.webkit.org/show_bug.cgi?id=160530
2083
2084         Reviewed by Alex Christensen.
2085
2086         Drop DocumentType.internalSubset attribute.
2087
2088         * inspector/protocol/DOM.json:
2089
2090 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
2091
2092         [JSC] Improve the memory locality of DFG Node's AbstractValues
2093         https://bugs.webkit.org/show_bug.cgi?id=160443
2094
2095         Reviewed by Mark Lam.
2096
2097         The AbstractInterpreter spends a lot of time on memory operations
2098         for AbstractValues. This patch attempts to improve the situation
2099         by putting the values closer together in memory.
2100
2101         First, AbstractValue is moved out of DFG::Node and is kept in
2102         a vector addressed by node indices.
2103
2104         I initially moved them to InPlaceAbstractState but I quickly discovered
2105         initializing the values in the vector was costly.
2106         I moved the vector to Graph as a cache shared by every instantiation of
2107         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
2108         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
2109         should also help eventually.
2110
2111         I instrumented CFA to find how packed is SparseCollection.
2112         The answer is it can be very sparse, which is bad for CFA.
2113         I added packIndices() to repack the collection before running
2114         liveness since that's where we start using the memory intensively.
2115         This is a measurable improvement but it implies we can no longer
2116         keep indices on a side channel between phases since they may change.
2117
2118         * b3/B3SparseCollection.h:
2119         (JSC::B3::SparseCollection::packIndices):
2120         * dfg/DFGGraph.cpp:
2121         (JSC::DFG::Graph::packNodeIndices):
2122         * dfg/DFGGraph.h:
2123         (JSC::DFG::Graph::abstractValuesCache):
2124         * dfg/DFGInPlaceAbstractState.cpp:
2125         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2126         * dfg/DFGInPlaceAbstractState.h:
2127         (JSC::DFG::InPlaceAbstractState::forNode):
2128         * dfg/DFGLivenessAnalysisPhase.cpp:
2129         (JSC::DFG::performLivenessAnalysis):
2130         * dfg/DFGNode.h:
2131
2132 2016-08-03  Caitlin Potter  <caitp@igalia.com>
2133
2134         Clarify SyntaxErrors around yield and unskip tests
2135         https://bugs.webkit.org/show_bug.cgi?id=158460
2136
2137         Reviewed by Saam Barati.
2138
2139         Fix and unskip tests which erroneously asserted that `yield` is not a
2140         valid BindingIdentifier, and improve error message for YieldExpressions
2141         occurring in Arrow formal parameters.
2142
2143         * parser/Parser.cpp:
2144         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
2145         (JSC::Parser<LexerType>::parseFunctionInfo):
2146         (JSC::Parser<LexerType>::parseYieldExpression):
2147         * parser/Parser.h:
2148
2149 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
2150
2151         REGRESSION(r203368): broke some test262 tests
2152         https://bugs.webkit.org/show_bug.cgi?id=160479
2153
2154         Reviewed by Mark Lam.
2155         
2156         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
2157         Accessor properties.
2158
2159         * runtime/Structure.cpp:
2160         (JSC::Structure::nonPropertyTransition):
2161         * runtime/StructureTransitionTable.h:
2162         (JSC::setsDontDeleteOnAllProperties):
2163         (JSC::setsReadOnlyOnNonAccessorProperties):
2164         (JSC::setsReadOnlyOnAllProperties): Deleted.
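
The distinction the fix above restores, shown from JavaScript as an added example that is not part of this ChangeLog or of WebKit's code (it assumes any ES2015-capable engine; the function and property names are illustrative):

```javascript
// Added example (not WebKit code): what Object.freeze must and must not do to
// accessor properties. ReadOnly/writable applies to data properties only; an
// accessor keeps its setter after freeze, and Object.isFrozen is still true.
function freezeAccessorBehaviour() {
  let backing = 1; // closure state reachable only through the accessor
  const obj = {
    data: 1,
    get acc() { return backing; },
    set acc(v) { backing = v; },
  };
  Object.freeze(obj);

  const dataDesc = Object.getOwnPropertyDescriptor(obj, 'data');
  const accDesc = Object.getOwnPropertyDescriptor(obj, 'acc');

  // Reflect.set reports success or failure without depending on strict mode:
  // false for the now non-writable data property, true for the accessor
  // (the setter runs and mutates the closure).
  const dataSetOk = Reflect.set(obj, 'data', 42);
  const accSetOk = Reflect.set(obj, 'acc', 42);

  return {
    frozen: Object.isFrozen(obj),
    dataWritable: dataDesc.writable,
    dataConfigurable: dataDesc.configurable,
    accHasWritable: Object.prototype.hasOwnProperty.call(accDesc, 'writable'),
    accConfigurable: accDesc.configurable,
    accSetterKept: typeof accDesc.set === 'function',
    dataSetOk,
    accSetOk,
    dataAfter: obj.data,
    backingAfter: backing,
  };
}

// A freeze-based "immutable" object is only as immutable as its data
// properties. This check reports whether any own property is an accessor,
// i.e. whether a setter could still run on the frozen object.
function hasOwnAccessor(o) {
  return Object.getOwnPropertyNames(o).some((k) => {
    const d = Object.getOwnPropertyDescriptor(o, k);
    return 'get' in d || 'set' in d;
  });
}
```

The practical caveat for anyone hardening objects with Object.freeze: freeze makes data properties read-only and every property non-configurable, but a setter on the frozen object still runs and can still mutate state it closes over, and Object.isFrozen reports true regardless. hasOwnAccessor() is the extra check to pair with it when the intent is that nothing observable can change.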
2165
2166 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
2167
2168         Lacking support on an arm-traditional disassembler.
2169         https://bugs.webkit.org/show_bug.cgi?id=123717
2170
2171         Reviewed by Mark Lam.
2172
2173         * CMakeLists.txt:
2174         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
2175         (JSC::tryToDisassemble):
2176
2177 2016-08-03  Saam Barati  <sbarati@apple.com>
2178
2179         Implement nested rest destructuring w.r.t the ES7 spec
2180         https://bugs.webkit.org/show_bug.cgi?id=160423
2181
2182         Reviewed by Filip Pizlo.
2183
2184         The spec has updated the BindingRestElement grammar production to be:
2185         BindingRestElement:
2186            BindingIdentifier
2187            BindingPattern
2188
2189         It used to only allow BindingIdentifier in the grammar production.
2190         I've updated our engine to account for this. The semantics are exactly
2191         what you'd expect.  For example:
2192         `let [a, ...[b, ...c]] = expr();`
2193         means that we create an array for the first rest element `...[b, ...c]`
2194         and then perform the binding of `[b, ...c]` to that array. And so on, 
2195         applied recursively through the pattern.
2196
2197         * bytecompiler/NodesCodegen.cpp:
2198         (JSC::RestParameterNode::collectBoundIdentifiers):
2199         (JSC::RestParameterNode::toString):
2200         (JSC::RestParameterNode::bindValue):
2201         (JSC::RestParameterNode::emit):
2202         * parser/ASTBuilder.h:
2203         (JSC::ASTBuilder::createBindingLocation):
2204         (JSC::ASTBuilder::createRestParameter):
2205         (JSC::ASTBuilder::createAssignmentElement):
2206         * parser/NodeConstructors.h:
2207         (JSC::AssignmentElementNode::AssignmentElementNode):
2208         (JSC::RestParameterNode::RestParameterNode):
2209         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2210         * parser/Nodes.h:
2211         (JSC::RestParameterNode::name): Deleted.
2212         * parser/Parser.cpp:
2213         (JSC::Parser<LexerType>::parseDestructuringPattern):
2214         (JSC::Parser<LexerType>::parseFormalParameters):
2215         * parser/SyntaxChecker.h:
2216         (JSC::SyntaxChecker::operatorStackPop):
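
The semantics described above, as an added example that is not code from this ChangeLog or from WebKit (it assumes an engine implementing the updated BindingRestElement production; the function names are illustrative):

```javascript
// Added example (not WebKit code): BindingRestElement may now be a
// BindingPattern, so the rest target itself is destructured recursively.
function nestedRest(input) {
  // `...[b, ...c]` first collects everything after `a` into a fresh array,
  // then binds `[b, ...c]` against that array. Any iterable works as input.
  const [a, ...[b, ...c]] = input;
  return { a, b, c };
}

// The same production allows an object pattern as the rest target, and it
// applies to formal parameters as well as to declarations.
function restIntoObjectPattern(first, ...{ length, 0: second }) {
  return { first, length, second };
}

// Assignment patterns (not bindings) get the same recursive treatment.
function nestedRestAssignment(input) {
  let x, y, rest;
  [x, ...[y, ...rest]] = input;
  return { x, y, rest };
}
```

Each rest target is bound against a newly created array, so `c` in nestedRest() is never the caller's array even when `input` is one; when the input runs out, the inner pattern simply sees an empty array and binds `b` to undefined and `c` to [].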
2217
2218 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
2219
2220         [JSC] Fix Windows build after r204065
2221
2222         * dfg/DFGAbstractValue.cpp:
2223         (JSC::DFG::AbstractValue::observeTransitions):
2224         AbstractValue is bigger on Windows for an unknown reason.
2225
2226 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2227
2228         [JSC] Fix 32bits jsc after r204065
2229
2230         A default-constructed JSValue() is not equal to zero on 32-bit.
2231
2232         * dfg/DFGAbstractValue.h:
2233         (JSC::DFG::AbstractValue::AbstractValue):
2234
2235 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2236
2237         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2238         https://bugs.webkit.org/show_bug.cgi?id=160370
2239
2240         Reviewed by Saam Barati.
2241
2242         We use a ton of AbstractValue to run the Abstract Interpreter.
2243
2244         When we set up the initial values, the compiler sets
2245         a zero on a first word, a one on a second word, and a zero
2246         again on a third word.
2247         Since no vector or double-store can deal with 3 words, unrolling
2248         is done by repeating those instructions.
2249
2250         The reason for the one was TinyPtrSet. It needed a flag for
2251         empty value to identify the set as thin. I flipped the flag to "fat"
2252         to make sure TinyPtrSet is initialized to zero.
2253
2254         With that done, I just had to clean some places to make
2255         the initialization shorter.
2256         It makes the binary easier to follow but this does not help with
2257         the bigger problem: the time spent per block on Abstract Interpreter.
2258
2259         * bytecode/Operands.h:
2260         The traits were useless; no client code defines them.
2261
2262         (JSC::Operands::Operands):
2263         (JSC::Operands::ensureLocals):
2264         Because of the size of the function, llvm is not inlining it.
2265         We were literally loading 3 registers from memory and storing
2266         them in the vector.
2267         Now that AbstractValue has a VectorTraits, we should just rely
2268         on the memset of Vector when possible.
2269
2270         (JSC::Operands::getLocal):
2271         (JSC::Operands::setArgumentFirstTime):
2272         (JSC::Operands::setLocalFirstTime):
2273         (JSC::Operands::clear):
2274         (JSC::OperandValueTraits::defaultValue): Deleted.
2275         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2276         * bytecode/OperandsInlines.h:
2277         (JSC::Operands<T>::dumpInContext):
2278         (JSC::Operands<T>::dump):
2279         (JSC::Traits>::dumpInContext): Deleted.
2280         (JSC::Traits>::dump): Deleted.
2281         * dfg/DFGAbstractValue.cpp:
2282         * dfg/DFGAbstractValue.h:
2283         (JSC::DFG::AbstractValue::AbstractValue):
2284
2285 2016-08-02  Saam Barati  <sbarati@apple.com>
2286
2287         update a class extending null w.r.t the ES7 spec
2288         https://bugs.webkit.org/show_bug.cgi?id=160417
2289
2290         Reviewed by Keith Miller.
2291
2292         When a class extends null, it should not be marked as a derived class.
2293         This was changed in the ES2016 spec, and this patch makes the needed
2294         changes in JSC to follow the spec. This allows classes to extend
2295         null and have their default constructor invoked without throwing an exception.
2296         This also prevents |this| from being under TDZ at the start of the constructor.
2297         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2298         syntax, we don't know statically if a constructor is extending null or not.
2299         Therefore, we don't always know statically if it's a base or derived constructor.
2300         I solved this by putting a boolean on the constructor function under a private
2301         symbol named isDerivedConstructor when doing class construction. We only need
2302         to put this boolean on constructors that may extend null. Constructors that are
2303         declared in a class with no extends syntax can tell statically that they are a base constructor.
2304
2305         I've also renamed the ConstructorKind::Derived enum value to be
2306         ConstructorKind::Extends to better indicate that we can't answer
2307         the "am I a derived constructor?" question statically.
2308
2309         * builtins/BuiltinExecutables.cpp:
2310         (JSC::BuiltinExecutables::createDefaultConstructor):
2311         * builtins/BuiltinNames.h:
2312         * bytecompiler/BytecodeGenerator.cpp:
2313         (JSC::BytecodeGenerator::BytecodeGenerator):
2314         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2315         (JSC::BytecodeGenerator::emitReturn):
2316         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2317         (JSC::BytecodeGenerator::ensureThis):
2318         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2319         * bytecompiler/BytecodeGenerator.h:
2320         (JSC::BytecodeGenerator::makeFunction):
2321         * bytecompiler/NodesCodegen.cpp:
2322         (JSC::EvalFunctionCallNode::emitBytecode):
2323         (JSC::FunctionCallValueNode::emitBytecode):
2324         (JSC::FunctionNode::emitBytecode):
2325         (JSC::ClassExprNode::emitBytecode):
2326         * parser/Parser.cpp:
2327         (JSC::Parser<LexerType>::Parser):
2328         (JSC::Parser<LexerType>::parseFunctionInfo):
2329         (JSC::Parser<LexerType>::parseClass):
2330         (JSC::Parser<LexerType>::parseMemberExpression):
2331         * parser/ParserModes.h:
2332
2333 2016-08-02  Enrica Casucci  <enrica@apple.com>
2334
2335         Allow building with content filtering disabled.
2336         https://bugs.webkit.org/show_bug.cgi?id=160454
2337
2338         Reviewed by Simon Fraser.
2339
2340         * Configurations/FeatureDefines.xcconfig:
2341
2342 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2343
2344         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2345         https://bugs.webkit.org/show_bug.cgi?id=159759
2346
2347         Reviewed by Saam Barati.
2348
2349         * jit/JITMathIC.h:
2350         (JSC::JITMathIC::generateInline):
2351
2352 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2353
2354         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2355         https://bugs.webkit.org/show_bug.cgi?id=160438
2356
2357         Reviewed by Mark Lam.
2358         
2359         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2360         catching stack overflow due to large parameter count. It would only catch regular old stack
2361         overflow, like if the frame pointer was already past the limit.
2362         
2363         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2364         the stack due to large parameter count were not going down that path at all, so we haven't had
2365         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2366         case.
2367
2368         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2369         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2370         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2371         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2372         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2373         a stack frame roll back normally does, since exception unwinding needs to see the current value
2374         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2375         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2376         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2377         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2378         To signal this, I could have either made topCallFrame point to the real top JS call frame
2379         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2380         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2381         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2382         engine against this case.
2383         
2384         * interpreter/StackVisitor.cpp:
2385         (JSC::StackVisitor::StackVisitor):
2386         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2387         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2388         StackVisitor is the only place that needs to be taught about this at this time, because it's
2389         one of the few things that access topCallFrame along this special path.
2390         
2391         * jit/JITOperations.cpp: Roll back the top call frame.
2392         * runtime/CommonSlowPaths.cpp:
2393         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2394
2395 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2396
2397         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2398         https://bugs.webkit.org/show_bug.cgi?id=160439
2399
2400         Reviewed by Filip Pizlo.
2401
2402         * assembler/MacroAssemblerARM64.h:
2403         (JSC::MacroAssemblerARM64::branchTest64):
2404         * b3/air/AirOpcode.opcodes:
2405         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2406
2407 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2408
2409         [B3] Fusing immediates into test instructions should work again
2410         https://bugs.webkit.org/show_bug.cgi?id=160073
2411
2412         Reviewed by Sam Weinig.
2413
2414         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2415         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2416         was still using Imm!  This meant that isValidForm() always returned false.
2417         
2418         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2419         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2420         with the scratch register).
2421         
2422         This is not an obvious progression on anything, so I added comprehensive tests to
2423         testb3, which check that we selected the optimal instruction in a variety of situations.
2424         We should add more tests like this!
2425
2426         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2427         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2428         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2429
2430         * b3/B3BasicBlock.h:
2431         (JSC::B3::BasicBlock::successorBlock):
2432         * b3/B3LowerToAir.cpp:
2433         (JSC::B3::Air::LowerToAir::createGenericCompare):
2434         * b3/B3LowerToAir.h:
2435         * b3/air/AirArg.cpp:
2436         (JSC::B3::Air::Arg::isRepresentableAs):
2437         (JSC::B3::Air::Arg::usesTmp):
2438         * b3/air/AirArg.h:
2439         (JSC::B3::Air::Arg::isRepresentableAs):
2440         (JSC::B3::Air::Arg::castToType):
2441         (JSC::B3::Air::Arg::asNumber):
2442         * b3/air/AirCode.h:
2443         (JSC::B3::Air::Code::size):
2444         (JSC::B3::Air::Code::at):
2445         * b3/air/AirOpcode.opcodes:
2446         * b3/air/AirValidate.h:
2447         * b3/air/opcode_generator.rb:
2448         * b3/testb3.cpp:
2449         (JSC::B3::compile):
2450         (JSC::B3::compileAndRun):
2451         (JSC::B3::lowerToAirForTesting):
2452         (JSC::B3::testSomeEarlyRegister):
2453         (JSC::B3::testBranchBitAndImmFusion):
2454         (JSC::B3::zero):
2455         (JSC::B3::run):
2456
2457 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2458
2459         Rationalize varargs stack overflow checks
2460         https://bugs.webkit.org/show_bug.cgi?id=160425
2461
2462         Reviewed by Michael Saboff.
2463
2464         * ftl/FTLLink.cpp:
2465         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2466         * runtime/CommonSlowPaths.h:
2467         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2468
2469 2016-08-01  Saam Barati  <sbarati@apple.com>
2470
2471         Sub should be a Math IC
2472         https://bugs.webkit.org/show_bug.cgi?id=160270
2473
2474         Reviewed by Mark Lam.
2475
2476         This makes Sub an IC like Mul and Add. I'm seeing the following
2477         improvements of average Sub size on Unity and JetStream:
2478
2479                    |   JetStream  |  Unity 3D  |
2480              ------| -------------|--------------
2481               Old  |   202 bytes  |  205 bytes |
2482              ------| -------------|--------------
2483               New  |   134  bytes |  134 bytes |
2484              ------------------------------------
2485
2486         * bytecode/CodeBlock.cpp:
2487         (JSC::CodeBlock::addJITMulIC):
2488         (JSC::CodeBlock::addJITSubIC):
2489         (JSC::CodeBlock::findStubInfo):
2490         (JSC::CodeBlock::dumpMathICStats):
2491         * bytecode/CodeBlock.h:
2492         (JSC::CodeBlock::stubInfoBegin):
2493         (JSC::CodeBlock::stubInfoEnd):
2494         * dfg/DFGSpeculativeJIT.cpp:
2495         (JSC::DFG::SpeculativeJIT::compileArithSub):
2496         * ftl/FTLLowerDFGToB3.cpp:
2497         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2498         * jit/JITArithmetic.cpp:
2499         (JSC::JIT::emit_op_sub):
2500         (JSC::JIT::emitSlow_op_sub):
2501         (JSC::JIT::emit_op_pow):
2502         * jit/JITMathIC.h:
2503         * jit/JITMathICForwards.h:
2504         * jit/JITOperations.cpp:
2505         * jit/JITOperations.h:
2506         * jit/JITSubGenerator.cpp:
2507         (JSC::JITSubGenerator::generateInline):
2508         (JSC::JITSubGenerator::generateFastPath):
2509         * jit/JITSubGenerator.h:
2510         (JSC::JITSubGenerator::JITSubGenerator):
2511         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2512         (JSC::JITSubGenerator::isRightOperandValidConstant):
2513         (JSC::JITSubGenerator::arithProfile):
2514         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2515         (JSC::JITSubGenerator::endJumpList): Deleted.
2516         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2517
2518 2016-08-01  Keith Miller  <keith_miller@apple.com>
2519
2520         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2521         https://bugs.webkit.org/show_bug.cgi?id=160372
2522
2523         Rubber stamped by Geoffrey Garen.
2524
2525         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2526         a new top level directory, JSTests. Having the tests in the Source directory
2527         was both confusing and inconvenient for people that just want to checkout the
2528         source code of WebKit. Since there is no other obvious place to put all the
2529         JavaScript tests a new top level directory seemed the most sensible.
2530
2531         * tests/: Deleted.
2532
2533 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2534
2535         [JSC] Should check Test262Error correctly
2536         https://bugs.webkit.org/show_bug.cgi?id=159862
2537
2538         Reviewed by Saam Barati.
2539
2540         Test262Error in the harness does not have a "name" property.
2541         Rather than checking the "name" property, performing `instanceof` is better for checking the class of the exception.
2542
2543         * jsc.cpp:
2544         (checkUncaughtException):
2545         * runtime/JSObject.h:
2546         * tests/test262.yaml:
2547
2548 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2549
2550         [ES6] Module binding can be exported by multiple names
2551         https://bugs.webkit.org/show_bug.cgi?id=160343
2552
2553         Reviewed by Saam Barati.
2554
2555         ES6 Module can export the same local binding by using multiple names.
2556         For example,
2557
2558             ```
2559             var value = 42;
2560
2561             export { value };
2562             export { value as value2 };
2563             ```
2564
2565         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
2566         the local binding "value" is exported as "value2" and the name "value" is not exported. This is wrong.
2567
2568         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2569         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
2570         this information when creating the export entries in ModuleAnalyzer.
2571
2572         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2573         names should be managed per-module, not per-scope.
2574
2575         This change fixes several test262 failures.
2576
2577         * JavaScriptCore.xcodeproj/project.pbxproj:
2578         * parser/ModuleAnalyzer.cpp:
2579         (JSC::ModuleAnalyzer::exportVariable):
2580         (JSC::ModuleAnalyzer::analyze):
2581         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2582         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2583         * parser/ModuleAnalyzer.h:
2584         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2585         (JSC::ModuleScopeData::create):
2586         (JSC::ModuleScopeData::exportedBindings):
2587         (JSC::ModuleScopeData::exportName):
2588         (JSC::ModuleScopeData::exportBinding):
2589         * parser/Nodes.cpp:
2590         (JSC::ProgramNode::ProgramNode):
2591         (JSC::ModuleProgramNode::ModuleProgramNode):
2592         (JSC::EvalNode::EvalNode):
2593         (JSC::FunctionNode::FunctionNode):
2594         * parser/Nodes.h:
2595         (JSC::ModuleProgramNode::moduleScopeData):
2596         * parser/NodesAnalyzeModule.cpp:
2597         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2598         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2599         * parser/Parser.cpp:
2600         (JSC::Parser<LexerType>::Parser):
2601         (JSC::Parser<LexerType>::parseModuleSourceElements):
2602         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2603         (JSC::Parser<LexerType>::createBindingPattern):
2604         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2605         (JSC::Parser<LexerType>::parseClassDeclaration):
2606         (JSC::Parser<LexerType>::parseExportSpecifier):
2607         (JSC::Parser<LexerType>::parseExportDeclaration):
2608         * parser/Parser.h:
2609         (JSC::Parser::exportName):
2610         (JSC::Parser<LexerType>::parse):
2611         (JSC::ModuleScopeData::create): Deleted.
2612         (JSC::ModuleScopeData::exportedBindings): Deleted.
2613         (JSC::ModuleScopeData::exportName): Deleted.
2614         (JSC::ModuleScopeData::exportBinding): Deleted.
2615         (JSC::Scope::Scope): Deleted.
2616         (JSC::Scope::setSourceParseMode): Deleted.
2617         (JSC::Scope::moduleScopeData): Deleted.
2618         (JSC::Scope::setIsModule): Deleted.
2619         * tests/modules/aliased-names.js: Added.
2620         * tests/modules/aliased-names/main.js: Added.
2621         (change):
2622         * tests/stress/modules-syntax-error-with-names.js:
2623         (export.Cocoa):
2624         (SyntaxError.Cannot.export.a.duplicate.name):
2625         * tests/test262.yaml:
2626
2627 2016-07-30  Mark Lam  <mark.lam@apple.com>
2628
2629         Assertion failure while setting the length of an ArrayClass array.
2630         https://bugs.webkit.org/show_bug.cgi?id=160381
2631         <rdar://problem/27328703>
2632
2633         Reviewed by Filip Pizlo.
2634
2635         When setting large length values, we're currently treating ArrayClass as a
2636         ContiguousIndexingType array.  This results in an assertion failure.  This is
2637         now fixed.
2638
2639         There are currently only 2 places where we create arrays with indexing type
2640         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2641         takes care of ArrayPrototype.
2642
2643         RuntimeArray already checks for the setting of its length property, and will
2644         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
2645         Instead, I added some test cases to ensure that the check and throw behavior does
2646         not change without notice.
2647
2648         * runtime/JSArray.cpp:
2649         (JSC::JSArray::setLength):
2650         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2651         (toString):
2652         (assertEqual):
2653         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2654         (toString):
2655         (assertEqual):
2656
2657 2016-07-29  Keith Miller  <keith_miller@apple.com>
2658
2659         TypedArray super constructor has some incompatibilities
2660         https://bugs.webkit.org/show_bug.cgi?id=160369
2661
2662         Reviewed by Filip Pizlo.
2663
2664         This patch fixes the length property of the TypedArray super constructor.
2665         Additionally, the TypedArray super constructor should no longer be callable.
2666
2667         Also, this patch fixes the expected result of some test262 tests.
2668
2669         * runtime/JSTypedArrayViewConstructor.cpp:
2670         (JSC::JSTypedArrayViewConstructor::finishCreation):
2671         (JSC::constructTypedArrayView):
2672         (JSC::JSTypedArrayViewConstructor::getCallData):
2673         * tests/test262.yaml:
2674
2675 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2676
2677         Undefined Behavior in JSValue cast from NaN
2678         https://bugs.webkit.org/show_bug.cgi?id=160322
2679
2680         Reviewed by Mark Lam.
2681
2682         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2683
2684         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2685         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2686         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2687         should immediately call the explicit double constructor, both for efficiency and to prevent the inadvertent
2688         suppression of any other bugs which may be instantiating a JSValue with a NaN double.
2689
2690         * runtime/JSCJSValueInlines.h:
2691         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
2692
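The undefined behavior this entry describes is the C++ rule that converting a NaN (or any out-of-range double) to int32_t is undefined. The following is an added example, not JSC code: a miniature tagged value whose generic constructor range-checks the double before any integer conversion, and whose makeNaN() goes straight to the explicit double path, as the fixed jsNaN() does. The names Value, fromDouble, makeDouble and makeNaN are assumptions for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Added example (not JSC code): a tagged value with an int32 payload or a
// double payload. Converting NaN or an out-of-range double to int32_t is
// undefined behaviour in C++, so the double is checked before any conversion.
struct Value {
    enum class Kind { Int32, Double };
    Kind kind;
    int32_t i;
    double d;
};

// True only if d round-trips through int32_t exactly. Every comparison below
// is false for NaN, so a NaN never reaches the static_cast. -0.0 is excluded
// as well, because an int32 cannot preserve the sign of zero.
inline bool isRepresentableAsInt32(double d)
{
    if (!(d >= static_cast<double>(std::numeric_limits<int32_t>::min())
          && d <= static_cast<double>(std::numeric_limits<int32_t>::max())))
        return false;                        // NaN, +/-inf and out-of-range land here
    if (d == 0.0 && std::signbit(d))
        return false;                        // -0.0 must stay a double
    int32_t asInt = static_cast<int32_t>(d); // defined: d is within int32 range
    return static_cast<double>(asInt) == d;  // rejects fractional values
}

// Explicit double constructor: never touches the int32 conversion at all.
inline Value makeDouble(double d)
{
    return Value{ Value::Kind::Double, 0, d };
}

// Generic constructor: prefers the int32 encoding when it is exact.
inline Value fromDouble(double d)
{
    if (isRepresentableAsInt32(d))
        return Value{ Value::Kind::Int32, static_cast<int32_t>(d), 0.0 };
    return makeDouble(d);
}

// Analogue of the fixed jsNaN(): build the NaN through the double path
// directly instead of letting it flow through the generic constructor.
inline Value makeNaN()
{
    return makeDouble(std::numeric_limits<double>::quiet_NaN());
}

inline bool isInt32(const Value& v) { return v.kind == Value::Kind::Int32; }
inline bool isDouble(const Value& v) { return v.kind == Value::Kind::Double; }
```

The range check runs before the cast rather than after it because a sanitizer (or an optimizing compiler) is entitled to treat the NaN-to-int conversion itself as the bug, regardless of what the following if statement would have done with the result.
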
2693 2016-07-29  Michael Saboff  <msaboff@apple.com>
2694
2695         Refactor DFG::Node::hasLocal() to accessesStack()
2696         https://bugs.webkit.org/show_bug.cgi?id=160357
2697
2698         Reviewed by Filip Pizlo.
2699
2700         Refactoring in preparation for using register arguments for JavaScript calls.
2701
2702         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2703         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2704         use guards stack operation logic associated with the Node's VariableAccessData.
2705
2706         The hasVariableAccessData() check now implies no more than that the node has a
2707         VariableAccessData, and nothing about its use of that data to coordinate stack
2708         accesses.
2709
2710         * dfg/DFGGraph.cpp:
2711         (JSC::DFG::Graph::dump):
2712         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2713         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2714         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2715         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2716         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2717         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2718         * dfg/DFGNode.h:
2719         (JSC::DFG::Node::containsMovHint):
2720         (JSC::DFG::Node::accessesStack):
2721         (JSC::DFG::Node::hasLocal): Deleted.
2722         * dfg/DFGPredictionInjectionPhase.cpp:
2723         (JSC::DFG::PredictionInjectionPhase::run):
2724         * dfg/DFGValidate.cpp:
2725
2726 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2727
2728         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2729         https://bugs.webkit.org/show_bug.cgi?id=160346
2730
2731         Reviewed by Geoffrey Garen.
2732
2733         In Air, we minimized memory accesses during liveness analysis
2734         with a couple of tricks:
2735         -Use a single Sparse Set ADT for the live value of each block.
2736         -Manipulate compact positive indices instead of hashing values.
2737
2738         This patch brings the same ideas to DFG.
2739
2740         This patch still uses the same fixpoint algorithms.
2741         The reason is Edge's KillStatus used by other phases. We cannot
2742         use a block-boundary liveness algorithm and update KillStatus
2743         simultaneously. It's something I'll probably revisit at some point.
2744
2745         * dfg/DFGAbstractInterpreterInlines.h:
2746         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2747         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2748         * dfg/DFGBasicBlock.h:
2749         * dfg/DFGGraph.h:
2750         (JSC::DFG::Graph::maxNodeCount):
2751         (JSC::DFG::Graph::nodeAt):
2752         * dfg/DFGInPlaceAbstractState.cpp:
2753         (JSC::DFG::setLiveValues):
2754         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2755         * dfg/DFGLivenessAnalysisPhase.cpp:
2756         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2757         (JSC::DFG::LivenessAnalysisPhase::run):
2758         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2759         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2760         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2761
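The two tricks the entry lists (one sparse set per block, compact positive indices instead of hashed values) are the classic sparse-set ADT. The block below is an added example, not JSC's DFG or Air code: a sparse set over node indices, plus a backward liveness pass over one constructed block that uses it. SparseSet, Instruction and liveIn are names assumed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not JSC code): sparse set over compact indices 0..capacity-1.
// add/remove/contains are O(1) without hashing, clear() is O(1), and iteration
// touches only the live members. A liveness pass keeps one per block and
// refills it rather than allocating a hash set per block.
class SparseSet {
public:
    explicit SparseSet(size_t capacity)
        : m_sparse(capacity, 0), m_dense(), m_size(0)
    {
        m_dense.reserve(capacity);
    }

    bool contains(uint32_t value) const
    {
        if (value >= m_sparse.size()) return false;
        uint32_t slot = m_sparse[value];
        return slot < m_size && m_dense[slot] == value; // stale slots are harmless
    }

    // Returns true if the value was newly inserted ("the live set changed").
    bool add(uint32_t value)
    {
        if (value >= m_sparse.size()) return false; // caller sizes the set to maxNodeCount
        if (contains(value)) return false;
        if (m_size < m_dense.size()) m_dense[m_size] = value;
        else m_dense.push_back(value);
        m_sparse[value] = m_size;
        ++m_size;
        return true;
    }

    // Swap-with-last removal keeps the dense array contiguous.
    bool remove(uint32_t value)
    {
        if (!contains(value)) return false;
        uint32_t slot = m_sparse[value];
        uint32_t last = m_dense[m_size - 1];
        m_dense[slot] = last;
        m_sparse[last] = slot;
        --m_size;
        return true;
    }

    void clear() { m_size = 0; }
    size_t size() const { return m_size; }
    const uint32_t* begin() const { return m_dense.data(); }
    const uint32_t* end() const { return m_dense.data() + m_size; }

private:
    std::vector<uint32_t> m_sparse; // value -> slot in m_dense (may be stale)
    std::vector<uint32_t> m_dense;  // the first m_size entries are the members
    uint32_t m_size;
};

// One instruction: the node index it defines (UINT32_MAX for none) and the
// node indices it uses. Constructed shape for this example, not a DFG node.
struct Instruction { uint32_t def; std::vector<uint32_t> uses; };

// Backward liveness over a single block: start from the live-out set, walk the
// instructions last to first, kill each definition and add each use.
SparseSet liveIn(const std::vector<Instruction>& block, const SparseSet& liveOut, size_t nodeCount)
{
    SparseSet live(nodeCount);
    for (uint32_t v : liveOut) live.add(v);
    for (size_t i = block.size(); i-- > 0;) {
        const Instruction& insn = block[i];
        if (insn.def != UINT32_MAX) live.remove(insn.def);
        for (uint32_t use : insn.uses) live.add(use);
    }
    return live;
}
```

The return value of add() is what a fixpoint driver watches: when no block's live-in set gains a member during a pass, the analysis has converged.
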
2762 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2763
2764         Unreviewed, ByValInfo is only used in JIT enabled environments
2765         https://bugs.webkit.org/show_bug.cgi?id=158908
2766
2767         * bytecode/CodeBlock.cpp:
2768         (JSC::CodeBlock::stronglyVisitStrongReferences):
2769
2770 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2771
2772         JSC::Symbol should be hash-consed
2773         https://bugs.webkit.org/show_bug.cgi?id=158908
2774
2775         Reviewed by Filip Pizlo.
2776
2777         Previously, the SymbolImpls held by symbols represented the identity of symbols.
2778         When we check the equality between symbols, we need to load the SymbolImpls of the symbols and compare them.
2779
2780         This patch performs hash-consing on the symbols. We cache symbols in a per-VM SymbolImpl-keyed WeakGCMap.
2781         When creating a new symbol from a SymbolImpl, we first query this map and reuse the previously created symbol
2782         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2783         pointer comparison to query the equality of symbols.
2784
2785         This change drops SymbolImpl loads when checking equality. Furthermore, we can use DFG CheckCell on a symbol
2786         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2787         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2788         case is handled by CheckCell.
2789
2790         Additionally, this patch also cleans up the Map / Set implementation since we can apply the JSCell logic to symbols.
2791
2792         The performance effects in the related benchmarks are the following.
2793
2794                                                                baseline                   patch
2795
2796             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2797             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2798             fold-put-by-val-with-symbol-to-multi-put-by-offset
2799                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2800             inlined-put-by-val-with-symbol-transition
2801                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2802             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2803             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2804                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2805             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2806             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2807             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2808             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2809             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2810                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2811             get-by-val-with-symbol-chain-from-try-block
2812                                                             2.2316+-0.0179            2.2137+-0.0210
2813             get-by-val-with-symbol-bimorphic-check-structure-elimination
2814                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2815             get-by-val-with-symbol-check-structure-elimination
2816                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2817             put-by-val-with-symbol-slightly-polymorphic
2818                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2819             put-by-val-with-symbol-replace-and-transition
2820                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2821
2822             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2823
2824         * bytecode/ByValInfo.h:
2825         * bytecode/CodeBlock.cpp:
2826         (JSC::CodeBlock::stronglyVisitStrongReferences):
2827         * dfg/DFGAbstractInterpreterInlines.h:
2828         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2829         * dfg/DFGByteCodeParser.cpp:
2830         (JSC::DFG::ByteCodeParser::parseBlock):
2831         * dfg/DFGClobberize.h:
2832         (JSC::DFG::clobberize):
2833         * dfg/DFGConstantFoldingPhase.cpp:
2834         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2835         * dfg/DFGDoesGC.cpp:
2836         (JSC::DFG::doesGC):
2837         * dfg/DFGFixupPhase.cpp:
2838         (JSC::DFG::FixupPhase::fixupNode):
2839         * dfg/DFGNode.h:
2840         (JSC::DFG::Node::hasUidOperand):
2841         * dfg/DFGNodeType.h:
2842         * dfg/DFGPredictionPropagationPhase.cpp:
2843         * dfg/DFGSafeToExecute.h:
2844         (JSC::DFG::safeToExecute):
2845         * dfg/DFGSpeculativeJIT.cpp:
2846         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2847         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2848         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2849         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2850         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2851         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2852         * dfg/DFGSpeculativeJIT.h:
2853         * dfg/DFGSpeculativeJIT32_64.cpp:
2854         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2855         (JSC::DFG::SpeculativeJIT::compile):
2856         * dfg/DFGSpeculativeJIT64.cpp:
2857         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2858         (JSC::DFG::SpeculativeJIT::compile):
2859         * ftl/FTLAbstractHeapRepository.h:
2860         * ftl/FTLCapabilities.cpp:
2861         (JSC::FTL::canCompile):
2862         * ftl/FTLLowerDFGToB3.cpp:
2863         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2864         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2865         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2866         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2867         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2868         * jit/JIT.h:
2869         * jit/JITOperations.cpp:
2870         (JSC::tryGetByValOptimize):
2871         * jit/JITPropertyAccess.cpp:
2872         (JSC::JIT::emitGetByValWithCachedId):
2873         (JSC::JIT::emitPutByValWithCachedId):
2874         (JSC::JIT::emitByValIdentifierCheck):
2875         (JSC::JIT::privateCompileGetByValWithCachedId):
2876         (JSC::JIT::privateCompilePutByValWithCachedId):
2877         (JSC::JIT::emitIdentifierCheck): Deleted.
2878         * jit/JITPropertyAccess32_64.cpp:
2879         (JSC::JIT::emitGetByValWithCachedId):
2880         (JSC::JIT::emitPutByValWithCachedId):
2881         * runtime/JSCJSValue.cpp:
2882         (JSC::JSValue::dumpInContextAssumingStructure):
2883         * runtime/JSCJSValueInlines.h:
2884         (JSC::JSValue::equalSlowCaseInline):
2885         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2886         * runtime/JSFunction.cpp:
2887         (JSC::JSFunction::setFunctionName):
2888         * runtime/MapData.h:
2889         * runtime/MapDataInlines.h:
2890         (JSC::JSIterator>::clear): Deleted.
2891         (JSC::JSIterator>::find): Deleted.
2892         (JSC::JSIterator>::add): Deleted.
2893         (JSC::JSIterator>::remove): Deleted.
2894         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2895         * runtime/Symbol.cpp:
2896         (JSC::Symbol::finishCreation):
2897         (JSC::Symbol::create):
2898         * runtime/Symbol.h:
2899         * runtime/VM.cpp:
2900         (JSC::VM::VM):
2901         * runtime/VM.h:
2902         * tests/stress/symbol-equality-over-gc.js: Added.
2903         (shouldBe):
2904         (test):
2905
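The core of this entry is hash-consing: one canonical cell per SymbolImpl, cached in a weak map, so equality becomes pointer equality. The block below is an added example, not JSC's Symbol or WeakGCMap code: an intern table keyed by the backing identity (modelled as an integer uid standing in for the SymbolImpl pointer) that holds only weak references, so a cached cell dies with its last owner and is re-created on the next lookup. SymbolImpl, Symbol, SymbolTable and symbolsEqual are names assumed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_map>

// Added example (not JSC code). The uid stands in for the SymbolImpl pointer
// identity; two distinct symbols may share a description but never a uid.
struct SymbolImpl {
    uint64_t uid;
    std::string description;
};

struct Symbol {
    const SymbolImpl* impl;
};

class SymbolTable {
public:
    // Returns the canonical Symbol for impl; equal impls yield the same cell.
    std::shared_ptr<Symbol> intern(const SymbolImpl& impl)
    {
        auto it = m_map.find(impl.uid);
        if (it != m_map.end()) {
            if (auto existing = it->second.lock())
                return existing;   // cache hit: reuse the live cell
            m_map.erase(it);       // stale weak entry: its owner is gone
        }
        auto fresh = std::make_shared<Symbol>(Symbol{ &impl });
        m_map.emplace(impl.uid, fresh); // weak reference only, like a WeakGCMap
        return fresh;
    }

    // Number of cells still alive; expired weak entries are not counted.
    size_t liveCount() const
    {
        size_t n = 0;
        for (const auto& kv : m_map)
            if (!kv.second.expired()) ++n;
        return n;
    }

private:
    std::unordered_map<uint64_t, std::weak_ptr<Symbol>> m_map;
};

// With hash-consing in place, symbol equality is pointer equality: there is
// no need to load and compare the underlying SymbolImpl on each comparison.
inline bool symbolsEqual(const Symbol* a, const Symbol* b) { return a == b; }
```

The invariant the table maintains is the one-to-one correspondence the entry mentions: as long as a cell is alive, every intern() of its SymbolImpl returns that same cell, which is what makes a pointer check (and a CheckCell against a known symbol) sound.
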
2906 2016-07-28  Mark Lam  <mark.lam@apple.com>
2907
2908         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2909         https://bugs.webkit.org/show_bug.cgi?id=160324
2910         <rdar://problem/27389572>
2911
2912         Reviewed by Keith Miller.
2913
2914         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2915         generate the error string even when the name string can be a single character
2916         string.  This is incorrect.  We should be using jsString() instead.
2917
2918         * runtime/ErrorPrototype.cpp:
2919         (JSC::errorProtoFuncToString):
2920         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
2921
2922 2016-07-28  Michael Saboff  <msaboff@apple.com>
2923
2924         ARM64: Fused left shift with a right shift can create NaNs from integers
2925         https://bugs.webkit.org/show_bug.cgi?id=160329
2926
2927         Reviewed by Geoffrey Garen.
2928
2929         When we fuse a left shift and a right shift of integers where the shift amounts
2930         are the same and the size of the quantity being shifted is 8 bits, we rightly
2931         generate a sign extend byte instruction.  On ARM64, we were sign extending
2932         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2933
2934         Checking the ARM64 macro assembler, we were extending to 64 bits for all
2935         four combinations of zero / sign and 8 / 16 bits.
2936
2937         * assembler/MacroAssemblerARM64.h:
2938         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2939         (JSC::MacroAssemblerARM64::signExtend16To32):
2940         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2941         (JSC::MacroAssemblerARM64::signExtend8To32):
2942         * tests/stress/regress-160329.js: New test added.
2943         (narrow):
2944
2945 2016-07-28  Mark Lam  <mark.lam@apple.com>
2946
2947         StringView should have an explicit m_is8Bit field.
2948         https://bugs.webkit.org/show_bug.cgi?id=160282
2949         <rdar://problem/27327943>
2950
2951         Reviewed by Benjamin Poulain.
2952
2953         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2954         (catch):
2955
2956 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2957
2958         [ARM] Typo fix after r121885
2959         https://bugs.webkit.org/show_bug.cgi?id=160288
2960
2961         Reviewed by Zoltan Herczeg.
2962
2963         * assembler/MacroAssemblerARM.h:
2964         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2965
2966 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2967
2968         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2969         https://bugs.webkit.org/show_bug.cgi?id=159711
2970
2971         Reviewed by Mark Lam.
2972
2973         * assembler/ARMAssembler.cpp:
2974         (JSC::ARMAssembler::prepareExecutableCopy):
2975
2976 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2977
2978         [JSC] Remove some unused code from FTL
2979         https://bugs.webkit.org/show_bug.cgi?id=160285
2980
2981         Reviewed by Mark Lam.
2982
2983         All the liveness and swapping is done inside B3,
2984         this code is no longer needed.
2985
2986         * dfg/DFGEdge.h:
2987         (JSC::DFG::Edge::doesNotKill): Deleted.
2988         * ftl/FTLLowerDFGToB3.cpp:
2989         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2990
2991 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2992
2993         [JSC] DFG::Node should not have its own allocator
2994         https://bugs.webkit.org/show_bug.cgi?id=160098
2995
2996         Reviewed by Geoffrey Garen.
2997
2998         We need some design changes for DFG::Node:
2999         -Accessing the index must be fast. B3 uses indices for sets
3000          and maps, it is a lot faster than hashing pointers.
3001         -We should be able to subclass DFG::Node to specialize it.
3002
3003         * CMakeLists.txt:
3004         * JavaScriptCore.xcodeproj/project.pbxproj:
3005         * dfg/DFGAllocator.h: Removed.
3006         (JSC::DFG::Allocator::Region::size): Deleted.
3007         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3008         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3009         (JSC::DFG::Allocator::Region::data): Deleted.
3010         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3011         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3012         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3013         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3014         (JSC::DFG::Allocator<T>::allocate): Deleted.
3015         (JSC::DFG::Allocator<T>::free): Deleted.
3016         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3017         (JSC::DFG::Allocator<T>::reset): Deleted.
3018         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3019         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3020         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3021         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3022         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3023         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3024         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3025         * dfg/DFGByteCodeParser.cpp:
3026         (JSC::DFG::ByteCodeParser::addToGraph):
3027         * dfg/DFGCPSRethreadingPhase.cpp:
3028         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3029         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3030         * dfg/DFGCleanUpPhase.cpp:
3031         (JSC::DFG::CleanUpPhase::run):
3032         * dfg/DFGConstantFoldingPhase.cpp:
3033         (JSC::DFG::ConstantFoldingPhase::run):
3034         * dfg/DFGConstantHoistingPhase.cpp:
3035         * dfg/DFGDCEPhase.cpp:
3036         (JSC::DFG::DCEPhase::fixupBlock):
3037         * dfg/DFGDriver.cpp:
3038         (JSC::DFG::compileImpl):
3039         * dfg/DFGGraph.cpp:
3040         (JSC::DFG::Graph::Graph):
3041         (JSC::DFG::Graph::deleteNode):
3042         (JSC::DFG::Graph::killBlockAndItsContents):
3043         (JSC::DFG::Graph::~Graph): Deleted.
3044         * dfg/DFGGraph.h:
3045         (JSC::DFG::Graph::addNode):
3046         * dfg/DFGLICMPhase.cpp:
3047         (JSC::DFG::LICMPhase::attemptHoist):
3048         * dfg/DFGLongLivedState.cpp: Removed.
3049         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3050         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3051         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3052         * dfg/DFGLongLivedState.h: Removed.
3053         * dfg/DFGNode.cpp:
3054         (JSC::DFG::Node::index): Deleted.
3055         * dfg/DFGNode.h:
3056         (JSC::DFG::Node::index):
3057         * dfg/DFGNodeAllocator.h: Removed.
3058         (operator new ): Deleted.
3059         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3060         * dfg/DFGPlan.cpp:
3061         (JSC::DFG::Plan::compileInThread):
3062         (JSC::DFG::Plan::compileInThreadImpl):
3063         * dfg/DFGPlan.h:
3064         * dfg/DFGSSAConversionPhase.cpp:
3065         (JSC::DFG::SSAConversionPhase::run):
3066         * dfg/DFGWorklist.cpp:
3067         (JSC::DFG::Worklist::runThread):
3068         * runtime/VM.cpp:
3069         (JSC::VM::VM): Deleted.
3070         * runtime/VM.h:
3071
3072 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
3073
3074         [JSC] Fix a bunch of use-after-free of DFG::Node
3075         https://bugs.webkit.org/show_bug.cgi?id=160228
3076
3077         Reviewed by Mark Lam.
3078
3079         FTL had a few places where we use a node after it has been
3080         deleted. The dangling pointers come from the SSA liveness information
3081         kept on the basic blocks.
3082
3083         This patch fixes the issues I could find and adds liveness invalidation
3084         to help finding dependencies like these.
3085
3086         * dfg/DFGBasicBlock.h:
3087         (JSC::DFG::BasicBlock::SSAData::invalidate):
3088
3089         * dfg/DFGConstantFoldingPhase.cpp:
3090         (JSC::DFG::ConstantFoldingPhase::run):
3091         Constant folding phase was deleting nodes in the loop over basic blocks.
3092         The problem is that the deleted nodes can be referenced by other blocks.
3093         When the abstract interpreter was manipulating the abstract values of those,
3094         it was doing so on the dead nodes.
3095
3096         * dfg/DFGConstantHoistingPhase.cpp:
3097         Just invalidation. Nothing wrong here since the useless nodes were
3098         kept live while iterating the blocks.
3099
3100         * dfg/DFGGraph.cpp:
3101         (JSC::DFG::Graph::killBlockAndItsContents):
3102         (JSC::DFG::Graph::killUnreachableBlocks):
3103         (JSC::DFG::Graph::invalidateNodeLiveness):
3104
3105         * dfg/DFGGraph.h:
3106         * dfg/DFGPlan.cpp:
3107         (JSC::DFG::Plan::compileInThreadImpl):
3108         We had a lot of use-after-free in LICM because we were using the stale
3109         live nodes deleted by previous phases.
3110
3111 2016-07-27  Keith Miller  <keith_miller@apple.com>
3112
3113         concatAppendOne should allocate using the indexing type of the array if it cannot merge
3114         https://bugs.webkit.org/show_bug.cgi?id=160261
3115         <rdar://problem/27530122>
3116
3117         Reviewed by Mark Lam.
3118
3119         Before, if we could not merge the indexing types for copying, we would allocate
3120         the array as ArrayWithUndecided. Instead, we should allocate an array with the original
3121         array's indexing type.
3122
3123         * runtime/ArrayPrototype.cpp:
3124         (JSC::concatAppendOne):
3125         * tests/stress/concat-append-one-with-sparse-array.js: Added.
3126
3127 2016-07-27  Saam Barati  <sbarati@apple.com>
3128
3129         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
3130         https://bugs.webkit.org/show_bug.cgi?id=160211
3131         <rdar://problem/27572612>
3132
3133         Reviewed by Geoffrey Garen.
3134
3135         The fast for-in iteration mode assumes all inline/out-of-line properties
3136         can be iterated in linear order. This is not true if we have Symbols
3137         because Symbols should not be iterated by for-in.
3138
3139         * runtime/Structure.cpp:
3140         (JSC::Structure::add):
3141         * tests/stress/symbol-should-not-break-for-in.js: Added.
3142         (assert):
3143         (foo):
3144
3145 2016-07-27  Mark Lam  <mark.lam@apple.com>
3146
3147         The second argument for Function.prototype.apply should be array-like or null/undefined.
3148         https://bugs.webkit.org/show_bug.cgi?id=160212
3149         <rdar://problem/27328525>
3150
3151         Reviewed by Filip Pizlo.
3152
3153         The spec for Function.prototype.apply says its second argument can only be null,
3154         undefined, or must be array-like.  See
3155         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
3156         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
3157
3158         Our previous implementation was not handling this correctly for SymbolType.
3159         This is now fixed.
3160
3161         * interpreter/Interpreter.cpp:
3162         (JSC::sizeOfVarargs):
3163         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
3164
3165 2016-07-27  Saam Barati  <sbarati@apple.com>
3166
3167         MathICs should be able to emit only a jump along the inline path when they don't have any type data
3168         https://bugs.webkit.org/show_bug.cgi?id=160110
3169
3170         Reviewed by Mark Lam.
3171
3172         This patch allows for MathIC fast-path generation to be delayed.
3173         We delay when we don't see any observed type information for
3174         the lhs/rhs operand, which implies that the MathIC has never
3175         executed. This is profitable for two main reasons:
3176         1. If the math operation never executes, we emit much less code.
3177         2. Once we get type information for the lhs/rhs, we can emit better code.
3178
3179         To implement this, we just emit a jump to the slow path call
3180         that will repatch on first execution.
3181
3182         New data for add:
3183                    |   JetStream  |  Unity 3D  |
3184              ------| -------------|--------------
3185               Old  |   148 bytes  |  143 bytes |
3186              ------| -------------|--------------
3187               New  |   116  bytes |  113 bytes |
3188              ------------------------------------
3189
3190         New data for mul:
3191                    |   JetStream  |  Unity 3D  |
3192              ------| -------------|--------------
3193               Old  |   210 bytes  |  185 bytes |
3194              ------| -------------|--------------
3195               New  |   170  bytes |  137 bytes |
3196              ------------------------------------
3197
3198         * jit/JITAddGenerator.cpp:
3199         (JSC::JITAddGenerator::generateInline):
3200         * jit/JITAddGenerator.h:
3201         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3202         (JSC::JITAddGenerator::isRightOperandValidConstant):
3203         (JSC::JITAddGenerator::arithProfile):
3204         * jit/JITMathIC.h:
3205         (JSC::JITMathIC::generateInline):
3206         (JSC::JITMathIC::generateOutOfLine):
3207         (JSC::JITMathIC::finalizeInlineCode):
3208         * jit/JITMathICInlineResult.h:
3209         * jit/JITMulGenerator.cpp:
3210         (JSC::JITMulGenerator::generateInline):
3211         * jit/JITMulGenerator.h:
3212         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3213         (JSC::JITMulGenerator::isRightOperandValidConstant):
3214         (JSC::JITMulGenerator::arithProfile):
3215         * jit/JITOperations.cpp:
3216
3217 2016-07-26  Saam Barati  <sbarati@apple.com>
3218
3219         rollout r203666
3220         https://bugs.webkit.org/show_bug.cgi?id=160226
3221
3222         Unreviewed rollout.
3223
3224         * b3/B3BasicBlock.h:
3225         (JSC::B3::BasicBlock::successorBlock):
3226         * b3/B3LowerToAir.cpp:
3227         (JSC::B3::Air::LowerToAir::createGenericCompare):
3228         * b3/B3LowerToAir.h:
3229         * b3/air/AirArg.cpp:
3230         (JSC::B3::Air::Arg::isRepresentableAs):
3231         (JSC::B3::Air::Arg::usesTmp):
3232         * b3/air/AirArg.h:
3233         (JSC::B3::Air::Arg::isRepresentableAs):
3234         (JSC::B3::Air::Arg::asNumber):
3235         (JSC::B3::Air::Arg::castToType): Deleted.
3236         * b3/air/AirCode.h:
3237         (JSC::B3::Air::Code::size):
3238         (JSC::B3::Air::Code::at):
3239         * b3/air/AirOpcode.opcodes:
3240         * b3/air/AirValidate.h:
3241         * b3/air/opcode_generator.rb:
3242         * b3/testb3.cpp:
3243         (JSC::B3::compileAndRun):
3244         (JSC::B3::testSomeEarlyRegister):
3245         (JSC::B3::zero):
3246         (JSC::B3::run):
3247         (JSC::B3::lowerToAirForTesting): Deleted.
3248         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3249
3250 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3251
3252         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3253         https://bugs.webkit.org/show_bug.cgi?id=159409
3254
3255         Reviewed by Geoffrey Garen.
3256
3257         * runtime/ObjectConstructor.cpp:
3258         (JSC::objectConstructorGetOwnPropertyDescriptors):
3259         * tests/es6.yaml:
3260         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3261         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3262         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3263         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3264         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
3265
3266 2016-07-26  Mark Lam  <mark.lam@apple.com>
3267
3268         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3269         https://bugs.webkit.org/show_bug.cgi?id=160203
3270
3271         Reviewed by Keith Miller.
3272
3273         * bytecompiler/BytecodeGenerator.cpp:
3274         (JSC::BytecodeGenerator::emitDebugHook):
3275
3276 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3277
3278         Unreviewed, rolling out r203703.
3279
3280         It breaks some internal tests
3281
3282         Reverted changeset:
3283
3284         "[JSC] DFG::Node should not have its own allocator"
3285         https://bugs.webkit.org/show_bug.cgi?id=160098
3286         http://trac.webkit.org/changeset/203703
3287
3288 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3289
3290         [JSC] DFG::Node should not have its own allocator
3291         https://bugs.webkit.org/show_bug.cgi?id=160098
3292
3293         Reviewed by Geoffrey Garen.
3294
3295         We need some design changes for DFG::Node:
3296         -Accessing the index must be fast. B3 uses indices for sets
3297          and maps, it is a lot faster than hashing pointers.
3298         -We should be able to subclass DFG::Node to specialize it.
3299
3300         * CMakeLists.txt:
3301         * JavaScriptCore.xcodeproj/project.pbxproj:
3302         * dfg/DFGAllocator.h: Removed.
3303         (JSC::DFG::Allocator::Region::size): Deleted.
3304         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3305         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3306         (JSC::DFG::Allocator::Region::data): Deleted.
3307         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3308         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3309         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3310         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3311         (JSC::DFG::Allocator<T>::allocate): Deleted.
3312         (JSC::DFG::Allocator<T>::free): Deleted.
3313         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3314         (JSC::DFG::Allocator<T>::reset): Deleted.
3315         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3316         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3317         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3318         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3319         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3320         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3321         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3322         * dfg/DFGByteCodeParser.cpp:
3323         (JSC::DFG::ByteCodeParser::addToGraph):
3324         * dfg/DFGCPSRethreadingPhase.cpp:
3325         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3326         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3327         * dfg/DFGCleanUpPhase.cpp:
3328         (JSC::DFG::CleanUpPhase::run):
3329         * dfg/DFGConstantFoldingPhase.cpp:
3330         (JSC::DFG::ConstantFoldingPhase::run):
3331         * dfg/DFGConstantHoistingPhase.cpp:
3332         * dfg/DFGDCEPhase.cpp:
3333         (JSC::DFG::DCEPhase::fixupBlock):
3334         * dfg/DFGDriver.cpp:
3335         (JSC::DFG::compileImpl):
3336         * dfg/DFGGraph.cpp:
3337         (JSC::DFG::Graph::Graph):
3338         (JSC::DFG::Graph::deleteNode):
3339         (JSC::DFG::Graph::killBlockAndItsContents):
3340         (JSC::DFG::Graph::~Graph): Deleted.
3341         * dfg/DFGGraph.h:
3342         (JSC::DFG::Graph::addNode):
3343         * dfg/DFGLICMPhase.cpp:
3344         (JSC::DFG::LICMPhase::attemptHoist):
3345         * dfg/DFGLongLivedState.cpp: Removed.
3346         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3347         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3348         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.